The buckets get created with a very permissive policy, something that isn't a problem in itself since they don't contain anything secret, but is something that all security tools complain about. It seems like it shouldn't be necessary since the static assets are served by CloudFront and not directly from the bucket, if I understand things correctly. Would you be open to a PR that removes the permissive bucket policy, or am I missing something that makes it necessary?
Good point! Certainly the current policy is too permissive and should allow access only from the CloudFront distributions. I'm definitely open to a PR to fix this. Thank you!
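The check a reviewer could run against the resulting bucket policy, as an added example that is not part of the original thread or the project's code: it flags Allow statements that are public, or that name the CloudFront service principal without pinning `aws:SourceArn` to a specific distribution. The thread does not show the project's policy, so both sample policies are constructed, the permissive one is assumed to be a public read, and the bucket name, account id and distribution id are placeholders.

```python
CLOUDFRONT = "cloudfront.amazonaws.com"
# Constructed sample policies; bucket, account and distribution ids are placeholders.
PERMISSIVE = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*"}]}
SCOPED = {"Version": "2012-10-17", "Statement": [{
    "Sid": "CloudFrontOnly", "Effect": "Allow",
    "Principal": {"Service": CLOUDFRONT},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*",
    "Condition": {"StringEquals": {"AWS:SourceArn":
        "arn:aws:cloudfront::111122223333:distribution/EXAMPLEDISTID"}}}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_public(principal):
    """True for Principal "*" or {"AWS": "*"}: anyone, authenticated or not."""
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return principal == "*"

def _pinned_to_distribution(stmt):
    """True if a condition pins aws:SourceArn to exact CloudFront distribution ARNs."""
    for op, keys in stmt.get("Condition", {}).items():
        for key, val in keys.items():
            arns = _as_list(val)
            if (op in ("StringEquals", "ArnEquals") and key.lower() == "aws:sourcearn"
                    and arns and all(a.startswith("arn:aws:cloudfront::")
                                     and "*" not in a for a in arns)):
                return True
    return False

def audit(policy):
    """Return (sid, reason) for each Allow statement broader than one distribution."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        if _is_public(principal) and not stmt.get("Condition"):
            findings.append((sid, "public principal with no condition"))
        elif (isinstance(principal, dict)
              and CLOUDFRONT in _as_list(principal.get("Service", []))
              and not _pinned_to_distribution(stmt)):
            findings.append((sid, "CloudFront principal not pinned by aws:SourceArn"))
    return findings
```

`audit(PERMISSIVE)` reports the public statement and `audit(SCOPED)` returns an empty list; the second rule catches a policy that trusts the CloudFront service but would accept any distribution.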