From a75f447d6dc9ad8b1b00a7faebdd8aadc3d25e28 Mon Sep 17 00:00:00 2001 From: Michael Sambol Date: Tue, 20 Feb 2024 11:19:05 -0500 Subject: [PATCH] feat(sns): enforce ssl with topic policy (#29144) Adds a statement to match the document in the [docs](https://docs.aws.amazon.com/sns/latest/dg/sns-security-best-practices.html#enforce-encryption-data-in-transit): ``` { "Id": "ExamplePolicy", "Version": "2012-10-17", "Statement": [ { "Sid": "AllowPublishThroughSSLOnly", "Action": "SNS:Publish", "Effect": "Deny", "Resource": [ "arn:aws:sns:us-east-1:1234567890:test-topic" ], "Condition": { "Bool": { "aws:SecureTransport": "false" } }, "Principal": "*" } ] } ``` Closes #29142. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- ...efaultTestDeployAssert005CA6BA.assets.json | 19 ++ ...aultTestDeployAssert005CA6BA.template.json | 36 +++ .../SNSTopicPolicyStack.assets.json | 19 ++ .../SNSTopicPolicyStack.template.json | 132 +++++++++ .../cdk.out | 1 + .../integ.json | 13 + .../manifest.json | 131 +++++++++ .../tree.json | 267 ++++++++++++++++++ .../aws-sns/test/integ.sns-topic-policy.ts | 47 +++ packages/aws-cdk-lib/aws-sns/README.md | 38 +++ packages/aws-cdk-lib/aws-sns/lib/policy.ts | 33 ++- .../aws-cdk-lib/aws-sns/lib/topic-base.ts | 31 +- packages/aws-cdk-lib/aws-sns/lib/topic.ts | 11 + packages/aws-cdk-lib/aws-sns/test/sns.test.ts | 86 ++++++ 14 files changed, 861 insertions(+), 3 deletions(-) create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-sns/test/integ.sns-topic-policy.js.snapshot/SNSTopicPolicyIntegDefaultTestDeployAssert005CA6BA.assets.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-sns/test/integ.sns-topic-policy.js.snapshot/SNSTopicPolicyIntegDefaultTestDeployAssert005CA6BA.template.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-sns/test/integ.sns-topic-policy.js.snapshot/SNSTopicPolicyStack.assets.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-sns/test/integ.sns-topic-policy.js.snapshot/SNSTopicPolicyStack.template.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-sns/test/integ.sns-topic-policy.js.snapshot/cdk.out create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-sns/test/integ.sns-topic-policy.js.snapshot/integ.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-sns/test/integ.sns-topic-policy.js.snapshot/manifest.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-sns/test/integ.sns-topic-policy.js.snapshot/tree.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-sns/test/integ.sns-topic-policy.ts diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-sns/test/integ.sns-topic-policy.js.snapshot/SNSTopicPolicyIntegDefaultTestDeployAssert005CA6BA.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-sns/test/integ.sns-topic-policy.js.snapshot/SNSTopicPolicyIntegDefaultTestDeployAssert005CA6BA.assets.json new file mode 100644 index 0000000000000..3a6d49824aa28 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-sns/test/integ.sns-topic-policy.js.snapshot/SNSTopicPolicyIntegDefaultTestDeployAssert005CA6BA.assets.json @@ -0,0 +1,19 @@ +{ + "version": "36.0.0", + "files": { + "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { + "source": { + "path": "SNSTopicPolicyIntegDefaultTestDeployAssert005CA6BA.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-sns/test/integ.sns-topic-policy.js.snapshot/SNSTopicPolicyIntegDefaultTestDeployAssert005CA6BA.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-sns/test/integ.sns-topic-policy.js.snapshot/SNSTopicPolicyIntegDefaultTestDeployAssert005CA6BA.template.json new file mode 100644 index 0000000000000..ad9d0fb73d1dd --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-sns/test/integ.sns-topic-policy.js.snapshot/SNSTopicPolicyIntegDefaultTestDeployAssert005CA6BA.template.json @@ -0,0 +1,36 @@ +{ + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-sns/test/integ.sns-topic-policy.js.snapshot/SNSTopicPolicyStack.