@aws-solutions-constructs/aws-cloudfront-oai-s3 2.79.0

Files changed (108)
  1. package/.jsii +4403 -0
  2. package/README.md +109 -0
  3. package/architecture.png +0 -0
  4. package/integ.config.json +7 -0
  5. package/lib/index.d.ts +118 -0
  6. package/lib/index.js +106 -0
  7. package/package.json +95 -0
  8. package/test/integ.cftoais3-bucket-encrypted-with-managed-key-provided-as-existingbucket.d.ts +13 -0
  9. package/test/integ.cftoais3-bucket-encrypted-with-managed-key-provided-as-existingbucket.js +56 -0
  10. package/test/integ.cftoais3-bucket-encrypted-with-managed-key-provided-as-existingbucket.js.snapshot/asset.faa95a81ae7d7373f3e1f242268f904eb748d8d0fdd306e8a6fe515a1905a7d6/index.js +1 -0
  11. package/test/integ.cftoais3-bucket-encrypted-with-managed-key-provided-as-existingbucket.js.snapshot/cdk.out +1 -0
  12. package/test/integ.cftoais3-bucket-encrypted-with-managed-key-provided-as-existingbucket.js.snapshot/cftoais3-bucket-encrypted-with-managed-key-provided-as-existingbucket.assets.json +32 -0
  13. package/test/integ.cftoais3-bucket-encrypted-with-managed-key-provided-as-existingbucket.js.snapshot/cftoais3-bucket-encrypted-with-managed-key-provided-as-existingbucket.template.json +1061 -0
  14. package/test/integ.cftoais3-bucket-encrypted-with-managed-key-provided-as-existingbucket.js.snapshot/cftoais3bucketencryptedwithmanagedkeyprovidedasexistingbucketIntegDefaultTestDeployAssert105E804F.assets.json +19 -0
  15. package/test/integ.cftoais3-bucket-encrypted-with-managed-key-provided-as-existingbucket.js.snapshot/cftoais3bucketencryptedwithmanagedkeyprovidedasexistingbucketIntegDefaultTestDeployAssert105E804F.template.json +36 -0
  16. package/test/integ.cftoais3-bucket-encrypted-with-managed-key-provided-as-existingbucket.js.snapshot/integ.json +12 -0
  17. package/test/integ.cftoais3-bucket-encrypted-with-managed-key-provided-as-existingbucket.js.snapshot/manifest.json +215 -0
  18. package/test/integ.cftoais3-bucket-encrypted-with-managed-key-provided-as-existingbucket.js.snapshot/tree.json +1105 -0
  19. package/test/integ.cftoais3-custom-headers.d.ts +13 -0
  20. package/test/integ.cftoais3-custom-headers.js +71 -0
  21. package/test/integ.cftoais3-custom-headers.js.snapshot/asset.faa95a81ae7d7373f3e1f242268f904eb748d8d0fdd306e8a6fe515a1905a7d6/index.js +1 -0
  22. package/test/integ.cftoais3-custom-headers.js.snapshot/cdk.out +1 -0
  23. package/test/integ.cftoais3-custom-headers.js.snapshot/cftoais3-custom-headers.assets.json +32 -0
  24. package/test/integ.cftoais3-custom-headers.js.snapshot/cftoais3-custom-headers.template.json +1116 -0
  25. package/test/integ.cftoais3-custom-headers.js.snapshot/cftoais3customheadersIntegDefaultTestDeployAssert5AA11BA9.assets.json +19 -0
  26. package/test/integ.cftoais3-custom-headers.js.snapshot/cftoais3customheadersIntegDefaultTestDeployAssert5AA11BA9.template.json +36 -0
  27. package/test/integ.cftoais3-custom-headers.js.snapshot/integ.json +12 -0
  28. package/test/integ.cftoais3-custom-headers.js.snapshot/manifest.json +227 -0
  29. package/test/integ.cftoais3-custom-headers.js.snapshot/tree.json +1196 -0
  30. package/test/integ.cftoais3-custom-originPath.d.ts +13 -0
  31. package/test/integ.cftoais3-custom-originPath.js +48 -0
  32. package/test/integ.cftoais3-custom-originPath.js.snapshot/asset.faa95a81ae7d7373f3e1f242268f904eb748d8d0fdd306e8a6fe515a1905a7d6/index.js +1 -0
  33. package/test/integ.cftoais3-custom-originPath.js.snapshot/cdk.out +1 -0
  34. package/test/integ.cftoais3-custom-originPath.js.snapshot/cftoais3-custom-originPath.assets.json +32 -0
  35. package/test/integ.cftoais3-custom-originPath.js.snapshot/cftoais3-custom-originPath.template.json +1085 -0
  36. package/test/integ.cftoais3-custom-originPath.js.snapshot/cftoais3customoriginPathIntegDefaultTestDeployAssert1C351914.assets.json +19 -0
  37. package/test/integ.cftoais3-custom-originPath.js.snapshot/cftoais3customoriginPathIntegDefaultTestDeployAssert1C351914.template.json +36 -0
  38. package/test/integ.cftoais3-custom-originPath.js.snapshot/integ.json +12 -0
  39. package/test/integ.cftoais3-custom-originPath.js.snapshot/manifest.json +221 -0
  40. package/test/integ.cftoais3-custom-originPath.js.snapshot/tree.json +1147 -0
  41. package/test/integ.cftoais3-customLoggingBuckets.d.ts +13 -0
  42. package/test/integ.cftoais3-customLoggingBuckets.js +64 -0
