Skip to content

feat(s3-deployment): apply least privilege to destination bucket policies #35663

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 7 commits into
base: main
Choose a base branch
from
+34,148 −27
Open

feat(s3-deployment): apply least privilege to destination bucket policies #35663

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
c352176
feat(aws-s3-deployment): deployment permission update
amandladev Oct 1, 2025
db0d1d0
feat(aws-s3-deployment): integration test updt
amandladev Oct 2, 2025
b6a92f3
feat(aws-s3-deployment) readme update
amandladev Oct 2, 2025
f17cf5b
feat(aws-s3-deployment) integration test file added
amandladev Oct 2, 2025
c6b1794
Merge branch 'main' into feature/s3-deployment-permissions-least-priv…
amandladev Oct 2, 2025
7db67ef
Merge branch 'main' into feature/s3-deployment-permissions-least-priv…
amandladev Oct 21, 2025
15a29fe
Merge branch 'main' into feature/s3-deployment-permissions-least-priv…
abidhasan-aws Oct 22, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 3 additions & 3 deletions ...ent/test/integ.bucket-deployment-data.js.snapshot/TestBucketDeploymentContent.assets.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion ...t/test/integ.bucket-deployment-data.js.snapshot/TestBucketDeploymentContent.template.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -470,7 +470,7 @@
"Arn"
]
},
"/*"
"/deploy/here/*"
]
]
}
Expand Down
Binary file modified ...ta.js.snapshot/asset.c49d356cac773d491c5f7ac148995a1181498a8e289429f8612a7f7e3814f535.zip
View file
Open in desktop
Binary file not shown.
6 changes: 3 additions & 3 deletions ...data.js.snapshot/integtestbucketdeploymentdataDefaultTestDeployAssert6FF3075D.assets.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 2 additions & 2 deletions ...ta.js.snapshot/integtestbucketdeploymentdataDefaultTestDeployAssert6FF3075D.template.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 2 additions & 2 deletions ...-integ/test/aws-s3-deployment/test/integ.bucket-deployment-data.js.snapshot/manifest.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion ...work-integ/test/aws-s3-deployment/test/integ.bucket-deployment-data.js.snapshot/tree.json
View file
Open in desktop

Large diffs are not rendered by default.

Binary file modified ...nt.js.snapshot/asset.c49d356cac773d491c5f7ac148995a1181498a8e289429f8612a7f7e3814f535.zip
View file
Open in desktop
Binary file not shown.
6 changes: 3 additions & 3 deletions ...loyment.js.snapshot/integtestbucketdeploymentsDefaultTestDeployAssertCF25A2DF.assets.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 2 additions & 2 deletions ...yment.js.snapshot/integtestbucketdeploymentsDefaultTestDeployAssertCF25A2DF.template.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 2 additions & 2 deletions ...ework-integ/test/aws-s3-deployment/test/integ.bucket-deployment.js.snapshot/manifest.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

6 changes: 3 additions & 3 deletions ...3-deployment/test/integ.bucket-deployment.js.snapshot/test-bucket-deployments.assets.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 2 additions & 2 deletions ...deployment/test/integ.bucket-deployment.js.snapshot/test-bucket-deployments.template.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -347,7 +347,7 @@
"Arn"
]
},
"/*"
"/deploy/here/*"
]
]
},
Expand Down Expand Up @@ -1282,7 +1282,7 @@
"Arn"
]
},
"/*"
"/efs/*"
]
]
}
Expand Down
2 changes: 1 addition & 1 deletion ...framework-integ/test/aws-s3-deployment/test/integ.bucket-deployment.js.snapshot/tree.json
View file
Open in desktop

Large diffs are not rendered by default.

17 changes: 15 additions & 2 deletions packages/aws-cdk-lib/aws-s3-deployment/lib/bucket-deployment.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -400,9 +400,13 @@

this.sources = props.sources.map((source: ISource) => source.bind(this, { handlerRole: this.handlerRole }));

this.destinationBucket.grantReadWrite(handler);
const objectPattern = props.destinationKeyPrefix
? `${this.normalizePrefix(props.destinationKeyPrefix)}*`
: '*';

this.destinationBucket.grantReadWrite(handler, objectPattern);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

By default prune is true, which means when we remove source files from the CDK app, the lambda tries to clean up the corresponding files in S3. But it fails because it doesn't have delete permissions for paths that are no longer in the app.

I tested this by:

  • deploying a cdk app with stuff in app/frontend and app/backend
  • removing app/backend source and deploying it again
  • second deployment fails because lambda can't delete the old backend files

We should give the lambda delete permissions for the whole bucket (*) to make deletion work properly.

if (props.accessControl) {
this.destinationBucket.grantPutAcl(handler);
this.destinationBucket.grantPutAcl(handler, objectPattern);
}
if (props.distribution) {
handler.addToRolePolicy(new iam.PolicyStatement({
Expand Down Expand Up @@ -645,6 +649,15 @@
const uuid = `BucketDeploymentEFS-VPC-${fileSystemProps.vpc.node.addr}`;
return stack.node.tryFindChild(uuid) as efs.FileSystem ?? new efs.FileSystem(scope, uuid, fileSystemProps);
}
/**
* Normalize the prefix for S3 object keys.
* @param prefix prefix string
* @returns normalized prefix string
*/
normalizePrefix(prefix?: string): string {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we can make this a private method.

if (!prefix) return '';
return prefix.replace(/^\/+/, '').replace(/\/+$/, '') + '/';
}
}

export interface DeployTimeSubstitutedFileProps {
Expand Down
37 changes: 37 additions & 0 deletions packages/aws-cdk-lib/aws-s3-deployment/test/bucket-deployment.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1765,3 +1765,40 @@ test('outputObjectKeys default value is true', () => {
OutputObjectKeys: true,
});
});

test.each([
['my-prefix', '/my-prefix/*'],
['my-prefix/', '/my-prefix/*'],
['/my-prefix', '/my-prefix/*'],
['/my-prefix/', '/my-prefix/*'],
[undefined, '/*'],
])('lambda execution role gets permissions with destinationKeyPrefix "%s"', (prefix, expectedSuffix) => {
const stack = new cdk.Stack();
const bucket = new s3.Bucket(stack, 'Dest');
new s3deploy.BucketDeployment(stack, 'Deploy', {
sources: [s3deploy.Source.asset(path.join(__dirname, 'my-website.zip'))],
destinationBucket: bucket,
destinationKeyPrefix: prefix,
});

Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', {
PolicyDocument: Match.objectLike({
Statement: Match.arrayWith([
Match.objectLike({
Resource: Match.arrayWith([
{ 'Fn::GetAtt': ['DestC383B82A', 'Arn'] },
{
'Fn::Join': [
'',
[
{ 'Fn::GetAtt': ['DestC383B82A', 'Arn'] },
expectedSuffix,
],
],
},
]),
}),
]),
}),
});
});
Loading