fix(ses-actions): permissions too wide for S3 action (#29833)

### Issue # (if applicable) Closes #29811, continuation of @msambol 's #29823 ### Reason for this change Reduce overly broad permissions allocated to SES for the S3 receipt rule action ### Description of changes * Restrain by both rule set and rule name, as recommended in the [docs](https://docs.aws.amazon.com/ses/latest/dg/receiving-email-permissions.html#receiving-email-permissions-s3) * Accomplished by generating the permission lazily, when the rule is rendering the actions for CloudFormation ### Description of how you validated changes Updated the unit and integration tests. The integration now uses a free test WorkMail domain. It's a bit of manual setup upfront, but doesn't require the contributor to use one of their own domains ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws · Apr 19, 2024 · 2da544f · 2da544f
1 parent 9eb21bd
commit 2da544f
Show file tree

Hide file tree

Showing 14 changed files with 325 additions and 401 deletions.
diff --git a/...napshot/asset.96d0b6be9a64ae309bf89a86f5515453f0fa1d07b4f6b37198051cc98e251f34/index.d.ts b/...napshot/asset.96d0b6be9a64ae309bf89a86f5515453f0fa1d07b4f6b37198051cc98e251f34/index.d.ts
diff --git a/....snapshot/asset.96d0b6be9a64ae309bf89a86f5515453f0fa1d07b4f6b37198051cc98e251f34/index.js b/....snapshot/asset.96d0b6be9a64ae309bf89a86f5515453f0fa1d07b4f6b37198051cc98e251f34/index.js
diff --git a/....snapshot/asset.96d0b6be9a64ae309bf89a86f5515453f0fa1d07b4f6b37198051cc98e251f34/index.ts b/....snapshot/asset.96d0b6be9a64ae309bf89a86f5515453f0fa1d07b4f6b37198051cc98e251f34/index.ts
diff --git a/...integ/test/aws-ses-actions/test/integ.actions.js.snapshot/aws-cdk-ses-receipt.assets.json b/...integ/test/aws-ses-actions/test/integ.actions.js.snapshot/aws-cdk-ses-receipt.assets.json
diff --git a/...teg/test/aws-ses-actions/test/integ.actions.js.snapshot/aws-cdk-ses-receipt.template.json b/...teg/test/aws-ses-actions/test/integ.actions.js.snapshot/aws-cdk-ses-receipt.template.json
@@ -86,8 +86,31 @@
        "Action": "s3:PutObject",
        "Condition": {
         "StringEquals": {
-         "aws:Referer": {
+         "aws:SourceAccount": {
           "Ref": "AWS::AccountId"
+         },
+         "aws:SourceArn": {
+          "Fn::Join": [
+           "",
+           [
+            "arn:",
+            {
+             "Ref": "AWS::Partition"
+            },
+            ":ses:",
+            {
+             "Ref": "AWS::Region"
+            },
+            ":",
+            {
+             "Ref": "AWS::AccountId"
+            },
+            ":receipt-rule-set/INBOUND_MAIL:receipt-rule/",
+            {
+             "Ref": "RuleSetFirstRule0A27C8CC"
+            }
+           ]
+          ]
          }
         }
        },
@@ -172,40 +195,9 @@
    "UpdateReplacePolicy": "Retain",
    "DeletionPolicy": "Retain"
   },
-  "RuleSetE30C6C48": {
-   "Type": "AWS::SES::ReceiptRuleSet"
-  },
-  "RuleSetDropSpamRule5809F51B": {
-   "Type": "AWS::SES::ReceiptRule",
-   "Properties": {
-    "Rule": {
-     "Actions": [
-      {
-       "LambdaAction": {
-        "FunctionArn": {
-         "Fn::GetAtt": [
-          "SingletonLambda224e77f9a32e4b4dac32983477abba164533EA15",
-          "Arn"
-         ]
-        },
-        "InvocationType": "RequestResponse"
-       }
-      }
-     ],
-     "Enabled": true,
-     "ScanEnabled": true
-    },
-    "RuleSetName": {
-     "Ref": "RuleSetE30C6C48"
-    }
-   }
-  },
   "RuleSetFirstRule0A27C8CC": {
    "Type": "AWS::SES::ReceiptRule",
    "Properties": {
-    "After": {
-     "Ref": "RuleSetDropSpamRule5809F51B"
-    },
     "Rule": {
      "Actions": [
       {
@@ -256,7 +248,7 @@
       {
        "BounceAction": {
         "Message": "Message content rejected",
-        "Sender": "cdk-ses-receipt-test@yopmail.com",
+        "Sender": "test@cdk-test-123.awsapps.com",
         "SmtpReplyCode": "500",
         "StatusCode": "5.6.1",
         "TopicArn": {
@@ -268,17 +260,14 @@
      "Enabled": true,
      "Name": "FirstRule",
      "Recipients": [
-      "cdk-ses-receipt-test@yopmail.com"
+      "test@cdk-test-123.awsapps.com"
      ],
      "ScanEnabled": true,
      "TlsPolicy": "Require"
     },
-    "RuleSetName": {
-     "Ref": "RuleSetE30C6C48"
-    }
+    "RuleSetName": "INBOUND_MAIL"
    },
    "DependsOn": [
-    "BucketPolicyE9A3008A",
     "FunctionAllowSes1829904A"
    ]
   },
@@ -301,79 +290,66 @@
      ],
      "Enabled": true
     },
-    "RuleSetName": {
-     "Ref": "RuleSetE30C6C48"
-    }
+    "RuleSetName": "INBOUND_MAIL"
    }
   },
-  "SingletonLambda224e77f9a32e4b4dac32983477abba16ServiceRole3037F5B4": {
-   "Type": "AWS::IAM::Role",
+  "NotificationQueue36610CC1": {
+   "Type": "AWS::SQS::Queue",
+   "UpdateReplacePolicy": "Delete",
+   "DeletionPolicy": "Delete"
+  },
+  "NotificationQueuePolicyCC060EA6": {
+   "Type": "AWS::SQS::QueuePolicy",
    "Properties": {
-    "AssumeRolePolicyDocument": {
+    "PolicyDocument": {
      "Statement": [
       {
-       "Action": "sts:AssumeRole",
+       "Action": "sqs:SendMessage",
+       "Condition": {
+        "ArnEquals": {
+         "aws:SourceArn": {
+          "Ref": "TopicBFC7AF6E"
+         }
+        }
+       },
        "Effect": "Allow",
        "Principal": {
-        "Service": "lambda.amazonaws.com"
+        "Service": "sns.amazonaws.com"
+       },
+       "Resource": {
+        "Fn::GetAtt": [
+         "NotificationQueue36610CC1",
+         "Arn"
+        ]
        }
       }
      ],
      "Version": "2012-10-17"
     },
-    "ManagedPolicyArns": [
+    "Queues": [
      {
-      "Fn::Join": [
-       "",
-       [
-        "arn:",
-        {
-         "Ref": "AWS::Partition"
-        },
-        ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
-       ]
-      ]
+      "Ref": "NotificationQueue36610CC1"
      }
     ]
    }
   },
-  "SingletonLambda224e77f9a32e4b4dac32983477abba164533EA15": {
-   "Type": "AWS::Lambda::Function",
+  "NotificationQueueawscdksesreceiptTopicE9CA2388E8E96C33": {
+   "Type": "AWS::SNS::Subscription",
    "Properties": {
-    "Code": {
-     "S3Bucket": {
-      "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
-     },
-     "S3Key": "96d0b6be9a64ae309bf89a86f5515453f0fa1d07b4f6b37198051cc98e251f34.zip"
-    },
-    "Handler": "index.handler",
-    "Role": {
+    "Endpoint": {
      "Fn::GetAtt": [
-      "SingletonLambda224e77f9a32e4b4dac32983477abba16ServiceRole3037F5B4",
+      "NotificationQueue36610CC1",
       "Arn"
      ]
     },
-    "Runtime": "nodejs18.x"
+    "Protocol": "sqs",
+    "TopicArn": {
+     "Ref": "TopicBFC7AF6E"
+    }
    },
    "DependsOn": [
-    "SingletonLambda224e77f9a32e4b4dac32983477abba16ServiceRole3037F5B4"
+    "NotificationQueuePolicyCC060EA6"
    ]
-  },
-  "SingletonLambda224e77f9a32e4b4dac32983477abba16AllowSesB42DF904": {
-   "Type": "AWS::Lambda::Permission",
-   "Properties": {
-    "Action": "lambda:InvokeFunction",
-    "FunctionName": {
-     "Fn::GetAtt": [
-      "SingletonLambda224e77f9a32e4b4dac32983477abba164533EA15",
-      "Arn"
-     ]
-    },
-    "Principal": "ses.amazonaws.com",
-    "SourceAccount": {
-     "Ref": "AWS::AccountId"
-    }
-   }
   }
  },
  "Parameters": {

diff --git a/...s-cdk-testing/framework-integ/test/aws-ses-actions/test/integ.actions.js.snapshot/cdk.out b/...s-cdk-testing/framework-integ/test/aws-ses-actions/test/integ.actions.js.snapshot/cdk.out
diff --git a/...dk-testing/framework-integ/test/aws-ses-actions/test/integ.actions.js.snapshot/integ.json b/...dk-testing/framework-integ/test/aws-ses-actions/test/integ.actions.js.snapshot/integ.json