aws-solutions / aws-control-tower-customizations

The Customizations for AWS Control Tower solution combines AWS Control Tower and other highly-available, trusted AWS services to help customers more quickly set up a secure, multi-account AWS environment using AWS best practices.
https://docs.aws.amazon.com/controltower/latest/userguide/cfct-overview.html
Apache License 2.0

Add S3-Version or Checksum Check to BuildSpec #150

Open akefirad opened 1 year ago

akefirad commented 1 year ago

Is your feature request related to a problem? Please describe.
Looking at the logs, I can see:

[Container] 2023/02/18 19:32:11 Running command aws s3 cp --quiet s3://control-tower-cfct-assets-prod/customizations-for-aws-control-tower/v2.5.2/custom-control-tower-scripts.zip $current

Essentially it's downloading the scripts from the bucket (which I assume is maintained by you guys?). The problem is that there's no way to verify that the zip file has not been tampered with.

Describe the feature you'd like
Would be nice to either pin the S3 version of the zip file (which requires using the s3api command) or to check the downloaded file's checksum.

Additional context
N/A
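The two options raised in the issue (pinning the S3 object version and checking a digest) can both be expressed as a few buildspec shell commands. The following is an added example written for this page, not the project's own buildspec: it wraps `aws s3api get-object --version-id` so a specific object version is fetched, and compares the downloaded file's SHA-256 against a pinned value. The environment variables `CFCT_VERSION_ID` and `CFCT_EXPECTED_SHA256` are assumptions for illustration; the project would have to publish the version ID and digest for each release for this to be usable. The bucket and key are the ones shown in the log line above. The network fetch only runs when those variables are set, so the script, including its local self-check on a constructed file, runs offline.

```shell
#!/bin/sh
# Added example for the cfct buildspec discussion; not code from the project.
# Verifies the scripts zip by (a) pinning the S3 object version and
# (b) checking a pinned SHA-256 digest before the build proceeds.

# Print the SHA-256 hex digest of a file; falls back to shasum where
# sha256sum is unavailable (e.g. macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_checksum FILE EXPECTED_SHA256
# Returns 0 when the digest matches, 1 (with a message on stderr) otherwise.
verify_checksum() {
  actual=$(sha256_of "$1")
  if [ "$actual" = "$2" ]; then
    return 0
  fi
  echo "checksum mismatch for $1: expected $2, got $actual" >&2
  return 1
}

# fetch_pinned BUCKET KEY VERSION_ID DEST
# Uses s3api rather than 's3 cp' so the exact object version is requested;
# a later overwrite of the key cannot silently change what is downloaded.
fetch_pinned() {
  aws s3api get-object \
    --bucket "$1" \
    --key "$2" \
    --version-id "$3" \
    "$4" >/dev/null
}

# Buildspec-style usage. CFCT_VERSION_ID and CFCT_EXPECTED_SHA256 are
# assumed inputs (the release would have to publish them); the bucket and
# key are the ones from the CodeBuild log in the issue.
if [ -n "${CFCT_VERSION_ID:-}" ] && [ -n "${CFCT_EXPECTED_SHA256:-}" ]; then
  fetch_pinned control-tower-cfct-assets-prod \
    customizations-for-aws-control-tower/v2.5.2/custom-control-tower-scripts.zip \
    "$CFCT_VERSION_ID" custom-control-tower-scripts.zip
  verify_checksum custom-control-tower-scripts.zip "$CFCT_EXPECTED_SHA256" || exit 1
fi

# Local self-check on a constructed stand-in for the zip (no network needed):
# a correct digest passes, a wrong one fails.
demo_file=$(mktemp)
printf 'constructed stand-in for custom-control-tower-scripts.zip\n' > "$demo_file"
demo_digest=$(sha256_of "$demo_file")
verify_checksum "$demo_file" "$demo_digest" && echo "self-check: digest matches"
if verify_checksum "$demo_file" \
  "0000000000000000000000000000000000000000000000000000000000000000" 2>/dev/null; then
  echo "self-check: tampered digest was NOT detected" >&2
  rm -f "$demo_file"
  exit 1
fi
echo "self-check: tampered digest rejected"
rm -f "$demo_file"
```

Pinning the version ID only helps if versioning is enabled on the bucket and the build cannot be pointed at a different version by a writable variable; the digest check is the stronger of the two because it does not depend on the bucket's configuration at all, only on the published value being delivered out of band (in the release notes or the template) rather than from the same bucket.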

balltrev commented 1 year ago

Hey @akefirad thanks for bringing this up. I've gone ahead and made a backlog with the team to consider increasing the security posture here.