amplify-backend
Create Amplify resources in accordance with Control Tower enforced policies
Environment information
N/A
Description
S3 buckets used for storing metadata like the data schema do not follow Control Tower enforced policies, which are the best-practice recommendations documented by AWS.
For example, the buckets lack the following:
- There's no versioning enabled.
- No logging policy is applied.
This discrepancy between AWS's recommended deployment practices with Amplify Gen 2 and Control Tower's enforced policies:
https://docs.aws.amazon.com/controltower/latest/controlreference/s3-rules.html
Same as Gen1 FR - https://github.com/aws-amplify/amplify-cli/issues/13617
Hey, thank you for filing this feature request. Marking this as feature request for further prioritization by the Amplify team.
Hi, any update here? Thanks.
The following workaround can be used in the meantime.
```typescript
import { defineBackend } from '@aws-amplify/backend';
import { auth } from './auth/resource';
import { data } from './data/resource';
import { Aspects, IAspect } from 'aws-cdk-lib';
import { IConstruct } from 'constructs';
import { Bucket, CfnBucket } from 'aws-cdk-lib/aws-s3';
import { Effect, PolicyStatement, StarPrincipal } from 'aws-cdk-lib/aws-iam';

/**
 * @see https://docs.amplify.aws/react/build-a-backend/ to add storage, functions, and more
 */
const backend = defineBackend({
  auth,
  data,
});

// Aspect that visits every construct under the root stack (nested stacks
// included) and hardens each L2 Bucket that Amplify created.
const hardenBuckets: IAspect = {
  visit(node: IConstruct) {
    if (!(node instanceof Bucket)) return;

    // Deny any request that does not arrive over TLS (aws:SecureTransport = false).
    // Listing both the bucket ARN and the object ARNs covers bucket-level
    // actions (e.g. ListBucket) as well as object-level ones.
    node.addToResourcePolicy(
      new PolicyStatement({
        effect: Effect.DENY,
        principals: [new StarPrincipal()],
        resources: [node.bucketArn, node.bucketArn + '/*'],
        actions: ['s3:*'],
        conditions: {
          Bool: { 'aws:SecureTransport': false },
        },
      })
    );

    // The L2 Bucket exposes no setter for versioning, so override the property
    // on the underlying CfnBucket (the construct's default child). The cast is
    // guarded because defaultChild is undefined for some constructs.
    const cfnBucket = node.node.defaultChild as CfnBucket | undefined;
    cfnBucket?.addPropertyOverride('VersioningConfiguration', { Status: 'Enabled' });
  },
};

Aspects.of(backend.stack).add(hardenBuckets);
```
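As an added check that is not part of the issue or of the Amplify project, the following lints a synthesized CloudFormation template (such as the JSON `cdk synth` writes) against the points raised above: versioning, access logging, and the TLS-only bucket policy the workaround adds. The sample template and its bucket names are constructed for the example.

```typescript
// Added example (not from the issue): lint a synthesized CloudFormation template
// for the gaps the issue describes and the TLS-only control the workaround adds.
type CfnResource = { Type: string; Properties?: Record<string, any> };
type CfnTemplate = { Resources: Record<string, CfnResource> };
type Finding = { bucket: string; rule: string };
// True when a statement denies all S3 actions to everyone unless TLS is used.
function deniesInsecureTransport(stmt: Record<string, any>): boolean {
  const flag = stmt.Condition?.Bool?.['aws:SecureTransport'];
  const actions: string[] = ([] as string[]).concat(stmt.Action ?? []);
  const everyone = stmt.Principal === '*' || stmt.Principal?.AWS === '*';
  return stmt.Effect === 'Deny' && everyone &&
    actions.some((a) => a === 's3:*' || a === '*') &&
    (flag === false || flag === 'false');
}
function checkBuckets(template: CfnTemplate): Finding[] {
  const resources = template.Resources;
  // Index bucket-policy statements by the logical id of the bucket they attach to.
  const statements: Record<string, any[]> = {};
  for (const id of Object.keys(resources)) {
    if (resources[id].Type !== 'AWS::S3::BucketPolicy') continue;
    const props = resources[id].Properties ?? {};
    const target = typeof props.Bucket === 'string' ? props.Bucket : props.Bucket?.Ref;
    if (target) statements[target] = props.PolicyDocument?.Statement ?? [];
  }
  const findings: Finding[] = [];
  for (const id of Object.keys(resources)) {
    if (resources[id].Type !== 'AWS::S3::Bucket') continue;
    const props = resources[id].Properties ?? {};
    if (props.VersioningConfiguration?.Status !== 'Enabled')
      findings.push({ bucket: id, rule: 'versioning-disabled' });
    if (!props.LoggingConfiguration)
      findings.push({ bucket: id, rule: 'no-access-logging' });
    if (!(statements[id] ?? []).some(deniesInsecureTransport))
      findings.push({ bucket: id, rule: 'plaintext-access-allowed' });
  }
  return findings;
}
// Constructed sample: one bucket with none of the controls, one hardened bucket.
const sampleTemplate: CfnTemplate = {
  Resources: {
    SchemaBucket: { Type: 'AWS::S3::Bucket', Properties: {} },
    HardenedBucket: { Type: 'AWS::S3::Bucket', Properties: {
      VersioningConfiguration: { Status: 'Enabled' },
      LoggingConfiguration: { DestinationBucketName: 'example-access-logs' } } },
    HardenedBucketPolicy: { Type: 'AWS::S3::BucketPolicy', Properties: {
      Bucket: { Ref: 'HardenedBucket' },
      PolicyDocument: { Statement: [{ Effect: 'Deny', Principal: '*', Action: 's3:*',
        Resource: '*', Condition: { Bool: { 'aws:SecureTransport': false } } }] } } },
  },
};
```

Running `checkBuckets` over a real synthesized template before deployment surfaces every bucket the Aspect missed, which is the quickest way to confirm the workaround actually reached the metadata buckets.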