@aws-solutions-constructs/aws-cloudfront-s3 2.50.0 → 2.52.0

Files changed (127)
  1. package/.eslintignore +2 -0
  2. package/.jsii +51 -6
  3. package/integ.config.json +7 -0
  4. package/lib/index.js +1 -1
  5. package/package.json +14 -13
  6. package/test/integ.cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.js +6 -3
  7. package/test/integ.cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.js.snapshot/asset.4a4b024f310aca2784b69bcb790e9ccaef785e9ad5d1b73624144f88c4465b4f/index.d.ts +30 -0
  8. package/test/integ.cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.js.snapshot/asset.4a4b024f310aca2784b69bcb790e9ccaef785e9ad5d1b73624144f88c4465b4f/index.js +127 -0
  9. package/test/integ.cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.js.snapshot/asset.7382a0addb9f34974a1ea6c6c9b063882af874828f366f5c93b2b7b64db15c94/cfn-response.js +1 -0
  10. package/test/integ.cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.js.snapshot/asset.7382a0addb9f34974a1ea6c6c9b063882af874828f366f5c93b2b7b64db15c94/consts.js +1 -0
  11. package/test/integ.cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.js.snapshot/asset.7382a0addb9f34974a1ea6c6c9b063882af874828f366f5c93b2b7b64db15c94/framework.js +3 -0
  12. package/test/integ.cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.js.snapshot/asset.7382a0addb9f34974a1ea6c6c9b063882af874828f366f5c93b2b7b64db15c94/outbound.js +1 -0
  13. package/test/integ.cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.js.snapshot/asset.7382a0addb9f34974a1ea6c6c9b063882af874828f366f5c93b2b7b64db15c94/util.js +1 -0
  14. package/test/integ.cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.js.snapshot/cdk.out +1 -0
  15. package/test/integ.cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.js.snapshot/cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.assets.json +45 -0
  16. package/test/integ.cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.js.snapshot/cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.template.json +960 -0
  17. package/test/integ.cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.js.snapshot/cfts3bucketencryptedwithcmkprovidedasexistingbucketIntegDefaultTestDeployAssertF6031114.assets.json +19 -0
  18. package/test/integ.cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.js.snapshot/cfts3bucketencryptedwithcmkprovidedasexistingbucketIntegDefaultTestDeployAssertF6031114.template.json +36 -0
  19. package/test/integ.cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.js.snapshot/integ.json +12 -0
  20. package/test/integ.cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.js.snapshot/manifest.json +221 -0
  21. package/test/integ.cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.js.snapshot/tree.json +1326 -0
  22. package/test/integ.cfts3-bucket-encrypted-with-managed-key-provided-as-existingbucket.js +6 -3
  23. package/test/integ.cfts3-bucket-encrypted-with-managed-key-provided-as-existingbucket.js.snapshot/cdk.out +1 -0
  24. package/test/integ.cfts3-bucket-encrypted-with-managed-key-provided-as-existingbucket.js.snapshot/cfts3-bucket-encrypted-with-managed-key-provided-as-existingbucket.assets.json +19 -0
  25. package/test/integ.cfts3-bucket-encrypted-with-managed-key-provided-as-existingbucket.js.snapshot/cfts3-bucket-encrypted-with-managed-key-provided-as-existingbucket.template.json +594 -0
  26. package/test/integ.cfts3-bucket-encrypted-with-managed-key-provided-as-existingbucket.js.snapshot/cfts3bucketencryptedwithmanagedkeyprovidedasexistingbucketIntegDefaultTestDeployAssert03A82C16.assets.json +19 -0
  27. package/test/integ.cfts3-bucket-encrypted-with-managed-key-provided-as-existingbucket.js.snapshot/cfts3bucketencryptedwithmanagedkeyprovidedasexistingbucketIntegDefaultTestDeployAssert03A82C16.template.json +36 -0
  28. package/test/integ.cfts3-bucket-encrypted-with-managed-key-provided-as-existingbucket.js.snapshot/integ.json +12 -0
  29. package/test/integ.cfts3-bucket-encrypted-with-managed-key-provided-as-existingbucket.js.snapshot/manifest.json +167 -0
  30. package/test/integ.cfts3-bucket-encrypted-with-managed-key-provided-as-existingbucket.js.snapshot/tree.json +790 -0
  31. package/test/integ.cfts3-bucket-with-http-origin.js +6 -3
  32. package/test/integ.cfts3-bucket-with-http-origin.js.snapshot/cdk.out +1 -0
  33. package/test/integ.cfts3-bucket-with-http-origin.js.snapshot/cfts3-bucket-with-http-origin.assets.json +19 -0
