Create Amplify resources in acc to Control Tower enforced policies

[vishal-dms]

Environment information

N/A

Description

S3 buckets used for storing metadata like data schema does not follow Control Tower enforced policies as they are the best recommendations documented by AWS -

For e.g. the buckets don't have the following -

• There's no versioning enabled.
• No logging policy is applied.

This discrepancy between AWS's recommended deployment practices with Amplify Gen 2 vs the Control Tower's enforced policies

https://docs.aws.amazon.com/controltower/latest/controlreference/s3-rules.html

Same as Gen1 FR - aws-amplify/amplify-cli#13617

[ykethan]

Hey, thank you for filing this feature request. Marking this as feature request for further prioritization by the Amplify team.

[jposadaa]

Hi any update here? thanks

[sobolk]

The following workaround can be used meanwhile.

import { defineBackend } from '@aws-amplify/backend';
import { auth } from './auth/resource';
import { data } from './data/resource';
import { Aspects } from 'aws-cdk-lib';
import { IConstruct } from 'constructs';
import { Bucket, CfnBucket } from "aws-cdk-lib/aws-s3";
import {Effect, PolicyStatement, StarPrincipal} from 'aws-cdk-lib/aws-iam';

/**
 * @see https://docs.amplify.aws/react/build-a-backend/ to add storage, functions, and more
 */
const backend = defineBackend({
    auth,
    data,
});

Aspects.of(backend.stack).add({
    visit(node: IConstruct) {
        if (node instanceof Bucket) {
            node.addToResourcePolicy(
                new PolicyStatement({
                    effect: Effect.DENY,
                    principals: [new StarPrincipal()],
                    resources: [node.bucketArn + "/*"],
                    actions: ["s3:*"],
                    conditions: {
                        "Bool": {
                            "aws:SecureTransport": false
                        }
                    }
                })
            );

            (node.node.defaultChild as CfnBucket).addPropertyOverride('VersioningConfiguration', {
                Status: 'Enabled'
            });
        }
    },
});