@aws-solutions-constructs/aws-cloudfront-s3 2.46.0 → 2.48.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (36)
  1. package/.eslintignore +2 -2
  2. package/.jsii +61 -24
  3. package/README.md +7 -6
  4. package/lib/index.d.ts +1 -0
  5. package/lib/index.js +70 -8
  6. package/package.json +7 -5
  7. package/test/integ.cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.expected.json +958 -0
  8. package/test/integ.cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.js +44 -0
  9. package/test/integ.cfts3-bucket-encrypted-with-managed-key-provided-as-existingbucket.expected.json +592 -0
  10. package/test/integ.cfts3-bucket-encrypted-with-managed-key-provided-as-existingbucket.js +39 -0
  11. package/test/integ.cfts3-bucket-with-http-origin.d.ts +13 -0
  12. package/test/integ.cfts3-bucket-with-http-origin.expected.json +559 -0
  13. package/test/integ.cfts3-bucket-with-http-origin.js +44 -0
  14. package/test/integ.cfts3-cmk-encryption.expected.json +527 -0
  15. package/test/integ.cfts3-cmk-provided-as-bucket-prop.d.ts +13 -0
  16. package/test/integ.cfts3-cmk-provided-as-bucket-prop.expected.json +958 -0
  17. package/test/integ.cfts3-cmk-provided-as-bucket-prop.js +41 -0
  18. package/test/integ.cfts3-custom-headers.expected.json +307 -27
  19. package/test/integ.cfts3-custom-headers.js +6 -2
  20. package/test/integ.cfts3-custom-originPath.expected.json +307 -27
  21. package/test/integ.cfts3-custom-originPath.js +6 -2
  22. package/test/integ.cfts3-customCloudFrontLoggingBucket.expected.json +54 -23
  23. package/test/integ.cfts3-customLoggingBuckets.d.ts +13 -0
  24. package/test/{integ.cfts3-customLoggingBucket.expected.json → integ.cfts3-customLoggingBuckets.expected.json} +285 -31
  25. package/test/integ.cfts3-customLoggingBuckets.js +58 -0
  26. package/test/integ.cfts3-existing-bucket.expected.json +493 -80
  27. package/test/integ.cfts3-existing-bucket.js +2 -2
  28. package/test/integ.cfts3-no-arguments.expected.json +430 -27
  29. package/test/integ.cfts3-no-arguments.js +5 -2
  30. package/test/integ.cfts3-no-security-headers.expected.json +307 -27
  31. package/test/integ.cfts3-no-security-headers.js +5 -1
  32. package/test/test.cloudfront-s3.test.js +149 -28
  33. package/test/integ.cfts3-customCloudFrontLoggingBucket.js +0 -39
  34. package/test/integ.cfts3-customLoggingBucket.js +0 -42
  35. /package/test/{integ.cfts3-customCloudFrontLoggingBucket.d.ts → integ.cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.d.ts} +0 -0
  36. /package/test/{integ.cfts3-customLoggingBucket.d.ts → integ.cfts3-bucket-encrypted-with-managed-key-provided-as-existingbucket.d.ts} +0 -0
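--- /dev/null
+++ b/package/test/integ.cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.expected.json
@@ -0,0 +1,958 @@
+{
+"Description": "Integration Test for aws-cloudfront-s3",
+"Resources": {
+"cmkKey598B20B2": {
+"Type": "AWS::KMS::Key",
+"Properties": {
+"EnableKeyRotation": true,
+"KeyPolicy": {
+"Statement": [
+{
+"Action": "kms:*",
+"Effect": "Allow",
+"Principal": {
+"AWS": {
+"Fn::Join": [
+"",
+[
+"arn:",
+{
+"Ref": "AWS::Partition"
+},
+":iam::",
+{
+"Ref": "AWS::AccountId"
+},
+":root"
+]
+]
+}
+},
+"Resource": "*"
+}
+],
+"Version": "2012-10-17"
+}
+},
+"UpdateReplacePolicy": "Delete",
+"DeletionPolicy": "Delete"
+},
+"existings3bucketencryptedwithcmkS3LoggingBucket2B2DE39B": {
+"Type": "AWS::S3::Bucket",
+"Properties": {
+"BucketEncryption": {
+"ServerSideEncryptionConfiguration": [
+{
+"ServerSideEncryptionByDefault": {
+"SSEAlgorithm": "AES256"
+}
+}
+]
+},
+"PublicAccessBlockConfiguration": {
+"BlockPublicAcls": true,
+"BlockPublicPolicy": true,
+"IgnorePublicAcls": true,
+"RestrictPublicBuckets": true
+},
+"VersioningConfiguration": {
+"Status": "Enabled"
+}
+},
+"UpdateReplacePolicy": "Retain",
+"DeletionPolicy": "Retain",
+"Metadata": {
+"cfn_nag": {
+"rules_to_suppress": [
+{
+"id": "W35",
+"reason": "This S3 bucket is used as the access logging bucket for another bucket"
+}
+]
+}
+}
+},
+"existings3bucketencryptedwithcmkS3LoggingBucketPolicy4A3AC1CB": {
+"Type": "AWS::S3::BucketPolicy",
+"Properties": {
+"Bucket": {
+"Ref": "existings3bucketencryptedwithcmkS3LoggingBucket2B2DE39B"
+},
+"PolicyDocument": {
+"Statement": [
+{
+"Action": "s3:*",
+"Condition": {
+"Bool": {
+"aws:SecureTransport": "false"
+}
+},
+"Effect": "Deny",
+"Principal": {
+"AWS": "*"
+},
+"Resource": [
+{
+"Fn::GetAtt": [
+"existings3bucketencryptedwithcmkS3LoggingBucket2B2DE39B",
+"Arn"
+]
+},
+{
+"Fn::Join": [
+"",
+[
+{
+"Fn::GetAtt": [
+"existings3bucketencryptedwithcmkS3LoggingBucket2B2DE39B",
+"Arn"
+]
+},
+"/*"
+]
+]
+}
+]
+},
+{
+"Action": "s3:PutObject",
+"Condition": {
+"ArnLike": {
+"aws:SourceArn": {
+"Fn::GetAtt": [
+"existings3bucketencryptedwithcmkS3BucketCC461491",
+"Arn"
+]
+}
+},
+"StringEquals": {
+"aws:SourceAccount": {
+"Ref": "AWS::AccountId"
+}
+}
+},
+"Effect": "Allow",
+"Principal": {
+"Service": "logging.s3.amazonaws.com"
+},
+"Resource": {
+"Fn::Join": [
+"",
+[
+{
+"Fn::GetAtt": [
+"existings3bucketencryptedwithcmkS3LoggingBucket2B2DE39B",
+"Arn"
+]
+},
+"/*"
+]
+]
+}
+}
+],
+"Version": "2012-10-17"
+}
+}
+},
+"existings3bucketencryptedwithcmkS3BucketCC461491": {
+"Type": "AWS::S3::Bucket",
+"Properties": {
+"BucketEncryption": {
+"ServerSideEncryptionConfiguration": [
+{
+"ServerSideEncryptionByDefault": {
+"KMSMasterKeyID": {
+"Fn::GetAtt": [
+"cmkKey598B20B2",
+"Arn"
+]
+},
+"SSEAlgorithm": "aws:kms"
+}
+}
+]
+},
+"LifecycleConfiguration": {
+"Rules": [
+{
+"NoncurrentVersionTransitions": [
+{
+"StorageClass": "GLACIER",
+"TransitionInDays": 90
+}
+],
+"Status": "Enabled"
+}
+]
+},
+"LoggingConfiguration": {
+"DestinationBucketName": {
+"Ref": "existings3bucketencryptedwithcmkS3LoggingBucket2B2DE39B"
+}
+},
+"PublicAccessBlockConfiguration": {
+"BlockPublicAcls": true,
+"BlockPublicPolicy": true,
+"IgnorePublicAcls": true,
+"RestrictPublicBuckets": true
+},
+"VersioningConfiguration": {
+"Status": "Enabled"
+}
+},
+"UpdateReplacePolicy": "Retain",
+"DeletionPolicy": "Retain"
+},
+"existings3bucketencryptedwithcmkS3BucketPolicyA1A37425": {
+"Type": "AWS::S3::BucketPolicy",
+"Properties": {
+"Bucket": {
+"Ref": "existings3bucketencryptedwithcmkS3BucketCC461491"
+},
+"PolicyDocument": {
+"Statement": [
+{
+"Action": "s3:*",
+"Condition": {
+"Bool": {
+"aws:SecureTransport": "false"
+}
+},
+"Effect": "Deny",
+"Principal": {
+"AWS": "*"
+},
+"Resource": [
+{
+"Fn::GetAtt": [
+"existings3bucketencryptedwithcmkS3BucketCC461491",
+"Arn"
+]
+},
+{
+"Fn::Join": [
+"",
+[
+{
+"Fn::GetAtt": [
+"existings3bucketencryptedwithcmkS3BucketCC461491",
+"Arn"
+]
+},
+"/*"
+]
+]
+}
+]
+},
+{
+"Action": "s3:GetObject",
+"Condition": {
+"StringEquals": {
+"AWS:SourceArn": {
+"Fn::Join": [
+"",
+[
+"arn:aws:cloudfront::",
+{
+"Ref": "AWS::AccountId"
+},
+":distribution/",
+{
+"Ref": "testcloudfronts3cmkencryptionkeyCloudFrontDistribution57C8A907"
+}
+]
+]
+}
+}
+},
+"Effect": "Allow",
+"Principal": {
+"Service": "cloudfront.amazonaws.com"
+},
+"Resource": {
+"Fn::Join": [
+"",
+[
+{
+"Fn::GetAtt": [
+"existings3bucketencryptedwithcmkS3BucketCC461491",
+"Arn"
+]
+},
+"/*"
+]
+]
+}
+}
+],
+"Version": "2012-10-17"
+}
+},
+"Metadata": {
+"cfn_nag": {
+"rules_to_suppress": [
+{
+"id": "F16",
+"reason": "Public website bucket policy requires a wildcard principal"
+}
+]
+}
+}
+},
+"testcloudfronts3cmkencryptionkeyCloudfrontLoggingBucketAccessLog8863921C": {
+"Type": "AWS::S3::Bucket",
+"Properties": {
+"BucketEncryption": {
+"ServerSideEncryptionConfiguration": [
+{
+"ServerSideEncryptionByDefault": {
+"SSEAlgorithm": "AES256"
+}
+}
+]
+},
+"OwnershipControls": {
+"Rules": [
+{
+"ObjectOwnership": "ObjectWriter"
+}
+]
+},
+"PublicAccessBlockConfiguration": {
+"BlockPublicAcls": true,
+"BlockPublicPolicy": true,
+"IgnorePublicAcls": true,
+"RestrictPublicBuckets": true
+},
+"VersioningConfiguration": {
+"Status": "Enabled"
+}
+},
+"UpdateReplacePolicy": "Retain",
+"DeletionPolicy": "Retain",
+"Metadata": {
+"cfn_nag": {
+"rules_to_suppress": [
+{
+"id": "W35",
+"reason": "This S3 bucket is used as the access logging bucket for another bucket"
+}
+]
+}
+}
+},
+"testcloudfronts3cmkencryptionkeyCloudfrontLoggingBucketAccessLogPolicy8F931BD7": {
+"Type": "AWS::S3::BucketPolicy",
+"Properties": {
+"Bucket": {
+"Ref": "testcloudfronts3cmkencryptionkeyCloudfrontLoggingBucketAccessLog8863921C"
+},
+"PolicyDocument": {
+"Statement": [
+{
+"Action": "s3:*",
+"Condition": {
+"Bool": {
+"aws:SecureTransport": "false"
+}
+},
+"Effect": "Deny",
+"Principal": {
+"AWS": "*"
+},
+"Resource": [
+{
+"Fn::GetAtt": [
+"testcloudfronts3cmkencryptionkeyCloudfrontLoggingBucketAccessLog8863921C",
+"Arn"
+]
+},
+{
+"Fn::Join": [
+"",
+[
+{
+"Fn::GetAtt": [
+"testcloudfronts3cmkencryptionkeyCloudfrontLoggingBucketAccessLog8863921C",
+"Arn"
+]
+},
+"/*"
+]
+]
+}
+]
+},
+{
+"Action": "s3:PutObject",
+"Condition": {
+"ArnLike": {
+"aws:SourceArn": {
+"Fn::GetAtt": [
+"testcloudfronts3cmkencryptionkeyCloudfrontLoggingBucket7C1787CD",
+"Arn"
+]
+}
+},
+"StringEquals": {
+"aws:SourceAccount": {
+"Ref": "AWS::AccountId"
+}
+}
+},
+"Effect": "Allow",
+"Principal": {
+"Service": "logging.s3.amazonaws.com"
+},
+"Resource": {
+"Fn::Join": [
+"",
+[
+{
+"Fn::GetAtt": [
+"testcloudfronts3cmkencryptionkeyCloudfrontLoggingBucketAccessLog8863921C",
+"Arn"
+]
+},
+"/*"
+]
+]
+}
+}
+],
+"Version": "2012-10-17"
+}
+}
+},
+"testcloudfronts3cmkencryptionkeyCloudfrontLoggingBucket7C1787CD": {
+"Type": "AWS::S3::Bucket",
+"Properties": {
+"AccessControl": "LogDeliveryWrite",
+"BucketEncryption": {
+"ServerSideEncryptionConfiguration": [
+{
+"ServerSideEncryptionByDefault": {
+"SSEAlgorithm": "AES256"
+}
+}
+]
+},
+"LoggingConfiguration": {
+"DestinationBucketName": {
+"Ref": "testcloudfronts3cmkencryptionkeyCloudfrontLoggingBucketAccessLog8863921C"
+}
+},
+"OwnershipControls": {
+"Rules": [
+{
+"ObjectOwnership": "ObjectWriter"
+}
+]
+},
+"PublicAccessBlockConfiguration": {
+"BlockPublicAcls": true,
+"BlockPublicPolicy": true,
+"IgnorePublicAcls": true,
+"RestrictPublicBuckets": true
+},
+"VersioningConfiguration": {
+"Status": "Enabled"
+}
+},
+"UpdateReplacePolicy": "Retain",
+"DeletionPolicy": "Retain"
+},
+"testcloudfronts3cmkencryptionkeyCloudfrontLoggingBucketPolicy5E737735": {
+"Type": "AWS::S3::BucketPolicy",
+"Properties": {
+"Bucket": {
+"Ref": "testcloudfronts3cmkencryptionkeyCloudfrontLoggingBucket7C1787CD"
+},
+"PolicyDocument": {
+"Statement": [
+{
+"Action": "s3:*",
+"Condition": {
+"Bool": {
+"aws:SecureTransport": "false"
+}
+},
+"Effect": "Deny",
+"Principal": {
+"AWS": "*"
+},
+"Resource": [
+{
+"Fn::GetAtt": [
+"testcloudfronts3cmkencryptionkeyCloudfrontLoggingBucket7C1787CD",
+"Arn"
+]
+},
+{
+"Fn::Join": [
+"",
+[
+{
+"Fn::GetAtt": [
+"testcloudfronts3cmkencryptionkeyCloudfrontLoggingBucket7C1787CD",
+"Arn"
+]
+},
+"/*"
+]
+]
+}
+]
+}
+],
+"Version": "2012-10-17"
+}
+}
+},
+"testcloudfronts3cmkencryptionkeyCloudFrontOac4EFECBD9": {
+"Type": "AWS::CloudFront::OriginAccessControl",
+"Properties": {
+"OriginAccessControlConfig": {
+"Description": "Origin access control provisioned by aws-cloudfront-s3",
+"Name": {
+"Fn::Join": [
+"",
+[
+"aws-cloudfront-s3-testn-key-",
+{
+"Fn::Select": [
+2,
+{
+"Fn::Split": [
+"/",
+{
+"Ref": "AWS::StackId"
+}
+]
+}
+]
+}
+]
+]
+},
+"OriginAccessControlOriginType": "s3",
+"SigningBehavior": "always",
+"SigningProtocol": "sigv4"
+}
+}
+},
+"testcloudfronts3cmkencryptionkeyCloudFrontDistribution57C8A907": {
+"Type": "AWS::CloudFront::Distribution",
+"Properties": {
+"DistributionConfig": {
+"DefaultCacheBehavior": {
+"CachePolicyId": "658327ea-f89d-4fab-a63d-7e88639e58f6",
+"Compress": true,
+"TargetOriginId": "cfts3bucketencryptedwithcmkprovidedasexistingbuckettestcloudfronts3cmkencryptionkeyCloudFrontDistributionOrigin128E2E2A5",
+"ViewerProtocolPolicy": "redirect-to-https"
+},
+"DefaultRootObject": "index.html",
+"Enabled": true,
+"HttpVersion": "http2",
+"IPV6Enabled": true,
+"Logging": {
+"Bucket": {
+"Fn::GetAtt": [
+"testcloudfronts3cmkencryptionkeyCloudfrontLoggingBucket7C1787CD",
+"RegionalDomainName"
+]
+}
+},
+"Origins": [
+{
+"DomainName": {
+"Fn::GetAtt": [
+"existings3bucketencryptedwithcmkS3BucketCC461491",
+"RegionalDomainName"
+]
+},
+"Id": "cfts3bucketencryptedwithcmkprovidedasexistingbuckettestcloudfronts3cmkencryptionkeyCloudFrontDistributionOrigin128E2E2A5",
+"OriginAccessControlId": {
+"Fn::GetAtt": [
+"testcloudfronts3cmkencryptionkeyCloudFrontOac4EFECBD9",
+"Id"
+]
+},
+"S3OriginConfig": {}
+}
+]
+}
+},
+"Metadata": {
+"cfn_nag": {
+"rules_to_suppress": [
+{
+"id": "W70",
+"reason": "Since the distribution uses the CloudFront domain name, CloudFront automatically sets the security policy to TLSv1 regardless of the value of MinimumProtocolVersion"
+}
+]
+}
+}
+},
+"testcloudfronts3cmkencryptionkeyKmsKeyPolicyUpdateLambdaRoleB7BBA8A2": {
+"Type": "AWS::IAM::Role",
+"Properties": {
+"AssumeRolePolicyDocument": {
+"Statement": [
+{
+"Action": "sts:AssumeRole",
+"Effect": "Allow",
+"Principal": {
+"Service": "lambda.amazonaws.com"
+}
+}
+],
+"Version": "2012-10-17"
+},
+"Description": "Role to update kms key policy to allow CloudFront access",
+"Policies": [
+{
+"PolicyDocument": {
+"Statement": [
+{
+"Action": [
+"kms:PutKeyPolicy",
+"kms:GetKeyPolicy",
+"kms:DescribeKey"
+],
+"Effect": "Allow",
+"Resource": {
+"Fn::GetAtt": [
+"cmkKey598B20B2",
+"Arn"
+]
+}
+}
+],
+"Version": "2012-10-17"
+},
+"PolicyName": "KmsPolicy"
+}
+]
+}
+},
+"testcloudfronts3cmkencryptionkeyKmsKeyPolicyUpdateLambdaRoleDefaultPolicy0E93FCDF": {
+"Type": "AWS::IAM::Policy",
+"Properties": {
+"PolicyDocument": {
+"Statement": [
+{
+"Action": [
+"xray:PutTraceSegments",
+"xray:PutTelemetryRecords"
+],
+"Effect": "Allow",
+"Resource": "*"
+}
+],
+"Version": "2012-10-17"
+},
+"PolicyName": "testcloudfronts3cmkencryptionkeyKmsKeyPolicyUpdateLambdaRoleDefaultPolicy0E93FCDF",
+"Roles": [
+{
+"Ref": "testcloudfronts3cmkencryptionkeyKmsKeyPolicyUpdateLambdaRoleB7BBA8A2"
+}
+]
+},
+"Metadata": {
+"cfn_nag": {
+"rules_to_suppress": [
+{
+"id": "W12",
+"reason": "Lambda needs the following minimum required permissions to send trace data to X-Ray and access ENIs in a VPC."
+}
+]
+}
+}
+},
+"testcloudfronts3cmkencryptionkeyLambdaFunctionServiceRole85783D1D": {
+"Type": "AWS::IAM::Role",
+"Properties": {
+"AssumeRolePolicyDocument": {
+"Statement": [
+{
+"Action": "sts:AssumeRole",
+"Effect": "Allow",
+"Principal": {
+"Service": "lambda.amazonaws.com"
+}
+}
+],
+"Version": "2012-10-17"
+},
+"Policies": [
+{
+"PolicyDocument": {
+"Statement": [
+{
+"Action": [
+"logs:CreateLogGroup",
+"logs:CreateLogStream",
+"logs:PutLogEvents"
+],
+"Effect": "Allow",
+"Resource": {
+"Fn::Join": [
+"",
+[
+"arn:",
+{
+"Ref": "AWS::Partition"
+},
+":logs:",
+{
+"Ref": "AWS::Region"
+},
+":",
+{
+"Ref": "AWS::AccountId"
+},
+":log-group:/aws/lambda/*"
+]
+]
+}
+}
+],
+"Version": "2012-10-17"
+},
+"PolicyName": "LambdaFunctionServiceRolePolicy"
+}
+]
+}
+},
+"testcloudfronts3cmkencryptionkeyLambdaFunction4DCD662E": {
+"Type": "AWS::Lambda::Function",
+"Properties": {
+"Code": {
+"S3Bucket": {
+"Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
+},
+"S3Key": "4a4b024f310aca2784b69bcb790e9ccaef785e9ad5d1b73624144f88c4465b4f.zip"
+},
+"Description": "Custom resource function that updates a provided key policy to allow CloudFront access.",
+"Handler": "index.handler",
+"Role": {
+"Fn::GetAtt": [
+"testcloudfronts3cmkencryptionkeyKmsKeyPolicyUpdateLambdaRoleB7BBA8A2",
+"Arn"
+]
+},
+"Runtime": "nodejs18.x",
+"TracingConfig": {
+"Mode": "Active"
+}
+},
+"DependsOn": [
+"testcloudfronts3cmkencryptionkeyKmsKeyPolicyUpdateLambdaRoleDefaultPolicy0E93FCDF",
+"testcloudfronts3cmkencryptionkeyKmsKeyPolicyUpdateLambdaRoleB7BBA8A2"
+],
+"Metadata": {
+"cfn_nag": {
+"rules_to_suppress": [
+{
+"id": "W58",
+"reason": "Lambda functions has the required permission to write CloudWatch Logs. It uses custom policy instead of arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole with tighter permissions."
+},
+{
+"id": "W89",
+"reason": "This is not a rule for the general case, just for specific use cases/industries"
+},
+{
+"id": "W92",
+"reason": "Impossible for us to define the correct concurrency for clients"
+}
+]
+}
+}
+},
+"testcloudfronts3cmkencryptionkeyKmsKeyPolicyUpdateProviderframeworkonEventServiceRole3D4040AD": {
+"Type": "AWS::IAM::Role",
+"Properties": {
+"AssumeRolePolicyDocument": {
+"Statement": [
+{
+"Action": "sts:AssumeRole",
+"Effect": "Allow",
+"Principal": {
+"Service": "lambda.amazonaws.com"
+}
+}
+],
+"Version": "2012-10-17"
+},
+"ManagedPolicyArns": [
+{
+"Fn::Join": [
+"",
+[
+"arn:",
+{
+"Ref": "AWS::Partition"
+},
+":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+]
+]
+}
+]
+}
+},
+"testcloudfronts3cmkencryptionkeyKmsKeyPolicyUpdateProviderframeworkonEventServiceRoleDefaultPolicy066CD751": {
+"Type": "AWS::IAM::Policy",
+"Properties": {
+"PolicyDocument": {
+"Statement": [
+{
+"Action": "lambda:InvokeFunction",
+"Effect": "Allow",
+"Resource": [
+{
+"Fn::GetAtt": [
+"testcloudfronts3cmkencryptionkeyLambdaFunction4DCD662E",
+"Arn"
+]
+},
+{
+"Fn::Join": [
+"",
+[
+{
+"Fn::GetAtt": [
+"testcloudfronts3cmkencryptionkeyLambdaFunction4DCD662E",
+"Arn"
+]
+},
+":*"
+]
+]
+}
+]
+}
+],
+"Version": "2012-10-17"
+},
+"PolicyName": "testcloudfronts3cmkencryptionkeyKmsKeyPolicyUpdateProviderframeworkonEventServiceRoleDefaultPolicy066CD751",
+"Roles": [
+{
+"Ref": "testcloudfronts3cmkencryptionkeyKmsKeyPolicyUpdateProviderframeworkonEventServiceRole3D4040AD"
+}
+]
+}
+},
+"testcloudfronts3cmkencryptionkeyKmsKeyPolicyUpdateProviderframeworkonEvent8BCBFC59": {
+"Type": "AWS::Lambda::Function",
+"Properties": {
+"Code": {
+"S3Bucket": {
+"Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
+},
+"S3Key": "7382a0addb9f34974a1ea6c6c9b063882af874828f366f5c93b2b7b64db15c94.zip"
+},
+"Description": "AWS CDK resource provider framework - onEvent (cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket/test-cloudfront-s3-cmk-encryption-key/KmsKeyPolicyUpdateProvider)",
+"Environment": {
+"Variables": {
+"USER_ON_EVENT_FUNCTION_ARN": {
+"Fn::GetAtt": [
+"testcloudfronts3cmkencryptionkeyLambdaFunction4DCD662E",
+"Arn"
+]
+}
+}
+},
+"Handler": "framework.onEvent",
+"Role": {
+"Fn::GetAtt": [
+"testcloudfronts3cmkencryptionkeyKmsKeyPolicyUpdateProviderframeworkonEventServiceRole3D4040AD",
+"Arn"
+]
+},
+"Runtime": "nodejs18.x",
+"Timeout": 900
+},
+"DependsOn": [
+"testcloudfronts3cmkencryptionkeyKmsKeyPolicyUpdateProviderframeworkonEventServiceRoleDefaultPolicy066CD751",
+"testcloudfronts3cmkencryptionkeyKmsKeyPolicyUpdateProviderframeworkonEventServiceRole3D4040AD"
+],
+"Metadata": {
+"cfn_nag": {
+"rules_to_suppress": [
+{
+"id": "W58",
+"reason": "The CDK-provided lambda function that backs their Custom Resource Provider framework has an IAM role with the arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole Managed Policy attached, which grants permission to write to CloudWatch Logs"
+},
+{
+"id": "W89",
+"reason": "The CDK-provided lambda function that backs their Custom Resource Provider framework does not access VPC resources"
+},
+{
+"id": "W92",
+"reason": "The CDK-provided lambda function that backs their Custom Resource Provider framework does not define ReservedConcurrentExecutions"
+}
+]
+}
+}
+},
+"testcloudfronts3cmkencryptionkeyKmsKeyPolicyUpdaterFAFEBF0F": {
+"Type": "Custom::KmsKeyPolicyUpdater",
+"Properties": {
+"ServiceToken": {
+"Fn::GetAtt": [
+"testcloudfronts3cmkencryptionkeyKmsKeyPolicyUpdateProviderframeworkonEvent8BCBFC59",
+"Arn"
+]
+},
+"KmsKeyId": {
+"Ref": "cmkKey598B20B2"
+},
+"CloudFrontDistributionId": {
+"Ref": "testcloudfronts3cmkencryptionkeyCloudFrontDistribution57C8A907"
+},
+"AccountId": {
+"Ref": "AWS::AccountId"
+}
+},
+"UpdateReplacePolicy": "Delete",
+"DeletionPolicy": "Delete"
+}
+},
+"Parameters": {
+"BootstrapVersion": {
+"Type": "AWS::SSM::Parameter::Value<String>",
+"Default": "/cdk-bootstrap/hnb659fds/version",
+"Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+}
+},
+"Rules": {
+"CheckBootstrapVersion": {
+"Assertions": [
+{
+"Assert": {
+"Fn::Not": [
+{
+"Fn::Contains": [
+[
+"1",
+"2",
+"3",
+"4",
+"5"
+],
+{
+"Ref": "BootstrapVersion"
+}
+]
+}
+]
+},
+"AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+}
+]
+}
+}
+}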