chore(cost savings): Make things cheaper by reducing KMS usage where …

…not needed
Enterprise-CMCS · Aug 5, 2024 · ed9e79f · ed9e79f
1 parent 52cf822
commit ed9e79f
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 37 deletions.
diff --git a/lib/local-constructs/clamav-scanning/index.ts b/lib/local-constructs/clamav-scanning/index.ts
@@ -56,6 +56,7 @@ export class ClamScanScanner extends Construct {
     // Create a customer-managed KMS key
     const kmsKey = new kms.Key(this, "NotificationQueueKey", {
       enableKeyRotation: true,
+      removalPolicy: cdk.RemovalPolicy.DESTROY,
     });
 
     // Grant SQS and S3 permissions to use the KMS key

diff --git a/lib/stacks/alerts.ts b/lib/stacks/alerts.ts
@@ -19,47 +19,16 @@ export class Alerts extends cdk.NestedStack {
   private initializeResources(props: AlertsStackProps): cdk.aws_sns.Topic {
     const { project, stage } = props;
 
-    // Create Alerts Topic with KMS Key
+    // Create Alerts Topic with AWS-managed KMS Key
     const alertsTopic = new cdk.aws_sns.Topic(this, "AlertsTopic", {
       topicName: `Alerts-${project}-${stage}`,
+      masterKey: cdk.aws_kms.Alias.fromAliasName(
+        this,
+        "KmsAlias",
+        "alias/aws/sns",
+      ),
     });
 
-    const kmsKeyForSns = new cdk.aws_kms.Key(this, "KmsKeyForSns", {
-      enableKeyRotation: true,
-    });
-
-    // KMS Key Policy
-    kmsKeyForSns.addToResourcePolicy(
-      new cdk.aws_iam.PolicyStatement({
-        sid: "Allow access for Root User",
-        effect: cdk.aws_iam.Effect.ALLOW,
-        principals: [new cdk.aws_iam.AccountPrincipal(cdk.Aws.ACCOUNT_ID)],
-        actions: ["kms:*"],
-        resources: ["*"],
-      }),
-    );
-    kmsKeyForSns.addToResourcePolicy(
-      new cdk.aws_iam.PolicyStatement({
-        sid: "Allow access for Key User (SNS Service Principal)",
-        effect: cdk.aws_iam.Effect.ALLOW,
-        principals: [new cdk.aws_iam.ServicePrincipal("sns.amazonaws.com")],
-        actions: ["kms:GenerateDataKey", "kms:Decrypt"],
-        resources: ["*"],
-      }),
-    );
-    kmsKeyForSns.addToResourcePolicy(
-      new cdk.aws_iam.PolicyStatement({
-        sid: "Allow CloudWatch events to use the key",
-        effect: cdk.aws_iam.Effect.ALLOW,
-        principals: [
-          new cdk.aws_iam.ServicePrincipal("events.amazonaws.com"),
-          new cdk.aws_iam.ServicePrincipal("cloudwatch.amazonaws.com"),
-        ],
-        actions: ["kms:Decrypt", "kms:GenerateDataKey"],
-        resources: ["*"],
-      }),
-    );
-
     // Output the Alerts Topic ARN
     new cdk.CfnOutput(this, "AlertsTopicArn", {
       description: "Alerts Topic ARN",