fix (MediaStore policy fix to deny anonymous user-agents access aws-cloudfront-mediastore) #253
Conversation
…dfront-mediastore module
…ault.expected.json file for new policy output. Tested deploying and saw that requests to MediaStore are not allowed directly; only requests from CloudFront now make it to MediaStore. How it should be working, I presume.
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
This is failing in the build process - should be a simple format change:
@aws-solutions-constructs/aws-cloudfront-mediastore: /codebuild/output/src194484854/src/github.com/awslabs/aws-solutions-constructs/source/patterns/@aws-solutions-constructs/aws-cloudfront-mediastore/lib/index.ts
@aws-solutions-constructs/aws-cloudfront-mediastore: 99:1 error Expected indentation of 18 spaces but found 20 indent
@aws-solutions-constructs/aws-cloudfront-mediastore: 102:1 error Expected indentation of 18 spaces but found 20 indent
@aws-solutions-constructs/aws-cloudfront-mediastore: ✖ 2 problems (2 errors, 0 warnings)
@aws-solutions-constructs/aws-cloudfront-mediastore: 2 errors and 0 warnings potentially fixable with the `--fix` option.
Fix indent spaces.
Tested that the change fixes the issue.
Issue #, if available:
#252
Description of changes:
Modified the AWS MediaStore policy condition to only allow the AWS CloudFront user agent. Look at the bug description for more details.
#252
Tested the changes to make sure they have the intended effect of only allowing GET requests for files from the Amazon CloudFront endpoint. GET requests made directly to the MediaStore endpoint now just return a generic 403 access denied response.
Condition: {
  StringEquals: { 'aws:UserAgent': this.cloudFrontOriginAccessIdentity.originAccessIdentityName },
  Bool: { 'aws:SecureTransport': 'true' }
}
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
BREAKING CHANGE: The construct docs say MediaStore requests are only accepted from CloudFront. The policy as written did not enforce this. If your app relied on the undocumented behavior and made MediaStore requests directly, this change will break your app, as the policy is now implemented as documented: only calls through CloudFront are accepted.
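The following is an added example, not code from the aws-solutions-constructs project or from this PR. It builds a MediaStore container policy with the same Condition block the PR description shows (StringEquals on aws:UserAgent against the OAI name, Bool on aws:SecureTransport) and runs a minimal evaluator for those two operators over constructed requests, so the allow/deny behaviour described in the PR can be checked offline. The OAI name, container ARN and action list are assumed placeholder values, and the evaluator deliberately ignores action and resource matching because only the request context varies here.

```typescript
// Added example (not project code): a container policy shaped like the one the
// PR describes, plus a tiny evaluator for the StringEquals and Bool operators.

type ConditionBlock = {
  StringEquals?: Record<string, string>;
  Bool?: Record<string, string>;
};

interface Statement {
  Sid: string;
  Effect: "Allow" | "Deny";
  Principal: "*";
  Action: string[];
  Resource: string;
  Condition: ConditionBlock;
}

interface PolicyDocument {
  Version: "2012-10-17";
  Statement: Statement[];
}

// Request context: the subset of IAM global condition keys the policy consults.
// IAM exposes aws:SecureTransport as a boolean and aws:UserAgent as a string.
type RequestContext = Record<string, string | boolean>;

// `oaiName` plays the role of cloudFrontOriginAccessIdentity.originAccessIdentityName
// from the PR snippet. The ARN and the action list are illustrative assumptions.
function buildContainerPolicy(oaiName: string, containerArn: string): PolicyDocument {
  return {
    Version: "2012-10-17",
    Statement: [
      {
        Sid: "AllowReadsFromCloudFrontOnly", // assumed Sid
        Effect: "Allow",
        Principal: "*",
        Action: ["mediastore:GetObject", "mediastore:DescribeObject"],
        Resource: `${containerArn}/*`,
        Condition: {
          StringEquals: { "aws:UserAgent": oaiName },
          Bool: { "aws:SecureTransport": "true" },
        },
      },
    ],
  };
}

// IAM semantics for a Condition block: every operator must match (AND), every
// key inside an operator must match, and a key missing from the request context
// does not match.
function conditionMatches(cond: ConditionBlock, ctx: RequestContext): boolean {
  for (const [key, expected] of Object.entries(cond.StringEquals ?? {})) {
    const actual = ctx[key];
    if (typeof actual !== "string" || actual !== expected) return false;
  }
  for (const [key, expected] of Object.entries(cond.Bool ?? {})) {
    const actual = ctx[key];
    // Bool compares the context boolean against the policy's "true"/"false" string.
    if (typeof actual !== "boolean" || String(actual) !== expected) return false;
  }
  return true;
}

// Simplified decision: a matching explicit Deny wins, a matching Allow allows,
// otherwise the request falls through to the implicit deny (the generic 403).
function evaluate(policy: PolicyDocument, ctx: RequestContext): "allow" | "deny" {
  let allowed = false;
  for (const st of policy.Statement) {
    if (!conditionMatches(st.Condition, ctx)) continue;
    if (st.Effect === "Deny") return "deny";
    allowed = true;
  }
  return allowed ? "allow" : "deny";
}

// Constructed inputs (assumed values, not taken from any real account).
const OAI_NAME = "E2EXAMPLEOAI1234";
const CONTAINER_ARN = "arn:aws:mediastore:us-east-1:123456789012:container/example";
const policy = buildContainerPolicy(OAI_NAME, CONTAINER_ARN);

// Constructed requests: CloudFront over TLS, an anonymous direct GET, a request
// with no User-Agent at all, and a CloudFront-looking request over plain HTTP.
const decisions = {
  viaCloudFront: evaluate(policy, { "aws:UserAgent": OAI_NAME, "aws:SecureTransport": true }),
  directAnonymous: evaluate(policy, { "aws:UserAgent": "curl/8.0", "aws:SecureTransport": true }),
  noUserAgent: evaluate(policy, { "aws:SecureTransport": true }),
  plainHttp: evaluate(policy, { "aws:UserAgent": OAI_NAME, "aws:SecureTransport": false }),
};

console.log(decisions);
```

Only the request that carries the OAI name as its User-Agent over TLS is allowed; the direct GET, the request with no User-Agent and the plaintext request all fall through to the implicit deny, which is the 403 the PR description reports. Note that the evaluator cannot tell CloudFront from any other client that sends the same User-Agent value: aws:UserAgent is supplied by the caller, so this condition gates casual direct access rather than acting as an authentication boundary.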