  43. package/test/integ.cftoais3-customLoggingBuckets.js.snapshot/asset.faa95a81ae7d7373f3e1f242268f904eb748d8d0fdd306e8a6fe515a1905a7d6/index.js +1 -0
  44. package/test/integ.cftoais3-customLoggingBuckets.js.snapshot/cdk.out +1 -0
  45. package/test/integ.cftoais3-customLoggingBuckets.js.snapshot/cftoais3-customLoggingBuckets.assets.json +32 -0
  46. package/test/integ.cftoais3-customLoggingBuckets.js.snapshot/cftoais3-customLoggingBuckets.template.json +1109 -0
  47. package/test/integ.cftoais3-customLoggingBuckets.js.snapshot/cftoais3customLoggingBucketsIntegDefaultTestDeployAssert8F33EF2A.assets.json +19 -0
  48. package/test/integ.cftoais3-customLoggingBuckets.js.snapshot/cftoais3customLoggingBucketsIntegDefaultTestDeployAssert8F33EF2A.template.json +36 -0
  49. package/test/integ.cftoais3-customLoggingBuckets.js.snapshot/integ.json +12 -0
  50. package/test/integ.cftoais3-customLoggingBuckets.js.snapshot/manifest.json +221 -0
  51. package/test/integ.cftoais3-customLoggingBuckets.js.snapshot/tree.json +1172 -0
  52. package/test/integ.cftoais3-existing-bucket.d.ts +13 -0
  53. package/test/integ.cftoais3-existing-bucket.js +59 -0
  54. package/test/integ.cftoais3-existing-bucket.js.snapshot/asset.faa95a81ae7d7373f3e1f242268f904eb748d8d0fdd306e8a6fe515a1905a7d6/index.js +1 -0
  55. package/test/integ.cftoais3-existing-bucket.js.snapshot/cdk.out +1 -0
  56. package/test/integ.cftoais3-existing-bucket.js.snapshot/cftoais3-existing-bucket.assets.json +32 -0
  57. package/test/integ.cftoais3-existing-bucket.js.snapshot/cftoais3-existing-bucket.template.json +1131 -0
  58. package/test/integ.cftoais3-existing-bucket.js.snapshot/cftoais3existingbucketIntegDefaultTestDeployAssertB7627F26.assets.json +19 -0
  59. package/test/integ.cftoais3-existing-bucket.js.snapshot/cftoais3existingbucketIntegDefaultTestDeployAssertB7627F26.template.json +36 -0
  60. package/test/integ.cftoais3-existing-bucket.js.snapshot/integ.json +12 -0
  61. package/test/integ.cftoais3-existing-bucket.js.snapshot/manifest.json +233 -0
  62. package/test/integ.cftoais3-existing-bucket.js.snapshot/tree.json +1240 -0
  63. package/test/integ.cftoais3-no-arguments.d.ts +13 -0
  64. package/test/integ.cftoais3-no-arguments.js +53 -0
  65. package/test/integ.cftoais3-no-arguments.js.snapshot/asset.faa95a81ae7d7373f3e1f242268f904eb748d8d0fdd306e8a6fe515a1905a7d6/index.js +1 -0
  66. package/test/integ.cftoais3-no-arguments.js.snapshot/cdk.out +1 -0
  67. package/test/integ.cftoais3-no-arguments.js.snapshot/cftoais3-no-arguments.assets.json +32 -0
  68. package/test/integ.cftoais3-no-arguments.js.snapshot/cftoais3-no-arguments.template.json +1094 -0
  69. package/test/integ.cftoais3-no-arguments.js.snapshot/cftoais3noargumentsIntegDefaultTestDeployAssert5CF03E3D.assets.json +19 -0
  70. package/test/integ.cftoais3-no-arguments.js.snapshot/cftoais3noargumentsIntegDefaultTestDeployAssert5CF03E3D.template.json +36 -0
  71. package/test/integ.cftoais3-no-arguments.js.snapshot/integ.json +12 -0
  72. package/test/integ.cftoais3-no-arguments.js.snapshot/manifest.json +356 -0
  73. package/test/integ.cftoais3-no-arguments.js.snapshot/tree.json +1146 -0
  74. package/test/integ.cftoais3-no-cloudfront-s3-access-logs.d.ts +13 -0
  75. package/test/integ.cftoais3-no-cloudfront-s3-access-logs.js +60 -0
  76. package/test/integ.cftoais3-no-cloudfront-s3-access-logs.js.snapshot/asset.faa95a81ae7d7373f3e1f242268f904eb748d8d0fdd306e8a6fe515a1905a7d6/index.js +1 -0
  77. package/test/integ.cftoais3-no-cloudfront-s3-access-logs.js.snapshot/cdk.out +1 -0
  78. package/test/integ.cftoais3-no-cloudfront-s3-access-logs.js.snapshot/cftoais3-no-cloudfront-s3-access-logs.assets.json +32 -0
  79. package/test/integ.cftoais3-no-cloudfront-s3-access-logs.js.snapshot/cftoais3-no-cloudfront-s3-access-logs.template.json +743 -0
  80. package/test/integ.cftoais3-no-cloudfront-s3-access-logs.js.snapshot/cftoais3nocloudfronts3accesslogsIntegDefaultTestDeployAssert6D810275.assets.json +19 -0
  81. package/test/integ.cftoais3-no-cloudfront-s3-access-logs.js.snapshot/cftoais3nocloudfronts3accesslogsIntegDefaultTestDeployAssert6D810275.template.json +36 -0
  82. package/test/integ.cftoais3-no-cloudfront-s3-access-logs.js.snapshot/integ.json +12 -0
  83. package/test/integ.cftoais3-no-cloudfront-s3-access-logs.js.snapshot/manifest.json +185 -0
