L2 SNS Topic: Setting enforceSSL prop to true does not create AWS::SNS::TopicPolicy #31558

Closed
1 task
jaychung-aws opened this issue Sep 25, 2024 · 3 comments · Fixed by #31569
Labels
@aws-cdk/aws-sns Related to Amazon Simple Notification Service bug This issue is a bug. effort/small Small work item – less than a day of effort p2

Comments

@jaychung-aws

Describe the bug

CDK Version used:
2.147.2

Steps to Reproduce:

  1. Create a L2 SNS Topic construct with enforceSSL prop set to true.
import * as cdk from 'aws-cdk-lib';
import * as sns from 'aws-cdk-lib/aws-sns';

const stack = new cdk.Stack();

const topic = new sns.Topic(stack, 'MySNSTopic', {
  topicName: 'my-sns-topic',
  enforceSSL: true,
});
  2. Run cdk synth.
  3. Inspect the synthesized CloudFormation template.
  4. Check whether CDK generated an AWS::SNS::TopicPolicy with a statement that denies any sns:Publish if aws:SecureTransport is false, as follows:
{
       "Action": "sns:Publish",
       "Condition": {
        "Bool": {
         "aws:SecureTransport": "false"
        }
       },
       "Effect": "Deny",
       "Principal": "*",
       "Resource": {
        "Ref": "SnsTopicStdAllProps5206973F"
       },
       "Sid": "AllowPublishThroughSSLOnly"
}
  5. CDK does not create the expected AWS::SNS::TopicPolicy. However, if you have a policy statement added to the Topic via .addToResourcePolicy(..) as follows:
import * as cdk from 'aws-cdk-lib';
import * as iam from 'aws-cdk-lib/aws-iam';
import * as sns from 'aws-cdk-lib/aws-sns';

const stack = new cdk.Stack();

const topic = new sns.Topic(stack, 'MySNSTopic', {
  topicName: 'my-sns-topic',
  enforceSSL: true,
});
// Adding any statement of your own makes CDK emit the TopicPolicy,
// and the enforceSSL deny statement is appended alongside it.
topic.addToResourcePolicy(new iam.PolicyStatement({
  effect: iam.Effect.ALLOW,
  principals: [new iam.ServicePrincipal('sns.amazonaws.com')],
  actions: ['SNS:Publish'],
  resources: ['*'],
}));

then CDK correctly creates an AWS::SNS::TopicPolicy and appends the above statement to it:

"SnsTopicStdAllPropsPolicy76A2A260": {
   "Type": "AWS::SNS::TopicPolicy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": "SNS:Publish",
       "Effect": "Allow",
       "Principal": {
        "Service": "sns.amazonaws.com"
       },
       "Resource": "*",
       "Sid": "0"
      },
      {
       "Action": "sns:Publish",
       "Condition": {
        "Bool": {
         "aws:SecureTransport": "false"
        }
       },
       "Effect": "Deny",
       "Principal": "*",
       "Resource": {
        "Ref": "SnsTopicStdAllProps5206973F"
       },
       "Sid": "AllowPublishThroughSSLOnly"
      }
     ],
     "Version": "2012-10-17"
    },
    "Topics": [
     {
      "Ref": "SnsTopicStdAllProps5206973F"
     }
    ]
   },
   "UpdateReplacePolicy": "Delete",
   "DeletionPolicy": "Delete",
   "Metadata": {
    "aws:cdk:path": "TestedConstructStacks-SNSTopicStdAllProperties-stack/SnsTopicStdAllProps/Policy/Resource"
   }
  }

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

No response

Expected Behavior

When a user synthesizes a CDK stack containing an L2 SNS Topic with enforceSSL set to true, CDK should output a CloudFormation stack that contains an AWS::SNS::TopicPolicy with a statement that "Adds a statement to enforce encryption of data in transit when publishing to the topic", as defined in the CDK documentation.

Current Behavior

When a user synthesizes a CDK stack containing an L2 SNS Topic with enforceSSL set to true, CDK does not output a CloudFormation stack that contains an AWS::SNS::TopicPolicy with a statement that "Adds a statement to enforce encryption of data in transit when publishing to the topic", as defined in the CDK documentation.

CDK, however, handles this correctly when a policy is added to the Topic via .addToResourcePolicy(). In this case, an AWS::SNS::TopicPolicy is included in the synthesized CloudFormation template, and it contains the statement that blocks sns:Publish from sources that do not use SSL.

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.156.0

Framework Version

No response

Node.js Version

18.20.2

OS

MacOS Sonoma 14.6.1

Language

TypeScript

Language Version

No response

Other information

No response
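As an added example, not code from the issue or from aws-cdk: a post-synth check over the CloudFormation template JSON that fails when an AWS::SNS::Topic has no attached TopicPolicy carrying the aws:SecureTransport deny shown above, which is the guard that would have surfaced this regression in CI. The two templates and their logical ids are constructed for the example.

```typescript
type Template = { Resources: Record<string, any> };

// The guard enforceSSL is documented to emit: Deny sns:Publish for every
// principal when the request did not use TLS (aws:SecureTransport == false).
function isSslDeny(s: any): boolean {
  const actions: string[] = ([] as string[]).concat(s.Action ?? []).map((a) => a.toLowerCase());
  const secure = s.Condition?.Bool?.['aws:SecureTransport'];
  return s.Effect === 'Deny' && s.Principal === '*' &&
    actions.indexOf('sns:publish') !== -1 && String(secure).toLowerCase() === 'false';
}

// True if some AWS::SNS::TopicPolicy attached to `topicId` carries that deny.
function topicEnforcesSsl(template: Template, topicId: string): boolean {
  return Object.keys(template.Resources).some((id) => {
    const res = template.Resources[id];
    if (res.Type !== 'AWS::SNS::TopicPolicy') return false;
    return (res.Properties?.Topics ?? []).some((t: any) => t?.Ref === topicId) &&
      (res.Properties?.PolicyDocument?.Statement ?? []).some(isSslDeny);
  });
}

// Logical ids of every AWS::SNS::Topic that lacks the guard; a non-empty
// result is the CI failure that would have surfaced this issue.
function topicsMissingSslPolicy(template: Template): string[] {
  return Object.keys(template.Resources)
    .filter((id) => template.Resources[id].Type === 'AWS::SNS::Topic')
    .filter((id) => !topicEnforcesSsl(template, id));
}

// Constructed sample of what the issue reports: a topic synthesized with
// enforceSSL: true but no TopicPolicy emitted (logical ids are made up here).
const BUGGY_TEMPLATE: Template = { Resources: {
  MySNSTopicAAAA1111: { Type: 'AWS::SNS::Topic', Properties: { TopicName: 'my-sns-topic' } } } };
// Constructed sample of the expected output, mirroring the TopicPolicy shown above.
const FIXED_TEMPLATE: Template = { Resources: {
  MySNSTopicAAAA1111: { Type: 'AWS::SNS::Topic', Properties: { TopicName: 'my-sns-topic' } },
  MySNSTopicPolicyBBBB2222: {
    Type: 'AWS::SNS::TopicPolicy',
    Properties: {
      PolicyDocument: {
        Version: '2012-10-17',
        Statement: [{ Sid: 'AllowPublishThroughSSLOnly', Effect: 'Deny', Principal: '*',
          Action: 'sns:Publish', Resource: { Ref: 'MySNSTopicAAAA1111' },
          Condition: { Bool: { 'aws:SecureTransport': 'false' } } }],
      },
      Topics: [{ Ref: 'MySNSTopicAAAA1111' }],
    },
  },
} };
```

Run it against the output of `cdk synth --json` in a pipeline step and fail the build when `topicsMissingSslPolicy` returns any ids.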

@jaychung-aws jaychung-aws added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Sep 25, 2024
@github-actions github-actions bot added the @aws-cdk/aws-sns Related to Amazon Simple Notification Service label Sep 25, 2024
@ashishdhingra ashishdhingra self-assigned this Sep 25, 2024
@ashishdhingra ashishdhingra added p2 investigating This issue is being investigated and/or work is in progress to resolve the issue. and removed needs-triage This issue or PR still needs to be triaged. labels Sep 25, 2024
@ashishdhingra
Contributor

ashishdhingra commented Sep 26, 2024

Reproducible using customer provided code. Simply using the below code doesn't create AWS::SNS::TopicPolicy at all (AWS CDK version 2.160.0 (build 7a8ae02)):

import * as cdk from 'aws-cdk-lib';
import * as sns from 'aws-cdk-lib/aws-sns';

export class CdktestStack extends cdk.Stack {
  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const topic = new sns.Topic(this, 'MySNSTopic', {
      topicName: 'my-sns-topic',
      enforceSSL: true,
    });
  }
}

PR #31569, contributed by the community, addresses the issue.

@ashishdhingra ashishdhingra added effort/small Small work item – less than a day of effort and removed investigating This issue is being investigated and/or work is in progress to resolve the issue. labels Sep 26, 2024
@ashishdhingra ashishdhingra removed their assignment Sep 26, 2024
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 31, 2025