CORS Configuration

Finding: CORS is wide open for the S3 bucket

Location: Lines 206-213 in wa_genai_stack.py

python
cors=[
    s3.CorsRule(
        allowed_methods=[s3.HttpMethods.GET, s3.HttpMethods.PUT],
        allowed_origins=["*"],  # ⚠️ SECURITY RISK
        allowed_headers=["*"],  # ⚠️ SECURITY RISK
    )
]

1. allowed_origins=["*"] - Allows any website to make requests to this S3 bucket
2. allowed_headers=["*"] - Permits any HTTP headers in cross-origin requests
3. Data exposure - Malicious websites can potentially access stored analysis results
4. CSRF attacks - Enables cross-site request forgery from any domain

python
cors=[
    s3.CorsRule(
        allowed_methods=[s3.HttpMethods.GET, s3.HttpMethods.PUT],
        allowed_origins=[
            f"https://{alb_dns}",  # Only allow the frontend ALB
            "https://your-domain.com"  # Add specific domains as needed
        ],
        allowed_headers=[
            "Content-Type",
            "Authorization",
            "x-amz-date",
            "x-amz-security-token"
        ],
        max_age=3600  # Cache preflight requests for 1 hour
    )
]

• **SEC03-BP02**: Enforce encryption in transit
• **SEC05-BP01**: Reduce attack surface
• **SEC06-BP01**: Implement secure network controls

Severity: HIGH - This configuration exposes the S3 bucket to potential data access from any website on the internet.

Author: ibrahimcesar

README.md

@@ -141,6 +141,11 @@ Once complete, you'll find a new CloudFormation stack named **WA-IaC-Analyzer-{r
 
 1. If you enabled authentication with a custom domain:
    - Create a DNS record (CNAME or Alias) pointing to the ALB domain name
+   - **For custom domains**: Set the `CUSTOM_DOMAIN` environment variable and redeploy to update CORS configuration:
+     ```bash
+     export CUSTOM_DOMAIN=wa-analyzer.example.com
+     cdk deploy  # or re-run your deployment method
+     ```
 
 2. If you created a new Cognito user pool:
    - Navigate to the Amazon Cognito console

ecs_fargate_app/wa_genai_stack.py

@@ -398,20 +398,17 @@ def __init__(self, scope: Construct, construct_id: str, **kwarg) -> None:
         KB_ID = kb.knowledge_base_id
 
         # Create S3 bucket and DynamoDB table for storage layer
+        # Get the ALB DNS name for CORS configuration
+        # This will be set after the frontend service is created
+        cors_origins = []
+        
         # Create S3 bucket for storing analysis results
         analysis_storage_bucket = s3.Bucket(
             self,
             "AnalysisStorageBucket",
             removal_policy=RemovalPolicy.DESTROY,
             auto_delete_objects=True,
             enforce_ssl=True,
-            cors=[
-                s3.CorsRule(
-                    allowed_methods=[s3.HttpMethods.GET, s3.HttpMethods.PUT],
-                    allowed_origins=["*"],
-                    allowed_headers=["*"],
-                )
-            ],
         )
 
         # Create DynamoDB table for metadata
@@ -957,6 +954,35 @@ def __init__(self, scope: Construct, construct_id: str, **kwarg) -> None:
         # Get the ALB DNS name after frontend service is created
         alb_dns = frontend_service.load_balancer.load_balancer_dns_name
 
+        # Configure CORS for S3 bucket with specific origins
+        cors_origins = [f"http://{alb_dns}"]
+        if auth_config["enabled"]:
+            cors_origins.append(f"https://{alb_dns}")
+            
+        # Add custom domain support from environment variable
+        custom_domain = os.environ.get("CUSTOM_DOMAIN", "")
+        if custom_domain:
+            cors_origins.extend([f"http://{custom_domain}", f"https://{custom_domain}"])
+            
+        # Add CORS configuration to the S3 bucket
+        cfn_bucket = analysis_storage_bucket.node.default_child
+        cfn_bucket.cors_configuration = {
+            "corsRules": [
+                {
+                    "allowedMethods": ["GET", "PUT"],
+                    "allowedOrigins": cors_origins,
+                    "allowedHeaders": [
+                        "Content-Type",
+                        "Content-Length",
+                        "Authorization",
+                        "x-amz-date",
+                        "x-amz-security-token"
+                    ],
+                    "maxAge": 3000
+                }
+            ]
+        }
+
         # Configure health check for ALB
         frontend_service.target_group.configure_health_check(path="/healthz")