  84. package/test/integ.cftoais3-no-cloudfront-s3-access-logs.js.snapshot/tree.json +726 -0
  85. package/test/integ.cftoais3-no-logging.d.ts +13 -0
  86. package/test/integ.cftoais3-no-logging.js +56 -0
  87. package/test/integ.cftoais3-no-logging.js.snapshot/asset.faa95a81ae7d7373f3e1f242268f904eb748d8d0fdd306e8a6fe515a1905a7d6/index.js +1 -0
  88. package/test/integ.cftoais3-no-logging.js.snapshot/cdk.out +1 -0
  89. package/test/integ.cftoais3-no-logging.js.snapshot/cftoais3-no-logging.assets.json +32 -0
  90. package/test/integ.cftoais3-no-logging.js.snapshot/cftoais3-no-logging.template.json +576 -0
  91. package/test/integ.cftoais3-no-logging.js.snapshot/cftoais3nologgingIntegDefaultTestDeployAssertCED06EE4.assets.json +19 -0
  92. package/test/integ.cftoais3-no-logging.js.snapshot/cftoais3nologgingIntegDefaultTestDeployAssertCED06EE4.template.json +36 -0
  93. package/test/integ.cftoais3-no-logging.js.snapshot/integ.json +12 -0
  94. package/test/integ.cftoais3-no-logging.js.snapshot/manifest.json +167 -0
  95. package/test/integ.cftoais3-no-logging.js.snapshot/tree.json +542 -0
  96. package/test/integ.cftoais3-no-security-headers.d.ts +13 -0
  97. package/test/integ.cftoais3-no-security-headers.js +50 -0
  98. package/test/integ.cftoais3-no-security-headers.js.snapshot/asset.faa95a81ae7d7373f3e1f242268f904eb748d8d0fdd306e8a6fe515a1905a7d6/index.js +1 -0
  99. package/test/integ.cftoais3-no-security-headers.js.snapshot/cdk.out +1 -0
  100. package/test/integ.cftoais3-no-security-headers.js.snapshot/cftoais3-no-security-headers.assets.json +32 -0
  101. package/test/integ.cftoais3-no-security-headers.js.snapshot/cftoais3-no-security-headers.template.json +1061 -0
  102. package/test/integ.cftoais3-no-security-headers.js.snapshot/cftoais3nosecurityheadersIntegDefaultTestDeployAssertAB4B2F28.assets.json +19 -0
  103. package/test/integ.cftoais3-no-security-headers.js.snapshot/cftoais3nosecurityheadersIntegDefaultTestDeployAssertAB4B2F28.template.json +36 -0
  104. package/test/integ.cftoais3-no-security-headers.js.snapshot/integ.json +12 -0
  105. package/test/integ.cftoais3-no-security-headers.js.snapshot/manifest.json +215 -0
  106. package/test/integ.cftoais3-no-security-headers.js.snapshot/tree.json +1105 -0
  107. package/test/test.cloudfront-oai-s3.test.d.ts +13 -0
  108. package/test/test.cloudfront-oai-s3.test.js +702 -0
@@ -0,0 +1,1061 @@
1
+ {
2
+ "Description": "Integration Test for aws-cloudfront-oai-s3",
3
+ "Resources": {
4
+ "testcloudfrontoais3nosecurityheadersS3LoggingBucketAFBEC93A": {
5
+ "Type": "AWS::S3::Bucket",
6
+ "Properties": {
7
+ "BucketEncryption": {
8
+ "ServerSideEncryptionConfiguration": [
9
+ {
10
+ "ServerSideEncryptionByDefault": {
11
+ "SSEAlgorithm": "AES256"
12
+ }
13
+ }
14
+ ]
15
+ },
16
+ "PublicAccessBlockConfiguration": {
17
+ "BlockPublicAcls": true,
18
+ "BlockPublicPolicy": true,
19
+ "IgnorePublicAcls": true,
20
+ "RestrictPublicBuckets": true
21
+ },
22
+ "Tags": [
23
+ {
24
+ "Key": "aws-cdk:auto-delete-objects",
25
+ "Value": "true"
26
+ }
27
+ ],
28
+ "VersioningConfiguration": {
29
+ "Status": "Enabled"
30
+ }
31
+ },
32
+ "UpdateReplacePolicy": "Delete",
33
+ "DeletionPolicy": "Delete",
34
+ "Metadata": {
35
+ "cfn_nag": {
36
+ "rules_to_suppress": [
37
+ {
38
+ "id": "W35",
39
+ "reason": "This S3 bucket is used as the access logging bucket for another bucket"
40
+ }
41
+ ]
42
+ }
43
+ }
44
+ },
45
+ "testcloudfrontoais3nosecurityheadersS3LoggingBucketPolicy51E4C355": {
46
+ "Type": "AWS::S3::BucketPolicy",
47
+ "Properties": {
48
+ "Bucket": {
49
+ "Ref": "testcloudfrontoais3nosecurityheadersS3LoggingBucketAFBEC93A"
50
+ },
51
+ "PolicyDocument": {
52
+ "Statement": [
53
+ {
54
+ "Action": "s3:*",
55
+ "Condition": {
56
+ "Bool": {
57
+ "aws:SecureTransport": "false"
58
+ }
59
+ },
60
+ "Effect": "Deny",
61
+ "Principal": {
62
+ "AWS": "*"
63
+ },
64
+ "Resource": [
65
+ {
66
+ "Fn::GetAtt": [
67
+ "testcloudfrontoais3nosecurityheadersS3LoggingBucketAFBEC93A",
68
+ "Arn"
69
+ ]
70
+ },
71
+ {
72
+ "Fn::Join": [
73
+ "",
74
+ [
75
+ {
76
+ "Fn::GetAtt": [
77
+ "testcloudfrontoais3nosecurityheadersS3LoggingBucketAFBEC93A",
78
+ "Arn"
79
+ ]
80
+ },
81
+ "/*"
82
+ ]
83
+ ]
84
+ }
85
+ ]
86
+ },
87
+ {
88
+ "Action": [
89
+ "s3:DeleteObject*",
90
+ "s3:GetBucket*",
91
+ "s3:List*",
92
+ "s3:PutBucketPolicy"
93
+ ],
94
+ "Effect": "Allow",
95
+ "Principal": {
96
+ "AWS": {
97
