
Prevent Public Access to Nextjs Lambdas #4483

Closed
cgcompassion opened this issue Jun 28, 2024 · 8 comments

@cgcompassion

When deploying a Nextjs construct with SST 3, it creates 2 lambdas (DefaultFunction and ImageOptimizerFunction) that are "public access" (All Principals). These get flagged by the IAM access analyzer as a security risk. We need a way to tell the construct to prevent this.

I have found that I can do this:

export const frontend = new sst.aws.Nextjs('Frontend', {
  path,
  environment,
  transform: {
    // Attempt to lock down lambdas from public access.
    server: {
      url: {
        //@ts-ignore
        authorization: 'AWS_IAM',
      },
    },
  },
});

This works, but there are two problems with it:

  1. It fixes the "DefaultFunction", but not the "ImageOptimizerFunction". That one is still being flagged for public access. There does not seem to be a key available in the transform instructions that allows for transforming the ImageOptimizerFunction.
  2. The TypeScript definition is incorrect. It says that "AWS_IAM" is not valid and expects authorization?: Input<"none" | "iam">;. However, if I pass it "iam" instead of "AWS_IAM", the aws deploy fails with an error like: expected authorization_type to be one of ["NONE" "AWS_IAM"], got IAM. The only way I can get it to work is with a //@ts-ignore directive.
@cgcompassion
Author

Note that in SST 2 this can be easily resolved with this arg which works for both lambdas: https://docs.sst.dev/constructs/NextjsSite#regionalenableserverurliamauth

@jayair
Contributor

jayair commented Jul 3, 2024

Thanks! We'll take a look.

@fwang
Contributor

fwang commented Jul 17, 2024

@cgcompassion I just released v0.0.534

  • Fixed url authorization issue. Specifying "iam" should now work.
  • Added transform.imageOptimization similar to transform.server

For now lemme know if this works for you. We will likely add a convenient prop to enable IAM auth if more ppl ask.

@fwang fwang closed this as completed Jul 17, 2024
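As an added example (not code from the issue or from the SST project), the following shows the configuration this fix enables: both function URLs set to "iam" via transform.server and transform.imageOptimization, next to the earlier server-only workaround, plus a small pre-deploy check that reports which of the two functions would still be publicly invocable. The types are an assumed minimal subset of the Nextjs args shape described in this thread, not SST's real type definitions; in practice the returned object is passed to `new sst.aws.Nextjs("Frontend", args)` in sst.config.ts.

```typescript
// Assumed minimal subset of sst.aws.Nextjs args: transform.server and
// transform.imageOptimization, each accepting url.authorization: "none" | "iam".
type UrlAuthorization = "none" | "iam";
interface FunctionTransform { url?: { authorization?: UrlAuthorization } }
interface NextjsArgsSubset {
  path?: string;
  transform?: { server?: FunctionTransform; imageOptimization?: FunctionTransform };
}

// Transform key -> function name as it appears in the Access Analyzer finding.
const FUNCTION_URLS: Array<[keyof NonNullable<NextjsArgsSubset["transform"]>, string]> = [
  ["server", "DefaultFunction"],
  ["imageOptimization", "ImageOptimizerFunction"],
];

// Lock both function URLs to IAM auth so only a SigV4-signed caller
// (e.g. CloudFront via OAC, as the later comments mention) can invoke them.
export function lockedDownNextjsArgs(path: string): NextjsArgsSubset {
  return {
    path,
    transform: {
      server: { url: { authorization: "iam" } },
      imageOptimization: { url: { authorization: "iam" } },
    },
  };
}

// The original workaround from the issue: only the server function is covered,
// so the image optimizer URL stays public.
export function serverOnlyNextjsArgs(path: string): NextjsArgsSubset {
  return { path, transform: { server: { url: { authorization: "iam" } } } };
}

// Pre-deploy check: a URL whose authorization is unset or "none" is publicly
// invocable (the construct's default per this thread), so report its name.
export function publiclyInvocableFunctions(args: NextjsArgsSubset): string[] {
  return FUNCTION_URLS
    .filter(([key]) => (args.transform?.[key]?.url?.authorization ?? "none") === "none")
    .map(([, name]) => name);
}
```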
@cgcompassion
Author

Amazing, thank you!!

@cgcompassion
Author

Okay, this has unblocked the next step. CloudFront needs to be able to access the lambda. We can do that with OAC. See: #4684

@cgcompassion
Author

@fwang Would it be easy to expose the imageOptimization function to the output nodes as well? It shows in the transform, but can't access it through the nodes. See: #4684

@jayair
Contributor

jayair commented Aug 2, 2024

@cgcompassion open a new issue?

@cgcompassion
Author

@jayair I've detailed it in this issue here: #4684

@thdxr thdxr transferred this issue from sst/ion Oct 21, 2024