Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(cloudfront): s3 origin access control L2 construct #31254

Merged
merged 79 commits into from
Sep 5, 2024
Merged
Changes from 1 commit
Commits
Show all changes
79 commits
Select commit Hold shift + click to select a range
cd5f600
wip oac
May 17, 2024
fee9488
create custom resource to update kms policy
May 24, 2024
4ae6627
custom resource for bucket policy
May 28, 2024
dc49ed1
Support oac in webDistribution
May 28, 2024
ad28865
refactor
May 29, 2024
98af399
fix undefined distribution id
Jun 3, 2024
d87681e
refactor
Jun 19, 2024
c9bba82
Add validation for origin type on OAC
Jun 20, 2024
8a4e752
Add origin type to oac
Jun 21, 2024
4267b49
remove feature flag
gracelu0 Aug 3, 2024
a0529ec
deprecate S3Origin and replace with S3StaticWebsiteOrigin and S3Bucke…
gracelu0 Aug 8, 2024
e0a3d37
Add S3BucketOrigin subclass props
gracelu0 Aug 12, 2024
1bd7d95
update README for cloudfront with new API for S3BucketOrigin
gracelu0 Aug 12, 2024
5c16627
add unit tests for S3 OAC
gracelu0 Aug 14, 2024
664d2a9
remove name length validation (leave this to cloudformation)
gracelu0 Aug 14, 2024
62f8c68
fix unit test
gracelu0 Aug 14, 2024
012dfc6
formatting
gracelu0 Aug 14, 2024
622209a
Add integration test for S3 bucket origin with default OAC
gracelu0 Aug 16, 2024
1f7f792
add if check to OAC bind method
gracelu0 Aug 16, 2024
d4ac775
check default properties in OriginAccessControl in unit test
samson-keung Aug 16, 2024
a306f53
remove custom resource
gracelu0 Aug 19, 2024
d9376fb
fix integ test formatting
gracelu0 Aug 19, 2024
840957d
Add note about bucket object ownership with OAC
gracelu0 Aug 19, 2024
632c131
remove web distribution oac
gracelu0 Aug 19, 2024
bbc70e0
adding first unit test for S3BucketOrigin
samson-keung Aug 20, 2024
d835503
more unit tests for S3BucketOrigin
samson-keung Aug 21, 2024
7f51018
more unit tests for S3BucketOrigin and removed originAccessControlId …
samson-keung Aug 22, 2024
1b9455c
address feedback
gracelu0 Aug 22, 2024
903b105
fix unit tests
gracelu0 Aug 22, 2024
4c9d719
Unit test for S3BucketOrigin.withOriginAccessIdentity
samson-keung Aug 22, 2024
affcaf8
Add integration tests for s3 bucket origin and s3 static website origin
gracelu0 Aug 22, 2024
e256724
add unit test for s3 static website origin
gracelu0 Aug 23, 2024
1de0c6a
add test for imported bucket
gracelu0 Aug 24, 2024
879fc94
add unit test for oac permission levels
gracelu0 Aug 26, 2024
b08605e
introduce assembleDomainName option in S3BucketOrigin.withOriginAcces…
samson-keung Aug 27, 2024
054f24f
Update README and warning
gracelu0 Aug 22, 2024
f5c308c
fix using imported bucket with assembleDomainName to true
samson-keung Aug 27, 2024
626a8b3
remove assembleDomainName and use wildcard key policy
samson-keung Aug 28, 2024
4a8f9c8
warn user about wildcard in key policy
samson-keung Aug 28, 2024
9449c3c
warning wording update
samson-keung Aug 28, 2024
f33dffb
add unit test for oac permission levels (#31225)
gracelu0 Aug 28, 2024
dd11f45
warning wording update and removed redundant warning
samson-keung Aug 28, 2024
c8eaa3e
Use wildcard in KMS key policy instead of referencing Distribution to…
gracelu0 Aug 28, 2024
8d1f326
unit test using escape hatch to scope down OAC Key policy permission
samson-keung Aug 28, 2024
06b471a
liniting fix
samson-keung Aug 28, 2024
516c29f
add migration section and imported bucket sections to README
gracelu0 Aug 29, 2024
e146ecf
revert accidentally deleted doc string
samson-keung Aug 29, 2024
69f10ad
Unit test for using escape hatch to scope down Key Policy (#31246)
gracelu0 Aug 29, 2024
f776aad
update unit test warning message to match
gracelu0 Aug 29, 2024
5d6d0d4
update readme
gracelu0 Aug 29, 2024
8d37c8d
add section to README on migrating from OAI to OAC (#31247)
gracelu0 Aug 29, 2024
f0f58cd
liniting fixes
samson-keung Aug 29, 2024
afadeee
Liniting fixes (#31256)
samson-keung Aug 29, 2024
762e036
add section for ssekms circular dependency workaround
gracelu0 Aug 30, 2024
54d597e
add README section for sse-kms circular dependency workaround (#31262)
gracelu0 Aug 30, 2024
ebfa3fd
OAC encrypted bucket origin integ test
samson-keung Aug 30, 2024
bec0246
snapshot update
samson-keung Aug 30, 2024
35dd110
OAC encrypted bucket origin integ test (#31270)
gracelu0 Sep 3, 2024
298ffc9
update note on downtime during migration
gracelu0 Sep 3, 2024
3cab851
update readme
gracelu0 Sep 4, 2024
9377b09
docs: update note on downtime during migration (#31307)
gracelu0 Sep 4, 2024
765d37e
pr feedback for static website origin
gracelu0 Sep 4, 2024
69e2846
clarify standard s3 origin
gracelu0 Sep 4, 2024
d6ee6b7
refactor and readme
gracelu0 Sep 4, 2024
d111eea
Update S3BucketOrigin.withOriginAccessControl class methods to be pri…
samson-keung Sep 4, 2024
684ed5a
Update S3BucketOrigin.withOriginAccessControl class methods to be pri…
samson-keung Sep 4, 2024
5d510c5
move note to s3 section
gracelu0 Sep 4, 2024
070b3d5
format docstring with extra line
gracelu0 Sep 4, 2024
a4a5ef3
add new line to s3 origin file
gracelu0 Sep 4, 2024
ae53ce3
docstring for signingbehavior
gracelu0 Sep 4, 2024
405488d
address feedback
gracelu0 Sep 5, 2024
d35c6bd
refactor anonymous classes into subclasses for s3 bucket origin with …
gracelu0 Sep 5, 2024
912891b
Merge branch 'main' into gracelu0/s3-oac-l2
gracelu0 Sep 5, 2024
46db428
make subclasses private
gracelu0 Sep 5, 2024
3df3b2f
move permissions to keep private
gracelu0 Sep 5, 2024
81a8a89
fix linting error
gracelu0 Sep 5, 2024
d1dc56a
fix integ test
gracelu0 Sep 5, 2024
844c234
Merge branch 'main' into gracelu0/s3-oac-l2
mergify[bot] Sep 5, 2024
3d79694
Merge branch 'main' into gracelu0/s3-oac-l2
mergify[bot] Sep 5, 2024
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
321 changes: 166 additions & 155 deletions packages/aws-cdk-lib/aws-cloudfront-origins/lib/s3-bucket-origin.ts
Original file line number Diff line number Diff line change
Expand Up @@ -51,114 +51,7 @@ export abstract class S3BucketOrigin extends cloudfront.OriginBase {
* Create a S3 Origin with Origin Access Control (OAC) configured
*/
public static withOriginAccessControl(bucket: IBucket, props?: S3BucketOriginWithOACProps): cloudfront.IOrigin {
return new class extends S3BucketOrigin {
private originAccessControl?: cloudfront.IOriginAccessControl;

