Chore: [AEA-0000] - fix kms policy

packages/cdk/resources/BedrockExecutionRole.ts

@@ -6,6 +6,7 @@ import {
   ManagedPolicy
 } from "aws-cdk-lib/aws-iam"
 import {Bucket} from "aws-cdk-lib/aws-s3"
+import {Key} from "aws-cdk-lib/aws-kms"
 
 // Amazon Titan embedding model for vector generation
 const EMBEDDING_MODEL = "amazon.titan-embed-text-v2:0"
@@ -14,6 +15,7 @@ export interface BedrockExecutionRoleProps {
   readonly region: string
   readonly account: string
   readonly kbDocsBucket: Bucket
+  readonly kbDocsKmsKey: Key
 }
 
 export class BedrockExecutionRole extends Construct {
@@ -63,7 +65,7 @@ export class BedrockExecutionRole extends Construct {
     // KMS permissions for S3 bucket encryption
     const kmsAccessPolicy = new PolicyStatement({
       actions: ["kms:Decrypt", "kms:DescribeKey"],
-      resources: ["*"],
+      resources:  [props.kbDocsKmsKey.keyArn],
       conditions: {"StringEquals": {"aws:ResourceAccount": props.account}}
     })
 

packages/cdk/resources/Storage.ts

@@ -1,20 +1,26 @@
 import {Construct} from "constructs"
 import {S3Bucket} from "../constructs/S3Bucket"
+import {Key} from "aws-cdk-lib/aws-kms"
+import {Bucket} from "aws-cdk-lib/aws-s3"
 
 export interface StorageProps {
   readonly stackName: string
 }
 
 export class Storage extends Construct {
-  public readonly kbDocsBucket: S3Bucket
+  public readonly kbDocsBucket: Bucket
+  public readonly kbDocsKmsKey: Key
 
   constructor(scope: Construct, id: string, props: StorageProps) {
     super(scope, id)
 
     // Create S3 bucket for knowledge base documents with encryption
-    this.kbDocsBucket = new S3Bucket(this, "DocsBucket", {
+    const kbDocsBucket = new S3Bucket(this, "DocsBucket", {
       bucketName: `${props.stackName}-Docs`,
       versioned: true
     })
+
+    this.kbDocsBucket = kbDocsBucket.bucket
+    this.kbDocsKmsKey = kbDocsBucket.kmsKey
   }
 }

packages/cdk/stacks/EpsAssistMeStack.ts

@@ -85,7 +85,8 @@ export class EpsAssistMeStack extends Stack {
     const bedrockExecutionRole = new BedrockExecutionRole(this, "BedrockExecutionRole", {
       region,
       account,
-      kbDocsBucket: storage.kbDocsBucket.bucket
+      kbDocsBucket: storage.kbDocsBucket,
+      kbDocsKmsKey: storage.kbDocsKmsKey
     })
 
     // Create OpenSearch Resources with Bedrock execution role
@@ -108,7 +109,7 @@ export class EpsAssistMeStack extends Stack {
     // Create VectorKnowledgeBase construct with Bedrock execution role
     const vectorKB = new VectorKnowledgeBaseResources(this, "VectorKB", {
       stackName: props.stackName,
-      docsBucket: storage.kbDocsBucket.bucket,
+      docsBucket: storage.kbDocsBucket,
       bedrockExecutionRole: bedrockExecutionRole.role,
       collectionArn: openSearchResources.collection.collectionArn,
       vectorIndexName: vectorIndex.indexName,
@@ -167,7 +168,7 @@ export class EpsAssistMeStack extends Stack {
 
     // Add S3 notification to trigger sync Lambda function
     new S3LambdaNotification(this, "S3LambdaNotification", {
-      bucket: storage.kbDocsBucket.bucket,
+      bucket: storage.kbDocsBucket,
       lambdaFunction: functions.syncKnowledgeBaseFunction.function
     })
 
@@ -229,11 +230,11 @@ export class EpsAssistMeStack extends Stack {
     })
 
     new CfnOutput(this, "kbDocsBucketArn", {
-      value: storage.kbDocsBucket.bucket.bucketArn,
+      value: storage.kbDocsBucket.bucketArn,
       exportName: `${props.stackName}:kbDocsBucket:Arn`
     })
     new CfnOutput(this, "kbDocsBucketName", {
-      value: storage.kbDocsBucket.bucket.bucketName,
+      value: storage.kbDocsBucket.bucketName,
       exportName: `${props.stackName}:kbDocsBucket:Name`
     })