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-sns/test/integ.sns-topic-policy.js.snapshot/SNSTopicPolicyStack.assets.json new file mode 100644 index 0000000000000..106268b0f976a --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-sns/test/integ.sns-topic-policy.js.snapshot/SNSTopicPolicyStack.assets.json @@ -0,0 +1,19 @@ +{ + "version": "36.0.0", + "files": { + "14fdbf9da76c6d2a9fd9d7ecce1e6fb899d1bd67a967d68ab86428209e729203": { + "source": { + "path": "SNSTopicPolicyStack.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "14fdbf9da76c6d2a9fd9d7ecce1e6fb899d1bd67a967d68ab86428209e729203.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-sns/test/integ.sns-topic-policy.js.snapshot/SNSTopicPolicyStack.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-sns/test/integ.sns-topic-policy.js.snapshot/SNSTopicPolicyStack.template.json new file mode 100644 index 0000000000000..c6af60e302553 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-sns/test/integ.sns-topic-policy.js.snapshot/SNSTopicPolicyStack.template.json @@ -0,0 +1,132 @@ +{ + "Resources": { + "TopicBFC7AF6E": { + "Type": "AWS::SNS::Topic", + "Properties": { + "DisplayName": "fooDisplay", + "TopicName": "fooTopic" + } + }, + "TopicPolicyA24B096F": { + "Type": "AWS::SNS::TopicPolicy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": "sns:Publish", + "Effect": "Allow", + "Principal": { + "Service": "s3.amazonaws.com" + }, + "Resource": { + "Ref": "TopicBFC7AF6E" + }, + "Sid": "0" + }, + { + "Action": "sns:Publish", + "Condition": { + "Bool": { + "aws:SecureTransport": "false" + } + }, + "Effect": "Deny", + "Principal": "*", + "Resource": { + "Ref": "TopicBFC7AF6E" + }, + "Sid": "AllowPublishThroughSSLOnly" + } + ], + "Version": "2012-10-17" + }, + "Topics": [ + { + "Ref": "TopicBFC7AF6E" + } + ] + } + }, + "TopicAddPolicy7DB03706": { + "Type": "AWS::SNS::Topic", + "Properties": { + "DisplayName": "topicDisplayNameAddPolicy", + "TopicName": "topicAddPolicy" + } + }, + "TopicAddPolicyAEA24A5A": { + "Type": "AWS::SNS::TopicPolicy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": "sns:Publish", + "Effect": "Allow", + "Principal": { + "Service": "s3.amazonaws.com" + }, + "Resource": { + "Ref": "TopicAddPolicy7DB03706" + }, + "Sid": "0" + }, + { + "Action": "sns:Publish", + "Condition": { + "Bool": { + "aws:SecureTransport": "false" + } + }, + "Effect": "Deny", + "Principal": "*", + "Resource": { + "Ref": "TopicAddPolicy7DB03706" + }, + "Sid": "AllowPublishThroughSSLOnly" + } + ], + "Version": "2012-10-17" + }, + "Topics": [ + { + "Ref": "TopicAddPolicy7DB03706" + } + ] + } + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-sns/test/integ.sns-topic-policy.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-sns/test/integ.sns-topic-policy.js.snapshot/cdk.out new file mode 100644 index 0000000000000..1f0068d32659a --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-sns/test/integ.sns-topic-policy.js.snapshot/cdk.out @@ -0,0 +1 @@ +{"version":"36.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-sns/test/integ.sns-topic-policy.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-sns/test/integ.sns-topic-policy.js.snapshot/integ.json new file mode 100644 index 0000000000000..99eb1a0d311f1 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-sns/test/integ.sns-topic-policy.js.snapshot/integ.json @@ -0,0 +1,13 @@ +{ + "version": "36.0.0", + "testCases": { + "SNSTopicPolicyInteg/DefaultTest": { + "stacks": [ + "SNSTopicPolicyStack" + ], + "stackUpdateWorkflow": false, + "assertionStack": "SNSTopicPolicyInteg/DefaultTest/DeployAssert", + "assertionStackName": "SNSTopicPolicyIntegDefaultTestDeployAssert005CA6BA" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-sns/test/integ.sns-topic-policy.