Skip to content

feat(kms): add bypassPolicyLockoutSafetyCheck property #35973

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

feat(kms): add bypassPolicyLockoutSafetyCheck property #35973

wants to merge 4 commits into from
+950 −1

Conversation

@maczac150
Copy link

@maczac150 maczac150 commented Nov 6, 2025

Issue # (if applicable)

None

Reason for this change

AWS KMS supports bypassing the key policy lockout safety check via the BypassPolicyLockoutSafetyCheck parameter (Link).
This feature was not previously configurable in the AWS CDK L2 construct.

Description of changes

  • Added bypassPolicyLockoutSafetyCheck to KeyProps and threaded it through to CfnKey.
  • Documented the property with security warnings and usage examples in README.

Describe any new or updated permissions being added

None – This property only affects how AWS KMS performs its key policy lockout safety check, and does not introduce any new permissions or access scope changes.

Description of how you validated changes

  • Added unit tests covering all three cases (true/false/undefined)
  • Added integration test demonstrating all three scenarios

Checklist

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@aws-cdk-automation aws-cdk-automation requested a review from a team November 6, 2025 23:25
@github-actions github-actions bot added p2 beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK labels Nov 6, 2025
go-to-k
go-to-k reviewed Nov 7, 2025
View reviewed changes
Copy link
Contributor

@go-to-k go-to-k left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for your contribution. Left some minor comments

@maczac150
Copy link
Author

maczac150 commented Nov 7, 2025

Thank you for the review. I'll make the suggested changes and commit them shortly.

@maczac150 maczac150 force-pushed the kms-bypass-policy-lockout branch from f4fd1b0 to 7a8d97d Compare November 7, 2025 15:01
@maczac150
Copy link
Author

maczac150 commented Nov 8, 2025

I’ve committed all three suggested changes. Thank you again for the feedback.

go-to-k
go-to-k approved these changes Nov 9, 2025
View reviewed changes
Copy link
Contributor

@go-to-k go-to-k left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the changes.

@aws-cdk-automation
Copy link
Collaborator

aws-cdk-automation commented Nov 11, 2025

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

@aws-cdk-automation aws-cdk-automation added the pr/needs-further-review PR requires additional review from our team specialists due to the scope or complexity of changes. label Nov 11, 2025
This was referenced Nov 11, 2025
Closed
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@go-to-k go-to-k go-to-k approved these changes

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK p2 pr/needs-further-review PR requires additional review from our team specialists due to the scope or complexity of changes.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@maczac150 @aws-cdk-automation @go-to-k