feat: More secure S3 settings (#122)

Force SSL, block all public access and encrypt bucket where we save the layers. Lambda supports all those settings.

Fixes #121

Author: kichik

src/base.ts

@@ -19,6 +19,7 @@ import {
   Stack,
 } from 'aws-cdk-lib';
 import { RetentionDays } from 'aws-cdk-lib/aws-logs';
+import { BucketEncryption } from 'aws-cdk-lib/aws-s3';
 import { Construct } from 'constructs';
 import { PackageCodebuildFunction } from './package-codebuild-function';
 import { PackageNodejsFunction } from './package-nodejs-function';
@@ -141,6 +142,9 @@ export class BaseDependencyPackager extends Construct implements iam.IGrantable,
 
     this.packagesBucket = new s3.Bucket(this, 'Bucket', {
       autoDeleteObjects: true,
+      enforceSSL: true,
+      blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL,
+      encryption: BucketEncryption.S3_MANAGED,
       removalPolicy: RemovalPolicy.DESTROY,
     });
 

test/default.integ.snapshot/Turbo-Layer-Test.assets.json

@@ -235,15 +235,15 @@
         }
       }
     },
-    "3ef59ef101f0ad12362a1e794aa4fbdf90192fc99e828202e7b8ffff7e888ca4": {
+    "eec3cdcb6f11b28abf2677fd100a9b04905082c33e1e8097ef11ac2dd1111390": {
       "source": {
         "path": "Turbo-Layer-Test.template.json",
         "packaging": "file"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "3ef59ef101f0ad12362a1e794aa4fbdf90192fc99e828202e7b8ffff7e888ca4.json",
+          "objectKey": "eec3cdcb6f11b28abf2677fd100a9b04905082c33e1e8097ef11ac2dd1111390.json",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }