Skip to content

feat(s3-deployment): apply least privilege to destination bucket policies #35663

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 7 commits into
base: main
Choose a base branch
from
Open

feat(s3-deployment): apply least privilege to destination bucket policies #35663

wants to merge 7 commits into from

Conversation

@amandladev
Copy link
Contributor

@amandladev amandladev commented Oct 2, 2025
edited
Loading

Introduction

This change improves security by scoping IAM policies to the specific
destination key prefix instead of granting access to all bucket objects.

Changes:

  • IAM policies now grant access to /<destinationKeyPrefix>/* instead of /*
  • When destinationKeyPrefix is specified (e.g., 'deploy/here/', 'efs/'),
    the Lambda execution role only receives permissions for that specific prefix
  • Deployments without a prefix continue to work as before with /* access
  • Applies to both standard deployments and EFS-backed deployments

Security Benefits:

  • Follows the principle of least privilege
  • Multiple deployments to the same bucket are now isolated by prefix
  • Reduces blast radius if deployment Lambda credentials are compromised
  • Prevents accidental cross-deployment modifications

Affected Use Cases:
✅ Deployment with prefix: destinationKeyPrefix: 'deploy/here/'
✅ EFS-backed deployment: destinationKeyPrefix: 'efs/', useEfs: true
✅ Multiple deployments to same bucket with different prefixes
✅ Deployments without prefix (unchanged behavior)

Testing:

  • Updated integration tests for all deployment scenarios
  • Verified snapshots for standard, EFS, and prefixed deployments
  • All existing functionality preserved with improved security posture

Fixes #35610

@github-actions github-actions bot added effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p1 labels Oct 2, 2025
@aws-cdk-automation aws-cdk-automation requested a review from a team October 2, 2025 19:32
@github-actions github-actions bot added the beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK label Oct 2, 2025
aws-cdk-automation
aws-cdk-automation previously requested changes Oct 2, 2025
View reviewed changes
Copy link
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(This review is outdated)

github-advanced-security[bot]
github-advanced-security bot found potential problems Oct 2, 2025
View reviewed changes
@aws-cdk-automation aws-cdk-automation dismissed their stale review October 2, 2025 20:51

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

@amandladev amandladev force-pushed the feature/s3-deployment-permissions-least-privilege branch from a4fd28a to f17cf5b Compare October 2, 2025 21:27
@abidhasan-aws abidhasan-aws self-assigned this Oct 15, 2025
@aws-cdk-automation
Copy link
Collaborator

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

5 similar comments
@aws-cdk-automation
Copy link
Collaborator

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

@aws-cdk-automation
Copy link
Collaborator

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

@aws-cdk-automation
Copy link
Collaborator

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

@aws-cdk-automation
Copy link
Collaborator

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

@aws-cdk-automation
Copy link
Collaborator

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

@aws-cdk-automation aws-cdk-automation added the pr/needs-further-review PR requires additional review from our team specialists due to the scope or complexity of changes. label Oct 21, 2025
@aws-cdk-automation
Copy link
Collaborator

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

3 similar comments
@aws-cdk-automation
Copy link
Collaborator

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

@aws-cdk-automation
Copy link
Collaborator

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

@aws-cdk-automation
Copy link
Collaborator

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

abidhasan-aws
abidhasan-aws requested changes Oct 30, 2025
View reviewed changes
Copy link
Contributor

@abidhasan-aws abidhasan-aws left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @amandladev ,
Thanks for your contribution. I have left a few comments.

packages/aws-cdk-lib/aws-s3-deployment/lib/bucket-deployment.ts
* @param prefix prefix string
* @returns normalized prefix string
*/
normalizePrefix(prefix?: string): string {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we can make this a private method.

packages/aws-cdk-lib/aws-s3-deployment/lib/bucket-deployment.ts
? `${this.normalizePrefix(props.destinationKeyPrefix)}*`
: '*';

this.destinationBucket.grantReadWrite(handler, objectPattern);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

By default prune is true, which means when we remove source files from the CDK app, the lambda tries to clean up the corresponding files in S3. But it fails because it doesn't have delete permissions for paths that are no longer in the app.

I tested this by:

  • deploying a cdk app with stuff in app/frontend and app/backend
  • removing app/backend source and deploying it again
  • second deployment fails because lambda can't delete the old backend files

We should give the lambda delete permissions for the whole bucket (*) to make deletion work properly.

@aws-cdk-automation
Copy link
Collaborator

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

@aws-cdk-automation
Copy link
Collaborator

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

@github-actions github-actions bot mentioned this pull request Nov 1, 2025
Open
@aws-cdk-automation
Copy link
Collaborator

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

1 similar comment
@aws-cdk-automation
Copy link
Collaborator

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@abidhasan-aws abidhasan-aws abidhasan-aws requested changes

@aws-cdk-automation aws-cdk-automation aws-cdk-automation left review comments

Requested changes must be addressed to merge this pull request.

Assignees

@abidhasan-aws abidhasan-aws

Labels

beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p1 pr/needs-further-review PR requires additional review from our team specialists due to the scope or complexity of changes.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

(aws-s3-deployment): BucketDeployment grants itself wider permissions than needed

3 participants

@amandladev @aws-cdk-automation @abidhasan-aws