From f47d09c08871517f06c1895a5ed262c8e87ee05b Mon Sep 17 00:00:00 2001 From: Luca Pizzini Date: Wed, 27 Sep 2023 15:54:43 +0200 Subject: [PATCH] feat(s3): specify minimum TLS version (#27297) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Leverages the `s3:TLSVersion` IAM condition key to allow specifying a minimum TLS version for S3 requests. Requires `enforceSSL` to be enabled. Example: ``` const bucket = new s3.Bucket(this, 'Bucket', { enforceSSL: true, minimumTLSVersion: 1.2, }); ``` Closes #27279. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- ...aws-cdk-s3-minimum-tls-version.assets.json | 19 ++ ...s-cdk-s3-minimum-tls-version.template.json | 124 ++++++++++ ...efaultTestDeployAssert7BC7B4EF.assets.json | 19 ++ ...aultTestDeployAssert7BC7B4EF.template.json | 36 +++ .../cdk.out | 1 + .../integ.json | 12 + .../manifest.json | 119 ++++++++++ .../tree.json | 222 ++++++++++++++++++ .../test/integ.bucket-minimum-tls-version.ts | 17 ++ packages/aws-cdk-lib/aws-s3/README.md | 9 + packages/aws-cdk-lib/aws-s3/lib/bucket.ts | 35 +++ .../aws-cdk-lib/aws-s3/test/bucket.test.ts | 97 ++++++++ 12 files changed, 710 insertions(+) create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-minimum-tls-version.js.snapshot/aws-cdk-s3-minimum-tls-version.assets.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-minimum-tls-version.js.snapshot/aws-cdk-s3-minimum-tls-version.template.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-minimum-tls-version.js.snapshot/awscdks3minimumtlsversionintegrationDefaultTestDeployAssert7BC7B4EF.assets.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-minimum-tls-version.js.snapshot/awscdks3minimumtlsversionintegrationDefaultTestDeployAssert7BC7B4EF.template.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-minimum-tls-version.js.snapshot/cdk.out create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-minimum-tls-version.js.snapshot/integ.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-minimum-tls-version.js.snapshot/manifest.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-minimum-tls-version.js.snapshot/tree.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-minimum-tls-version.ts diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-minimum-tls-version.js.snapshot/aws-cdk-s3-minimum-tls-version.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-minimum-tls-version.js.snapshot/aws-cdk-s3-minimum-tls-version.assets.json new file mode 100644 index 0000000000000..5c086c1803b9d --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-minimum-tls-version.js.snapshot/aws-cdk-s3-minimum-tls-version.assets.json @@ -0,0 +1,19 @@ +{ + "version": "33.0.0", + "files": { + "f2e43c7b225e4a3bb913b8e3255e177873b0cf9eeb474e63af30152e8a0bdd01": { + "source": { + "path": "aws-cdk-s3-minimum-tls-version.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "f2e43c7b225e4a3bb913b8e3255e177873b0cf9eeb474e63af30152e8a0bdd01.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-minimum-tls-version.js.snapshot/aws-cdk-s3-minimum-tls-version.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-minimum-tls-version.js.snapshot/aws-cdk-s3-minimum-tls-version.template.json new file mode 100644 index 0000000000000..f06c2bc7ee48a --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-minimum-tls-version.js.snapshot/aws-cdk-s3-minimum-tls-version.template.json @@ -0,0 +1,124 @@ +{ + "Resources": { + "Bucket83908E77": { + "Type": "AWS::S3::Bucket", + "UpdateReplacePolicy": "Retain", + "DeletionPolicy": "Retain" + }, + "BucketPolicyE9A3008A": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "Bucket": { + "Ref": "Bucket83908E77" + }, + "PolicyDocument": { + "Statement": [ + { + "Action": "s3:*", + "Condition": { + "Bool": { + "aws:SecureTransport": "false" + } + }, + "Effect": "Deny", + "Principal": { + "AWS": "*" + }, + "Resource": [ + { + "Fn::GetAtt": [ + "Bucket83908E77", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "Bucket83908E77", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + }, + { + "Action": "s3:*", + "Condition": { + "NumericLessThan": { + "s3:TlsVersion": 1.2 + } + }, + "Effect": "Deny", + "Principal": { + "AWS": "*" + }, + "Resource": [ + { + "Fn::GetAtt": [ + "Bucket83908E77", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "Bucket83908E77", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + } + ], + "Version": "2012-10-17" + } + } + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-minimum-tls-version.js.snapshot/awscdks3minimumtlsversionintegrationDefaultTestDeployAssert7BC7B4EF.