feat: add support for kms replication of objects

- When doing cross account replications for items that are encrypted at rest using SSE-KMS you need to provide a new key in the S3 account that can be used - This update covers the extra permissions and processes that we do
hamlet-io · Oct 31, 2023 · 46f616a · 46f616a
1 parent 8bc64d8
commit 46f616a
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 3 deletions.
diff --git a/aws/components/s3/setup.ftl b/aws/components/s3/setup.ftl
@@ -37,6 +37,7 @@
     [#local replicationCrossAccount = false ]
     [#local replicationDestinationAccountId = "" ]
     [#local replicationExternalPolicy = []]
+    [#local replicationKMSKey = ""]
 
     [#local backupTags = {} ]
 
@@ -296,9 +297,16 @@
                             [#local replicationEnabled = true]
                             [#local versioningEnabled = true]
 
-                            [#local replicationDestinationAccountId = linkTargetAttributes["ACCOUNT_ID"]!"" ]
+                            [#local replicationDestinationAccountId = (linkTargetAttributes["ACCOUNT_ID"])!"" ]
                             [#local replicationExternalPolicy +=   s3ReplicaDestinationPermission( linkTargetAttributes["ARN"] ) ]
                             [#local replicationBucket = linkTargetAttributes["ARN"]]
+                            [#local replicationKMSKey = (linkTargetAttributes["KMS_KEY_ARN"])!""]
+                            [#local replicationKMSKeyARN = (linkTargetAttributes["KMS_KEY_REGION"])!""]
+
+                            [#if replicationKMSKey?has_content ]
+                                [#local replicationExternalPolicy += s3EncryptionAllPermission(replicationKMSKey, replicationBucket, "*", replicationKMSKeyARN)]
+                            [/#if]
+
                             [#break]
 
                         [#case "save" ]
@@ -394,7 +402,10 @@
                     solution.Replication.Enabled,
                     prefix,
                     replicateEncryptedData,
-                    kmsKeyId,
+                    replicationKMSKey?has_content?then(
+                        replicationKMSKey,
+                        kmsKeyId
+                    ),
                     replicationDestinationAccountId
                 )]]
         [/#list]

diff --git a/aws/services/kms/policy.ftl b/aws/services/kms/policy.ftl
@@ -76,7 +76,13 @@
                 "",
                 {
                     "StringLike" : {
-                        "kms:EncryptionContext:aws:s3:arn" : "arn:aws:s3:::" + formatRelativePath(bucketName, bucketPrefix?ensure_ends_with("*") )
+                        "kms:EncryptionContext:aws:s3:arn" : formatRelativePath(
+                            bucketName?is_string?then(
+                                bucketName?ensure_starts_with("arn:aws:s3:::"),
+                                bucketName
+                            ),
+                            bucketPrefix?ensure_ends_with("*")
+                        )
                     }
                 }
             )

diff --git a/aws/services/s3/policy.ftl b/aws/services/s3/policy.ftl
@@ -243,6 +243,7 @@
     [#return
         getS3Statement(
             [
+                "s3:PutObject",
                 "s3:ReplicateObject",
                 "s3:ReplicateDelete",
                 "s3:ObjectOwnerOverrideToBucketOwner",