From 3cf089e347a89977a2069a359da388038b0cfc3e Mon Sep 17 00:00:00 2001
From: Tim Brust
Date: Fri, 3 Nov 2023 09:43:52 +0000
Subject: [PATCH 1/2] fix: update S3 bucket policy to deny HTTP traffic

---
 serverless.yml | 51 ++++++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 43 insertions(+), 8 deletions(-)

diff --git a/serverless.yml b/serverless.yml
index d4fbd11..e1ec636 100644
--- a/serverless.yml
+++ b/serverless.yml
@@ -441,21 +441,56 @@ resources: OriginAccessControlOriginType: s3 SigningBehavior: no-override SigningProtocol: sigv4 - PolicyForCloudFrontPrivateContent: Type: 'AWS::S3::BucketPolicy' Properties: - Bucket: - Ref: FrontendBucket + Bucket: !Ref FrontendBucket PolicyDocument: - Version: '2008-10-17' + Version: '2012-10-17' Statement: - Sid: AllowCloudFrontServicePrincipal Effect: Allow Principal: - Service: cloudfront.amazonaws.com - Action: s3:GetObject - Resource: arn:aws:s3:::${self:provider.environment.COMPANY_ABBREVIATION}-lara-frontend-${self:custom.stage}/* + AWS:Service: cloudfront.amazonaws.com + Action: 's3:GetObject' + Resource: + Fn::Sub: 'arn:aws:s3:::${self:provider.environment.COMPANY_ABBREVIATION}-lara-frontend-${self:custom.stage}/*' Condition: StringEquals: - AWS:SourceArn: !Sub arn:aws:cloudfront::${AWS::AccountId}:distribution/${FrontendDistribution.Id} + aws:SourceArn: !Sub 'arn:aws:cloudfront::${AWS::AccountId}:distribution/${FrontendDistribution.Id}' + + FrontendBucketPolicy: + Type: AWS::S3::BucketPolicy + Properties: + Bucket: !Ref FrontendBucket + PolicyDocument: + Version: "2012-10-17" + Statement: + - Sid: "AllowSSLRequestsOnly" + Effect: Deny + Principal: "*" + Action: "s3:*" + Resource: + - !Sub "arn:aws:s3:::${FrontendBucket}" + - !Sub "arn:aws:s3:::${FrontendBucket}/*" + Condition: + Bool: + "aws:SecureTransport": "false" + + AttachmentsBucketPolicy: + Type: AWS::S3::BucketPolicy + Properties: + Bucket: !Ref AttachmentsBucket + PolicyDocument: + Version: "2012-10-17" + Statement: + - Sid: "AllowSSLRequestsOnly" + Effect: Deny + Principal: "*" + Action: "s3:*" + Resource: + - !Sub "arn:aws:s3:::${AttachmentsBucket}" + - !Sub "arn:aws:s3:::${AttachmentsBucket}/*" + Condition: + Bool: + "aws:SecureTransport": "false" From ad0f1ce0defe8d0cccfbae4cf4a9e94d5d6ae3be Mon Sep 17 00:00:00 2001 
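Review bot: Two `AWS::S3::BucketPolicy` resources now target the same bucket (`PolicyForCloudFrontPrivateContent` and the new `FrontendBucketPolicy` both declare `Bucket: !Ref FrontendBucket`), but an S3 bucket holds exactly one policy, so whichever resource CloudFormation applies last silently replaces the other and either the CloudFront read access or the HTTPS-only deny is lost. The rewritten `Principal` block also replaces `Service:` with `AWS:Service:`, which I don't believe is a recognised principal key and should fail policy validation at deploy time; `Service: cloudfront.amazonaws.com` was correct. Fold the `AllowSSLRequestsOnly` Deny statement into the `Statement` list of `PolicyForCloudFrontPrivateContent` and drop `FrontendBucketPolicy`, as below; I also derive the object ARN from `${FrontendBucket}` instead of the hard-coded name so it cannot drift from the bucket the policy is attached to (the `Fn::Sub` wrapped around a string containing only `${self:...}` Serverless variables has nothing left to substitute anyway). `AttachmentsBucketPolicy` stands on its own provided no other policy resource targets `AttachmentsBucket`; the enclosing `resources:` mapping starts before this hunk.

```yaml
PolicyForCloudFrontPrivateContent:
  Type: 'AWS::S3::BucketPolicy'
  Properties:
    Bucket: !Ref FrontendBucket
    PolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Sid: AllowCloudFrontServicePrincipal
          Effect: Allow
          Principal:
            Service: cloudfront.amazonaws.com
          Action: 's3:GetObject'
          Resource: !Sub 'arn:aws:s3:::${FrontendBucket}/*'
          Condition:
            StringEquals:
              aws:SourceArn: !Sub 'arn:aws:cloudfront::${AWS::AccountId}:distribution/${FrontendDistribution.Id}'
        - Sid: AllowSSLRequestsOnly
          Effect: Deny
          Principal: '*'
          Action: 's3:*'
          Resource:
            - !Sub 'arn:aws:s3:::${FrontendBucket}'
            - !Sub 'arn:aws:s3:::${FrontendBucket}/*'
          Condition:
            Bool:
              'aws:SecureTransport': 'false'
# … FrontendBucketPolicy removed (merged above); AttachmentsBucketPolicy unchanged …
```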
From: Tim Brust Date: Fri, 3 Nov 2023 09:45:18 +0000 Subject: [PATCH 2/2] style: fix quotes --- serverless.yml | 29 +++++++++++++++-------------- 1 file changed, 15 insertions(+), 14 deletions(-) diff --git a/serverless.yml b/serverless.yml index e1ec636..2698ef1 100644 --- a/serverless.yml +++ b/serverless.yml @@ -441,6 +441,7 @@ resources: OriginAccessControlOriginType: s3 SigningBehavior: no-override SigningProtocol: sigv4 + PolicyForCloudFrontPrivateContent: Type: 'AWS::S3::BucketPolicy' Properties: @@ -464,33 +465,33 @@ resources: Properties: Bucket: !Ref FrontendBucket PolicyDocument: - Version: "2012-10-17" + Version: '2012-10-17' Statement: - - Sid: "AllowSSLRequestsOnly" + - Sid: 'AllowSSLRequestsOnly' Effect: Deny - Principal: "*" - Action: "s3:*" + Principal: '*' + Action: 's3:*' Resource: - - !Sub "arn:aws:s3:::${FrontendBucket}" - - !Sub "arn:aws:s3:::${FrontendBucket}/*" + - !Sub 'arn:aws:s3:::${FrontendBucket}' + - !Sub 'arn:aws:s3:::${FrontendBucket}/*' Condition: Bool: - "aws:SecureTransport": "false" + 'aws:SecureTransport': 'false' AttachmentsBucketPolicy: Type: AWS::S3::BucketPolicy Properties: Bucket: !Ref AttachmentsBucket PolicyDocument: - Version: "2012-10-17" + Version: '2012-10-17' Statement: - - Sid: "AllowSSLRequestsOnly" + - Sid: 'AllowSSLRequestsOnly' Effect: Deny - Principal: "*" - Action: "s3:*" + Principal: '*' + Action: 's3:*' Resource: - - !Sub "arn:aws:s3:::${AttachmentsBucket}" - - !Sub "arn:aws:s3:::${AttachmentsBucket}/*" + - !Sub 'arn:aws:s3:::${AttachmentsBucket}' + - !Sub 'arn:aws:s3:::${AttachmentsBucket}/*' Condition: Bool: - "aws:SecureTransport": "false" + 'aws:SecureTransport': 'false'