aws - deployment bucket policy for HTTPS only.

2026-01-25 15:07:39 +00:00 · 2019-10-11 22:33:16 -04:00 · 2019-10-11 22:33:16 -04:00 · 060dc2c050
commit 060dc2c050
parent aba4e09c7b
2 changed files with 66 additions and 0 deletions
--- a/lib/plugins/aws/package/lib/core-cloudformation-template.json
+++ b/lib/plugins/aws/package/lib/core-cloudformation-template.json
@ -15,6 +15,36 @@
          ]
        }
      }
+    },
+    "ServerlessDeploymentBucketPolicy": {
+      "Type": "AWS::S3::BucketPolicy",
+      "Properties": {
+        "Bucket": {
+          "Ref": "ServerlessDeploymentBucket"
+        },
+        "PolicyDocument": {
+          "Statement": [
+            {
+              "Action": "s3:*",
+              "Effect": "Deny",
+              "Principal": "*",
+              "Resource": [
+                { "Fn::Join": [
+                  "",
+                  [
+                    "arn:aws:s3:::",
+                    { "Ref": "ServerlessDeploymentBucket" },
+                    "/*"
+                  ]
+                ]}
+              ],
+              "Condition":{
+                "Bool": { "aws:SecureTransport": false }
+              }
+            }
+          ]
+        }
+      }
    }
  },
  "Outputs": {
--- a/lib/plugins/aws/package/lib/generateCoreTemplate.test.js
+++ b/lib/plugins/aws/package/lib/generateCoreTemplate.test.js
@ -45,6 +45,42 @@ describe('#generateCoreTemplate()', () => {
    };
  });

+  it('should reject non-HTTPS requests to the deployment bucket', () => {
+    return expect(awsPlugin.generateCoreTemplate()).to.be.fulfilled.then(() => {
+      const serverlessDeploymentBucketPolicy = awsPlugin.serverless.service.provider
+        .compiledCloudFormationTemplate.Resources.ServerlessDeploymentBucketPolicy;
+
+      expect(serverlessDeploymentBucketPolicy).to.exist;
+      expect(serverlessDeploymentBucketPolicy.Type).to.equal('AWS::S3::BucketPolicy');
+      expect(serverlessDeploymentBucketPolicy.Properties).to.exist;
+      expect(serverlessDeploymentBucketPolicy.Properties.Bucket).to.deep.equal({
+        Ref: 'ServerlessDeploymentBucket',
+      });
+
+      expect(serverlessDeploymentBucketPolicy.Properties.PolicyDocument).to.exist;
+      expect(serverlessDeploymentBucketPolicy.Properties.PolicyDocument.Statement).to.exist;
+
+      expect(serverlessDeploymentBucketPolicy.Properties.PolicyDocument.Statement).to.deep.include({
+        Action: 's3:*',
+        Effect: 'Deny',
+        Principal: '*',
+        Resource: [
+          { 'Fn::Join': [
+            '',
+            [
+              'arn:aws:s3:::',
+              { Ref: 'ServerlessDeploymentBucket' },
+              '/*',
+            ],
+          ]},
+        ],
+        Condition: {
+          Bool: { 'aws:SecureTransport': false },
+        },
+      });
+    });
+  });
+
  it('should use a custom bucket if specified', () => {
    const bucketName = 'com.serverless.deploys';