  34. package/test/integ.cfts3-bucket-with-http-origin.js.snapshot/cfts3-bucket-with-http-origin.template.json +559 -0
  35. package/test/integ.cfts3-bucket-with-http-origin.js.snapshot/cfts3bucketwithhttporiginIntegDefaultTestDeployAssert75EB76AB.assets.json +19 -0
  36. package/test/integ.cfts3-bucket-with-http-origin.js.snapshot/cfts3bucketwithhttporiginIntegDefaultTestDeployAssert75EB76AB.template.json +36 -0
  37. package/test/integ.cfts3-bucket-with-http-origin.js.snapshot/integ.json +12 -0
  38. package/test/integ.cfts3-bucket-with-http-origin.js.snapshot/manifest.json +161 -0
  39. package/test/integ.cfts3-bucket-with-http-origin.js.snapshot/tree.json +753 -0
  40. package/test/integ.cfts3-cmk-provided-as-bucket-prop.js +6 -3
  41. package/test/integ.cfts3-cmk-provided-as-bucket-prop.js.snapshot/asset.4a4b024f310aca2784b69bcb790e9ccaef785e9ad5d1b73624144f88c4465b4f/index.d.ts +30 -0
  42. package/test/integ.cfts3-cmk-provided-as-bucket-prop.js.snapshot/asset.4a4b024f310aca2784b69bcb790e9ccaef785e9ad5d1b73624144f88c4465b4f/index.js +127 -0
  43. package/test/integ.cfts3-cmk-provided-as-bucket-prop.js.snapshot/asset.7382a0addb9f34974a1ea6c6c9b063882af874828f366f5c93b2b7b64db15c94/cfn-response.js +1 -0
  44. package/test/integ.cfts3-cmk-provided-as-bucket-prop.js.snapshot/asset.7382a0addb9f34974a1ea6c6c9b063882af874828f366f5c93b2b7b64db15c94/consts.js +1 -0
  45. package/test/integ.cfts3-cmk-provided-as-bucket-prop.js.snapshot/asset.7382a0addb9f34974a1ea6c6c9b063882af874828f366f5c93b2b7b64db15c94/framework.js +3 -0
  46. package/test/integ.cfts3-cmk-provided-as-bucket-prop.js.snapshot/asset.7382a0addb9f34974a1ea6c6c9b063882af874828f366f5c93b2b7b64db15c94/outbound.js +1 -0
  47. package/test/integ.cfts3-cmk-provided-as-bucket-prop.js.snapshot/asset.7382a0addb9f34974a1ea6c6c9b063882af874828f366f5c93b2b7b64db15c94/util.js +1 -0
  48. package/test/integ.cfts3-cmk-provided-as-bucket-prop.js.snapshot/cdk.out +1 -0
  49. package/test/integ.cfts3-cmk-provided-as-bucket-prop.js.snapshot/cfts3-cmk-provided-as-bucket-prop.assets.json +45 -0
  50. package/test/integ.cfts3-cmk-provided-as-bucket-prop.js.snapshot/cfts3-cmk-provided-as-bucket-prop.template.json +960 -0
  51. package/test/integ.cfts3-cmk-provided-as-bucket-prop.js.snapshot/cfts3cmkprovidedasbucketpropIntegDefaultTestDeployAssert38E63D55.assets.json +19 -0
  52. package/test/integ.cfts3-cmk-provided-as-bucket-prop.js.snapshot/cfts3cmkprovidedasbucketpropIntegDefaultTestDeployAssert38E63D55.template.json +36 -0
  53. package/test/integ.cfts3-cmk-provided-as-bucket-prop.js.snapshot/integ.json +12 -0
  54. package/test/integ.cfts3-cmk-provided-as-bucket-prop.js.snapshot/manifest.json +221 -0
  55. package/test/integ.cfts3-cmk-provided-as-bucket-prop.js.snapshot/tree.json +1326 -0
  56. package/test/integ.cfts3-custom-headers.js +6 -3
  57. package/test/integ.cfts3-custom-headers.js.snapshot/asset.b7f33614a69548d6bafe224d751a7ef238cde19097415e553fe8b63a4c8fd8a6/index.js +1 -0
  58. package/test/integ.cfts3-custom-headers.js.snapshot/cdk.out +1 -0
  59. package/test/integ.cfts3-custom-headers.js.snapshot/cfts3-custom-headers.assets.json +32 -0
  60. package/test/integ.cfts3-custom-headers.js.snapshot/cfts3-custom-headers.template.json +981 -0
  61. package/test/integ.cfts3-custom-headers.js.snapshot/cfts3customheadersIntegDefaultTestDeployAssert6EEC9973.assets.json +19 -0
  62. package/test/integ.cfts3-custom-headers.js.snapshot/cfts3customheadersIntegDefaultTestDeployAssert6EEC9973.template.json +36 -0
  63. package/test/integ.cfts3-custom-headers.js.snapshot/integ.json +12 -0
  64. package/test/integ.cfts3-custom-headers.js.snapshot/manifest.json +215 -0
  65. package/test/integ.cfts3-custom-headers.js.snapshot/tree.json +1167 -0
  66. package/test/integ.cfts3-custom-originPath.js +6 -3
  67. package/test/integ.cfts3-custom-originPath.js.snapshot/asset.b7f33614a69548d6bafe224d751a7ef238cde19097415e553fe8b63a4c8fd8a6/index.js +1 -0
  68. package/test/integ.cfts3-custom-originPath.js.snapshot/cdk.out +1 -0
  69. package/test/integ.cfts3-custom-originPath.js.snapshot/cfts3-custom-originPath.assets.json +32 -0
  70. package/test/integ.cfts3-custom-originPath.js.snapshot/cfts3-custom-originPath.template.json +950 -0
  71. package/test/integ.cfts3-custom-originPath.js.snapshot/cfts3customoriginPathIntegDefaultTestDeployAssert61F499B2.assets.json +19 -0
  72. package/test/integ.cfts3-custom-originPath.js.snapshot/cfts3customoriginPathIntegDefaultTestDeployAssert61F499B2.template.json +36 -0
  73. package/test/integ.cfts3-custom-originPath.js.snapshot/integ.json +12 -0
  74. package/test/integ.cfts3-custom-originPath.js.snapshot/manifest.json +209 -0
  75. package/test/integ.cfts3-custom-originPath.js.snapshot/tree.json +1117 -0
  76. package/test/integ.cfts3-customLoggingBuckets.js +6 -3
  77. package/test/integ.cfts3-customLoggingBuckets.js.snapshot/asset.b7f33614a69548d6bafe224d751a7ef238cde19097415e553fe8b63a4c8fd8a6/index.js +1 -0
  78. package/test/integ.cfts3-customLoggingBuckets.js.snapshot/cdk.out +1 -0
  79. package/test/integ.cfts3-customLoggingBuckets.js.snapshot/cfts3-customLoggingBuckets.assets.json +32 -0
  80. package/test/integ.cfts3-customLoggingBuckets.js.snapshot/cfts3-customLoggingBuckets.template.json +987 -0
  81. package/test/integ.cfts3-customLoggingBuckets.js.snapshot/cfts3customLoggingBucketsIntegDefaultTestDeployAssert4D171F9F.assets.json +19 -0
  82. package/test/integ.cfts3-customLoggingBuckets.js.snapshot/cfts3customLoggingBucketsIntegDefaultTestDeployAssert4D171F9F.template.json +36 -0
  83. package/test/integ.cfts3-customLoggingBuckets.js.snapshot/integ.json +12 -0
  84. package/test/integ.cfts3-customLoggingBuckets.js.snapshot/manifest.json +209 -0
  85. package/test/integ.cfts3-customLoggingBuckets.js.snapshot/tree.json +1156 -0
  86. package/test/integ.cfts3-existing-bucket.js +6 -3
  87. package/test/integ.cfts3-existing-bucket.js.snapshot/asset.b7f33614a69548d6bafe224d751a7ef238cde19097415e553fe8b63a4c8fd8a6/index.js +1 -0
  88. package/test/integ.cfts3-existing-bucket.js.snapshot/cdk.out +1 -0
  89. package/test/integ.cfts3-existing-bucket.js.snapshot/cfts3-existing-bucket.assets.json +32 -0
  90. package/test/integ.cfts3-existing-bucket.js.snapshot/cfts3-existing-bucket.template.json +1014 -0
  91. package/test/integ.cfts3-existing-bucket.js.snapshot/cfts3existingbucketIntegDefaultTestDeployAssertA6D4EB49.assets.json +19 -0
  92. package/test/integ.cfts3-existing-bucket.js.snapshot/cfts3existingbucketIntegDefaultTestDeployAssertA6D4EB49.template.json +36 -0
  93. package/test/integ.cfts3-existing-bucket.js.snapshot/integ.json +12 -0
  94. package/test/integ.cfts3-existing-bucket.js.snapshot/manifest.json +221 -0
  95. package/test/integ.cfts3-existing-bucket.js.snapshot/tree.json +1229 -0
  96. package/test/integ.cfts3-no-arguments.js +6 -3
  97. package/test/integ.cfts3-no-arguments.js.snapshot/asset.b7f33614a69548d6bafe224d751a7ef238cde19097415e553fe8b63a4c8fd8a6/index.js +1 -0
  98. package/test/integ.cfts3-no-arguments.js.snapshot/cdk.out +1 -0
  99. package/test/integ.cfts3-no-arguments.js.snapshot/cfts3-no-arguments.assets.json +32 -0
  100. package/test/integ.cfts3-no-arguments.js.snapshot/cfts3-no-arguments.template.json +959 -0
  101. package/test/integ.cfts3-no-arguments.js.snapshot/cfts3noargumentsIntegDefaultTestDeployAssertBA5AFA25.assets.json +19 -0
  102. package/test/integ.cfts3-no-arguments.js.snapshot/cfts3noargumentsIntegDefaultTestDeployAssertBA5AFA25.template.json +36 -0
  103. package/test/integ.cfts3-no-arguments.js.snapshot/integ.json +12 -0
  104. package/test/integ.cfts3-no-arguments.js.snapshot/manifest.json +209 -0
  105. package/test/integ.cfts3-no-arguments.js.snapshot/tree.json +1117 -0
  106. package/test/integ.cfts3-no-security-headers.js +6 -3
  107. package/test/integ.cfts3-no-security-headers.js.snapshot/asset.b7f33614a69548d6bafe224d751a7ef238cde19097415e553fe8b63a4c8fd8a6/index.js +1 -0
  108. package/test/integ.cfts3-no-security-headers.js.snapshot/cdk.out +1 -0
  109. package/test/integ.cfts3-no-security-headers.js.snapshot/cfts3-no-security-headers.assets.json +32 -0
  110. package/test/integ.cfts3-no-security-headers.js.snapshot/cfts3-no-security-headers.template.json +926 -0
  111. package/test/integ.cfts3-no-security-headers.js.snapshot/cfts3nosecurityheadersIntegDefaultTestDeployAssert38FE05BE.assets.json +19 -0
  112. package/test/integ.cfts3-no-security-headers.js.snapshot/cfts3nosecurityheadersIntegDefaultTestDeployAssert38FE05BE.template.json +36 -0
  113. package/test/integ.cfts3-no-security-headers.js.snapshot/integ.json +12 -0
  114. package/test/integ.cfts3-no-security-headers.js.snapshot/manifest.json +203 -0
  115. package/test/integ.cfts3-no-security-headers.js.snapshot/tree.json +1076 -0
  116. package/test/integ.cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.expected.json +0 -960
