
(aws-cdk): cdk deploys S3 buckets that don't comply with Security Hub compliance packs #21868

Closed
dzenana-s opened this issue Sep 1, 2022 · 2 comments
Labels: @aws-cdk/aws-s3 (Related to Amazon S3), bug (This issue is a bug.), cause/not-a-bug (Not a bug; might still be a documentation issue, might still need work)

Comments

@dzenana-s

Describe the bug

We have several Security Hub issues for S3 buckets created when deploying with the CDK with title S3.13 S3 buckets should have lifecycle policies configured (https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-s3-13).

Expected Behavior

I would expect S3 buckets CDK deploys to enforce definitions for lifecycle policies to avoid breaching Security Hub policies.

Current Behavior

They do not have lifecycle policies defined OOB.

Reproduction Steps

  • Deploy the following stack:

```typescript
import * as s3 from 'aws-cdk-lib/aws-s3';
import * as cdk from 'aws-cdk-lib';

export class CdkStarterStack extends cdk.Stack {
  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // Bucket with all default props: no lifecycleRules, so no
    // LifecycleConfiguration is synthesized into the template.
    const s3Bucket = new s3.Bucket(this, 's3-bucket');
  }
}
```
  • Go to Security Hub and see an issue created about a lifecycle policy not existing on the S3 bucket

Possible Solution

A few options:

  • Deploying a default lifecycle policy when something is created with CDK
  • Mitigate this warning in some way with Security Hub so these are not always picked up as a concern
  • Make the lifecyclePolicy prop required (this is probably overdoing it)
  • Do nothing, push this out to users of CDK (making us responsible for always having the lifecyclePolicy parameter defined)

Additional Information/Context

No response

CDK CLI Version

2.35.0

Framework Version

No response

Node.js Version

v16.15.1

OS

MacOS

Language

Typescript

Language Version

No response

Other information

No response

@dzenana-s dzenana-s added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Sep 1, 2022
@github-actions github-actions bot added the @aws-cdk/aws-s3 Related to Amazon S3 label Sep 1, 2022
@peterwoodworth peterwoodworth added cause/not-a-bug Not a bug (might still be a documentation issue, might still need work) and removed needs-triage This issue or PR still needs to be triaged. labels Sep 1, 2022
@peterwoodworth
Contributor

We don't necessarily support Security Hub guidelines by default. Here's some discussion around a potential way we may be able to accomplish this easily in the future, but for now you can configure this with the lifecyclePolicy prop.
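An added example for this thread (not code from the issue, the maintainers, or aws-cdk-lib): since the L2 Bucket only synthesizes a LifecycleConfiguration when the `lifecycleRules` prop is set (that is the actual BucketProps name; there is no `lifecyclePolicy` prop), the practical way to keep S3.13 findings out of Security Hub is to catch missing rules before deploy. The script below checks the CloudFormation template that `cdk synth` writes to cdk.out/<StackName>.template.json and flags every AWS::S3::Bucket with no lifecycle configuration. The sample template, its logical IDs, and the choice to also flag a configuration whose rules are all disabled are this example's own assumptions.

```typescript
// Added example, not code from the issue or from aws-cdk-lib.
// Post-synth check for Security Hub control S3.13: flag every AWS::S3::Bucket in a
// synthesized CloudFormation template that has no lifecycle configuration.
// The CDK-side fix is the `lifecycleRules` prop on BucketProps, e.g.
//   new s3.Bucket(this, 'logs', { lifecycleRules: [{ expiration: cdk.Duration.days(90) }] })
// which synthesizes a LifecycleConfiguration with one rule whose Status is "Enabled".

interface LifecycleRule {
  Status?: string;
  [key: string]: unknown;
}

interface BucketProperties {
  LifecycleConfiguration?: { Rules?: LifecycleRule[] };
  [key: string]: unknown;
}

interface CfnResource {
  Type: string;
  Properties?: BucketProperties;
}

interface CfnTemplate {
  Resources?: Record<string, CfnResource>;
}

interface LifecycleFinding {
  logicalId: string;
  reason: string;
}

// True when at least one lifecycle rule is enabled. CDK emits Status: "Enabled"
// for every LifecycleRule unless the rule sets `enabled: false`.
function hasEnabledLifecycleRule(props: BucketProperties | undefined): boolean {
  const rules = props?.LifecycleConfiguration?.Rules ?? [];
  return rules.some((rule) => rule.Status === "Enabled");
}

// One finding per bucket that has no LifecycleConfiguration or only disabled rules.
// Treating "all rules disabled" as missing is this example's choice, stricter than
// a bare presence check. Resources of other types are skipped.
function findBucketsWithoutLifecycle(template: CfnTemplate): LifecycleFinding[] {
  const findings: LifecycleFinding[] = [];
  const resources: Record<string, CfnResource> = template.Resources ?? {};
  for (const [logicalId, resource] of Object.entries(resources)) {
    if (resource.Type !== "AWS::S3::Bucket") continue;
    if (resource.Properties?.LifecycleConfiguration === undefined) {
      findings.push({ logicalId, reason: "no LifecycleConfiguration" });
    } else if (!hasEnabledLifecycleRule(resource.Properties)) {
      findings.push({ logicalId, reason: "LifecycleConfiguration has no enabled rule" });
    }
  }
  return findings;
}

// CI-friendly report: one line per finding, or a pass message when there are none.
function lifecycleReport(template: CfnTemplate): string {
  const findings = findBucketsWithoutLifecycle(template);
  if (findings.length === 0) return "all buckets have lifecycle rules";
  return findings.map((f) => `S3.13 ${f.logicalId}: ${f.reason}`).join("\n");
}

// Constructed sample template (logical IDs are made up): the issue's default bucket,
// a bucket with an enabled expiration rule, a bucket whose only rule is disabled,
// and an unrelated resource that must be ignored.
const SAMPLE_TEMPLATE: CfnTemplate = {
  Resources: {
    s3bucketA1B2C3: { Type: "AWS::S3::Bucket", Properties: {} },
    logsD4E5F6: {
      Type: "AWS::S3::Bucket",
      Properties: {
        LifecycleConfiguration: { Rules: [{ ExpirationInDays: 90, Status: "Enabled" }] },
      },
    },
    stagingG7H8I9: {
      Type: "AWS::S3::Bucket",
      Properties: {
        LifecycleConfiguration: { Rules: [{ ExpirationInDays: 90, Status: "Disabled" }] },
      },
    },
    deployRole: { Type: "AWS::IAM::Role", Properties: {} },
  },
};

// Usage on real output: JSON.parse the cdk.out/<StackName>.template.json file into a
// CfnTemplate and pass it to lifecycleReport(); fail the pipeline on any finding.
const SAMPLE_REPORT: string = lifecycleReport(SAMPLE_TEMPLATE);
```

Running this on the sample reports the default bucket from the issue and the all-disabled bucket, and stays quiet about the bucket with an enabled rule and the IAM role. It checks the same synthesized artefact `cdk deploy` ships, so a bucket that passes here will not raise S3.13 for a missing lifecycle configuration once deployed.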
