Describe the bug
When creating an S3 bucket using CDK’s Bucket construct, CDK automatically creates a Lambda (BucketNotificationsHandler) and attaches a default IAM policy:
{ "Action": "s3:PutBucketNotification", "Effect": "Allow", "Resource": "*" }
This policy uses a wildcard (*) for the Resource instead of restricting it to the specific bucket ARN.
The code snippet is here.
```typescript
import { RemovalPolicy, Stack } from 'aws-cdk-lib';
import { BlockPublicAccess, Bucket, BucketEncryption } from 'aws-cdk-lib/aws-s3';

export class TestBucketExample extends Bucket {
  constructor(stack: Stack) {
    const bucketName = 'test-input';
    super(stack, 'TestBucketExample', {
      blockPublicAccess: BlockPublicAccess.BLOCK_ALL,
      encryption: BucketEncryption.S3_MANAGED,
      enforceSSL: true,
      bucketName,
      removalPolicy: RemovalPolicy.RETAIN,
      autoDeleteObjects: false,
      versioned: false,
      // enabling EventBridge notifications is what makes CDK add the BucketNotificationsHandler
      eventBridgeEnabled: true
    });
  }
}
```
Regression Issue
Last Known Working CDK Library Version
No response
Expected Behavior
The IAM policy should restrict the resource to only the bucket ARN instead of "*" for improved security.
Current Behavior
When you deploy the TestBucketExample construct:
CDK automatically creates a Lambda named something like BucketNotificationsHandler… to handle S3 notifications.
CDK attaches a default IAM policy to this Lambda:
{
"Action": "s3:PutBucketNotification",
"Effect": "Allow",
"Resource": "*"
}
The Resource is a wildcard *, meaning the Lambda could potentially modify notifications for any S3 bucket in the account.
This happens even though you are only using this Lambda for a specific bucket (test-input).
There is currently no CDK option to restrict this policy to the specific bucket ARN.
Reproduction Steps
Steps to reproduce the behavior:
- Deploy the above CDK construct.
- Check the generated CloudFormation template or IAM policies.
- Observe the BucketNotificationsHandlerDefaultPolicy using `"Resource": "*"`.
Possible Solution
No response
Additional Information/Context
No response
AWS CDK Library version (aws-cdk-lib)
2.201.0
AWS CDK CLI version
2.1018.1
Node.js Version
22.16.0
OS
Windows 11
Language
TypeScript
Language Version
4.5.0
Other information
No response
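As an added check for the reproduction steps above (this is not code from the issue or from aws-cdk-lib), the following TypeScript scans a synthesized CloudFormation template for IAM statements that allow `s3:PutBucketNotification` (directly or through an action wildcard such as `s3:*`) on `Resource: "*"`. The embedded template is constructed to mirror the report, with one wildcard default policy and one policy scoped to the bucket ARN for contrast; its logical IDs are made up and are not what CDK generates.

```typescript
// Added example: detect wildcard-resource grants of s3:PutBucketNotification in a
// synthesized CloudFormation template. Feed it cdk.out/<Stack>.template.json after
// `cdk synth`; the SAMPLE_TEMPLATE below is constructed, not real synth output.

type PolicyStatement = {
  Effect: string;
  Action: string | string[];
  Resource: unknown; // string, string[], or an intrinsic such as { "Fn::GetAtt": [...] }
};

type Finding = { logicalId: string; statementIndex: number; matchedActions: string[] };

function asArray<T>(v: T | T[] | undefined): T[] {
  if (v === undefined) return [];
  return Array.isArray(v) ? v : [v];
}

// IAM action patterns are case-insensitive globs: "*" matches any run, "?" one character.
function actionMatches(pattern: string, action: string): boolean {
  const re = pattern
    .split('')
    .map(ch => (ch === '*' ? '.*' : ch === '?' ? '.' : ch.replace(/[.+^${}()|[\]\\]/g, '\\$&')))
    .join('');
  return new RegExp('^' + re + '$', 'i').test(action);
}

// Policy documents attached via AWS::IAM::Policy or inline on an AWS::IAM::Role.
function policyDocuments(resource: any): any[] {
  const docs: any[] = [];
  if (resource.Type === 'AWS::IAM::Policy' && resource.Properties?.PolicyDocument) {
    docs.push(resource.Properties.PolicyDocument);
  }
  if (resource.Type === 'AWS::IAM::Role') {
    for (const p of resource.Properties?.Policies ?? []) docs.push(p.PolicyDocument);
  }
  return docs;
}

function findWildcardGrants(template: any, action = 's3:PutBucketNotification'): Finding[] {
  const findings: Finding[] = [];
  const resources = template.Resources ?? {};
  for (const logicalId of Object.keys(resources)) {
    for (const doc of policyDocuments(resources[logicalId])) {
      asArray<PolicyStatement>(doc.Statement).forEach((stmt, i) => {
        if (stmt.Effect !== 'Allow') return;
        const matched = asArray(stmt.Action).filter(a => actionMatches(a, action));
        // "*" as the Resource (alone or in a list) is the finding; a bucket ARN or an
        // intrinsic pointing at the bucket is the scoping the report asks for.
        const wildcard = asArray(stmt.Resource as any).some(r => r === '*');
        if (matched.length > 0 && wildcard) {
          findings.push({ logicalId, statementIndex: i, matchedActions: matched });
        }
      });
    }
  }
  return findings;
}

// Constructed sample shaped like the report; logical IDs are invented for illustration.
const SAMPLE_TEMPLATE = {
  Resources: {
    BucketNotificationsHandlerRole: {
      Type: 'AWS::IAM::Role',
      Properties: { AssumeRolePolicyDocument: { Statement: [] }, Policies: [] },
    },
    BucketNotificationsHandlerRoleDefaultPolicy: {
      Type: 'AWS::IAM::Policy',
      Properties: {
        PolicyDocument: {
          Statement: [{ Action: 's3:PutBucketNotification', Effect: 'Allow', Resource: '*' }],
          Version: '2012-10-17',
        },
        Roles: [{ Ref: 'BucketNotificationsHandlerRole' }],
      },
    },
    ScopedNotificationPolicy: {
      Type: 'AWS::IAM::Policy',
      Properties: {
        PolicyDocument: {
          Statement: [{
            Action: ['s3:PutBucketNotification', 's3:GetBucketNotification'],
            Effect: 'Allow',
            Resource: { 'Fn::GetAtt': ['TestBucketExample', 'Arn'] },
          }],
          Version: '2012-10-17',
        },
        Roles: [{ Ref: 'BucketNotificationsHandlerRole' }],
      },
    },
  },
};

console.log(JSON.stringify(findWildcardGrants(SAMPLE_TEMPLATE), null, 2));
```

Only the wildcard default policy is reported; the statement scoped with `Fn::GetAtt` on the bucket passes, which is the shape the expected behavior above describes. Replace `SAMPLE_TEMPLATE` with the parsed `cdk.out/<Stack>.template.json` to run the same check against a real synth.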