fix: enforce ssl on s3 deployment bucket (#13857)
awsluja authored Jul 18, 2024
1 parent cca1f3b commit 5ec5d4d
Showing 4 changed files with 162 additions and 1 deletion.
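--- a/<path-not-shown-1>
+++ b/<path-not-shown-1>
@@ -26,6 +26,53 @@
 }
 }
 },
+"DeploymentBucketBlockHTTP": {
+"Type": "AWS::S3::BucketPolicy",
+"Properties": {
+"Bucket": {
+"Ref": "DeploymentBucketName"
+},
+"PolicyDocument": {
+"Statement": [
+{
+"Action": "s3:*",
+"Effect": "Deny",
+"Principal": "*",
+"Resource": [
+{
+"Fn::Join": [
+"",
+[
+"arn:aws:s3:::",
+{
+"Ref": "DeploymentBucketName"
+},
+"/*"
+]
+]
+},
+{
+"Fn::Join": [
+"",
+[
+"arn:aws:s3:::",
+{
+"Ref": "DeploymentBucketName"
+}
+]
+]
+}
+],
+"Condition": {
+"Bool": {
+"aws:SecureTransport": false
+}
+}
+}
+]
+}
+}
+},
 "AuthRole": {
 "Type": "AWS::IAM::Role",
 "Properties": {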
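Review bot: The new PolicyDocument has no `Version` field, so it is evaluated under the implicit 2008-10-17 policy language; the statement uses no policy variables, so nothing breaks today, but add `"Version": "2012-10-17",` before `"Statement"` so the document matches the current grammar and later edits don't trip over the old one. The two `Resource` ARNs also hard-code the `aws` partition (`"arn:aws:s3:::"`); if this template is ever deployed in another partition I'd expect the ARN not to match the bucket, and then the Deny cannot take effect, so build the prefix from the pseudo-parameter instead, e.g. `["arn:", {"Ref": "AWS::Partition"}, ":s3:::", {"Ref": "DeploymentBucketName"}, "/*"]`. Both points apply equally to the CfnBucketPolicy added in generateRootStackResources in the last file section, and fixing them there means regenerating the two snapshot files in this commit. The statement itself (Deny `s3:*` on the bucket and its objects when `aws:SecureTransport` is false) is the standard SSL-only bucket pattern and looks right.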
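--- a/<path-not-shown-2>
+++ b/<path-not-shown-2>
@@ -104,6 +104,53 @@ exports[`Check RootStack Template generates root stack Template 1`] = `
 "Type": "AWS::S3::Bucket",
 "UpdateReplacePolicy": "Retain",
 },
+"DeploymentBucketBlockHTTP": {
+"Properties": {
+"Bucket": {
+"Ref": "DeploymentBucketName",
+},
+"PolicyDocument": {
+"Statement": [
+{
+"Action": "s3:*",
+"Condition": {
+"Bool": {
+"aws:SecureTransport": false,
+},
+},
+"Effect": "Deny",
+"Principal": "*",
+"Resource": [
+{
+"Fn::Join": [
+"",
+[
+"arn:aws:s3:::",
+{
+"Ref": "DeploymentBucketName",
+},
+"/*",
+],
+],
+},
+{
+"Fn::Join": [
+"",
+[
+"arn:aws:s3:::",
+{
+"Ref": "DeploymentBucketName",
+},
+],
+],
+},
+],
+},
+],
+},
+},
+"Type": "AWS::S3::BucketPolicy",
+},
 "UnauthRole": {
 "Properties": {
 "AssumeRolePolicyDocument": {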
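--- a/<path-not-shown-3>
+++ b/<path-not-shown-3>
@@ -125,6 +125,53 @@ exports[`Root stack template tests Generated root stack template during init 1`]
 "Type": "AWS::S3::Bucket",
 "UpdateReplacePolicy": "Retain",
 },
+"DeploymentBucketBlockHTTP": {
+"Properties": {
+"Bucket": {
+"Ref": "DeploymentBucketName",
+},
+"PolicyDocument": {
+"Statement": [
+{
+"Action": "s3:*",
+"Condition": {
+"Bool": {
+"aws:SecureTransport": false,
+},
+},
+"Effect": "Deny",
+"Principal": "*",
+"Resource": [
+{
+"Fn::Join": [
+"",
+[
+"arn:aws:s3:::",
+{
+"Ref": "DeploymentBucketName",
+},
+"/*",
+],
+],
+},
+{
+"Fn::Join": [
+"",
+[
+"arn:aws:s3:::",
+{
+"Ref": "DeploymentBucketName",
+},
+],
+],
+},
+],
+},
+],
+},
+},
+"Type": "AWS::S3::BucketPolicy",
+},
 "UnauthRole": {
 "Properties": {
 "AssumeRolePolicyDocument": {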
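--- a/<path-not-shown-4>
+++ b/<path-not-shown-4>
@@ -90,12 +90,32 @@ export class AmplifyRootStack extends cdk.Stack implements AmplifyRootStackTempl
 }
 
 generateRootStackResources = async (): Promise<void> => {
+const bucketName = this._cfnParameterMap.get('DeploymentBucketName').valueAsString;
 this.deploymentBucket = new s3.CfnBucket(this, 'DeploymentBucket', {
-bucketName: this._cfnParameterMap.get('DeploymentBucketName').valueAsString,
+bucketName: bucketName,
 });
 
 this.deploymentBucket.applyRemovalPolicy(cdk.RemovalPolicy.RETAIN);
 
+new s3.CfnBucketPolicy(this, 'DeploymentBucketBlockHTTP', {
+bucket: bucketName,
+policyDocument: {
+Statement: [
+{
+Action: 's3:*',
+Effect: 'Deny',
+Principal: '*',
+Resource: [`arn:aws:s3:::${bucketName}/*`, `arn:aws:s3:::${bucketName}`],
+Condition: {
+Bool: {
+'aws:SecureTransport': false,
+},
+},
+},
+],
+},
+});
+
 this.authRole = new iam.CfnRole(this, 'AuthRole', {
 roleName: this._cfnParameterMap.get('AuthRoleName').valueAsString,
 assumeRolePolicyDocument: {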
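Review bot: `bucketName: bucketName,` in the CfnBucket props can use the property shorthand `bucketName,` now that the local has the same name as the prop. The new CfnBucketPolicy carries no comment explaining why it exists; a one-liner above it such as `// Deny every S3 action over plain HTTP (aws:SecureTransport=false) on both the bucket ARN and its objects` would save the next reader from decoding the condition. Unlike deploymentBucket and authRole, the policy is not kept on `this`, which is fine if nothing downstream needs a handle to it, but worth a deliberate decision. generateRootStackResources continues past the end of the hunk.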
