From e7776ff99324eaaab45e26b0d3b567e8ca5a805f Mon Sep 17 00:00:00 2001
From: Manan Pancholi
Date: Fri, 17 Jan 2025 20:00:12 +0000
Subject: [PATCH 1/7] chore(aws-s3): default BlockPublicAccess class properties to true for consistent behavior
---
 packages/aws-cdk-lib/aws-s3/lib/bucket.ts | 8 +++---
 .../aws-cdk-lib/aws-s3/test/bucket.test.ts | 28 +++++++++++++++++++
 2 files changed, 32 insertions(+), 4 deletions(-)
diff --git a/packages/aws-cdk-lib/aws-s3/lib/bucket.ts b/packages/aws-cdk-lib/aws-s3/lib/bucket.ts
index 27cb8fc6fde2b..e5cead93bf22a 100644
--- a/packages/aws-cdk-lib/aws-s3/lib/bucket.ts
+++ b/packages/aws-cdk-lib/aws-s3/lib/bucket.ts
@@ -1092,10 +1092,10 @@ export class BlockPublicAccess {
 public restrictPublicBuckets: boolean | undefined;
 constructor(options: BlockPublicAccessOptions) {
- this.blockPublicAcls = options.blockPublicAcls;
- this.blockPublicPolicy = options.blockPublicPolicy;
- this.ignorePublicAcls = options.ignorePublicAcls;
- this.restrictPublicBuckets = options.restrictPublicBuckets;
+ this.blockPublicAcls = options.blockPublicAcls ?? true;
+ this.blockPublicPolicy = options.blockPublicPolicy ?? true;
+ this.ignorePublicAcls = options.ignorePublicAcls ?? true;
+ this.restrictPublicBuckets = options.restrictPublicBuckets ?? true;
 }
 }
diff --git a/packages/aws-cdk-lib/aws-s3/test/bucket.test.ts b/packages/aws-cdk-lib/aws-s3/test/bucket.test.ts
index 5ad2b8413bcb8..63047deded860 100644
--- a/packages/aws-cdk-lib/aws-s3/test/bucket.test.ts
+++ b/packages/aws-cdk-lib/aws-s3/test/bucket.test.ts
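Review bot: The `?? true` defaults are applied unconditionally in the `BlockPublicAccess` constructor, while the `@aws-cdk/aws-s3:blockPublicAccessPropertiesDefaultToTrue` flag introduced in patch 3's features.ts hunk is not read anywhere in the hunks visible here, so with the flag disabled a partial configuration such as `new BlockPublicAccess({ blockPublicPolicy: false })` still flips the other three members to `true` — exactly the "accidental changes to bucket visibility settings" the flag's compatibility note says disabling it avoids. Unless patch 7 (outside this view) gates it, the defaulting belongs where a construct scope exists, presumably in `Bucket` when it renders `publicAccessBlockConfiguration`, since this constructor has no scope on which to query `FeatureFlags.of(scope).isEnabled(...)`. The change itself only tightens access (an unspecified member becomes `true`), so it is fail-safe, but an opt-in flag that has no effect misleads anyone auditing bucket exposure by flag state. The enclosing class starts before the hunk.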
@@ -972,6 +972,34 @@ describe('bucket', () => {
 });
 });
+ test('unspecified blockPublicAccess properties should default to true', () => {
+ const stack = new cdk.Stack();
+ new s3.Bucket(stack, 'MyBucket', {
+ blockPublicAccess: new s3.BlockPublicAccess({
+ blockPublicPolicy: false,
+ restrictPublicBuckets: false,
+ }),
+ });
+
+ Template.fromStack(stack).templateMatches({
+ 'Resources': {
+ 'MyBucketF68F3FF0': {
+ 'Type': 'AWS::S3::Bucket',
+ 'Properties': {
+ 'PublicAccessBlockConfiguration': {
+ 'BlockPublicAcls': true,
+ 'BlockPublicPolicy': false,
+ 'IgnorePublicAcls': true,
+ 'RestrictPublicBuckets': false,
+ },
+ },
+ 'DeletionPolicy': 'Retain',
+ 'UpdateReplacePolicy': 'Retain',
+ },
+ },
+ });
+ });
+
 test('bucket with default block public access setting to throw error msg', () => {
 const stack = new cdk.Stack();
From d965576761f946dc97b72b9fa0f897b6e6ca16c8 Mon Sep 17 00:00:00 2001
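Review bot: The new test pins only the partial-configuration case and has no assertion for the flag being absent or explicitly `false`, so it cannot tell whether the defaulting is gated by `@aws-cdk/aws-s3:blockPublicAccessPropertiesDefaultToTrue` (added in patch 3) or applied unconditionally as the bucket.ts hunk in this patch does. Add a sibling test that calls `stack.node.setContext(cxapi.S3_BUCKET_DEFAULT_BLOCK_PUBLIC_ACCESS_PROPERTIES_TO_TRUE, false)` before creating the bucket and asserts the pre-flag rendering, and a case for `new s3.BlockPublicAccess({})` with the flag on expecting all four members `true`. The enclosing `describe('bucket', ...)` block starts and ends outside the hunk.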
From: Manan Pancholi Date: Tue, 21 Jan 2025 18:11:19 -0600 Subject: [PATCH 2/7] Add integ tests --- .../aws-cdk-s3.assets.json | 19 ++ .../aws-cdk-s3.template.json | 69 +++++++ .../cdk.out | 1 + ...efaultTestDeployAssert2B4C2503.assets.json | 19 ++ ...aultTestDeployAssert2B4C2503.template.json | 36 ++++ .../integ.json | 12 ++ .../manifest.json | 125 ++++++++++++ .../tree.json | 181 ++++++++++++++++++ .../test/integ.bucket-block-public-access.ts | 33 ++++ 9 files changed, 495 insertions(+) create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-block-public-access.js.snapshot/aws-cdk-s3.assets.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-block-public-access.js.snapshot/aws-cdk-s3.template.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-block-public-access.js.snapshot/cdk.out create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-block-public-access.js.snapshot/cdkintegs3bucketblockpublicaccessDefaultTestDeployAssert2B4C2503.assets.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-block-public-access.js.snapshot/cdkintegs3bucketblockpublicaccessDefaultTestDeployAssert2B4C2503.template.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-block-public-access.js.snapshot/integ.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-block-public-access.js.snapshot/manifest.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-block-public-access.js.snapshot/tree.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-block-public-access.ts 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-block-public-access.js.snapshot/aws-cdk-s3.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-block-public-access.js.snapshot/aws-cdk-s3.assets.json new file mode 100644 index 0000000000000..22e5d2ee65a10 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-block-public-access.js.snapshot/aws-cdk-s3.assets.json @@ -0,0 +1,19 @@ +{ + "version": "39.0.0", + "files": { + "c710c83a4c828b1352a3a7f312c8de69a8adeff3ce6e267a649a8e81e6351599": { + "source": { + "path": "aws-cdk-s3.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "c710c83a4c828b1352a3a7f312c8de69a8adeff3ce6e267a649a8e81e6351599.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-block-public-access.js.snapshot/aws-cdk-s3.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-block-public-access.js.snapshot/aws-cdk-s3.template.json new file mode 100644 index 0000000000000..e29da6867b22c --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-block-public-access.js.snapshot/aws-cdk-s3.template.json 
@@ -0,0 +1,69 @@ +{ + "Resources": { + "BucketWithDefaultAccessA1A49454": { + "Type": "AWS::S3::Bucket", + "UpdateReplacePolicy": "Retain", + "DeletionPolicy": "Retain" + }, + "BucketWithExplicitBlockAccess67F3DE07": { + "Type": "AWS::S3::Bucket", + "Properties": { + "PublicAccessBlockConfiguration": { + "BlockPublicAcls": true, + "BlockPublicPolicy": true, + "IgnorePublicAcls": true, + "RestrictPublicBuckets": true + } + }, + "UpdateReplacePolicy": "Retain", + "DeletionPolicy": "Retain" + }, + "BucketWithPartialBlockAccessD49F8A59": { + "Type": "AWS::S3::Bucket", + "Properties": { + "PublicAccessBlockConfiguration": { + "BlockPublicAcls": true, + "BlockPublicPolicy": false, + "IgnorePublicAcls": true, + "RestrictPublicBuckets": false + } + }, + "UpdateReplacePolicy": "Retain", + "DeletionPolicy": "Retain" + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-block-public-access.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-block-public-access.js.snapshot/cdk.out new file mode 100644 index 0000000000000..91e1a8b9901d5 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-block-public-access.js.snapshot/cdk.out @@ -0,0 +1 @@ +{"version":"39.0.0"} \ No newline at end of file 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-block-public-access.js.snapshot/cdkintegs3bucketblockpublicaccessDefaultTestDeployAssert2B4C2503.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-block-public-access.js.snapshot/cdkintegs3bucketblockpublicaccessDefaultTestDeployAssert2B4C2503.assets.json new file mode 100644 index 0000000000000..097fde47f6d19 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-block-public-access.js.snapshot/cdkintegs3bucketblockpublicaccessDefaultTestDeployAssert2B4C2503.assets.json @@ -0,0 +1,19 @@ +{ + "version": "39.0.0", + "files": { + "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { + "source": { + "path": "cdkintegs3bucketblockpublicaccessDefaultTestDeployAssert2B4C2503.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-block-public-access.js.snapshot/cdkintegs3bucketblockpublicaccessDefaultTestDeployAssert2B4C2503.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-block-public-access.js.snapshot/cdkintegs3bucketblockpublicaccessDefaultTestDeployAssert2B4C2503.template.json new file mode 100644 index 0000000000000..ad9d0fb73d1dd --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-block-public-access.js.snapshot/cdkintegs3bucketblockpublicaccessDefaultTestDeployAssert2B4C2503.template.json 
@@ -0,0 +1,36 @@ +{ + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-block-public-access.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-block-public-access.js.snapshot/integ.json new file mode 100644 index 0000000000000..d63a10f9cfe71 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-block-public-access.js.snapshot/integ.json @@ -0,0 +1,12 @@ +{ + "version": "39.0.0", + "testCases": { + "cdk-integ-s3-bucket-block-public-access/DefaultTest": { + "stacks": [ + "aws-cdk-s3" + ], + "assertionStack": "cdk-integ-s3-bucket-block-public-access/DefaultTest/DeployAssert", + "assertionStackName": "cdkintegs3bucketblockpublicaccessDefaultTestDeployAssert2B4C2503" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-block-public-access.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-block-public-access.js.snapshot/manifest.json new file mode 100644 index 0000000000000..163b102fd1a0b --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-block-public-access.js.snapshot/manifest.json 
@@ -0,0 +1,125 @@ +{ + "version": "39.0.0", + "artifacts": { + "aws-cdk-s3.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "aws-cdk-s3.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "aws-cdk-s3": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "aws-cdk-s3.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/c710c83a4c828b1352a3a7f312c8de69a8adeff3ce6e267a649a8e81e6351599.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "aws-cdk-s3.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "aws-cdk-s3.assets" + ], + "metadata": { + "/aws-cdk-s3/BucketWithDefaultAccess/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "BucketWithDefaultAccessA1A49454" + } + ], + "/aws-cdk-s3/BucketWithExplicitBlockAccess/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "BucketWithExplicitBlockAccess67F3DE07" + } + ], + "/aws-cdk-s3/BucketWithPartialBlockAccess/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "BucketWithPartialBlockAccessD49F8A59" + } + ], + "/aws-cdk-s3/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": 
"BootstrapVersion" + } + ], + "/aws-cdk-s3/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "aws-cdk-s3" + }, + "cdkintegs3bucketblockpublicaccessDefaultTestDeployAssert2B4C2503.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "cdkintegs3bucketblockpublicaccessDefaultTestDeployAssert2B4C2503.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "cdkintegs3bucketblockpublicaccessDefaultTestDeployAssert2B4C2503": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "cdkintegs3bucketblockpublicaccessDefaultTestDeployAssert2B4C2503.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "cdkintegs3bucketblockpublicaccessDefaultTestDeployAssert2B4C2503.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "cdkintegs3bucketblockpublicaccessDefaultTestDeployAssert2B4C2503.assets" + ], + "metadata": { + 
"/cdk-integ-s3-bucket-block-public-access/DefaultTest/DeployAssert/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/cdk-integ-s3-bucket-block-public-access/DefaultTest/DeployAssert/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "cdk-integ-s3-bucket-block-public-access/DefaultTest/DeployAssert" + }, + "Tree": { + "type": "cdk:tree", + "properties": { + "file": "tree.json" + } + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-block-public-access.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-block-public-access.js.snapshot/tree.json new file mode 100644 index 0000000000000..312a5c4263eed --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-block-public-access.js.snapshot/tree.json 
@@ -0,0 +1,181 @@ +{ + "version": "tree-0.1", + "tree": { + "id": "App", + "path": "", + "children": { + "aws-cdk-s3": { + "id": "aws-cdk-s3", + "path": "aws-cdk-s3", + "children": { + "BucketWithDefaultAccess": { + "id": "BucketWithDefaultAccess", + "path": "aws-cdk-s3/BucketWithDefaultAccess", + "children": { + "Resource": { + "id": "Resource", + "path": "aws-cdk-s3/BucketWithDefaultAccess/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::S3::Bucket", + "aws:cdk:cloudformation:props": {} + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_s3.CfnBucket", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_s3.Bucket", + "version": "0.0.0" + } + }, + "BucketWithExplicitBlockAccess": { + "id": "BucketWithExplicitBlockAccess", + "path": "aws-cdk-s3/BucketWithExplicitBlockAccess", + "children": { + "Resource": { + "id": "Resource", + "path": "aws-cdk-s3/BucketWithExplicitBlockAccess/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::S3::Bucket", + "aws:cdk:cloudformation:props": { + "publicAccessBlockConfiguration": { + "blockPublicAcls": true, + "blockPublicPolicy": true, + "ignorePublicAcls": true, + "restrictPublicBuckets": true + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_s3.CfnBucket", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_s3.Bucket", + "version": "0.0.0" + } + }, + "BucketWithPartialBlockAccess": { + "id": "BucketWithPartialBlockAccess", + "path": "aws-cdk-s3/BucketWithPartialBlockAccess", + "children": { + "Resource": { + "id": "Resource", + "path": "aws-cdk-s3/BucketWithPartialBlockAccess/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::S3::Bucket", + "aws:cdk:cloudformation:props": { + "publicAccessBlockConfiguration": { + "blockPublicAcls": true, + "blockPublicPolicy": false, + "ignorePublicAcls": true, + "restrictPublicBuckets": false + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_s3.CfnBucket", + 
"version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_s3.Bucket", + "version": "0.0.0" + } + }, + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "aws-cdk-s3/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "aws-cdk-s3/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" + } + }, + "cdk-integ-s3-bucket-block-public-access": { + "id": "cdk-integ-s3-bucket-block-public-access", + "path": "cdk-integ-s3-bucket-block-public-access", + "children": { + "DefaultTest": { + "id": "DefaultTest", + "path": "cdk-integ-s3-bucket-block-public-access/DefaultTest", + "children": { + "Default": { + "id": "Default", + "path": "cdk-integ-s3-bucket-block-public-access/DefaultTest/Default", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.4.2" + } + }, + "DeployAssert": { + "id": "DeployAssert", + "path": "cdk-integ-s3-bucket-block-public-access/DefaultTest/DeployAssert", + "children": { + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "cdk-integ-s3-bucket-block-public-access/DefaultTest/DeployAssert/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "cdk-integ-s3-bucket-block-public-access/DefaultTest/DeployAssert/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTestCase", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTest", + "version": "0.0.0" + } + }, + "Tree": { + "id": 
"Tree", + "path": "Tree", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.4.2" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.App", + "version": "0.0.0" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-block-public-access.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-block-public-access.ts new file mode 100644 index 0000000000000..fafb0563de4bb --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-block-public-access.ts @@ -0,0 +1,33 @@ +#!/usr/bin/env node +import * as cdk from 'aws-cdk-lib'; +import { IntegTest } from '@aws-cdk/integ-tests-alpha'; +import * as s3 from 'aws-cdk-lib/aws-s3'; + +const app = new cdk.App(); + +const stack = new cdk.Stack(app, 'aws-cdk-s3'); + +// Bucket with default setting for `blockPublicAccess` +new s3.Bucket(stack, 'BucketWithDefaultAccess', {}); + +// Bucket with explicit setting for `blockPublicAccess` +new s3.Bucket(stack, 'BucketWithExplicitBlockAccess', { + blockPublicAccess: new s3.BlockPublicAccess({ + blockPublicAcls: true, + ignorePublicAcls: true, + blockPublicPolicy: true, + restrictPublicBuckets: true, + }), +}); + +// Bucket with partial setting for `blockPublicAccess` +new s3.Bucket(stack, 'BucketWithPartialBlockAccess', { + blockPublicAccess: new s3.BlockPublicAccess({ + blockPublicPolicy: false, + restrictPublicBuckets: false, + }), +}); + +new IntegTest(app, 'cdk-integ-s3-bucket-block-public-access', { + testCases: [stack], +}); From 41e1cb0477ae1abcdc5f9cc3fb5be6ad393866a9 Mon Sep 17 00:00:00 2001 
From: Manan Pancholi
Date: Tue, 21 Jan 2025 19:03:27 -0600
Subject: [PATCH 3/7] Add feature flag for the bug fix
---
 .../test/integ.bucket-block-public-access.ts | 7 ++++-
 packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md | 28 +++++++++++++++++--
 packages/aws-cdk-lib/cx-api/README.md | 21 ++++++++++++++
 packages/aws-cdk-lib/cx-api/lib/features.ts | 19 +++++++++++++
 .../recommended-feature-flags.json | 3 +-
 5 files changed, 74 insertions(+), 4 deletions(-)
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-block-public-access.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-block-public-access.ts
index fafb0563de4bb..a0c98686ae190 100644
--- a/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-block-public-access.ts
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-block-public-access.ts
@@ -2,8 +2,13 @@
 import * as cdk from 'aws-cdk-lib';
 import { IntegTest } from '@aws-cdk/integ-tests-alpha';
 import * as s3 from 'aws-cdk-lib/aws-s3';
+import * as cxapi from 'aws-cdk-lib/cx-api';
-const app = new cdk.App();
+const myFeatureFlag = { [cxapi.S3_BUCKET_DEFAULT_BLOCK_PUBLIC_ACCESS_PROPERTIES_TO_TRUE]: true };
+
+const app = new cdk.App({
+ context: myFeatureFlag,
+});
 const stack = new cdk.Stack(app, 'aws-cdk-s3');
diff --git a/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md b/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md
index 955542ef2b803..c8bbda229fc4f 100644
--- a/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md
+++ b/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md
@@ -86,8 +86,9 @@ Flags come in three types: | [@aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource](#aws-cdkaws-route53-targetsuserpooldomainnamemethodwithoutcustomresource) | When enabled, use a new method for DNS Name of user pool domain target without creating a custom resource. | 2.174.0 | (fix) | | [@aws-cdk/aws-ecs:disableEcsImdsBlocking](#aws-cdkaws-ecsdisableecsimdsblocking) | When set to true, CDK synth will throw exception if canContainersAccessInstanceRole is false. **IMPORTANT: See [details.](#aws-cdkaws-ecsdisableEcsImdsBlocking)** | 2.175.0 | (temporary) | | [@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature](#aws-cdkaws-ecsenableimdsblockingdeprecatedfeature) | When set to true along with canContainersAccessInstanceRole=false in ECS cluster, new updated commands will be added to UserData to block container accessing IMDS. **Applicable to Linux only. IMPORTANT: See [details.](#aws-cdkaws-ecsenableImdsBlockingDeprecatedFeature)** | 2.175.0 | (temporary) | -| [@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault](#aws-cdkaws-elasticloadbalancingv2albdualstackwithoutpublicipv4securitygrouprulesdefault) | When enabled, the default security group ingress rules will allow IPv6 ingress from anywhere | V2NEXT | (fix) | +| [@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault](#aws-cdkaws-elasticloadbalancingv2albdualstackwithoutpublicipv4securitygrouprulesdefault) | When enabled, the default security group ingress rules will allow IPv6 ingress from anywhere | 2.176.0 | (fix) | | [@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections](#aws-cdkaws-iamoidcrejectunauthorizedconnections) | When enabled, the default behaviour of OIDC provider will reject unauthorized connections | V2NEXT | (fix) | +| [@aws-cdk/aws-s3:blockPublicAccessPropertiesDefaultToTrue](#aws-cdkaws-s3blockpublicaccesspropertiesdefaulttotrue) | When enabled, the properties of class 
BlockPublicAccess will default to true | V2NEXT | (fix) | @@ -163,7 +164,8 @@ The following json shows the current recommended set of flags, as `cdk init` wou "@aws-cdk/aws-ec2:bastionHostUseAmazonLinux2023ByDefault": true, "@aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource": true, "@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault": true, - "@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections": true + "@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections": true, + "@aws-cdk/aws-s3:blockPublicAccessPropertiesDefaultToTrue": true } } ``` @@ -1670,4 +1672,26 @@ thumbprints from unsecure connections. **Compatibility with old behavior:** Disable the feature flag to allow unsecure OIDC connection. +### @aws-cdk/aws-s3:blockPublicAccessPropertiesDefaultToTrue + +*When enabled, the properties of class BlockPublicAccess will default to true* (fix) + +Without this flag, the 'blockPublicAccess' property has a counter-intuitive and inconsistent behavior. +When the property value is not specified, then all the 4 member properties (blockPublicAcls, +ignorePublicAcls, blockPublicPolicy and restrictPublicBuckets) will default to 'true'. However in +cases where selected properties are explicitly set to false, the remaining properties for which no value +was specified will also default to 'false'. + +Intuitively, if the property is not set explicitly, it must default to 'true'. Enabling this flag will exhibit +this behavior. + + +| Since | Default | Recommended | +| ----- | ----- | ----- | +| (not in v1) | | | +| V2NEXT | `false` | `true` | + +**Compatibility with old behavior:** Disable the feature flag to avoid accidental changes to bucket visibility settings. + + diff --git a/packages/aws-cdk-lib/cx-api/README.md b/packages/aws-cdk-lib/cx-api/README.md index 7c9457aec56f2..023dcf9bc0940 100644 --- a/packages/aws-cdk-lib/cx-api/README.md +++ b/packages/aws-cdk-lib/cx-api/README.md 
@@ -594,3 +594,24 @@ _cdk.json_
 }
 }
 ```
+
+* `@aws-cdk/aws-s3:blockPublicAccessPropertiesDefaultToTrue`
+
+Without this flag, the 'blockPublicAccess' property has a counter-intuitive and inconsistent behavior.
+When the property value is not specified, then all the 4 member properties (blockPublicAcls,
+ignorePublicAcls, blockPublicPolicy and restrictPublicBuckets) will default to 'true'. However in
+cases where selected properties are explicitly set to false, the remaining properties for which no value
+was specified will also default to 'false'.
+
+Intuitively, if the property is not set explicitly, it must default to 'true'. Enabling this flag will exhibit
+this behavior.
+
+_cdk.json_
+
+```json
+{
+ "context": {
+ "@aws-cdk/aws-s3:blockPublicAccessPropertiesDefaultToTrue": true
+ }
+}
+```
diff --git a/packages/aws-cdk-lib/cx-api/lib/features.ts b/packages/aws-cdk-lib/cx-api/lib/features.ts
index 5991642b93bed..7ec22787d4e21 100644
--- a/packages/aws-cdk-lib/cx-api/lib/features.ts
+++ b/packages/aws-cdk-lib/cx-api/lib/features.ts
@@ -122,6 +122,7 @@ export const Enable_IMDS_Blocking_Deprecated_Feature = '@aws-cdk/aws-ecs:enableI
 export const Disable_ECS_IMDS_Blocking = '@aws-cdk/aws-ecs:disableEcsImdsBlocking';
 export const ALB_DUALSTACK_WITHOUT_PUBLIC_IPV4_SECURITY_GROUP_RULES_DEFAULT = '@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault';
 export const IAM_OIDC_REJECT_UNAUTHORIZED_CONNECTIONS = '@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections';
+export const S3_BUCKET_DEFAULT_BLOCK_PUBLIC_ACCESS_PROPERTIES_TO_TRUE = '@aws-cdk/aws-s3:blockPublicAccessPropertiesDefaultToTrue';
 export const FLAGS: Record = {
 //////////////////////////////////////////////////////////////////////
@@ -1371,6 +1372,24 @@ export const FLAGS: Record = {
 recommendedValue: true,
 compatibilityWithOldBehaviorMd: 'Disable the feature flag to allow unsecure OIDC connection.',
 },
+
+ //////////////////////////////////////////////////////////////////////
+ [S3_BUCKET_DEFAULT_BLOCK_PUBLIC_ACCESS_PROPERTIES_TO_TRUE]: {
+ type: FlagType.BugFix,
+ summary: 'When enabled, the properties of class BlockPublicAccess will default to true',
+ detailsMd: `
+ Without this flag, the 'blockPublicAccess' property has a counter-intuitive and inconsistent behavior.
+ When the property value is not specified, then all the 4 member properties (blockPublicAcls,
+ ignorePublicAcls, blockPublicPolicy and restrictPublicBuckets) will default to 'true'. However in
+ cases where selected properties are explicitly set to false, the remaining properties for which no value
+ was specified will also default to 'false'.
+
+ Intuitively, if the property is not set explicitly, it must default to 'true'. Enabling this flag will exhibit
+ this behavior.`,
+ introducedIn: { v2: 'V2NEXT' },
+ recommendedValue: true,
+ compatibilityWithOldBehaviorMd: 'Disable the feature flag to avoid accidental changes to bucket visibility settings.',
+ },
 };
 const CURRENT_MV = 'v2';
diff --git a/packages/aws-cdk-lib/recommended-feature-flags.json b/packages/aws-cdk-lib/recommended-feature-flags.json
index 4e9774c6af5e5..2e81457afd6c5 100644
--- a/packages/aws-cdk-lib/recommended-feature-flags.json
+++ b/packages/aws-cdk-lib/recommended-feature-flags.json
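Review bot: `detailsMd` claims that when `blockPublicAccess` is not specified all four members default to `true`, but the template snapshot added in patch 2 shows `BucketWithDefaultAccessA1A49454` synthesized with no `PublicAccessBlockConfiguration` at all, so nothing in this code sets them in that case and the sentence describes behavior outside the class. Suggest replacing the first two sentences with `Without this flag, members of \`BlockPublicAccess\` that are left unspecified default to \`false\`, so a partial configuration such as \`{ blockPublicPolicy: false }\` silently leaves the other three guards off.` and keeping the rest. Because `recommendedValue: true` places this flag in every new project's cdk.json, the entry should also state plainly that enabling it only tightens access (an unspecified member becomes `true`, never the reverse), which is what makes the recommendation safe to apply. The same wording appears in the FEATURE_FLAGS.md and README.md hunks of this patch and should be corrected there too.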
@@ -63,5 +63,6 @@ "@aws-cdk/aws-ec2:bastionHostUseAmazonLinux2023ByDefault": true, "@aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource": true, "@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault": true, - "@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections": true + "@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections": true, + "@aws-cdk/aws-s3:blockPublicAccessPropertiesDefaultToTrue": true } \ No newline at end of file From 74287fe07c3e7576779fe6945f3ce00668a011f6 Mon Sep 17 00:00:00 2001 From: Manan Pancholi Date: Wed, 22 Jan 2025 10:41:24 -0600 Subject: [PATCH 4/7] Update packages/aws-cdk-lib/cx-api/lib/features.ts Thanks for the suggestion. Co-authored-by: Luca Pizzini --- packages/aws-cdk-lib/cx-api/lib/features.ts | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/packages/aws-cdk-lib/cx-api/lib/features.ts b/packages/aws-cdk-lib/cx-api/lib/features.ts index 7ec22787d4e21..a1e41190984e5 100644 --- a/packages/aws-cdk-lib/cx-api/lib/features.ts +++ b/packages/aws-cdk-lib/cx-api/lib/features.ts 
@@ -1378,13 +1378,13 @@ export const FLAGS: Record = { type: FlagType.BugFix, summary: 'When enabled, the properties of class BlockPublicAccess will default to true', detailsMd: ` - Without this flag, the 'blockPublicAccess' property has a counter-intuitive and inconsistent behavior. - When the property value is not specified, then all the 4 member properties (blockPublicAcls, - ignorePublicAcls, blockPublicPolicy and restrictPublicBuckets) will default to 'true'. However in - cases where selected properties are explicitly set to false, the remaining properties for which no value - was specified will also default to 'false'. + Without this flag, the \`blockPublicAccess\` property has a counter-intuitive and inconsistent behavior. + When the property value is not specified, then all the 4 member properties (\`blockPublicAcls\`, + \`ignorePublicAcls\`, \`blockPublicPolicy\` and \`restrictPublicBuckets\`) will default to \`true\`. However, in + cases where selected properties are explicitly set to \`false\`, the remaining properties for which no value + was specified will also default to \`false\`. - Intuitively, if the property is not set explicitly, it must default to 'true'. Enabling this flag will exhibit + Intuitively, if the property is not set explicitly, it must default to \`true\`. Enabling this flag will exhibit this behavior.`, introducedIn: { v2: 'V2NEXT' }, recommendedValue: true, From c42e87ef6a2920c8691526c006832dd3b94d15fb Mon Sep 17 00:00:00 2001 From: Manan Pancholi Date: Wed, 22 Jan 2025 10:41:47 -0600 Subject: [PATCH 5/7] Update packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md Co-authored-by: Luca Pizzini --- packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md b/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md index c8bbda229fc4f..d77a2560e32ad 100644 --- a/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md 
+++ b/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md @@ -1674,15 +1674,15 @@ thumbprints from unsecure connections. ### @aws-cdk/aws-s3:blockPublicAccessPropertiesDefaultToTrue -*When enabled, the properties of class BlockPublicAccess will default to true* (fix) +*When enabled, the properties of class `BlockPublicAccess` will default to `true`* (fix) -Without this flag, the 'blockPublicAccess' property has a counter-intuitive and inconsistent behavior. -When the property value is not specified, then all the 4 member properties (blockPublicAcls, -ignorePublicAcls, blockPublicPolicy and restrictPublicBuckets) will default to 'true'. However in -cases where selected properties are explicitly set to false, the remaining properties for which no value -was specified will also default to 'false'. +Without this flag, the `blockPublicAccess` property has a counter-intuitive and inconsistent behavior. +When the property value is not specified, then all the 4 member properties (`blockPublicAcls`, +`ignorePublicAcls`, `blockPublicPolicy` and `restrictPublicBuckets`) will default to `true`. However, in +cases where selected properties are explicitly set to `false`, the remaining properties for which no value +was specified will also default to `false`. -Intuitively, if the property is not set explicitly, it must default to 'true'. Enabling this flag will exhibit +Intuitively, if the property is not set explicitly, it must default to `true`. Enabling this flag will exhibit this behavior. From 33d386fab5a54bb5e8aa93ea9bbed095981e2c06 Mon Sep 17 00:00:00 2001 From: Manan Pancholi Date: Wed, 22 Jan 2025 10:43:18 -0600 Subject: [PATCH 6/7] Update packages/aws-cdk-lib/cx-api/README.md Co-authored-by: Luca Pizzini --- packages/aws-cdk-lib/cx-api/README.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/packages/aws-cdk-lib/cx-api/README.md b/packages/aws-cdk-lib/cx-api/README.md index 023dcf9bc0940..e18913ea03e41 100644 
--- a/packages/aws-cdk-lib/cx-api/README.md +++ b/packages/aws-cdk-lib/cx-api/README.md @@ -597,13 +597,13 @@ _cdk.json_ * `@aws-cdk/aws-s3:blockPublicAccessPropertiesDefaultToTrue` -Without this flag, the 'blockPublicAccess' property has a counter-intuitive and inconsistent behavior. -When the property value is not specified, then all the 4 member properties (blockPublicAcls, -ignorePublicAcls, blockPublicPolicy and restrictPublicBuckets) will default to 'true'. However in -cases where selected properties are explicitly set to false, the remaining properties for which no value -was specified will also default to 'false'. +Without this flag, the `blockPublicAccess` property has a counter-intuitive and inconsistent behavior. +When the property value is not specified, then all the 4 member properties (`blockPublicAcls`, +`ignorePublicAcls`, `blockPublicPolicy` and `restrictPublicBuckets`) will default to `true`. However, in +cases where selected properties are explicitly set to `false`, the remaining properties for which no value +was specified will also default to `false`. -Intuitively, if the property is not set explicitly, it must default to 'true'. Enabling this flag will exhibit +Intuitively, if the property is not set explicitly, it must default to `true`. Enabling this flag will exhibit this behavior. _cdk.json_ From 25436a43ff6427ee4a9cdd9c07d1fa0555493395 Mon Sep 17 00:00:00 2001 From: Manan Pancholi Date: Thu, 6 Feb 2025 19:28:25 +0530 Subject: [PATCH 7/7] Enable feature flagging based on @gracelu0's suggestion --- packages/aws-cdk-lib/aws-s3/lib/bucket.ts | 14 ++++++++++---- packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md | 8 +++++--- packages/aws-cdk-lib/cx-api/lib/features.ts | 3 +-- 3 files changed, 16 insertions(+), 9 deletions(-) diff --git a/packages/aws-cdk-lib/aws-s3/lib/bucket.ts b/packages/aws-cdk-lib/aws-s3/lib/bucket.ts index 122cdff2e2ca5..f0cb6a7d53335 100644 --- a/packages/aws-cdk-lib/aws-s3/lib/bucket.ts 
+++ b/packages/aws-cdk-lib/aws-s3/lib/bucket.ts
@@ -35,6 +35,7 @@ import * as regionInformation from '../../region-info';
 const AUTO_DELETE_OBJECTS_RESOURCE_TYPE = 'Custom::S3AutoDeleteObjects';
 const AUTO_DELETE_OBJECTS_TAG = 'aws-cdk:auto-delete-objects';
+var s3BucketDefaultBlockPublicAccessPropertiesToTrueFeatureFlag: boolean = false;
 export interface IBucket extends IResource {
 /**
@@ -1094,10 +1095,11 @@ export class BlockPublicAccess {
 public restrictPublicBuckets: boolean | undefined;
 constructor(options: BlockPublicAccessOptions) {
- this.blockPublicAcls = options.blockPublicAcls ?? true;
- this.blockPublicPolicy = options.blockPublicPolicy ?? true;
- this.ignorePublicAcls = options.ignorePublicAcls ?? true;
- this.restrictPublicBuckets = options.restrictPublicBuckets ?? true;
+ const defaultToTrue = s3BucketDefaultBlockPublicAccessPropertiesToTrueFeatureFlag;
+ this.blockPublicAcls = defaultToTrue ? options.blockPublicAcls ?? true : options.blockPublicAcls;
+ this.blockPublicPolicy = defaultToTrue ? options.blockPublicPolicy ?? true : options.blockPublicPolicy;
+ this.ignorePublicAcls = defaultToTrue ? options.ignorePublicAcls ?? true : options.ignorePublicAcls;
+ this.restrictPublicBuckets = defaultToTrue ? options.restrictPublicBuckets ?? true : options.restrictPublicBuckets;
 }
 }
@@ -2188,6 +2190,10 @@ export class Bucket extends BucketBase {
 // Enhanced CDK Analytics Telemetry
 addConstructMetadata(this, props);
+ // Set the S3_BUCKET_DEFAULT_BLOCK_PUBLIC_ACCESS_PROPERTIES_TO_TRUE feature flag
+ s3BucketDefaultBlockPublicAccessPropertiesToTrueFeatureFlag = FeatureFlags.of(this)
+ .isEnabled(cxapi.S3_BUCKET_DEFAULT_BLOCK_PUBLIC_ACCESS_PROPERTIES_TO_TRUE) ?? false;
+
 this.notificationsHandlerRole = props.notificationsHandlerRole;
 this.notificationsSkipDestinationValidation = props.notificationsSkipDestinationValidation;
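Review bot: The module-level `var s3BucketDefaultBlockPublicAccessPropertiesToTrueFeatureFlag` (first hunk) is assigned in the `Bucket` constructor (third hunk) but consumed in the `BlockPublicAccess` constructor (second hunk), which runs earlier: in `new Bucket(stack, id, { blockPublicAccess: new BlockPublicAccess({ ... }) })` the options object, and with it the `BlockPublicAccess` instance, is evaluated before the `Bucket` constructor body executes. The first bucket in a process therefore always gets the legacy behaviour, later buckets inherit whatever value the previously constructed bucket's scope produced, and the value leaks across stacks and apps in the same process (including test runs), so a bucket's `PublicAccessBlockConfiguration` depends on construction order rather than on its own context. Evaluate the flag where the scope is at hand instead — in `Bucket`, at the point `props.blockPublicAccess` is rendered — and leave `BlockPublicAccess` storing the options as given: `const defaultToTrue = FeatureFlags.of(this).isEnabled(cxapi.S3_BUCKET_DEFAULT_BLOCK_PUBLIC_ACCESS_PROPERTIES_TO_TRUE) ?? false;` followed by `const fill = (v: boolean | undefined) => (defaultToTrue ? v ?? true : v);` applied to the four members. If a shared binding is nevertheless kept, `let` rather than `var` is the expected form in this file. Both the `Bucket` constructor and the code that renders `PublicAccessBlockConfiguration` continue outside these hunks.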
diff --git a/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md b/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md index 9a3771d8856e5..80a61e6282eac 100644 --- a/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md +++ b/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md @@ -1682,15 +1682,17 @@ When this feature flag is enabled, CDK expands the scope of usage data collectio * L2 construct property keys - Collect which property keys you use from the L2 constructs in your app. This includes property keys nested in dictionary objects. * L2 construct property values of BOOL and ENUM types - Collect property key values of only BOOL and ENUM types. All other types, such as string values or construct references will be redacted. * L2 construct method usage - Collection method name, parameter keys and parameter values of BOOL and ENUM type. - + + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.178.0 | `false` | `true` | - + + ### @aws-cdk/aws-s3:blockPublicAccessPropertiesDefaultToTrue -*When enabled, the properties of class `BlockPublicAccess` will default to `true`* (fix) +*When enabled, the properties of class BlockPublicAccess will default to true* (fix) Without this flag, the `blockPublicAccess` property has a counter-intuitive and inconsistent behavior. When the property value is not specified, then all the 4 member properties (`blockPublicAcls`, diff --git a/packages/aws-cdk-lib/cx-api/lib/features.ts b/packages/aws-cdk-lib/cx-api/lib/features.ts index cd9dd65f6e297..5f14be67cc0a8 100644 --- a/packages/aws-cdk-lib/cx-api/lib/features.ts +++ b/packages/aws-cdk-lib/cx-api/lib/features.ts @@ -1387,8 +1387,7 @@ export const FLAGS: Record = { introducedIn: { v2: '2.178.0' }, recommendedValue: true, }, - - + ////////////////////////////////////////////////////////////////////// [S3_BUCKET_DEFAULT_BLOCK_PUBLIC_ACCESS_PROPERTIES_TO_TRUE]: { type: FlagType.BugFix,