feat(s3): default to KMS if encryptionKey is specified

If `encryptionKey` is specified, defaults to KMS encryption. Fixes #2714
aws · Jun 3, 2019 · 7e9997d · 7e9997d
1 parent 0f54698
commit 7e9997d
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 3 deletions.
diff --git a/packages/@aws-cdk/aws-s3/lib/bucket.ts b/packages/@aws-cdk/aws-s3/lib/bucket.ts
@@ -604,7 +604,7 @@ export interface BucketProps {
    * If you choose KMS, you can specify a KMS key via `encryptionKey`. If
    * encryption key is not specified, a key will automatically be created.
    *
-   * @default BucketEncryption.Unencrypted
+   * @default - `Kms` if `encryptionKey` is specified, or `Unencrypted` otherwise.
    */
   readonly encryption?: BucketEncryption;
 
@@ -934,8 +934,11 @@ export class Bucket extends BucketBase {
     encryptionKey?: kms.IKey
   } {
 
-    // default to unencrypted.
-    const encryptionType = props.encryption || BucketEncryption.Unencrypted;
+    // default based on whether encryptionKey is specified
+    let encryptionType = props.encryption;
+    if (encryptionType === undefined) {
+      encryptionType = props.encryptionKey ? BucketEncryption.Kms : BucketEncryption.Unencrypted;
+    }
 
     // if encryption key is set, encryption must be set to KMS.
     if (encryptionType !== BucketEncryption.Kms && props.encryptionKey) {

diff --git a/packages/@aws-cdk/aws-s3/test/test.bucket.ts b/packages/@aws-cdk/aws-s3/test/test.bucket.ts
@@ -1370,4 +1370,14 @@ export = {
     });
     test.done();
   },
+
+  'if a kms key is specified, it implies bucket is encrypted with kms (dah)'(test: Test) {
+    // GIVEN
+    const stack = new Stack();
+    const key = new kms.Key(stack, 'k');
+
+    // THEN
+    new Bucket(stack, 'b', { encryptionKey: key });
+    test.done();
+  }
 };