
Commit b941911

committed
added condition to omit HTTPS only requests
1 parent 655c4af commit b941911

2 files changed

+177
-1
lines changed


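--- a/source/patterns/@aws-solutions-constructs/core/lib/s3-bucket-helper.ts
+++ b/source/patterns/@aws-solutions-constructs/core/lib/s3-bucket-helper.ts
@@ -168,7 +168,9 @@ export function buildS3Bucket(scope: Construct,
 
   const s3Bucket: s3.Bucket = new s3.Bucket(scope, _bucketId, customBucketProps);
 
-  applySecureBucketPolicy(s3Bucket);
+  if (customBucketProps.enforceSSL !== false) {
+    applySecureBucketPolicy(s3Bucket);
+  }
 
   return [s3Bucket, loggingBucket];
 }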
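Review bot: The new `enforceSSL !== false` guard silently makes `enforceSSL: false` an opt-out from the TLS-only bucket policy, and nothing in the hunk records that the default (property absent) stays secure or that the opt-out is deliberate; a one-line comment above the `if` would make the intent reviewable, e.g. `// Secure by default: only an explicit enforceSSL: false skips the TLS-only Deny policy.`. The test in this commit expects two Deny statements when `enforceSSL` is `true` (one without a Sid and one with `Sid: "HttpsOnly"`), which suggests the CDK bucket's own `enforceSSL` handling and `applySecureBucketPolicy` both emit a deny in that case — worth a note or a follow-up if that duplication is unintended, though I am inferring the first statement's origin. `buildS3Bucket` begins before this hunk, so the provenance of `customBucketProps` is not visible here.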

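--- a/source/patterns/@aws-solutions-constructs/core/test/s3-bucket.test.ts
+++ b/source/patterns/@aws-solutions-constructs/core/test/s3-bucket.test.ts
@@ -154,3 +154,177 @@ test('test createAlbLoggingBucket()', () => {
     BucketName: 'test-name'
   });
 });
+
+test('Test bucket policy that only accepts SSL requests only', () => {
+  const stack = new Stack();
+
+  defaults.buildS3Bucket(stack, {
+    bucketProps: {
+      enforceSSL: true
+    }
+  }, 'test-bucket');
+
+  expect(stack).toHaveResource("AWS::S3::BucketPolicy", {
+    PolicyDocument: {
+      Statement: [
+        {
+          Action: "s3:*",
+          Condition: {
+            Bool: {
+              "aws:SecureTransport": "false"
+            }
+          },
+          Effect: "Deny",
+          Principal: {
+            AWS: "*"
+          },
+          Resource: [
+            {
+              "Fn::GetAtt": [
+                "testbucketS3Bucket87F6BFFC",
+                "Arn"
+              ]
+            },
+            {
+              "Fn::Join": [
+                "",
+                [
+                  {
+                    "Fn::GetAtt": [
+                      "testbucketS3Bucket87F6BFFC",
+                      "Arn"
+                    ]
+                  },
+                  "/*"
+                ]
+              ]
+            }
+          ]
+        },
+        {
+          Action: "*",
+          Condition: {
+            Bool: {
+              "aws:SecureTransport": "false"
+            }
+          },
+          Effect: "Deny",
+          Principal: {
+            AWS: "*"
+          },
+          Resource: [
+            {
+              "Fn::Join": [
+                "",
+                [
+                  {
+                    "Fn::GetAtt": [
+                      "testbucketS3Bucket87F6BFFC",
+                      "Arn"
+                    ]
+                  },
+                  "/*"
+                ]
+              ]
+            },
+            {
+              "Fn::GetAtt": [
+                "testbucketS3Bucket87F6BFFC",
+                "Arn"
+              ]
+            }
+          ],
+          Sid: "HttpsOnly"
+        },
+      ],
+      Version: "2012-10-17"
+    }
+  });
+});
+
+test('Test bucket policy that accepts any requests', () => {
+  const stack = new Stack();
+
+  defaults.buildS3Bucket(stack, {
+    bucketProps: {
+      enforceSSL: false
+    }
+  }, 'test-bucket');
+
+  expect(stack).not.toHaveResource("AWS::S3::BucketPolicy", {
+    PolicyDocument: {
+      Statement: [
+        {
+          Action: "s3:*",
+          Condition: {
+            Bool: {
+              "aws:SecureTransport": "false"
+            }
+          },
+          Effect: "Deny",
+          Principal: {
+            AWS: "*"
+          },
+          Resource: [
+            {
+              "Fn::GetAtt": [
+                "testbucketS3Bucket87F6BFFC",
+                "Arn"
+              ]
+            },
+            {
+              "Fn::Join": [
+                "",
+                [
+                  {
+                    "Fn::GetAtt": [
+                      "testbucketS3Bucket87F6BFFC",
+                      "Arn"
+                    ]
+                  },
+                  "/*"
+                ]
+              ]
+            }
+          ]
+        },
+        {
+          Action: "*",
+          Condition: {
+            Bool: {
+              "aws:SecureTransport": "false"
+            }
+          },
+          Effect: "Deny",
+          Principal: {
+            AWS: "*"
+          },
+          Resource: [
+            {
+              "Fn::Join": [
+                "",
+                [
+                  {
+                    "Fn::GetAtt": [
+                      "testbucketS3Bucket87F6BFFC",
+                      "Arn"
+                    ]
+                  },
+                  "/*"
+                ]
+              ]
+            },
+            {
+              "Fn::GetAtt": [
+                "testbucketS3Bucket87F6BFFC",
+                "Arn"
+              ]
+            }
+          ],
+          Sid: "HttpsOnly"
+        },
+      ],
+      Version: "2012-10-17"
+    }
+  });
+});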
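Review bot: The negative assertion in 'Test bucket policy that accepts any requests' (`expect(stack).not.toHaveResource(...)` with the full 70-line policy document) is too weak to prove the opt-out works: it passes as soon as any single property differs, so a regression that still emits a TLS-only Deny with a different resource ARN, statement order or logical id would go unnoticed. A negative check should target the distinguishing property of the policy the commit intends to omit — for example assert that no `AWS::S3::BucketPolicy` in the synthesized template carries a statement with `Sid: "HttpsOnly"` and `"aws:SecureTransport": "false"`, rather than comparing against a verbatim document copied from the positive test. The positive test's name, `'Test bucket policy that only accepts SSL requests only'`, repeats "only" and could read `'Test bucket policy that only accepts SSL requests'`.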
