From 62296021a02d428c838a7748de4654e45c149924 Mon Sep 17 00:00:00 2001
From: Michael Sambol
Date: Fri, 12 Apr 2024 19:37:48 -0600
Subject: [PATCH] fix(ses-actions): permissions too wide for S3 action

---
 packages/aws-cdk-lib/aws-ses-actions/lib/s3.ts | 3 ++-
 .../aws-ses-actions/test/actions.test.ts | 16 +++++++++++++++-
 2 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/packages/aws-cdk-lib/aws-ses-actions/lib/s3.ts b/packages/aws-cdk-lib/aws-ses-actions/lib/s3.ts
index 5fa01ce1c91be..fab3b52a92436 100644
--- a/packages/aws-cdk-lib/aws-ses-actions/lib/s3.ts
+++ b/packages/aws-cdk-lib/aws-ses-actions/lib/s3.ts
@@ -55,7 +55,8 @@ export class S3 implements ses.IReceiptRuleAction {
 resources: [this.props.bucket.arnForObjects(`${keyPattern}*`)],
 conditions: {
 StringEquals: {
- 'aws:Referer': cdk.Aws.ACCOUNT_ID,
+ 'aws:SourceAccount': cdk.Aws.ACCOUNT_ID,
+ 'aws:SourceArn': `arn:${cdk.Aws.PARTITION}:ses:${cdk.Aws.REGION}:${cdk.Aws.ACCOUNT_ID}:receipt-rule-set/*:receipt-rule/*`,
 },
 },
 });
diff --git a/packages/aws-cdk-lib/aws-ses-actions/test/actions.test.ts b/packages/aws-cdk-lib/aws-ses-actions/test/actions.test.ts
index f53bf29a2306b..23ac0deb4f5d9 100644
--- a/packages/aws-cdk-lib/aws-ses-actions/test/actions.test.ts
+++ b/packages/aws-cdk-lib/aws-ses-actions/test/actions.test.ts
@@ -193,9 +193,23 @@ test('add s3 action', () => {
 Action: 's3:PutObject',
 Condition: {
 StringEquals: {
- 'aws:Referer': {
+ 'aws:SourceAccount': {
 Ref: 'AWS::AccountId',
 },
+ 'aws:SourceArn': {
+ 'Fn::Join': [
+ '',
+ [
+ 'arn:',
+ { Ref: 'AWS::Partition' },
+ ':ses:',
+ { Ref: 'AWS::Region' },
+ ':',
+ { Ref: 'AWS::AccountId' },
+ ':receipt-rule-set/*:receipt-rule/*',
+ ],
+ ],
+ },
 },
 },
 Effect: 'Allow',
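Review bot: The new `aws:SourceArn` value in the s3.ts hunk contains `*` wildcards but sits under the `StringEquals` operator, which performs exact, literal matching, so the `*` characters are compared verbatim and a real receipt-rule ARN will never satisfy the condition; SES's PutObject calls would then be denied rather than merely over-permitted. Wildcards in an ARN condition need `ArnLike` (or `StringLike`), for example `StringEquals: { 'aws:SourceAccount': cdk.Aws.ACCOUNT_ID },` followed by `ArnLike: { 'aws:SourceArn': \`arn:${cdk.Aws.PARTITION}:ses:${cdk.Aws.REGION}:${cdk.Aws.ACCOUNT_ID}:receipt-rule-set/*:receipt-rule/*\` },` as two separate keys of the `conditions` object. Keeping `aws:SourceAccount` under `StringEquals` is correct and is what actually replaces the spoofable `aws:Referer` check, so the account restriction should stay as written; if the bound rule's rule-set name is reachable at bind time, narrowing the ARN to it instead of `*` would be tighter still, though I cannot see from the hunk whether it is. The expected template in the actions.test.ts hunk mirrors the same `StringEquals` placement and will need the matching `ArnLike` key once the library is corrected. The enclosing `bind` method starts before this hunk.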