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-minimum-tls-version.js.snapshot/awscdks3minimumtlsversionintegrationDefaultTestDeployAssert7BC7B4EF.assets.json new file mode 100644 index 0000000000000..51ac0ad0f3837 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-minimum-tls-version.js.snapshot/awscdks3minimumtlsversionintegrationDefaultTestDeployAssert7BC7B4EF.assets.json @@ -0,0 +1,19 @@ +{ + "version": "33.0.0", + "files": { + "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { + "source": { + "path": "awscdks3minimumtlsversionintegrationDefaultTestDeployAssert7BC7B4EF.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-minimum-tls-version.js.snapshot/awscdks3minimumtlsversionintegrationDefaultTestDeployAssert7BC7B4EF.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-minimum-tls-version.js.snapshot/awscdks3minimumtlsversionintegrationDefaultTestDeployAssert7BC7B4EF.template.json new file mode 100644 index 0000000000000..ad9d0fb73d1dd --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-minimum-tls-version.js.snapshot/awscdks3minimumtlsversionintegrationDefaultTestDeployAssert7BC7B4EF.template.json @@ -0,0 +1,36 @@ +{ + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-minimum-tls-version.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-minimum-tls-version.js.snapshot/cdk.out new file mode 100644 index 0000000000000..560dae10d018f --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-minimum-tls-version.js.snapshot/cdk.out @@ -0,0 +1 @@ +{"version":"33.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-minimum-tls-version.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-minimum-tls-version.js.snapshot/integ.json new file mode 100644 index 0000000000000..0eaebbea20b42 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-minimum-tls-version.js.snapshot/integ.json @@ -0,0 +1,12 @@ +{ + "version": "33.0.0", + "testCases": { + "aws-cdk-s3-minimum-tls-version-integration/DefaultTest": { + "stacks": [ + "aws-cdk-s3-minimum-tls-version" + ], + "assertionStack": "aws-cdk-s3-minimum-tls-version-integration/DefaultTest/DeployAssert", + "assertionStackName": "awscdks3minimumtlsversionintegrationDefaultTestDeployAssert7BC7B4EF" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-minimum-tls-version.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-minimum-tls-version.js.snapshot/manifest.json new file mode 100644 index 0000000000000..96e720314df8e --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-minimum-tls-version.js.snapshot/manifest.json @@ -0,0 +1,119 @@ +{ + "version": "33.0.0", + "artifacts": { + "aws-cdk-s3-minimum-tls-version.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "aws-cdk-s3-minimum-tls-version.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "aws-cdk-s3-minimum-tls-version": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "aws-cdk-s3-minimum-tls-version.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/f2e43c7b225e4a3bb913b8e3255e177873b0cf9eeb474e63af30152e8a0bdd01.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "aws-cdk-s3-minimum-tls-version.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "aws-cdk-s3-minimum-tls-version.assets" + ], + "metadata": { + "/aws-cdk-s3-minimum-tls-version/Bucket/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "Bucket83908E77" + } + ], + "/aws-cdk-s3-minimum-tls-version/Bucket/Policy/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "BucketPolicyE9A3008A" + } + ], + "/aws-cdk-s3-minimum-tls-version/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/aws-cdk-s3-minimum-tls-version/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "aws-cdk-s3-minimum-tls-version" + }, + "awscdks3minimumtlsversionintegrationDefaultTestDeployAssert7BC7B4EF.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "awscdks3minimumtlsversionintegrationDefaultTestDeployAssert7BC7B4EF.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "awscdks3minimumtlsversionintegrationDefaultTestDeployAssert7BC7B4EF": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "awscdks3minimumtlsversionintegrationDefaultTestDeployAssert7BC7B4EF.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "awscdks3minimumtlsversionintegrationDefaultTestDeployAssert7BC7B4EF.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "awscdks3minimumtlsversionintegrationDefaultTestDeployAssert7BC7B4EF.assets" + ], + "metadata": { + "/aws-cdk-s3-minimum-tls-version-integration/DefaultTest/DeployAssert/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/aws-cdk-s3-minimum-tls-version-integration/DefaultTest/DeployAssert/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "aws-cdk-s3-minimum-tls-version-integration/DefaultTest/DeployAssert" + }, + "Tree": { + "type": "cdk:tree", + "properties": { + "file": "tree.json" + } + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-minimum-tls-version.