aws · devnotfound · Sep 14, 2022 · Oct 2, 2022 · Oct 6, 2022 · Oct 6, 2022
diff --git a/packages/@aws-cdk/aws-elasticloadbalancingv2/README.md b/packages/@aws-cdk/aws-elasticloadbalancingv2/README.md
@@ -77,6 +77,8 @@ const securityGroup2 = new ec2.SecurityGroup(this, 'SecurityGroup2', { vpc });
 lb.addSecurityGroup(securityGroup2);
 ```
 
+NOTE: Enabling ALB logs using an encryption enabled Amazon S3 Bucket is currently unsupported
+
 ### Conditions
 
 It's possible to route traffic to targets based on conditions in the incoming

diff --git a/packages/@aws-cdk/aws-elasticloadbalancingv2/lib/shared/base-load-balancer.ts b/packages/@aws-cdk/aws-elasticloadbalancingv2/lib/shared/base-load-balancer.ts
@@ -246,6 +246,9 @@ export abstract class BaseLoadBalancer extends Resource {
    * environment-agnostic stacks. See https://docs.aws.amazon.com/cdk/latest/guide/environments.html
    */
   public logAccessLogs(bucket: s3.IBucket, prefix?: string) {
+    if (bucket.encryptionKey) {
+      throw new Error('Encryption key detected. Bucket encryption using KMS keys is unsupported');
+    }
     prefix = prefix || '';
     this.setAttribute('access_logs.s3.enabled', 'true');
     this.setAttribute('access_logs.s3.bucket', bucket.bucketName.toString());

diff --git a/packages/@aws-cdk/aws-elasticloadbalancingv2/package.json b/packages/@aws-cdk/aws-elasticloadbalancingv2/package.json
@@ -100,6 +100,7 @@
     "@aws-cdk/core": "0.0.0",
     "@aws-cdk/cx-api": "0.0.0",
     "@aws-cdk/region-info": "0.0.0",
+    "@aws-cdk/aws-kms": "0.0.0",
     "constructs": "^10.0.0"
   },
   "homepage": "https://github.com/aws/aws-cdk",
@@ -115,6 +116,7 @@
     "@aws-cdk/core": "0.0.0",
     "@aws-cdk/cx-api": "0.0.0",
     "@aws-cdk/region-info": "0.0.0",
+    "@aws-cdk/aws-kms": "0.0.0",
     "constructs": "^10.0.0"
   },
   "engines": {

diff --git a/packages/@aws-cdk/aws-elasticloadbalancingv2/test/alb/load-balancer.test.ts b/packages/@aws-cdk/aws-elasticloadbalancingv2/test/alb/load-balancer.test.ts
@@ -1,6 +1,7 @@
 import { Match, Template } from '@aws-cdk/assertions';
 import { Metric } from '@aws-cdk/aws-cloudwatch';
 import * as ec2 from '@aws-cdk/aws-ec2';
+import * as kms from '@aws-cdk/aws-kms';
 import * as s3 from '@aws-cdk/aws-s3';
 import * as cdk from '@aws-cdk/core';
 import * as elbv2 from '../../lib';
@@ -147,15 +148,31 @@ describe('tests', () => {
 
   describe('logAccessLogs', () => {
 
-    function loggingSetup(): { stack: cdk.Stack, bucket: s3.Bucket, lb: elbv2.ApplicationLoadBalancer } {
+    function loggingSetup(withEncryption: boolean = false): { stack: cdk.Stack, bucket: s3.Bucket, lb: elbv2.ApplicationLoadBalancer } {
       const app = new cdk.App();
       const stack = new cdk.Stack(app, undefined, { env: { region: 'us-east-1' } });
       const vpc = new ec2.Vpc(stack, 'Stack');
-      const bucket = new s3.Bucket(stack, 'AccessLoggingBucket');
+      let bucketProps = {};
+      if (withEncryption) {
+        const myKey = new kms.Key(stack, 'MyKey');
+        bucketProps = { ...bucketProps, encryption: s3.BucketEncryption.KMS, encryptionKey: myKey };
+      }
+      const bucket = new s3.Bucket(stack, 'AccessLoggingBucket', { ...bucketProps });
       const lb = new elbv2.ApplicationLoadBalancer(stack, 'LB', { vpc });
       return { stack, bucket, lb };
     }
 
+    test('should throw an error when a kms bucketkey is detected', () => {
+      // GIVEN
+      const { bucket, lb } = loggingSetup(true);
+
+      // WHEN
+      const logAccessLogFunctionTest = () => lb.logAccessLogs(bucket);
+
+      // THEN
+      expect(logAccessLogFunctionTest).toThrow('Encryption key detected. Bucket encryption using KMS keys is unsupported');
+    });
+
     test('sets load balancer attributes', () => {
       // GIVEN
       const { stack, bucket, lb } = loggingSetup();