Pipeline s3 bucket allows HTTP access

[gabelton]

A recent pen test highlighted that the s3 bucket created after running copilot pipeline init didn't have SecureTransport: true in its configuration. Is this by design? Seems like the secure-by-default option would automatically set this to true, to prevent manipulation of data in transit.

[KollaAdithya]

Thanks @gabelton for bringing to our attention. It is one of the best practices of S3 that should be followed to deny HTTP request on transit. I will mark this issue as an enhancement.

[gabelton]

Thanks for the speedy reply @KollaAdithya . I don't suppose you're able to give an estimate for when that change might be made? Our security team are asking for remediation by november 27th this year, so just trying to work out whether we need to produce an interim solution for this or can wait for your enhancement.

[KollaAdithya]

Hello @gabelton !

I have a open PR #5393 which will go in the next release. I suppose there is no easy workaround for this, instead go to IAM Console and change the PipelieneArtifactBucketPolicy.

- Sid: ForceHTTPS
  Effect: Deny
  Principal: "*"
  Action: s3:*
  Resource:
    - !Sub ${PipelineBuiltArtifactBucket.Arn}
    - !Sub ${PipelineBuiltArtifactBucket.Arn}/*
  Condition:
    Bool:
      aws:SecureTransport: false

[gabelton]

Thanks again for this @KollaAdithya . If it's coming in the next release, I think that's soon enough for our timeline. Much appreciated!

[Lou1415926]

Hello all! AWS Copilot v1.32.0 is now released! https://github.com/aws/copilot-cli/releases/tag/v1.32.0 🎉🚀 We've enhanced the configuration to enforce HTTPS. Also check out our blog post for other very cool features ❤️ !