Merge pull request #1259 from awslabs/BucketKeyWarning

feat(bucket warning): add a warning if a bucket key is not requested No change in functionality
awslabs · Feb 4, 2025 · 681533e · 681533e
2 parents 171aeee + ab3865f
commit 681533e
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/source/patterns/@aws-solutions-constructs/core/lib/s3-bucket-helper.ts b/source/patterns/@aws-solutions-constructs/core/lib/s3-bucket-helper.ts
@@ -21,7 +21,7 @@ import * as lambda from 'aws-cdk-lib/aws-lambda';
 import * as s3 from 'aws-cdk-lib/aws-s3';
 import * as cdk from 'aws-cdk-lib';
 import { DefaultS3Props } from './s3-bucket-defaults';
-import { overrideProps, addCfnSuppressRules, consolidateProps, CheckBooleanWithDefault } from './utils';
+import { overrideProps, addCfnSuppressRules, consolidateProps, CheckBooleanWithDefault, printWarning } from './utils';
 import { StorageClass } from 'aws-cdk-lib/aws-s3';
 import { Duration } from 'aws-cdk-lib';
 // Note: To ensure CDKv2 compatibility, keep the import statement for Construct separate
@@ -325,6 +325,13 @@ export function CheckS3Props(propsObject: S3Props | any) {
     errorFound = true;
   }
 
+  if (propsObject?.bucketProps?.encryption === s3.BucketEncryption.KMS_MANAGED) {
+    if (!propsObject.bucketProps.bucketKeyEnabled) {
+      printWarning("When using SSE-KMS Bucket Encryption, set bucketKeyEnabled to true to lower costs");
+      printWarning('https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html');
+    }
+  }
+
   if (errorFound) {
     throw new Error(errorMessages);
   }