constructor() {
super(bucket, { ...props });
this.originAccessControl = props?.originAccessControl;
}

public bind(scope: Construct, options: cloudfront.OriginBindOptions): cloudfront.OriginBindConfig {
if (!this.originAccessControl) {
this.originAccessControl = new cloudfront.S3OriginAccessControl(scope, 'S3OriginAccessControl');
}

const distributionId = options.distributionId;
const accessLevels = new Set(props?.originAccessLevels ?? [cloudfront.AccessLevel.READ]);
const bucketPolicyActions = this.getBucketPolicyActions(accessLevels);
const bucketPolicyResult = this.grantDistributionAccessToBucket(distributionId!, bucketPolicyActions);

// Failed to update bucket policy, assume using imported bucket
if (!bucketPolicyResult.statementAdded) {
Annotations.of(scope).addWarningV2('@aws-cdk/aws-cloudfront-origins:updateImportedBucketPolicyOac',
'Cannot update bucket policy of an imported bucket. You will need to update the policy manually instead.\n' +
'See the "Setting up OAC with imported S3 buckets" section of module\'s README for more info.');
}

if (bucket.encryptionKey) {
const keyPolicyActions = this.getKeyPolicyActions(accessLevels);
const keyPolicyResult = this.grantDistributionAccessToKey(keyPolicyActions, bucket.encryptionKey);
// Failed to update key policy, assume using imported key
if (!keyPolicyResult.statementAdded) {
Annotations.of(scope).addWarningV2('@aws-cdk/aws-cloudfront-origins:updateImportedKeyPolicyOac',
'Cannot update key policy of an imported key. You will need to update the policy manually instead.\n' +
'See the "Updating imported key policies" section of the module\'s README for more info.');
}
}

const originBindConfig = this._bind(scope, options);

