@aws-solutions-constructs/aws-cloudfront-s3 2.93.0 → 2.94.0

@@ -0,0 +1,1363 @@
1
+ {
2
+ "Description": "Integration Test for aws-cloudfront-s3",
3
+ "Resources": {
4
+ "scrapBucketLog7B53B25C": {
5
+ "Type": "AWS::S3::Bucket",
6
+ "Properties": {
7
+ "BucketEncryption": {
8
+ "ServerSideEncryptionConfiguration": [
9
+ {
10
+ "ServerSideEncryptionByDefault": {
11
+ "SSEAlgorithm": "AES256"
12
+ }
13
+ }
14
+ ]
15
+ },
16
+ "Tags": [
17
+ {
18
+ "Key": "aws-cdk:auto-delete-objects",
19
+ "Value": "true"
20
+ }
21
+ ],
22
+ "VersioningConfiguration": {
23
+ "Status": "Enabled"
24
+ }
25
+ },
26
+ "UpdateReplacePolicy": "Delete",
27
+ "DeletionPolicy": "Delete",
28
+ "Metadata": {
29
+ "cfn_nag": {
30
+ "rules_to_suppress": [
31
+ {
32
+ "id": "W35",
33
+ "reason": "This is a log bucket"
34
+ }
35
+ ]
36
+ }
37
+ }
38
+ },
39
+ "scrapBucketLogPolicy2972C573": {
40
+ "Type": "AWS::S3::BucketPolicy",
41
+ "Properties": {
42
+ "Bucket": {
43
+ "Ref": "scrapBucketLog7B53B25C"
44
+ },
45
+ "PolicyDocument": {
46
+ "Statement": [
47
+ {
48
+ "Action": "s3:*",
49
+ "Condition": {
50
+ "Bool": {
51
+ "aws:SecureTransport": "false"
52
+ }
53
+ },
54
+ "Effect": "Deny",
55
+ "Principal": {
56
+ "AWS": "*"
57
+ },
58
+ "Resource": [
59
+ {
60
+ "Fn::GetAtt": [
61
+ "scrapBucketLog7B53B25C",
62
+ "Arn"
63
+ ]
64
+ },
65
+ {
66
+ "Fn::Join": [
67
+ "",
68
+ [
69
+ {
70
+ "Fn::GetAtt": [
71
+ "scrapBucketLog7B53B25C",
72
+ "Arn"
73
+ ]
74
+ },
75
+ "/*"
76
+ ]
77
+ ]
78
+ }
79
+ ]
80
+ },
81
+ {
82
+ "Action": [
83
+ "s3:DeleteObject*",
84
+ "s3:GetBucket*",
85
+ "s3:List*",
86
+ "s3:PutBucketPolicy"
87
+ ],
88
+ "Effect": "Allow",
89
+ "Principal": {
90
+ "AWS": {
91
+ "Fn::GetAtt": [
92
+ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092",
93
+ "Arn"
94
+ ]
95
+ }
96
+ },
97
+ "Resource": [
98
+ {
99
+ "Fn::GetAtt": [
100
+ "scrapBucketLog7B53B25C",
101
+ "Arn"
102
+ ]
103
+ },
104
+ {
105
+ "Fn::Join": [
106
+ "",
107
+ [
108
+ {
109
+ "Fn::GetAtt": [
110
+ "scrapBucketLog7B53B25C",
111
+ "Arn"
112
+ ]
113
+ },
114
+ "/*"
115
+ ]
116
+ ]
117
+ }
118
+ ]
119
+ },
120
+ {
121
+ "Action": "s3:PutObject",
122
+ "Condition": {
123
+ "ArnLike": {
124
+ "aws:SourceArn": {
125
+ "Fn::GetAtt": [
126
+ "scrapBucketB11863B7",
127
+ "Arn"
128
+ ]
129
+ }
130
+ },
131
+ "StringEquals": {
132
+ "aws:SourceAccount": {
133
+ "Ref": "AWS::AccountId"
134
+ }
135
+ }
136
+ },
137
+ "Effect": "Allow",
138
+ "Principal": {
139
+ "Service": "logging.s3.amazonaws.com"
140
+ },
141
+ "Resource": {
142
+ "Fn::Join": [
143
+ "",
144
+ [
145
+ {
146
+ "Fn::GetAtt": [
147
+ "scrapBucketLog7B53B25C",
148
+ "Arn"
149
+ ]
150
+ },
151
+ "/*"
152
+ ]
153
+ ]
154
+ }
155
+ }
156
+ ],
157
+ "Version": "2012-10-17"
158
+ }
159
+ }
160
+ },
161
+ "scrapBucketLogAutoDeleteObjectsCustomResource307F3D47": {
162
+ "Type": "Custom::S3AutoDeleteObjects",
163
+ "Properties": {
164
+ "ServiceToken": {
165
+ "Fn::GetAtt": [
166
+ "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F",
167
+ "Arn"
168
+ ]
169
+ },
170
+ "BucketName": {
171
+ "Ref": "scrapBucketLog7B53B25C"
172
+ }
173
+ },
174
+ "DependsOn": [
175
+ "scrapBucketLogPolicy2972C573"
176
+ ],
177
+ "UpdateReplacePolicy": "Delete",
178
+ "DeletionPolicy": "Delete"
179
+ },
180
+ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092": {
181
+ "Type": "AWS::IAM::Role",
182
+ "Properties": {
183
+ "AssumeRolePolicyDocument": {
184
+ "Version": "2012-10-17",
185
+ "Statement": [
186
+ {
187
+ "Action": "sts:AssumeRole",
188
+ "Effect": "Allow",
189
+ "Principal": {
190
+ "Service": "lambda.amazonaws.com"
191
+ }
192
+ }
193
+ ]
194
+ },
195
+ "ManagedPolicyArns": [
196
+ {
197
+ "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
198
+ }
199
+ ]
200
+ }
201
+ },
202
+ "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F": {
203
+ "Type": "AWS::Lambda::Function",
204
+ "Properties": {
205
+ "Code": {
206
+ "S3Bucket": {
207
+ "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
208
+ },
209
+ "S3Key": "faa95a81ae7d7373f3e1f242268f904eb748d8d0fdd306e8a6fe515a1905a7d6.zip"
210
+ },
211
+ "Timeout": 900,
212
+ "MemorySize": 128,
213
+ "Handler": "index.handler",
214
+ "Role": {
215
+ "Fn::GetAtt": [
216
+ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092",
217
+ "Arn"
218
+ ]
219
+ },
220
+ "Runtime": "nodejs22.x",
221
+ "Description": {
222
+ "Fn::Join": [
223
+ "",
224
+ [
225
+ "Lambda function for auto-deleting objects in ",
226
+ {
227
+ "Ref": "scrapBucketLog7B53B25C"
228
+ },
229
+ " S3 bucket."
230
+ ]
231
+ ]
232
+ }
233
+ },
234
+ "DependsOn": [
235
+ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092"
236
+ ],
237
+ "Metadata": {
238
+ "cfn_nag": {
239
+ "rules_to_suppress": [
240
+ {
241
+ "id": "W58",
242
+ "reason": "CDK generated custom resource"
243
+ },
244
+ {
245
+ "id": "W89",
246
+ "reason": "CDK generated custom resource"
247
+ },
248
+ {
249
+ "id": "W92",
250
+ "reason": "CDK generated custom resource"
251
+ }
252
+ ]
253
+ }
254
+ }
255
+ },
256
+ "scrapBucketB11863B7": {
257
+ "Type": "AWS::S3::Bucket",
258
+ "Properties": {
259
+ "BucketEncryption": {
260
+ "ServerSideEncryptionConfiguration": [
261
+ {
262
+ "ServerSideEncryptionByDefault": {
263
+ "SSEAlgorithm": "AES256"
264
+ }
265
+ }
266
+ ]
267
+ },
268
+ "LoggingConfiguration": {
269
+ "DestinationBucketName": {
270
+ "Ref": "scrapBucketLog7B53B25C"
271
+ }
272
+ },
273
+ "Tags": [
274
+ {
275
+ "Key": "aws-cdk:auto-delete-objects",
276
+ "Value": "true"
277
+ }
278
+ ],
279
+ "VersioningConfiguration": {
280
+ "Status": "Enabled"
281
+ }
282
+ },
283
+ "UpdateReplacePolicy": "Delete",
284
+ "DeletionPolicy": "Delete"
285
+ },
286
+ "scrapBucketPolicy189B0607": {
287
+ "Type": "AWS::S3::BucketPolicy",
288
+ "Properties": {
289
+ "Bucket": {
290
+ "Ref": "scrapBucketB11863B7"
291
+ },
292
+ "PolicyDocument": {
293
+ "Statement": [
294
+ {
295
+ "Action": "s3:*",
296
+ "Condition": {
297
+ "Bool": {
298
+ "aws:SecureTransport": "false"
299
+ }
300
+ },
301
+ "Effect": "Deny",
302
+ "Principal": {
303
+ "AWS": "*"
304
+ },
305
+ "Resource": [
306
+ {
307
+ "Fn::GetAtt": [
308
+ "scrapBucketB11863B7",
309
+ "Arn"
310
+ ]
311
+ },
312
+ {
313
+ "Fn::Join": [
314
+ "",
315
+ [
316
+ {
317
+ "Fn::GetAtt": [
318
+ "scrapBucketB11863B7",
319
+ "Arn"
320
+ ]
321
+ },
322
+ "/*"
323
+ ]
324
+ ]
325
+ }
326
+ ]
327
+ },
328
+ {
329
+ "Action": [
330
+ "s3:DeleteObject*",
331
+ "s3:GetBucket*",
332
+ "s3:List*",
333
+ "s3:PutBucketPolicy"
334
+ ],
335
+ "Effect": "Allow",
336
+ "Principal": {
337
+ "AWS": {
338
+ "Fn::GetAtt": [
339
+ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092",
340
+ "Arn"
341
+ ]
342
+ }
343
+ },
344
+ "Resource": [
345
+ {
346
+ "Fn::GetAtt": [
347
+ "scrapBucketB11863B7",
348
+ "Arn"
349
+ ]
350
+ },
351
+ {
352
+ "Fn::Join": [
353
+ "",
354
+ [
355
+ {
356
+ "Fn::GetAtt": [
357
+ "scrapBucketB11863B7",
358
+ "Arn"
359
+ ]
360
+ },
361
+ "/*"
362
+ ]
363
+ ]
364
+ }
365
+ ]
366
+ }
367
+ ],
368
+ "Version": "2012-10-17"
369
+ }
370
+ }
371
+ },
372
+ "scrapBucketAutoDeleteObjectsCustomResourceFFFC3275": {
373
+ "Type": "Custom::S3AutoDeleteObjects",
374
+ "Properties": {
375
+ "ServiceToken": {
376
+ "Fn::GetAtt": [
377
+ "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F",
378
+ "Arn"
379
+ ]
380
+ },
381
+ "BucketName": {
382
+ "Ref": "scrapBucketB11863B7"
383
+ }
384
+ },
385
+ "DependsOn": [
386
+ "scrapBucketPolicy189B0607"
387
+ ],
388
+ "UpdateReplacePolicy": "Delete",
389
+ "DeletionPolicy": "Delete"
390
+ },
391
+ "CloudFrontOac": {
392
+ "Type": "AWS::CloudFront::OriginAccessControl",
393
+ "Properties": {
394
+ "OriginAccessControlConfig": {
395
+ "Description": "Origin access control provisioned by aws-cloudfront-s3",
396
+ "Name": {
397
+ "Fn::Join": [
398
+ "",
399
+ [
400
+ "aws-cloudfront-s3-spare-",
401
+ {
402
+ "Fn::Select": [
403
+ 2,
404
+ {
405
+ "Fn::Split": [
406
+ "/",
407
+ {
408
+ "Ref": "AWS::StackId"
409
+ }
410
+ ]
411
+ }
412
+ ]
413
+ }
414
+ ]
415
+ ]
416
+ },
417
+ "OriginAccessControlOriginType": "s3",
418
+ "SigningBehavior": "always",
419
+ "SigningProtocol": "sigv4"
420
+ }
421
+ }
422
+ },
423
+ "testcloudfronts3S3LoggingBucket90D239DD": {
424
+ "Type": "AWS::S3::Bucket",
425
+ "Properties": {
426
+ "BucketEncryption": {
427
+ "ServerSideEncryptionConfiguration": [
428
+ {
429
+ "ServerSideEncryptionByDefault": {
430
+ "SSEAlgorithm": "AES256"
431
+ }
432
+ }
433
+ ]
434
+ },
435
+ "PublicAccessBlockConfiguration": {
436
+ "BlockPublicAcls": true,
437
+ "BlockPublicPolicy": true,
438
+ "IgnorePublicAcls": true,
439
+ "RestrictPublicBuckets": true
440
+ },
441
+ "Tags": [
442
+ {
443
+ "Key": "aws-cdk:auto-delete-objects",
444
+ "Value": "true"
445
+ }
446
+ ],
447
+ "VersioningConfiguration": {
448
+ "Status": "Enabled"
449
+ }
450
+ },
451
+ "UpdateReplacePolicy": "Delete",
452
+ "DeletionPolicy": "Delete",
453
+ "Metadata": {
454
+ "cfn_nag": {
455
+ "rules_to_suppress": [
456
+ {
457
+ "id": "W35",
458
+ "reason": "This S3 bucket is used as the access logging bucket for another bucket"
459
+ }
460
+ ]
461
+ }
462
+ }
463
+ },
464
+ "testcloudfronts3S3LoggingBucketPolicy529D4CFF": {
465
+ "Type": "AWS::S3::BucketPolicy",
466
+ "Properties": {
467
+ "Bucket": {
468
+ "Ref": "testcloudfronts3S3LoggingBucket90D239DD"
469
+ },
470
+ "PolicyDocument": {
471
+ "Statement": [
472
+ {
473
+ "Action": "s3:*",
474
+ "Condition": {
475
+ "Bool": {
476
+ "aws:SecureTransport": "false"
477
+ }
478
+ },
479
+ "Effect": "Deny",
480
+ "Principal": {
481
+ "AWS": "*"
482
+ },
483
+ "Resource": [
484
+ {
485
+ "Fn::GetAtt": [
486
+ "testcloudfronts3S3LoggingBucket90D239DD",
487
+ "Arn"
488
+ ]
489
+ },
490
+ {
491
+ "Fn::Join": [
492
+ "",
493
+ [
494
+ {
495
+ "Fn::GetAtt": [
496
+ "testcloudfronts3S3LoggingBucket90D239DD",
497
+ "Arn"
498
+ ]
499
+ },
500
+ "/*"
501
+ ]
502
+ ]
503
+ }
504
+ ]
505
+ },
506
+ {
507
+ "Action": [
508
+ "s3:DeleteObject*",
509
+ "s3:GetBucket*",
510
+ "s3:List*",
511
+ "s3:PutBucketPolicy"
512
+ ],
513
+ "Effect": "Allow",
514
+ "Principal": {
515
+ "AWS": {
516
+ "Fn::GetAtt": [
517
+ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092",
518
+ "Arn"
519
+ ]
520
+ }
521
+ },
522
+ "Resource": [
523
+ {
524
+ "Fn::GetAtt": [
525
+ "testcloudfronts3S3LoggingBucket90D239DD",
526
+ "Arn"
527
+ ]
528
+ },
529
+ {
530
+ "Fn::Join": [
531
+ "",
532
+ [
533
+ {
534
+ "Fn::GetAtt": [
535
+ "testcloudfronts3S3LoggingBucket90D239DD",
536
+ "Arn"
537
+ ]
538
+ },
539
+ "/*"
540
+ ]
541
+ ]
542
+ }
543
+ ]
544
+ },
545
+ {
546
+ "Action": "s3:PutObject",
547
+ "Condition": {
548
+ "ArnLike": {
549
+ "aws:SourceArn": {
550
+ "Fn::GetAtt": [
551
+ "testcloudfronts3S3BucketE0C5F76E",
552
+ "Arn"
553
+ ]
554
+ }
555
+ },
556
+ "StringEquals": {
557
+ "aws:SourceAccount": {
558
+ "Ref": "AWS::AccountId"
559
+ }
560
+ }
561
+ },
562
+ "Effect": "Allow",
563
+ "Principal": {
564
+ "Service": "logging.s3.amazonaws.com"
565
+ },
566
+ "Resource": {
567
+ "Fn::Join": [
568
+ "",
569
+ [
570
+ {
571
+ "Fn::GetAtt": [
572
+ "testcloudfronts3S3LoggingBucket90D239DD",
573
+ "Arn"
574
+ ]
575
+ },
576
+ "/*"
577
+ ]
578
+ ]
579
+ }
580
+ }
581
+ ],
582
+ "Version": "2012-10-17"
583
+ }
584
+ }
585
+ },
586
+ "testcloudfronts3S3LoggingBucketAutoDeleteObjectsCustomResource6EE37727": {
587
+ "Type": "Custom::S3AutoDeleteObjects",
588
+ "Properties": {
589
+ "ServiceToken": {
590
+ "Fn::GetAtt": [
591
+ "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F",
592
+ "Arn"
593
+ ]
594
+ },
595
+ "BucketName": {
596
+ "Ref": "testcloudfronts3S3LoggingBucket90D239DD"
597
+ }
598
+ },
599
+ "DependsOn": [
600
+ "testcloudfronts3S3LoggingBucketPolicy529D4CFF"
601
+ ],
602
+ "UpdateReplacePolicy": "Delete",
603
+ "DeletionPolicy": "Delete"
604
+ },
605
+ "testcloudfronts3S3BucketE0C5F76E": {
606
+ "Type": "AWS::S3::Bucket",
607
+ "Properties": {
608
+ "BucketEncryption": {
609
+ "ServerSideEncryptionConfiguration": [
610
+ {
611
+ "ServerSideEncryptionByDefault": {
612
+ "SSEAlgorithm": "AES256"
613
+ }
614
+ }
615
+ ]
616
+ },
617
+ "LifecycleConfiguration": {
618
+ "Rules": [
619
+ {
620
+ "NoncurrentVersionTransitions": [
621
+ {
622
+ "StorageClass": "GLACIER",
623
+ "TransitionInDays": 90
624
+ }
625
+ ],
626
+ "Status": "Enabled"
627
+ }
628
+ ]
629
+ },
630
+ "LoggingConfiguration": {
631
+ "DestinationBucketName": {
632
+ "Ref": "testcloudfronts3S3LoggingBucket90D239DD"
633
+ }
634
+ },
635
+ "PublicAccessBlockConfiguration": {
636
+ "BlockPublicAcls": true,
637
+ "BlockPublicPolicy": true,
638
+ "IgnorePublicAcls": true,
639
+ "RestrictPublicBuckets": true
640
+ },
641
+ "Tags": [
642
+ {
643
+ "Key": "aws-cdk:auto-delete-objects",
644
+ "Value": "true"
645
+ }
646
+ ],
647
+ "VersioningConfiguration": {
648
+ "Status": "Enabled"
649
+ }
650
+ },
651
+ "UpdateReplacePolicy": "Delete",
652
+ "DeletionPolicy": "Delete",
653
+ "Metadata": {
654
+ "cfn_nag": {
655
+ "rules_to_suppress": [
656
+ {
657
+ "id": "W35",
658
+ "reason": "This S3 bucket is created for unit/ integration testing purposes only."
659
+ }
660
+ ]
661
+ }
662
+ }
663
+ },
664
+ "testcloudfronts3S3BucketPolicy250F1F61": {
665
+ "Type": "AWS::S3::BucketPolicy",
666
+ "Properties": {
667
+ "Bucket": {
668
+ "Ref": "testcloudfronts3S3BucketE0C5F76E"
669
+ },
670
+ "PolicyDocument": {
671
+ "Statement": [
672
+ {
673
+ "Action": "s3:*",
674
+ "Condition": {
675
+ "Bool": {
676
+ "aws:SecureTransport": "false"
677
+ }
678
+ },
679
+ "Effect": "Deny",
680
+ "Principal": {
681
+ "AWS": "*"
682
+ },
683
+ "Resource": [
684
+ {
685
+ "Fn::GetAtt": [
686
+ "testcloudfronts3S3BucketE0C5F76E",
687
+ "Arn"
688
+ ]
689
+ },
690
+ {
691
+ "Fn::Join": [
692
+ "",
693
+ [
694
+ {
695
+ "Fn::GetAtt": [
696
+ "testcloudfronts3S3BucketE0C5F76E",
697
+ "Arn"
698
+ ]
699
+ },
700
+ "/*"
701
+ ]
702
+ ]
703
+ }
704
+ ]
705
+ },
706
+ {
707
+ "Action": [
708
+ "s3:DeleteObject*",
709
+ "s3:GetBucket*",
710
+ "s3:List*",
711
+ "s3:PutBucketPolicy"
712
+ ],
713
+ "Effect": "Allow",
714
+ "Principal": {
715
+ "AWS": {
716
+ "Fn::GetAtt": [
717
+ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092",
718
+ "Arn"
719
+ ]
720
+ }
721
+ },
722
+ "Resource": [
723
+ {
724
+ "Fn::GetAtt": [
725
+ "testcloudfronts3S3BucketE0C5F76E",
726
+ "Arn"
727
+ ]
728
+ },
729
+ {
730
+ "Fn::Join": [
731
+ "",
732
+ [
733
+ {
734
+ "Fn::GetAtt": [
735
+ "testcloudfronts3S3BucketE0C5F76E",
736
+ "Arn"
737
+ ]
738
+ },
739
+ "/*"
740
+ ]
741
+ ]
742
+ }
743
+ ]
744
+ },
745
+ {
746
+ "Action": "s3:GetObject",
747
+ "Condition": {
748
+ "StringEquals": {
749
+ "AWS:SourceArn": {
750
+ "Fn::Join": [
751
+ "",
752
+ [
753
+ "arn:",
754
+ {
755
+ "Ref": "AWS::Partition"
756
+ },
757
+ ":cloudfront::",
758
+ {
759
+ "Ref": "AWS::AccountId"
760
+ },
761
+ ":distribution/",
762
+ {
763
+ "Ref": "testcloudfronts3CloudFrontDistribution0565DEE8"
764
+ }
765
+ ]
766
+ ]
767
+ }
768
+ }
769
+ },
770
+ "Effect": "Allow",
771
+ "Principal": {
772
+ "Service": "cloudfront.amazonaws.com"
773
+ },
774
+ "Resource": {
775
+ "Fn::Join": [
776
+ "",
777
+ [
778
+ {
779
+ "Fn::GetAtt": [
780
+ "testcloudfronts3S3BucketE0C5F76E",
781
+ "Arn"
782
+ ]
783
+ },
784
+ "/*"
785
+ ]
786
+ ]
787
+ }
788
+ },
789
+ {
790
+ "Action": "s3:ListBucket",
791
+ "Condition": {
792
+ "StringEquals": {
793
+ "AWS:SourceArn": {
794
+ "Fn::Join": [
795
+ "",
796
+ [
797
+ "arn:",
798
+ {
799
+ "Ref": "AWS::Partition"
800
+ },
801
+ ":cloudfront::",
802
+ {
803
+ "Ref": "AWS::AccountId"
804
+ },
805
+ ":distribution/",
806
+ {
807
+ "Ref": "testcloudfronts3CloudFrontDistribution0565DEE8"
808
+ }
809
+ ]
810
+ ]
811
+ }
812
+ }
813
+ },
814
+ "Effect": "Allow",
815
+ "Principal": {
816
+ "Service": "cloudfront.amazonaws.com"
817
+ },
818
+ "Resource": {
819
+ "Fn::GetAtt": [
820
+ "testcloudfronts3S3BucketE0C5F76E",
821
+ "Arn"
822
+ ]
823
+ }
824
+ }
825
+ ],
826
+ "Version": "2012-10-17"
827
+ }
828
+ },
829
+ "Metadata": {
830
+ "cfn_nag": {
831
+ "rules_to_suppress": [
832
+ {
833
+ "id": "F16",
834
+ "reason": "Public website bucket policy requires a wildcard principal"
835
+ }
836
+ ]
837
+ }
838
+ }
839
+ },
840
+ "testcloudfronts3S3BucketAutoDeleteObjectsCustomResourceA13DD8F7": {
841
+ "Type": "Custom::S3AutoDeleteObjects",
842
+ "Properties": {
843
+ "ServiceToken": {
844
+ "Fn::GetAtt": [
845
+ "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F",
846
+ "Arn"
847
+ ]
848
+ },
849
+ "BucketName": {
850
+ "Ref": "testcloudfronts3S3BucketE0C5F76E"
851
+ }
852
+ },
853
+ "DependsOn": [
854
+ "testcloudfronts3S3BucketPolicy250F1F61"
855
+ ],
856
+ "UpdateReplacePolicy": "Delete",
857
+ "DeletionPolicy": "Delete"
858
+ },
859
+ "testcloudfronts3SetHttpSecurityHeaders6C5A1E69": {
860
+ "Type": "AWS::CloudFront::Function",
861
+ "Properties": {
862
+ "AutoPublish": true,
863
+ "FunctionCode": "function handler(event) { var response = event.response; var headers = response.headers; headers['strict-transport-security'] = { value: 'max-age=63072000; includeSubdomains; preload'}; headers['content-security-policy'] = { value: \"default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'\"}; headers['x-content-type-options'] = { value: 'nosniff'}; headers['x-frame-options'] = {value: 'DENY'}; headers['x-xss-protection'] = {value: '1; mode=block'}; return response; }",
864
+ "FunctionConfig": {
865
+ "Comment": "SetHttpSecurityHeadersc8e292c5e42a882cc21356c52627ed64ad19dbb7d2",
866
+ "Runtime": "cloudfront-js-1.0"
867
+ },
868
+ "Name": "SetHttpSecurityHeadersc8e292c5e42a882cc21356c52627ed64ad19dbb7d2"
869
+ }
870
+ },
871
+ "testcloudfronts3CloudfrontLoggingBucketAccessLog2E738D58": {
872
+ "Type": "AWS::S3::Bucket",
873
+ "Properties": {
874
+ "BucketEncryption": {
875
+ "ServerSideEncryptionConfiguration": [
876
+ {
877
+ "ServerSideEncryptionByDefault": {
878
+ "SSEAlgorithm": "AES256"
879
+ }
880
+ }
881
+ ]
882
+ },
883
+ "PublicAccessBlockConfiguration": {
884
+ "BlockPublicAcls": true,
885
+ "BlockPublicPolicy": true,
886
+ "IgnorePublicAcls": true,
887
+ "RestrictPublicBuckets": true
888
+ },
889
+ "Tags": [
890
+ {
891
+ "Key": "aws-cdk:auto-delete-objects",
892
+ "Value": "true"
893
+ }
894
+ ],
895
+ "VersioningConfiguration": {
896
+ "Status": "Enabled"
897
+ }
898
+ },
899
+ "UpdateReplacePolicy": "Delete",
900
+ "DeletionPolicy": "Delete",
901
+ "Metadata": {
902
+ "cfn_nag": {
903
+ "rules_to_suppress": [
904
+ {
905
+ "id": "W35",
906
+ "reason": "This S3 bucket is used as the access logging bucket for another bucket"
907
+ }
908
+ ]
909
+ }
910
+ }
911
+ },
912
+ "testcloudfronts3CloudfrontLoggingBucketAccessLogPolicy526F2E14": {
913
+ "Type": "AWS::S3::BucketPolicy",
914
+ "Properties": {
915
+ "Bucket": {
916
+ "Ref": "testcloudfronts3CloudfrontLoggingBucketAccessLog2E738D58"
917
+ },
918
+ "PolicyDocument": {
919
+ "Statement": [
920
+ {
921
+ "Action": "s3:*",
922
+ "Condition": {
923
+ "Bool": {
924
+ "aws:SecureTransport": "false"
925
+ }
926
+ },
927
+ "Effect": "Deny",
928
+ "Principal": {
929
+ "AWS": "*"
930
+ },
931
+ "Resource": [
932
+ {
933
+ "Fn::GetAtt": [
934
+ "testcloudfronts3CloudfrontLoggingBucketAccessLog2E738D58",
935
+ "Arn"
936
+ ]
937
+ },
938
+ {
939
+ "Fn::Join": [
940
+ "",
941
+ [
942
+ {
943
+ "Fn::GetAtt": [
944
+ "testcloudfronts3CloudfrontLoggingBucketAccessLog2E738D58",
945
+ "Arn"
946
+ ]
947
+ },
948
+ "/*"
949
+ ]
950
+ ]
951
+ }
952
+ ]
953
+ },
954
+ {
955
+ "Action": [
956
+ "s3:DeleteObject*",
957
+ "s3:GetBucket*",
958
+ "s3:List*",
959
+ "s3:PutBucketPolicy"
960
+ ],
961
+ "Effect": "Allow",
962
+ "Principal": {
963
+ "AWS": {
964
+ "Fn::GetAtt": [
965
+ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092",
966
+ "Arn"
967
+ ]
968
+ }
969
+ },
970
+ "Resource": [
971
+ {
972
+ "Fn::GetAtt": [
973
+ "testcloudfronts3CloudfrontLoggingBucketAccessLog2E738D58",
974
+ "Arn"
975
+ ]
976
+ },
977
+ {
978
+ "Fn::Join": [
979
+ "",
980
+ [
981
+ {
982
+ "Fn::GetAtt": [
983
+ "testcloudfronts3CloudfrontLoggingBucketAccessLog2E738D58",
984
+ "Arn"
985
+ ]
986
+ },
987
+ "/*"
988
+ ]
989
+ ]
990
+ }
991
+ ]
992
+ },
993
+ {
994
+ "Action": "s3:PutObject",
995
+ "Condition": {
996
+ "ArnLike": {
997
+ "aws:SourceArn": {
998
+ "Fn::GetAtt": [
999
+ "testcloudfronts3CloudfrontLoggingBucket985C0FE8",
1000
+ "Arn"
1001
+ ]
1002
+ }
1003
+ },
1004
+ "StringEquals": {
1005
+ "aws:SourceAccount": {
1006
+ "Ref": "AWS::AccountId"
1007
+ }
1008
+ }
1009
+ },
1010
+ "Effect": "Allow",
1011
+ "Principal": {
1012
+ "Service": "logging.s3.amazonaws.com"
1013
+ },
1014
+ "Resource": {
1015
+ "Fn::Join": [
1016
+ "",
1017
+ [
1018
+ {
1019
+ "Fn::GetAtt": [
1020
+ "testcloudfronts3CloudfrontLoggingBucketAccessLog2E738D58",
1021
+ "Arn"
1022
+ ]
1023
+ },
1024
+ "/*"
1025
+ ]
1026
+ ]
1027
+ }
1028
+ }
1029
+ ],
1030
+ "Version": "2012-10-17"
1031
+ }
1032
+ }
1033
+ },
1034
+ "testcloudfronts3CloudfrontLoggingBucketAccessLogAutoDeleteObjectsCustomResourceE16E063D": {
1035
+ "Type": "Custom::S3AutoDeleteObjects",
1036
+ "Properties": {
1037
+ "ServiceToken": {
1038
+ "Fn::GetAtt": [
1039
+ "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F",
1040
+ "Arn"
1041
+ ]
1042
+ },
1043
+ "BucketName": {
1044
+ "Ref": "testcloudfronts3CloudfrontLoggingBucketAccessLog2E738D58"
1045
+ }
1046
+ },
1047
+ "DependsOn": [
1048
+ "testcloudfronts3CloudfrontLoggingBucketAccessLogPolicy526F2E14"
1049
+ ],
1050
+ "UpdateReplacePolicy": "Delete",
1051
+ "DeletionPolicy": "Delete"
1052
+ },
1053
+ "testcloudfronts3CloudfrontLoggingBucket985C0FE8": {
1054
+ "Type": "AWS::S3::Bucket",
1055
+ "Properties": {
1056
+ "AccessControl": "LogDeliveryWrite",
1057
+ "BucketEncryption": {
1058
+ "ServerSideEncryptionConfiguration": [
1059
+ {
1060
+ "ServerSideEncryptionByDefault": {
1061
+ "SSEAlgorithm": "AES256"
1062
+ }
1063
+ }
1064
+ ]
1065
+ },
1066
+ "LoggingConfiguration": {
1067
+ "DestinationBucketName": {
1068
+ "Ref": "testcloudfronts3CloudfrontLoggingBucketAccessLog2E738D58"
1069
+ }
1070
+ },
1071
+ "OwnershipControls": {
1072
+ "Rules": [
1073
+ {
1074
+ "ObjectOwnership": "ObjectWriter"
1075
+ }
1076
+ ]
1077
+ },
1078
+ "PublicAccessBlockConfiguration": {
1079
+ "BlockPublicAcls": true,
1080
+ "BlockPublicPolicy": true,
1081
+ "IgnorePublicAcls": true,
1082
+ "RestrictPublicBuckets": true
1083
+ },
1084
+ "Tags": [
1085
+ {
1086
+ "Key": "aws-cdk:auto-delete-objects",
1087
+ "Value": "true"
1088
+ }
1089
+ ],
1090
+ "VersioningConfiguration": {
1091
+ "Status": "Enabled"
1092
+ }
1093
+ },
1094
+ "UpdateReplacePolicy": "Delete",
1095
+ "DeletionPolicy": "Delete"
1096
+ },
1097
+ "testcloudfronts3CloudfrontLoggingBucketPolicyDF55851B": {
1098
+ "Type": "AWS::S3::BucketPolicy",
1099
+ "Properties": {
1100
+ "Bucket": {
1101
+ "Ref": "testcloudfronts3CloudfrontLoggingBucket985C0FE8"
1102
+ },
1103
+ "PolicyDocument": {
1104
+ "Statement": [
1105
+ {
1106
+ "Action": "s3:*",
1107
+ "Condition": {
1108
+ "Bool": {
1109
+ "aws:SecureTransport": "false"
1110
+ }
1111
+ },
1112
+ "Effect": "Deny",
1113
+ "Principal": {
1114
+ "AWS": "*"
1115
+ },
1116
+ "Resource": [
1117
+ {
1118
+ "Fn::GetAtt": [
1119
+ "testcloudfronts3CloudfrontLoggingBucket985C0FE8",
1120
+ "Arn"
1121
+ ]
1122
+ },
1123
+ {
1124
+ "Fn::Join": [
1125
+ "",
1126
+ [
1127
+ {
1128
+ "Fn::GetAtt": [
1129
+ "testcloudfronts3CloudfrontLoggingBucket985C0FE8",
1130
+ "Arn"
1131
+ ]
1132
+ },
1133
+ "/*"
1134
+ ]
1135
+ ]
1136
+ }
1137
+ ]
1138
+ },
1139
+ {
1140
+ "Action": [
1141
+ "s3:DeleteObject*",
1142
+ "s3:GetBucket*",
1143
+ "s3:List*",
1144
+ "s3:PutBucketPolicy"
1145
+ ],
1146
+ "Effect": "Allow",
1147
+ "Principal": {
1148
+ "AWS": {
1149
+ "Fn::GetAtt": [
1150
+ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092",
1151
+ "Arn"
1152
+ ]
1153
+ }
1154
+ },
1155
+ "Resource": [
1156
+ {
1157
+ "Fn::GetAtt": [
1158
+ "testcloudfronts3CloudfrontLoggingBucket985C0FE8",
1159
+ "Arn"
1160
+ ]
1161
+ },
1162
+ {
1163
+ "Fn::Join": [
1164
+ "",
1165
+ [
1166
+ {
1167
+ "Fn::GetAtt": [
1168
+ "testcloudfronts3CloudfrontLoggingBucket985C0FE8",
1169
+ "Arn"
1170
+ ]
1171
+ },
1172
+ "/*"
1173
+ ]
1174
+ ]
1175
+ }
1176
+ ]
1177
+ }
1178
+ ],
1179
+ "Version": "2012-10-17"
1180
+ }
1181
+ }
1182
+ },
1183
+ "testcloudfronts3CloudfrontLoggingBucketAutoDeleteObjectsCustomResource19604D88": {
1184
+ "Type": "Custom::S3AutoDeleteObjects",
1185
+ "Properties": {
1186
+ "ServiceToken": {
1187
+ "Fn::GetAtt": [
1188
+ "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F",
1189
+ "Arn"
1190
+ ]
1191
+ },
1192
+ "BucketName": {
1193
+ "Ref": "testcloudfronts3CloudfrontLoggingBucket985C0FE8"
1194
+ }
1195
+ },
1196
+ "DependsOn": [
1197
+ "testcloudfronts3CloudfrontLoggingBucketPolicyDF55851B"
1198
+ ],
1199
+ "UpdateReplacePolicy": "Delete",
1200
+ "DeletionPolicy": "Delete"
1201
+ },
1202
+ "testcloudfronts3CloudFrontOac7A951AA6": {
1203
+ "Type": "AWS::CloudFront::OriginAccessControl",
1204
+ "Properties": {
1205
+ "OriginAccessControlConfig": {
1206
+ "Description": "Origin access control provisioned by aws-cloudfront-s3",
1207
+ "Name": {
1208
+ "Fn::Join": [
1209
+ "",
1210
+ [
1211
+ "aws-cloudfront-s3-testnt-s3-",
1212
+ {
1213
+ "Fn::Select": [
1214
+ 2,
1215
+ {
1216
+ "Fn::Split": [
1217
+ "/",
1218
+ {
1219
+ "Ref": "AWS::StackId"
1220
+ }
1221
+ ]
1222
+ }
1223
+ ]
1224
+ }
1225
+ ]
1226
+ ]
1227
+ },
1228
+ "OriginAccessControlOriginType": "s3",
1229
+ "SigningBehavior": "always",
1230
+ "SigningProtocol": "sigv4"
1231
+ }
1232
+ }
1233
+ },
1234
+ "testcloudfronts3CloudFrontDistribution0565DEE8": {
1235
+ "Type": "AWS::CloudFront::Distribution",
1236
+ "Properties": {
1237
+ "DistributionConfig": {
1238
+ "CacheBehaviors": [
1239
+ {
1240
+ "CachePolicyId": "4135ea2d-6df8-44a3-9df3-4b5a84be39ad",
1241
+ "Compress": true,
1242
+ "PathPattern": "/assets/public/*",
1243
+ "TargetOriginId": "cfts3additionalbehaviortestcloudfronts3CloudFrontDistributionOrigin2C22ED426",
1244
+ "ViewerProtocolPolicy": "allow-all"
1245
+ },
1246
+ {
1247
+ "CachePolicyId": "4135ea2d-6df8-44a3-9df3-4b5a84be39ad",
1248
+ "Compress": true,
1249
+ "PathPattern": "ngsw.json",
1250
+ "TargetOriginId": "cfts3additionalbehaviortestcloudfronts3CloudFrontDistributionOrigin192BE1CD4",
1251
+ "ViewerProtocolPolicy": "allow-all"
1252
+ }
1253
+ ],
1254
+ "DefaultCacheBehavior": {
1255
+ "CachePolicyId": "658327ea-f89d-4fab-a63d-7e88639e58f6",
1256
+ "Compress": true,
1257
+ "FunctionAssociations": [
1258
+ {
1259
+ "EventType": "viewer-response",
1260
+ "FunctionARN": {
1261
+ "Fn::GetAtt": [
1262
+ "testcloudfronts3SetHttpSecurityHeaders6C5A1E69",
1263
+ "FunctionARN"
1264
+ ]
1265
+ }
1266
+ }
1267
+ ],
1268
+ "TargetOriginId": "cfts3additionalbehaviortestcloudfronts3CloudFrontDistributionOrigin192BE1CD4",
1269
+ "ViewerProtocolPolicy": "redirect-to-https"
1270
+ },
1271
+ "DefaultRootObject": "index.html",
1272
+ "Enabled": true,
1273
+ "HttpVersion": "http2",
1274
+ "IPV6Enabled": true,
1275
+ "Logging": {
1276
+ "Bucket": {
1277
+ "Fn::GetAtt": [
1278
+ "testcloudfronts3CloudfrontLoggingBucket985C0FE8",
1279
+ "RegionalDomainName"
1280
+ ]
1281
+ }
1282
+ },
1283
+ "Origins": [
1284
+ {
1285
+ "DomainName": {
1286
+ "Fn::GetAtt": [
1287
+ "testcloudfronts3S3BucketE0C5F76E",
1288
+ "RegionalDomainName"
1289
+ ]
1290
+ },
1291
+ "Id": "cfts3additionalbehaviortestcloudfronts3CloudFrontDistributionOrigin192BE1CD4",
1292
+ "OriginAccessControlId": {
1293
+ "Fn::GetAtt": [
1294
+ "testcloudfronts3CloudFrontOac7A951AA6",
1295
+ "Id"
1296
+ ]
1297
+ },
1298
+ "S3OriginConfig": {
1299
+ "OriginAccessIdentity": ""
1300
+ }
1301
+ },
1302
+ {
1303
+ "DomainName": {
1304
+ "Fn::GetAtt": [
1305
+ "scrapBucketB11863B7",
1306
+ "RegionalDomainName"
1307
+ ]
1308
+ },
1309
+ "Id": "cfts3additionalbehaviortestcloudfronts3CloudFrontDistributionOrigin2C22ED426",
1310
+ "S3OriginConfig": {
1311
+ "OriginAccessIdentity": ""
1312
+ }
1313
+ }
1314
+ ]
1315
+ }
1316
+ },
1317
+ "Metadata": {
1318
+ "cfn_nag": {
1319
+ "rules_to_suppress": [
1320
+ {
1321
+ "id": "W70",
1322
+ "reason": "Since the distribution uses the CloudFront domain name, CloudFront automatically sets the security policy to TLSv1 regardless of the value of MinimumProtocolVersion"
1323
+ }
1324
+ ]
1325
+ }
1326
+ }
1327
+ }
1328
+ },
1329
+ "Parameters": {
1330
+ "BootstrapVersion": {
1331
+ "Type": "AWS::SSM::Parameter::Value<String>",
1332
+ "Default": "/cdk-bootstrap/hnb659fds/version",
1333
+ "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
1334
+ }
1335
+ },
1336
+ "Rules": {
1337
+ "CheckBootstrapVersion": {
1338
+ "Assertions": [
1339
+ {
1340
+ "Assert": {
1341
+ "Fn::Not": [
1342
+ {
1343
+ "Fn::Contains": [
1344
+ [
1345
+ "1",
1346
+ "2",
1347
+ "3",
1348
+ "4",
1349
+ "5"
1350
+ ],
1351
+ {
1352
+ "Ref": "BootstrapVersion"
1353
+ }
1354
+ ]
1355
+ }
1356
+ ]
1357
+ },
1358
+ "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
1359
+ }
1360
+ ]
1361
+ }
1362
+ }
1363
+ }
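Review bot: Both entries in `CacheBehaviors` (`/assets/public/*` and `ngsw.json`) set `"ViewerProtocolPolicy": "allow-all"`, so those paths can be fetched over plain HTTP while `DefaultCacheBehavior` uses `redirect-to-https`; neither entry has `FunctionAssociations`, so the `SetHttpSecurityHeaders` function is not attached to them. Unless the test is meant to pin that behaviour, both should use `"ViewerProtocolPolicy": "redirect-to-https"`. The second origin (`scrapBucketB11863B7`) has no `OriginAccessControlId`, its bucket policy has no `cloudfront.amazonaws.com` statement, and the bucket has no `PublicAccessBlockConfiguration`, so requests to it appear to be unsigned; the standalone `CloudFrontOac` resource is not referenced by any origin. The template looks CDK-synthesized, so any change presumably belongs in the integration test's source rather than in this file.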