upgrade cdk and default encryption for compliance #473

sam-goodwin · 2023-10-21T00:32:27Z

Upgrade CDK to 2.102.0
Add a Compliance Construct that manages compliance policies and centralizes encryption keys
Add SecureBucket, SecureTable and SecureQueue with default secure configurations based on the compliance policy
Enable encryption on auto-created Lambda Log Groups - see: https://dev.to/danielbayerlein/encrypt-auto-created-log-groups-from-aws-lambda-with-aws-cdk-1j88

sam-goodwin · 2023-10-21T00:42:33Z

packages/@eventual/aws-cdk/src/bucket-service.ts

+    if (this.props.compliancePolicy.isCustomerManagedKeys()) {
+      // data in the buckets are encrypted with a key that the customer owns
+      this.props.compliancePolicy.dataEncryptionKey.grantEncryptDecrypt(
+        grantee
+      );
+    }


Not sure if I need to do this for AWS-managed keys. I don't have to for AWS-owned because there's zero visibility into that, but AWS-managed creates a key with an alias, like aws/s3 and I'm hoping I don't need to grant permissions but I may.

packages/@eventual/aws-cdk/src/utils.ts

sam-goodwin · 2023-10-22T23:04:39Z

sam-goodwin · 2023-10-22T23:05:33Z

sam-goodwin · 2023-10-22T23:08:08Z

Bug: the Entity Tables are using an AWS-owned key instead of an AWS-managed key:

Fixed in: d16b66b

packages/@eventual/aws-cdk/src/secure/log-group.ts

sam-goodwin added 2 commits October 20, 2023 17:28

upgrade cdk and implement compliance policies with encryption

7550965

upgrade cdk alpha

acc4a1d

sam-goodwin requested a review from thantos October 21, 2023 00:33

sam-goodwin added 2 commits October 20, 2023 17:34

Merge branch 'main' into sam/compliance

b23b988

grant encrypt/decrypt on data key for entity and queue

c8f7f46

sam-goodwin commented Oct 21, 2023

View reviewed changes

sam-goodwin added 2 commits October 20, 2023 17:45

remove unnecessary check

c95d96c

disable nag

9fe2104

thantos reviewed Oct 21, 2023

View reviewed changes

packages/@eventual/aws-cdk/src/utils.ts Outdated Show resolved Hide resolved

sam-goodwin added 4 commits October 20, 2023 20:50

nodejs latest

7bcf95d

enable bucket key

9125e92

enable hipaa

d764ef1

export ComplianceStandard

41e03aa

sam-goodwin added 2 commits October 22, 2023 16:09

fix: use SecureTable in EntityService

d16b66b

create log group with KMS encryption when CMK is required

5a93fc8

sam-goodwin commented Oct 23, 2023

View reviewed changes

packages/@eventual/aws-cdk/src/secure/log-group.ts Show resolved Hide resolved

thantos approved these changes Oct 23, 2023

View reviewed changes

sam-goodwin merged commit 38eb3b0 into main Oct 23, 2023
6 checks passed

sam-goodwin deleted the sam/compliance branch October 23, 2023 17:47

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

upgrade cdk and default encryption for compliance #473

upgrade cdk and default encryption for compliance #473

sam-goodwin commented Oct 21, 2023 •

edited

Loading

sam-goodwin Oct 21, 2023

sam-goodwin commented Oct 22, 2023

sam-goodwin commented Oct 22, 2023

sam-goodwin commented Oct 22, 2023 •

edited

Loading

upgrade cdk and default encryption for compliance #473

upgrade cdk and default encryption for compliance #473

Conversation

sam-goodwin commented Oct 21, 2023 • edited Loading

sam-goodwin Oct 21, 2023

Choose a reason for hiding this comment

sam-goodwin commented Oct 22, 2023

sam-goodwin commented Oct 22, 2023

sam-goodwin commented Oct 22, 2023 • edited Loading

sam-goodwin commented Oct 21, 2023 •

edited

Loading

sam-goodwin commented Oct 22, 2023 •

edited

Loading