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-minimum-tls-version.js.snapshot/tree.json new file mode 100644 index 0000000000000..8a200316e8dc8 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-minimum-tls-version.js.snapshot/tree.json @@ -0,0 +1,222 @@ +{ + "version": "tree-0.1", + "tree": { + "id": "App", + "path": "", + "children": { + "aws-cdk-s3-minimum-tls-version": { + "id": "aws-cdk-s3-minimum-tls-version", + "path": "aws-cdk-s3-minimum-tls-version", + "children": { + "Bucket": { + "id": "Bucket", + "path": "aws-cdk-s3-minimum-tls-version/Bucket", + "children": { + "Resource": { + "id": "Resource", + "path": "aws-cdk-s3-minimum-tls-version/Bucket/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::S3::Bucket", + "aws:cdk:cloudformation:props": {} + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_s3.CfnBucket", + "version": "0.0.0" + } + }, + "Policy": { + "id": "Policy", + "path": "aws-cdk-s3-minimum-tls-version/Bucket/Policy", + "children": { + "Resource": { + "id": "Resource", + "path": "aws-cdk-s3-minimum-tls-version/Bucket/Policy/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::S3::BucketPolicy", + "aws:cdk:cloudformation:props": { + "bucket": { + "Ref": "Bucket83908E77" + }, + "policyDocument": { + "Statement": [ + { + "Action": "s3:*", + "Condition": { + "Bool": { + "aws:SecureTransport": "false" + } + }, + "Effect": "Deny", + "Principal": { + "AWS": "*" + }, + "Resource": [ + { + "Fn::GetAtt": [ + "Bucket83908E77", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "Bucket83908E77", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + }, + { + "Action": "s3:*", + "Condition": { + "NumericLessThan": { + "s3:TlsVersion": 1.2 + } + }, + "Effect": "Deny", + "Principal": { + "AWS": "*" + }, + "Resource": [ + { + "Fn::GetAtt": [ + "Bucket83908E77", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "Bucket83908E77", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + } + ], + "Version": "2012-10-17" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_s3.CfnBucketPolicy", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_s3.BucketPolicy", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_s3.Bucket", + "version": "0.0.0" + } + }, + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "aws-cdk-s3-minimum-tls-version/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "aws-cdk-s3-minimum-tls-version/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" + } + }, + "aws-cdk-s3-minimum-tls-version-integration": { + "id": "aws-cdk-s3-minimum-tls-version-integration", + "path": "aws-cdk-s3-minimum-tls-version-integration", + "children": { + "DefaultTest": { + "id": "DefaultTest", + "path": "aws-cdk-s3-minimum-tls-version-integration/DefaultTest", + "children": { + "Default": { + "id": "Default", + "path": "aws-cdk-s3-minimum-tls-version-integration/DefaultTest/Default", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.2.70" + } + }, + "DeployAssert": { + "id": "DeployAssert", + "path": "aws-cdk-s3-minimum-tls-version-integration/DefaultTest/DeployAssert", + "children": { + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "aws-cdk-s3-minimum-tls-version-integration/DefaultTest/DeployAssert/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "aws-cdk-s3-minimum-tls-version-integration/DefaultTest/DeployAssert/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTestCase", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTest", + "version": "0.0.0" + } + }, + "Tree": { + "id": "Tree", + "path": "Tree", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.2.70" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.App", + "version": "0.0.0" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-minimum-tls-version.