aws-amplify / amplify-cli

The AWS Amplify CLI is a toolchain for simplifying serverless web and mobile development.
Apache License 2.0
2.81k stars 821 forks

Amplify Buckets allow HTTP traffic by default #13596

Open vinnymachacek opened 7 months ago

vinnymachacek commented 7 months ago

Is this feature request related to a new or existing Amplify category?

storage, hosting

Is this related to another service?

S3

Describe the feature you'd like to request

https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html

S3 Buckets allow HTTP traffic by default. Per the above link, we should disable HTTP access.

This causes downstream compliance alerts in Security Hub and is needed for customers who have compliance needs.

Describe the solution you'd like

Add

    "Condition": {
      "Bool": {
        "aws:SecureTransport": "false"
      }
    }

to the bucket policy of the deployment bucket (https://github.com/aws-amplify/amplify-cli/blob/dev/packages/amplify-provider-awscloudformation/resources/rootStackTemplate.json)

Describe alternatives you've considered

External Automation to achieve this

Additional context

No response

Is this something that you'd be interested in working on?

Would this feature include a breaking change?
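
A check for the condition proposed in the issue above, as an added example that is not part of the original issue or of the Amplify CLI code: it tests whether a bucket policy document actually denies plain-HTTP requests, which depends on the statement's Effect, Principal, Action and Resource as well as on the `aws:SecureTransport` condition. The bucket name and the three sample policies are constructed for illustration.

```python
# Added example: sample policies and the bucket name below are constructed.
def _as_list(value):
    """Policy fields may hold one value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _matches_plain_http(condition):
    """True only when the Condition is exactly Bool aws:SecureTransport = false."""
    if not isinstance(condition, dict) or list(condition) != ["Bool"]:
        return False  # additional operators are ANDed and would narrow the Deny
    keys = condition["Bool"]
    if not isinstance(keys, dict) or len(keys) != 1:
        return False
    (key, value), = keys.items()
    return (key.lower() == "aws:securetransport"
            and "false" in [str(v).lower() for v in _as_list(value)])

def _is_everyone(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))

def enforces_tls(policy, bucket_arn):
    """True if Deny statements block non-TLS requests to the bucket and its objects.
    Conservative: wildcard Resource patterns and Not* elements do not count."""
    wanted = {bucket_arn, bucket_arn + "/*"}
    covered = set()
    for stmt in _as_list(policy.get("Statement")):
        if (stmt.get("Effect") == "Deny"
                and _is_everyone(stmt.get("Principal"))
                and {"s3:*", "*"} & set(_as_list(stmt.get("Action")))
                and _matches_plain_http(stmt.get("Condition"))):
            covered |= wanted & set(_as_list(stmt.get("Resource")))
    return covered == wanted

ARN = "arn:aws:s3:::example-deployment-bucket"  # constructed name
HTTP_ONLY = {"Bool": {"aws:SecureTransport": "false"}}

def _policy(effect, resources, condition):
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": effect, "Principal": "*", "Action": "s3:*",
        "Resource": resources, "Condition": condition}]}

GOOD = _policy("Deny", [ARN, ARN + "/*"], HTTP_ONLY)
OBJECTS_ONLY = _policy("Deny", ARN + "/*", HTTP_ONLY)
ALLOW_TLS = _policy("Allow", [ARN, ARN + "/*"], {"Bool": {"aws:SecureTransport": "true"}})

if __name__ == "__main__":
    for name in ("GOOD", "OBJECTS_ONLY", "ALLOW_TLS"):
        print(name, enforces_tls(globals()[name], ARN))
```

Only `GOOD` passes: `OBJECTS_ONLY` leaves bucket-level requests uncovered, and `ALLOW_TLS` grants access over TLS without denying HTTP requests that another statement or an identity policy may allow.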

ykethan commented 7 months ago

Hey, thank you for filing this. Marking this as a feature request.