+ "Fn::GetAtt": [
98
+ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092",
99
+ "Arn"
100
+ ]
101
+ }
102
+ },
103
+ "Resource": [
104
+ {
105
+ "Fn::GetAtt": [
106
+ "testcloudfrontoais3nosecurityheadersS3LoggingBucketAFBEC93A",
107
+ "Arn"
108
+ ]
109
+ },
110
+ {
111
+ "Fn::Join": [
112
+ "",
113
+ [
114
+ {
115
+ "Fn::GetAtt": [
116
+ "testcloudfrontoais3nosecurityheadersS3LoggingBucketAFBEC93A",
117
+ "Arn"
118
+ ]
119
+ },
120
+ "/*"
121
+ ]
122
+ ]
123
+ }
124
+ ]
125
+ },
126
+ {
127
+ "Action": "s3:PutObject",
128
+ "Condition": {
129
+ "ArnLike": {
130
+ "aws:SourceArn": {
131
+ "Fn::GetAtt": [
132
+ "testcloudfrontoais3nosecurityheadersS3Bucket824FFD04",
133
+ "Arn"
134
+ ]
135
+ }
136
+ },
137
+ "StringEquals": {
138
+ "aws:SourceAccount": {
139
+ "Ref": "AWS::AccountId"
140
+ }
141
+ }
142
+ },
143
+ "Effect": "Allow",
144
+ "Principal": {
145
+ "Service": "logging.s3.amazonaws.com"
146
+ },
147
+ "Resource": {
148
+ "Fn::Join": [
149
+ "",
150
+ [
151
+ {
152
+ "Fn::GetAtt": [
153
+ "testcloudfrontoais3nosecurityheadersS3LoggingBucketAFBEC93A",
154
+ "Arn"
155
+ ]
156
+ },
157
+ "/*"
158
+ ]
159
+ ]
160
+ }
161
+ }
162
+ ],
163
+ "Version": "2012-10-17"
164
+ }
165
+ }
166
+ },
167
+ "testcloudfrontoais3nosecurityheadersS3LoggingBucketAutoDeleteObjectsCustomResource44CC423E": {
168
+ "Type": "Custom::S3AutoDeleteObjects",
169
+ "Properties": {
170
+ "ServiceToken": {
171
+ "Fn::GetAtt": [
172
+ "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F",
173
+ "Arn"
174
+ ]
175
+ },
176
+ "BucketName": {
177
+ "Ref": "testcloudfrontoais3nosecurityheadersS3LoggingBucketAFBEC93A"
178
+ }
179
+ },
180
+ "DependsOn": [
181
+ "testcloudfrontoais3nosecurityheadersS3LoggingBucketPolicy51E4C355"
182
+ ],
183
+ "UpdateReplacePolicy": "Delete",
184
+ "DeletionPolicy": "Delete"
185
+ },
186
+ "testcloudfrontoais3nosecurityheadersS3Bucket824FFD04": {
187
+ "Type": "AWS::S3::Bucket",
188
+ "Properties": {
189
+ "BucketEncryption": {
190
+ "ServerSideEncryptionConfiguration": [
191
+ {
192
+ "ServerSideEncryptionByDefault": {
193
+ "SSEAlgorithm": "AES256"
194
+ }
195
+ }
196
+ ]
197
+ },
198
+ "LifecycleConfiguration": {
199
+ "Rules": [
200
+ {
201
+ "NoncurrentVersionTransitions": [
202
+ {
203
+ "StorageClass": "GLACIER",
204
+ "TransitionInDays": 90
205
+ }
206
+ ],
207
+ "Status": "Enabled"
208
+ }
209
+ ]
210
+ },
211
+ "LoggingConfiguration": {
212
+ "DestinationBucketName": {
213
+ "Ref": "testcloudfrontoais3nosecurityheadersS3LoggingBucketAFBEC93A"
214
+ }
215
+ },
216
+ "PublicAccessBlockConfiguration": {
217
+ "BlockPublicAcls": true,
218
+ "BlockPublicPolicy": true,
219
+ "IgnorePublicAcls": true,
220
+ "RestrictPublicBuckets": true
221
+ },
222
+ "Tags": [
223
+ {
224
+ "Key": "aws-cdk:auto-delete-objects",
225
+ "Value": "true"
226
+ }
227
+ ],
228
+ "VersioningConfiguration": {
229
+ "Status": "Enabled"
230
+ }
231
+ },
232
+ "UpdateReplacePolicy": "Delete",
233
+ "DeletionPolicy": "Delete"
234
+ },
235
+ "testcloudfrontoais3nosecurityheadersS3BucketPolicyCF0521EF": {
236
+ "Type": "AWS::S3::BucketPolicy",
237
+ "Properties": {
238
+ "Bucket": {
239
+ "Ref": "testcloudfrontoais3nosecurityheadersS3Bucket824FFD04"
240
+ },
241
+ "PolicyDocument": {
242
+ "Statement": [
243
+ {
244
+ "Action": "s3:*",
245
+ "Condition": {
246
+ "Bool": {
247
+ "aws:SecureTransport": "false"
248
+ }
249
+ },
250
+ "Effect": "Deny",
251
+ "Principal": {
252
+ "AWS": "*"
253
+ },
254
+ "Resource": [
255
+ {
256
+ "Fn::GetAtt": [
257
+ "testcloudfrontoais3nosecurityheadersS3Bucket824FFD04",
258
+ "Arn"
259
+ ]
260
+ },
261
+ {
262
+ "Fn::Join": [
263
+ "",
264
+ [
265
+ {
266
+ "Fn::GetAtt": [
267
+ "testcloudfrontoais3nosecurityheadersS3Bucket824FFD04",
268
+ "Arn"
269
+ ]
270
+ },
271
+ "/*"
272
+ ]
273
+ ]
274
+ }
275
+ ]
276
+ },
277
+ {
278
+ "Action": [
279
+ "s3:DeleteObject*",
280
+ "s3:GetBucket*",
281
+ "s3:List*",
282
+ "s3:PutBucketPolicy"
283
+ ],
284
+ "Effect": "Allow",
285
+ "Principal": {
286
+ "AWS": {
287
+ "Fn::GetAtt": [
288
+ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092",
289
+ "Arn"
290
+ ]
291
+ }
292
+ },
293
+ "Resource": [
294
+ {
295
+ "Fn::GetAtt": [
296
+ "testcloudfrontoais3nosecurityheadersS3Bucket824FFD04",
297
+ "Arn"
298
+ ]
299
+ },
300
+ {
301
+ "Fn::Join": [
302
+ "",
303
+ [
304
+ {
305
+ "Fn::GetAtt": [
306
+ "testcloudfrontoais3nosecurityheadersS3Bucket824FFD04",
307