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-minimum-tls-version.ts new file mode 100644 index 0000000000000..7c61d16487053 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-minimum-tls-version.ts @@ -0,0 +1,17 @@ +import * as cdk from 'aws-cdk-lib'; +import * as integ from '@aws-cdk/integ-tests-alpha'; +import * as s3 from 'aws-cdk-lib/aws-s3'; + +const app = new cdk.App(); +const stack = new cdk.Stack(app, 'aws-cdk-s3-minimum-tls-version'); + +new s3.Bucket(stack, 'Bucket', { + enforceSSL: true, + minimumTLSVersion: 1.2, +}); + +new integ.IntegTest(app, 'aws-cdk-s3-minimum-tls-version-integration', { + testCases: [stack], +}); + +app.synth(); diff --git a/packages/aws-cdk-lib/aws-s3/README.md b/packages/aws-cdk-lib/aws-s3/README.md index 90ac7386d1196..5be9a411c8860 100644 --- a/packages/aws-cdk-lib/aws-s3/README.md +++ b/packages/aws-cdk-lib/aws-s3/README.md @@ -168,6 +168,15 @@ const bucket = new s3.Bucket(this, 'Bucket', { }); ``` +To require a minimum TLS version for all requests: + +```ts +const bucket = new s3.Bucket(this, 'Bucket', { + enforceSSL: true, + minimumTLSVersion: 1.2, +}); +``` + ## Sharing buckets between stacks To use a bucket in a different stack in the same CDK application, pass the object to the other stack: diff --git a/packages/aws-cdk-lib/aws-s3/lib/bucket.ts b/packages/aws-cdk-lib/aws-s3/lib/bucket.ts index 349e0e6916b51..e7496415b15c1 100644 --- a/packages/aws-cdk-lib/aws-s3/lib/bucket.ts +++ b/packages/aws-cdk-lib/aws-s3/lib/bucket.ts @@ -1585,6 +1585,17 @@ export interface BucketProps { * @default No Intelligent Tiiering Configurations. */ readonly intelligentTieringConfigurations?: IntelligentTieringConfiguration[]; + + /** + * Enforces minimum TLS version for requests. + * + * Requires `enforceSSL` to be enabled. + * + * @see https://docs.aws.amazon.com/AmazonS3/latest/userguide/amazon-s3-policy-keys.html#example-object-tls-version + * + * @default No minimum TLS version is enforced. + */ + readonly minimumTLSVersion?: number; } /** @@ -1879,6 +1890,9 @@ export class Bucket extends BucketBase { // Enforce AWS Foundational Security Best Practice if (props.enforceSSL) { this.enforceSSLStatement(); + this.minimumTLSVersionStatement(props.minimumTLSVersion); + } else if (props.minimumTLSVersion) { + throw new Error('\'enforceSSL\' must be enabled for \'minimumTLSVersion\' to be applied'); } if (props.serverAccessLogsBucket instanceof Bucket) { @@ -1982,6 +1996,27 @@ export class Bucket extends BucketBase { this.addToResourcePolicy(statement); } + /** + * Adds an iam statement to allow requests with a minimum TLS + * version only. + */ + private minimumTLSVersionStatement(minimumTLSVersion?: number) { + if (!minimumTLSVersion) return; + const statement = new iam.PolicyStatement({ + actions: ['s3:*'], + conditions: { + NumericLessThan: { 's3:TlsVersion': minimumTLSVersion }, + }, + effect: iam.Effect.DENY, + resources: [ + this.bucketArn, + this.arnForObjects('*'), + ], + principals: [new iam.AnyPrincipal()], + }); + this.addToResourcePolicy(statement); + } + /** * Set up key properties and return the Bucket encryption property from the * user's configuration, according to the following table: diff --git a/packages/aws-cdk-lib/aws-s3/test/bucket.test.ts b/packages/aws-cdk-lib/aws-s3/test/bucket.test.ts index 7f7b672f5df00..989f8e06caaa8 100644 --- a/packages/aws-cdk-lib/aws-s3/test/bucket.test.ts +++ b/packages/aws-cdk-lib/aws-s3/test/bucket.test.ts @@ -439,6 +439,103 @@ describe('bucket', () => { }); }); + test('with minimumTLSVersion', () => { + const stack = new cdk.Stack(); + new s3.Bucket(stack, 'MyBucket', { + enforceSSL: true, + minimumTLSVersion: 1.2, + }); + + Template.fromStack(stack).hasResourceProperties('AWS::S3::BucketPolicy', { + 'PolicyDocument': { + 'Statement': [ + { + 'Action': 's3:*', + 'Condition': { + 'Bool': { + 'aws:SecureTransport': 'false', + }, + }, + 'Effect': 'Deny', + 'Principal': { AWS: '*' }, + 'Resource': [ + { + 'Fn::GetAtt': [ + 'MyBucketF68F3FF0', + 'Arn', + ], + }, + { + 'Fn::Join': [ + '', + [ + { + 'Fn::GetAtt': [ + 'MyBucketF68F3FF0', + 'Arn', + ], + }, + '/*', + ], + ], + }, + ], + }, + { + 'Action': 's3:*', + 'Condition': { + 'NumericLessThan': { + 's3:TlsVersion': 1.2, + }, + }, + 'Effect': 'Deny', + 'Principal': { AWS: '*' }, + 'Resource': [ + { + 'Fn::GetAtt': [ + 'MyBucketF68F3FF0', + 'Arn', + ], + }, + { + 'Fn::Join': [ + '', + [ + { + 'Fn::GetAtt': [ + 'MyBucketF68F3FF0', + 'Arn', + ], + }, + '/*', + ], + ], + }, + ], + }, + ], + 'Version': '2012-10-17', + }, + }); + }); + + test('enforceSSL must be enabled for minimumTLSVersion to work', () => { + const stack = new cdk.Stack(); + + expect(() => { + new s3.Bucket(stack, 'MyBucket1', { + enforceSSL: false, + minimumTLSVersion: 1.2, + }); + }).toThrow(/'enforceSSL' must be enabled for 'minimumTLSVersion' to be applied/); + + expect(() => { + new s3.Bucket(stack, 'MyBucket2', { + minimumTLSVersion: 1.2, + }); + }).toThrow(/'enforceSSL' must be enabled for 'minimumTLSVersion' to be applied/); + }); + test.each([s3.BucketEncryption.KMS, s3.BucketEncryption.KMS_MANAGED])('bucketKeyEnabled can be enabled with %p encryption', (encryption) => { const stack = new cdk.Stack();