@aws-solutions-constructs/aws-cloudfront-s3 2.51.0 → 2.52.1

Files changed (127)
  1. package/.eslintignore +2 -0
  2. package/.jsii +50 -5
  3. package/integ.config.json +7 -0
  4. package/lib/index.js +1 -1
  5. package/package.json +11 -10
  6. package/test/integ.cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.js +6 -3
  7. package/test/integ.cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.js.snapshot/asset.4a4b024f310aca2784b69bcb790e9ccaef785e9ad5d1b73624144f88c4465b4f/index.d.ts +30 -0
  8. package/test/integ.cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.js.snapshot/asset.4a4b024f310aca2784b69bcb790e9ccaef785e9ad5d1b73624144f88c4465b4f/index.js +127 -0
  9. package/test/integ.cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.js.snapshot/asset.7382a0addb9f34974a1ea6c6c9b063882af874828f366f5c93b2b7b64db15c94/cfn-response.js +1 -0
  10. package/test/integ.cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.js.snapshot/asset.7382a0addb9f34974a1ea6c6c9b063882af874828f366f5c93b2b7b64db15c94/consts.js +1 -0
  11. package/test/integ.cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.js.snapshot/asset.7382a0addb9f34974a1ea6c6c9b063882af874828f366f5c93b2b7b64db15c94/framework.js +3 -0
  12. package/test/integ.cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.js.snapshot/asset.7382a0addb9f34974a1ea6c6c9b063882af874828f366f5c93b2b7b64db15c94/outbound.js +1 -0
  13. package/test/integ.cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.js.snapshot/asset.7382a0addb9f34974a1ea6c6c9b063882af874828f366f5c93b2b7b64db15c94/util.js +1 -0
  14. package/test/integ.cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.js.snapshot/cdk.out +1 -0
  15. package/test/integ.cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.js.snapshot/cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.assets.json +45 -0
  16. package/test/integ.cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.js.snapshot/cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.template.json +960 -0
  17. package/test/integ.cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.js.snapshot/cfts3bucketencryptedwithcmkprovidedasexistingbucketIntegDefaultTestDeployAssertF6031114.assets.json +19 -0
  18. package/test/integ.cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.js.snapshot/cfts3bucketencryptedwithcmkprovidedasexistingbucketIntegDefaultTestDeployAssertF6031114.template.json +36 -0
  19. package/test/integ.cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.js.snapshot/integ.json +12 -0
  20. package/test/integ.cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.js.snapshot/manifest.json +221 -0
  21. package/test/integ.cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.js.snapshot/tree.json +1326 -0
  22. package/test/integ.cfts3-bucket-encrypted-with-managed-key-provided-as-existingbucket.js +6 -3
  23. package/test/integ.cfts3-bucket-encrypted-with-managed-key-provided-as-existingbucket.js.snapshot/cdk.out +1 -0
  24. package/test/integ.cfts3-bucket-encrypted-with-managed-key-provided-as-existingbucket.js.snapshot/cfts3-bucket-encrypted-with-managed-key-provided-as-existingbucket.assets.json +19 -0
  25. package/test/integ.cfts3-bucket-encrypted-with-managed-key-provided-as-existingbucket.js.snapshot/cfts3-bucket-encrypted-with-managed-key-provided-as-existingbucket.template.json +594 -0
  26. package/test/integ.cfts3-bucket-encrypted-with-managed-key-provided-as-existingbucket.js.snapshot/cfts3bucketencryptedwithmanagedkeyprovidedasexistingbucketIntegDefaultTestDeployAssert03A82C16.assets.json +19 -0
  27. package/test/integ.cfts3-bucket-encrypted-with-managed-key-provided-as-existingbucket.js.snapshot/cfts3bucketencryptedwithmanagedkeyprovidedasexistingbucketIntegDefaultTestDeployAssert03A82C16.template.json +36 -0
  28. package/test/integ.cfts3-bucket-encrypted-with-managed-key-provided-as-existingbucket.js.snapshot/integ.json +12 -0
  29. package/test/integ.cfts3-bucket-encrypted-with-managed-key-provided-as-existingbucket.js.snapshot/manifest.json +167 -0
  30. package/test/integ.cfts3-bucket-encrypted-with-managed-key-provided-as-existingbucket.js.snapshot/tree.json +790 -0
  31. package/test/integ.cfts3-bucket-with-http-origin.js +6 -3
  32. package/test/integ.cfts3-bucket-with-http-origin.js.snapshot/cdk.out +1 -0
  33. package/test/integ.cfts3-bucket-with-http-origin.js.snapshot/cfts3-bucket-with-http-origin.assets.json +19 -0
  34. package/test/integ.cfts3-bucket-with-http-origin.js.snapshot/cfts3-bucket-with-http-origin.template.json +559 -0
  35. package/test/integ.cfts3-bucket-with-http-origin.js.snapshot/cfts3bucketwithhttporiginIntegDefaultTestDeployAssert75EB76AB.assets.json +19 -0
  36. package/test/integ.cfts3-bucket-with-http-origin.js.snapshot/cfts3bucketwithhttporiginIntegDefaultTestDeployAssert75EB76AB.template.json +36 -0
  37. package/test/integ.cfts3-bucket-with-http-origin.js.snapshot/integ.json +12 -0
  38. package/test/integ.cfts3-bucket-with-http-origin.js.snapshot/manifest.json +161 -0
  39. package/test/integ.cfts3-bucket-with-http-origin.js.snapshot/tree.json +753 -0
  40. package/test/integ.cfts3-cmk-provided-as-bucket-prop.js +6 -3
  41. package/test/integ.cfts3-cmk-provided-as-bucket-prop.js.snapshot/asset.4a4b024f310aca2784b69bcb790e9ccaef785e9ad5d1b73624144f88c4465b4f/index.d.ts +30 -0
  42. package/test/integ.cfts3-cmk-provided-as-bucket-prop.js.snapshot/asset.4a4b024f310aca2784b69bcb790e9ccaef785e9ad5d1b73624144f88c4465b4f/index.js +127 -0
  43. package/test/integ.cfts3-cmk-provided-as-bucket-prop.js.snapshot/asset.7382a0addb9f34974a1ea6c6c9b063882af874828f366f5c93b2b7b64db15c94/cfn-response.js +1 -0
  44. package/test/integ.cfts3-cmk-provided-as-bucket-prop.js.snapshot/asset.7382a0addb9f34974a1ea6c6c9b063882af874828f366f5c93b2b7b64db15c94/consts.js +1 -0
  45. package/test/integ.cfts3-cmk-provided-as-bucket-prop.js.snapshot/asset.7382a0addb9f34974a1ea6c6c9b063882af874828f366f5c93b2b7b64db15c94/framework.js +3 -0
  46. package/test/integ.cfts3-cmk-provided-as-bucket-prop.js.snapshot/asset.7382a0addb9f34974a1ea6c6c9b063882af874828f366f5c93b2b7b64db15c94/outbound.js +1 -0
  47. package/test/integ.cfts3-cmk-provided-as-bucket-prop.js.snapshot/asset.7382a0addb9f34974a1ea6c6c9b063882af874828f366f5c93b2b7b64db15c94/util.js +1 -0
  48. package/test/integ.cfts3-cmk-provided-as-bucket-prop.js.snapshot/cdk.out +1 -0
  49. package/test/integ.cfts3-cmk-provided-as-bucket-prop.js.snapshot/cfts3-cmk-provided-as-bucket-prop.assets.json +45 -0
  50. package/test/integ.cfts3-cmk-provided-as-bucket-prop.js.snapshot/cfts3-cmk-provided-as-bucket-prop.template.json +960 -0
  51. package/test/integ.cfts3-cmk-provided-as-bucket-prop.js.snapshot/cfts3cmkprovidedasbucketpropIntegDefaultTestDeployAssert38E63D55.assets.json +19 -0
  52. package/test/integ.cfts3-cmk-provided-as-bucket-prop.js.snapshot/cfts3cmkprovidedasbucketpropIntegDefaultTestDeployAssert38E63D55.template.json +36 -0
  53. package/test/integ.cfts3-cmk-provided-as-bucket-prop.js.snapshot/integ.json +12 -0
  54. package/test/integ.cfts3-cmk-provided-as-bucket-prop.js.snapshot/manifest.json +221 -0
  55. package/test/integ.cfts3-cmk-provided-as-bucket-prop.js.snapshot/tree.json +1326 -0
  56. package/test/integ.cfts3-custom-headers.js +6 -3
  57. package/test/integ.cfts3-custom-headers.js.snapshot/asset.b7f33614a69548d6bafe224d751a7ef238cde19097415e553fe8b63a4c8fd8a6/index.js +1 -0
  58. package/test/integ.cfts3-custom-headers.js.snapshot/cdk.out +1 -0
  59. package/test/integ.cfts3-custom-headers.js.snapshot/cfts3-custom-headers.assets.json +32 -0
  60. package/test/integ.cfts3-custom-headers.js.snapshot/cfts3-custom-headers.template.json +981 -0
  61. package/test/integ.cfts3-custom-headers.js.snapshot/cfts3customheadersIntegDefaultTestDeployAssert6EEC9973.assets.json +19 -0
  62. package/test/integ.cfts3-custom-headers.js.snapshot/cfts3customheadersIntegDefaultTestDeployAssert6EEC9973.template.json +36 -0
  63. package/test/integ.cfts3-custom-headers.js.snapshot/integ.json +12 -0
  64. package/test/integ.cfts3-custom-headers.js.snapshot/manifest.json +215 -0
  65. package/test/integ.cfts3-custom-headers.js.snapshot/tree.json +1167 -0
  66. package/test/integ.cfts3-custom-originPath.js +6 -3
  67. package/test/integ.cfts3-custom-originPath.js.snapshot/asset.b7f33614a69548d6bafe224d751a7ef238cde19097415e553fe8b63a4c8fd8a6/index.js +1 -0
  68. package/test/integ.cfts3-custom-originPath.js.snapshot/cdk.out +1 -0
  69. package/test/integ.cfts3-custom-originPath.js.snapshot/cfts3-custom-originPath.assets.json +32 -0
  70. package/test/integ.cfts3-custom-originPath.js.snapshot/cfts3-custom-originPath.template.json +950 -0
  71. package/test/integ.cfts3-custom-originPath.js.snapshot/cfts3customoriginPathIntegDefaultTestDeployAssert61F499B2.assets.json +19 -0
  72. package/test/integ.cfts3-custom-originPath.js.snapshot/cfts3customoriginPathIntegDefaultTestDeployAssert61F499B2.template.json +36 -0
  73. package/test/integ.cfts3-custom-originPath.js.snapshot/integ.json +12 -0
  74. package/test/integ.cfts3-custom-originPath.js.snapshot/manifest.json +209 -0
  75. package/test/integ.cfts3-custom-originPath.js.snapshot/tree.json +1117 -0
  76. package/test/integ.cfts3-customLoggingBuckets.js +6 -3
  77. package/test/integ.cfts3-customLoggingBuckets.js.snapshot/asset.b7f33614a69548d6bafe224d751a7ef238cde19097415e553fe8b63a4c8fd8a6/index.js +1 -0
  78. package/test/integ.cfts3-customLoggingBuckets.js.snapshot/cdk.out +1 -0
  79. package/test/integ.cfts3-customLoggingBuckets.js.snapshot/cfts3-customLoggingBuckets.assets.json +32 -0
  80. package/test/integ.cfts3-customLoggingBuckets.js.snapshot/cfts3-customLoggingBuckets.template.json +987 -0
  81. package/test/integ.cfts3-customLoggingBuckets.js.snapshot/cfts3customLoggingBucketsIntegDefaultTestDeployAssert4D171F9F.assets.json +19 -0
  82. package/test/integ.cfts3-customLoggingBuckets.js.snapshot/cfts3customLoggingBucketsIntegDefaultTestDeployAssert4D171F9F.template.json +36 -0
  83. package/test/integ.cfts3-customLoggingBuckets.js.snapshot/integ.json +12 -0
  84. package/test/integ.cfts3-customLoggingBuckets.js.snapshot/manifest.json +209 -0
  85. package/test/integ.cfts3-customLoggingBuckets.js.snapshot/tree.json +1156 -0
  86. package/test/integ.cfts3-existing-bucket.js +6 -3
  87. package/test/integ.cfts3-existing-bucket.js.snapshot/asset.b7f33614a69548d6bafe224d751a7ef238cde19097415e553fe8b63a4c8fd8a6/index.js +1 -0
  88. package/test/integ.cfts3-existing-bucket.js.snapshot/cdk.out +1 -0
  89. package/test/integ.cfts3-existing-bucket.js.snapshot/cfts3-existing-bucket.assets.json +32 -0
  90. package/test/integ.cfts3-existing-bucket.js.snapshot/cfts3-existing-bucket.template.json +1014 -0
  91. package/test/integ.cfts3-existing-bucket.js.snapshot/cfts3existingbucketIntegDefaultTestDeployAssertA6D4EB49.assets.json +19 -0
  92. package/test/integ.cfts3-existing-bucket.js.snapshot/cfts3existingbucketIntegDefaultTestDeployAssertA6D4EB49.template.json +36 -0
  93. package/test/integ.cfts3-existing-bucket.js.snapshot/integ.json +12 -0
  94. package/test/integ.cfts3-existing-bucket.js.snapshot/manifest.json +221 -0
  95. package/test/integ.cfts3-existing-bucket.js.snapshot/tree.json +1229 -0
  96. package/test/integ.cfts3-no-arguments.js +6 -3
  97. package/test/integ.cfts3-no-arguments.js.snapshot/asset.b7f33614a69548d6bafe224d751a7ef238cde19097415e553fe8b63a4c8fd8a6/index.js +1 -0
  98. package/test/integ.cfts3-no-arguments.js.snapshot/cdk.out +1 -0
  99. package/test/integ.cfts3-no-arguments.js.snapshot/cfts3-no-arguments.assets.json +32 -0
  100. package/test/integ.cfts3-no-arguments.js.snapshot/cfts3-no-arguments.template.json +959 -0
  101. package/test/integ.cfts3-no-arguments.js.snapshot/cfts3noargumentsIntegDefaultTestDeployAssertBA5AFA25.assets.json +19 -0
  102. package/test/integ.cfts3-no-arguments.js.snapshot/cfts3noargumentsIntegDefaultTestDeployAssertBA5AFA25.template.json +36 -0
  103. package/test/integ.cfts3-no-arguments.js.snapshot/integ.json +12 -0
  104. package/test/integ.cfts3-no-arguments.js.snapshot/manifest.json +209 -0
  105. package/test/integ.cfts3-no-arguments.js.snapshot/tree.json +1117 -0
  106. package/test/integ.cfts3-no-security-headers.js +6 -3
  107. package/test/integ.cfts3-no-security-headers.js.snapshot/asset.b7f33614a69548d6bafe224d751a7ef238cde19097415e553fe8b63a4c8fd8a6/index.js +1 -0
  108. package/test/integ.cfts3-no-security-headers.js.snapshot/cdk.out +1 -0
  109. package/test/integ.cfts3-no-security-headers.js.snapshot/cfts3-no-security-headers.assets.json +32 -0
  110. package/test/integ.cfts3-no-security-headers.js.snapshot/cfts3-no-security-headers.template.json +926 -0
  111. package/test/integ.cfts3-no-security-headers.js.snapshot/cfts3nosecurityheadersIntegDefaultTestDeployAssert38FE05BE.assets.json +19 -0
  112. package/test/integ.cfts3-no-security-headers.js.snapshot/cfts3nosecurityheadersIntegDefaultTestDeployAssert38FE05BE.template.json +36 -0
  113. package/test/integ.cfts3-no-security-headers.js.snapshot/integ.json +12 -0
  114. package/test/integ.cfts3-no-security-headers.js.snapshot/manifest.json +203 -0
  115. package/test/integ.cfts3-no-security-headers.js.snapshot/tree.json +1076 -0
  116. package/test/integ.cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.expected.json +0 -960
  117. package/test/integ.cfts3-bucket-encrypted-with-managed-key-provided-as-existingbucket.expected.json +0 -594
  118. package/test/integ.cfts3-bucket-with-http-origin.expected.json +0 -559
  119. package/test/integ.cfts3-cmk-encryption.expected.json +0 -527
  120. package/test/integ.cfts3-cmk-provided-as-bucket-prop.expected.json +0 -960
  121. package/test/integ.cfts3-custom-headers.expected.json +0 -981
  122. package/test/integ.cfts3-custom-originPath.expected.json +0 -950
  123. package/test/integ.cfts3-customCloudFrontLoggingBucket.expected.json +0 -700
  124. package/test/integ.cfts3-customLoggingBuckets.expected.json +0 -987
  125. package/test/integ.cfts3-existing-bucket.expected.json +0 -1014
  126. package/test/integ.cfts3-no-arguments.expected.json +0 -959
  127. package/test/integ.cfts3-no-security-headers.expected.json +0 -926
@@ -0,0 +1,960 @@
1
+ {
2
+ "Description": "Integration Test for aws-cloudfront-s3",
3
+ "Resources": {
4
+ "cmkKey598B20B2": {
5
+ "Type": "AWS::KMS::Key",
6
+ "Properties": {
7
+ "EnableKeyRotation": true,
8
+ "KeyPolicy": {
9
+ "Statement": [
10
+ {
11
+ "Action": "kms:*",
12
+ "Effect": "Allow",
13
+ "Principal": {
14
+ "AWS": {
15
+ "Fn::Join": [
16
+ "",
17
+ [
18
+ "arn:",
19
+ {
20
+ "Ref": "AWS::Partition"
21
+ },
22
+ ":iam::",
23
+ {
24
+ "Ref": "AWS::AccountId"
25
+ },
26
+ ":root"
27
+ ]
28
+ ]
29
+ }
30
+ },
31
+ "Resource": "*"
32
+ }
33
+ ],
34
+ "Version": "2012-10-17"
35
+ }
36
+ },
37
+ "UpdateReplacePolicy": "Delete",
38
+ "DeletionPolicy": "Delete"
39
+ },
40
+ "existings3bucketencryptedwithcmkS3LoggingBucket2B2DE39B": {
41
+ "Type": "AWS::S3::Bucket",
42
+ "Properties": {
43
+ "BucketEncryption": {
44
+ "ServerSideEncryptionConfiguration": [
45
+ {
46
+ "ServerSideEncryptionByDefault": {
47
+ "SSEAlgorithm": "AES256"
48
+ }
49
+ }
50
+ ]
51
+ },
52
+ "PublicAccessBlockConfiguration": {
53
+ "BlockPublicAcls": true,
54
+ "BlockPublicPolicy": true,
55
+ "IgnorePublicAcls": true,
56
+ "RestrictPublicBuckets": true
57
+ },
58
+ "VersioningConfiguration": {
59
+ "Status": "Enabled"
60
+ }
61
+ },
62
+ "UpdateReplacePolicy": "Retain",
63
+ "DeletionPolicy": "Retain",
64
+ "Metadata": {
65
+ "cfn_nag": {
66
+ "rules_to_suppress": [
67
+ {
68
+ "id": "W35",
69
+ "reason": "This S3 bucket is used as the access logging bucket for another bucket"
70
+ }
71
+ ]
72
+ }
73
+ }
74
+ },
75
+ "existings3bucketencryptedwithcmkS3LoggingBucketPolicy4A3AC1CB": {
76
+ "Type": "AWS::S3::BucketPolicy",
77
+ "Properties": {
78
+ "Bucket": {
79
+ "Ref": "existings3bucketencryptedwithcmkS3LoggingBucket2B2DE39B"
80
+ },
81
+ "PolicyDocument": {
82
+ "Statement": [
83
+ {
84
+ "Action": "s3:*",
85
+ "Condition": {
86
+ "Bool": {
87
+ "aws:SecureTransport": "false"
88
+ }
89
+ },
90
+ "Effect": "Deny",
91
+ "Principal": {
92
+ "AWS": "*"
93
+ },
94
+ "Resource": [
95
+ {
96
+ "Fn::GetAtt": [
97
+ "existings3bucketencryptedwithcmkS3LoggingBucket2B2DE39B",
98
+ "Arn"
99
+ ]
100
+ },
101
+ {
102
+ "Fn::Join": [
103
+ "",
104
+ [
105
+ {
106
+ "Fn::GetAtt": [
107
+ "existings3bucketencryptedwithcmkS3LoggingBucket2B2DE39B",
108
+ "Arn"
109
+ ]
110
+ },
111
+ "/*"
112
+ ]
113
+ ]
114
+ }
115
+ ]
116
+ },
117
+ {
118
+ "Action": "s3:PutObject",
119
+ "Condition": {
120
+ "ArnLike": {
121
+ "aws:SourceArn": {
122
+ "Fn::GetAtt": [
123
+ "existings3bucketencryptedwithcmkS3BucketCC461491",
124
+ "Arn"
125
+ ]
126
+ }
127
+ },
128
+ "StringEquals": {
129
+ "aws:SourceAccount": {
130
+ "Ref": "AWS::AccountId"
131
+ }
132
+ }
133
+ },
134
+ "Effect": "Allow",
135
+ "Principal": {
136
+ "Service": "logging.s3.amazonaws.com"
137
+ },
138
+ "Resource": {
139
+ "Fn::Join": [
140
+ "",
141
+ [
142
+ {
143
+ "Fn::GetAtt": [
144
+ "existings3bucketencryptedwithcmkS3LoggingBucket2B2DE39B",
145
+ "Arn"
146
+ ]
147
+ },
148
+ "/*"
149
+ ]
150
+ ]
151
+ }
152
+ }
153
+ ],
154
+ "Version": "2012-10-17"
155
+ }
156
+ }
157
+ },
158
+ "existings3bucketencryptedwithcmkS3BucketCC461491": {
159
+ "Type": "AWS::S3::Bucket",
160
+ "Properties": {
161
+ "BucketEncryption": {
162
+ "ServerSideEncryptionConfiguration": [
163
+ {
164
+ "ServerSideEncryptionByDefault": {
165
+ "KMSMasterKeyID": {
166
+ "Fn::GetAtt": [
167
+ "cmkKey598B20B2",
168
+ "Arn"
169
+ ]
170
+ },
171
+ "SSEAlgorithm": "aws:kms"
172
+ }
173
+ }
174
+ ]
175
+ },
176
+ "LifecycleConfiguration": {
177
+ "Rules": [
178
+ {
179
+ "NoncurrentVersionTransitions": [
180
+ {
181
+ "StorageClass": "GLACIER",
182
+ "TransitionInDays": 90
183
+ }
184
+ ],
185
+ "Status": "Enabled"
186
+ }
187
+ ]
188
+ },
189
+ "LoggingConfiguration": {
190
+ "DestinationBucketName": {
191
+ "Ref": "existings3bucketencryptedwithcmkS3LoggingBucket2B2DE39B"
192
+ }
193
+ },
194
+ "PublicAccessBlockConfiguration": {
195
+ "BlockPublicAcls": true,
196
+ "BlockPublicPolicy": true,
197
+ "IgnorePublicAcls": true,
198
+ "RestrictPublicBuckets": true
199
+ },
200
+ "VersioningConfiguration": {
201
+ "Status": "Enabled"
202
+ }
203
+ },
204
+ "UpdateReplacePolicy": "Retain",
205
+ "DeletionPolicy": "Retain"
206
+ },
207
+ "existings3bucketencryptedwithcmkS3BucketPolicyA1A37425": {
208
+ "Type": "AWS::S3::BucketPolicy",
209
+ "Properties": {
210
+ "Bucket": {
211
+ "Ref": "existings3bucketencryptedwithcmkS3BucketCC461491"
212
+ },
213
+ "PolicyDocument": {
214
+ "Statement": [
215
+ {
216
+ "Action": "s3:*",
217
+ "Condition": {
218
+ "Bool": {
219
+ "aws:SecureTransport": "false"
220
+ }
221
+ },
222
+ "Effect": "Deny",
223
+ "Principal": {
224
+ "AWS": "*"
225
+ },
226
+ "Resource": [
227
+ {
228
+ "Fn::GetAtt": [
229
+ "existings3bucketencryptedwithcmkS3BucketCC461491",
230
+ "Arn"
231
+ ]
232
+ },
233
+ {
234
+ "Fn::Join": [
235
+ "",
236
+ [
237
+ {
238
+ "Fn::GetAtt": [
239
+ "existings3bucketencryptedwithcmkS3BucketCC461491",
240
+ "Arn"
241
+ ]
242
+ },
243
+ "/*"
244
+ ]
245
+ ]
246
+ }
247
+ ]
248
+ },
249
+ {
250
+ "Action": "s3:GetObject",
251
+ "Condition": {
252
+ "StringEquals": {
253
+ "AWS:SourceArn": {
254
+ "Fn::Join": [
255
+ "",
256
+ [
257
+ "arn:aws:cloudfront::",
258
+ {
259
+ "Ref": "AWS::AccountId"
260
+ },
261
+ ":distribution/",
262
+ {
263
+ "Ref": "testcloudfronts3cmkencryptionkeyCloudFrontDistribution57C8A907"
264
+ }
265
+ ]
266
+ ]
267
+ }
268
+ }
269
+ },
270
+ "Effect": "Allow",
271
+ "Principal": {
272
+ "Service": "cloudfront.amazonaws.com"
273
+ },
274
+ "Resource": {
275
+ "Fn::Join": [
276
+ "",
277
+ [
278
+ {
279
+ "Fn::GetAtt": [
280
+ "existings3bucketencryptedwithcmkS3BucketCC461491",
281
+ "Arn"
282
+ ]
283
+ },
284
+ "/*"
285
+ ]
286
+ ]
287
+ }
288
+ }
289
+ ],
290
+ "Version": "2012-10-17"
291
+ }
292
+ },
293
+ "Metadata": {
294
+ "cfn_nag": {
295
+ "rules_to_suppress": [
296
+ {
297
+ "id": "F16",
298
+ "reason": "Public website bucket policy requires a wildcard principal"
299
+ }
300
+ ]
301
+ }
302
+ }
303
+ },
304
+ "testcloudfronts3cmkencryptionkeyCloudfrontLoggingBucketAccessLog8863921C": {
305
+ "Type": "AWS::S3::Bucket",
306
+ "Properties": {
307
+ "BucketEncryption": {
308
+ "ServerSideEncryptionConfiguration": [
309
+ {
310
+ "ServerSideEncryptionByDefault": {
311
+ "SSEAlgorithm": "AES256"
312
+ }
313
+ }
314
+ ]
315
+ },
316
+ "OwnershipControls": {
317
+ "Rules": [
318
+ {
319
+ "ObjectOwnership": "ObjectWriter"
320
+ }
321
+ ]
322
+ },
323
+ "PublicAccessBlockConfiguration": {
324
+ "BlockPublicAcls": true,
325
+ "BlockPublicPolicy": true,
326
+ "IgnorePublicAcls": true,
327
+ "RestrictPublicBuckets": true
328
+ },
329
+ "VersioningConfiguration": {
330
+ "Status": "Enabled"
331
+ }
332
+ },
333
+ "UpdateReplacePolicy": "Retain",
334
+ "DeletionPolicy": "Retain",
335
+ "Metadata": {
336
+ "cfn_nag": {
337
+ "rules_to_suppress": [
338
+ {
339
+ "id": "W35",
340
+ "reason": "This S3 bucket is used as the access logging bucket for another bucket"
341
+ }
342
+ ]
343
+ }
344
+ }
345
+ },
346
+ "testcloudfronts3cmkencryptionkeyCloudfrontLoggingBucketAccessLogPolicy8F931BD7": {
347
+ "Type": "AWS::S3::BucketPolicy",
348
+ "Properties": {
349
+ "Bucket": {
350
+ "Ref": "testcloudfronts3cmkencryptionkeyCloudfrontLoggingBucketAccessLog8863921C"
351
+ },
352
+ "PolicyDocument": {
353
+ "Statement": [
354
+ {
355
+ "Action": "s3:*",
356
+ "Condition": {
357
+ "Bool": {
358
+ "aws:SecureTransport": "false"
359
+ }
360
+ },
361
+ "Effect": "Deny",
362
+ "Principal": {
363
+ "AWS": "*"
364
+ },
365
+ "Resource": [
366
+ {
367
+ "Fn::GetAtt": [
368
+ "testcloudfronts3cmkencryptionkeyCloudfrontLoggingBucketAccessLog8863921C",
369
+ "Arn"
370
+ ]
371
+ },
372
+ {
373
+ "Fn::Join": [
374
+ "",
375
+ [
376
+ {
377
+ "Fn::GetAtt": [
378
+ "testcloudfronts3cmkencryptionkeyCloudfrontLoggingBucketAccessLog8863921C",
379
+ "Arn"
380
+ ]
381
+ },
382
+ "/*"
383
+ ]
384
+ ]
385
+ }
386
+ ]
387
+ },
388
+ {
389
+ "Action": "s3:PutObject",
390
+ "Condition": {
391
+ "ArnLike": {
392
+ "aws:SourceArn": {
393
+ "Fn::GetAtt": [
394
+ "testcloudfronts3cmkencryptionkeyCloudfrontLoggingBucket7C1787CD",
395
+ "Arn"
396
+ ]
397
+ }
398
+ },
399
+ "StringEquals": {
400
+ "aws:SourceAccount": {
401
+ "Ref": "AWS::AccountId"
402
+ }
403
+ }
404
+ },
405
+ "Effect": "Allow",
406
+ "Principal": {
407
+ "Service": "logging.s3.amazonaws.com"
408
+ },
409
+ "Resource": {
410
+ "Fn::Join": [
411
+ "",
412
+ [
413
+ {
414
+ "Fn::GetAtt": [
415
+ "testcloudfronts3cmkencryptionkeyCloudfrontLoggingBucketAccessLog8863921C",
416
+ "Arn"
417
+ ]
418
+ },
419
+ "/*"
420
+ ]
421
+ ]
422
+ }
423
+ }
424
+ ],
425
+ "Version": "2012-10-17"
426
+ }
427
+ }
428
+ },
429
+ "testcloudfronts3cmkencryptionkeyCloudfrontLoggingBucket7C1787CD": {
430
+ "Type": "AWS::S3::Bucket",
431
+ "Properties": {
432
+ "AccessControl": "LogDeliveryWrite",
433
+ "BucketEncryption": {
434
+ "ServerSideEncryptionConfiguration": [
435
+ {
436
+ "ServerSideEncryptionByDefault": {
437
+ "SSEAlgorithm": "AES256"
438
+ }
439
+ }
440
+ ]
441
+ },
442
+ "LoggingConfiguration": {
443
+ "DestinationBucketName": {
444
+ "Ref": "testcloudfronts3cmkencryptionkeyCloudfrontLoggingBucketAccessLog8863921C"
445
+ }
446
+ },
447
+ "OwnershipControls": {
448
+ "Rules": [
449
+ {
450
+ "ObjectOwnership": "ObjectWriter"
451
+ }
452
+ ]
453
+ },
454
+ "PublicAccessBlockConfiguration": {
455
+ "BlockPublicAcls": true,
456
+ "BlockPublicPolicy": true,
457
+ "IgnorePublicAcls": true,
458
+ "RestrictPublicBuckets": true
459
+ },
460
+ "VersioningConfiguration": {
461
+ "Status": "Enabled"
462
+ }
463
+ },
464
+ "UpdateReplacePolicy": "Retain",
465
+ "DeletionPolicy": "Retain"
466
+ },
467
+ "testcloudfronts3cmkencryptionkeyCloudfrontLoggingBucketPolicy5E737735": {
468
+ "Type": "AWS::S3::BucketPolicy",
469
+ "Properties": {
470
+ "Bucket": {
471
+ "Ref": "testcloudfronts3cmkencryptionkeyCloudfrontLoggingBucket7C1787CD"
472
+ },
473
+ "PolicyDocument": {
474
+ "Statement": [
475
+ {
476
+ "Action": "s3:*",
477
+ "Condition": {
478
+ "Bool": {
479
+ "aws:SecureTransport": "false"
480
+ }
481
+ },
482
+ "Effect": "Deny",
483
+ "Principal": {
484
+ "AWS": "*"
485
+ },
486
+ "Resource": [
487
+ {
488
+ "Fn::GetAtt": [
489
+ "testcloudfronts3cmkencryptionkeyCloudfrontLoggingBucket7C1787CD",
490
+ "Arn"
491
+ ]
492
+ },
493
+ {
494
+ "Fn::Join": [
495
+ "",
496
+ [
497
+ {
498
+ "Fn::GetAtt": [
499
+ "testcloudfronts3cmkencryptionkeyCloudfrontLoggingBucket7C1787CD",
500
+ "Arn"
501
+ ]
502
+ },
503
+ "/*"
504
+ ]
505
+ ]
506
+ }
507
+ ]
508
+ }
509
+ ],
510
+ "Version": "2012-10-17"
511
+ }
512
+ }
513
+ },
514
+ "testcloudfronts3cmkencryptionkeyCloudFrontOac4EFECBD9": {
515
+ "Type": "AWS::CloudFront::OriginAccessControl",
516
+ "Properties": {
517
+ "OriginAccessControlConfig": {
518
+ "Description": "Origin access control provisioned by aws-cloudfront-s3",
519
+ "Name": {
520
+ "Fn::Join": [
521
+ "",
522
+ [
523
+ "aws-cloudfront-s3-testn-key-",
524
+ {
525
+ "Fn::Select": [
526
+ 2,
527
+ {
528
+ "Fn::Split": [
529
+ "/",
530
+ {
531
+ "Ref": "AWS::StackId"
532
+ }
533
+ ]
534
+ }
535
+ ]
536
+ }
537
+ ]
538
+ ]
539
+ },
540
+ "OriginAccessControlOriginType": "s3",
541
+ "SigningBehavior": "always",
542
+ "SigningProtocol": "sigv4"
543
+ }
544
+ }
545
+ },
546
+ "testcloudfronts3cmkencryptionkeyCloudFrontDistribution57C8A907": {
547
+ "Type": "AWS::CloudFront::Distribution",
548
+ "Properties": {
549
+ "DistributionConfig": {
550
+ "DefaultCacheBehavior": {
551
+ "CachePolicyId": "658327ea-f89d-4fab-a63d-7e88639e58f6",
552
+ "Compress": true,
553
+ "TargetOriginId": "cfts3bucketencryptedwithcmkprovidedasexistingbuckettestcloudfronts3cmkencryptionkeyCloudFrontDistributionOrigin128E2E2A5",
554
+ "ViewerProtocolPolicy": "redirect-to-https"
555
+ },
556
+ "DefaultRootObject": "index.html",
557
+ "Enabled": true,
558
+ "HttpVersion": "http2",
559
+ "IPV6Enabled": true,
560
+ "Logging": {
561
+ "Bucket": {
562
+ "Fn::GetAtt": [
563
+ "testcloudfronts3cmkencryptionkeyCloudfrontLoggingBucket7C1787CD",
564
+ "RegionalDomainName"
565
+ ]
566
+ }
567
+ },
568
+ "Origins": [
569
+ {
570
+ "DomainName": {
571
+ "Fn::GetAtt": [
572
+ "existings3bucketencryptedwithcmkS3BucketCC461491",
573
+ "RegionalDomainName"
574
+ ]
575
+ },
576
+ "Id": "cfts3bucketencryptedwithcmkprovidedasexistingbuckettestcloudfronts3cmkencryptionkeyCloudFrontDistributionOrigin128E2E2A5",
577
+ "OriginAccessControlId": {
578
+ "Fn::GetAtt": [
579
+ "testcloudfronts3cmkencryptionkeyCloudFrontOac4EFECBD9",
580
+ "Id"
581
+ ]
582
+ },
583
+ "S3OriginConfig": {
584
+ "OriginAccessIdentity": ""
585
+ }
586
+ }
587
+ ]
588
+ }
589
+ },
590
+ "Metadata": {
591
+ "cfn_nag": {
592
+ "rules_to_suppress": [
593
+ {
594
+ "id": "W70",
595
+ "reason": "Since the distribution uses the CloudFront domain name, CloudFront automatically sets the security policy to TLSv1 regardless of the value of MinimumProtocolVersion"
596
+ }
597
+ ]
598
+ }
599
+ }
600
+ },
601
+ "testcloudfronts3cmkencryptionkeyKmsKeyPolicyUpdateLambdaRoleB7BBA8A2": {
602
+ "Type": "AWS::IAM::Role",
603
+ "Properties": {
604
+ "AssumeRolePolicyDocument": {
605
+ "Statement": [
606
+ {
607
+ "Action": "sts:AssumeRole",
608
+ "Effect": "Allow",
609
+ "Principal": {
610
+ "Service": "lambda.amazonaws.com"
611
+ }
612
+ }
613
+ ],
614
+ "Version": "2012-10-17"
615
+ },
616
+ "Description": "Role to update kms key policy to allow CloudFront access",
617
+ "Policies": [
618
+ {
619
+ "PolicyDocument": {
620
+ "Statement": [
621
+ {
622
+ "Action": [
623
+ "kms:DescribeKey",
624
+ "kms:GetKeyPolicy",
625
+ "kms:PutKeyPolicy"
626
+ ],
627
+ "Effect": "Allow",
628
+ "Resource": {
629
+ "Fn::GetAtt": [
630
+ "cmkKey598B20B2",
631
+ "Arn"
632
+ ]
633
+ }
634
+ }
635
+ ],
636
+ "Version": "2012-10-17"
637
+ },
638
+ "PolicyName": "KmsPolicy"
639
+ }
640
+ ]
641
+ }
642
+ },
643
+ "testcloudfronts3cmkencryptionkeyKmsKeyPolicyUpdateLambdaRoleDefaultPolicy0E93FCDF": {
644
+ "Type": "AWS::IAM::Policy",
645
+ "Properties": {
646
+ "PolicyDocument": {
647
+ "Statement": [
648
+ {
649
+ "Action": [
650
+ "xray:PutTelemetryRecords",
651
+ "xray:PutTraceSegments"
652
+ ],
653
+ "Effect": "Allow",
654
+ "Resource": "*"
655
+ }
656
+ ],
657
+ "Version": "2012-10-17"
658
+ },
659
+ "PolicyName": "testcloudfronts3cmkencryptionkeyKmsKeyPolicyUpdateLambdaRoleDefaultPolicy0E93FCDF",
660
+ "Roles": [
661
+ {
662
+ "Ref": "testcloudfronts3cmkencryptionkeyKmsKeyPolicyUpdateLambdaRoleB7BBA8A2"
663
+ }
664
+ ]
665
+ },
666
+ "Metadata": {
667
+ "cfn_nag": {
668
+ "rules_to_suppress": [
669
+ {
670
+ "id": "W12",
671
+ "reason": "Lambda needs the following minimum required permissions to send trace data to X-Ray and access ENIs in a VPC."
672
+ }
673
+ ]
674
+ }
675
+ }
676
+ },
677
+ "testcloudfronts3cmkencryptionkeyLambdaFunctionServiceRole85783D1D": {
678
+ "Type": "AWS::IAM::Role",
679
+ "Properties": {
680
+ "AssumeRolePolicyDocument": {
681
+ "Statement": [
682
+ {
683
+ "Action": "sts:AssumeRole",
684
+ "Effect": "Allow",
685
+ "Principal": {
686
+ "Service": "lambda.amazonaws.com"
687
+ }
688
+ }
689
+ ],
690
+ "Version": "2012-10-17"
691
+ },
692
+ "Policies": [
693
+ {
694
+ "PolicyDocument": {
695
+ "Statement": [
696
+ {
697
+ "Action": [
698
+ "logs:CreateLogGroup",
699
+ "logs:CreateLogStream",
700
+ "logs:PutLogEvents"
701
+ ],
702
+ "Effect": "Allow",
703
+ "Resource": {
704
+ "Fn::Join": [
705
+ "",
706
+ [
707
+ "arn:",
708
+ {
709
+ "Ref": "AWS::Partition"
710
+ },
711
+ ":logs:",
712
+ {
713
+ "Ref": "AWS::Region"
714
+ },
715
+ ":",
716
+ {
717
+ "Ref": "AWS::AccountId"
718
+ },
719
+ ":log-group:/aws/lambda/*"
720
+ ]
721
+ ]
722
+ }
723
+ }
724
+ ],
725
+ "Version": "2012-10-17"
726
+ },
727
+ "PolicyName": "LambdaFunctionServiceRolePolicy"
728
+ }
729
+ ]
730
+ }
731
+ },
732
+ "testcloudfronts3cmkencryptionkeyLambdaFunction4DCD662E": {
733
+ "Type": "AWS::Lambda::Function",
734
+ "Properties": {
735
+ "Code": {
736
+ "S3Bucket": {
737
+ "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
738
+ },
739
+ "S3Key": "4a4b024f310aca2784b69bcb790e9ccaef785e9ad5d1b73624144f88c4465b4f.zip"
740
+ },
741
+ "Description": "Custom resource function that updates a provided key policy to allow CloudFront access.",
742
+ "Handler": "index.handler",
743
+ "Role": {
744
+ "Fn::GetAtt": [
745
+ "testcloudfronts3cmkencryptionkeyKmsKeyPolicyUpdateLambdaRoleB7BBA8A2",
746
+ "Arn"
747
+ ]
748
+ },
749
+ "Runtime": "nodejs18.x",
750
+ "TracingConfig": {
751
+ "Mode": "Active"
752
+ }
753
+ },
754
+ "DependsOn": [
755
+ "testcloudfronts3cmkencryptionkeyKmsKeyPolicyUpdateLambdaRoleDefaultPolicy0E93FCDF",
756
+ "testcloudfronts3cmkencryptionkeyKmsKeyPolicyUpdateLambdaRoleB7BBA8A2"
757
+ ],
758
+ "Metadata": {
759
+ "cfn_nag": {
760
+ "rules_to_suppress": [
761
+ {
762
+ "id": "W58",
763
+ "reason": "Lambda functions has the required permission to write CloudWatch Logs. It uses custom policy instead of arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole with tighter permissions."
764
+ },
765
+ {
766
+ "id": "W89",
767
+ "reason": "This is not a rule for the general case, just for specific use cases/industries"
768
+ },
769
+ {
770
+ "id": "W92",
771
+ "reason": "Impossible for us to define the correct concurrency for clients"
772
+ }
773
+ ]
774
+ }
775
+ }
776
+ },
777
+ "testcloudfronts3cmkencryptionkeyKmsKeyPolicyUpdateProviderframeworkonEventServiceRole3D4040AD": {
778
+ "Type": "AWS::IAM::Role",
779
+ "Properties": {
780
+ "AssumeRolePolicyDocument": {
781
+ "Statement": [
782
+ {
783
+ "Action": "sts:AssumeRole",
784
+ "Effect": "Allow",
785
+ "Principal": {
786
+ "Service": "lambda.amazonaws.com"
787
+ }
788
+ }
789
+ ],
790
+ "Version": "2012-10-17"
791
+ },
792
+ "ManagedPolicyArns": [
793
+ {
794
+ "Fn::Join": [
795
+ "",
796
+ [
797
+ "arn:",
798
+ {
799
+ "Ref": "AWS::Partition"
800
+ },
801
+ ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
802
+ ]
803
+ ]
804
+ }
805
+ ]
806
+ }
807
+ },
808
+ "testcloudfronts3cmkencryptionkeyKmsKeyPolicyUpdateProviderframeworkonEventServiceRoleDefaultPolicy066CD751": {
809
+ "Type": "AWS::IAM::Policy",
810
+ "Properties": {
811
+ "PolicyDocument": {
812
+ "Statement": [
813
+ {
814
+ "Action": "lambda:InvokeFunction",
815
+ "Effect": "Allow",
816
+ "Resource": [
817
+ {
818
+ "Fn::GetAtt": [
819
+ "testcloudfronts3cmkencryptionkeyLambdaFunction4DCD662E",
820
+ "Arn"
821
+ ]
822
+ },
823
+ {
824
+ "Fn::Join": [
825
+ "",
826
+ [
827
+ {
828
+ "Fn::GetAtt": [
829
+ "testcloudfronts3cmkencryptionkeyLambdaFunction4DCD662E",
830
+ "Arn"
831
+ ]
832
+ },
833
+ ":*"
834
+ ]
835
+ ]
836
+ }
837
+ ]
838
+ }
839
+ ],
840
+ "Version": "2012-10-17"
841
+ },
842
+ "PolicyName": "testcloudfronts3cmkencryptionkeyKmsKeyPolicyUpdateProviderframeworkonEventServiceRoleDefaultPolicy066CD751",
843
+ "Roles": [
844
+ {
845
+ "Ref": "testcloudfronts3cmkencryptionkeyKmsKeyPolicyUpdateProviderframeworkonEventServiceRole3D4040AD"
846
+ }
847
+ ]
848
+ }
849
+ },
850
+ "testcloudfronts3cmkencryptionkeyKmsKeyPolicyUpdateProviderframeworkonEvent8BCBFC59": {
851
+ "Type": "AWS::Lambda::Function",
852
+ "Properties": {
853
+ "Code": {
854
+ "S3Bucket": {
855
+ "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
856
+ },
857
+ "S3Key": "7382a0addb9f34974a1ea6c6c9b063882af874828f366f5c93b2b7b64db15c94.zip"
858
+ },
859
+ "Description": "AWS CDK resource provider framework - onEvent (cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket/test-cloudfront-s3-cmk-encryption-key/KmsKeyPolicyUpdateProvider)",
860
+ "Environment": {
861
+ "Variables": {
862
+ "USER_ON_EVENT_FUNCTION_ARN": {
863
+ "Fn::GetAtt": [
864
+ "testcloudfronts3cmkencryptionkeyLambdaFunction4DCD662E",
865
+ "Arn"
866
+ ]
867
+ }
868
+ }
869
+ },
870
+ "Handler": "framework.onEvent",
871
+ "Role": {
872
+ "Fn::GetAtt": [
873
+ "testcloudfronts3cmkencryptionkeyKmsKeyPolicyUpdateProviderframeworkonEventServiceRole3D4040AD",
874
+ "Arn"
875
+ ]
876
+ },
877
+ "Runtime": "nodejs18.x",
878
+ "Timeout": 900
879
+ },
880
+ "DependsOn": [
881
+ "testcloudfronts3cmkencryptionkeyKmsKeyPolicyUpdateProviderframeworkonEventServiceRoleDefaultPolicy066CD751",
882
+ "testcloudfronts3cmkencryptionkeyKmsKeyPolicyUpdateProviderframeworkonEventServiceRole3D4040AD"
883
+ ],
884
+ "Metadata": {
885
+ "cfn_nag": {
886
+ "rules_to_suppress": [
887
+ {
888
+ "id": "W58",
889
+ "reason": "The CDK-provided lambda function that backs their Custom Resource Provider framework has an IAM role with the arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole Managed Policy attached, which grants permission to write to CloudWatch Logs"
890
+ },
891
+ {
892
+ "id": "W89",
893
+ "reason": "The CDK-provided lambda function that backs their Custom Resource Provider framework does not access VPC resources"
894
+ },
895
+ {
896
+ "id": "W92",
897
+ "reason": "The CDK-provided lambda function that backs their Custom Resource Provider framework does not define ReservedConcurrentExecutions"
898
+ }
899
+ ]
900
+ }
901
+ }
902
+ },
903
+ "testcloudfronts3cmkencryptionkeyKmsKeyPolicyUpdaterFAFEBF0F": {
904
+ "Type": "Custom::KmsKeyPolicyUpdater",
905
+ "Properties": {
906
+ "ServiceToken": {
907
+ "Fn::GetAtt": [
908
+ "testcloudfronts3cmkencryptionkeyKmsKeyPolicyUpdateProviderframeworkonEvent8BCBFC59",
909
+ "Arn"
910
+ ]
911
+ },
912
+ "KmsKeyId": {
913
+ "Ref": "cmkKey598B20B2"
914
+ },
915
+ "CloudFrontDistributionId": {
916
+ "Ref": "testcloudfronts3cmkencryptionkeyCloudFrontDistribution57C8A907"
917
+ },
918
+ "AccountId": {
919
+ "Ref": "AWS::AccountId"
920
+ }
921
+ },
922
+ "UpdateReplacePolicy": "Delete",
923
+ "DeletionPolicy": "Delete"
924
+ }
925
+ },
926
+ "Parameters": {
927
+ "BootstrapVersion": {
928
+ "Type": "AWS::SSM::Parameter::Value<String>",
929
+ "Default": "/cdk-bootstrap/hnb659fds/version",
930
+ "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
931
+ }
932
+ },
933
+ "Rules": {
934
+ "CheckBootstrapVersion": {
935
+ "Assertions": [
936
+ {
937
+ "Assert": {
938
+ "Fn::Not": [
939
+ {
940
+ "Fn::Contains": [
941
+ [
942
+ "1",
943
+ "2",
944
+ "3",
945
+ "4",
946
+ "5"
947
+ ],
948
+ {
949
+ "Ref": "BootstrapVersion"
950
+ }
951
+ ]
952
+ }
953
+ ]
954
+ },
955
+ "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
956
+ }
957
+ ]
958
+ }
959
+ }
960
+ }