fix(bootstrap): remove Security Hub finding S3.10 #24175
Merged
Conversation
**NOTE**: This PR bumps the version of the bootstrap stack to `16`, but there is no need to update your bootstrap stacks, unless it is to get rid of the Security Hub finding; this change has no effect on the functionality of any CDK app deployed to the environment.

[Security Hub Finding S3.10](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-s3-10) says:

> S3 buckets with versioning enabled should have lifecycle policies configured

Presumably so you're not unknowingly accumulating a bigger and bigger S3 bucket as you are overwriting existing files. CDK will never do that, as files are content-addressed and immutable, but Security Hub can't know that and so it complains.

Add a lifecycle rule to the S3 bucket to get rid of the finding. Expiration time of non-current files is set to 1 year. This should give enough opportunity to diagnose potential issues and audit any funkiness in the bucket if the assumption that files are never overwritten should ever be violated.
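The check behind the finding and the kind of rule the PR describes, as an added example that is not code from the aws-cdk PR or the bootstrap template: it evaluates a bucket's versioning and lifecycle configuration (in the shape boto3 returns) against the intent of S3.10 and builds a whole-bucket rule that only expires non-current versions after one year. The rule ID and the exact pass/fail logic are assumptions, and the sample responses are constructed.

```python
# Added example (not code from the aws-cdk PR): evaluate a bucket's versioning and
# lifecycle configuration, in the shape boto3 returns from get_bucket_versioning and
# get_bucket_lifecycle_configuration, against the intent of Security Hub S3.10, and
# build the rule the PR describes. All responses below are constructed samples.
from typing import Any, Optional

NONCURRENT_EXPIRY_DAYS = 365  # the PR's one-year retention for non-current versions


def versioning_enabled(versioning: dict) -> bool:
    """True if the GetBucketVersioning response reports Status == 'Enabled'."""
    return versioning.get("Status") == "Enabled"


def has_enabled_lifecycle_rule(lifecycle: Optional[dict]) -> bool:
    """True if at least one lifecycle rule is present and Enabled.
    None models a bucket with no configuration (NoSuchLifecycleConfiguration)."""
    if not lifecycle:
        return False
    return any(rule.get("Status") == "Enabled" for rule in lifecycle.get("Rules", []))


def s3_10_status(versioning: dict, lifecycle: Optional[dict]) -> str:
    """Approximation (assumption) of the S3.10 check: a versioning-enabled bucket
    passes when it has an enabled lifecycle rule; unversioned buckets are out of scope."""
    if not versioning_enabled(versioning):
        return "NOT_APPLICABLE"
    return "PASSED" if has_enabled_lifecycle_rule(lifecycle) else "FAILED"


def noncurrent_expiry_rule(days: int = NONCURRENT_EXPIRY_DAYS) -> dict[str, Any]:
    """Lifecycle rule in PutBucketLifecycleConfiguration shape. The empty-prefix
    filter covers the whole bucket, and only non-current versions are expired, so
    current (content-addressed, never overwritten) assets are left untouched."""
    return {
        "ID": "ExpireNoncurrentVersions",  # hypothetical rule name
        "Status": "Enabled",
        "Filter": {"Prefix": ""},
        "NoncurrentVersionExpiration": {"NoncurrentDays": days},
    }


# Constructed sample: the same versioned staging bucket before and after the fix.
VERSIONED = {"Status": "Enabled", "MFADelete": "Disabled"}
BEFORE = None                                  # no lifecycle configuration yet
AFTER = {"Rules": [noncurrent_expiry_rule()]}
if __name__ == "__main__":
    print("before:", s3_10_status(VERSIONED, BEFORE))  # FAILED
    print("after: ", s3_10_status(VERSIONED, AFTER))   # PASSED
```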
rix0rrr
changed the title
fix(bootstrap): remove Security Hub finding [S3.10]
fix(bootstrap): remove Security Hub finding S3.10
Feb 15, 2023
rix0rrr
added
pr-linter/exempt-test
The PR linter will not require test changes
pr-linter/exempt-integ-test
The PR linter will not require integ test changes
labels
Feb 15, 2023
Naumel
approved these changes
Feb 15, 2023
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).
This was referenced Mar 21, 2023
mergify bot
pushed a commit
that referenced
this pull request
Mar 28, 2023
…because of missing lifecycle policy (#24735)

After enabling AWS Foundational Security Best Practices v1.0.0 in the security hub, I am always frustrated when I see failed checks. Similar to #24175 I would like to see a lifecycle rule that does not do much but at least per default resolves the finding. I know that there is an RFC for garbage collection in the works but this is a simple immediate fix.

_This is heavily inspired by https://github.com/aws/aws-cdk/pull/24175_

Closes #24723.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
homakk
pushed a commit
to homakk/aws-cdk
that referenced
this pull request
Mar 28, 2023
…because of missing lifecycle policy (aws#24735)

After enabling AWS Foundational Security Best Practices v1.0.0 in the security hub, I am always frustrated when I see failed checks. Similar to aws#24175 I would like to see a lifecycle rule that does not do much but at least per default resolves the finding. I know that there is an RFC for garbage collection in the works but this is a simple immediate fix.

_This is heavily inspired by https://github.com/aws/aws-cdk/pull/24175_

Closes aws#24723.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
This was referenced Sep 13, 2024
Labels
contribution/core
This is a PR that came from AWS.
p2
pr-linter/exempt-integ-test
The PR linter will not require integ test changes
pr-linter/exempt-test
The PR linter will not require test changes