
Commit 5ec5d4d

authored
fix: enforce ssl on s3 deployment bucket (#13857)
1 parent cca1f3b commit 5ec5d4d


4 files changed

+162
-1
lines changed


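--- a/packages/amplify-provider-awscloudformation/resources/rootStackTemplate.json
+++ b/packages/amplify-provider-awscloudformation/resources/rootStackTemplate.json
@@ -26,6 +26,53 @@
 }
 }
 },
+"DeploymentBucketBlockHTTP": {
+"Type": "AWS::S3::BucketPolicy",
+"Properties": {
+"Bucket": {
+"Ref": "DeploymentBucketName"
+},
+"PolicyDocument": {
+"Statement": [
+{
+"Action": "s3:*",
+"Effect": "Deny",
+"Principal": "*",
+"Resource": [
+{
+"Fn::Join": [
+"",
+[
+"arn:aws:s3:::",
+{
+"Ref": "DeploymentBucketName"
+},
+"/*"
+]
+]
+},
+{
+"Fn::Join": [
+"",
+[
+"arn:aws:s3:::",
+{
+"Ref": "DeploymentBucketName"
+}
+]
+]
+}
+],
+"Condition": {
+"Bool": {
+"aws:SecureTransport": false
+}
+}
+}
+]
+}
+}
+},
 "AuthRole": {
 "Type": "AWS::IAM::Role",
 "Properties": {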
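Review bot: The new DeploymentBucketBlockHTTP resource is not ordered after the bucket it protects: its `"Bucket"` is `{"Ref": "DeploymentBucketName"}`, a parameter rather than the DeploymentBucket resource, so CloudFormation sees no dependency and may attempt to attach the policy before the bucket exists on a fresh stack. Adding `"DependsOn": "DeploymentBucket"` to the policy resource pins the order; in root-stack-builder.ts the equivalent is to keep the CfnBucketPolicy in a local and call `policy.addDependsOn(this.deploymentBucket)`, since `bucket: bucketName` there also references the parameter string and not the bucket construct. The Resource ARNs additionally hard-code the partition in `"arn:aws:s3:::"`, so in the aws-cn and aws-us-gov partitions the Deny statement names an ARN that is not this bucket and S3 is expected to reject the policy; using `{"Ref": "AWS::Partition"}` as the first Fn::Join element (and `cdk.Aws.PARTITION` in the CDK builder) keeps the template portable. Both points apply to the other three files in this commit as well.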

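--- a/packages/amplify-provider-awscloudformation/src/__tests__/root-stack-builder/__snapshots__/root-stack-builder.test.ts.snap
+++ b/packages/amplify-provider-awscloudformation/src/__tests__/root-stack-builder/__snapshots__/root-stack-builder.test.ts.snap
@@ -104,6 +104,53 @@ exports[`Check RootStack Template generates root stack Template 1`] = `
 "Type": "AWS::S3::Bucket",
 "UpdateReplacePolicy": "Retain",
 },
+"DeploymentBucketBlockHTTP": {
+"Properties": {
+"Bucket": {
+"Ref": "DeploymentBucketName",
+},
+"PolicyDocument": {
+"Statement": [
+{
+"Action": "s3:*",
+"Condition": {
+"Bool": {
+"aws:SecureTransport": false,
+},
+},
+"Effect": "Deny",
+"Principal": "*",
+"Resource": [
+{
+"Fn::Join": [
+"",
+[
+"arn:aws:s3:::",
+{
+"Ref": "DeploymentBucketName",
+},
+"/*",
+],
+],
+},
+{
+"Fn::Join": [
+"",
+[
+"arn:aws:s3:::",
+{
+"Ref": "DeploymentBucketName",
+},
+],
+],
+},
+],
+},
+],
+},
+},
+"Type": "AWS::S3::BucketPolicy",
+},
 "UnauthRole": {
 "Properties": {
 "AssumeRolePolicyDocument": {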

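--- a/packages/amplify-provider-awscloudformation/src/__tests__/root-stack-builder/__snapshots__/root-stack-transform.test.ts.snap
+++ b/packages/amplify-provider-awscloudformation/src/__tests__/root-stack-builder/__snapshots__/root-stack-transform.test.ts.snap
@@ -125,6 +125,53 @@ exports[`Root stack template tests Generated root stack template during init 1`]
 "Type": "AWS::S3::Bucket",
 "UpdateReplacePolicy": "Retain",
 },
+"DeploymentBucketBlockHTTP": {
+"Properties": {
+"Bucket": {
+"Ref": "DeploymentBucketName",
+},
+"PolicyDocument": {
+"Statement": [
+{
+"Action": "s3:*",
+"Condition": {
+"Bool": {
+"aws:SecureTransport": false,
+},
+},
+"Effect": "Deny",
+"Principal": "*",
+"Resource": [
+{
+"Fn::Join": [
+"",
+[
+"arn:aws:s3:::",
+{
+"Ref": "DeploymentBucketName",
+},
+"/*",
+],
+],
+},
+{
+"Fn::Join": [
+"",
+[
+"arn:aws:s3:::",
+{
+"Ref": "DeploymentBucketName",
+},
+],
+],
+},
+],
+},
+],
+},
+},
+"Type": "AWS::S3::BucketPolicy",
+},
 "UnauthRole": {
 "Properties": {
 "AssumeRolePolicyDocument": {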

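--- a/packages/amplify-provider-awscloudformation/src/root-stack-builder/root-stack-builder.ts
+++ b/packages/amplify-provider-awscloudformation/src/root-stack-builder/root-stack-builder.ts
@@ -90,12 +90,32 @@ export class AmplifyRootStack extends cdk.Stack implements AmplifyRootStackTempl
 }
 
 generateRootStackResources = async (): Promise<void> => {
+const bucketName = this._cfnParameterMap.get('DeploymentBucketName').valueAsString;
 this.deploymentBucket = new s3.CfnBucket(this, 'DeploymentBucket', {
-bucketName: this._cfnParameterMap.get('DeploymentBucketName').valueAsString,
+bucketName: bucketName,
 });
 
 this.deploymentBucket.applyRemovalPolicy(cdk.RemovalPolicy.RETAIN);
 
+new s3.CfnBucketPolicy(this, 'DeploymentBucketBlockHTTP', {
+bucket: bucketName,
+policyDocument: {
+Statement: [
+{
+Action: 's3:*',
+Effect: 'Deny',
+Principal: '*',
+Resource: [`arn:aws:s3:::${bucketName}/*`, `arn:aws:s3:::${bucketName}`],
+Condition: {
+Bool: {
+'aws:SecureTransport': false,
+},
+},
+},
+],
+},
+});
+
 this.authRole = new iam.CfnRole(this, 'AuthRole', {
 roleName: this._cfnParameterMap.get('AuthRoleName').valueAsString,
 assumeRolePolicyDocument: {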
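Review bot: The new CfnBucketPolicy carries no comment saying why it exists, and a reader has to decode the Deny statement to learn that it only blocks plaintext requests; a one-liner above it such as `// Deny every non-TLS request (aws:SecureTransport = false) to the deployment bucket and its objects` states the intent and the scope. The `Resource` entry builds ARNs from `bucketName`, which is a CloudFormation parameter token; that is what the JSON snapshots show as Fn::Join, so it resolves correctly, but a short note that the interpolation is intentional would save the next maintainer from "fixing" it. `bucketName: bucketName,` in the CfnBucket props can be the shorthand `bucketName,`. generateRootStackResources continues past the end of the hunk.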
