(@aws-cdk/aws-cloudfront-origins): S3 OAI & bucket policy are not created for CloudFront Distribution
When I create a CloudFront Distribution with a new S3 bucket which is not accessible to the public, I expect to get an OAI and an S3 Bucket Policy. This is however not automatically created. Not even when I create an OAI myself and add it to the distribution.
Am I just interpreting the docs wrong?
Reproduction Steps
Stack TypeScript code:
  import * as cdk from '@aws-cdk/core';
  import * as s3 from '@aws-cdk/aws-s3';
  import * as cloudfront from '@aws-cdk/aws-cloudfront';
  import * as origins from '@aws-cdk/aws-cloudfront-origins';
  import { PriceClass, ViewerProtocolPolicy } from '@aws-cdk/aws-cloudfront';

  // Private bucket, but websiteIndexDocument switches on S3 website hosting,
  // which changes how S3Origin wires the bucket into the distribution (the reply below explains why).
  const frontendBucket = new s3.Bucket(this, 'TvmFrontendBucket', {
    publicReadAccess: false,
    removalPolicy: cdk.RemovalPolicy.DESTROY,
    websiteIndexDocument: 'index.html',
  });
  const cloudfrontDistribution = new cloudfront.Distribution(this, 'TvmFrontendDistribution', {
    defaultBehavior: {
      origin: new origins.S3Origin(frontendBucket),
      viewerProtocolPolicy: ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
    },
    priceClass: PriceClass.PRICE_CLASS_100,
  });
CloudFormation template generated:
  TvmFrontendBucket18442A50:
    Type: AWS::S3::Bucket
    Properties:
      WebsiteConfiguration:
        IndexDocument: index.html
    UpdateReplacePolicy: Delete
    DeletionPolicy: Delete
    Metadata:
      aws:cdk:path: TvmFrontendStack/TvmFrontendBucket/Resource
  TvmFrontendDistributionB85B3A99:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        DefaultCacheBehavior:
          CachePolicyId: 658327ea-f89d-4fab-a63d-7e88639e58f6
          Compress: true
          TargetOriginId: TvmFrontendStackTvmFrontendDistributionOrigin17DD10F8D
          ViewerProtocolPolicy: redirect-to-https
        Enabled: true
        HttpVersion: http2
        IPV6Enabled: true
        Origins:
          - CustomOriginConfig:
              OriginProtocolPolicy: http-only
              OriginSSLProtocols:
                - TLSv1.2
            DomainName:
              Fn::Select:
                - 2
                - Fn::Split:
                    - /
                    - Fn::GetAtt:
                        - TvmFrontendBucket18442A50
                        - WebsiteURL
            Id: TvmFrontendStackTvmFrontendDistributionOrigin17DD10F8D
        PriceClass: PriceClass_100
    Metadata:
      aws:cdk:path: TvmFrontendStack/TvmFrontendDistribution/Resource
What did you expect to happen?
I expected to get an S3 bucket, with a bucket policy granting access to the OAI attached to the Distribution origin.
What actually happened?
I got an S3 bucket and a Distribution origin, but the Distribution origin is not allowed to see the contents of the bucket and when I go to the Distribution URL, I get a 403 Forbidden page.
Environment
- CDK CLI Version: 1.96.0
- Framework Version: 1.96.0
- Node.js Version: 14.15.4
- OS: Windows 10
- Language (Version): TypeScript (3.9.7)
Other
This is a 🐛 Bug Report
Hi @ebosveld,

The S3Origin class treats buckets differently when they are configured for website hosting. Per the docs:

I guess what might not be obviously clear there is the implication of “configured to use the bucket as an HTTP server origin”. Origin access identities are only valid for S3 origins, not HTTP origins. If your bucket is configured for website hosting (i.e., has a websiteIndexDocument) the implication is that it is intended to be directly accessible and doesn’t need specific bucket policies to be accessed.

What I’d do in your situation is change your code to this:

This still means going to the root of the distribution will load index.html from the bucket, and will treat the bucket as a bucket (rather than HTTP origin), meaning an OAI and bucket policy will be created.

It would be great if the clarification above that setting websiteIndexDocument is what toggles isWebsite True/False could be added to the docs because the docs imply that isWebsite is a parameter to be set.
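As an added example (not code from the issue or from the CDK project), a small TypeScript lint that reads a synthesized CloudFormation template and flags the situation in this issue: an origin whose DomainName is built from the bucket's WebsiteURL, which CloudFront treats as an HTTP origin and which therefore cannot carry an OAI. The first template literal is a constructed, trimmed copy of the one above; the second is an assumed shape of the fixed output (S3OriginConfig with an OAI plus a bucket policy), not taken from the page.

```typescript
// Minimal shapes of the template parts the check reads.
type Origin = { Id: string; DomainName: unknown; CustomOriginConfig?: unknown; S3OriginConfig?: { OriginAccessIdentity?: unknown } };
type Template = { Resources: Record<string, { Type: string; Properties?: any }> };
type Kind = 'website-endpoint' | 's3-no-oai' | 's3-oai-no-bucket-policy' | 'ok';
type Finding = { distribution: string; originId: string; kind: Kind };
// True when DomainName derives from Fn::GetAtt [bucket, WebsiteURL] or is a literal s3-website host: the website endpoint, an HTTP origin.
function refsWebsiteUrl(v: unknown): boolean {
  if (Array.isArray(v)) return v.some(refsWebsiteUrl);
  if (v && typeof v === 'object') {
    const o = v as Record<string, unknown>, getAtt = o['Fn::GetAtt'];
    if (Array.isArray(getAtt) && getAtt[1] === 'WebsiteURL') return true;
    return Object.keys(o).some(k => refsWebsiteUrl(o[k]));
  }
  return typeof v === 'string' && v.indexOf('.s3-website') !== -1;
}
// Classify each origin: a website-endpoint origin cannot carry an OAI (bucket must be public); an S3 origin needs an OAI and a bucket policy.
function auditOrigins(t: Template): Finding[] {
  const names = Object.keys(t.Resources);
  const hasBucketPolicy = names.some(n => t.Resources[n].Type === 'AWS::S3::BucketPolicy');
  const out: Finding[] = [];
  for (const name of names) {
    const r = t.Resources[name];
    if (r.Type !== 'AWS::CloudFront::Distribution') continue;
    for (const o of (r.Properties?.DistributionConfig?.Origins ?? []) as Origin[]) {
      let kind: Kind = 'ok';
      if (o.CustomOriginConfig && refsWebsiteUrl(o.DomainName)) kind = 'website-endpoint';
      else if (o.S3OriginConfig && !o.S3OriginConfig.OriginAccessIdentity) kind = 's3-no-oai';
      else if (o.S3OriginConfig && !hasBucketPolicy) kind = 's3-oai-no-bucket-policy';
      out.push({ distribution: name, originId: o.Id, kind });
    }
  }
  return out;
}
// Constructed input, trimmed from the template in the issue: the origin built from WebsiteURL.
const websiteTemplate: Template = { Resources: {
  TvmFrontendBucket18442A50: { Type: 'AWS::S3::Bucket', Properties: { WebsiteConfiguration: { IndexDocument: 'index.html' } } },
  TvmFrontendDistributionB85B3A99: { Type: 'AWS::CloudFront::Distribution', Properties: { DistributionConfig: { Origins: [{
    Id: 'Origin1', CustomOriginConfig: { OriginProtocolPolicy: 'http-only' },
    DomainName: { 'Fn::Select': [2, { 'Fn::Split': ['/', { 'Fn::GetAtt': ['TvmFrontendBucket18442A50', 'WebsiteURL'] }] }] },
  }] } } } } };
// Constructed (assumed, not from the issue) shape of the fixed output: S3OriginConfig with an OAI and a bucket policy.
const oaiTemplate: Template = { Resources: {
  Bucket: { Type: 'AWS::S3::Bucket' },
  BucketPolicy: { Type: 'AWS::S3::BucketPolicy', Properties: { Bucket: { Ref: 'Bucket' } } },
  Oai: { Type: 'AWS::CloudFront::CloudFrontOriginAccessIdentity' },
  Dist: { Type: 'AWS::CloudFront::Distribution', Properties: { DistributionConfig: { Origins: [{
    Id: 'Origin1', DomainName: { 'Fn::GetAtt': ['Bucket', 'RegionalDomainName'] },
    S3OriginConfig: { OriginAccessIdentity: { 'Fn::Join': ['', ['origin-access-identity/cloudfront/', { Ref: 'Oai' }]] } },
  }] } } } } };
```

Running auditOrigins over the template from the issue yields a single 'website-endpoint' finding for TvmFrontendDistributionB85B3A99, which is the configuration behind the 403 described above.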