fix(bootstrap): remove Security Hub finding [S3.10]

**NOTE**: This PR bumps the version of the bootstrap stack to `16`, but there is no need to update your bootstrap stacks, unless it is to get rid of the Security Hub finding; this change has no effect on the functionality of any CDK app deployed to the environment. [Security Hub Finding S3.10](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-s3-10) says: > S3 buckets with versioning enabled should have lifecycle policies configured Presumably so you're not unknowingly accumulating a bigger and bigger S3 bucket as you are overwriting existing files. CDK will never do that, as files are content-addressed and immutable, but Security Hub can't know that and so it complains. Add a lifecycle rule to the S3 bucket to get rid of the finding. Expiration time of non-current files is set to 1 year. This should give enough opportunity to diagnose potential issues and audit the any funkiness in the bucket if the assumption that files are never overwritten should ever be violated.
aws · Feb 15, 2023 · 5c3f29c · 5c3f29c
1 parent 0071ca0
commit 5c3f29c
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml b/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml
@@ -199,6 +199,13 @@ Resources:
           - Ref: AWS::NoValue
       VersioningConfiguration:
         Status: Enabled
+      LifecycleConfiguration:
+        Rules:
+          # Exising objects will never be overwritten but Security Hub wants this rule to exist
+          - Id: CleanupOldVersions
+            Status: Enabled
+            NoncurrentVersionExpiration:
+              NoncurrentDays: 365
     UpdateReplacePolicy: Retain
     DeletionPolicy: Retain
   StagingBucketPolicy: