From e323e1eb27dae696d3dd8a6147496adc5f3af275 Mon Sep 17 00:00:00 2001
From: Amir Szekely
Date: Wed, 24 Jan 2024 18:58:09 -0500
Subject: [PATCH] feat: More secure S3 settings (#122)

Force SSL, block all public access and encrypt bucket where we save the layers. Lambda supports all those settings. Fixes #121

---
src/base.ts | 4 +
.../Turbo-Layer-Test.assets.json | 4 +-
.../Turbo-Layer-Test.template.json | 906 +++++++++++++++++-
3 files changed, 900 insertions(+), 14 deletions(-)

diff --git a/src/base.ts b/src/base.ts
index b29e608..e595836 100644
--- a/src/base.ts
+++ b/src/base.ts
@@ -19,6 +19,7 @@ import {
 Stack,
 } from 'aws-cdk-lib';
 import { RetentionDays } from 'aws-cdk-lib/aws-logs';
+import { BucketEncryption } from 'aws-cdk-lib/aws-s3';
 import { Construct } from 'constructs';
 import { PackageCodebuildFunction } from './package-codebuild-function';
 import { PackageNodejsFunction } from './package-nodejs-function';
@@ -141,6 +142,9 @@ export class BaseDependencyPackager extends Construct implements iam.IGrantable,
 this.packagesBucket = new s3.Bucket(this, 'Bucket', {
 autoDeleteObjects: true,
+ enforceSSL: true,
+ blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL,
+ encryption: BucketEncryption.S3_MANAGED,
 removalPolicy: RemovalPolicy.DESTROY,
 });
diff --git a/test/default.integ.snapshot/Turbo-Layer-Test.assets.json b/test/default.integ.snapshot/Turbo-Layer-Test.assets.json
index a7a67ff..54ad757 100644
--- a/test/default.integ.snapshot/Turbo-Layer-Test.assets.json
+++ b/test/default.integ.snapshot/Turbo-Layer-Test.assets.json
@@ -235,7 +235,7 @@
 }
 }
 },
- "3ef59ef101f0ad12362a1e794aa4fbdf90192fc99e828202e7b8ffff7e888ca4": {
+ "eec3cdcb6f11b28abf2677fd100a9b04905082c33e1e8097ef11ac2dd1111390": {
 "source": {
 "path": "Turbo-Layer-Test.template.json",
 "packaging": "file"
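Review bot: `encryption: BucketEncryption.S3_MANAGED,` reaches aws-s3 through a new bare import while the two lines around it use the `s3` namespace (`s3.Bucket`, `s3.BlockPublicAccess.BLOCK_ALL`); `encryption: s3.BucketEncryption.S3_MANAGED,` keeps the options block consistent and makes the `+import { BucketEncryption } from 'aws-cdk-lib/aws-s3';` line in the first hunk unnecessary. The three settings are hard-coded, so a consumer who must keep layer artifacts under a customer-managed KMS key has no way to pass one; if that is ever wanted, exposing an optional `encryptionKey` (with the matching `encryption` mode) on the packager props would be the backward-compatible extension, but that is beyond this fix. The snapshot hunks in the test template show the intended effect (an `AES256` default-encryption rule, all four public-access blocks set, and a bucket-policy `Deny` on `aws:SecureTransport` `false`), which is the right place to pin it. The constructor this block belongs to starts and ends outside the hunk.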
@@ -243,7 +243,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "3ef59ef101f0ad12362a1e794aa4fbdf90192fc99e828202e7b8ffff7e888ca4.json", + "objectKey": "eec3cdcb6f11b28abf2677fd100a9b04905082c33e1e8097ef11ac2dd1111390.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/test/default.integ.snapshot/Turbo-Layer-Test.template.json b/test/default.integ.snapshot/Turbo-Layer-Test.template.json index db1da6c..7aa30fb 100644 --- a/test/default.integ.snapshot/Turbo-Layer-Test.template.json +++ b/test/default.integ.snapshot/Turbo-Layer-Test.template.json @@ -3,6 +3,21 @@ "Python39CodeBuildx64PackagerBucket67BD7B46": { "Type": "AWS::S3::Bucket", "Properties": { + "BucketEncryption": { + "ServerSideEncryptionConfiguration": [ + { + "ServerSideEncryptionByDefault": { + "SSEAlgorithm": "AES256" + } + } + ] + }, + "PublicAccessBlockConfiguration": { + "BlockPublicAcls": true, + "BlockPublicPolicy": true, + "IgnorePublicAcls": true, + "RestrictPublicBuckets": true + }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", @@ -21,6 +36,40 @@ }, "PolicyDocument": { "Statement": [ + { + "Action": "s3:*", + "Condition": { + "Bool": { + "aws:SecureTransport": "false" + } + }, + "Effect": "Deny", + "Principal": { + "AWS": "*" + }, + "Resource": [ + { + "Fn::GetAtt": [ + "Python39CodeBuildx64PackagerBucket67BD7B46", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "Python39CodeBuildx64PackagerBucket67BD7B46", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + }, { "Action": [ "s3:GetBucket*", 
@@ -2402,6 +2451,21 @@ "Python39Lambdax64PackagerBucket70830FD9": { "Type": "AWS::S3::Bucket", "Properties": { + "BucketEncryption": { + "ServerSideEncryptionConfiguration": [ + { + "ServerSideEncryptionByDefault": { + "SSEAlgorithm": "AES256" + } + } + ] + }, + "PublicAccessBlockConfiguration": { + "BlockPublicAcls": true, + "BlockPublicPolicy": true, + "IgnorePublicAcls": true, + "RestrictPublicBuckets": true + }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", @@ -2420,6 +2484,40 @@ }, "PolicyDocument": { "Statement": [ + { + "Action": "s3:*", + "Condition": { + "Bool": { + "aws:SecureTransport": "false" + } + }, + "Effect": "Deny", + "Principal": { + "AWS": "*" + }, + "Resource": [ + { + "Fn::GetAtt": [ + "Python39Lambdax64PackagerBucket70830FD9", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "Python39Lambdax64PackagerBucket70830FD9", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + }, { "Action": [ "s3:GetBucket*", @@ -3327,6 +3425,21 @@ "Python39CodeBuildarm64PackagerBucketD4C397D6": { "Type": "AWS::S3::Bucket", "Properties": { + "BucketEncryption": { + "ServerSideEncryptionConfiguration": [ + { + "ServerSideEncryptionByDefault": { + "SSEAlgorithm": "AES256" + } + } + ] + }, + "PublicAccessBlockConfiguration": { + "BlockPublicAcls": true, + "BlockPublicPolicy": true, + "IgnorePublicAcls": true, + "RestrictPublicBuckets": true + }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", @@ -3345,6 +3458,40 @@ }, "PolicyDocument": { "Statement": [ + { + "Action": "s3:*", + "Condition": { + "Bool": { + "aws:SecureTransport": "false" + } + }, + "Effect": "Deny", + "Principal": { + "AWS": "*" + }, + "Resource": [ + { + "Fn::GetAtt": [ + "Python39CodeBuildarm64PackagerBucketD4C397D6", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "Python39CodeBuildarm64PackagerBucketD4C397D6", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + }, { "Action": [ "s3:GetBucket*", 
@@ -4514,6 +4661,21 @@ "Python39Lambdaarm64PackagerBucket34D81964": { "Type": "AWS::S3::Bucket", "Properties": { + "BucketEncryption": { + "ServerSideEncryptionConfiguration": [ + { + "ServerSideEncryptionByDefault": { + "SSEAlgorithm": "AES256" + } + } + ] + }, + "PublicAccessBlockConfiguration": { + "BlockPublicAcls": true, + "BlockPublicPolicy": true, + "IgnorePublicAcls": true, + "RestrictPublicBuckets": true + }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", @@ -4532,6 +4694,40 @@ }, "PolicyDocument": { "Statement": [ + { + "Action": "s3:*", + "Condition": { + "Bool": { + "aws:SecureTransport": "false" + } + }, + "Effect": "Deny", + "Principal": { + "AWS": "*" + }, + "Resource": [ + { + "Fn::GetAtt": [ + "Python39Lambdaarm64PackagerBucket34D81964", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "Python39Lambdaarm64PackagerBucket34D81964", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + }, { "Action": [ "s3:GetBucket*", @@ -5439,6 +5635,21 @@ "Nodejs16CodeBuildx64PackagerBucket37D1B55F": { "Type": "AWS::S3::Bucket", "Properties": { + "BucketEncryption": { + "ServerSideEncryptionConfiguration": [ + { + "ServerSideEncryptionByDefault": { + "SSEAlgorithm": "AES256" + } + } + ] + }, + "PublicAccessBlockConfiguration": { + "BlockPublicAcls": true, + "BlockPublicPolicy": true, + "IgnorePublicAcls": true, + "RestrictPublicBuckets": true + }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", @@ -5457,6 +5668,40 @@ }, "PolicyDocument": { "Statement": [ + { + "Action": "s3:*", + "Condition": { + "Bool": { + "aws:SecureTransport": "false" + } + }, + "Effect": "Deny", + "Principal": { + "AWS": "*" + }, + "Resource": [ + { + "Fn::GetAtt": [ + "Nodejs16CodeBuildx64PackagerBucket37D1B55F", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "Nodejs16CodeBuildx64PackagerBucket37D1B55F", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + }, { "Action": [ "s3:GetBucket*", 
@@ -6478,6 +6723,21 @@ "Nodejs16Lambdax64PackagerBucket48E2EDC3": { "Type": "AWS::S3::Bucket", "Properties": { + "BucketEncryption": { + "ServerSideEncryptionConfiguration": [ + { + "ServerSideEncryptionByDefault": { + "SSEAlgorithm": "AES256" + } + } + ] + }, + "PublicAccessBlockConfiguration": { + "BlockPublicAcls": true, + "BlockPublicPolicy": true, + "IgnorePublicAcls": true, + "RestrictPublicBuckets": true + }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", @@ -6496,6 +6756,40 @@ }, "PolicyDocument": { "Statement": [ + { + "Action": "s3:*", + "Condition": { + "Bool": { + "aws:SecureTransport": "false" + } + }, + "Effect": "Deny", + "Principal": { + "AWS": "*" + }, + "Resource": [ + { + "Fn::GetAtt": [ + "Nodejs16Lambdax64PackagerBucket48E2EDC3", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "Nodejs16Lambdax64PackagerBucket48E2EDC3", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + }, { "Action": [ "s3:GetBucket*", @@ -7242,6 +7536,21 @@ "Nodejs18CodeBuildx64PackagerBucket10636D9C": { "Type": "AWS::S3::Bucket", "Properties": { + "BucketEncryption": { + "ServerSideEncryptionConfiguration": [ + { + "ServerSideEncryptionByDefault": { + "SSEAlgorithm": "AES256" + } + } + ] + }, + "PublicAccessBlockConfiguration": { + "BlockPublicAcls": true, + "BlockPublicPolicy": true, + "IgnorePublicAcls": true, + "RestrictPublicBuckets": true + }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", @@ -7260,6 +7569,40 @@ }, "PolicyDocument": { "Statement": [ + { + "Action": "s3:*", + "Condition": { + "Bool": { + "aws:SecureTransport": "false" + } + }, + "Effect": "Deny", + "Principal": { + "AWS": "*" + }, + "Resource": [ + { + "Fn::GetAtt": [ + "Nodejs18CodeBuildx64PackagerBucket10636D9C", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "Nodejs18CodeBuildx64PackagerBucket10636D9C", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + }, { "Action": [ "s3:GetBucket*", 
@@ -8281,6 +8624,21 @@ "Nodejs18Lambdax64PackagerBucket43758CE7": { "Type": "AWS::S3::Bucket", "Properties": { + "BucketEncryption": { + "ServerSideEncryptionConfiguration": [ + { + "ServerSideEncryptionByDefault": { + "SSEAlgorithm": "AES256" + } + } + ] + }, + "PublicAccessBlockConfiguration": { + "BlockPublicAcls": true, + "BlockPublicPolicy": true, + "IgnorePublicAcls": true, + "RestrictPublicBuckets": true + }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", @@ -8300,18 +8658,52 @@ "PolicyDocument": { "Statement": [ { - "Action": [ - "s3:GetBucket*", - "s3:List*", - "s3:DeleteObject*" - ], - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::GetAtt": [ - "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", - "Arn" - ] + "Action": "s3:*", + "Condition": { + "Bool": { + "aws:SecureTransport": "false" + } + }, + "Effect": "Deny", + "Principal": { + "AWS": "*" + }, + "Resource": [ + { + "Fn::GetAtt": [ + "Nodejs18Lambdax64PackagerBucket43758CE7", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "Nodejs18Lambdax64PackagerBucket43758CE7", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + }, + { + "Action": [ + "s3:GetBucket*", + "s3:List*", + "s3:DeleteObject*" + ], + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::GetAtt": [ + "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", + "Arn" + ] } }, "Resource": [ @@ -9045,6 +9437,21 @@ "Nodejs16CodeBuildarm64PackagerBucketE8B803B5": { "Type": "AWS::S3::Bucket", "Properties": { + "BucketEncryption": { + "ServerSideEncryptionConfiguration": [ + { + "ServerSideEncryptionByDefault": { + "SSEAlgorithm": "AES256" + } + } + ] + }, + "PublicAccessBlockConfiguration": { + "BlockPublicAcls": true, + "BlockPublicPolicy": true, + "IgnorePublicAcls": true, + "RestrictPublicBuckets": true + }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", 
@@ -9063,6 +9470,40 @@ }, "PolicyDocument": { "Statement": [ + { + "Action": "s3:*", + "Condition": { + "Bool": { + "aws:SecureTransport": "false" + } + }, + "Effect": "Deny", + "Principal": { + "AWS": "*" + }, + "Resource": [ + { + "Fn::GetAtt": [ + "Nodejs16CodeBuildarm64PackagerBucketE8B803B5", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "Nodejs16CodeBuildarm64PackagerBucketE8B803B5", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + }, { "Action": [ "s3:GetBucket*", @@ -10084,6 +10525,21 @@ "Nodejs16Lambdaarm64PackagerBucket6A5D0391": { "Type": "AWS::S3::Bucket", "Properties": { + "BucketEncryption": { + "ServerSideEncryptionConfiguration": [ + { + "ServerSideEncryptionByDefault": { + "SSEAlgorithm": "AES256" + } + } + ] + }, + "PublicAccessBlockConfiguration": { + "BlockPublicAcls": true, + "BlockPublicPolicy": true, + "IgnorePublicAcls": true, + "RestrictPublicBuckets": true + }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", @@ -10102,6 +10558,40 @@ }, "PolicyDocument": { "Statement": [ + { + "Action": "s3:*", + "Condition": { + "Bool": { + "aws:SecureTransport": "false" + } + }, + "Effect": "Deny", + "Principal": { + "AWS": "*" + }, + "Resource": [ + { + "Fn::GetAtt": [ + "Nodejs16Lambdaarm64PackagerBucket6A5D0391", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "Nodejs16Lambdaarm64PackagerBucket6A5D0391", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + }, { "Action": [ "s3:GetBucket*", @@ -10848,6 +11338,21 @@ "Nodejs18CodeBuildarm64PackagerBucket86D29D14": { "Type": "AWS::S3::Bucket", "Properties": { + "BucketEncryption": { + "ServerSideEncryptionConfiguration": [ + { + "ServerSideEncryptionByDefault": { + "SSEAlgorithm": "AES256" + } + } + ] + }, + "PublicAccessBlockConfiguration": { + "BlockPublicAcls": true, + "BlockPublicPolicy": true, + "IgnorePublicAcls": true, + "RestrictPublicBuckets": true + }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", 
@@ -10866,6 +11371,40 @@ }, "PolicyDocument": { "Statement": [ + { + "Action": "s3:*", + "Condition": { + "Bool": { + "aws:SecureTransport": "false" + } + }, + "Effect": "Deny", + "Principal": { + "AWS": "*" + }, + "Resource": [ + { + "Fn::GetAtt": [ + "Nodejs18CodeBuildarm64PackagerBucket86D29D14", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "Nodejs18CodeBuildarm64PackagerBucket86D29D14", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + }, { "Action": [ "s3:GetBucket*", @@ -11887,6 +12426,21 @@ "Nodejs18Lambdaarm64PackagerBucket254D7AB3": { "Type": "AWS::S3::Bucket", "Properties": { + "BucketEncryption": { + "ServerSideEncryptionConfiguration": [ + { + "ServerSideEncryptionByDefault": { + "SSEAlgorithm": "AES256" + } + } + ] + }, + "PublicAccessBlockConfiguration": { + "BlockPublicAcls": true, + "BlockPublicPolicy": true, + "IgnorePublicAcls": true, + "RestrictPublicBuckets": true + }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", @@ -11905,6 +12459,40 @@ }, "PolicyDocument": { "Statement": [ + { + "Action": "s3:*", + "Condition": { + "Bool": { + "aws:SecureTransport": "false" + } + }, + "Effect": "Deny", + "Principal": { + "AWS": "*" + }, + "Resource": [ + { + "Fn::GetAtt": [ + "Nodejs18Lambdaarm64PackagerBucket254D7AB3", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "Nodejs18Lambdaarm64PackagerBucket254D7AB3", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + }, { "Action": [ "s3:GetBucket*", @@ -12651,6 +13239,21 @@ "Ruby27CodeBuildx64PackagerBucketC764EF01": { "Type": "AWS::S3::Bucket", "Properties": { + "BucketEncryption": { + "ServerSideEncryptionConfiguration": [ + { + "ServerSideEncryptionByDefault": { + "SSEAlgorithm": "AES256" + } + } + ] + }, + "PublicAccessBlockConfiguration": { + "BlockPublicAcls": true, + "BlockPublicPolicy": true, + "IgnorePublicAcls": true, + "RestrictPublicBuckets": true + }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", 
@@ -12669,6 +13272,40 @@ }, "PolicyDocument": { "Statement": [ + { + "Action": "s3:*", + "Condition": { + "Bool": { + "aws:SecureTransport": "false" + } + }, + "Effect": "Deny", + "Principal": { + "AWS": "*" + }, + "Resource": [ + { + "Fn::GetAtt": [ + "Ruby27CodeBuildx64PackagerBucketC764EF01", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "Ruby27CodeBuildx64PackagerBucketC764EF01", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + }, { "Action": [ "s3:GetBucket*", @@ -13350,6 +13987,21 @@ "Ruby27Lambdax64PackagerBucketEA8431DF": { "Type": "AWS::S3::Bucket", "Properties": { + "BucketEncryption": { + "ServerSideEncryptionConfiguration": [ + { + "ServerSideEncryptionByDefault": { + "SSEAlgorithm": "AES256" + } + } + ] + }, + "PublicAccessBlockConfiguration": { + "BlockPublicAcls": true, + "BlockPublicPolicy": true, + "IgnorePublicAcls": true, + "RestrictPublicBuckets": true + }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", @@ -13368,6 +14020,40 @@ }, "PolicyDocument": { "Statement": [ + { + "Action": "s3:*", + "Condition": { + "Bool": { + "aws:SecureTransport": "false" + } + }, + "Effect": "Deny", + "Principal": { + "AWS": "*" + }, + "Resource": [ + { + "Fn::GetAtt": [ + "Ruby27Lambdax64PackagerBucketEA8431DF", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "Ruby27Lambdax64PackagerBucketEA8431DF", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + }, { "Action": [ "s3:GetBucket*", @@ -13797,6 +14483,21 @@ "Ruby27CodeBuildarm64PackagerBucketF36349D3": { "Type": "AWS::S3::Bucket", "Properties": { + "BucketEncryption": { + "ServerSideEncryptionConfiguration": [ + { + "ServerSideEncryptionByDefault": { + "SSEAlgorithm": "AES256" + } + } + ] + }, + "PublicAccessBlockConfiguration": { + "BlockPublicAcls": true, + "BlockPublicPolicy": true, + "IgnorePublicAcls": true, + "RestrictPublicBuckets": true + }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", 
@@ -13815,6 +14516,40 @@ }, "PolicyDocument": { "Statement": [ + { + "Action": "s3:*", + "Condition": { + "Bool": { + "aws:SecureTransport": "false" + } + }, + "Effect": "Deny", + "Principal": { + "AWS": "*" + }, + "Resource": [ + { + "Fn::GetAtt": [ + "Ruby27CodeBuildarm64PackagerBucketF36349D3", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "Ruby27CodeBuildarm64PackagerBucketF36349D3", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + }, { "Action": [ "s3:GetBucket*", @@ -14496,6 +15231,21 @@ "Ruby27Lambdaarm64PackagerBucketB7849BE3": { "Type": "AWS::S3::Bucket", "Properties": { + "BucketEncryption": { + "ServerSideEncryptionConfiguration": [ + { + "ServerSideEncryptionByDefault": { + "SSEAlgorithm": "AES256" + } + } + ] + }, + "PublicAccessBlockConfiguration": { + "BlockPublicAcls": true, + "BlockPublicPolicy": true, + "IgnorePublicAcls": true, + "RestrictPublicBuckets": true + }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", @@ -14514,6 +15264,40 @@ }, "PolicyDocument": { "Statement": [ + { + "Action": "s3:*", + "Condition": { + "Bool": { + "aws:SecureTransport": "false" + } + }, + "Effect": "Deny", + "Principal": { + "AWS": "*" + }, + "Resource": [ + { + "Fn::GetAtt": [ + "Ruby27Lambdaarm64PackagerBucketB7849BE3", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "Ruby27Lambdaarm64PackagerBucketB7849BE3", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + }, { "Action": [ "s3:GetBucket*", @@ -14943,6 +15727,21 @@ "Java11CodeBuildx64PackagerBucket16005C98": { "Type": "AWS::S3::Bucket", "Properties": { + "BucketEncryption": { + "ServerSideEncryptionConfiguration": [ + { + "ServerSideEncryptionByDefault": { + "SSEAlgorithm": "AES256" + } + } + ] + }, + "PublicAccessBlockConfiguration": { + "BlockPublicAcls": true, + "BlockPublicPolicy": true, + "IgnorePublicAcls": true, + "RestrictPublicBuckets": true + }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", 
@@ -14961,6 +15760,40 @@ }, "PolicyDocument": { "Statement": [ + { + "Action": "s3:*", + "Condition": { + "Bool": { + "aws:SecureTransport": "false" + } + }, + "Effect": "Deny", + "Principal": { + "AWS": "*" + }, + "Resource": [ + { + "Fn::GetAtt": [ + "Java11CodeBuildx64PackagerBucket16005C98", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "Java11CodeBuildx64PackagerBucket16005C98", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + }, { "Action": [ "s3:GetBucket*", @@ -15637,6 +16470,21 @@ "Java11CodeBuildarm64PackagerBucket7F159EBC": { "Type": "AWS::S3::Bucket", "Properties": { + "BucketEncryption": { + "ServerSideEncryptionConfiguration": [ + { + "ServerSideEncryptionByDefault": { + "SSEAlgorithm": "AES256" + } + } + ] + }, + "PublicAccessBlockConfiguration": { + "BlockPublicAcls": true, + "BlockPublicPolicy": true, + "IgnorePublicAcls": true, + "RestrictPublicBuckets": true + }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", @@ -15655,6 +16503,40 @@ }, "PolicyDocument": { "Statement": [ + { + "Action": "s3:*", + "Condition": { + "Bool": { + "aws:SecureTransport": "false" + } + }, + "Effect": "Deny", + "Principal": { + "AWS": "*" + }, + "Resource": [ + { + "Fn::GetAtt": [ + "Java11CodeBuildarm64PackagerBucket7F159EBC", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "Java11CodeBuildarm64PackagerBucket7F159EBC", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + }, { "Action": [ "s3:GetBucket*",