From 39171fab2b570fa24d541848ea4b336be836cf85 Mon Sep 17 00:00:00 2001 From: Hogan Bobertz Date: Thu, 10 Oct 2024 03:39:49 -0400 Subject: [PATCH] chore: update bucket ownership message (#127) - **update error messaging** Updating error messaging to the approved messaging from appsec Fixes # --- lib/private/handlers/files.ts | 18 +++++++++++++++++- test/files.test.ts | 4 +++- 2 files changed, 20 insertions(+), 2 deletions(-) diff --git a/lib/private/handlers/files.ts b/lib/private/handlers/files.ts index dd912d4..ee28270 100644 --- a/lib/private/handlers/files.ts +++ b/lib/private/handlers/files.ts @@ -87,7 +87,23 @@ export class FileAssetHandler implements IAssetHandler { case BucketOwnership.SOMEONE_ELSES_AND_HAVE_ACCESS: if (!allowCrossAccount) { throw new Error( - `Bucket named '${destination.bucketName}' exists, but not in account ${await account()}. Wrong account?` + `❗❗ UNEXPECTED BUCKET OWNER DETECTED ❗❗ + + We've detected that the S3 bucket ${destination.bucketName} was + originally created in account ${await account()} as part of the CloudFormation stack CDKToolkit, + but now resides in a different AWS account. To prevent cross-account asset bucket access of your + deployments, CDK will stop now. + + If this situation is intentional and you own the AWS account that the bucket has moved to, remove the + resource named StagingBucket from the template of CloudFormation stack CDKToolkit and try again. + + If this situation is not intentional, we strongly recommend auditing your account to make sure all + resources are configured the way you expect them [1]. For questions or concerns, please contact + AWS Support [2]. + + [1] https://repost.aws/knowledge-center/potential-account-compromise + + [2] https://aws.amazon.com/support` ); } break; diff --git a/test/files.test.ts b/test/files.test.ts index d64cbba..3f1c970 100644 --- a/test/files.test.ts +++ b/test/files.test.ts @@ -436,7 +436,9 @@ test('fails when cross account is required but not allowed', async () => { return { promise: () => Promise.resolve() }; }); - await expect(pub.publish({ allowCrossAccount: false })).rejects.toThrow('Wrong account?'); + await expect(pub.publish({ allowCrossAccount: false })).rejects.toThrow( + '❗❗ UNEXPECTED BUCKET OWNER DETECTED ❗❗' + ); }); test('succeeds when bucket doesnt belong to us but doesnt contain account id - cross account', async () => {