  117. package/test/integ.cfts3-bucket-encrypted-with-managed-key-provided-as-existingbucket.expected.json +0 -594
  118. package/test/integ.cfts3-bucket-with-http-origin.expected.json +0 -559
  119. package/test/integ.cfts3-cmk-encryption.expected.json +0 -527
  120. package/test/integ.cfts3-cmk-provided-as-bucket-prop.expected.json +0 -960
  121. package/test/integ.cfts3-custom-headers.expected.json +0 -981
  122. package/test/integ.cfts3-custom-originPath.expected.json +0 -950
  123. package/test/integ.cfts3-customCloudFrontLoggingBucket.expected.json +0 -700
  124. package/test/integ.cfts3-customLoggingBuckets.expected.json +0 -987
  125. package/test/integ.cfts3-existing-bucket.expected.json +0 -1014
  126. package/test/integ.cfts3-no-arguments.expected.json +0 -959
  127. package/test/integ.cfts3-no-security-headers.expected.json +0 -926
@@ -1,960 +0,0 @@
1
- {
2
- "Description": "Integration Test for aws-cloudfront-s3",
3
- "Resources": {
4
- "cmkKey598B20B2": {
5
- "Type": "AWS::KMS::Key",
6
- "Properties": {
7
- "EnableKeyRotation": true,
8
- "KeyPolicy": {
9
- "Statement": [
10
- {
11
- "Action": "kms:*",
12
- "Effect": "Allow",
13
- "Principal": {
14
- "AWS": {
15
- "Fn::Join": [
16
- "",
17
- [
18
- "arn:",
19
- {
20
- "Ref": "AWS::Partition"
21
- },
22
- ":iam::",
23
- {
24
- "Ref": "AWS::AccountId"
25
- },
26
- ":root"
27
- ]
28
- ]
29
- }
30
- },
31
- "Resource": "*"
32
- }
33
- ],
34
- "Version": "2012-10-17"
35
- }
36
- },
37
- "UpdateReplacePolicy": "Delete",
38
- "DeletionPolicy": "Delete"
39
- },
40
- "existings3bucketencryptedwithcmkS3LoggingBucket2B2DE39B": {
41
- "Type": "AWS::S3::Bucket",
42
- "Properties": {
43
- "BucketEncryption": {
44
- "ServerSideEncryptionConfiguration": [
45
- {
46
- "ServerSideEncryptionByDefault": {
47
- "SSEAlgorithm": "AES256"
48
- }
49
- }
50
- ]
51
- },
52
- "PublicAccessBlockConfiguration": {
53
- "BlockPublicAcls": true,
54
- "BlockPublicPolicy": true,
55
- "IgnorePublicAcls": true,
56
- "RestrictPublicBuckets": true
57
- },
58
- "VersioningConfiguration": {
59
- "Status": "Enabled"
60
- }
61
- },
62
- "UpdateReplacePolicy": "Retain",
63
- "DeletionPolicy": "Retain",
64
- "Metadata": {
65
- "cfn_nag": {
66
- "rules_to_suppress": [
67
- {
68
- "id": "W35",
69
- "reason": "This S3 bucket is used as the access logging bucket for another bucket"
70
- }
71
- ]
72
- }
73
- }
74
- },
75
- "existings3bucketencryptedwithcmkS3LoggingBucketPolicy4A3AC1CB": {
76
- "Type": "AWS::S3::BucketPolicy",
77
- "Properties": {
78
- "Bucket": {
79
- "Ref": "existings3bucketencryptedwithcmkS3LoggingBucket2B2DE39B"
80
- },
81
- "PolicyDocument": {
82
- "Statement": [
83
- {
84
- "Action": "s3:*",
85
- "Condition": {
86
- "Bool": {
87
- "aws:SecureTransport": "false"
88
- }
89
- },
90
- "Effect": "Deny",
91
- "Principal": {
92
- "AWS": "*"
93
- },
94
- "Resource": [
95
- {
96
- "Fn::GetAtt": [
97
- "existings3bucketencryptedwithcmkS3LoggingBucket2B2DE39B",
98
- "Arn"
99
- ]
100
- },
101
- {
102
- "Fn::Join": [
103
- "",
104
- [
105
- {
106
- "Fn::GetAtt": [
107
- "existings3bucketencryptedwithcmkS3LoggingBucket2B2DE39B",
108
- "Arn"
109
- ]
110
- },
111
- "/*"
112
- ]
113
- ]
114
- }
115
- ]
116
- },
117
- {
118
- "Action": "s3:PutObject",
119
- "Condition": {
120
- "ArnLike": {
121
- "aws:SourceArn": {
122
- "Fn::GetAtt": [
123
- "existings3bucketencryptedwithcmkS3BucketCC461491",
124
- "Arn"
125
- ]
126
- }
127
- },
128
- "StringEquals": {
129
- "aws:SourceAccount": {
130
- "Ref": "AWS::AccountId"
131
- }
132
- }
133
- },
134
- "Effect": "Allow",
135
- "Principal": {
136
- "Service": "logging.s3.amazonaws.com"
137
- },
138
- "Resource": {
139
- "Fn::Join": [
140
- "",
141
- [
142
- {
143
- "Fn::GetAtt": [
144
- "existings3bucketencryptedwithcmkS3LoggingBucket2B2DE39B",
145
- "Arn"
146
- ]
147
- },
148
- "/*"
149
- ]
150
- ]
151
- }
152
- }
153
- ],
154
- "Version": "2012-10-17"
155
- }
156
- }
157
- },
158
- "existings3bucketencryptedwithcmkS3BucketCC461491": {
159
- "Type": "AWS::S3::Bucket",
160
- "Properties": {
161
- "BucketEncryption": {
162
- "ServerSideEncryptionConfiguration": [
163
- {
164
- "ServerSideEncryptionByDefault": {
165
- "KMSMasterKeyID": {
166
- "Fn::GetAtt": [
167
- "cmkKey598B20B2",
168
- "Arn"
169
- ]
170
- },
171
- "SSEAlgorithm": "aws:kms"
172
- }
173
- }
174
- ]
175
- },
176
- "LifecycleConfiguration": {
177
- "Rules": [
178
- {
179
- "NoncurrentVersionTransitions": [
180
- {
181
- "StorageClass": "GLACIER",
182
