Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

mediastore policy bug found in the aws-cloudfront-mediastore module #252

Closed
eggoynes opened this issue Jul 1, 2021 · 0 comments · Fixed by #253
Closed

mediastore policy bug found in the aws-cloudfront-mediastore module #252

eggoynes opened this issue Jul 1, 2021 · 0 comments · Fixed by #253
Assignees
@eggoynes
Labels
bug Something isn't working needs-triage The issue or PR still needs to be triaged

Comments

@eggoynes
Copy link
Contributor

eggoynes commented Jul 1, 2021
edited
Loading

description of the bug:

The AWS MediaStore policy generated from the construct allows anonymous requests directly to the AWS MediaStore container, and the requests do not have to come through Amazon CloudFront. It looks like the AWS MediaStore policy code is trying to limit access to just the Amazon CloudFront distribution with this code, but I am still able to curl files directly from the AWS MediaStore container.

aws-solutions-constructs/source/patterns/@aws-solutions-constructs/aws-cloudfront-mediastore/lib/index.ts

Lines 86 to 103 in f0a05aa

policy: JSON.stringify({
Version: '2012-10-17',
Statement: [{
Sid: 'MediaStoreDefaultPolicy',
Effect: 'Allow',
Principal: '*',
Action: [
'mediastore:GetObject',
'mediastore:DescribeObject'
],
Resource: `arn:${Aws.PARTITION}:mediastore:${Aws.REGION}:${Aws.ACCOUNT_ID}:container/${Aws.STACK_NAME}/*`,
Condition: {
Bool: {
'aws:UserAgent': this.cloudFrontOriginAccessIdentity.originAccessIdentityName,
'aws:SecureTransport': 'true'
}
}
}]

Reproduction Steps

  1. Deploy the contruct

  2. Upload files to AWS MediaStore container.

  3. curl files directly from MediaStore container.

curl https://somecontainer.data.mediastore.us-east-1.amazonaws.com/my_file

But it should only allow downloading from CFN distribution.

curl https://somecode.cloudfront.com/my_file

How to Fix

I am testing and looking at the code to see what needs to change to fix this.

This is 🐛 Bug Report
@eggoynes eggoynes added bug Something isn't working needs-triage The issue or PR still needs to be triaged labels Jul 1, 2021
eggoynes added a commit to eggoynes/aws-solutions-constructs that referenced this issue Jul 1, 2021
@eggoynes
Fix for issue awslabs#252 mediastore policy bug found in the aws-clou…
49f1541 
…dfront-mediastore module
eggoynes added a commit to eggoynes/aws-solutions-constructs that referenced this issue Jul 1, 2021
@eggoynes
Fix for issue awslabs#252 mediastore policy bug updated the integ.def…
7906c78 
…ault.expected.json file for new policy output. Tested deploying and see that requests to MediaStore are not allowed directly, only requests to CloudFront now make it to MediaStore. How it should be working I presume.
@eggoynes eggoynes mentioned this issue Jul 1, 2021
Merged
@hnishar hnishar linked a pull request Jul 1, 2021 that will close this issue
fix (MediaStore policy fix to deny anonymous user-agents access aws-cloudfront-mediastore) #253
Merged
biffgaut pushed a commit that referenced this issue Jul 1, 2021
@eggoynes
fix (MediaStore policy fix to deny anonymous user-agents access aws-c…
2ed481c 
…loudfront-mediastore) (#253)

* Fix for issue #252 mediastore policy bug found in the aws-cloudfront-mediastore module

* Fix for issue #252 mediastore policy bug updated the integ.default.expected.json file for new policy output. Tested deploying and see that requests to MediaStore are not allowed directly, only requests to CloudFront now make it to MediaStore. How it should be working I presume.

* Update index.ts

Fix indent spaces.

* Updated integ tests
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@eggoynes eggoynes

Labels
bug Something isn't working needs-triage The issue or PR still needs to be triaged
Projects
None yet
Milestone
No milestone
1 participant
@eggoynes