sst / ion

❍ — a new engine for SST
https://ion.sst.dev
MIT License

Prevent Public Access to Nextjs Lambdas #611

Open cgcompassion opened 4 days ago

cgcompassion commented 4 days ago

When deploying a Nextjs construct with SST 3, it creates 2 lambdas (DefaultFunction and ImageOptimizerFunction) that are "public access" (All Principals). These get flagged by the IAM access analyzer as a security risk. We need a way to tell the construct to prevent this.

I have found that I can do this:

export const frontend = new sst.aws.Nextjs('Frontend', {
  path,
  environment,
  transform: {
    // Attempt to lock down lambdas from public access.
    server: {
      url: {
        //@ts-ignore
        authorization: 'AWS_IAM',
      },
    },
  },
});

This works, but there are two problems with it:

  1. It fixes the "DefaultFunction", but not the "ImageOptimizerFunction". That one is still being flagged for public access. There does not seem to be a key available in the transform instructions that allows for transforming the ImageOptimizerFunction.
  2. The TypeScript definition is incorrect. It says that "AWS_IAM" is not valid and expects authorization?: Input<"none" | "iam">; however, if I pass it "iam" instead of "AWS_IAM", the AWS deploy fails with an error like: expected authorization_type to be one of ["NONE" "AWS_IAM"], got IAM. The only way I can get it to work is with a //@ts-ignore directive.
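The finding the reporter describes (IAM Access Analyzer flagging both functions as reachable by any principal) can be reproduced locally from the function URL config and the resource-based policy, which is useful when verifying that a transform actually closed the hole on every function, not just the server one. The following TypeScript is an added example and is not code from the issue or from SST; it assumes the input shape of Lambda's `GetFunctionUrlConfig` (`AuthType` of `NONE` or `AWS_IAM`) and a standard IAM policy document, and all function names, ARNs, the account id and the policies are constructed sample data.

```typescript
// Added example (not SST's code): audit Lambda functions for public invoke grants,
// the condition IAM Access Analyzer flags on the Next.js server and image optimizer.

type Principal = "*" | { AWS?: string | string[]; Service?: string | string[] };

interface Statement {
  Sid?: string;
  Effect: "Allow" | "Deny";
  Principal: Principal;
  Action: string | string[];
  Resource?: string | string[];
  Condition?: Record<string, Record<string, string | string[]>>;
}

interface PolicyDocument { Version: string; Statement: Statement[] }

// Shape of GetFunctionUrlConfig's answer, reduced to the field that matters here.
interface FunctionUrlConfig { FunctionArn: string; AuthType: "NONE" | "AWS_IAM" }

// Real Lambda condition key: the auth type a function-URL caller used.
const AUTH_TYPE_KEY = "lambda:FunctionUrlAuthType";

function toList(v: string | string[] | undefined): string[] {
  return v === undefined ? [] : Array.isArray(v) ? v : [v];
}

function principalIsAnyone(p: Principal): boolean {
  if (p === "*") return true;
  return toList(p.AWS).indexOf("*") !== -1;
}

function invokesFunction(action: string | string[]): boolean {
  return toList(action).some(a => a === "*" || a === "lambda:*" || a.indexOf("lambda:Invoke") === 0);
}

// A wildcard principal is public unless some condition narrows it. The one condition AWS
// attaches for public URLs (lambda:FunctionUrlAuthType = NONE) narrows nothing; the same
// key set to AWS_IAM still forces SigV4-signed requests, so it does narrow.
function conditionNarrowsPrincipal(cond?: Statement["Condition"]): boolean {
  if (!cond) return false;
  for (const op in cond) {
    for (const key in cond[op]) {
      if (key.toLowerCase() !== AUTH_TYPE_KEY.toLowerCase()) return true;
      if (toList(cond[op][key]).indexOf("NONE") === -1) return true;
    }
  }
  return false;
}

function isPublicStatement(s: Statement): boolean {
  return s.Effect === "Allow" && principalIsAnyone(s.Principal)
    && invokesFunction(s.Action) && !conditionNarrowsPrincipal(s.Condition);
}

// Returns one reason string per problem found; an empty array means the function is locked down.
function auditFunction(name: string, url?: FunctionUrlConfig, policy?: PolicyDocument): string[] {
  const reasons: string[] = [];
  if (url && url.AuthType === "NONE") reasons.push(name + ": function URL AuthType is NONE");
  for (const s of (policy ? policy.Statement : [])) {
    if (isPublicStatement(s)) reasons.push(name + ": statement " + (s.Sid || "(no Sid)") + ' grants invoke to Principal "*"');
  }
  return reasons;
}

// ---- constructed sample data mirroring the issue: two public functions, one hardened ----
const ACCOUNT = "123456789012"; // placeholder account id
const arn = (n: string) => "arn:aws:lambda:us-east-1:" + ACCOUNT + ":function:" + n;

const SAMPLE_URLS: Record<string, FunctionUrlConfig> = {
  DefaultFunction: { FunctionArn: arn("DefaultFunction"), AuthType: "NONE" },
  ImageOptimizerFunction: { FunctionArn: arn("ImageOptimizerFunction"), AuthType: "NONE" },
  LockedDownFunction: { FunctionArn: arn("LockedDownFunction"), AuthType: "AWS_IAM" },
};

const publicUrlStatement = (n: string): Statement => ({
  Sid: "FunctionURLAllowPublicAccess", Effect: "Allow", Principal: "*",
  Action: "lambda:InvokeFunctionUrl", Resource: arn(n),
  Condition: { StringEquals: { [AUTH_TYPE_KEY]: "NONE" } },
});

const SAMPLE_POLICIES: Record<string, PolicyDocument> = {
  DefaultFunction: { Version: "2012-10-17", Statement: [publicUrlStatement("DefaultFunction")] },
  ImageOptimizerFunction: { Version: "2012-10-17", Statement: [publicUrlStatement("ImageOptimizerFunction")] },
  // A service principal scoped to one distribution is not a public grant.
  LockedDownFunction: { Version: "2012-10-17", Statement: [{
    Sid: "AllowOneDistribution", Effect: "Allow", Principal: { Service: "cloudfront.amazonaws.com" },
    Action: "lambda:InvokeFunctionUrl", Resource: arn("LockedDownFunction"),
    Condition: { StringEquals: { "AWS:SourceArn": "arn:aws:cloudfront::" + ACCOUNT + ":distribution/EXAMPLE" } },
  }] },
};

function runAudit(urls = SAMPLE_URLS, policies = SAMPLE_POLICIES): Record<string, string[]> {
  const out: Record<string, string[]> = {};
  const names: Record<string, true> = {};
  for (const n in urls) names[n] = true;
  for (const n in policies) names[n] = true;
  for (const n in names) out[n] = auditFunction(n, urls[n], policies[n]);
  return out;
}

console.log(JSON.stringify(runAudit(), null, 2));
```

Run against real accounts by feeding `GetFunctionUrlConfig` and `GetPolicy` output into `runAudit` for each function in the stack; the point of the check is that it reports the image optimizer separately, so a transform that only covers the server function shows up as an incomplete fix rather than a green run.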
cgcompassion commented 4 days ago

Note that in SST 2 this can be easily resolved with this arg which works for both lambdas: https://docs.sst.dev/constructs/NextjsSite#regionalenableserverurliamauth