feat(s3-deployment): apply least privilege to destination bucket policies #35663
+34,148
−27
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
effort/medium
github-actions
bot
added
the
beginning-contributor
aws-cdk-automation
previously requested changes
Oct 2, 2025
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
aws-cdk-automation
dismissed
their stale review
✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.
amandladev
force-pushed
the
feature/s3-deployment-permissions-least-privilege
branch
from
a4fd28a to
f17cf5b
Compare
|
This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state. |
2 similar comments
|
This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state. |
|
This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Introduction
This change improves security by scoping IAM policies to the specific
destination key prefix instead of granting access to all bucket objects.
Changes:
/<destinationKeyPrefix>/*instead of/*destinationKeyPrefixis specified (e.g., 'deploy/here/', 'efs/'),the Lambda execution role only receives permissions for that specific prefix
/*accessSecurity Benefits:
Affected Use Cases:
✅ Deployment with prefix:
destinationKeyPrefix: 'deploy/here/'✅ EFS-backed deployment:
destinationKeyPrefix: 'efs/', useEfs: true✅ Multiple deployments to same bucket with different prefixes
✅ Deployments without prefix (unchanged behavior)
Testing:
Fixes #35610