fix(codepipeline): default cross-region S3 buckets allow public access (

#17722) The cross region S3 buckets that are created should have block public access by default. Fixes #16411 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws · Dec 9, 2021 · 0b80db5 · 0b80db5
1 parent cc3bb1f
commit 0b80db5
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 1 deletion.
diff --git a/packages/@aws-cdk/aws-codepipeline/lib/private/cross-region-support-stack.ts b/packages/@aws-cdk/aws-codepipeline/lib/private/cross-region-support-stack.ts
@@ -77,6 +77,7 @@ export class CrossRegionSupportConstruct extends Construct {
       bucketName: cdk.PhysicalName.GENERATE_IF_NEEDED,
       encryption: encryptionAlias ? s3.BucketEncryption.KMS : s3.BucketEncryption.KMS_MANAGED,
       encryptionKey: encryptionAlias,
+      blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL,
     });
   }
 }

diff --git a/packages/@aws-cdk/aws-codepipeline/test/cross-env.test.ts b/packages/@aws-cdk/aws-codepipeline/test/cross-env.test.ts
@@ -129,7 +129,14 @@ describe.each([
 
         // THEN
         expect(supportStack).not.toHaveResource('AWS::KMS::Key');
-        expect(supportStack).toHaveResource('AWS::S3::Bucket');
+        expect(supportStack).toHaveResourceLike('AWS::S3::Bucket', {
+          PublicAccessBlockConfiguration: {
+            BlockPublicAcls: true,
+            BlockPublicPolicy: true,
+            IgnorePublicAcls: true,
+            RestrictPublicBuckets: true,
+          },
+        });
       });
 
       test('when twiddling another stack', () => {