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-sns/test/integ.sns-topic-policy.js.snapshot/manifest.json new file mode 100644 index 0000000000000..1c70ea54b89c0 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-sns/test/integ.sns-topic-policy.js.snapshot/manifest.json @@ -0,0 +1,131 @@ +{ + "version": "36.0.0", + "artifacts": { + "SNSTopicPolicyStack.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "SNSTopicPolicyStack.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "SNSTopicPolicyStack": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "SNSTopicPolicyStack.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/14fdbf9da76c6d2a9fd9d7ecce1e6fb899d1bd67a967d68ab86428209e729203.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "SNSTopicPolicyStack.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "SNSTopicPolicyStack.assets" + ], + "metadata": { + "/SNSTopicPolicyStack/Topic/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "TopicBFC7AF6E" + } + ], + "/SNSTopicPolicyStack/TopicPolicy/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "TopicPolicyA24B096F" + } + ], + "/SNSTopicPolicyStack/TopicAddPolicy/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "TopicAddPolicy7DB03706" + } + ], + "/SNSTopicPolicyStack/TopicAddPolicy/Policy/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "TopicAddPolicyAEA24A5A" + } + ], + "/SNSTopicPolicyStack/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/SNSTopicPolicyStack/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "SNSTopicPolicyStack" + }, + "SNSTopicPolicyIntegDefaultTestDeployAssert005CA6BA.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "SNSTopicPolicyIntegDefaultTestDeployAssert005CA6BA.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "SNSTopicPolicyIntegDefaultTestDeployAssert005CA6BA": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "SNSTopicPolicyIntegDefaultTestDeployAssert005CA6BA.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "SNSTopicPolicyIntegDefaultTestDeployAssert005CA6BA.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "SNSTopicPolicyIntegDefaultTestDeployAssert005CA6BA.assets" + ], + "metadata": { + "/SNSTopicPolicyInteg/DefaultTest/DeployAssert/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/SNSTopicPolicyInteg/DefaultTest/DeployAssert/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "SNSTopicPolicyInteg/DefaultTest/DeployAssert" + }, + "Tree": { + "type": "cdk:tree", + "properties": { + "file": "tree.json" + } + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-sns/test/integ.sns-topic-policy.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-sns/test/integ.sns-topic-policy.js.snapshot/tree.json new file mode 100644 index 0000000000000..f65edb84ed63b --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-sns/test/integ.sns-topic-policy.js.snapshot/tree.json @@ -0,0 +1,267 @@ +{ + "version": "tree-0.1", + "tree": { + "id": "App", + "path": "", + "children": { + "SNSTopicPolicyStack": { + "id": "SNSTopicPolicyStack", + "path": "SNSTopicPolicyStack", + "children": { + "Topic": { + "id": "Topic", + "path": "SNSTopicPolicyStack/Topic", + "children": { + "Resource": { + "id": "Resource", + "path": "SNSTopicPolicyStack/Topic/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::SNS::Topic", + "aws:cdk:cloudformation:props": { + "displayName": "fooDisplay", + "topicName": "fooTopic" + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_sns.CfnTopic", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_sns.Topic", + "version": "0.0.0" + } + }, + "TopicPolicy": { + "id": "TopicPolicy", + "path": "SNSTopicPolicyStack/TopicPolicy", + "children": { + "Resource": { + "id": "Resource", + "path": "SNSTopicPolicyStack/TopicPolicy/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::SNS::TopicPolicy", + "aws:cdk:cloudformation:props": { + "policyDocument": { + "Statement": [ + { + "Action": "sns:Publish", + "Effect": "Allow", + "Principal": { + "Service": "s3.amazonaws.com" + }, + "Resource": { + "Ref": "TopicBFC7AF6E" + }, + "Sid": "0" + }, + { + "Action": "sns:Publish", + "Condition": { + "Bool": { + "aws:SecureTransport": "false" + } + }, + "Effect": "Deny", + "Principal": "*", + "Resource": { + "Ref": "TopicBFC7AF6E" + }, + "Sid": "AllowPublishThroughSSLOnly" + } + ], + "Version": "2012-10-17" + }, + "topics": [ + { + "Ref": "TopicBFC7AF6E" + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_sns.CfnTopicPolicy", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_sns.TopicPolicy", + "version": "0.0.0" + } + }, + "TopicAddPolicy": { + "id": "TopicAddPolicy", + "path": "SNSTopicPolicyStack/TopicAddPolicy", + "children": { + "Resource": { + "id": "Resource", + "path": "SNSTopicPolicyStack/TopicAddPolicy/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::SNS::Topic", + "aws:cdk:cloudformation:props": { + "displayName": "topicDisplayNameAddPolicy", + "topicName": "topicAddPolicy" + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_sns.CfnTopic", + "version": "0.0.0" + } + }, + "Policy": { + "id": "Policy", + "path": "SNSTopicPolicyStack/TopicAddPolicy/Policy", + "children": { + "Resource": { + "id": "Resource", + "path": "SNSTopicPolicyStack/TopicAddPolicy/Policy/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::SNS::TopicPolicy", + "aws:cdk:cloudformation:props": { + "policyDocument": { + "Statement": [ + { + "Action": "sns:Publish", + "Effect": "Allow", + "Principal": { + "Service": "s3.amazonaws.com" + }, + "Resource": { + "Ref": "TopicAddPolicy7DB03706" + }, + "Sid": "0" + }, + { + "Action": "sns:Publish", + "Condition": { + "Bool": { + "aws:SecureTransport": "false" + } + }, + "Effect": "Deny", + "Principal": "*", + "Resource": { + "Ref": "TopicAddPolicy7DB03706" + }, + "Sid": "AllowPublishThroughSSLOnly" + } + ], + "Version": "2012-10-17" + }, + "topics": [ + { + "Ref": "TopicAddPolicy7DB03706" + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_sns.CfnTopicPolicy", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_sns.TopicPolicy", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_sns.Topic", + "version": "0.0.0" + } + }, + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "SNSTopicPolicyStack/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "SNSTopicPolicyStack/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" + } + }, + "SNSTopicPolicyInteg": { + "id": "SNSTopicPolicyInteg", + "path": "SNSTopicPolicyInteg", + "children": { + "DefaultTest": { + "id": "DefaultTest", + "path": "SNSTopicPolicyInteg/DefaultTest", + "children": { + "Default": { + "id": "Default", + "path": "SNSTopicPolicyInteg/DefaultTest/Default", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "DeployAssert": { + "id": "DeployAssert", + "path": "SNSTopicPolicyInteg/DefaultTest/DeployAssert", + "children": { + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "SNSTopicPolicyInteg/DefaultTest/DeployAssert/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "SNSTopicPolicyInteg/DefaultTest/DeployAssert/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTestCase", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTest", + "version": "0.0.0" + } + }, + "Tree": { + "id": "Tree", + "path": "Tree", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.App", + "version": "0.0.0" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-sns/test/integ.sns-topic-policy.