+ "Arn"
308
+ ]
309
+ },
310
+ "/*"
311
+ ]
312
+ ]
313
+ }
314
+ ]
315
+ },
316
+ {
317
+ "Action": "s3:GetObject",
318
+ "Effect": "Allow",
319
+ "Principal": {
320
+ "CanonicalUser": {
321
+ "Fn::GetAtt": [
322
+ "testcloudfrontoais3nosecurityheadersCloudFrontDistributionOrigin1S3OriginED98FCA5",
323
+ "S3CanonicalUserId"
324
+ ]
325
+ }
326
+ },
327
+ "Resource": {
328
+ "Fn::Join": [
329
+ "",
330
+ [
331
+ {
332
+ "Fn::GetAtt": [
333
+ "testcloudfrontoais3nosecurityheadersS3Bucket824FFD04",
334
+ "Arn"
335
+ ]
336
+ },
337
+ "/*"
338
+ ]
339
+ ]
340
+ }
341
+ },
342
+ {
343
+ "Action": "s3:GetObject",
344
+ "Condition": {
345
+ "StringEquals": {
346
+ "AWS:SourceArn": {
347
+ "Fn::Join": [
348
+ "",
349
+ [
350
+ "arn:",
351
+ {
352
+ "Ref": "AWS::Partition"
353
+ },
354
+ ":cloudfront::",
355
+ {
356
+ "Ref": "AWS::AccountId"
357
+ },
358
+ ":distribution/",
359
+ {
360
+ "Ref": "testcloudfrontoais3nosecurityheadersCloudFrontDistributionA0E35616"
361
+ }
362
+ ]
363
+ ]
364
+ }
365
+ }
366
+ },
367
+ "Effect": "Allow",
368
+ "Principal": {
369
+ "Service": "cloudfront.amazonaws.com"
370
+ },
371
+ "Resource": {
372
+ "Fn::Join": [
373
+ "",
374
+ [
375
+ {
376
+ "Fn::GetAtt": [
377
+ "testcloudfrontoais3nosecurityheadersS3Bucket824FFD04",
378
+ "Arn"
379
+ ]
380
+ },
381
+ "/*"
382
+ ]
383
+ ]
384
+ }
385
+ }
386
+ ],
387
+ "Version": "2012-10-17"
388
+ }
389
+ },
390
+ "Metadata": {
391
+ "cfn_nag": {
392
+ "rules_to_suppress": [
393
+ {
394
+ "id": "F16",
395
+ "reason": "Public website bucket policy requires a wildcard principal"
396
+ }
397
+ ]
398
+ }
399
+ }
400
+ },
401
+ "testcloudfrontoais3nosecurityheadersS3BucketAutoDeleteObjectsCustomResourceAE2013E4": {
402
+ "Type": "Custom::S3AutoDeleteObjects",
403
+ "Properties": {
404
+ "ServiceToken": {
405
+ "Fn::GetAtt": [
406
+ "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F",
407
+ "Arn"
408
+ ]
409
+ },
410
+ "BucketName": {
411
+ "Ref": "testcloudfrontoais3nosecurityheadersS3Bucket824FFD04"
412
+ }
413
+ },
414
+ "DependsOn": [
415
+ "testcloudfrontoais3nosecurityheadersS3BucketPolicyCF0521EF"
416
+ ],
417
+ "UpdateReplacePolicy": "Delete",
418
+ "DeletionPolicy": "Delete"
419
+ },
420
+ "testcloudfrontoais3nosecurityheadersCloudfrontLoggingBucketAccessLogCC3AB11C": {
421
+ "Type": "AWS::S3::Bucket",
422
+ "Properties": {
423
+ "BucketEncryption": {
424
+ "ServerSideEncryptionConfiguration": [
425
+ {
426
+ "ServerSideEncryptionByDefault": {
427
+ "SSEAlgorithm": "AES256"
428
+ }
429
+ }
430
+ ]
431
+ },
432
+ "PublicAccessBlockConfiguration": {
433
+ "BlockPublicAcls": true,
434
+ "BlockPublicPolicy": true,
435
+ "IgnorePublicAcls": true,
436
+ "RestrictPublicBuckets": true
437
+ },
438
+ "Tags": [
439
+ {
440
+ "Key": "aws-cdk:auto-delete-objects",
441
+ "Value": "true"
442
+ }
443
+ ],
444
+ "VersioningConfiguration": {
445
+ "Status": "Enabled"
446
+ }
447
+ },
448
+ "UpdateReplacePolicy": "Delete",
449
+ "DeletionPolicy": "Delete",
450
+ "Metadata": {
451
+ "cfn_nag": {
452
+ "rules_to_suppress": [
453
+ {
454
+ "id": "W35",
455
+ "reason": "This S3 bucket is used as the access logging bucket for another bucket"
456
+ }
457
+ ]
458
+ }
459
+ }
460
+ },
461
+ "testcloudfrontoais3nosecurityheadersCloudfrontLoggingBucketAccessLogPolicyDBD57155": {
462
+ "Type": "AWS::S3::BucketPolicy",
463
+ "Properties": {
464
+ "Bucket": {
465
+ "Ref": "testcloudfrontoais3nosecurityheadersCloudfrontLoggingBucketAccessLogCC3AB11C"
466
+ },
467
+ "PolicyDocument": {
468
+ "Statement": [
469
+ {
470
+ "Action": "s3:*",
471
+ "Condition": {
472
+ "Bool": {
473
+ "aws:SecureTransport": "false"
474
+ }
475
+ },
476
+ "Effect": "Deny",
477
+ "Principal": {
478
+ "AWS": "*"
479
+ },
480
+ "Resource": [
481
+ {
482
+ "Fn::GetAtt": [
483
+ "testcloudfrontoais3nosecurityheadersCloudfrontLoggingBucketAccessLogCC3AB11C",
484
+ "Arn"
485
+ ]
486
+ },
487
+ {
488
+ "Fn::Join": [
489
+ "",
490
+ [
491
+ {
492
+ "Fn::GetAtt": [
493
+ "testcloudfrontoais3nosecurityheadersCloudfrontLoggingBucketAccessLogCC3AB11C",
494
+ "Arn"
495
+ ]
496
+ },
497
+ "/*"
498
+ ]
499
+ ]
500
+ }
501
+ ]
502
+ },
503
+ {
504
+ "Action": [
505
+ "s3:DeleteObject*",
506
+ "s3:GetBucket*",
507
+ "s3:List*",
508
+ "s3:PutBucketPolicy"
509
+ ],
510
+ "Effect": "Allow",
511
+ "Principal": {
512
+ "AWS": {
513
+ "Fn::GetAtt": [
514
+ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092",
