
Commit f68b947

fix(ses-actions): condition should use SourceAccount (#34081)
### Issue

#29811

### Reason for this change

Restricts the SES to come through the SourceAccount in question. This change does not affect the bucket policy and SES rule action race condition, reported in #30143 and introduced in #29833 and reverted in #30375. That PR introduced the rule set name into the bucket policy, which added a dependency from the policy to the rule set (while the rule set requires that the policy is created first). Doing this change made a circular dependency between the two resources.

### Description of changes

Simply use SourceAccount instead of Referer.

### Describe any new or updated permissions being added

n/a

### Description of how you validated changes

n/a

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
1 parent 8d8c120 commit f68b947

4 files changed, +9 -3 lines changed
packages/@aws-cdk-testing/framework-integ/test/aws-ses-actions/test/integ.actions.js.snapshot/aws-cdk-ses-receipt.template.json

Lines changed: 1 addition & 1 deletion
@@ -86,7 +86,7 @@
8686
"Action": "s3:PutObject",
8787
"Condition": {
8888
"StringEquals": {
89-
"aws:Referer": {
89+
"aws:SourceAccount": {
9090
"Ref": "AWS::AccountId"
9191
}
9292
}
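Review bot: the commit message lists "Description of how you validated changes" as n/a, yet this integ snapshot template changed; confirm the snapshot was regenerated by running the integ test (so the new `aws:SourceAccount` condition was actually deployed and verified) rather than edited by hand, otherwise the snapshot no longer proves anything about the deployed policy.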

packages/aws-cdk-lib/aws-ses-actions/lib/s3.ts

Lines changed: 1 addition & 1 deletion
@@ -55,7 +55,7 @@ export class S3 implements ses.IReceiptRuleAction {
5555
resources: [this.props.bucket.arnForObjects(`${keyPattern}*`)],
5656
conditions: {
5757
StringEquals: {
58-
'aws:Referer': cdk.Aws.ACCOUNT_ID,
58+
'aws:SourceAccount': cdk.Aws.ACCOUNT_ID,
5959
},
6060
},
6161
});
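Review bot: the key change is the right fix for the confused-deputy issue, because `aws:Referer` is populated from a client-supplied HTTP header that any caller can set to the account ID, whereas `aws:SourceAccount` is filled in by the calling AWS service, so only SES acting on behalf of this account can satisfy it (assuming the statement's principal, which is outside this hunk, is still the SES service principal). Account scope still lets any receipt rule set in the account write to the bucket; `aws:SourceArn` scoped to the rule set would be tighter, but the commit message explains that putting the rule set name into the bucket policy created the circular dependency reverted in #30375, so a short comment above the `'aws:SourceAccount'` line stating why `SourceArn` is deliberately not used would stop the next contributor from re-tightening it and reintroducing the cycle.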

packages/aws-cdk-lib/aws-ses-actions/test/actions.test.ts

Lines changed: 1 addition & 1 deletion
@@ -190,7 +190,7 @@ test('add s3 action', () => {
190190
Action: 's3:PutObject',
191191
Condition: {
192192
StringEquals: {
193-
'aws:Referer': {
193+
'aws:SourceAccount': {
194194
Ref: 'AWS::AccountId',
195195
},
196196
},
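Review bot: the test only mirrors the renamed key; since the stated reason for choosing `SourceAccount` over `SourceArn` is to keep the bucket policy free of any reference to the receipt rule set (#30143), consider adding an assertion that the synthesized bucket policy contains no reference to the rule set resource, so a future change that tightens the condition cannot silently bring back the circular dependency.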

packages/aws-cdk-lib/aws-ses/README.md

Lines changed: 6 additions & 0 deletions
@@ -103,6 +103,12 @@ new ses.AllowListReceiptFilter(this, 'AllowList', {
103103

104104
This will first create a block all filter and then create allow filters for the listed ip addresses.
105105

106+
### AWS Service Principal permissions
107+
108+
When adding an s3 action to a receipt rule, the CDK will automatically create a policy statement that allows the ses service principal to get write access to the bucket. This is done with the `SourceAccount` condition key, which is automatically added to the policy statement.
109+
Previously, the policy used the `Referer` condition key, which caused confused deputy problems when the bucket policy allowed access to the bucket for all principals.
110+
See more information in [this github issue](https://github.com/aws/aws-cdk/issues/29811)
111+
106112
## Email sending
107113

108114
### Dedicated IP pools
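Review bot: the paragraph describing the `SourceAccount` condition should say what it does and does not restrict: it limits writes to SES acting for this account, not to a specific receipt rule set, which is the trade-off the commit message explains. The "Previously" sentence also omits why `Referer` was unsafe: it is derived from a client-controlled HTTP header, so any principal could present the account ID in it, while `SourceAccount` is set by the calling service; one clause saying so would make the confused-deputy point concrete. Style: "s3 action" and "ses service principal" should read "S3 action" and "SES service principal", "github" should be "GitHub", and the "See more information" sentence is missing its final period.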
