aws-control-tower-customizations
Add S3-Version or Checksum Check to BuildSpec
Is your feature request related to a problem? Please describe.
Looking at the logs, I can see:
[Container] 2023/02/18 19:32:11 Running command aws s3 cp --quiet s3://control-tower-cfct-assets-prod/customizations-for-aws-control-tower/v2.5.2/custom-control-tower-scripts.zip $current
Essentially it's downloading the scripts from the bucket (which I assume is maintained by you guys?). The problem is that there's no way to verify that the zip file has not been tampered with.
Describe the feature you'd like
Would be nice to either pin down the S3 version of the zip file (which requires using the s3api command) or to check the downloaded file's checksum.
Additional context
N/A
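The two mitigations the issue asks for, shown as an added shell example that is not part of the CfCT buildspec or this thread: `verify_artifact` compares a downloaded file's SHA-256 against a value pinned in the build configuration, and `fetch_pinned` wraps `aws s3api get-object --version-id` so the build downloads one specific object version rather than whatever currently sits at the key. The bucket and key are the ones from the log line above; the version id and expected hash are placeholders that a maintainer would publish alongside a release.

```shell
#!/bin/sh
# Added example (not from the aws-control-tower-customizations project):
# integrity checks for an artifact downloaded in a CodeBuild step.

# Print the SHA-256 hex digest of a file; uses sha256sum (Linux) or shasum (macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_artifact FILE EXPECTED_SHA256
# Returns 0 when the file's digest matches the pinned value, 1 otherwise,
# so a buildspec line `verify_artifact ... || exit 1` fails the build on tampering.
verify_artifact() {
  file="$1"
  expected="$2"
  actual="$(sha256_of "$file")" || return 1
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  printf 'checksum mismatch for %s\n  expected %s\n  actual   %s\n' \
    "$file" "$expected" "$actual" >&2
  return 1
}

# fetch_pinned BUCKET KEY VERSION_ID DEST
# Downloads exactly one object version; the version id is obtained once with
# `aws s3api list-object-versions` and then committed to the build configuration.
fetch_pinned() {
  aws s3api get-object \
    --bucket "$1" \
    --key "$2" \
    --version-id "$3" \
    "$4" >/dev/null
}

# In the buildspec, this pair would replace the unpinned `aws s3 cp` from the log.
# PINNED_VERSION_ID and EXPECTED_SHA256 are placeholders to be filled per release.
#   fetch_pinned control-tower-cfct-assets-prod \
#     customizations-for-aws-control-tower/v2.5.2/custom-control-tower-scripts.zip \
#     "$PINNED_VERSION_ID" custom-control-tower-scripts.zip
#   verify_artifact custom-control-tower-scripts.zip "$EXPECTED_SHA256" || exit 1
```

Pinning the version id protects against the object being replaced in place; the checksum protects against a wrong or substituted object regardless of how it got there. Doing both costs one extra line in the buildspec and turns a silent swap into a failed build.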
Hey @akefirad thanks for bringing this up. I've gone ahead and made a backlog with the team to consider increasing the security posture here.