
(aws-appconfig): Policy from SqsDestination does not grant access to queue's encryption key #35180

@taesungh

Description


Describe the bug

The SqsDestination used with an AWS AppConfig extension does not grant permissions to read from an SQS queue encrypted with a customer-managed key.

const policy = new iam.PolicyStatement({
  effect: iam.Effect.ALLOW,
  resources: [this.extensionUri],
  actions: ['sqs:SendMessage'],
});
this.policyDocument = new iam.PolicyDocument({
  statements: [policy],
});

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Library Version

No response

Expected Behavior

Users would expect the SQS destination for AppConfig to work without additional effort in the CDK code: the policy document provided by SqsDestination should include a policy statement for accessing the queue's encryption key.

Current Behavior

The IAM role used by the event action is missing the policy statement for the queue's encryption key, so the event action will not be able to send messages to the destination queue.

Reproduction Steps

Add an SQS destination for an encrypted queue to an AppConfig application:

const key = new kms.Key(this, "MyKey");
const queue = new sqs.Queue(this, "MyQueue", { encryptionMasterKey: key });

const application = new appconfig.Application(this, "MyApp");
application.onDeploymentComplete(new appconfig.SqsDestination(queue));

Observe the generated role does not have permissions for the encryption key:

MyAppExtension8693CRole10911697645ED:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Statement:
        - Action: sts:AssumeRole
          Effect: Allow
          Principal:
            Service: appconfig.amazonaws.com
      Version: "2012-10-17"
    Policies:
      - PolicyDocument:
          Statement:
            - Action: sqs:SendMessage
              Effect: Allow
              Resource:
                Fn::GetAtt:
                  - MyQueueE6CA6235
                  - Arn
          Version: "2012-10-17"
        PolicyName: AllowAppConfigInvokeExtensionEventSourcePolicy

Deploy the resources, complete an AppConfig deployment to trigger the extension, and observe the queue does not receive any messages.

Possible Solution

Add another policy for the encryption key if present:

// Added to the SqsDestination constructor after this.policyDocument is built.
// SendMessage to a CMK-encrypted queue also needs GenerateDataKey and Decrypt on the key.
if (queue.encryptionMasterKey) {
  this.policyDocument.addStatements(
    new iam.PolicyStatement({
      effect: iam.Effect.ALLOW,
      actions: ['kms:Decrypt', 'kms:GenerateDataKey'],
      resources: [queue.encryptionMasterKey.keyArn],
    }),
  );
}

Additional Information/Context

No response

AWS CDK Library version (aws-cdk-lib)

2.208.0

AWS CDK CLI version

2.1024.0

Node.js Version

N/A

OS

N/A

Language

TypeScript

Language Version

No response

Other information

No response
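The missing key grant can be caught in a unit test or CI step by scanning the template that `cdk synth` writes, before anything is deployed. The TypeScript check below is an added example, not code from this report or from the CDK project; it assumes a parsed CloudFormation template object, and the key's logical ID in the constructed sample is a placeholder.

```typescript
// Added example, not code from the issue or the CDK project: a post-synth check that flags IAM roles
// allowed to sqs:SendMessage to a CMK-encrypted queue but lacking kms:GenerateDataKey/kms:Decrypt on its key.
type Json = any;
interface Finding { role: string; queue: string; missing: string[]; }
const REQUIRED_KMS_ACTIONS = ['kms:GenerateDataKey', 'kms:Decrypt'];

// Logical ID behind an intrinsic such as { "Fn::GetAtt": ["MyQueueE6CA6235", "Arn"] } or { Ref: "MyKey" }.
function logicalIdOf(value: Json): string | undefined {
  if (!value || typeof value !== 'object') return undefined;
  return Array.isArray(value['Fn::GetAtt']) ? value['Fn::GetAtt'][0] : value.Ref;
}
function asArray(v: Json): Json[] { return v === undefined ? [] : Array.isArray(v) ? v : [v]; }

// Actions that Allow statements grant on the resource with the given logical ID.
function actionsOn(statements: Json[], targetId: string): string[] {
  const actions: string[] = [];
  for (const s of statements) {
    if (s.Effect === 'Allow' && asArray(s.Resource).some((r) => logicalIdOf(r) === targetId)) actions.push(...asArray(s.Action));
  }
  return actions;
}

function findSendersMissingKmsGrant(template: Json): Finding[] {
  const resources: Json = template.Resources ?? {};
  const keyOfQueue: { [queueId: string]: string } = {}; // only queues encrypted with a CMK
  for (const id of Object.keys(resources)) {
    const keyId = logicalIdOf(resources[id].Properties?.KmsMasterKeyId);
    if (resources[id].Type === 'AWS::SQS::Queue' && keyId) keyOfQueue[id] = keyId;
  }
  const findings: Finding[] = [];
  for (const roleId of Object.keys(resources)) {
    if (resources[roleId].Type !== 'AWS::IAM::Role') continue;
    const statements: Json[] = [];
    for (const p of asArray(resources[roleId].Properties?.Policies)) statements.push(...asArray(p.PolicyDocument?.Statement));
    for (const queueId of Object.keys(keyOfQueue)) {
      if (actionsOn(statements, queueId).indexOf('sqs:SendMessage') < 0) continue; // role does not send here
      const kms = actionsOn(statements, keyOfQueue[queueId]);
      const missing = REQUIRED_KMS_ACTIONS.filter((a) => kms.indexOf(a) < 0 && kms.indexOf('kms:*') < 0);
      if (missing.length > 0) findings.push({ role: roleId, queue: queueId, missing });
    }
  }
  return findings;
}

// Constructed template mirroring the role synthesized in the issue; the key's logical ID is a placeholder.
const SAMPLE_TEMPLATE = { Resources: {
  MyKeyPlaceholder: { Type: 'AWS::KMS::Key', Properties: {} },
  MyQueueE6CA6235: { Type: 'AWS::SQS::Queue', Properties: { KmsMasterKeyId: { 'Fn::GetAtt': ['MyKeyPlaceholder', 'Arn'] } } },
  MyAppExtension8693CRole10911697645ED: { Type: 'AWS::IAM::Role', Properties: { Policies: [{ PolicyName: 'AllowAppConfigInvokeExtensionEventSourcePolicy',
    PolicyDocument: { Statement: [{ Action: 'sqs:SendMessage', Effect: 'Allow', Resource: { 'Fn::GetAtt': ['MyQueueE6CA6235', 'Arn'] } }] } }] } },
} };
```

Running `findSendersMissingKmsGrant` over the output of `cdk synth` for the stack in the reproduction steps reports the extension role with both KMS actions missing; once the key statement from the proposed fix is present the check returns no findings.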

Labels

@aws-cdk/aws-appconfig (Related to AWS AppConfig), bug (This issue is a bug.), effort/medium (Medium work item – several days of effort), p2
