SNS: Enforce SSL with Prop #29142
Comments
I am not sure if we should expose that to the L2 props, but feel free to submit a PR to move this forward. Thank you!
Adds a statement to match the document in the [docs](https://docs.aws.amazon.com/sns/latest/dg/sns-security-best-practices.html#enforce-encryption-data-in-transit):

```
{
  "Id": "ExamplePolicy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowPublishThroughSSLOnly",
      "Action": "SNS:Publish",
      "Effect": "Deny",
      "Resource": [
        "arn:aws:sns:us-east-1:1234567890:test-topic"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      },
      "Principal": "*"
    }
  ]
}
```

Closes #29142.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
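The deny statement above is the whole mechanism: an explicit `Deny` on `SNS:Publish` for every principal when `aws:SecureTransport` is `false`. The following is an added example, not code from the aws-cdk PR, from cdk-nag, or from the SNS docs. It builds that statement for a given topic ARN and checks whether an arbitrary topic policy document already enforces TLS in that way, which is the kind of check a cdk-nag style rule performs. It assumes nothing beyond the policy JSON shown in the PR; the helper names (`enforces_ssl`, `add_enforce_ssl`) and the extra sample policies are constructed for illustration.

```python
# Added example (not the aws-cdk project's code): build the "deny publish over
# plain HTTP" statement from the PR and check an SNS topic policy for it.
import json

# Constructed sample: the policy from the PR description, as JSON text.
PR_POLICY_JSON = """
{
  "Id": "ExamplePolicy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowPublishThroughSSLOnly",
      "Action": "SNS:Publish",
      "Effect": "Deny",
      "Resource": ["arn:aws:sns:us-east-1:1234567890:test-topic"],
      "Condition": {"Bool": {"aws:SecureTransport": "false"}},
      "Principal": "*"
    }
  ]
}
"""
TOPIC_ARN = "arn:aws:sns:us-east-1:1234567890:test-topic"  # the ARN used in the PR


def load_pr_policy() -> dict:
    """Parse the constructed PR policy above."""
    return json.loads(PR_POLICY_JSON)


def enforce_ssl_statement(topic_arn: str) -> dict:
    """The deny statement from the PR, parameterised on the topic ARN."""
    return {
        "Sid": "AllowPublishThroughSSLOnly",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "SNS:Publish",
        "Resource": [topic_arn],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }


def _as_list(value):
    """IAM accepts a scalar or a list for Statement, Action, Resource and condition values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal) -> bool:
    # "*" and {"AWS": "*"} both mean any principal.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _covers_publish(actions) -> bool:
    # IAM action names match case-insensitively; service or global wildcards also cover Publish.
    return any(a.lower() in ("sns:publish", "sns:*", "*") for a in _as_list(actions))


def _covers_topic(resources, topic_arn: str) -> bool:
    return any(r in ("*", topic_arn) for r in _as_list(resources))


def _denies_plaintext(condition) -> bool:
    # Must be Bool aws:SecureTransport == false. A Deny keyed on "true" would block TLS instead.
    values = _as_list((condition or {}).get("Bool", {}).get("aws:SecureTransport"))
    return any(str(v).lower() == "false" for v in values)


def enforces_ssl(policy: dict, topic_arn: str) -> bool:
    """True if some statement denies SNS:Publish to everyone when aws:SecureTransport is false.

    An Allow conditioned on aws:SecureTransport == "true" is not enough: any other
    Allow (for example an owner-account statement) still permits plaintext publishes,
    so only an explicit Deny counts.
    """
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        if not _covers_publish(stmt.get("Action")):
            continue
        if not _covers_topic(stmt.get("Resource"), topic_arn):
            continue
        if _denies_plaintext(stmt.get("Condition")):
            return True
    return False


def add_enforce_ssl(policy: dict, topic_arn: str) -> dict:
    """Return a copy of policy with the deny statement appended unless TLS is already enforced."""
    updated = json.loads(json.dumps(policy))  # deep copy; the caller's dict is untouched
    if not enforces_ssl(updated, topic_arn):
        updated["Statement"] = _as_list(updated.get("Statement")) + [enforce_ssl_statement(topic_arn)]
    return updated


if __name__ == "__main__":
    print("PR policy enforces TLS:", enforces_ssl(load_pr_policy(), TOPIC_ARN))
    # Constructed policy with only an owner Allow: not enforcing, so the statement gets added.
    owner_only = {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::1234567890:root"},
         "Action": "SNS:Publish", "Resource": TOPIC_ARN}]}
    print(json.dumps(add_enforce_ssl(owner_only, TOPIC_ARN), indent=2))
```

Note that the statement only covers `SNS:Publish`, exactly as in the SNS docs and the PR; other topic API calls made over plain HTTP are not denied by it, so a check that wants more must look for a broader `Action`.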
Hello, does this work? I've tried both Python and TypeScript, CDK latest and 2.129.0 (the release it was added in, according to the release notes), and neither adds a TopicPolicy when the enforceSSL/enforce_ssl property is set to true/True. The synth is the same whether I add that property or not.
That is because the enforceSSL statement is only added if you use "addToResourcePolicy" afterwards. I would expect to have it added in any case.
Describe the feature
I'd like the ability to enforce SSL on an SNS topic in a similar fashion as the Bucket construct. The Bucket construct has a property, `enforceSSL`, that will automatically update the bucket policy and enforce SSL. I'd like something similar that will automatically update the topic policy.

https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html#enforcessl
Use Case
In the `AwsSolutionsChecks` within cdk-nag, there is a rule that requires SSL on SNS Topics, `AwsSolutions-SNS3`. Given that is a recommended practice, I believe setting an SNS Topic's policy so that it requires SSL would be a typical scenario. Since it's a typical scenario, I'd like a property to do it for me rather than having to write up a TopicPolicy every time.

https://github.com/cdklabs/cdk-nag/blob/main/RULES.md
Proposed Solution
Other Information
No response
Acknowledgements
CDK version used
2.126.0
Environment details (OS name and version, etc.)
macOS 14.3