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-sns/test/integ.sns-topic-policy.ts new file mode 100644 index 0000000000000..9aa9b9c73b58b --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-sns/test/integ.sns-topic-policy.ts @@ -0,0 +1,47 @@ +import { App, Stack } from 'aws-cdk-lib'; +import { Topic, TopicPolicy } from 'aws-cdk-lib/aws-sns'; +import { IntegTest } from '@aws-cdk/integ-tests-alpha'; +import { PolicyDocument, PolicyStatement, ServicePrincipal } from 'aws-cdk-lib/aws-iam'; + +const app = new App(); + +const stack = new Stack(app, 'SNSTopicPolicyStack'); + +const topic = new Topic(stack, 'Topic', { + topicName: 'fooTopic', + displayName: 'fooDisplay', +}); + +const policyDocument = new PolicyDocument({ + assignSids: true, + statements: [ + new PolicyStatement({ + actions: ['sns:Publish'], + principals: [new ServicePrincipal('s3.amazonaws.com')], + resources: [topic.topicArn], + }), + ], +}); + +new TopicPolicy(stack, 'TopicPolicy', { + topics: [topic], + policyDocument, + enforceSSL: true, +}); + +const topicAddPolicy = new Topic(stack, 'TopicAddPolicy', { + topicName: 'topicAddPolicy', + displayName: 'topicDisplayNameAddPolicy', + enforceSSL: true, +}); + +topicAddPolicy.addToResourcePolicy(new PolicyStatement({ + principals: [new ServicePrincipal('s3.amazonaws.com')], + actions: ['sns:Publish'], + resources: [topicAddPolicy.topicArn], +})); + +new IntegTest(app, 'SNSTopicPolicyInteg', { + testCases: [stack], + stackUpdateWorkflow: false, +}); diff --git a/packages/aws-cdk-lib/aws-sns/README.md b/packages/aws-cdk-lib/aws-sns/README.md index 1f5219fb24bfd..0db9e79a0938e 100644 --- a/packages/aws-cdk-lib/aws-sns/README.md +++ b/packages/aws-cdk-lib/aws-sns/README.md @@ -208,6 +208,44 @@ const topicPolicy = new sns.TopicPolicy(this, 'Policy', { }); ``` +### Enforce encryption of data in transit when publishing to a topic + +You can enforce SSL when creating a topic policy by setting the `enforceSSL` flag: + +```ts +const topic = new sns.Topic(this, 'Topic'); +const policyDocument = new iam.PolicyDocument({ + assignSids: true, + statements: [ + new iam.PolicyStatement({ + actions: ["sns:Publish"], + principals: [new iam.ServicePrincipal('s3.amazonaws.com')], + resources: [topic.topicArn], + }), + ], +}); + +const topicPolicy = new sns.TopicPolicy(this, 'Policy', { + topics: [topic], + policyDocument, + enforceSSL: true, +}); +``` + +Similiarly you can enforce SSL by setting the `enforceSSL` flag on the topic: + +```ts +const topic = new sns.Topic(this, 'TopicAddPolicy', { + enforceSSL: true, +}); + +topic.addToResourcePolicy(new iam.PolicyStatement({ + principals: [new iam.ServicePrincipal('s3.amazonaws.com')], + actions: ['sns:Publish'], + resources: [topic.topicArn], +})); +``` + ## Delivery status logging Amazon SNS provides support to log the delivery status of notification messages sent to topics with the following Amazon SNS endpoints: diff --git a/packages/aws-cdk-lib/aws-sns/lib/policy.ts b/packages/aws-cdk-lib/aws-sns/lib/policy.ts index 56b555397a93b..2d663b733fa90 100644 --- a/packages/aws-cdk-lib/aws-sns/lib/policy.ts +++ b/packages/aws-cdk-lib/aws-sns/lib/policy.ts @@ -1,7 +1,7 @@ import { Construct } from 'constructs'; import { CfnTopicPolicy } from './sns.generated'; import { ITopic } from './topic-base'; -import { PolicyDocument } from '../../aws-iam'; +import { Effect, PolicyDocument, PolicyStatement, StarPrincipal } from '../../aws-iam'; import { Resource } from '../../core'; /** @@ -12,12 +12,21 @@ export interface TopicPolicyProps { * The set of topics this policy applies to. */ readonly topics: ITopic[]; + /** * IAM policy document to apply to topic(s). * @default empty policy document */ readonly policyDocument?: PolicyDocument; + /** + * Adds a statement to enforce encryption of data in transit when publishing to the topic. + * + * For more information, see https://docs.aws.amazon.com/sns/latest/dg/sns-security-best-practices.html#enforce-encryption-data-in-transit. + * + * @default false + */ + readonly enforceSSL?: boolean; } /** @@ -51,9 +60,31 @@ export class TopicPolicy extends Resource { this.document = props.policyDocument ?? this.document; + if (props.enforceSSL) { + props.topics.map(t => this.document.addStatements(this.createSSLPolicyDocument(t.topicArn))); + } + new CfnTopicPolicy(this, 'Resource', { policyDocument: this.document, topics: props.topics.map(t => t.topicArn), }); } + + /** + * Adds a statement to enforce encryption of data in transit when publishing to the topic. + * + * For more information, see https://docs.aws.amazon.com/sns/latest/dg/sns-security-best-practices.html#enforce-encryption-data-in-transit. + */ + protected createSSLPolicyDocument(topicArn: string): PolicyStatement { + return new PolicyStatement ({ + sid: 'AllowPublishThroughSSLOnly', + actions: ['sns:Publish'], + effect: Effect.DENY, + resources: [topicArn], + conditions: { + Bool: { 'aws:SecureTransport': 'false' }, + }, + principals: [new StarPrincipal()], + }); + } } diff --git a/packages/aws-cdk-lib/aws-sns/lib/topic-base.ts b/packages/aws-cdk-lib/aws-sns/lib/topic-base.ts index 602d83f866369..7e91e89038a6c 100644 --- a/packages/aws-cdk-lib/aws-sns/lib/topic-base.ts +++ b/packages/aws-cdk-lib/aws-sns/lib/topic-base.ts @@ -48,7 +48,7 @@ export interface ITopic extends IResource, notifications.INotificationRuleTarget * Adds a statement to the IAM resource policy associated with this topic. * * If this topic was created in this stack (`new Topic`), a topic policy - * will be automatically created upon the first call to `addToPolicy`. If + * will be automatically created upon the first call to `addToResourcePolicy`. If * the topic is imported (`Topic.import`), then this is a no-op. */ addToResourcePolicy(statement: iam.PolicyStatement): iam.AddToResourcePolicyResult; @@ -78,6 +78,11 @@ export abstract class TopicBase extends Resource implements ITopic { */ protected abstract readonly autoCreatePolicy: boolean; + /** + * Adds a statement to enforce encryption of data in transit when publishing to the topic. + */ + protected enforceSSL?: boolean; + private policy?: TopicPolicy; constructor(scope: Construct, id: string, props: ResourceProps = {}) { @@ -122,7 +127,7 @@ export abstract class TopicBase extends Resource implements ITopic { * Adds a statement to the IAM resource policy associated with this topic. * * If this topic was created in this stack (`new Topic`), a topic policy - * will be automatically created upon the first call to `addToPolicy`. If + * will be automatically created upon the first call to `addToResourcePolicy`. If * the topic is imported (`Topic.import`), then this is a no-op. */ public addToResourcePolicy(statement: iam.PolicyStatement): iam.AddToResourcePolicyResult { @@ -132,11 +137,33 @@ export abstract class TopicBase extends Resource implements ITopic { if (this.policy) { this.policy.document.addStatements(statement); + + if (this.enforceSSL) { + this.policy.document.addStatements(this.createSSLPolicyDocument()); + } return { statementAdded: true, policyDependable: this.policy }; } return { statementAdded: false }; } + /** + * Adds a