Can't create a S3 bucket with KMS_MANAGED key and bucketKeyEneabled via CDK

Question

I have a S3 bucket with this configuration:

I'm trying to create a bucket with this same configuration via CDK:

Bucket.Builder.create(this, "test1")
  .bucketName("com.myorg.test1")
  .encryption(BucketEncryption.KMS_MANAGED)
  .bucketKeyEnabled(true)
  .build()

But I'm getting this error:

Error: bucketKeyEnabled is specified, so 'encryption' must be set to KMS (value: MANAGED)

This seems like a bug to me, but I'm relatively new to CDK so I'm not sure. Am I doing something wrong, or is this indeed a bug?

Answer 1

I encountered the issue recently, and I have found the answer. I want to share the findings here just in case anyone gets stuck.

Yes, this was a bug in the AWS-CDK. The fix was merged this month: https://github.com/aws/aws-cdk/pull/22331

According to the CDK doc (https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html#bucketkeyenabled), if bucketKeyEnabled is set to true, S3 will use its own time-limited key instead, which helps reduce the cost (see https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html); it's only relevant when Encryption is set to BucketEncryption.KMS or BucketEncryption.KMS_MANAGED.

Answer 2

bucketKeyEnabled flag , straight from docs:

Specifies whether Amazon S3 should use an S3 Bucket Key with server-side encryption using KMS (SSE-KMS)

BucketEncryption has 4 options.

NONE - no encryption

MANAGED - Kms key managed by AWS

S3MANAGED - Key managed by S3

KMS - key managed by user, a new KMS key will be created.

we don't need to set bucketKeyEnabled at all for any scenario. In this case, all we need is aws/s3 , so,

bucketKeyEnabled: Need not be set.(since this is only for SSE-KMS)

encryption: Should be set to BucketEncryption.S3_MANAGED

Example:

const buck = new s3.Bucket(this, "my-bucket", {
  bucketName: "my-test-bucket-1234",
  encryption: s3.BucketEncryption.KMS_MANAGED,
});