58 lines
1.5 KiB
Plaintext
58 lines
1.5 KiB
Plaintext
include::description.adoc[]
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
include::recommended.adoc[]
|
|
|
|
== Sensitive Code Example
|
|
|
|
All users, either authenticated or anonymous, have read and write permissions with the `PUBLIC_READ_WRITE` access control:
|
|
|
|
[source,javascript]
|
|
----
|
|
const s3 = require('aws-cdk-lib/aws-s3');
|
|
|
|
new s3.Bucket(this, 'bucket', {
|
|
accessControl: s3.BucketAccessControl.PUBLIC_READ_WRITE // Sensitive
|
|
});
|
|
|
|
new s3deploy.BucketDeployment(this, 'DeployWebsite', {
|
|
accessControl: s3.BucketAccessControl.PUBLIC_READ_WRITE // Sensitive
|
|
});
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
With the `PRIVATE` access control (default), only the bucket owner has the read/write permissions on the bucket and its ACL.
|
|
|
|
[source,javascript]
|
|
----
|
|
const s3 = require('aws-cdk-lib/aws-s3');
|
|
|
|
new s3.Bucket(this, 'bucket', {
|
|
accessControl: s3.BucketAccessControl.PRIVATE
|
|
});
|
|
|
|
new s3deploy.BucketDeployment(this, 'DeployWebsite', {
|
|
accessControl: s3.BucketAccessControl.PRIVATE
|
|
});
|
|
----
|
|
|
|
include::../see.adoc[]
|
|
* https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html[AWS CDK version 2] - Class Bucket (construct)
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
=== Message
|
|
|
|
* Primary: Make sure granting [PUBLIC_READ|PUBLIC_READ_WRITE|AUTHENTICATED_READ] access is safe here.
|
|
* Secondary: Propagated setting.
|
|
|
|
* Primary: Make sure allowing unrestricted access to objects from this bucket is safe here.
|
|
* Secondary: Propagated setting.
|
|
|
|
endif::env-github,rspecator-view[]
|