Add KMS alias and removal policy for S3 bucket KMS key

kris-szlapa · kris-szlapa · commit 3df4d12f674b · 2025-08-14T09:58:56.000Z
diff --git a/packages/cdk/constructs/S3Bucket.ts b/packages/cdk/constructs/S3Bucket.ts
@@ -6,7 +6,7 @@ import {
   BlockPublicAccess,
   ObjectOwnership
 } from "aws-cdk-lib/aws-s3"
-import {Key} from "aws-cdk-lib/aws-kms"
+import {Key, Alias} from "aws-cdk-lib/aws-kms"
 
 export interface S3BucketProps {
   readonly bucketName: string
@@ -16,13 +16,21 @@ export interface S3BucketProps {
 export class S3Bucket extends Construct {
   public readonly bucket: Bucket
   public readonly kmsKey: Key
+  public readonly kmsAlias: Alias
 
   constructor(scope: Construct, id: string, props: S3BucketProps) {
     super(scope, id)
 
     this.kmsKey = new Key(this, "BucketKey", {
       enableKeyRotation: true,
-      description: `KMS key for ${props.bucketName} S3 bucket encryption`
+      description: `KMS key for ${props.bucketName} S3 bucket encryption`,
+      removalPolicy: RemovalPolicy.DESTROY
+    })
+
+    this.kmsAlias = new Alias(this, "BucketKeyAlias", {
+      aliasName: `alias/${props.bucketName}-s3-key`,
+      targetKey: this.kmsKey,
+      removalPolicy: RemovalPolicy.DESTROY
     })
 
     this.bucket = new Bucket(this, props.bucketName, {
