When deploying a Nextjs construct with SST 3, it creates 2 lambdas (DefaultFunction and ImageOptimizerFunction) that are "public access" (All Principals). These get flagged by the IAM Access Analyzer as a security risk. We need a way to tell the construct to prevent this.
I have found that I can do this:
```ts
export const frontend = new sst.aws.Nextjs('Frontend', {
  path,
  environment,
  transform: {
    // Attempt to lock down lambdas from public access.
    server: {
      url: {
        //@ts-ignore
        authorization: 'AWS_IAM',
      },
    },
  },
});
```
This works, but there are two problems with it:
1. It fixes the "DefaultFunction", but not the "ImageOptimizerFunction". That one is still being flagged for public access. There does not seem to be a key available in the transform instructions that allows for transforming the ImageOptimizerFunction.
2. The TypeScript definition is incorrect. It says that "AWS_IAM" is not valid and expects `authorization?: Input<"none" | "iam">;`, however if I pass it "iam" instead of "AWS_IAM", the AWS deploy fails with an error like: `expected authorization_type to be one of ["NONE" "AWS_IAM"], got IAM`. The only way I can get it to work is with a `//@ts-ignore` directive.
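Until the construct exposes a transform for the image optimizer, the deployed state can be audited directly. The check below is an added example, not SST or AWS code: it flags any function URL with `AuthType: NONE` or a resource policy that grants `lambda:InvokeFunctionUrl` to a wildcard principal, which is the combination the IAM Access Analyzer reports. The sample data is constructed and the function names are assumptions; real input would come from `aws lambda get-function-url-config` and `aws lambda get-policy`.

```typescript
// Shapes of the relevant fields from get-function-url-config and get-policy.
type UrlConfig = { FunctionName: string; AuthType: "NONE" | "AWS_IAM" };
type Statement = {
  Effect: string;
  Principal: unknown;
  Action: string | string[];
  Condition?: Record<string, Record<string, string>>;
};
type Policy = { Statement: Statement[] };

// "*" or { AWS: "*" } means any principal, including anonymous callers.
function isWildcardPrincipal(p: unknown): boolean {
  if (p === "*") return true;
  if (typeof p === "object" && p !== null) {
    const aws = (p as { AWS?: string | string[] }).AWS;
    return aws === "*" || (Array.isArray(aws) && aws.includes("*"));
  }
  return false;
}

// True if any Allow statement lets a wildcard principal invoke the function URL.
function grantsPublicUrlInvoke(policy: Policy): boolean {
  return policy.Statement.some((s) => {
    const actions = Array.isArray(s.Action) ? s.Action : [s.Action];
    return s.Effect === "Allow" && isWildcardPrincipal(s.Principal) &&
      actions.some((a) => a === "lambda:InvokeFunctionUrl" || a === "lambda:*" || a === "*");
  });
}

// Returns the names of functions whose URL is reachable without IAM auth,
// either by AuthType or by an over-permissive resource policy.
export function findPublicFunctions(urls: UrlConfig[], policies: Record<string, Policy>): string[] {
  return urls
    .filter((u) => u.AuthType === "NONE" ||
      (policies[u.FunctionName] !== undefined && grantsPublicUrlInvoke(policies[u.FunctionName])))
    .map((u) => u.FunctionName);
}

// Constructed sample (names assumed): the server function after the transform above,
// the image optimizer still on NONE with the public-invoke statement that AuthType NONE requires.
export const sampleUrls: UrlConfig[] = [
  { FunctionName: "FrontendDefaultFunction", AuthType: "AWS_IAM" },
  { FunctionName: "FrontendImageOptimizerFunction", AuthType: "NONE" },
];
export const samplePolicies: Record<string, Policy> = {
  FrontendImageOptimizerFunction: {
    Statement: [{ Effect: "Allow", Principal: "*", Action: "lambda:InvokeFunctionUrl",
      Condition: { StringEquals: { "lambda:FunctionUrlAuthType": "NONE" } } }],
  },
};
```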