feat(bootstrap): require aws:SecureTransport for staging bucket
#7192
Conversation
Many of our customers are going to run the open source tool `Scout2` over their AWS accounts to determine their security posture. By default, this tool is going to report the lack of an `aws:SecureTransport` restriction on S3 buckets with "medium" severity, which will alarm users and for those in enterprise environments require them to address the situation. The bootstrap stack is one which users don't have a lot of control over (without going to a full-fledged custom template), and enabling this flag out of the box seems like a good default, so that the most common posture-checking tool won't trip over a default CDK setup.
| Resource: | ||
| - { 'Fn::Sub': '${StagingBucket.Arn}' } | ||
| - { 'Fn::Sub': '${StagingBucket.Arn}/*' } |
There was a problem hiding this comment.
Could this not just be *? This is a Deny within a BucketPolicy, so I don't see what being so specific adds... beyond maybe a risk of inadvertently not including something?
There was a problem hiding this comment.
I guess. This is just the way the recommended policy looks.
There was a problem hiding this comment.
Well then! This is unironically...
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
rix0rrr
added
the
pr-linter/exempt-readme
rix0rrr
added
the
pr-linter/exempt-test
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
|
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
…s#7192) Many of our customers are going to run the open source tool `Scout2` over their AWS accounts to determine their security posture. By default, this tool is going to report the lack of an `aws:SecureTransport` restriction on S3 buckets with "medium" severity, which will alarm users and for those in enterprise environments require them to address the situation. The bootstrap stack is one which users don't have a lot of control over (without going to a full-fledged custom template), and enabling this flag out of the box seems like a good default, so that the most common posture-checking tool won't trip over a default CDK setup.
Commit Message
Many of our customers are going to run the open source tool
Scout2over their AWS accounts to determine their security posture.
By default, this tool is going to report the lack of an
aws:SecureTransportrestriction on S3 buckets with "medium" severity,which will alarm users and for those in enterprise environments
require them to address the situation.
The bootstrap stack is one which users don't have a lot of control over
(without going to a full-fledged custom template), and enabling this
flag out of the box seems like a good default, so that the most common
posture-checking tool won't trip over a default CDK setup.
End Commit Message
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license