
Commit 9da0780

authored
chore(codepipeline): enforce SSL on implicitly-created S3 buckets (#18268)
Users could pass their own bucket, but automatically created buckets are convenient and popular, so it is worth improving their defaults https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-codepipeline.Pipeline.html https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-s3.Bucket.html --- ```sh # updated integ snapshots packages/@aws-cdk/aws-events-targets $ /workspace/aws-cdk/tools/\@aws-cdk/cdk-integ-tools/bin/cdk-integ --dry-run packages/@aws-cdk/aws-codepipeline-actions $ /workspace/aws-cdk/tools/\@aws-cdk/cdk-integ-tools/bin/cdk-integ --dry-run packages/@aws-cdk/pipelines $ /workspace/aws-cdk/tools/\@aws-cdk/cdk-integ-tools/bin/cdk-integ --dry-run ``` --- ```sh # eslint fix /workspace/aws-cdk/node_modules/eslint/bin/eslint.js packages/@aws-cdk/aws-codepipeline-actions/test/ --ext=.ts --fix ``` ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
1 parent ccea069 commit 9da0780

20 files changed

+792
-56
lines changed

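--- a/packages/@aws-cdk/aws-codepipeline-actions/test/cloudformation/cloudformation-pipeline-actions.test.ts
+++ b/packages/@aws-cdk/aws-codepipeline-actions/test/cloudformation/cloudformation-pipeline-actions.test.ts
@@ -666,6 +666,19 @@ describe('CloudFormation Pipeline Actions', () => {
 expect(pipelineStack).toHaveResourceLike('AWS::S3::BucketPolicy', {
 'PolicyDocument': {
 'Statement': [
+{
+'Action': 's3:*',
+'Condition': {
+'Bool': { 'aws:SecureTransport': 'false' },
+},
+'Effect': 'Deny',
+'Principal': {
+'AWS': '*',
+},
+'Resource': [
+
+],
+},
 {
 'Action': [
 's3:GetObject*',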
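Review bot: The `'Resource'` array of the added Deny statement in the expected pattern is empty (new lines 678–680), so the assertion does not pin the SSL-only deny to the artifacts bucket ARN and its `/*` object ARN, and whether `toHaveResourceLike` tolerates an empty array against the two synthesized entries depends on matcher array semantics not visible here. Filling the pattern with the two entries the snapshots in this commit show — `{ 'Fn::GetAtt': ['<bucket logical id>', 'Arn'] }` and the `Fn::Join` of that ARN with `'/*'` (the snapshots use `PipelineArtifactsBucket22248F97`; confirm the id for this test stack) — would make the test verify the deny's scope rather than only its presence. If the omission is deliberate, a one-line comment such as `// Resource intentionally unspecified: only the presence of the SecureTransport Deny is asserted` should say so. The enclosing test and describe blocks start and end outside the hunk.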

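--- a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.cfn-template-from-repo.lit.expected.json
+++ b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.cfn-template-from-repo.lit.expected.json
@@ -41,6 +41,20 @@
 "UpdateReplacePolicy": "Delete",
 "DeletionPolicy": "Delete"
 },
+"PipelineArtifactsBucketEncryptionKeyAlias5C510EEE": {
+"Type": "AWS::KMS::Alias",
+"Properties": {
+"AliasName": "alias/codepipeline-awscdkcodepipelinecloudformationpipeline7dbde619",
+"TargetKeyId": {
+"Fn::GetAtt": [
+"PipelineArtifactsBucketEncryptionKey01D58D69",
+"Arn"
+]
+}
+},
+"UpdateReplacePolicy": "Delete",
+"DeletionPolicy": "Delete"
+},
 "PipelineArtifactsBucket22248F97": {
 "Type": "AWS::S3::Bucket",
 "Properties": {
@@ -69,19 +83,52 @@
 "UpdateReplacePolicy": "Retain",
 "DeletionPolicy": "Retain"
 },
-"PipelineArtifactsBucketEncryptionKeyAlias5C510EEE": {
-"Type": "AWS::KMS::Alias",
+"PipelineArtifactsBucketPolicyD4F9712A": {
+"Type": "AWS::S3::BucketPolicy",
 "Properties": {
-"AliasName": "alias/codepipeline-awscdkcodepipelinecloudformationpipeline7dbde619",
-"TargetKeyId": {
-"Fn::GetAtt": [
-"PipelineArtifactsBucketEncryptionKey01D58D69",
-"Arn"
-]
+"Bucket": {
+"Ref": "PipelineArtifactsBucket22248F97"
+},
+"PolicyDocument": {
+"Statement": [
+{
+"Action": "s3:*",
+"Condition": {
+"Bool": {
+"aws:SecureTransport": "false"
+}
+},
+"Effect": "Deny",
+"Principal": {
+"AWS": "*"
+},
+"Resource": [
+{
+"Fn::GetAtt": [
+"PipelineArtifactsBucket22248F97",
+"Arn"
+]
+},
+{
+"Fn::Join": [
+"",
+[
+{
+"Fn::GetAtt": [
+"PipelineArtifactsBucket22248F97",
+"Arn"
+]
+},
+"/*"
+]
+]
+}
+]
+}
+],
+"Version": "2012-10-17"
 }
-},
-"UpdateReplacePolicy": "Delete",
-"DeletionPolicy": "Delete"
+}
 },
 "PipelineRoleD68726F7": {
 "Type": "AWS::IAM::Role",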

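--- a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.lambda-deployed-through-codepipeline.lit.expected.json
+++ b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.lambda-deployed-through-codepipeline.lit.expected.json
@@ -35,6 +35,20 @@
 "UpdateReplacePolicy": "Delete",
 "DeletionPolicy": "Delete"
 },
+"PipelineArtifactsBucketEncryptionKeyAlias5C510EEE": {
+"Type": "AWS::KMS::Alias",
+"Properties": {
+"AliasName": "alias/codepipeline-pipelinestackpipeline9db740af",
+"TargetKeyId": {
+"Fn::GetAtt": [
+"PipelineArtifactsBucketEncryptionKey01D58D69",
+"Arn"
+]
+}
+},
+"UpdateReplacePolicy": "Delete",
+"DeletionPolicy": "Delete"
+},
 "PipelineArtifactsBucket22248F97": {
 "Type": "AWS::S3::Bucket",
 "Properties": {
@@ -63,19 +77,52 @@
 "UpdateReplacePolicy": "Retain",
 "DeletionPolicy": "Retain"
 },
-"PipelineArtifactsBucketEncryptionKeyAlias5C510EEE": {
-"Type": "AWS::KMS::Alias",
+"PipelineArtifactsBucketPolicyD4F9712A": {
+"Type": "AWS::S3::BucketPolicy",
 "Properties": {
-"AliasName": "alias/codepipeline-pipelinestackpipeline9db740af",
-"TargetKeyId": {
-"Fn::GetAtt": [
-"PipelineArtifactsBucketEncryptionKey01D58D69",
-"Arn"
-]
+"Bucket": {
+"Ref": "PipelineArtifactsBucket22248F97"
+},
+"PolicyDocument": {
+"Statement": [
+{
+"Action": "s3:*",
+"Condition": {
+"Bool": {
+"aws:SecureTransport": "false"
+}
+},
+"Effect": "Deny",
+"Principal": {
+"AWS": "*"
+},
+"Resource": [
+{
+"Fn::GetAtt": [
+"PipelineArtifactsBucket22248F97",
+"Arn"
+]
+},
+{
+"Fn::Join": [
+"",
+[
+{
+"Fn::GetAtt": [
+"PipelineArtifactsBucket22248F97",
+"Arn"
+]
+},
+"/*"
+]
+]
+}
+]
+}
+],
+"Version": "2012-10-17"
 }
-},
-"UpdateReplacePolicy": "Delete",
-"DeletionPolicy": "Delete"
+}
 },
 "PipelineRoleD68726F7": {
 "Type": "AWS::IAM::Role",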

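--- a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.lambda-pipeline.expected.json
+++ b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.lambda-pipeline.expected.json
@@ -77,6 +77,53 @@
 "UpdateReplacePolicy": "Retain",
 "DeletionPolicy": "Retain"
 },
+"PipelineArtifactsBucketPolicyD4F9712A": {
+"Type": "AWS::S3::BucketPolicy",
+"Properties": {
+"Bucket": {
+"Ref": "PipelineArtifactsBucket22248F97"
+},
+"PolicyDocument": {
+"Statement": [
+{
+"Action": "s3:*",
+"Condition": {
+"Bool": {
+"aws:SecureTransport": "false"
+}
+},
+"Effect": "Deny",
+"Principal": {
+"AWS": "*"
+},
+"Resource": [
+{
+"Fn::GetAtt": [
+"PipelineArtifactsBucket22248F97",
+"Arn"
+]
+},
+{
+"Fn::Join": [
+"",
+[
+{
+"Fn::GetAtt": [
+"PipelineArtifactsBucket22248F97",
+"Arn"
+]
+},
+"/*"
+]
+]
+}
+]
+}
+],
+"Version": "2012-10-17"
+}
+}
+},
 "PipelineRoleD68726F7": {
 "Type": "AWS::IAM::Role",
 "Properties": {
@@ -788,4 +835,4 @@
 ]
 }
 }
-}
+}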

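--- a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-alexa-deploy.expected.json
+++ b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-alexa-deploy.expected.json
@@ -87,6 +87,53 @@
 "UpdateReplacePolicy": "Retain",
 "DeletionPolicy": "Retain"
 },
+"PipelineArtifactsBucketPolicyD4F9712A": {
+"Type": "AWS::S3::BucketPolicy",
+"Properties": {
+"Bucket": {
+"Ref": "PipelineArtifactsBucket22248F97"
+},
+"PolicyDocument": {
+"Statement": [
+{
+"Action": "s3:*",
+"Condition": {
+"Bool": {
+"aws:SecureTransport": "false"
+}
+},
+"Effect": "Deny",
+"Principal": {
+"AWS": "*"
+},
+"Resource": [
+{
+"Fn::GetAtt": [
+"PipelineArtifactsBucket22248F97",
+"Arn"
+]
+},
+{
+"Fn::Join": [
+"",
+[
+{
+"Fn::GetAtt": [
+"PipelineArtifactsBucket22248F97",
+"Arn"
+]
+},
+"/*"
+]
+]
+}
+]
+}
+],
+"Version": "2012-10-17"
+}
+}
+},
 "PipelineRoleD68726F7": {
 "Type": "AWS::IAM::Role",
 "Properties": {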

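--- a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-cfn.expected.json
+++ b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-cfn.expected.json
@@ -77,6 +77,53 @@
 "UpdateReplacePolicy": "Retain",
 "DeletionPolicy": "Retain"
 },
+"PipelineArtifactsBucketPolicyD4F9712A": {
+"Type": "AWS::S3::BucketPolicy",
+"Properties": {
+"Bucket": {
+"Ref": "PipelineArtifactsBucket22248F97"
+},
+"PolicyDocument": {
+"Statement": [
+{
+"Action": "s3:*",
+"Condition": {
+"Bool": {
+"aws:SecureTransport": "false"
+}
+},
+"Effect": "Deny",
+"Principal": {
+"AWS": "*"
+},
+"Resource": [
+{
+"Fn::GetAtt": [
+"PipelineArtifactsBucket22248F97",
+"Arn"
+]
+},
+{
+"Fn::Join": [
+"",
+[
+{
+"Fn::GetAtt": [
+"PipelineArtifactsBucket22248F97",
+"Arn"
+]
+},
+"/*"
+]
+]
+}
+]
+}
+],
+"Version": "2012-10-17"
+}
+}
+},
 "PipelineRoleD68726F7": {
 "Type": "AWS::IAM::Role",
 "Properties": {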
