
fix (MediaStore policy fix to deny anonymous user-agents access aws-cloudfront-mediastore) #253

Merged
merged 4 commits into from
Jul 1, 2021

Conversation

eggoynes
Contributor

@eggoynes eggoynes commented Jul 1, 2021

Issue #, if available:
#252

Description of changes:
Modified the AWS MediaStore policy condition to only allow the AWS CloudFront user agent. Look at the bug description for more details.
#252

Tested changes to make sure they have the intended effect of only allowing access to GET request files from the Amazon CloudFront endpoint. GET requests directly to MediaStore endpoint now just return a generic 403 access denied response.

Condition: { StringEquals: { 'aws:UserAgent': this.cloudFrontOriginAccessIdentity.originAccessIdentityName }, Bool: { 'aws:SecureTransport': 'true' } }

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

BREAKING CHANGE: The construct docs say Mediastore requests are only accepted from CloudFront. The policy as written did not enforce this. If your app relied on the undocumented behavior and made Mediastore requests directly this change will break your app as the policy is now implemented as documented - only calls through CloudFront are accepted.
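To make the breaking change concrete, here is an added example (not code from aws-solutions-constructs or from this PR) that models the container policy statement with and without the `aws:UserAgent` condition quoted above and evaluates both against constructed request contexts. The OAI name, the actions, the resource ARN and the sample user-agent strings are assumed placeholders; the pre-fix policy is not shown on this page, so the "before" case is approximated as a statement that only enforces TLS.

```typescript
// Added example (not the aws-solutions-constructs code): models the MediaStore
// container policy statement described in the PR and evaluates it against
// constructed request contexts, to show which GET requests each policy admits.

type ConditionBlock = {
  StringEquals?: Record<string, string>;
  Bool?: Record<string, string>;
};

interface PolicyStatement {
  Sid: string;
  Effect: 'Allow' | 'Deny';
  Principal: '*';
  Action: string[];
  Resource: string;
  Condition: ConditionBlock;
}

// Condition context keys as IAM presents them for a request (subset).
type RequestContext = Record<string, string>;

// Assumed OAI name; the construct reads it from its CloudFront origin access identity.
const ORIGIN_ACCESS_IDENTITY_NAME = 'OAI-NAME-PLACEHOLDER';

// Builds the public-read statement. `withUserAgentCheck = false` approximates the
// pre-fix behaviour the PR describes (only TLS enforced); `true` adds the fixed
// condition quoted in the PR description. Actions and resource ARN are assumed.
function buildStatement(oaiName: string, withUserAgentCheck: boolean): PolicyStatement {
  const condition: ConditionBlock = { Bool: { 'aws:SecureTransport': 'true' } };
  if (withUserAgentCheck) {
    condition.StringEquals = { 'aws:UserAgent': oaiName };
  }
  return {
    Sid: 'MediaStoreDefaultPolicy',
    Effect: 'Allow',
    Principal: '*',
    Action: ['mediastore:GetObject', 'mediastore:DescribeObject'],
    Resource: 'arn:aws:mediastore:REGION:ACCOUNT_ID:container/CONTAINER_NAME/*',
    Condition: condition,
  };
}

// Minimal evaluator for the two condition operators used here: every key in
// every operator block must match, and an absent context key never matches.
function conditionMatches(cond: ConditionBlock, ctx: RequestContext): boolean {
  const blocks = [cond.StringEquals ?? {}, cond.Bool ?? {}];
  return blocks.every(block =>
    Object.entries(block).every(([key, expected]) => ctx[key] === expected));
}

function isAllowed(stmt: PolicyStatement, ctx: RequestContext): boolean {
  return stmt.Effect === 'Allow' && conditionMatches(stmt.Condition, ctx);
}

// Constructed request contexts: CloudFront forwarding the OAI name as its
// User-Agent, a browser hitting the MediaStore endpoint directly over HTTPS,
// and a direct plain-HTTP request.
const SAMPLE_REQUESTS: Record<string, RequestContext> = {
  viaCloudFront: { 'aws:UserAgent': ORIGIN_ACCESS_IDENTITY_NAME, 'aws:SecureTransport': 'true' },
  directHttps:   { 'aws:UserAgent': 'Mozilla/5.0 (constructed)', 'aws:SecureTransport': 'true' },
  directHttp:    { 'aws:UserAgent': 'curl/7.79.1 (constructed)', 'aws:SecureTransport': 'false' },
};

// Returns, per sample request, whether the chosen policy admits it.
function evaluateAll(withUserAgentCheck: boolean): Record<string, boolean> {
  const stmt = buildStatement(ORIGIN_ACCESS_IDENTITY_NAME, withUserAgentCheck);
  const out: Record<string, boolean> = {};
  for (const [name, ctx] of Object.entries(SAMPLE_REQUESTS)) {
    out[name] = isAllowed(stmt, ctx);
  }
  return out;
}

console.log('before fix:', evaluateAll(false));
console.log('after fix: ', evaluateAll(true));
```

The direct HTTPS request is the case the PR closes: without the `StringEquals` block it satisfies the only condition present and is admitted; with it, only the request carrying the OAI name as its User-Agent passes, which matches the 403 the author observed for direct GETs. The `aws:SecureTransport` condition is what keeps that header from travelling in clear text between CloudFront and the container.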

eggoynes added 2 commits July 1, 2021 00:15
…ault.expected.json file for new policy output. Tested deploying and see that requests to MediaStore are not allowed directly, only requests to CloudFront now make it to MediaStore. How it should be working I presume.
@eggoynes eggoynes requested review from biffgaut and hnishar as code owners July 1, 2021 07:27
@aws-solutions-constructs-team
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: codebuildgithubautobuildPro-fkVQbXRiQi6A
  • Commit ID: 7906c78
  • Result: FAILED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

Contributor

@biffgaut biffgaut left a comment


This is failing in the build process - should be a simple format change:

@aws-solutions-constructs/aws-cloudfront-mediastore: /codebuild/output/src194484854/src/github.com/awslabs/aws-solutions-constructs/source/patterns/@aws-solutions-constructs/aws-cloudfront-mediastore/lib/index.ts
@aws-solutions-constructs/aws-cloudfront-mediastore:    99:1  error  Expected indentation of 18 spaces but found 20  indent
@aws-solutions-constructs/aws-cloudfront-mediastore:   102:1  error  Expected indentation of 18 spaces but found 20  indent
@aws-solutions-constructs/aws-cloudfront-mediastore: ✖ 2 problems (2 errors, 0 warnings)
@aws-solutions-constructs/aws-cloudfront-mediastore:   2 errors and 0 warnings potentially fixable with the `--fix` option.

@hnishar hnishar requested a review from beomseoklee July 1, 2021 15:12
@hnishar hnishar linked an issue Jul 1, 2021 that may be closed by this pull request
Fix indent spaces.
@aws-solutions-constructs-team
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: codebuildgithubautobuildPro-fkVQbXRiQi6A
  • Commit ID: 59dabb5
  • Result: FAILED
  • Build Logs (available for 30 days)


@aws-solutions-constructs-team
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: codebuildgithubautobuildPro-fkVQbXRiQi6A
  • Commit ID: 3c9b6f7
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)


@biffgaut biffgaut merged commit 2ed481c into awslabs:main Jul 1, 2021
Contributor

@beomseoklee beomseoklee left a comment


Tested that the change fixes the issue.

Development

Successfully merging this pull request may close these issues.

mediastore policy bug found in the aws-cloudfront-mediastore module
4 participants