515
+ "Arn"
516
+ ]
517
+ }
518
+ },
519
+ "Resource": [
520
+ {
521
+ "Fn::GetAtt": [
522
+ "testcloudfrontoais3nosecurityheadersCloudfrontLoggingBucketAccessLogCC3AB11C",
523
+ "Arn"
524
+ ]
525
+ },
526
+ {
527
+ "Fn::Join": [
528
+ "",
529
+ [
530
+ {
531
+ "Fn::GetAtt": [
532
+ "testcloudfrontoais3nosecurityheadersCloudfrontLoggingBucketAccessLogCC3AB11C",
533
+ "Arn"
534
+ ]
535
+ },
536
+ "/*"
537
+ ]
538
+ ]
539
+ }
540
+ ]
541
+ },
542
+ {
543
+ "Action": "s3:PutObject",
544
+ "Condition": {
545
+ "ArnLike": {
546
+ "aws:SourceArn": {
547
+ "Fn::GetAtt": [
548
+ "testcloudfrontoais3nosecurityheadersCloudfrontLoggingBucket7C4DB70A",
549
+ "Arn"
550
+ ]
551
+ }
552
+ },
553
+ "StringEquals": {
554
+ "aws:SourceAccount": {
555
+ "Ref": "AWS::AccountId"
556
+ }
557
+ }
558
+ },
559
+ "Effect": "Allow",
560
+ "Principal": {
561
+ "Service": "logging.s3.amazonaws.com"
562
+ },
563
+ "Resource": {
564
+ "Fn::Join": [
565
+ "",
566
+ [
567
+ {
568
+ "Fn::GetAtt": [
569
+ "testcloudfrontoais3nosecurityheadersCloudfrontLoggingBucketAccessLogCC3AB11C",
570
+ "Arn"
571
+ ]
572
+ },
573
+ "/*"
574
+ ]
575
+ ]
576
+ }
577
+ }
578
+ ],
579
+ "Version": "2012-10-17"
580
+ }
581
+ }
582
+ },
583
+ "testcloudfrontoais3nosecurityheadersCloudfrontLoggingBucketAccessLogAutoDeleteObjectsCustomResourceE05B0E7C": {
584
+ "Type": "Custom::S3AutoDeleteObjects",
585
+ "Properties": {
586
+ "ServiceToken": {
587
+ "Fn::GetAtt": [
588
+ "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F",
589
+ "Arn"
590
+ ]
591
+ },
592
+ "BucketName": {
593
+ "Ref": "testcloudfrontoais3nosecurityheadersCloudfrontLoggingBucketAccessLogCC3AB11C"
594
+ }
595
+ },
596
+ "DependsOn": [
597
+ "testcloudfrontoais3nosecurityheadersCloudfrontLoggingBucketAccessLogPolicyDBD57155"
598
+ ],
599
+ "UpdateReplacePolicy": "Delete",
600
+ "DeletionPolicy": "Delete"
601
+ },
602
+ "testcloudfrontoais3nosecurityheadersCloudfrontLoggingBucket7C4DB70A": {
603
+ "Type": "AWS::S3::Bucket",
604
+ "Properties": {
605
+ "AccessControl": "LogDeliveryWrite",
606
+ "BucketEncryption": {
607
+ "ServerSideEncryptionConfiguration": [
608
+ {
609
+ "ServerSideEncryptionByDefault": {
610
+ "SSEAlgorithm": "AES256"
611
+ }
612
+ }
613
+ ]
614
+ },
615
+ "LoggingConfiguration": {
616
+ "DestinationBucketName": {
617
+ "Ref": "testcloudfrontoais3nosecurityheadersCloudfrontLoggingBucketAccessLogCC3AB11C"
618
+ }
619
+ },
620
+ "OwnershipControls": {
621
+ "Rules": [
622
+ {
623
+ "ObjectOwnership": "ObjectWriter"
624
+ }
625
+ ]
626
+ },
627
+ "PublicAccessBlockConfiguration": {
628
+ "BlockPublicAcls": true,
629
+ "BlockPublicPolicy": true,
630
+ "IgnorePublicAcls": true,
631
+ "RestrictPublicBuckets": true
632
+ },
633
+ "Tags": [
634
+ {
635
+ "Key": "aws-cdk:auto-delete-objects",
636
+ "Value": "true"
637
+ }
638
+ ],
639
+ "VersioningConfiguration": {
640
+ "Status": "Enabled"
641
+ }
642
+ },
643
+ "UpdateReplacePolicy": "Delete",
644
+ "DeletionPolicy": "Delete"
645
+ },
646
+ "testcloudfrontoais3nosecurityheadersCloudfrontLoggingBucketPolicy0BF7E435": {
647
+ "Type": "AWS::S3::BucketPolicy",
648
+ "Properties": {
649
+ "Bucket": {
650
+ "Ref": "testcloudfrontoais3nosecurityheadersCloudfrontLoggingBucket7C4DB70A"
651
+ },
652
+ "PolicyDocument": {
653
+ "Statement": [
654
+ {
655
+ "Action": "s3:*",
656
+ "Condition": {
657
+ "Bool": {
658
+ "aws:SecureTransport": "false"
659
+ }
660
+ },
661
+ "Effect": "Deny",
662
+ "Principal": {
663
+ "AWS": "*"
664
+ },
665
+ "Resource": [
666
+ {
667
+ "Fn::GetAtt": [
668
+ "testcloudfrontoais3nosecurityheadersCloudfrontLoggingBucket7C4DB70A",
669
+ "Arn"
670
+ ]
671
+ },
672
+ {
673
+ "Fn::Join": [
674
+ "",
675
+ [
676
+ {
677
+ "Fn::GetAtt": [
678
+ "testcloudfrontoais3nosecurityheadersCloudfrontLoggingBucket7C4DB70A",
679
+ "Arn"
680
+ ]
681
+ },
682
+ "/*"
683
+ ]
684
+ ]
685
+ }
686
+ ]
687
+ },
688
+ {
689
+ "Action": [
690
+ "s3:DeleteObject*",
691
+ "s3:GetBucket*",
692
+ "s3:List*",
693
+ "s3:PutBucketPolicy"
694
+ ],
695
+ "Effect": "Allow",
696
+ "Principal": {
697
+ "AWS": {
698
+ "Fn::GetAtt": [
699
+ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092",
700
+ "Arn"
701
+ ]
702
+ }
703
+ },
704
+ "Resource": [
705
+ {
706
+ "Fn::GetAtt": [
707
+ "testcloudfrontoais3nosecurityheadersCloudfrontLoggingBucket7C4DB70A",
708
+ "Arn"
709
+ ]
710
+ },
711
+ {
712
+ "Fn::Join": [
713
+ "",
714
+ [
715
+ {
716
+ "Fn::GetAtt": [
717
+ "testcloudfrontoais3nosecurityheadersCloudfrontLoggingBucket7C4DB70A",
718
+ "Arn"
719
+ ]
720
+ },
721
+ "/*"
722
+ ]
723
+ ]
724
+ }
725
+ ]
726
+ }
727
+ ],
728
+ "Version": "2012-10-17"
729
+ }
730
+ }
731
+ },
732
+ "testcloudfrontoais3nosecurityheadersCloudfrontLoggingBucketAutoDeleteObjectsCustomResource0C7072C4": {
733
+ "Type": "Custom::S3AutoDeleteObjects",
734
+ "Properties": {
735
+ "ServiceToken": {
736
+ "Fn::GetAtt": [
737
+ "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F",
738
+ "Arn"
739
+ ]
740
+ },
741
+ "BucketName": {
742
+ "Ref": "testcloudfrontoais3nosecurityheadersCloudfrontLoggingBucket7C4DB70A"
743
+ }
744
+ },
745
+ "DependsOn": [
746
+ "testcloudfrontoais3nosecurityheadersCloudfrontLoggingBucketPolicy0BF7E435"
747
+ ],
748
+ "UpdateReplacePolicy": "Delete",
749
+ "DeletionPolicy": "Delete"
750
+ },
751
+ "testcloudfrontoais3nosecurityheadersCloudFrontDistributionOrigin1S3OriginED98FCA5": {
752
+ "Type": "AWS::CloudFront::CloudFrontOriginAccessIdentity",
753
+ "Properties": {
754
+ "CloudFrontOriginAccessIdentityConfig": {
755
+ "Comment": "Identity for cftoais3nosecurityheaderstestcloudfrontoais3nosecurityheadersCloudFrontDistributionOrigin1006A2B62"
756
+ }
757
+ }
758
+ },
759
+ "testcloudfrontoais3nosecurityheadersCloudFrontDistributionA0E35616": {
760
+ "Type": "AWS::CloudFront::Distribution",
761
+ "Properties": {
762
+ "DistributionConfig": {
763
+ "DefaultCacheBehavior": {
764
+ "CachePolicyId": "658327ea-f89d-4fab-a63d-7e88639e58f6",
765
+ "Compress": true,
766
+ "TargetOriginId": "cftoais3nosecurityheaderstestcloudfrontoais3nosecurityheadersCloudFrontDistributionOrigin1006A2B62",
767
+ "ViewerProtocolPolicy": "redirect-to-https"
768
+ },
769
+ "DefaultRootObject": "index.html",
770
+ "Enabled": true,
771
+ "HttpVersion": "http2",
772
+ "IPV6Enabled": true,
773
+ "Logging": {
774
+ "Bucket": {
775
+ "Fn::GetAtt": [
776
+ "testcloudfrontoais3nosecurityheadersCloudfrontLoggingBucket7C4DB70A",
777
+ "RegionalDomainName"
778
+ ]
779
+ }
780
+ },
781
+ "Origins": [
782
+ {
783
+ "DomainName": {
784
+ "Fn::GetAtt": [
785
+ "testcloudfrontoais3nosecurityheadersS3Bucket824FFD04",
786
+ "RegionalDomainName"
787
+ ]
788
+ },
789
+ "Id": "cftoais3nosecurityheaderstestcloudfrontoais3nosecurityheadersCloudFrontDistributionOrigin1006A2B62",
790
+ "S3OriginConfig": {
791
+ "OriginAccessIdentity": {
792
+ "Fn::Join": [
793
+ "",
794
+ [
795
+ "origin-access-identity/cloudfront/",
796
+ {
797
+ "Ref": "testcloudfrontoais3nosecurityheadersCloudFrontDistributionOrigin1S3OriginED98FCA5"
798
+ }
799
+ ]
800
+ ]
801
+ }
802
+ }
803
+ }
804
+ ]
805
+ }
806
+ },
807
+ "Metadata": {
808
+ "cfn_nag": {
809
+ "rules_to_suppress": [
810
+ {
811
+ "id": "W70",
812
+ "reason": "Since the distribution uses the CloudFront domain name, CloudFront automatically sets the security policy to TLSv1 regardless of the value of MinimumProtocolVersion"
813
+ }
814
+ ]
815
+ }
816
+ }
817
+ },
818
+ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092": {
819
+ "Type": "AWS::IAM::Role",
820
+ "Properties": {
821
+ "AssumeRolePolicyDocument": {
822
+ "Version": "2012-10-17",
823
+ "Statement": [
824
+ {
825
+ "Action": "sts:AssumeRole",
826
+ "Effect": "Allow",
827
+ "Principal": {
828
+ "Service": "lambda.amazonaws.com"
829
+ }
830
+ }
831
+ ]
832
+ },
833
+ "ManagedPolicyArns": [
834
+ {
835
+ "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
836
+ }
837
+ ]
838
+ }
839
+ },
840
+ "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F": {
841
+ "Type": "AWS::Lambda::Function",
842
+ "Properties": {
843
+ "Code": {
844
+ "S3Bucket": {
845
+ "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
846
+ },
847
+ "S3Key": "faa95a81ae7d7373f3e1f242268f904eb748d8d0fdd306e8a6fe515a1905a7d6.zip"
848
+ },
849
+ "Timeout": 900,
850
+ "MemorySize": 128,
851
+ "Handler": "index.handler",
852
+ "Role": {
853
+ "Fn::GetAtt": [
854
+ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092",
855
+ "Arn"
856
+ ]
857
+ },
858
+ "Runtime": {
859
+ "Fn::FindInMap": [
860
+ "LatestNodeRuntimeMap",
861
+ {
862
+ "Ref": "AWS::Region"
863
+ },
864
+ "value"
865
+ ]
866
+ },
867
+ "Description": {
868
+ "Fn::Join": [
869
+ "",
870
+ [
871
+ "Lambda function for auto-deleting objects in ",
872
+ {
873
+ "Ref": "testcloudfrontoais3nosecurityheadersS3LoggingBucketAFBEC93A"
874
+ },
875
+ " S3 bucket."
