diff --git a/packages/static-website/src/index.ts b/packages/static-website/src/index.ts
index b02214c9f..d0c7653d8 100644
--- a/packages/static-website/src/index.ts
+++ b/packages/static-website/src/index.ts
@@ -4,3 +4,4 @@ export * from "./cloudfront-web-acl";
 export * from "./static-website";
 export * from "./bucket-deployment-props";
 export * from "./distribution-props";
+export * from "./lazy-token-renderer";
diff --git a/packages/static-website/src/lazy-token-renderer.ts b/packages/static-website/src/lazy-token-renderer.ts
new file mode 100644
index 000000000..ee90483a8
--- /dev/null
+++ b/packages/static-website/src/lazy-token-renderer.ts
@@ -0,0 +1,33 @@
+/*! Copyright [Amazon.com](http://amazon.com/), Inc. or its affiliates. All Rights Reserved.
+SPDX-License-Identifier: Apache-2.0 */
+import { CfnJson, Lazy, Token } from "aws-cdk-lib";
+import { Construct } from "constructs";
+
+const isUnresolved = (value: any) =>
+ Token.isUnresolved(value) ||
+ (typeof value === "string" && value.endsWith("}}"));
+
+const resolveTokens = (scope: Construct, payload: any) => {
+ const _runtimeConfig: Record = {};
+
+ Object.entries(payload).forEach(([key, value]) => {
+ if (isUnresolved(value)) {
+ _runtimeConfig[key] = new CfnJson(scope, `runtimeConfig-${key}`, {
+ value,
+ }).value;
+ } else if (typeof value === "object") {
+ _runtimeConfig[key] = resolveTokens(scope, value);
+ } else if (Array.isArray(value)) {
+ _runtimeConfig[key] = value.map((v) => resolveTokens(scope, v));
+ } else {
+ _runtimeConfig[key] = value;
+ }
+ });
+
+ return _runtimeConfig;
+};
+
+export const lazilyRender = (scope: Construct, payload: any) =>
+ Lazy.any({
+ produce: () => resolveTokens(scope, payload),
+ });
diff --git a/packages/static-website/src/static-website.ts b/packages/static-website/src/static-website.ts
index 62735585e..2da44aa54 100644
--- a/packages/static-website/src/static-website.ts
+++ b/packages/static-website/src/static-website.ts
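Review bot: In resolveTokens the `typeof value === "object"` branch is tested before `Array.isArray(value)`, so the array branch is unreachable — arrays are fed to `Object.entries` and come back as index-keyed objects, and a `null` value makes `Object.entries(null)` throw during synthesis. The CfnJson id `runtimeConfig-${key}` is also only unique per key name, so the same key at two nesting levels (or in two array elements) collides inside `scope` and CDK rejects the duplicate construct id. `const _runtimeConfig: Record = {}` appears here without type arguments, which does not compile unless that is an extraction artifact of this page. The rewrite below checks arrays and null first and derives the CfnJson id from the full key path; the `endsWith("}}")` heuristic in isUnresolved deserves a one-line comment naming the template syntax it is meant to catch, since any user string ending in `}}` is routed through CfnJson.
```typescript
// … unchanged: isUnresolved …

const resolveTokens = (
  scope: Construct,
  payload: object,
  idPrefix = "runtimeConfig"
): Record<string, unknown> => {
  const _runtimeConfig: Record<string, unknown> = {};

  Object.entries(payload).forEach(([key, value]) => {
    // The id carries the full key path so a repeated key name at another
    // depth (or array index) cannot collide with this one inside `scope`.
    const id = `${idPrefix}-${key}`;
    if (isUnresolved(value)) {
      _runtimeConfig[key] = new CfnJson(scope, id, { value }).value;
    } else if (Array.isArray(value)) {
      // Arrays are objects too, so this must run before the object branch;
      // Object.values restores array order from the index-keyed result.
      _runtimeConfig[key] = Object.values(resolveTokens(scope, value, id));
    } else if (typeof value === "object" && value !== null) {
      _runtimeConfig[key] = resolveTokens(scope, value, id);
    } else {
      _runtimeConfig[key] = value;
    }
  });

  return _runtimeConfig;
};

// … unchanged: lazilyRender …
```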
@@ -5,13 +5,11 @@ import { CfnOutput, RemovalPolicy, Stack } from "aws-cdk-lib";
 import {
 Distribution,
 IOrigin,
- OriginAccessIdentity,
 OriginBindConfig,
 OriginBindOptions,
 ViewerProtocolPolicy,
 } from "aws-cdk-lib/aws-cloudfront";
-import { S3Origin } from "aws-cdk-lib/aws-cloudfront-origins";
-import { PolicyStatement } from "aws-cdk-lib/aws-iam";
+import { S3BucketOrigin } from "aws-cdk-lib/aws-cloudfront-origins";
 import { Key } from "aws-cdk-lib/aws-kms";
 import {
 BlockPublicAccess,
@@ -26,6 +24,7 @@ import { Construct } from "constructs";
 import { BucketDeploymentProps } from "./bucket-deployment-props";
 import { CloudfrontWebAcl, CloudFrontWebAclProps } from "./cloudfront-web-acl";
 import { DistributionProps } from "./distribution-props";
+import { lazilyRender } from "./lazy-token-renderer";
 
 const DEFAULT_RUNTIME_CONFIG_FILENAME = "runtime-config.json";
 
@@ -196,18 +195,6 @@ export class StaticWebsite extends Construct {
 serverAccessLogsBucket: accessLogsBucket,
 });
 
- const originAccessIdentity = new OriginAccessIdentity(
- this,
- "OriginAccessIdentity"
- );
- this.websiteBucket.addToResourcePolicy(
- new PolicyStatement({
- resources: [this.websiteBucket.bucketArn],
- actions: ["s3:ListBucket"],
- principals: [originAccessIdentity.grantPrincipal],
- })
- );
-
 const defaultRootObject =
 distributionProps?.defaultRootObject ?? "index.html";
 this.cloudFrontDistribution = new Distribution(
@@ -220,9 +207,7 @@ export class StaticWebsite extends Construct {
 logBucket: logBucket,
 defaultBehavior: {
 ...distributionProps?.defaultBehavior,
- origin: new S3Origin(this.websiteBucket, {
- originAccessIdentity,
- }),
+ origin: S3BucketOrigin.withOriginAccessControl(this.websiteBucket),
 viewerProtocolPolicy: ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
 },
 defaultRootObject,
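Review bot: The `@@ -196` hunk removes the `s3:ListBucket` statement along with the OAI, and the `@@ -220` hunk's `S3BucketOrigin.withOriginAccessControl` replacement only grants `s3:GetObject` to `cloudfront.amazonaws.com` (the snapshot hunks show exactly that statement, conditioned on the distribution's `AWS:SourceArn`), so a request for a missing key now comes back from S3 as 403 instead of 404. If the distribution's error responses or SPA fallback routing depend on seeing 404 (the `errorResponses` wiring is outside this hunk, so I cannot confirm), that behaviour silently changes with this commit. The equivalent grant under OAC is a ListBucket statement for the CloudFront service principal scoped to this distribution's ARN, added after `this.cloudFrontDistribution` is constructed; it needs `PolicyStatement`/`ServicePrincipal` from `aws-cdk-lib/aws-iam`, which the `@@ -5` hunk drops. The enclosing constructor continues outside these hunks.
```typescript
// … unchanged: this.cloudFrontDistribution = new Distribution(...) …

// OAC's generated bucket policy grants only s3:GetObject, under which S3
// answers a missing key with 403. Granting ListBucket to this distribution
// alone (same SourceArn condition) keeps missing objects reported as 404.
this.websiteBucket.addToResourcePolicy(
  new PolicyStatement({
    actions: ["s3:ListBucket"],
    resources: [this.websiteBucket.bucketArn],
    principals: [new ServicePrincipal("cloudfront.amazonaws.com")],
    conditions: {
      StringEquals: {
        "AWS:SourceArn": Stack.of(this).formatArn({
          service: "cloudfront",
          region: "",
          resource: "distribution",
          resourceName: this.cloudFrontDistribution.distributionId,
        }),
      },
    },
  })
);
```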
@@ -246,7 +231,7 @@ export class StaticWebsite extends Construct { Source.jsonData( props.runtimeOptions?.jsonFileName || DEFAULT_RUNTIME_CONFIG_FILENAME, - props.runtimeOptions?.jsonPayload + lazilyRender(this, props.runtimeOptions.jsonPayload) ), ] : []), diff --git a/packages/static-website/test/__snapshots__/static-website.test.ts.snap b/packages/static-website/test/__snapshots__/static-website.test.ts.snap index ef497dda7..f2fc644d6 100644 --- a/packages/static-website/test/__snapshots__/static-website.test.ts.snap +++ b/packages/static-website/test/__snapshots__/static-website.test.ts.snap @@ -883,18 +883,14 @@ exports[`Static Website Unit Tests Defaults - Nested 1`] = ` ], }, "Id": "NestedStackDefaultsCloudfrontDistributionOrigin1D3B56211", + "OriginAccessControlId": { + "Fn::GetAtt": [ + "DefaultsCloudfrontDistributionOrigin1S3OriginAccessControl6814E8FF", + "Id", + ], + }, "S3OriginConfig": { - "OriginAccessIdentity": { - "Fn::Join": [ - "", - [ - "origin-access-identity/cloudfront/", - { - "Ref": "DefaultsOriginAccessIdentity7F5D47DF", - }, - ], - ], - }, + "OriginAccessIdentity": "", }, }, ], 
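Review bot: The replaced line drops the optional chaining that the previous line (`props.runtimeOptions?.jsonFileName`) still uses, so `props.runtimeOptions.jsonPayload` reads as a non-optional access; this is presumably safe only because the surrounding `] : [])` suggests the spread is guarded on `props.runtimeOptions`, which is outside the hunk. More importantly, if `jsonPayload` itself is optional, `lazilyRender` now captures `undefined` and `Object.entries(undefined)` throws inside `Lazy.any`'s `produce` at synthesis time, where the old code merely handed `undefined` to `Source.jsonData`. A one-line default avoids that: `lazilyRender(this, props.runtimeOptions.jsonPayload ?? {})`. The enclosing `Source.jsonData` call and its containing expression start outside the hunk.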
@@ -908,6 +904,81 @@ exports[`Static Website Unit Tests Defaults - Nested 1`] = ` }, "Type": "AWS::CloudFront::Distribution", }, + "DefaultsCloudfrontDistributionOrigin1S3OriginAccessControl6814E8FF": { + "Metadata": { + "cdk_nag": { + "rules_to_suppress": [ + { + "id": "AwsSolutions-L1", + "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", + }, + { + "id": "AwsPrototyping-LambdaLatestVersion", + "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", + }, + { + "applies_to": [ + { + "regex": "/^Action::s3:.*$/g", + }, + { + "regex": "/^Resource::.*$/g", + }, + ], + "id": "AwsSolutions-IAM5", + "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", + }, + { + "applies_to": [ + { + "regex": "/^Action::s3:.*$/g", + }, + { + "regex": "/^Resource::.*$/g", + }, + ], + "id": "AwsPrototyping-IAMNoWildcardPermissions", + "reason": "All Policies have been scoped to a Bucket. 
Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", + }, + { + "applies_to": [ + { + "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", + }, + ], + "id": "AwsSolutions-IAM4", + "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", + }, + { + "applies_to": [ + { + "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", + }, + ], + "id": "AwsPrototyping-IAMNoManagedPolicies", + "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", + }, + { + "id": "AwsSolutions-S1", + "reason": "Access Log buckets should not have s3 bucket logging", + }, + { + "id": "AwsPrototyping-S3BucketLoggingEnabled", + "reason": "Access Log buckets should not have s3 bucket logging", + }, + ], + }, + }, + "Properties": { + "OriginAccessControlConfig": { + "Name": "NestedStackDefaultsCloudfronOrigin1S3OriginAccessControl48785B6C", + "OriginAccessControlOriginType": "s3", + "SigningBehavior": "always", + "SigningProtocol": "sigv4", + }, + }, + "Type": "AWS::CloudFront::OriginAccessControl", + }, "DefaultsDistributionLogBucket7EA741E2": { "DeletionPolicy": "Delete", "Metadata": { 
@@ -1246,78 +1317,6 @@ exports[`Static Website Unit Tests Defaults - Nested 1`] = ` }, "Type": "AWS::S3::BucketPolicy", }, - "DefaultsOriginAccessIdentity7F5D47DF": { - "Metadata": { - "cdk_nag": { - "rules_to_suppress": [ - { - "id": "AwsSolutions-L1", - "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", - }, - { - "id": "AwsPrototyping-LambdaLatestVersion", - "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", - }, - { - "applies_to": [ - { - "regex": "/^Action::s3:.*$/g", - }, - { - "regex": "/^Resource::.*$/g", - }, - ], - "id": "AwsSolutions-IAM5", - "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", - }, - { - "applies_to": [ - { - "regex": "/^Action::s3:.*$/g", - }, - { - "regex": "/^Resource::.*$/g", - }, - ], - "id": "AwsPrototyping-IAMNoWildcardPermissions", - "reason": "All Policies have been scoped to a Bucket. 
Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", - }, - { - "applies_to": [ - { - "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", - }, - ], - "id": "AwsSolutions-IAM4", - "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", - }, - { - "applies_to": [ - { - "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", - }, - ], - "id": "AwsPrototyping-IAMNoManagedPolicies", - "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", - }, - { - "id": "AwsSolutions-S1", - "reason": "Access Log buckets should not have s3 bucket logging", - }, - { - "id": "AwsPrototyping-S3BucketLoggingEnabled", - "reason": "Access Log buckets should not have s3 bucket logging", - }, - ], - }, - }, - "Properties": { - "CloudFrontOriginAccessIdentityConfig": { - "Comment": "Allows CloudFront to reach the bucket", - }, - }, - "Type": "AWS::CloudFront::CloudFrontOriginAccessIdentity", - }, "DefaultsWebsiteAclCFAclCustomResource08DBB477": { "DeletionPolicy": "Delete", "Metadata": { 
@@ -2486,33 +2485,33 @@ exports[`Static Website Unit Tests Defaults - Nested 1`] = ` ], }, { - "Action": "s3:ListBucket", - "Effect": "Allow", - "Principal": { - "CanonicalUser": { - "Fn::GetAtt": [ - "DefaultsOriginAccessIdentity7F5D47DF", - "S3CanonicalUserId", - ], + "Action": "s3:GetObject", + "Condition": { + "StringEquals": { + "AWS:SourceArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition", + }, + ":cloudfront::", + { + "Ref": "AWS::AccountId", + }, + ":distribution/", + { + "Ref": "DefaultsCloudfrontDistributionF4EA1054", + }, + ], + ], + }, }, }, - "Resource": { - "Fn::GetAtt": [ - "DefaultsWebsiteBucket3263D025", - "Arn", - ], - }, - }, - { - "Action": "s3:GetObject", "Effect": "Allow", "Principal": { - "CanonicalUser": { - "Fn::GetAtt": [ - "DefaultsOriginAccessIdentity7F5D47DF", - "S3CanonicalUserId", - ], - }, + "Service": "cloudfront.amazonaws.com", }, "Resource": { "Fn::Join": [ @@ -3598,18 +3597,14 @@ exports[`Static Website Unit Tests Defaults - using AwsPrototyping NagPack 1`] = ], }, "Id": "DefaultsCloudfrontDistributionOrigin1BA23CD94", + "OriginAccessControlId": { + "Fn::GetAtt": [ + "DefaultsCloudfrontDistributionOrigin1S3OriginAccessControl6814E8FF", + "Id", + ], + }, "S3OriginConfig": { - "OriginAccessIdentity": { - "Fn::Join": [ - "", - [ - "origin-access-identity/cloudfront/", - { - "Ref": "DefaultsOriginAccessIdentity7F5D47DF", - }, - ], - ], - }, + "OriginAccessIdentity": "", }, }, ], @@ -3623,8 +3618,7 @@ exports[`Static Website Unit Tests Defaults - using AwsPrototyping NagPack 1`] = }, "Type": "AWS::CloudFront::Distribution", }, - "DefaultsDistributionLogBucket7EA741E2": { - "DeletionPolicy": "Delete", + "DefaultsCloudfrontDistributionOrigin1S3OriginAccessControl6814E8FF": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ 
@@ -3690,49 +3684,17 @@ exports[`Static Website Unit Tests Defaults - using AwsPrototyping NagPack 1`] = }, }, "Properties": { - "BucketEncryption": { - "ServerSideEncryptionConfiguration": [ - { - "ServerSideEncryptionByDefault": { - "SSEAlgorithm": "AES256", - }, - }, - ], - }, - "LoggingConfiguration": { - "DestinationBucketName": { - "Ref": "DefaultsAccessLogsBucket1E788CBC", - }, - "LogFilePrefix": "distribution-access-logs", - }, - "OwnershipControls": { - "Rules": [ - { - "ObjectOwnership": "BucketOwnerPreferred", - }, - ], - }, - "PublicAccessBlockConfiguration": { - "BlockPublicAcls": true, - "BlockPublicPolicy": true, - "IgnorePublicAcls": true, - "RestrictPublicBuckets": true, + "OriginAccessControlConfig": { + "Name": "DefaultsCloudfrontDistributiOrigin1S3OriginAccessControlC8BD58BC", + "OriginAccessControlOriginType": "s3", + "SigningBehavior": "always", + "SigningProtocol": "sigv4", }, - "Tags": [ - { - "Key": "aws-cdk:auto-delete-objects", - "Value": "true", - }, - ], }, - "Type": "AWS::S3::Bucket", - "UpdateReplacePolicy": "Delete", + "Type": "AWS::CloudFront::OriginAccessControl", }, - "DefaultsDistributionLogBucketAutoDeleteObjectsCustomResource7370C612": { + "DefaultsDistributionLogBucket7EA741E2": { "DeletionPolicy": "Delete", - "DependsOn": [ - "DefaultsDistributionLogBucketPolicyC6D11E8F", - ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ 
@@ -3798,13 +3760,121 @@ exports[`Static Website Unit Tests Defaults - using AwsPrototyping NagPack 1`] = }, }, "Properties": { - "BucketName": { - "Ref": "DefaultsDistributionLogBucket7EA741E2", + "BucketEncryption": { + "ServerSideEncryptionConfiguration": [ + { + "ServerSideEncryptionByDefault": { + "SSEAlgorithm": "AES256", + }, + }, + ], }, - "ServiceToken": { - "Fn::GetAtt": [ - "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", - "Arn", + "LoggingConfiguration": { + "DestinationBucketName": { + "Ref": "DefaultsAccessLogsBucket1E788CBC", + }, + "LogFilePrefix": "distribution-access-logs", + }, + "OwnershipControls": { + "Rules": [ + { + "ObjectOwnership": "BucketOwnerPreferred", + }, + ], + }, + "PublicAccessBlockConfiguration": { + "BlockPublicAcls": true, + "BlockPublicPolicy": true, + "IgnorePublicAcls": true, + "RestrictPublicBuckets": true, + }, + "Tags": [ + { + "Key": "aws-cdk:auto-delete-objects", + "Value": "true", + }, + ], + }, + "Type": "AWS::S3::Bucket", + "UpdateReplacePolicy": "Delete", + }, + "DefaultsDistributionLogBucketAutoDeleteObjectsCustomResource7370C612": { + "DeletionPolicy": "Delete", + "DependsOn": [ + "DefaultsDistributionLogBucketPolicyC6D11E8F", + ], + "Metadata": { + "cdk_nag": { + "rules_to_suppress": [ + { + "id": "AwsSolutions-L1", + "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", + }, + { + "id": "AwsPrototyping-LambdaLatestVersion", + "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", + }, + { + "applies_to": [ + { + "regex": "/^Action::s3:.*$/g", + }, + { + "regex": "/^Resource::.*$/g", + }, + ], + "id": "AwsSolutions-IAM5", + "reason": "All Policies have been scoped to a Bucket. 
Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", + }, + { + "applies_to": [ + { + "regex": "/^Action::s3:.*$/g", + }, + { + "regex": "/^Resource::.*$/g", + }, + ], + "id": "AwsPrototyping-IAMNoWildcardPermissions", + "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", + }, + { + "applies_to": [ + { + "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", + }, + ], + "id": "AwsSolutions-IAM4", + "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", + }, + { + "applies_to": [ + { + "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", + }, + ], + "id": "AwsPrototyping-IAMNoManagedPolicies", + "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", + }, + { + "id": "AwsSolutions-S1", + "reason": "Access Log buckets should not have s3 bucket logging", + }, + { + "id": "AwsPrototyping-S3BucketLoggingEnabled", + "reason": "Access Log buckets should not have s3 bucket logging", + }, + ], + }, + }, + "Properties": { + "BucketName": { + "Ref": "DefaultsDistributionLogBucket7EA741E2", + }, + "ServiceToken": { + "Fn::GetAtt": [ + "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", + "Arn", ], }, }, 
@@ -3961,78 +4031,6 @@ exports[`Static Website Unit Tests Defaults - using AwsPrototyping NagPack 1`] = }, "Type": "AWS::S3::BucketPolicy", }, - "DefaultsOriginAccessIdentity7F5D47DF": { - "Metadata": { - "cdk_nag": { - "rules_to_suppress": [ - { - "id": "AwsSolutions-L1", - "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", - }, - { - "id": "AwsPrototyping-LambdaLatestVersion", - "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", - }, - { - "applies_to": [ - { - "regex": "/^Action::s3:.*$/g", - }, - { - "regex": "/^Resource::.*$/g", - }, - ], - "id": "AwsSolutions-IAM5", - "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", - }, - { - "applies_to": [ - { - "regex": "/^Action::s3:.*$/g", - }, - { - "regex": "/^Resource::.*$/g", - }, - ], - "id": "AwsPrototyping-IAMNoWildcardPermissions", - "reason": "All Policies have been scoped to a Bucket. 
Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", - }, - { - "applies_to": [ - { - "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", - }, - ], - "id": "AwsSolutions-IAM4", - "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", - }, - { - "applies_to": [ - { - "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", - }, - ], - "id": "AwsPrototyping-IAMNoManagedPolicies", - "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", - }, - { - "id": "AwsSolutions-S1", - "reason": "Access Log buckets should not have s3 bucket logging", - }, - { - "id": "AwsPrototyping-S3BucketLoggingEnabled", - "reason": "Access Log buckets should not have s3 bucket logging", - }, - ], - }, - }, - "Properties": { - "CloudFrontOriginAccessIdentityConfig": { - "Comment": "Allows CloudFront to reach the bucket", - }, - }, - "Type": "AWS::CloudFront::CloudFrontOriginAccessIdentity", - }, "DefaultsWebsiteAclCFAclCustomResource08DBB477": { "DeletionPolicy": "Delete", "Metadata": { 
@@ -5179,33 +5177,33 @@ exports[`Static Website Unit Tests Defaults - using AwsPrototyping NagPack 1`] = ], }, { - "Action": "s3:ListBucket", - "Effect": "Allow", - "Principal": { - "CanonicalUser": { - "Fn::GetAtt": [ - "DefaultsOriginAccessIdentity7F5D47DF", - "S3CanonicalUserId", - ], + "Action": "s3:GetObject", + "Condition": { + "StringEquals": { + "AWS:SourceArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition", + }, + ":cloudfront::", + { + "Ref": "AWS::AccountId", + }, + ":distribution/", + { + "Ref": "DefaultsCloudfrontDistributionF4EA1054", + }, + ], + ], + }, }, }, - "Resource": { - "Fn::GetAtt": [ - "DefaultsWebsiteBucket3263D025", - "Arn", - ], - }, - }, - { - "Action": "s3:GetObject", "Effect": "Allow", "Principal": { - "CanonicalUser": { - "Fn::GetAtt": [ - "DefaultsOriginAccessIdentity7F5D47DF", - "S3CanonicalUserId", - ], - }, + "Service": "cloudfront.amazonaws.com", }, "Resource": { "Fn::Join": [ @@ -6318,18 +6316,14 @@ exports[`Static Website Unit Tests Defaults 1`] = ` ], }, "Id": "DefaultsCloudfrontDistributionOrigin1BA23CD94", + "OriginAccessControlId": { + "Fn::GetAtt": [ + "DefaultsCloudfrontDistributionOrigin1S3OriginAccessControl6814E8FF", + "Id", + ], + }, "S3OriginConfig": { - "OriginAccessIdentity": { - "Fn::Join": [ - "", - [ - "origin-access-identity/cloudfront/", - { - "Ref": "DefaultsOriginAccessIdentity7F5D47DF", - }, - ], - ], - }, + "OriginAccessIdentity": "", }, }, ], @@ -6343,8 +6337,7 @@ exports[`Static Website Unit Tests Defaults 1`] = ` }, "Type": "AWS::CloudFront::Distribution", }, - "DefaultsDistributionLogBucket7EA741E2": { - "DeletionPolicy": "Delete", + "DefaultsCloudfrontDistributionOrigin1S3OriginAccessControl6814E8FF": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ 
@@ -6410,49 +6403,17 @@ exports[`Static Website Unit Tests Defaults 1`] = ` }, }, "Properties": { - "BucketEncryption": { - "ServerSideEncryptionConfiguration": [ - { - "ServerSideEncryptionByDefault": { - "SSEAlgorithm": "AES256", - }, - }, - ], - }, - "LoggingConfiguration": { - "DestinationBucketName": { - "Ref": "DefaultsAccessLogsBucket1E788CBC", - }, - "LogFilePrefix": "distribution-access-logs", - }, - "OwnershipControls": { - "Rules": [ - { - "ObjectOwnership": "BucketOwnerPreferred", - }, - ], - }, - "PublicAccessBlockConfiguration": { - "BlockPublicAcls": true, - "BlockPublicPolicy": true, - "IgnorePublicAcls": true, - "RestrictPublicBuckets": true, + "OriginAccessControlConfig": { + "Name": "DefaultsCloudfrontDistributiOrigin1S3OriginAccessControlC8BD58BC", + "OriginAccessControlOriginType": "s3", + "SigningBehavior": "always", + "SigningProtocol": "sigv4", }, - "Tags": [ - { - "Key": "aws-cdk:auto-delete-objects", - "Value": "true", - }, - ], }, - "Type": "AWS::S3::Bucket", - "UpdateReplacePolicy": "Delete", + "Type": "AWS::CloudFront::OriginAccessControl", }, - "DefaultsDistributionLogBucketAutoDeleteObjectsCustomResource7370C612": { + "DefaultsDistributionLogBucket7EA741E2": { "DeletionPolicy": "Delete", - "DependsOn": [ - "DefaultsDistributionLogBucketPolicyC6D11E8F", - ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ 
@@ -6518,15 +6479,123 @@ exports[`Static Website Unit Tests Defaults 1`] = ` }, }, "Properties": { - "BucketName": { - "Ref": "DefaultsDistributionLogBucket7EA741E2", - }, - "ServiceToken": { - "Fn::GetAtt": [ - "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", - "Arn", - ], - }, + "BucketEncryption": { + "ServerSideEncryptionConfiguration": [ + { + "ServerSideEncryptionByDefault": { + "SSEAlgorithm": "AES256", + }, + }, + ], + }, + "LoggingConfiguration": { + "DestinationBucketName": { + "Ref": "DefaultsAccessLogsBucket1E788CBC", + }, + "LogFilePrefix": "distribution-access-logs", + }, + "OwnershipControls": { + "Rules": [ + { + "ObjectOwnership": "BucketOwnerPreferred", + }, + ], + }, + "PublicAccessBlockConfiguration": { + "BlockPublicAcls": true, + "BlockPublicPolicy": true, + "IgnorePublicAcls": true, + "RestrictPublicBuckets": true, + }, + "Tags": [ + { + "Key": "aws-cdk:auto-delete-objects", + "Value": "true", + }, + ], + }, + "Type": "AWS::S3::Bucket", + "UpdateReplacePolicy": "Delete", + }, + "DefaultsDistributionLogBucketAutoDeleteObjectsCustomResource7370C612": { + "DeletionPolicy": "Delete", + "DependsOn": [ + "DefaultsDistributionLogBucketPolicyC6D11E8F", + ], + "Metadata": { + "cdk_nag": { + "rules_to_suppress": [ + { + "id": "AwsSolutions-L1", + "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", + }, + { + "id": "AwsPrototyping-LambdaLatestVersion", + "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", + }, + { + "applies_to": [ + { + "regex": "/^Action::s3:.*$/g", + }, + { + "regex": "/^Resource::.*$/g", + }, + ], + "id": "AwsSolutions-IAM5", + "reason": "All Policies have been scoped to a Bucket. 
Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", + }, + { + "applies_to": [ + { + "regex": "/^Action::s3:.*$/g", + }, + { + "regex": "/^Resource::.*$/g", + }, + ], + "id": "AwsPrototyping-IAMNoWildcardPermissions", + "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", + }, + { + "applies_to": [ + { + "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", + }, + ], + "id": "AwsSolutions-IAM4", + "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", + }, + { + "applies_to": [ + { + "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", + }, + ], + "id": "AwsPrototyping-IAMNoManagedPolicies", + "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", + }, + { + "id": "AwsSolutions-S1", + "reason": "Access Log buckets should not have s3 bucket logging", + }, + { + "id": "AwsPrototyping-S3BucketLoggingEnabled", + "reason": "Access Log buckets should not have s3 bucket logging", + }, + ], + }, + }, + "Properties": { + "BucketName": { + "Ref": "DefaultsDistributionLogBucket7EA741E2", + }, + "ServiceToken": { + "Fn::GetAtt": [ + "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", + "Arn", + ], + }, }, "Type": "Custom::S3AutoDeleteObjects", "UpdateReplacePolicy": "Delete", 
@@ -6681,78 +6750,6 @@ exports[`Static Website Unit Tests Defaults 1`] = ` }, "Type": "AWS::S3::BucketPolicy", }, - "DefaultsOriginAccessIdentity7F5D47DF": { - "Metadata": { - "cdk_nag": { - "rules_to_suppress": [ - { - "id": "AwsSolutions-L1", - "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", - }, - { - "id": "AwsPrototyping-LambdaLatestVersion", - "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", - }, - { - "applies_to": [ - { - "regex": "/^Action::s3:.*$/g", - }, - { - "regex": "/^Resource::.*$/g", - }, - ], - "id": "AwsSolutions-IAM5", - "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", - }, - { - "applies_to": [ - { - "regex": "/^Action::s3:.*$/g", - }, - { - "regex": "/^Resource::.*$/g", - }, - ], - "id": "AwsPrototyping-IAMNoWildcardPermissions", - "reason": "All Policies have been scoped to a Bucket. 
Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", - }, - { - "applies_to": [ - { - "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", - }, - ], - "id": "AwsSolutions-IAM4", - "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", - }, - { - "applies_to": [ - { - "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", - }, - ], - "id": "AwsPrototyping-IAMNoManagedPolicies", - "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", - }, - { - "id": "AwsSolutions-S1", - "reason": "Access Log buckets should not have s3 bucket logging", - }, - { - "id": "AwsPrototyping-S3BucketLoggingEnabled", - "reason": "Access Log buckets should not have s3 bucket logging", - }, - ], - }, - }, - "Properties": { - "CloudFrontOriginAccessIdentityConfig": { - "Comment": "Allows CloudFront to reach the bucket", - }, - }, - "Type": "AWS::CloudFront::CloudFrontOriginAccessIdentity", - }, "DefaultsWebsiteAclCFAclCustomResource08DBB477": { "DeletionPolicy": "Delete", "Metadata": { 
@@ -7899,33 +7896,33 @@ exports[`Static Website Unit Tests Defaults 1`] = ` ], }, { - "Action": "s3:ListBucket", - "Effect": "Allow", - "Principal": { - "CanonicalUser": { - "Fn::GetAtt": [ - "DefaultsOriginAccessIdentity7F5D47DF", - "S3CanonicalUserId", - ], + "Action": "s3:GetObject", + "Condition": { + "StringEquals": { + "AWS:SourceArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition", + }, + ":cloudfront::", + { + "Ref": "AWS::AccountId", + }, + ":distribution/", + { + "Ref": "DefaultsCloudfrontDistributionF4EA1054", + }, + ], + ], + }, }, }, - "Resource": { - "Fn::GetAtt": [ - "DefaultsWebsiteBucket3263D025", - "Arn", - ], - }, - }, - { - "Action": "s3:GetObject", "Effect": "Allow", "Principal": { - "CanonicalUser": { - "Fn::GetAtt": [ - "DefaultsOriginAccessIdentity7F5D47DF", - "S3CanonicalUserId", - ], - }, + "Service": "cloudfront.amazonaws.com", }, "Resource": { "Fn::Join": [ @@ -9038,18 +9035,14 @@ exports[`Static Website Unit Tests Defaults and Geoblocking - using AwsPrototypi ], }, "Id": "DefaultsCloudfrontDistributionOrigin1BA23CD94", + "OriginAccessControlId": { + "Fn::GetAtt": [ + "DefaultsCloudfrontDistributionOrigin1S3OriginAccessControl6814E8FF", + "Id", + ], + }, "S3OriginConfig": { - "OriginAccessIdentity": { - "Fn::Join": [ - "", - [ - "origin-access-identity/cloudfront/", - { - "Ref": "DefaultsOriginAccessIdentity7F5D47DF", - }, - ], - ], - }, + "OriginAccessIdentity": "", }, }, ], @@ -9072,8 +9065,7 @@ exports[`Static Website Unit Tests Defaults and Geoblocking - using AwsPrototypi }, "Type": "AWS::CloudFront::Distribution", }, - "DefaultsDistributionLogBucket7EA741E2": { - "DeletionPolicy": "Delete", + "DefaultsCloudfrontDistributionOrigin1S3OriginAccessControl6814E8FF": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ 
@@ -9139,27 +9131,103 @@ exports[`Static Website Unit Tests Defaults and Geoblocking - using AwsPrototypi }, }, "Properties": { - "BucketEncryption": { - "ServerSideEncryptionConfiguration": [ - { - "ServerSideEncryptionByDefault": { - "SSEAlgorithm": "AES256", - }, - }, - ], - }, - "LoggingConfiguration": { - "DestinationBucketName": { - "Ref": "DefaultsAccessLogsBucket1E788CBC", - }, - "LogFilePrefix": "distribution-access-logs", + "OriginAccessControlConfig": { + "Name": "DefaultsCloudfrontDistributiOrigin1S3OriginAccessControlC8BD58BC", + "OriginAccessControlOriginType": "s3", + "SigningBehavior": "always", + "SigningProtocol": "sigv4", }, - "OwnershipControls": { - "Rules": [ + }, + "Type": "AWS::CloudFront::OriginAccessControl", + }, + "DefaultsDistributionLogBucket7EA741E2": { + "DeletionPolicy": "Delete", + "Metadata": { + "cdk_nag": { + "rules_to_suppress": [ { - "ObjectOwnership": "BucketOwnerPreferred", + "id": "AwsSolutions-L1", + "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, - ], + { + "id": "AwsPrototyping-LambdaLatestVersion", + "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", + }, + { + "applies_to": [ + { + "regex": "/^Action::s3:.*$/g", + }, + { + "regex": "/^Resource::.*$/g", + }, + ], + "id": "AwsSolutions-IAM5", + "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", + }, + { + "applies_to": [ + { + "regex": "/^Action::s3:.*$/g", + }, + { + "regex": "/^Resource::.*$/g", + }, + ], + "id": "AwsPrototyping-IAMNoWildcardPermissions", + "reason": "All Policies have been scoped to a Bucket. 
Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", + }, + { + "applies_to": [ + { + "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", + }, + ], + "id": "AwsSolutions-IAM4", + "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", + }, + { + "applies_to": [ + { + "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", + }, + ], + "id": "AwsPrototyping-IAMNoManagedPolicies", + "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", + }, + { + "id": "AwsSolutions-S1", + "reason": "Access Log buckets should not have s3 bucket logging", + }, + { + "id": "AwsPrototyping-S3BucketLoggingEnabled", + "reason": "Access Log buckets should not have s3 bucket logging", + }, + ], + }, + }, + "Properties": { + "BucketEncryption": { + "ServerSideEncryptionConfiguration": [ + { + "ServerSideEncryptionByDefault": { + "SSEAlgorithm": "AES256", + }, + }, + ], + }, + "LoggingConfiguration": { + "DestinationBucketName": { + "Ref": "DefaultsAccessLogsBucket1E788CBC", + }, + "LogFilePrefix": "distribution-access-logs", + }, + "OwnershipControls": { + "Rules": [ + { + "ObjectOwnership": "BucketOwnerPreferred", + }, + ], }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, 
@@ -9410,78 +9478,6 @@ exports[`Static Website Unit Tests Defaults and Geoblocking - using AwsPrototypi }, "Type": "AWS::S3::BucketPolicy", }, - "DefaultsOriginAccessIdentity7F5D47DF": { - "Metadata": { - "cdk_nag": { - "rules_to_suppress": [ - { - "id": "AwsSolutions-L1", - "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", - }, - { - "id": "AwsPrototyping-LambdaLatestVersion", - "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", - }, - { - "applies_to": [ - { - "regex": "/^Action::s3:.*$/g", - }, - { - "regex": "/^Resource::.*$/g", - }, - ], - "id": "AwsSolutions-IAM5", - "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", - }, - { - "applies_to": [ - { - "regex": "/^Action::s3:.*$/g", - }, - { - "regex": "/^Resource::.*$/g", - }, - ], - "id": "AwsPrototyping-IAMNoWildcardPermissions", - "reason": "All Policies have been scoped to a Bucket. 
Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", - }, - { - "applies_to": [ - { - "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", - }, - ], - "id": "AwsSolutions-IAM4", - "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", - }, - { - "applies_to": [ - { - "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", - }, - ], - "id": "AwsPrototyping-IAMNoManagedPolicies", - "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", - }, - { - "id": "AwsSolutions-S1", - "reason": "Access Log buckets should not have s3 bucket logging", - }, - { - "id": "AwsPrototyping-S3BucketLoggingEnabled", - "reason": "Access Log buckets should not have s3 bucket logging", - }, - ], - }, - }, - "Properties": { - "CloudFrontOriginAccessIdentityConfig": { - "Comment": "Allows CloudFront to reach the bucket", - }, - }, - "Type": "AWS::CloudFront::CloudFrontOriginAccessIdentity", - }, "DefaultsWebsiteAclCFAclCustomResource08DBB477": { "DeletionPolicy": "Delete", "Metadata": { 
@@ -10628,33 +10624,33 @@ exports[`Static Website Unit Tests Defaults and Geoblocking - using AwsPrototypi ], }, { - "Action": "s3:ListBucket", - "Effect": "Allow", - "Principal": { - "CanonicalUser": { - "Fn::GetAtt": [ - "DefaultsOriginAccessIdentity7F5D47DF", - "S3CanonicalUserId", - ], + "Action": "s3:GetObject", + "Condition": { + "StringEquals": { + "AWS:SourceArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition", + }, + ":cloudfront::", + { + "Ref": "AWS::AccountId", + }, + ":distribution/", + { + "Ref": "DefaultsCloudfrontDistributionF4EA1054", + }, + ], + ], + }, }, }, - "Resource": { - "Fn::GetAtt": [ - "DefaultsWebsiteBucket3263D025", - "Arn", - ], - }, - }, - { - "Action": "s3:GetObject", "Effect": "Allow", "Principal": { - "CanonicalUser": { - "Fn::GetAtt": [ - "DefaultsOriginAccessIdentity7F5D47DF", - "S3CanonicalUserId", - ], - }, + "Service": "cloudfront.amazonaws.com", }, "Resource": { "Fn::Join": [ @@ -11833,18 +11829,14 @@ exports[`Static Website Unit Tests Defaults with suppression rule - using AwsPro ], }, "Id": "DefaultsCloudfrontDistributionOrigin1BA23CD94", + "OriginAccessControlId": { + "Fn::GetAtt": [ + "DefaultsCloudfrontDistributionOrigin1S3OriginAccessControl6814E8FF", + "Id", + ], + }, "S3OriginConfig": { - "OriginAccessIdentity": { - "Fn::Join": [ - "", - [ - "origin-access-identity/cloudfront/", - { - "Ref": "DefaultsOriginAccessIdentity7F5D47DF", - }, - ], - ], - }, + "OriginAccessIdentity": "", }, }, ], @@ -11858,8 +11850,7 @@ exports[`Static Website Unit Tests Defaults with suppression rule - using AwsPro }, "Type": "AWS::CloudFront::Distribution", }, - "DefaultsDistributionLogBucket7EA741E2": { - "DeletionPolicy": "Delete", + "DefaultsCloudfrontDistributionOrigin1S3OriginAccessControl6814E8FF": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ 
@@ -11929,49 +11920,17 @@ exports[`Static Website Unit Tests Defaults with suppression rule - using AwsPro }, }, "Properties": { - "BucketEncryption": { - "ServerSideEncryptionConfiguration": [ - { - "ServerSideEncryptionByDefault": { - "SSEAlgorithm": "AES256", - }, - }, - ], - }, - "LoggingConfiguration": { - "DestinationBucketName": { - "Ref": "DefaultsAccessLogsBucket1E788CBC", - }, - "LogFilePrefix": "distribution-access-logs", - }, - "OwnershipControls": { - "Rules": [ - { - "ObjectOwnership": "BucketOwnerPreferred", - }, - ], - }, - "PublicAccessBlockConfiguration": { - "BlockPublicAcls": true, - "BlockPublicPolicy": true, - "IgnorePublicAcls": true, - "RestrictPublicBuckets": true, + "OriginAccessControlConfig": { + "Name": "DefaultsCloudfrontDistributiOrigin1S3OriginAccessControlC8BD58BC", + "OriginAccessControlOriginType": "s3", + "SigningBehavior": "always", + "SigningProtocol": "sigv4", }, - "Tags": [ - { - "Key": "aws-cdk:auto-delete-objects", - "Value": "true", - }, - ], }, - "Type": "AWS::S3::Bucket", - "UpdateReplacePolicy": "Delete", + "Type": "AWS::CloudFront::OriginAccessControl", }, - "DefaultsDistributionLogBucketAutoDeleteObjectsCustomResource7370C612": { + "DefaultsDistributionLogBucket7EA741E2": { "DeletionPolicy": "Delete", - "DependsOn": [ - "DefaultsDistributionLogBucketPolicyC6D11E8F", - ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ 
@@ -12041,13 +12000,125 @@ exports[`Static Website Unit Tests Defaults with suppression rule - using AwsPro }, }, "Properties": { - "BucketName": { - "Ref": "DefaultsDistributionLogBucket7EA741E2", + "BucketEncryption": { + "ServerSideEncryptionConfiguration": [ + { + "ServerSideEncryptionByDefault": { + "SSEAlgorithm": "AES256", + }, + }, + ], }, - "ServiceToken": { - "Fn::GetAtt": [ - "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", - "Arn", + "LoggingConfiguration": { + "DestinationBucketName": { + "Ref": "DefaultsAccessLogsBucket1E788CBC", + }, + "LogFilePrefix": "distribution-access-logs", + }, + "OwnershipControls": { + "Rules": [ + { + "ObjectOwnership": "BucketOwnerPreferred", + }, + ], + }, + "PublicAccessBlockConfiguration": { + "BlockPublicAcls": true, + "BlockPublicPolicy": true, + "IgnorePublicAcls": true, + "RestrictPublicBuckets": true, + }, + "Tags": [ + { + "Key": "aws-cdk:auto-delete-objects", + "Value": "true", + }, + ], + }, + "Type": "AWS::S3::Bucket", + "UpdateReplacePolicy": "Delete", + }, + "DefaultsDistributionLogBucketAutoDeleteObjectsCustomResource7370C612": { + "DeletionPolicy": "Delete", + "DependsOn": [ + "DefaultsDistributionLogBucketPolicyC6D11E8F", + ], + "Metadata": { + "cdk_nag": { + "rules_to_suppress": [ + { + "id": "AwsSolutions-L1", + "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", + }, + { + "id": "AwsPrototyping-LambdaLatestVersion", + "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", + }, + { + "applies_to": [ + { + "regex": "/^Action::s3:.*$/g", + }, + { + "regex": "/^Resource::.*$/g", + }, + ], + "id": "AwsSolutions-IAM5", + "reason": "All Policies have been scoped to a Bucket. 
Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", + }, + { + "applies_to": [ + { + "regex": "/^Action::s3:.*$/g", + }, + { + "regex": "/^Resource::.*$/g", + }, + ], + "id": "AwsPrototyping-IAMNoWildcardPermissions", + "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", + }, + { + "applies_to": [ + { + "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", + }, + ], + "id": "AwsSolutions-IAM4", + "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", + }, + { + "applies_to": [ + { + "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", + }, + ], + "id": "AwsPrototyping-IAMNoManagedPolicies", + "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", + }, + { + "id": "AwsSolutions-S1", + "reason": "Access Log buckets should not have s3 bucket logging", + }, + { + "id": "AwsPrototyping-S3BucketLoggingEnabled", + "reason": "Access Log buckets should not have s3 bucket logging", + }, + { + "id": "AwsPrototyping-CloudFrontDistributionGeoRestrictions", + "reason": "This is a supression reason", + }, + ], + }, + }, + "Properties": { + "BucketName": { + "Ref": "DefaultsDistributionLogBucket7EA741E2", + }, + "ServiceToken": { + "Fn::GetAtt": [ + "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", + "Arn", ], }, }, 
@@ -12208,82 +12279,6 @@ exports[`Static Website Unit Tests Defaults with suppression rule - using AwsPro }, "Type": "AWS::S3::BucketPolicy", }, - "DefaultsOriginAccessIdentity7F5D47DF": { - "Metadata": { - "cdk_nag": { - "rules_to_suppress": [ - { - "id": "AwsSolutions-L1", - "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", - }, - { - "id": "AwsPrototyping-LambdaLatestVersion", - "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", - }, - { - "applies_to": [ - { - "regex": "/^Action::s3:.*$/g", - }, - { - "regex": "/^Resource::.*$/g", - }, - ], - "id": "AwsSolutions-IAM5", - "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", - }, - { - "applies_to": [ - { - "regex": "/^Action::s3:.*$/g", - }, - { - "regex": "/^Resource::.*$/g", - }, - ], - "id": "AwsPrototyping-IAMNoWildcardPermissions", - "reason": "All Policies have been scoped to a Bucket. 
Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", - }, - { - "applies_to": [ - { - "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", - }, - ], - "id": "AwsSolutions-IAM4", - "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", - }, - { - "applies_to": [ - { - "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", - }, - ], - "id": "AwsPrototyping-IAMNoManagedPolicies", - "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", - }, - { - "id": "AwsSolutions-S1", - "reason": "Access Log buckets should not have s3 bucket logging", - }, - { - "id": "AwsPrototyping-S3BucketLoggingEnabled", - "reason": "Access Log buckets should not have s3 bucket logging", - }, - { - "id": "AwsPrototyping-CloudFrontDistributionGeoRestrictions", - "reason": "This is a supression reason", - }, - ], - }, - }, - "Properties": { - "CloudFrontOriginAccessIdentityConfig": { - "Comment": "Allows CloudFront to reach the bucket", - }, - }, - "Type": "AWS::CloudFront::CloudFrontOriginAccessIdentity", - }, "DefaultsWebsiteAclCFAclCustomResource08DBB477": { "DeletionPolicy": "Delete", "Metadata": { 
@@ -13466,33 +13461,33 @@ exports[`Static Website Unit Tests Defaults with suppression rule - using AwsPro ], }, { - "Action": "s3:ListBucket", - "Effect": "Allow", - "Principal": { - "CanonicalUser": { - "Fn::GetAtt": [ - "DefaultsOriginAccessIdentity7F5D47DF", - "S3CanonicalUserId", - ], + "Action": "s3:GetObject", + "Condition": { + "StringEquals": { + "AWS:SourceArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition", + }, + ":cloudfront::", + { + "Ref": "AWS::AccountId", + }, + ":distribution/", + { + "Ref": "DefaultsCloudfrontDistributionF4EA1054", + }, + ], + ], + }, }, }, - "Resource": { - "Fn::GetAtt": [ - "DefaultsWebsiteBucket3263D025", - "Arn", - ], - }, - }, - { - "Action": "s3:GetObject", "Effect": "Allow", "Principal": { - "CanonicalUser": { - "Fn::GetAtt": [ - "DefaultsOriginAccessIdentity7F5D47DF", - "S3CanonicalUserId", - ], - }, + "Service": "cloudfront.amazonaws.com", }, "Resource": { "Fn::Join": [ @@ -14613,18 +14608,14 @@ exports[`Static Website Unit Tests Disable Web ACL 1`] = ` ], }, "Id": "WithoutWebAclCloudfrontDistributionOrigin1FA8DDFBE", + "OriginAccessControlId": { + "Fn::GetAtt": [ + "WithoutWebAclCloudfrontDistributionOrigin1S3OriginAccessControl3A3CA07F", + "Id", + ], + }, "S3OriginConfig": { - "OriginAccessIdentity": { - "Fn::Join": [ - "", - [ - "origin-access-identity/cloudfront/", - { - "Ref": "WithoutWebAclOriginAccessIdentity44AFE92A", - }, - ], - ], - }, + "OriginAccessIdentity": "", }, }, ], @@ -14632,11 +14623,7 @@ exports[`Static Website Unit Tests Disable Web ACL 1`] = ` }, "Type": "AWS::CloudFront::Distribution", }, - "WithoutWebAclDistributionLogBucketAutoDeleteObjectsCustomResource6B7F8E37": { - "DeletionPolicy": "Delete", - "DependsOn": [ - "WithoutWebAclDistributionLogBucketPolicy76B66889", - ], + "WithoutWebAclCloudfrontDistributionOrigin1S3OriginAccessControl3A3CA07F": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ 
@@ -14702,21 +14689,20 @@ exports[`Static Website Unit Tests Disable Web ACL 1`] = ` }, }, "Properties": { - "BucketName": { - "Ref": "WithoutWebAclDistributionLogBucketD44A0A31", - }, - "ServiceToken": { - "Fn::GetAtt": [ - "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", - "Arn", - ], + "OriginAccessControlConfig": { + "Name": "WithoutWebAclCloudfrontDistrOrigin1S3OriginAccessControl03D012B7", + "OriginAccessControlOriginType": "s3", + "SigningBehavior": "always", + "SigningProtocol": "sigv4", }, }, - "Type": "Custom::S3AutoDeleteObjects", - "UpdateReplacePolicy": "Delete", + "Type": "AWS::CloudFront::OriginAccessControl", }, - "WithoutWebAclDistributionLogBucketD44A0A31": { + "WithoutWebAclDistributionLogBucketAutoDeleteObjectsCustomResource6B7F8E37": { "DeletionPolicy": "Delete", + "DependsOn": [ + "WithoutWebAclDistributionLogBucketPolicy76B66889", + ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ 
@@ -14782,24 +14768,104 @@ exports[`Static Website Unit Tests Disable Web ACL 1`] = ` }, }, "Properties": { - "BucketEncryption": { - "ServerSideEncryptionConfiguration": [ - { - "ServerSideEncryptionByDefault": { - "SSEAlgorithm": "AES256", - }, - }, - ], + "BucketName": { + "Ref": "WithoutWebAclDistributionLogBucketD44A0A31", }, - "LoggingConfiguration": { - "DestinationBucketName": { - "Ref": "WithoutWebAclAccessLogsBucket79EA9931", - }, - "LogFilePrefix": "distribution-access-logs", + "ServiceToken": { + "Fn::GetAtt": [ + "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", + "Arn", + ], }, - "OwnershipControls": { - "Rules": [ - { + }, + "Type": "Custom::S3AutoDeleteObjects", + "UpdateReplacePolicy": "Delete", + }, + "WithoutWebAclDistributionLogBucketD44A0A31": { + "DeletionPolicy": "Delete", + "Metadata": { + "cdk_nag": { + "rules_to_suppress": [ + { + "id": "AwsSolutions-L1", + "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", + }, + { + "id": "AwsPrototyping-LambdaLatestVersion", + "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", + }, + { + "applies_to": [ + { + "regex": "/^Action::s3:.*$/g", + }, + { + "regex": "/^Resource::.*$/g", + }, + ], + "id": "AwsSolutions-IAM5", + "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", + }, + { + "applies_to": [ + { + "regex": "/^Action::s3:.*$/g", + }, + { + "regex": "/^Resource::.*$/g", + }, + ], + "id": "AwsPrototyping-IAMNoWildcardPermissions", + "reason": "All Policies have been scoped to a Bucket. 
Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", + }, + { + "applies_to": [ + { + "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", + }, + ], + "id": "AwsSolutions-IAM4", + "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", + }, + { + "applies_to": [ + { + "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", + }, + ], + "id": "AwsPrototyping-IAMNoManagedPolicies", + "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", + }, + { + "id": "AwsSolutions-S1", + "reason": "Access Log buckets should not have s3 bucket logging", + }, + { + "id": "AwsPrototyping-S3BucketLoggingEnabled", + "reason": "Access Log buckets should not have s3 bucket logging", + }, + ], + }, + }, + "Properties": { + "BucketEncryption": { + "ServerSideEncryptionConfiguration": [ + { + "ServerSideEncryptionByDefault": { + "SSEAlgorithm": "AES256", + }, + }, + ], + }, + "LoggingConfiguration": { + "DestinationBucketName": { + "Ref": "WithoutWebAclAccessLogsBucket79EA9931", + }, + "LogFilePrefix": "distribution-access-logs", + }, + "OwnershipControls": { + "Rules": [ + { "ObjectOwnership": "BucketOwnerPreferred", }, ], 
@@ -14970,78 +15036,6 @@ exports[`Static Website Unit Tests Disable Web ACL 1`] = ` }, "Type": "AWS::S3::BucketPolicy", }, - "WithoutWebAclOriginAccessIdentity44AFE92A": { - "Metadata": { - "cdk_nag": { - "rules_to_suppress": [ - { - "id": "AwsSolutions-L1", - "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", - }, - { - "id": "AwsPrototyping-LambdaLatestVersion", - "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", - }, - { - "applies_to": [ - { - "regex": "/^Action::s3:.*$/g", - }, - { - "regex": "/^Resource::.*$/g", - }, - ], - "id": "AwsSolutions-IAM5", - "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", - }, - { - "applies_to": [ - { - "regex": "/^Action::s3:.*$/g", - }, - { - "regex": "/^Resource::.*$/g", - }, - ], - "id": "AwsPrototyping-IAMNoWildcardPermissions", - "reason": "All Policies have been scoped to a Bucket. 
Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", - }, - { - "applies_to": [ - { - "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", - }, - ], - "id": "AwsSolutions-IAM4", - "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", - }, - { - "applies_to": [ - { - "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", - }, - ], - "id": "AwsPrototyping-IAMNoManagedPolicies", - "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", - }, - { - "id": "AwsSolutions-S1", - "reason": "Access Log buckets should not have s3 bucket logging", - }, - { - "id": "AwsPrototyping-S3BucketLoggingEnabled", - "reason": "Access Log buckets should not have s3 bucket logging", - }, - ], - }, - }, - "Properties": { - "CloudFrontOriginAccessIdentityConfig": { - "Comment": "Allows CloudFront to reach the bucket", - }, - }, - "Type": "AWS::CloudFront::CloudFrontOriginAccessIdentity", - }, "WithoutWebAclWebsiteBucket86DBF045": { "DeletionPolicy": "Delete", "Metadata": { 
@@ -15382,33 +15376,33 @@ exports[`Static Website Unit Tests Disable Web ACL 1`] = ` ], }, { - "Action": "s3:ListBucket", - "Effect": "Allow", - "Principal": { - "CanonicalUser": { - "Fn::GetAtt": [ - "WithoutWebAclOriginAccessIdentity44AFE92A", - "S3CanonicalUserId", - ], + "Action": "s3:GetObject", + "Condition": { + "StringEquals": { + "AWS:SourceArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition", + }, + ":cloudfront::", + { + "Ref": "AWS::AccountId", + }, + ":distribution/", + { + "Ref": "WithoutWebAclCloudfrontDistribution079C1AED", + }, + ], + ], + }, }, }, - "Resource": { - "Fn::GetAtt": [ - "WithoutWebAclWebsiteBucket86DBF045", - "Arn", - ], - }, - }, - { - "Action": "s3:GetObject", "Effect": "Allow", "Principal": { - "CanonicalUser": { - "Fn::GetAtt": [ - "WithoutWebAclOriginAccessIdentity44AFE92A", - "S3CanonicalUserId", - ], - }, + "Service": "cloudfront.amazonaws.com", }, "Resource": { "Fn::Join": [ @@ -16521,18 +16515,14 @@ exports[`Static Website Unit Tests With Provided WebAclId, should configure the ], }, "Id": "WebAclIdProvidedCloudfrontDistributionOrigin129E9BD2F", + "OriginAccessControlId": { + "Fn::GetAtt": [ + "WebAclIdProvidedCloudfrontDistributionOrigin1S3OriginAccessControlA55B491E", + "Id", + ], + }, "S3OriginConfig": { - "OriginAccessIdentity": { - "Fn::Join": [ - "", - [ - "origin-access-identity/cloudfront/", - { - "Ref": "WebAclIdProvidedOriginAccessIdentity16B3A296", - }, - ], - ], - }, + "OriginAccessIdentity": "", }, }, ], 
@@ -16541,6 +16531,81 @@ exports[`Static Website Unit Tests With Provided WebAclId, should configure the }, "Type": "AWS::CloudFront::Distribution", }, + "WebAclIdProvidedCloudfrontDistributionOrigin1S3OriginAccessControlA55B491E": { + "Metadata": { + "cdk_nag": { + "rules_to_suppress": [ + { + "id": "AwsSolutions-L1", + "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", + }, + { + "id": "AwsPrototyping-LambdaLatestVersion", + "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", + }, + { + "applies_to": [ + { + "regex": "/^Action::s3:.*$/g", + }, + { + "regex": "/^Resource::.*$/g", + }, + ], + "id": "AwsSolutions-IAM5", + "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", + }, + { + "applies_to": [ + { + "regex": "/^Action::s3:.*$/g", + }, + { + "regex": "/^Resource::.*$/g", + }, + ], + "id": "AwsPrototyping-IAMNoWildcardPermissions", + "reason": "All Policies have been scoped to a Bucket. 
Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", + }, + { + "applies_to": [ + { + "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", + }, + ], + "id": "AwsSolutions-IAM4", + "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", + }, + { + "applies_to": [ + { + "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", + }, + ], + "id": "AwsPrototyping-IAMNoManagedPolicies", + "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", + }, + { + "id": "AwsSolutions-S1", + "reason": "Access Log buckets should not have s3 bucket logging", + }, + { + "id": "AwsPrototyping-S3BucketLoggingEnabled", + "reason": "Access Log buckets should not have s3 bucket logging", + }, + ], + }, + }, + "Properties": { + "OriginAccessControlConfig": { + "Name": "WebAclIdProvidedCloudfrontDiOrigin1S3OriginAccessControl287C13D9", + "OriginAccessControlOriginType": "s3", + "SigningBehavior": "always", + "SigningProtocol": "sigv4", + }, + }, + "Type": "AWS::CloudFront::OriginAccessControl", + }, "WebAclIdProvidedDistributionLogBucket2B00498C": { "DeletionPolicy": "Delete", "Metadata": { 
@@ -16849,107 +16914,35 @@ exports[`Static Website Unit Tests With Provided WebAclId, should configure the "Arn", ], }, - }, - "Resource": [ - { - "Fn::GetAtt": [ - "WebAclIdProvidedDistributionLogBucket2B00498C", - "Arn", - ], - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "WebAclIdProvidedDistributionLogBucket2B00498C", - "Arn", - ], - }, - "/*", - ], - ], - }, - ], - }, - ], - "Version": "2012-10-17", - }, - }, - "Type": "AWS::S3::BucketPolicy", - }, - "WebAclIdProvidedOriginAccessIdentity16B3A296": { - "Metadata": { - "cdk_nag": { - "rules_to_suppress": [ - { - "id": "AwsSolutions-L1", - "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", - }, - { - "id": "AwsPrototyping-LambdaLatestVersion", - "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", - }, - { - "applies_to": [ - { - "regex": "/^Action::s3:.*$/g", - }, - { - "regex": "/^Resource::.*$/g", - }, - ], - "id": "AwsSolutions-IAM5", - "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", - }, - { - "applies_to": [ - { - "regex": "/^Action::s3:.*$/g", - }, - { - "regex": "/^Resource::.*$/g", - }, - ], - "id": "AwsPrototyping-IAMNoWildcardPermissions", - "reason": "All Policies have been scoped to a Bucket. 
Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", - }, - { - "applies_to": [ + }, + "Resource": [ { - "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", + "Fn::GetAtt": [ + "WebAclIdProvidedDistributionLogBucket2B00498C", + "Arn", + ], }, - ], - "id": "AwsSolutions-IAM4", - "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", - }, - { - "applies_to": [ { - "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "WebAclIdProvidedDistributionLogBucket2B00498C", + "Arn", + ], + }, + "/*", + ], + ], }, ], - "id": "AwsPrototyping-IAMNoManagedPolicies", - "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", - }, - { - "id": "AwsSolutions-S1", - "reason": "Access Log buckets should not have s3 bucket logging", - }, - { - "id": "AwsPrototyping-S3BucketLoggingEnabled", - "reason": "Access Log buckets should not have s3 bucket logging", }, ], + "Version": "2012-10-17", }, }, - "Properties": { - "CloudFrontOriginAccessIdentityConfig": { - "Comment": "Allows CloudFront to reach the bucket", - }, - }, - "Type": "AWS::CloudFront::CloudFrontOriginAccessIdentity", + "Type": "AWS::S3::BucketPolicy", }, "WebAclIdProvidedWebsiteBucket00CB0B79": { "DeletionPolicy": "Delete", 
@@ -17291,33 +17284,33 @@ exports[`Static Website Unit Tests With Provided WebAclId, should configure the ], }, { - "Action": "s3:ListBucket", - "Effect": "Allow", - "Principal": { - "CanonicalUser": { - "Fn::GetAtt": [ - "WebAclIdProvidedOriginAccessIdentity16B3A296", - "S3CanonicalUserId", - ], + "Action": "s3:GetObject", + "Condition": { + "StringEquals": { + "AWS:SourceArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition", + }, + ":cloudfront::", + { + "Ref": "AWS::AccountId", + }, + ":distribution/", + { + "Ref": "WebAclIdProvidedCloudfrontDistribution4D164817", + }, + ], + ], + }, }, }, - "Resource": { - "Fn::GetAtt": [ - "WebAclIdProvidedWebsiteBucket00CB0B79", - "Arn", - ], - }, - }, - { - "Action": "s3:GetObject", "Effect": "Allow", "Principal": { - "CanonicalUser": { - "Fn::GetAtt": [ - "WebAclIdProvidedOriginAccessIdentity16B3A296", - "S3CanonicalUserId", - ], - }, + "Service": "cloudfront.amazonaws.com", }, "Resource": { "Fn::Join": [ @@ -18197,18 +18190,14 @@ exports[`Static Website Unit Tests With custom bucket deployment props 1`] = ` ], }, "Id": "CustomBucketDeploymentPropsCloudfrontDistributionOrigin1A81BA7D6", + "OriginAccessControlId": { + "Fn::GetAtt": [ + "CustomBucketDeploymentPropsCloudfrontDistributionOrigin1S3OriginAccessControl01C2C4C6", + "Id", + ], + }, "S3OriginConfig": { - "OriginAccessIdentity": { - "Fn::Join": [ - "", - [ - "origin-access-identity/cloudfront/", - { - "Ref": "CustomBucketDeploymentPropsOriginAccessIdentity45810ADD", - }, - ], - ], - }, + "OriginAccessIdentity": "", }, }, ], 
@@ -18222,6 +18211,81 @@ exports[`Static Website Unit Tests With custom bucket deployment props 1`] = ` }, "Type": "AWS::CloudFront::Distribution", }, + "CustomBucketDeploymentPropsCloudfrontDistributionOrigin1S3OriginAccessControl01C2C4C6": { + "Metadata": { + "cdk_nag": { + "rules_to_suppress": [ + { + "id": "AwsSolutions-L1", + "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", + }, + { + "id": "AwsPrototyping-LambdaLatestVersion", + "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", + }, + { + "applies_to": [ + { + "regex": "/^Action::s3:.*$/g", + }, + { + "regex": "/^Resource::.*$/g", + }, + ], + "id": "AwsSolutions-IAM5", + "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", + }, + { + "applies_to": [ + { + "regex": "/^Action::s3:.*$/g", + }, + { + "regex": "/^Resource::.*$/g", + }, + ], + "id": "AwsPrototyping-IAMNoWildcardPermissions", + "reason": "All Policies have been scoped to a Bucket. 
Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", + }, + { + "applies_to": [ + { + "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", + }, + ], + "id": "AwsSolutions-IAM4", + "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", + }, + { + "applies_to": [ + { + "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", + }, + ], + "id": "AwsPrototyping-IAMNoManagedPolicies", + "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", + }, + { + "id": "AwsSolutions-S1", + "reason": "Access Log buckets should not have s3 bucket logging", + }, + { + "id": "AwsPrototyping-S3BucketLoggingEnabled", + "reason": "Access Log buckets should not have s3 bucket logging", + }, + ], + }, + }, + "Properties": { + "OriginAccessControlConfig": { + "Name": "CustomBucketDeploymentPropsCOrigin1S3OriginAccessControl47A0850A", + "OriginAccessControlOriginType": "s3", + "SigningBehavior": "always", + "SigningProtocol": "sigv4", + }, + }, + "Type": "AWS::CloudFront::OriginAccessControl", + }, "CustomBucketDeploymentPropsDistributionLogBucket5A45CBB2": { "DeletionPolicy": "Delete", "Metadata": { 
@@ -18560,78 +18624,6 @@ exports[`Static Website Unit Tests With custom bucket deployment props 1`] = ` }, "Type": "AWS::S3::BucketPolicy", }, - "CustomBucketDeploymentPropsOriginAccessIdentity45810ADD": { - "Metadata": { - "cdk_nag": { - "rules_to_suppress": [ - { - "id": "AwsSolutions-L1", - "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", - }, - { - "id": "AwsPrototyping-LambdaLatestVersion", - "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", - }, - { - "applies_to": [ - { - "regex": "/^Action::s3:.*$/g", - }, - { - "regex": "/^Resource::.*$/g", - }, - ], - "id": "AwsSolutions-IAM5", - "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", - }, - { - "applies_to": [ - { - "regex": "/^Action::s3:.*$/g", - }, - { - "regex": "/^Resource::.*$/g", - }, - ], - "id": "AwsPrototyping-IAMNoWildcardPermissions", - "reason": "All Policies have been scoped to a Bucket. 
Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", - }, - { - "applies_to": [ - { - "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", - }, - ], - "id": "AwsSolutions-IAM4", - "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", - }, - { - "applies_to": [ - { - "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", - }, - ], - "id": "AwsPrototyping-IAMNoManagedPolicies", - "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", - }, - { - "id": "AwsSolutions-S1", - "reason": "Access Log buckets should not have s3 bucket logging", - }, - { - "id": "AwsPrototyping-S3BucketLoggingEnabled", - "reason": "Access Log buckets should not have s3 bucket logging", - }, - ], - }, - }, - "Properties": { - "CloudFrontOriginAccessIdentityConfig": { - "Comment": "Allows CloudFront to reach the bucket", - }, - }, - "Type": "AWS::CloudFront::CloudFrontOriginAccessIdentity", - }, "CustomBucketDeploymentPropsWebsiteAclCFAclCustomResource88ECBD3C": { "DeletionPolicy": "Delete", "Metadata": { 
@@ -19778,33 +19770,33 @@ exports[`Static Website Unit Tests With custom bucket deployment props 1`] = ` ], }, { - "Action": "s3:ListBucket", - "Effect": "Allow", - "Principal": { - "CanonicalUser": { - "Fn::GetAtt": [ - "CustomBucketDeploymentPropsOriginAccessIdentity45810ADD", - "S3CanonicalUserId", - ], + "Action": "s3:GetObject", + "Condition": { + "StringEquals": { + "AWS:SourceArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition", + }, + ":cloudfront::", + { + "Ref": "AWS::AccountId", + }, + ":distribution/", + { + "Ref": "CustomBucketDeploymentPropsCloudfrontDistributionB6A5E893", + }, + ], + ], + }, }, }, - "Resource": { - "Fn::GetAtt": [ - "CustomBucketDeploymentPropsWebsiteBucket36644456", - "Arn", - ], - }, - }, - { - "Action": "s3:GetObject", "Effect": "Allow", "Principal": { - "CanonicalUser": { - "Fn::GetAtt": [ - "CustomBucketDeploymentPropsOriginAccessIdentity45810ADD", - "S3CanonicalUserId", - ], - }, + "Service": "cloudfront.amazonaws.com", }, "Resource": { "Fn::Join": [