
s3: add support for TlsVersion condition key in Bucket #27279

Closed
2 tasks
rittneje opened this issue Sep 25, 2023 · 2 comments · Fixed by #27297
Labels
@aws-cdk/aws-s3 Related to Amazon S3 effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. p1

Comments

@rittneje

Describe the feature

Currently the aws_s3.Bucket constructor has a flag for enforce_ssl. However, this only mandates that TLS is used, not which version of TLS.

Recently, S3 added support for restricting which version of TLS is allowed via the s3:TlsVersion condition key. https://repost.aws/knowledge-center/s3-enforce-modern-tls

Please add another constructor parameter enforce_minimum_tls_version to specify the minimum version.

Open question: If enforce_minimum_tls_version is specified but enforce_ssl is not, what happens? I believe it should default to mandating TLS. If you don't want that, you must explicitly pass enforce_ssl=False.

Use Case

We want to follow modern security best practices.

Proposed Solution

No response

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.85.0

Environment details (OS name and version, etc.)

Alpine 3.18
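As an added illustration (not aws-cdk code and not the implementation from the linked PR): the two bucket-policy Deny statements that `enforce_ssl` and a minimum TLS version correspond to, built as plain dicts with the defaulting rule proposed in the request, and checked against constructed request contexts using a simplified model of IAM condition evaluation. The bucket ARN, the request contexts, and the modelled rule that a condition key absent from the request context makes its condition false (so `s3:TlsVersion` alone does not catch plaintext requests) are assumptions of this example.

```python
"""Added example: S3 bucket-policy statements for enforce_ssl and a minimum
TLS version, evaluated with a simplified model of IAM condition semantics."""
import json

BUCKET_ARN = "arn:aws:s3:::example-bucket"  # assumed bucket name


def enforce_ssl_statement(bucket_arn):
    # Deny any request that did not arrive over TLS at all.
    return {
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": {"AWS": "*"},
        "Action": "s3:*",
        "Resource": [bucket_arn, f"{bucket_arn}/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }


def minimum_tls_statement(bucket_arn, minimum_version):
    # Deny requests whose negotiated TLS version is below the minimum.
    return {
        "Sid": "DenyOutdatedTls",
        "Effect": "Deny",
        "Principal": {"AWS": "*"},
        "Action": "s3:*",
        "Resource": [bucket_arn, f"{bucket_arn}/*"],
        "Condition": {"NumericLessThan": {"s3:TlsVersion": str(minimum_version)}},
    }


def bucket_policy(bucket_arn, minimum_tls_version=None, enforce_ssl=None):
    # Defaulting rule from the request: a minimum TLS version implies
    # enforce_ssl unless the caller explicitly passes enforce_ssl=False.
    if enforce_ssl is None:
        enforce_ssl = minimum_tls_version is not None
    statements = []
    if enforce_ssl:
        statements.append(enforce_ssl_statement(bucket_arn))
    if minimum_tls_version is not None:
        statements.append(minimum_tls_statement(bucket_arn, minimum_tls_version))
    return {"Version": "2012-10-17", "Statement": statements}


def condition_matches(condition, context):
    # Assumed (simplified) IAM semantics: every operator/key pair must match,
    # and a key missing from the request context makes the condition false.
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in context:
                return False
            actual = context[key]
            if operator == "Bool":
                if str(actual).lower() != expected.lower():
                    return False
            elif operator == "NumericLessThan":
                if not float(actual) < float(expected):
                    return False
            else:
                raise ValueError(f"unsupported operator in example: {operator}")
    return True


def is_denied(policy, context):
    # Only Deny statements exist in these policies; any matching one denies.
    return any(
        stmt["Effect"] == "Deny" and condition_matches(stmt.get("Condition", {}), context)
        for stmt in policy["Statement"]
    )


# Constructed request contexts: plaintext HTTP, TLS 1.0 and TLS 1.2 clients.
# Assumption: s3:TlsVersion is absent from the context of a plaintext request.
HTTP_REQUEST = {"aws:SecureTransport": "false"}
TLS10_REQUEST = {"aws:SecureTransport": "true", "s3:TlsVersion": "1.0"}
TLS12_REQUEST = {"aws:SecureTransport": "true", "s3:TlsVersion": "1.2"}

if __name__ == "__main__":
    weak = bucket_policy(BUCKET_ARN, minimum_tls_version=1.2, enforce_ssl=False)
    strong = bucket_policy(BUCKET_ARN, minimum_tls_version=1.2)
    print(json.dumps(strong, indent=2))
    for name, ctx in [("http", HTTP_REQUEST), ("tls1.0", TLS10_REQUEST), ("tls1.2", TLS12_REQUEST)]:
        print(f"{name}: weak denies={is_denied(weak, ctx)} strong denies={is_denied(strong, ctx)}")
```

The `weak` policy shows why the minimum-version statement is not a substitute for `enforce_ssl`: under the modelled semantics a plaintext request carries no `s3:TlsVersion`, so `NumericLessThan` never matches it and only the `aws:SecureTransport` statement denies it.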

@rittneje rittneje added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Sep 25, 2023
@github-actions github-actions bot added the @aws-cdk/aws-s3 Related to Amazon S3 label Sep 25, 2023
@peterwoodworth peterwoodworth added p1 effort/small Small work item – less than a day of effort and removed needs-triage This issue or PR still needs to be triaged. labels Sep 25, 2023
@peterwoodworth (Contributor)

Thanks for the request 👍🏻

mergify bot added a commit to lpizzinidev/aws-cdk that referenced this issue Sep 27, 2023
@mergify mergify bot closed this as completed in #27297 Sep 27, 2023
mergify bot pushed a commit that referenced this issue Sep 27, 2023
Leverages the `s3:TLSVersion` IAM condition key to allow specifying a minimum TLS version for S3 requests.
Requires `enforceSSL` to be enabled.

Example:
```
const bucket = new s3.Bucket(this, 'Bucket', {
  enforceSSL: true,
  minimumTLSVersion: 1.2,
});
```

Closes #27279.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*