-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SNS: Enforce SSL with Prop #29142
Comments
I am not sure if we should expose that to the L2 props but feel free to submit a PR to move this forward. Thank you! |
Adds a statement to match the document in the [docs](https://docs.aws.amazon.com/sns/latest/dg/sns-security-best-practices.html#enforce-encryption-data-in-transit): ``` { "Id": "ExamplePolicy", "Version": "2012-10-17", "Statement": [ { "Sid": "AllowPublishThroughSSLOnly", "Action": "SNS:Publish", "Effect": "Deny", "Resource": [ "arn:aws:sns:us-east-1:1234567890:test-topic" ], "Condition": { "Bool": { "aws:SecureTransport": "false" } }, "Principal": "*" } ] } ``` Closes #29142. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
Adds a statement to match the document in the [docs](https://docs.aws.amazon.com/sns/latest/dg/sns-security-best-practices.html#enforce-encryption-data-in-transit): ``` { "Id": "ExamplePolicy", "Version": "2012-10-17", "Statement": [ { "Sid": "AllowPublishThroughSSLOnly", "Action": "SNS:Publish", "Effect": "Deny", "Resource": [ "arn:aws:sns:us-east-1:1234567890:test-topic" ], "Condition": { "Bool": { "aws:SecureTransport": "false" } }, "Principal": "*" } ] } ``` Closes #29142. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Hello, Does this work? I've tried both python and typescript, cdk latest and 2.129.0 (the release notes for the one it was added to) and neither add a topicpolicy when the enforceSSL/enforce_ssl property is set to true/True The synth is the same whether I add that property or not |
That is because the enforceSSL is only added if you use the "addToResourcePolicy" afterwards. I would expect to have id added, in any case. |
Describe the feature
I'd like the ability to enforce SSL on an SNS topic in a similar fashion as the Bucket construct. The Bucket construct has a property,
enforceSSL
, that will automatically update the bucket policy and enforce SSL. I'd like something similar that will automatically update the topic policy.https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html#enforcessl
Use Case
In the
AwsSolutionsChecks
within cdk-nag, there is a rule that requires SSL on SNS Topics,AwsSolutions-SNS3
. Given that is a recommended practice, I believe setting an SNS Topic's policy so that it requires SSL would be a typical scenario. Since it's a typical scenario, I'd like a property to do it for me rather than having to write up a TopicPolicy every time.https://github.com/cdklabs/cdk-nag/blob/main/RULES.md
Proposed Solution
Other Information
No response
Acknowledgements
CDK version used
2.126.0
Environment details (OS name and version, etc.)
macOS 14.3
The text was updated successfully, but these errors were encountered: