fix(codepipeline): default cross-region S3 buckets allow public access (#17722)

david-richer-adsk · web-flow · commit 0b80db54e92f · 2021-12-09T17:16:32.000Z
The cross region S3 buckets that are created should have block public access by default. Fixes #16411 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/@aws-cdk/aws-codepipeline/lib/private/cross-region-support-stack.ts b/packages/@aws-cdk/aws-codepipeline/lib/private/cross-region-support-stack.ts
@@ -77,6 +77,7 @@ export class CrossRegionSupportConstruct extends Construct {
       bucketName: cdk.PhysicalName.GENERATE_IF_NEEDED,
       encryption: encryptionAlias ? s3.BucketEncryption.KMS : s3.BucketEncryption.KMS_MANAGED,
       encryptionKey: encryptionAlias,
+      blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL,
     });
   }
 }
diff --git a/packages/@aws-cdk/aws-codepipeline/test/cross-env.test.ts b/packages/@aws-cdk/aws-codepipeline/test/cross-env.test.ts
@@ -129,7 +129,14 @@ describe.each([
 
         // THEN
         expect(supportStack).not.toHaveResource('AWS::KMS::Key');
-        expect(supportStack).toHaveResource('AWS::S3::Bucket');
+        expect(supportStack).toHaveResourceLike('AWS::S3::Bucket', {
+          PublicAccessBlockConfiguration: {
+            BlockPublicAcls: true,
+            BlockPublicPolicy: true,
+            IgnorePublicAcls: true,
+            RestrictPublicBuckets: true,
+          },
+        });
       });
 
       test('when twiddling another stack', () => {

Original file line number	Diff line number	Diff line change
`@@ -77,6 +77,7 @@ export class CrossRegionSupportConstruct extends Construct {`
`77`	`77`	`bucketName: cdk.PhysicalName.GENERATE_IF_NEEDED,`
`78`	`78`	`encryption: encryptionAlias ? s3.BucketEncryption.KMS : s3.BucketEncryption.KMS_MANAGED,`
`79`	`79`	`encryptionKey: encryptionAlias,`
	`80`	`+ blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL,`
`80`	`81`	`});`
`81`	`82`	`}`
`82`	`83`	`}`