// Update configuration to set OriginControlAccessId property
return {
...originBindConfig,
originProperty: {
...originBindConfig.originProperty!,
originAccessControlId: this.originAccessControl.originAccessControlId,
},
};
}

private getBucketPolicyActions(accessLevels: Set<cloudfront.AccessLevel>): string[] {
let actions: string[] = [];
for (const accessLevel of accessLevels) {
actions = actions.concat(BUCKET_ACTIONS[accessLevel]);
}
return actions;
}

private getKeyPolicyActions(accessLevels: Set<cloudfront.AccessLevel>): string[] {
let actions: string[] = [];
for (const accessLevel of accessLevels) {
// Filter out DELETE since delete permissions are not applicable to KMS key actions
if (accessLevel !== AccessLevel.DELETE) {
actions = actions.concat(KEY_ACTIONS[accessLevel]);
}
}
return actions;
}

private grantDistributionAccessToBucket(distributionId: string, actions: string[]): iam.AddToResourcePolicyResult {
const oacBucketPolicyStatement = new iam.PolicyStatement(
{
effect: iam.Effect.ALLOW,
principals: [new iam.ServicePrincipal('cloudfront.amazonaws.com')],
actions,
resources: [bucket.arnForObjects('*')],
conditions: {
StringEquals: {
'AWS:SourceArn': `arn:${Aws.PARTITION}:cloudfront::${Aws.ACCOUNT_ID}:distribution/${distributionId}`,
},
},
},
);
const result = bucket.addToResourcePolicy(oacBucketPolicyStatement);
return result;
}

private grantDistributionAccessToKey(actions: string[], key: IKey): iam.AddToResourcePolicyResult {
const oacKeyPolicyStatement = new iam.PolicyStatement(
{
effect: iam.Effect.ALLOW,
principals: [new iam.ServicePrincipal('cloudfront.amazonaws.com')],
actions,
resources: ['*'],
conditions: {
ArnLike: {
'AWS:SourceArn': `arn:${Aws.PARTITION}:cloudfront::${Aws.ACCOUNT_ID}:distribution/*`,
},
},
},
);
Annotations.of(key.node.scope!).addWarningV2('@aws-cdk/aws-cloudfront-origins:wildcardKeyPolicyForOac',
'To avoid a circular dependency between the KMS key, Bucket, and Distribution during the initial deployment, ' +
'a wildcard is used in the Key policy condition to match all Distribution IDs.\n' +
'After deploying once, it is strongly recommended to further scope down the policy for best security practices by ' +
'following the guidance in the "Using OAC for a SSE-KMS encrypted S3 origin" section in the module README.');
const result = key.addToResourcePolicy(oacKeyPolicyStatement);
return result;
}
}();
return new S3BucketOriginWithOAC(bucket, props);
}

/**
Expand All @@ -167,53 +60,7 @@ export abstract class S3BucketOrigin extends cloudfront.OriginBase {
* unless it is not supported in your required region (e.g. China regions).
*/
public static withOriginAccessIdentity(bucket: IBucket, props?: S3BucketOriginWithOAIProps): cloudfront.IOrigin {
return new class extends S3BucketOrigin {
private originAccessIdentity?: cloudfront.IOriginAccessIdentity;

constructor() {
super(bucket, { ...props });
this.originAccessIdentity = props?.originAccessIdentity;
}

public bind(scope: Construct, options: cloudfront.OriginBindOptions): cloudfront.OriginBindConfig {
if (!this.originAccessIdentity) {
// Using a bucket from another stack creates a cyclic reference with
// the bucket taking a dependency on the generated S3CanonicalUserId for the grant principal,
// and the distribution having a dependency on the bucket's domain name.
// Fix this by parenting the OAI in the bucket's stack when cross-stack usage is detected.
const bucketStack = Stack.of(bucket);
const bucketInDifferentStack = bucketStack !== Stack.of(scope);
const oaiScope = bucketInDifferentStack ? bucketStack : scope;
const oaiId = bucketInDifferentStack ? `${Names.uniqueId(scope)}S3Origin` : 'S3Origin';