- "TransitionInDays": 90
183
- }
184
- ],
185
- "Status": "Enabled"
186
- }
187
- ]
188
- },
189
- "LoggingConfiguration": {
190
- "DestinationBucketName": {
191
- "Ref": "existings3bucketencryptedwithcmkS3LoggingBucket2B2DE39B"
192
- }
193
- },
194
- "PublicAccessBlockConfiguration": {
195
- "BlockPublicAcls": true,
196
- "BlockPublicPolicy": true,
197
- "IgnorePublicAcls": true,
198
- "RestrictPublicBuckets": true
199
- },
200
- "VersioningConfiguration": {
201
- "Status": "Enabled"
202
- }
203
- },
204
- "UpdateReplacePolicy": "Retain",
205
- "DeletionPolicy": "Retain"
206
- },
207
- "existings3bucketencryptedwithcmkS3BucketPolicyA1A37425": {
208
- "Type": "AWS::S3::BucketPolicy",
209
- "Properties": {
210
- "Bucket": {
211
- "Ref": "existings3bucketencryptedwithcmkS3BucketCC461491"
212
- },
213
- "PolicyDocument": {
214
- "Statement": [
215
- {
216
- "Action": "s3:*",
217
- "Condition": {
218
- "Bool": {
219
- "aws:SecureTransport": "false"
220
- }
221
- },
222
- "Effect": "Deny",
223
- "Principal": {
224
- "AWS": "*"
225
- },
226
- "Resource": [
227
- {
228
- "Fn::GetAtt": [
229
- "existings3bucketencryptedwithcmkS3BucketCC461491",
230
- "Arn"
231
- ]
232
- },
233
- {
234
- "Fn::Join": [
235
- "",
236
- [
237
- {
238
- "Fn::GetAtt": [
239
- "existings3bucketencryptedwithcmkS3BucketCC461491",
240
- "Arn"
241
- ]
242
- },
243
- "/*"
244
- ]
245
- ]
246
- }
247
- ]
248
- },
249
- {
250
- "Action": "s3:GetObject",
251
- "Condition": {
252
- "StringEquals": {
253
- "AWS:SourceArn": {
254
- "Fn::Join": [
255
- "",
256
- [
257
- "arn:aws:cloudfront::",
258
- {
259
- "Ref": "AWS::AccountId"
260
- },
261
- ":distribution/",
262
- {
263
- "Ref": "testcloudfronts3cmkencryptionkeyCloudFrontDistribution57C8A907"
264
- }
265
- ]
266
- ]
267
- }
268
- }
269
- },
270
- "Effect": "Allow",
271
- "Principal": {
272
- "Service": "cloudfront.amazonaws.com"
273
- },
274
- "Resource": {
275
- "Fn::Join": [
276
- "",
277
- [
278
- {
279
- "Fn::GetAtt": [
280
- "existings3bucketencryptedwithcmkS3BucketCC461491",
281
- "Arn"
282
- ]
283
- },
284
- "/*"
285
- ]
286
- ]
287
- }
288
- }
289
- ],
290
- "Version": "2012-10-17"
291
- }
292
- },
293
- "Metadata": {
294
- "cfn_nag": {
295
- "rules_to_suppress": [
296
- {
297
- "id": "F16",
298
- "reason": "Public website bucket policy requires a wildcard principal"
299
- }
300
- ]
301
- }
302
- }
303
- },
304
- "testcloudfronts3cmkencryptionkeyCloudfrontLoggingBucketAccessLog8863921C": {
305
- "Type": "AWS::S3::Bucket",
306
- "Properties": {
307
- "BucketEncryption": {
308
- "ServerSideEncryptionConfiguration": [
309
- {
310
- "ServerSideEncryptionByDefault": {
311
- "SSEAlgorithm": "AES256"
312
- }
313
- }
314
- ]
315
- },
316
- "OwnershipControls": {
317
- "Rules": [
318
- {
319
- "ObjectOwnership": "ObjectWriter"
320
- }
321
- ]
322
- },
323
- "PublicAccessBlockConfiguration": {
324
- "BlockPublicAcls": true,
325
- "BlockPublicPolicy": true,
326
- "IgnorePublicAcls": true,
327
- "RestrictPublicBuckets": true
328
- },
329
- "VersioningConfiguration": {
330
- "Status": "Enabled"
331
- }
332
- },
333
- "UpdateReplacePolicy": "Retain",
334
- "DeletionPolicy": "Retain",
335
- "Metadata": {
336
- "cfn_nag": {
337
- "rules_to_suppress": [
338
- {
339
- "id": "W35",
340
- "reason": "This S3 bucket is used as the access logging bucket for another bucket"
341
- }
342
- ]
343
- }
344
- }
345
- },
346
- "testcloudfronts3cmkencryptionkeyCloudfrontLoggingBucketAccessLogPolicy8F931BD7": {
347
- "Type": "AWS::S3::BucketPolicy",
348
- "Properties": {
349
- "Bucket": {
350
- "Ref": "testcloudfronts3cmkencryptionkeyCloudfrontLoggingBucketAccessLog8863921C"
351
- },
352
- "PolicyDocument": {
353
- "Statement": [
354
- {
355
- "Action": "s3:*",
356
- "Condition": {
357
- "Bool": {
358
- "aws:SecureTransport": "false"
359
- }
360
- },
361
- "Effect": "Deny",
362
- "Principal": {
363
- "AWS": "*"
364
- },
365
- "Resource": [
366
- {
367
- "Fn::GetAtt": [
368
- "testcloudfronts3cmkencryptionkeyCloudfrontLoggingBucketAccessLog8863921C",
369
- "Arn"
370
- ]
371
- },
372
- {
373
- "Fn::Join": [
374
- "",
375
- [
376
- {
377
- "Fn::GetAtt": [
378
- "testcloudfronts3cmkencryptionkeyCloudfrontLoggingBucketAccessLog8863921C",
379
- "Arn"
380
- ]
381
- },
382
- "/*"
383
- ]
384
- ]
385
- }
386
- ]
387
- },
388
- {
389
- "Action": "s3:PutObject",
390
- "Condition": {
391
- "ArnLike": {
392
- "aws:SourceArn": {
393
- "Fn::GetAtt": [
394
- "testcloudfronts3cmkencryptionkeyCloudfrontLoggingBucket7C1787CD",
