From 4ecb826739b0ed41daa23f5a5a5779f4562aa145 Mon Sep 17 00:00:00 2001
From: HBobertz
Date: Wed, 9 Oct 2024 12:11:25 -0400
Subject: [PATCH 1/6] update error messaging
---
 lib/private/handlers/files.ts | 30 +++++++++++++++++++++++-------
 1 file changed, 23 insertions(+), 7 deletions(-)
diff --git a/lib/private/handlers/files.ts b/lib/private/handlers/files.ts
index dd912d4..1e39708 100644
--- a/lib/private/handlers/files.ts
+++ b/lib/private/handlers/files.ts
@@ -84,13 +84,29 @@ export class FileAssetHandler implements IAssetHandler { throw new Error( `Bucket named '${destination.bucketName}' exists, but we dont have access to it.` ); - case BucketOwnership.SOMEONE_ELSES_AND_HAVE_ACCESS: - if (!allowCrossAccount) { - throw new Error( - `Bucket named '${destination.bucketName}' exists, but not in account ${await account()}. Wrong account?` - ); - } - break; + case BucketOwnership.SOMEONE_ELSES_AND_HAVE_ACCESS: + if (!allowCrossAccount) { + throw new Error( + `❗❗ UNEXPECTED BUCKET OWNER DETECTED ❗❗ + + We've detected that the S3 bucket cdk-hnb659fds-assets-${await account()}-${destination.region} was + originally created in account ${await account()} as part of the CloudFormation stack CDKToolkit, + but now resides in a different AWS account. To prevent cross-account asset bucket access of your + deployments, CDK will stop now. + + If this situation is intentional and you own the AWS account that the bucket has moved to, remove the + resource named StagingBucket from the template of CloudFormation stack CDKToolkit and try again. + + If this situation is not intentional, we strongly recommend auditing your account to make sure all + resources are configured the way you expect them [1]. For questions or concerns, please contact + AWS Support [2]. + + [1] https://repost.aws/knowledge-center/potential-account-compromise + + [2] https://aws.amazon.com/support` + ); + } + break; } if (await objectExists(s3, destination.bucketName, destination.objectKey)) {
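Review bot: `await account()` is evaluated three times inside the new template literal (and still twice after patch 5 swaps the first occurrence for `${destination.bucketName}`); hoist it once, e.g. `const currentAccount = await account();` before the `throw` and `${currentAccount}` in the message, so that if `account()` performs an identity lookup (its definition is outside this diff) it is not repeated and the message cannot show inconsistent values. The message also hard-codes the stack name `CDKToolkit` and the resource name `StagingBucket`; if the bootstrap stack was deployed under a custom name the remediation step points at the wrong stack, so consider wording it as "the bootstrap stack (CDKToolkit by default)". The sentence "originally created in account … but now resides in a different AWS account" asserts provenance the code does not establish — as far as this hunk shows, the `SOMEONE_ELSES_AND_HAVE_ACCESS` branch only knows the bucket is accessible and owned by another account — so phrasing it as "the bucket's name matches the bootstrap bucket for account X, but it is owned by a different account" keeps the warning accurate. Because each line of the literal carries the source indentation, the error prints with that leading whitespace on every line; trimming each line or assembling the text with an array join would keep the output clean. The enclosing `switch` and method start before and continue after this hunk.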
From 71840212b584ac6c2c75570842bd7274479ae2d5 Mon Sep 17 00:00:00 2001
From: HBobertz
Date: Wed, 9 Oct 2024 12:13:44 -0400
Subject: [PATCH 2/6] fix white space
---
 lib/private/handlers/files.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/private/handlers/files.ts b/lib/private/handlers/files.ts
index 1e39708..ebc32fa 100644
--- a/lib/private/handlers/files.ts
+++ b/lib/private/handlers/files.ts
@@ -104,8 +104,8 @@ export class FileAssetHandler implements IAssetHandler { [1] https://repost.aws/knowledge-center/potential-account-compromise [2] https://aws.amazon.com/support` - ); - } + ); + } break; }
From b3692bfe90c2ee83b6df75945a3800c95f9c85c8 Mon Sep 17 00:00:00 2001
From: HBobertz
Date: Wed, 9 Oct 2024 12:17:29 -0400
Subject: [PATCH 3/6] update test
---
 test/files.test.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test/files.test.ts b/test/files.test.ts
index d64cbba..ba448f2 100644
--- a/test/files.test.ts
+++ b/test/files.test.ts
@@ -436,7 +436,7 @@ test('fails when cross account is required but not allowed', async () => { return { promise: () => Promise.resolve() }; }); - await expect(pub.publish({ allowCrossAccount: false })).rejects.toThrow('Wrong account?'); + await expect(pub.publish({ allowCrossAccount: false })).rejects.toThrow('❗❗ UNEXPECTED BUCKET OWNER DETECTED ❗❗'); }); test('succeeds when bucket doesnt belong to us but doesnt contain account id - cross account', async () => {
From 24c3d5521330572770244b31916231623a363753 Mon Sep 17 00:00:00 2001
From: github-actions
Date: Wed, 9 Oct 2024 16:18:54 +0000
Subject: [PATCH 4/6] chore: self mutation
Signed-off-by: github-actions
---
 lib/private/handlers/files.ts | 14 +++++++-------
 test/files.test.ts | 4 +++-
 2 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/lib/private/handlers/files.ts b/lib/private/handlers/files.ts
index ebc32fa..a002343 100644
--- a/lib/private/handlers/files.ts
+++ b/lib/private/handlers/files.ts
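Review bot: The updated assertion pins only the banner text and checks nothing bucket- or remediation-specific (the old `'Wrong account?'` match was equally weak), so a regression that drops the bucket name or the remediation steps from the message would still pass; consider matching a pattern that also covers the actionable part, e.g. `.rejects.toThrow(/UNEXPECTED BUCKET OWNER DETECTED[\s\S]*StagingBucket/)`. Matching on the emoji banner also ties the test to decorative characters; the phrase `UNEXPECTED BUCKET OWNER DETECTED` alone is less brittle to copy-editing. The test body starts before this hunk.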
@@ -84,10 +84,10 @@ export class FileAssetHandler implements IAssetHandler { throw new Error( `Bucket named '${destination.bucketName}' exists, but we dont have access to it.` ); - case BucketOwnership.SOMEONE_ELSES_AND_HAVE_ACCESS: - if (!allowCrossAccount) { - throw new Error( - `❗❗ UNEXPECTED BUCKET OWNER DETECTED ❗❗ + case BucketOwnership.SOMEONE_ELSES_AND_HAVE_ACCESS: + if (!allowCrossAccount) { + throw new Error( + `❗❗ UNEXPECTED BUCKET OWNER DETECTED ❗❗ We've detected that the S3 bucket cdk-hnb659fds-assets-${await account()}-${destination.region} was originally created in account ${await account()} as part of the CloudFormation stack CDKToolkit,
@@ -104,9 +104,9 @@ export class FileAssetHandler implements IAssetHandler { [1] https://repost.aws/knowledge-center/potential-account-compromise [2] https://aws.amazon.com/support` - ); - } - break; + ); + } + break; } if (await objectExists(s3, destination.bucketName, destination.objectKey)) {
diff --git a/test/files.test.ts b/test/files.test.ts
index ba448f2..3f1c970 100644
--- a/test/files.test.ts
+++ b/test/files.test.ts
@@ -436,7 +436,9 @@ test('fails when cross account is required but not allowed', async () => { return { promise: () => Promise.resolve() }; }); - await expect(pub.publish({ allowCrossAccount: false })).rejects.toThrow('❗❗ UNEXPECTED BUCKET OWNER DETECTED ❗❗'); + await expect(pub.publish({ allowCrossAccount: false })).rejects.toThrow( + '❗❗ UNEXPECTED BUCKET OWNER DETECTED ❗❗' + ); }); test('succeeds when bucket doesnt belong to us but doesnt contain account id - cross account', async () => {
From 3376c89238f1b1c13f66f219ae890caff1e03d17 Mon Sep 17 00:00:00 2001
From: HBobertz
Date: Wed, 9 Oct 2024 12:41:32 -0400
Subject: [PATCH 5/6] update string
---
 lib/private/handlers/files.ts | 2 +-
 test/files.test.ts | 4 +---
 2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/lib/private/handlers/files.ts b/lib/private/handlers/files.ts
index a002343..ee28270 100644
--- a/lib/private/handlers/files.ts
+++ b/lib/private/handlers/files.ts
@@ -89,7 +89,7 @@ export class FileAssetHandler implements IAssetHandler { throw new Error( `❗❗ UNEXPECTED BUCKET OWNER DETECTED ❗❗ - We've detected that the S3 bucket cdk-hnb659fds-assets-${await account()}-${destination.region} was + We've detected that the S3 bucket ${destination.bucketName} was originally created in account ${await account()} as part of the CloudFormation stack CDKToolkit, but now resides in a different AWS account. To prevent cross-account asset bucket access of your deployments, CDK will stop now.
diff --git a/test/files.test.ts b/test/files.test.ts
index 3f1c970..ba448f2 100644
--- a/test/files.test.ts
+++ b/test/files.test.ts
@@ -436,9 +436,7 @@ test('fails when cross account is required but not allowed', async () => { return { promise: () => Promise.resolve() }; }); - await expect(pub.publish({ allowCrossAccount: false })).rejects.toThrow( - '❗❗ UNEXPECTED BUCKET OWNER DETECTED ❗❗' - ); + await expect(pub.publish({ allowCrossAccount: false })).rejects.toThrow('❗❗ UNEXPECTED BUCKET OWNER DETECTED ❗❗'); }); test('succeeds when bucket doesnt belong to us but doesnt contain account id - cross account', async () => {
From 2635360f24d5681ea6f832897d1fa97acd6f2867 Mon Sep 17 00:00:00 2001
From: github-actions
Date: Wed, 9 Oct 2024 16:48:47 +0000
Subject: [PATCH 6/6] chore: self mutation
Signed-off-by: github-actions
---
 test/files.test.ts | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/test/files.test.ts b/test/files.test.ts
index ba448f2..3f1c970 100644
--- a/test/files.test.ts
+++ b/test/files.test.ts
@@ -436,7 +436,9 @@ test('fails when cross account is required but not allowed', async () => { return { promise: () => Promise.resolve() }; }); - await expect(pub.publish({ allowCrossAccount: false })).rejects.toThrow('❗❗ UNEXPECTED BUCKET OWNER DETECTED ❗❗'); + await expect(pub.publish({ allowCrossAccount: false })).rejects.toThrow( + '❗❗ UNEXPECTED BUCKET OWNER DETECTED ❗❗' + ); }); test('succeeds when bucket doesnt belong to us but doesnt contain account id - cross account', async () => {