2022-08-08 10:49:02 +02:00
|
|
|
include::../description.adoc[]
|
|
|
|
|
|
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
|
|
2023-05-25 14:18:12 +02:00
|
|
|
== Recommended Secure Coding Practices
|
|
|
|
|
|
|
|
|
|
It's recommended to enforce HTTPS only access by setting ``++enforceSSL++`` property to ``++true++``
|
|
|
|
|
|
2022-08-08 10:49:02 +02:00
|
|
|
|
|
|
|
|
== Sensitive Code Example
|
|
|
|
|
|
|
|
|
|
S3 bucket objects access through TLS is not enforced by default:
|
|
|
|
|
|
|
|
|
|
[source,javascript]
|
|
|
|
|
----
|
|
|
|
|
const s3 = require('aws-cdk-lib/aws-s3');
|
|
|
|
|
|
|
|
|
|
const bucket = new s3.Bucket(this, 'example'); // Sensitive
|
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
== Compliant Solution
|
|
|
|
|
|
|
|
|
|
[source,javascript]
|
|
|
|
|
----
|
|
|
|
|
const s3 = require('aws-cdk-lib/aws-s3');
|
|
|
|
|
|
|
|
|
|
const bucket = new s3.Bucket(this, 'example', {
|
|
|
|
|
bucketName: 'example',
|
|
|
|
|
versioned: true,
|
|
|
|
|
publicReadAccess: false,
|
|
|
|
|
enforceSSL: true
|
|
|
|
|
});
|
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
include::../see.adoc[]
|
|
|
|
|
* https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html[AWS CDK version 2] - Bucket
|
|
|
|
|
|
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
|
|
|
|
|
|
'''
|
|
|
|
|
== Implementation Specification
|
|
|
|
|
(visible only on this page)
|
|
|
|
|
|
2023-05-25 14:18:12 +02:00
|
|
|
=== Message
|
|
|
|
|
|
|
|
|
|
* Make sure authorizing HTTP requests is safe here.
|
|
|
|
|
* Omitting 'enforceSSL' authorize HTTP requests. Make sure it is safe here.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
=== Highlighting
|
|
|
|
|
|
|
|
|
|
* ``++aws_cdk.aws_s3.Bucket.enforceSSL++`` property
|
|
|
|
|
* ``++aws_cdk.aws_s3.Bucket++`` constructor when ``++enforceSSL++`` property is missing
|
2022-08-08 10:49:02 +02:00
|
|
|
|
|
|
|
|
|
|
|
|
|
endif::env-github,rspecator-view[]
|