876
+ ]
877
+ ]
878
+ }
879
+ },
880
+ "DependsOn": [
881
+ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092"
882
+ ],
883
+ "Metadata": {
884
+ "cfn_nag": {
885
+ "rules_to_suppress": [
886
+ {
887
+ "id": "W58",
888
+ "reason": "CDK generated custom resource"
889
+ },
890
+ {
891
+ "id": "W89",
892
+ "reason": "CDK generated custom resource"
893
+ },
894
+ {
895
+ "id": "W92",
896
+ "reason": "CDK generated custom resource"
897
+ }
898
+ ]
899
+ }
900
+ }
901
+ }
902
+ },
903
+ "Mappings": {
904
+ "LatestNodeRuntimeMap": {
905
+ "af-south-1": {
906
+ "value": "nodejs20.x"
907
+ },
908
+ "ap-east-1": {
909
+ "value": "nodejs20.x"
910
+ },
911
+ "ap-northeast-1": {
912
+ "value": "nodejs20.x"
913
+ },
914
+ "ap-northeast-2": {
915
+ "value": "nodejs20.x"
916
+ },
917
+ "ap-northeast-3": {
918
+ "value": "nodejs20.x"
919
+ },
920
+ "ap-south-1": {
921
+ "value": "nodejs20.x"
922
+ },
923
+ "ap-south-2": {
924
+ "value": "nodejs20.x"
925
+ },
926
+ "ap-southeast-1": {
927
+ "value": "nodejs20.x"
928
+ },
929
+ "ap-southeast-2": {
930
+ "value": "nodejs20.x"
931
+ },
932
+ "ap-southeast-3": {
933
+ "value": "nodejs20.x"
934
+ },
935
+ "ap-southeast-4": {
936
+ "value": "nodejs20.x"
937
+ },
938
+ "ap-southeast-5": {
939
+ "value": "nodejs20.x"
940
+ },
941
+ "ap-southeast-7": {
942
+ "value": "nodejs20.x"
943
+ },
944
+ "ca-central-1": {
945
+ "value": "nodejs20.x"
946
+ },
947
+ "ca-west-1": {
948
+ "value": "nodejs20.x"
949
+ },
950
+ "cn-north-1": {
951
+ "value": "nodejs18.x"
952
+ },
953
+ "cn-northwest-1": {
954
+ "value": "nodejs18.x"
955
+ },
956
+ "eu-central-1": {
957
+ "value": "nodejs20.x"
958
+ },
959
+ "eu-central-2": {
960
+ "value": "nodejs20.x"
961
+ },
962
+ "eu-isoe-west-1": {
963
+ "value": "nodejs18.x"
964
+ },
965
+ "eu-north-1": {
966
+ "value": "nodejs20.x"
967
+ },
968
+ "eu-south-1": {
969
+ "value": "nodejs20.x"
970
+ },
971
+ "eu-south-2": {
972
+ "value": "nodejs20.x"
973
+ },
974
+ "eu-west-1": {
975
+ "value": "nodejs20.x"
976
+ },
977
+ "eu-west-2": {
978
+ "value": "nodejs20.x"
979
+ },
980
+ "eu-west-3": {
981
+ "value": "nodejs20.x"
982
+ },
983
+ "il-central-1": {
984
+ "value": "nodejs20.x"
985
+ },
986
+ "me-central-1": {
987
+ "value": "nodejs20.x"
988
+ },
989
+ "me-south-1": {
990
+ "value": "nodejs20.x"
991
+ },
992
+ "mx-central-1": {
993
+ "value": "nodejs20.x"
994
+ },
995
+ "sa-east-1": {
996
+ "value": "nodejs20.x"
997
+ },
998
+ "us-east-1": {
999
+ "value": "nodejs20.x"
1000
+ },
1001
+ "us-east-2": {
1002
+ "value": "nodejs20.x"
1003
+ },
1004
+ "us-gov-east-1": {
1005
+ "value": "nodejs18.x"
1006
+ },
1007
+ "us-gov-west-1": {
1008
+ "value": "nodejs18.x"
1009
+ },
1010
+ "us-iso-east-1": {
1011
+ "value": "nodejs18.x"
1012
+ },
1013
+ "us-iso-west-1": {
1014
+ "value": "nodejs18.x"
1015
+ },
1016
+ "us-isob-east-1": {
1017
+ "value": "nodejs18.x"
1018
+ },
1019
+ "us-west-1": {
1020
+ "value": "nodejs20.x"
1021
+ },
1022
+ "us-west-2": {
1023
+ "value": "nodejs20.x"
1024
+ }
1025
+ }
1026
+ },
1027
+ "Parameters": {
1028
+ "BootstrapVersion": {
1029
+ "Type": "AWS::SSM::Parameter::Value<String>",
1030
+ "Default": "/cdk-bootstrap/hnb659fds/version",
1031
+ "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
1032
+ }
1033
+ },
1034
+ "Rules": {
1035
+ "CheckBootstrapVersion": {
1036
+ "Assertions": [
1037
+ {
1038
+ "Assert": {
1039
+ "Fn::Not": [
1040
+ {
1041
+ "Fn::Contains": [
1042
+ [
1043
+ "1",
1044
+ "2",
1045
+ "3",
1046
+ "4",
1047
+ "5"
1048
+ ],
1049
+ {
1050
+ "Ref": "BootstrapVersion"
1051
+ }
1052
+ ]
1053
+ }
1054
+ ]
1055
+ },
1056
+ "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
1057
+ }
1058
+ ]
1059
+ }
1060
+ }
1061
+ }