395
- "Arn"
396
- ]
397
- }
398
- },
399
- "StringEquals": {
400
- "aws:SourceAccount": {
401
- "Ref": "AWS::AccountId"
402
- }
403
- }
404
- },
405
- "Effect": "Allow",
406
- "Principal": {
407
- "Service": "logging.s3.amazonaws.com"
408
- },
409
- "Resource": {
410
- "Fn::Join": [
411
- "",
412
- [
413
- {
414
- "Fn::GetAtt": [
415
- "testcloudfronts3cmkencryptionkeyCloudfrontLoggingBucketAccessLog8863921C",
416
- "Arn"
417
- ]
418
- },
419
- "/*"
420
- ]
421
- ]
422
- }
423
- }
424
- ],
425
- "Version": "2012-10-17"
426
- }
427
- }
428
- },
429
- "testcloudfronts3cmkencryptionkeyCloudfrontLoggingBucket7C1787CD": {
430
- "Type": "AWS::S3::Bucket",
431
- "Properties": {
432
- "AccessControl": "LogDeliveryWrite",
433
- "BucketEncryption": {
434
- "ServerSideEncryptionConfiguration": [
435
- {
436
- "ServerSideEncryptionByDefault": {
437
- "SSEAlgorithm": "AES256"
438
- }
439
- }
440
- ]
441
- },
442
- "LoggingConfiguration": {
443
- "DestinationBucketName": {
444
- "Ref": "testcloudfronts3cmkencryptionkeyCloudfrontLoggingBucketAccessLog8863921C"
445
- }
446
- },
447
- "OwnershipControls": {
448
- "Rules": [
449
- {
450
- "ObjectOwnership": "ObjectWriter"
451
- }
452
- ]
453
- },
454
- "PublicAccessBlockConfiguration": {
455
- "BlockPublicAcls": true,
456
- "BlockPublicPolicy": true,
457
- "IgnorePublicAcls": true,
458
- "RestrictPublicBuckets": true
459
- },
460
- "VersioningConfiguration": {
461
- "Status": "Enabled"
462
- }
463
- },
464
- "UpdateReplacePolicy": "Retain",
465
- "DeletionPolicy": "Retain"
466
- },
467
- "testcloudfronts3cmkencryptionkeyCloudfrontLoggingBucketPolicy5E737735": {
468
- "Type": "AWS::S3::BucketPolicy",
469
- "Properties": {
470
- "Bucket": {
471
- "Ref": "testcloudfronts3cmkencryptionkeyCloudfrontLoggingBucket7C1787CD"
472
- },
473
- "PolicyDocument": {
474
- "Statement": [
475
- {
476
- "Action": "s3:*",
477
- "Condition": {
478
- "Bool": {
479
- "aws:SecureTransport": "false"
480
- }
481
- },
482
- "Effect": "Deny",
483
- "Principal": {
484
- "AWS": "*"
485
- },
486
- "Resource": [
487
- {
488
- "Fn::GetAtt": [
489
- "testcloudfronts3cmkencryptionkeyCloudfrontLoggingBucket7C1787CD",
490
- "Arn"
491
- ]
492
- },
493
- {
494
- "Fn::Join": [
495
- "",
496
- [
497
- {
498
- "Fn::GetAtt": [
499
- "testcloudfronts3cmkencryptionkeyCloudfrontLoggingBucket7C1787CD",
500
- "Arn"
501
- ]
502
- },
503
- "/*"
504
- ]
505
- ]
506
- }
507
- ]
508
- }
509
- ],
510
- "Version": "2012-10-17"
511
- }
512
- }
513
- },
514
- "testcloudfronts3cmkencryptionkeyCloudFrontOac4EFECBD9": {
515
- "Type": "AWS::CloudFront::OriginAccessControl",
516
- "Properties": {
517
- "OriginAccessControlConfig": {
518
- "Description": "Origin access control provisioned by aws-cloudfront-s3",
519
- "Name": {
520
- "Fn::Join": [
521
- "",
522
- [
523
- "aws-cloudfront-s3-testn-key-",
524
- {
525
- "Fn::Select": [
526
- 2,
527
- {
528
- "Fn::Split": [
529
- "/",
530
- {
531
- "Ref": "AWS::StackId"
532
- }
533
- ]
534
- }
535
- ]
536
- }
537
- ]
538
- ]
539
- },
540
- "OriginAccessControlOriginType": "s3",
541
- "SigningBehavior": "always",
542
- "SigningProtocol": "sigv4"
543
- }
544
- }
545
- },
546
- "testcloudfronts3cmkencryptionkeyCloudFrontDistribution57C8A907": {
547
- "Type": "AWS::CloudFront::Distribution",
548
- "Properties": {
549
- "DistributionConfig": {
550
- "DefaultCacheBehavior": {
551
- "CachePolicyId": "658327ea-f89d-4fab-a63d-7e88639e58f6",
552
- "Compress": true,
553
- "TargetOriginId": "cfts3bucketencryptedwithcmkprovidedasexistingbuckettestcloudfronts3cmkencryptionkeyCloudFrontDistributionOrigin128E2E2A5",
554
- "ViewerProtocolPolicy": "redirect-to-https"
555
- },
556
- "DefaultRootObject": "index.html",
557
- "Enabled": true,
558
- "HttpVersion": "http2",
559
- "IPV6Enabled": true,
560
- "Logging": {
561
- "Bucket": {
562
- "Fn::GetAtt": [
563
- "testcloudfronts3cmkencryptionkeyCloudfrontLoggingBucket7C1787CD",
564
- "RegionalDomainName"
565
- ]
566
- }
567
- },
568
- "Origins": [
569
- {
570
- "DomainName": {
571
- "Fn::GetAtt": [
572
- "existings3bucketencryptedwithcmkS3BucketCC461491",
573
- "RegionalDomainName"
574
- ]
575
- },
576
- "Id": "cfts3bucketencryptedwithcmkprovidedasexistingbuckettestcloudfronts3cmkencryptionkeyCloudFrontDistributionOrigin128E2E2A5",
577
- "OriginAccessControlId": {
578
- "Fn::GetAtt": [
579
- "testcloudfronts3cmkencryptionkeyCloudFrontOac4EFECBD9",
580
- "Id"
581
- ]
582
- },
583