this.originAccessIdentity = new cloudfront.OriginAccessIdentity(oaiScope, oaiId, {
comment: `Identity for ${options.originId}`,
});
};
// Used rather than `grantRead` because `grantRead` will grant overly-permissive policies.
// Only GetObject is needed to retrieve objects for the distribution.
// This also excludes KMS permissions; OAI only supports SSE-S3 for buckets.
// Source: https://aws.amazon.com/blogs/networking-and-content-delivery/serving-sse-kms-encrypted-content-from-s3-using-cloudfront/
const result = bucket.addToResourcePolicy(new iam.PolicyStatement({
resources: [bucket.arnForObjects('*')],
actions: ['s3:GetObject'],
principals: [this.originAccessIdentity.grantPrincipal],
}));
if (!result.statementAdded) {
Annotations.of(scope).addWarningV2('@aws-cdk/aws-cloudfront-origins:updateImportedBucketPolicyOai',
'Cannot update bucket policy of an imported bucket. You will need to update the policy manually instead.\n' +
'See the "Setting up OAI with imported S3 buckets (legacy)" section of module\'s README for more info.');
}
return this._bind(scope, options);
}

protected renderS3OriginConfig(): cloudfront.CfnDistribution.S3OriginConfigProperty | undefined {
if (!this.originAccessIdentity) {
throw new Error('Origin access identity cannot be undefined');
}
return { originAccessIdentity: `origin-access-identity/cloudfront/${this.originAccessIdentity.originAccessIdentityId}` };
}
}();
return new S3BucketOriginWithOAI(bucket, props);
}

/**
Expand All @@ -240,3 +87,167 @@ export abstract class S3BucketOrigin extends cloudfront.OriginBase {
return { originAccessIdentity: '' };
gracelu0 marked this conversation as resolved.
Show resolved Hide resolved
}
}

export class S3BucketOriginWithOAC extends S3BucketOrigin {
gracelu0 marked this conversation as resolved.
Show resolved Hide resolved
private readonly bucket: IBucket;
private originAccessControl?: cloudfront.IOriginAccessControl;
private originAccessLevels?: cloudfront.AccessLevel[];

constructor(bucket: IBucket, props?: S3BucketOriginWithOACProps) {
super(bucket, { ...props });
this.bucket = bucket;
this.originAccessControl = props?.originAccessControl;
this.originAccessLevels = props?.originAccessLevels;
}

public bind(scope: Construct, options: cloudfront.OriginBindOptions): cloudfront.OriginBindConfig {
if (!this.originAccessControl) {
this.originAccessControl = new cloudfront.S3OriginAccessControl(scope, 'S3OriginAccessControl');
}

const distributionId = options.distributionId;
const accessLevels = new Set(this.originAccessLevels ?? [cloudfront.AccessLevel.READ]);
const bucketPolicyActions = this.getBucketPolicyActions(accessLevels);
const bucketPolicyResult = this.grantDistributionAccessToBucket(distributionId!, bucketPolicyActions);

// Failed to update bucket policy, assume using imported bucket
if (!bucketPolicyResult.statementAdded) {
Annotations.of(scope).addWarningV2('@aws-cdk/aws-cloudfront-origins:updateImportedBucketPolicyOac',
'Cannot update bucket policy of an imported bucket. You will need to update the policy manually instead.\n' +
'See the "Setting up OAC with imported S3 buckets" section of module\'s README for more info.');
}

if (this.bucket.encryptionKey) {
const keyPolicyActions = this.getKeyPolicyActions(accessLevels);
const keyPolicyResult = this.grantDistributionAccessToKey(keyPolicyActions, this.bucket.encryptionKey);
// Failed to update key policy, assume using imported key
if (!keyPolicyResult.statementAdded) {
Annotations.of(scope).addWarningV2('@aws-cdk/aws-cloudfront-origins:updateImportedKeyPolicyOac',
'Cannot update key policy of an imported key. You will need to update the policy manually instead.\n' +
'See the "Updating imported key policies" section of the module\'s README for more info.');
}
}

const originBindConfig = this._bind(scope, options);

// Update configuration to set OriginControlAccessId property
return {
...originBindConfig,
originProperty: {
...originBindConfig.originProperty!,
originAccessControlId: this.originAccessControl.originAccessControlId,
},
};
}

private getBucketPolicyActions(accessLevels: Set<cloudfront.AccessLevel>): string[] {
let actions: string[] = [];
for (const accessLevel of accessLevels) {
actions = actions.concat(BUCKET_ACTIONS[accessLevel]);
}
return actions;
}

private getKeyPolicyActions(accessLevels: Set<cloudfront.AccessLevel>): string[] {
let actions: string[] = [];
for (const accessLevel of accessLevels) {
// Filter out DELETE since delete permissions are not applicable to KMS key actions
if (accessLevel !== AccessLevel.DELETE) {
actions = actions.concat(KEY_ACTIONS[accessLevel]);
}
}
return actions;
}

