fix: enforce ssl on s3 deployment bucket (aws-amplify#13857)

packages/amplify-provider-awscloudformation/resources/rootStackTemplate.json

@@ -26,6 +26,53 @@
         }
       }
     },
+    "DeploymentBucketBlockHTTP": {
+      "Type": "AWS::S3::BucketPolicy",
+      "Properties": {
+        "Bucket": {
+          "Ref": "DeploymentBucketName"
+        },
+        "PolicyDocument": {
+          "Statement": [
+            {
+              "Action": "s3:*",
+              "Effect": "Deny",
+              "Principal": "*",
+              "Resource": [
+                {
+                  "Fn::Join": [
+                    "",
+                    [
+                      "arn:aws:s3:::",
+                      {
+                        "Ref": "DeploymentBucketName"
+                      },
+                      "/*"
+                    ]
+                  ]
+                },
+                {
+                  "Fn::Join": [
+                    "",
+                    [
+                      "arn:aws:s3:::",
+                      {
+                        "Ref": "DeploymentBucketName"
+                      }
+                    ]
+                  ]
+                }
+              ],
+              "Condition": {
+                "Bool": {
+                  "aws:SecureTransport": false
+                }
+              }
+            }
+          ]
+        }
+      }
+    },
     "AuthRole": {
       "Type": "AWS::IAM::Role",
       "Properties": {

packages/amplify-provider-awscloudformation/src/__tests__/root-stack-builder/__snapshots__/root-stack-builder.test.ts.snap

@@ -104,6 +104,53 @@ exports[`Check RootStack Template generates root stack Template 1`] = `
       "Type": "AWS::S3::Bucket",
       "UpdateReplacePolicy": "Retain",
     },
+    "DeploymentBucketBlockHTTP": {
+      "Properties": {
+        "Bucket": {
+          "Ref": "DeploymentBucketName",
+        },
+        "PolicyDocument": {
+          "Statement": [
+            {
+              "Action": "s3:*",
+              "Condition": {
+                "Bool": {
+                  "aws:SecureTransport": false,
+                },
+              },
+              "Effect": "Deny",
+              "Principal": "*",
+              "Resource": [
+                {
+                  "Fn::Join": [
+                    "",
+                    [
+                      "arn:aws:s3:::",
+                      {
+                        "Ref": "DeploymentBucketName",
+                      },
+                      "/*",
+                    ],
+                  ],
+                },
+                {
+                  "Fn::Join": [
+                    "",
+                    [
+                      "arn:aws:s3:::",
+                      {
+                        "Ref": "DeploymentBucketName",
+                      },
+                    ],
+                  ],
+                },
+              ],
+            },
+          ],
+        },
+      },
+      "Type": "AWS::S3::BucketPolicy",
+    },
     "UnauthRole": {
       "Properties": {
         "AssumeRolePolicyDocument": {

packages/amplify-provider-awscloudformation/src/__tests__/root-stack-builder/__snapshots__/root-stack-transform.test.ts.snap

@@ -125,6 +125,53 @@ exports[`Root stack template tests Generated root stack template during init 1`]
       "Type": "AWS::S3::Bucket",
       "UpdateReplacePolicy": "Retain",
     },
+    "DeploymentBucketBlockHTTP": {
+      "Properties": {
+        "Bucket": {
+          "Ref": "DeploymentBucketName",
+        },
+        "PolicyDocument": {
+          "Statement": [
+            {
+              "Action": "s3:*",
+              "Condition": {
+                "Bool": {
+                  "aws:SecureTransport": false,
+                },
+              },
+              "Effect": "Deny",
+              "Principal": "*",
+              "Resource": [
+                {
+                  "Fn::Join": [
+                    "",
+                    [
+                      "arn:aws:s3:::",
+                      {
+                        "Ref": "DeploymentBucketName",
+                      },
+                      "/*",
+                    ],
+                  ],
+                },
+                {
+                  "Fn::Join": [
+                    "",
+                    [
+                      "arn:aws:s3:::",
+                      {
+                        "Ref": "DeploymentBucketName",
+                      },
+                    ],
+                  ],
+                },
+              ],
+            },
+          ],
+        },
+      },
+      "Type": "AWS::S3::BucketPolicy",
+    },
     "UnauthRole": {
       "Properties": {
         "AssumeRolePolicyDocument": {

packages/amplify-provider-awscloudformation/src/root-stack-builder/root-stack-builder.ts

@@ -90,12 +90,32 @@ export class AmplifyRootStack extends cdk.Stack implements AmplifyRootStackTempl
   }
 
   generateRootStackResources = async (): Promise<void> => {
+    const bucketName = this._cfnParameterMap.get('DeploymentBucketName').valueAsString;
     this.deploymentBucket = new s3.CfnBucket(this, 'DeploymentBucket', {
-      bucketName: this._cfnParameterMap.get('DeploymentBucketName').valueAsString,
+      bucketName: bucketName,
     });
 
     this.deploymentBucket.applyRemovalPolicy(cdk.RemovalPolicy.RETAIN);
 
+    new s3.CfnBucketPolicy(this, 'DeploymentBucketBlockHTTP', {
+      bucket: bucketName,
+      policyDocument: {
+        Statement: [
+          {
+            Action: 's3:*',
+            Effect: 'Deny',
+            Principal: '*',
+            Resource: [`arn:aws:s3:::${bucketName}/*`, `arn:aws:s3:::${bucketName}`],
+            Condition: {
+              Bool: {
+                'aws:SecureTransport': false,
+              },
+            },
+          },
+        ],
+      },
+    });
+
     this.authRole = new iam.CfnRole(this, 'AuthRole', {
       roleName: this._cfnParameterMap.get('AuthRoleName').valueAsString,
       assumeRolePolicyDocument: {