- "S3OriginConfig": {
584
- "OriginAccessIdentity": ""
585
- }
586
- }
587
- ]
588
- }
589
- },
590
- "Metadata": {
591
- "cfn_nag": {
592
- "rules_to_suppress": [
593
- {
594
- "id": "W70",
595
- "reason": "Since the distribution uses the CloudFront domain name, CloudFront automatically sets the security policy to TLSv1 regardless of the value of MinimumProtocolVersion"
596
- }
597
- ]
598
- }
599
- }
600
- },
601
- "testcloudfronts3cmkencryptionkeyKmsKeyPolicyUpdateLambdaRoleB7BBA8A2": {
602
- "Type": "AWS::IAM::Role",
603
- "Properties": {
604
- "AssumeRolePolicyDocument": {
605
- "Statement": [
606
- {
607
- "Action": "sts:AssumeRole",
608
- "Effect": "Allow",
609
- "Principal": {
610
- "Service": "lambda.amazonaws.com"
611
- }
612
- }
613
- ],
614
- "Version": "2012-10-17"
615
- },
616
- "Description": "Role to update kms key policy to allow CloudFront access",
617
- "Policies": [
618
- {
619
- "PolicyDocument": {
620
- "Statement": [
621
- {
622
- "Action": [
623
- "kms:PutKeyPolicy",
624
- "kms:GetKeyPolicy",
625
- "kms:DescribeKey"
626
- ],
627
- "Effect": "Allow",
628
- "Resource": {
629
- "Fn::GetAtt": [
630
- "cmkKey598B20B2",
631
- "Arn"
632
- ]
633
- }
634
- }
635
- ],
636
- "Version": "2012-10-17"
637
- },
638
- "PolicyName": "KmsPolicy"
639
- }
640
- ]
641
- }
642
- },
643
- "testcloudfronts3cmkencryptionkeyKmsKeyPolicyUpdateLambdaRoleDefaultPolicy0E93FCDF": {
644
- "Type": "AWS::IAM::Policy",
645
- "Properties": {
646
- "PolicyDocument": {
647
- "Statement": [
648
- {
649
- "Action": [
650
- "xray:PutTraceSegments",
651
- "xray:PutTelemetryRecords"
652
- ],
653
- "Effect": "Allow",
654
- "Resource": "*"
655
- }
656
- ],
657
- "Version": "2012-10-17"
658
- },
659
- "PolicyName": "testcloudfronts3cmkencryptionkeyKmsKeyPolicyUpdateLambdaRoleDefaultPolicy0E93FCDF",
660
- "Roles": [
661
- {
662
- "Ref": "testcloudfronts3cmkencryptionkeyKmsKeyPolicyUpdateLambdaRoleB7BBA8A2"
663
- }
664
- ]
665
- },
666
- "Metadata": {
667
- "cfn_nag": {
668
- "rules_to_suppress": [
669
- {
670
- "id": "W12",
671
- "reason": "Lambda needs the following minimum required permissions to send trace data to X-Ray and access ENIs in a VPC."
672
- }
673
- ]
674
- }
675
- }
676
- },
677
- "testcloudfronts3cmkencryptionkeyLambdaFunctionServiceRole85783D1D": {
678
- "Type": "AWS::IAM::Role",
679
- "Properties": {
680
- "AssumeRolePolicyDocument": {
681
- "Statement": [
682
- {
683
- "Action": "sts:AssumeRole",
684
- "Effect": "Allow",
685
- "Principal": {
686
- "Service": "lambda.amazonaws.com"
687
- }
688
- }
689
- ],
690
- "Version": "2012-10-17"
691
- },
692
- "Policies": [
693
- {
694
- "PolicyDocument": {
695
- "Statement": [
696
- {
697
- "Action": [
698
- "logs:CreateLogGroup",
699
- "logs:CreateLogStream",
700
- "logs:PutLogEvents"
701
- ],
702
- "Effect": "Allow",
703
- "Resource": {
704
- "Fn::Join": [
705
- "",
706
- [
707
- "arn:",
708
- {
709
- "Ref": "AWS::Partition"
710
- },
711
- ":logs:",
712
- {
713
- "Ref": "AWS::Region"
714
- },
715
- ":",
716
- {
717
- "Ref": "AWS::AccountId"
718
- },
719
- ":log-group:/aws/lambda/*"
720
- ]
721
- ]
722
- }
723
- }
724
- ],
725
- "Version": "2012-10-17"
726
- },
727
- "PolicyName": "LambdaFunctionServiceRolePolicy"
728
- }
729
- ]
730
- }
731
- },
732
- "testcloudfronts3cmkencryptionkeyLambdaFunction4DCD662E": {
733
- "Type": "AWS::Lambda::Function",
734
- "Properties": {
735
- "Code": {
736
- "S3Bucket": {
737
- "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
738
- },
739
- "S3Key": "4a4b024f310aca2784b69bcb790e9ccaef785e9ad5d1b73624144f88c4465b4f.zip"
740
- },
741
- "Description": "Custom resource function that updates a provided key policy to allow CloudFront access.",
742
- "Handler": "index.handler",
743
- "Role": {
744
- "Fn::GetAtt": [
745
- "testcloudfronts3cmkencryptionkeyKmsKeyPolicyUpdateLambdaRoleB7BBA8A2",
746
- "Arn"
747
- ]
748
- },
749
- "Runtime": "nodejs18.x",
750
- "TracingConfig": {
751
- "Mode": "Active"
752
- }
753
- },
754
- "DependsOn": [
755
- "testcloudfronts3cmkencryptionkeyKmsKeyPolicyUpdateLambdaRoleDefaultPolicy0E93FCDF",
756
- "testcloudfronts3cmkencryptionkeyKmsKeyPolicyUpdateLambdaRoleB7BBA8A2"
757
- ],
758
- "Metadata": {
759
- "cfn_nag": {
760
- "rules_to_suppress": [
761
- {
762
- "id": "W58",
763
- "reason": "Lambda functions has the required permission to write CloudWatch Logs. It uses custom policy instead of arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole with tighter permissions."
764
- },
765
- {
766
- "id": "W89",
767
- "reason": "This is not a rule for the general case, just for specific use cases/industries"
768
- },
769
- {
770
- "id": "W92",
771
- "reason": "Impossible for us to define the correct concurrency for clients"
772
- }
773
- ]
774
- }
775
- }
776
- },
777
- "testcloudfronts3cmkencryptionkeyKmsKeyPolicyUpdateProviderframeworkonEventServiceRole3D4040AD": {
778
- "Type": "AWS::IAM::Role",
779
- "Properties": {
780
- "AssumeRolePolicyDocument": {
781
- "Statement": [
782
- {
783
- "Action": "sts:AssumeRole",
784
- "Effect": "Allow",
785
- "Principal": {
786
- "Service": "lambda.amazonaws.com"
787
- }
788
- }
789
- ],
790
- "Version": "2012-10-17"
791
- },
792
- "ManagedPolicyArns": [
793
- {
794
- "Fn::Join": [
795
- "",
796
- [
797
- "arn:",
798
- {
799
- "Ref": "AWS::Partition"
800
- },
801
- ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
802
- ]
803
- ]
804
- }
805
- ]
806
- }
807
- },
808
- "testcloudfronts3cmkencryptionkeyKmsKeyPolicyUpdateProviderframeworkonEventServiceRoleDefaultPolicy066CD751": {
809
- "Type": "AWS::IAM::Policy",
810
- "Properties": {
811
- "PolicyDocument": {
812
- "Statement": [
813
- {
814
- "Action": "lambda:InvokeFunction",
815
- "Effect": "Allow",
816
- "Resource": [
817
- {
818
- "Fn::GetAtt": [
819
- "testcloudfronts3cmkencryptionkeyLambdaFunction4DCD662E",
820
- "Arn"
821
- ]
822
- },
823
- {
824
- "Fn::Join": [
825
- "",
826
- [
827
- {
828
- "Fn::GetAtt": [
829
- "testcloudfronts3cmkencryptionkeyLambdaFunction4DCD662E",
830
- "Arn"
831
- ]
832
- },
833
- ":*"
834
- ]
835
- ]
836
- }
837
- ]
838
- }
839
- ],
840
- "Version": "2012-10-17"
841
- },
842
- "PolicyName": "testcloudfronts3cmkencryptionkeyKmsKeyPolicyUpdateProviderframeworkonEventServiceRoleDefaultPolicy066CD751",
843
- "Roles": [
844
- {
845
- "Ref": "testcloudfronts3cmkencryptionkeyKmsKeyPolicyUpdateProviderframeworkonEventServiceRole3D4040AD"
846
- }
847
- ]
848
- }
849
- },
850
- "testcloudfronts3cmkencryptionkeyKmsKeyPolicyUpdateProviderframeworkonEvent8BCBFC59": {
851
- "Type": "AWS::Lambda::Function",
852
- "Properties": {
853
- "Code": {
854
- "S3Bucket": {
855
- "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
856
- },
857
- "S3Key": "7382a0addb9f34974a1ea6c6c9b063882af874828f366f5c93b2b7b64db15c94.zip"
858
- },
859
- "Description": "AWS CDK resource provider framework - onEvent (cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket/test-cloudfront-s3-cmk-encryption-key/KmsKeyPolicyUpdateProvider)",
860
- "Environment": {
861
- "Variables": {
862
- "USER_ON_EVENT_FUNCTION_ARN": {
863
- "Fn::GetAtt": [
864
- "testcloudfronts3cmkencryptionkeyLambdaFunction4DCD662E",
865
- "Arn"
866
- ]
867
- }
868
- }
869
- },
870
- "Handler": "framework.onEvent",
871
- "Role": {
872
- "Fn::GetAtt": [
873
- "testcloudfronts3cmkencryptionkeyKmsKeyPolicyUpdateProviderframeworkonEventServiceRole3D4040AD",
874
- "Arn"
875
- ]
876
- },
877
- "Runtime": "nodejs18.x",
878
- "Timeout": 900
879
- },
880
- "DependsOn": [
881
- "testcloudfronts3cmkencryptionkeyKmsKeyPolicyUpdateProviderframeworkonEventServiceRoleDefaultPolicy066CD751",
882
- "testcloudfronts3cmkencryptionkeyKmsKeyPolicyUpdateProviderframeworkonEventServiceRole3D4040AD"
883
- ],
884
- "Metadata": {
885
- "cfn_nag": {
886
- "rules_to_suppress": [
887
- {
888
- "id": "W58",
889
- "reason": "The CDK-provided lambda function that backs their Custom Resource Provider framework has an IAM role with the arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole Managed Policy attached, which grants permission to write to CloudWatch Logs"
890
- },
891
- {
892
- "id": "W89",
893
- "reason": "The CDK-provided lambda function that backs their Custom Resource Provider framework does not access VPC resources"
894
- },
895
- {
896
- "id": "W92",
897
- "reason": "The CDK-provided lambda function that backs their Custom Resource Provider framework does not define ReservedConcurrentExecutions"
898
- }
899
- ]
900
- }
901
- }
902
- },
903
- "testcloudfronts3cmkencryptionkeyKmsKeyPolicyUpdaterFAFEBF0F": {
904
- "Type": "Custom::KmsKeyPolicyUpdater",
905
- "Properties": {
906
- "ServiceToken": {
907
- "Fn::GetAtt": [
908
- "testcloudfronts3cmkencryptionkeyKmsKeyPolicyUpdateProviderframeworkonEvent8BCBFC59",
909
- "Arn"
910
- ]
911
- },
912
- "KmsKeyId": {
913
- "Ref": "cmkKey598B20B2"
914
- },
915
- "CloudFrontDistributionId": {
916
- "Ref": "testcloudfronts3cmkencryptionkeyCloudFrontDistribution57C8A907"
917
- },
918
- "AccountId": {
919
- "Ref": "AWS::AccountId"
920
- }
921
- },
922
- "UpdateReplacePolicy": "Delete",
923
- "DeletionPolicy": "Delete"
924
- }
925
- },
926
- "Parameters": {
927
- "BootstrapVersion": {
928
- "Type": "AWS::SSM::Parameter::Value<String>",
929
- "Default": "/cdk-bootstrap/hnb659fds/version",
930
- "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
931
- }
932
- },
933
- "Rules": {
934
- "CheckBootstrapVersion": {
935
- "Assertions": [
936
- {
937
- "Assert": {
938
- "Fn::Not": [
939
- {
940
- "Fn::Contains": [
941
- [
942
- "1",
943
- "2",
944
- "3",
945
- "4",
946
- "5"
947
- ],
948
- {
949
- "Ref": "BootstrapVersion"
950
- }
951
- ]
952
- }
953
- ]
954
- },
955
- "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
956
- }
957
- ]
958
- }
959
- }
960
- }