fix(ses-actions): condition should use SourceAccount

[Lilja]

Issue

#29811

Reason for this change

Restricts the SES to come through the SourceAccount in question.

This will change does not affect bucket policy and ses rule action race condition, reported in #30143 and introduced in #29833 and reverted in #30375. That PR introduced the rule set name into the bucket policy, which added a dependency to the policy to the rule set(while the rule set requires that the policy is created first). Doing this change made a circular dependency between the two resources.

Description of changes

Simply use SourceAccount instead of Referer.

Describe any new or updated permissions being added

n/a

Description of how you validated changes

n/a

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

(This review is outdated)

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 84.00%. Comparing base (74cbe27) to head (445af73).
Report is 34 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #34081      +/-   ##
==========================================
+ Coverage   83.98%   84.00%   +0.01%     
==========================================
  Files         120      121       +1     
  Lines        6976     6984       +8     
  Branches     1178     1179       +1     
==========================================
+ Hits         5859     5867       +8     
  Misses       1005     1005              
  Partials      112      112              

Flag	Coverage Δ
suite.unit	84.00% <ø> (+0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
packages/aws-cdk	∅ <ø> (∅)
packages/aws-cdk-lib/core	84.00% <ø> (+0.01%)	⬆️

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Lilja-at-funnel]

Clarification Request please update your assessment

[QuantumNeuralCoder]

Breaking change!

[QuantumNeuralCoder]

Breaking change!

[QuantumNeuralCoder]

Breaking change! Can you please help us understand this? is the Referer deprecated now?
We do not allow breaking changes in stable modules unless its a changed necessitated by the underlying service.

[Lilja]

I would argue that the existing Referer header is a bug and it should use the SourceAccount property instead. We have an ongoing confused deputy problem because of this and I'm sure the correct behaviour would be to use the SourceAccount property.

Also, if you take a look at the changes made in https://github.com/aws/aws-cdk/pull/29833/files#diff-824a0448a198a71c623bc8daaae829a1cd482701129ebd395fca0ee665e96ffaR102-R112, it was merged without any consideration that it would be a breaking change.

[QuantumNeuralCoder]

Makes sense. Can you add a section to the README with a couple of lines explaining this.

[QuantumNeuralCoder]

LGTM. Ship it.

[QuantumNeuralCoder]

@Mergifyio requeue

[mergify]

requeue

✅ The queue state of this pull request has been cleaned. It can be re-embarked automatically

[Lilja]

Hi @paulhcsun, any reason for this pull request not to be merged? (Judging by the label assigned to this PR)

[samson-keung]

Hi @paulhcsun, any reason for this pull request not to be merged? (Judging by the label assigned to this PR)

Hi @Lilja, it was because we wanted to evaluate if this change will break existing CDK applications. After some research, I guess at some point in the past, some SES example code out there uses aws:Referer (e.g. I found aws/serverless-application-model#1037 mentioning that). From my testing, both aws:Referer and aws:SourceAccount will work, meaning SES is able to put objects into the bucket. It seems to be me the value for these 2 keys are always the same. This leads me to the following question:

You mentioned that you are experiencing the confused deputy problem and this change will fix it. Do you mind explaining further in what scenario you believe the confused deputy problem will occur? I suspect we may need to look into adding the aws: SourceArn to solve your problem completely.
[Note: I wanted to ask to make sure your problem is solved. This is not a blocker to merging this PR and I will ensure we merge this PR while I look forward to your response]

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[aws-cdk-automation]

This PR has been in the CHANGES REQUESTED state for 3 weeks, and looks abandoned. Note that PRs with failing linting check or builds are not reviewed, please ensure your build is passing

To prevent automatic closure:

• Resume work on the PR
• OR request an exemption by adding a comment containing 'Exemption Request' with justification e.x "Exemption Request: "
• OR request clarification by adding a comment containing 'Clarification Request' with a question e.x "Clarification Request: "

This PR will automatically close in 14 days if no action is taken.

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: 0cb5d7c
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.