statement to enforce encryption of data in transit when publishing to the topic. + * + * For more information, see https://docs.aws.amazon.com/sns/latest/dg/sns-security-best-practices.html#enforce-encryption-data-in-transit. + */ + protected createSSLPolicyDocument(): iam.PolicyStatement { + return new iam.PolicyStatement ({ + sid: 'AllowPublishThroughSSLOnly', + actions: ['sns:Publish'], + effect: iam.Effect.DENY, + resources: [this.topicArn], + conditions: { + Bool: { 'aws:SecureTransport': 'false' }, + }, + principals: [new iam.StarPrincipal()], + }); + } + /** * Grant topic publishing permissions to the given identity */ diff --git a/packages/aws-cdk-lib/aws-sns/lib/topic.ts b/packages/aws-cdk-lib/aws-sns/lib/topic.ts index bd55859014bcc..341548644e70d 100644 --- a/packages/aws-cdk-lib/aws-sns/lib/topic.ts +++ b/packages/aws-cdk-lib/aws-sns/lib/topic.ts @@ -67,6 +67,15 @@ export interface TopicProps { * @default - do not archive messages */ readonly messageRetentionPeriodInDays?: number; + + /** + * Adds a statement to enforce encryption of data in transit when publishing to the topic. + * + * For more information, see https://docs.aws.amazon.com/sns/latest/dg/sns-security-best-practices.html#enforce-encryption-data-in-transit. + * + * @default false + */ + readonly enforceSSL?: boolean; } /** @@ -174,6 +183,8 @@ export class Topic extends TopicBase { physicalName: props.topicName, }); + this.enforceSSL = props.enforceSSL; + if (props.contentBasedDeduplication && !props.fifo) { throw new Error('Content based deduplication can only be enabled for FIFO SNS topics.'); } diff --git a/packages/aws-cdk-lib/aws-sns/test/sns.test.ts b/packages/aws-cdk-lib/aws-sns/test/sns.test.ts index edc79b90530af..4cb1ee8a8b275 100644 --- a/packages/aws-cdk-lib/aws-sns/test/sns.test.ts +++ b/packages/aws-cdk-lib/aws-sns/test/sns.test.ts @@ -186,6 +186,51 @@ describe('Topic', () => { }); + test('can enforce ssl when creating the topic', () => { + // GIVEN + const stack = new cdk.Stack(); + const topic = new sns.Topic(stack, 'Topic', { + enforceSSL: true, + }); + + // WHEN + topic.addToResourcePolicy(new iam.PolicyStatement({ + resources: ['*'], + actions: ['sns:*'], + principals: [new iam.ArnPrincipal('arn')], + })); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::SNS::TopicPolicy', { + PolicyDocument: { + Version: '2012-10-17', + Statement: [ + { + 'Sid': '0', + 'Action': 'sns:*', + 'Effect': 'Allow', + 'Principal': { 'AWS': 'arn' }, + 'Resource': '*', + }, + { + 'Sid': 'AllowPublishThroughSSLOnly', + 'Action': 'sns:Publish', + 'Effect': 'Deny', + 'Resource': { + 'Ref': 'TopicBFC7AF6E', + }, + 'Condition': { + 'Bool': { + 'aws:SecureTransport': 'false', + }, + }, + 'Principal': '*', + }, + ], + }, + }); + }); + test('give publishing permissions', () => { // GIVEN const stack = new cdk.Stack(); @@ -281,6 +326,47 @@ describe('Topic', () => { }); + test('Create topic policy and enforce ssl', () => { + // GIVEN + const stack = new cdk.Stack(); + const topic = new sns.Topic(stack, 'MyTopic'); + + // WHEN + new sns.TopicPolicy(stack, 'TopicPolicy', { + topics: [topic], + enforceSSL: true, + }); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::SNS::TopicPolicy', { + 'PolicyDocument': { + 'Statement': [ + { + 'Sid': 'AllowPublishThroughSSLOnly', + 'Action': 'sns:Publish', + 'Effect': 'Deny', + 'Resource': { + 'Ref': 'MyTopic86869434', + }, + 'Condition': { + 'Bool': { + 'aws:SecureTransport': 'false', + }, + }, + 'Principal': '*', + }, + ], + 'Version': '2012-10-17', + }, + 'Topics': [ + { + 'Ref': 'MyTopic86869434', + }, + ], + }); + + }); + test('topic resource policy includes unique SIDs', () => { const stack = new cdk.Stack();