fix (MediaStore policy fix to deny anonymous user-agents access aws-c…

…loudfront-mediastore) (#253) * Fix for issue #252 mediastore policy bug found in the aws-cloudfront-mediastore module * Fix for issue #252 mediastore policy bug updated the integ.default.expected.json file for new policy output. Tested deploying and see that requests to MediaStore are not allowed directly, only requests to CloudFront now make it to MediaStore. How it should be working I presume. * Update index.ts Fix indent spaces. * Updated integ tests
awslabs · Jul 1, 2021 · 2ed481c · 2ed481c
1 parent f0a05aa
commit 2ed481c
Show file tree

Hide file tree

Showing 4 changed files with 9 additions and 7 deletions.
diff --git a/source/patterns/@aws-solutions-constructs/aws-cloudfront-mediastore/lib/index.ts b/source/patterns/@aws-solutions-constructs/aws-cloudfront-mediastore/lib/index.ts
@@ -95,8 +95,10 @@ export class CloudFrontToMediaStore extends Construct {
               ],
               Resource: `arn:${Aws.PARTITION}:mediastore:${Aws.REGION}:${Aws.ACCOUNT_ID}:container/${Aws.STACK_NAME}/*`,
               Condition: {
+                StringEquals: {
+                  'aws:UserAgent': this.cloudFrontOriginAccessIdentity.originAccessIdentityName
+                },
                 Bool: {
-                  'aws:UserAgent': this.cloudFrontOriginAccessIdentity.originAccessIdentityName,
                   'aws:SecureTransport': 'true'
                 }
               }

diff --git a/...onstructs/aws-cloudfront-mediastore/test/__snapshots__/cloudfront-mediastore.test.js.snap b/...onstructs/aws-cloudfront-mediastore/test/__snapshots__/cloudfront-mediastore.test.js.snap
@@ -285,11 +285,11 @@ Object {
               Object {
                 "Ref": "AWS::StackName",
               },
-              "/*\\",\\"Condition\\":{\\"Bool\\":{\\"aws:UserAgent\\":\\"",
+              "/*\\",\\"Condition\\":{\\"StringEquals\\":{\\"aws:UserAgent\\":\\"",
               Object {
                 "Ref": "testcloudfrontmediastoreCloudFrontOriginAccessIdentity966405A0",
               },
-              "\\",\\"aws:SecureTransport\\":\\"true\\"}}}]}",
+              "\\"},\\"Bool\\":{\\"aws:SecureTransport\\":\\"true\\"}}}]}",
             ],
           ],
         },

diff --git a/...erns/@aws-solutions-constructs/aws-cloudfront-mediastore/test/integ.default.expected.json b/...erns/@aws-solutions-constructs/aws-cloudfront-mediastore/test/integ.default.expected.json
@@ -71,11 +71,11 @@
               {
                 "Ref": "AWS::StackName"
               },
-              "/*\",\"Condition\":{\"Bool\":{\"aws:UserAgent\":\"",
+              "/*\",\"Condition\":{\"StringEquals\":{\"aws:UserAgent\":\"",
               {
                 "Ref": "testcloudfrontmediastoreCloudFrontOriginAccessIdentity966405A0"
               },
-              "\",\"aws:SecureTransport\":\"true\"}}}]}"
+              "\"},\"Bool\":{\"aws:SecureTransport\":\"true\"}}}]}"
             ]
           ]
         }

diff --git a/...-constructs/aws-cloudfront-mediastore/test/integ.withoutHttpSecurityHeaders.expected.json b/...-constructs/aws-cloudfront-mediastore/test/integ.withoutHttpSecurityHeaders.expected.json
@@ -71,11 +71,11 @@
               {
                 "Ref": "AWS::StackName"
               },
-              "/*\",\"Condition\":{\"Bool\":{\"aws:UserAgent\":\"",
+              "/*\",\"Condition\":{\"StringEquals\":{\"aws:UserAgent\":\"",
               {
                 "Ref": "testcloudfrontmediastoreCloudFrontOriginAccessIdentity966405A0"
               },
-              "\",\"aws:SecureTransport\":\"true\"}}}]}"
+              "\"},\"Bool\":{\"aws:SecureTransport\":\"true\"}}}]}"
             ]
           ]
         }