private grantDistributionAccessToBucket(distributionId: string, actions: string[]): iam.AddToResourcePolicyResult {
const oacBucketPolicyStatement = new iam.PolicyStatement(
{
effect: iam.Effect.ALLOW,
principals: [new iam.ServicePrincipal('cloudfront.amazonaws.com')],
actions,
resources: [this.bucket.arnForObjects('*')],
conditions: {
StringEquals: {
'AWS:SourceArn': `arn:${Aws.PARTITION}:cloudfront::${Aws.ACCOUNT_ID}:distribution/${distributionId}`,
},
},
},
);
const result = this.bucket.addToResourcePolicy(oacBucketPolicyStatement);
return result;
}

private grantDistributionAccessToKey(actions: string[], key: IKey): iam.AddToResourcePolicyResult {
const oacKeyPolicyStatement = new iam.PolicyStatement(
{
effect: iam.Effect.ALLOW,
principals: [new iam.ServicePrincipal('cloudfront.amazonaws.com')],
actions,
resources: ['*'],
conditions: {
ArnLike: {
'AWS:SourceArn': `arn:${Aws.PARTITION}:cloudfront::${Aws.ACCOUNT_ID}:distribution/*`,
},
},
},
);
Annotations.of(key.node.scope!).addWarningV2('@aws-cdk/aws-cloudfront-origins:wildcardKeyPolicyForOac',
'To avoid a circular dependency between the KMS key, Bucket, and Distribution during the initial deployment, ' +
'a wildcard is used in the Key policy condition to match all Distribution IDs.\n' +
'After deploying once, it is strongly recommended to further scope down the policy for best security practices by ' +
'following the guidance in the "Using OAC for a SSE-KMS encrypted S3 origin" section in the module README.');
const result = key.addToResourcePolicy(oacKeyPolicyStatement);
return result;
}
};


xazhao marked this conversation as resolved.
Show resolved Hide resolved
export class S3BucketOriginWithOAI extends S3BucketOrigin {
private readonly bucket: IBucket;
private originAccessIdentity?: cloudfront.IOriginAccessIdentity;

constructor(bucket: IBucket, props?: S3BucketOriginWithOAIProps) {
super(bucket, { ...props });
this.bucket = bucket;
this.originAccessIdentity = props?.originAccessIdentity;
}

public bind(scope: Construct, options: cloudfront.OriginBindOptions): cloudfront.OriginBindConfig {
if (!this.originAccessIdentity) {
// Using a bucket from another stack creates a cyclic reference with
// the bucket taking a dependency on the generated S3CanonicalUserId for the grant principal,
// and the distribution having a dependency on the bucket's domain name.
// Fix this by parenting the OAI in the bucket's stack when cross-stack usage is detected.
const bucketStack = Stack.of(this.bucket);
const bucketInDifferentStack = bucketStack !== Stack.of(scope);
const oaiScope = bucketInDifferentStack ? bucketStack : scope;
const oaiId = bucketInDifferentStack ? `${Names.uniqueId(scope)}S3Origin` : 'S3Origin';

this.originAccessIdentity = new cloudfront.OriginAccessIdentity(oaiScope, oaiId, {
comment: `Identity for ${options.originId}`,
});
};
// Used rather than `grantRead` because `grantRead` will grant overly-permissive policies.
// Only GetObject is needed to retrieve objects for the distribution.
// This also excludes KMS permissions; OAI only supports SSE-S3 for buckets.
// Source: https://aws.amazon.com/blogs/networking-and-content-delivery/serving-sse-kms-encrypted-content-from-s3-using-cloudfront/
const result = this.bucket.addToResourcePolicy(new iam.PolicyStatement({
resources: [this.bucket.arnForObjects('*')],
actions: ['s3:GetObject'],
principals: [this.originAccessIdentity.grantPrincipal],
}));
if (!result.statementAdded) {
Annotations.of(scope).addWarningV2('@aws-cdk/aws-cloudfront-origins:updateImportedBucketPolicyOai',
'Cannot update bucket policy of an imported bucket. You will need to update the policy manually instead.\n' +
'See the "Setting up OAI with imported S3 buckets (legacy)" section of module\'s README for more info.');
}
return this._bind(scope, options);
}

protected renderS3OriginConfig(): cloudfront.CfnDistribution.S3OriginConfigProperty | undefined {
if (!this.originAccessIdentity) {
throw new Error('Origin access identity cannot be undefined');
}
return { originAccessIdentity: `origin-access-identity/cloudfront/${this.originAccessIdentity.originAccessIdentityId}` };
}
};
Loading