{ "Description": "Integration Test for aws-cloudfront-s3", "Resources": { "testcloudfronts3nosecurityheadersS3LoggingBucketF644B35F": { "Type": "AWS::S3::Bucket", "Properties": { "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256" } } ] }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", "Value": "true" } ], "VersioningConfiguration": { "Status": "Enabled" } }, "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete", "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W35", "reason": "This S3 bucket is used as the access logging bucket for another bucket" } ] } } }, "testcloudfronts3nosecurityheadersS3LoggingBucketPolicy264DE8B6": { "Type": "AWS::S3::BucketPolicy", "Properties": { "Bucket": { "Ref": "testcloudfronts3nosecurityheadersS3LoggingBucketF644B35F" }, "PolicyDocument": { "Statement": [ { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": "false" } }, "Effect": "Deny", "Principal": { "AWS": "*" }, "Resource": [ { "Fn::GetAtt": [ "testcloudfronts3nosecurityheadersS3LoggingBucketF644B35F", "Arn" ] }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "testcloudfronts3nosecurityheadersS3LoggingBucketF644B35F", "Arn" ] }, "/*" ] ] } ] }, { "Action": [ "s3:DeleteObject*", "s3:GetBucket*", "s3:List*", "s3:PutBucketPolicy" ], "Effect": "Allow", "Principal": { "AWS": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn" ] } }, "Resource": [ { "Fn::GetAtt": [ "testcloudfronts3nosecurityheadersS3LoggingBucketF644B35F", "Arn" ] }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "testcloudfronts3nosecurityheadersS3LoggingBucketF644B35F", "Arn" ] }, "/*" ] ] } ] }, { "Action": "s3:PutObject", "Condition": { "ArnLike": { "aws:SourceArn": { "Fn::GetAtt": [ "testcloudfronts3nosecurityheadersS3Bucket4D06173D", "Arn" ] } }, "StringEquals": { "aws:SourceAccount": { "Ref": "AWS::AccountId" } } }, "Effect": "Allow", "Principal": { "Service": "logging.s3.amazonaws.com" }, "Resource": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "testcloudfronts3nosecurityheadersS3LoggingBucketF644B35F", "Arn" ] }, "/*" ] ] } } ], "Version": "2012-10-17" } } }, "testcloudfronts3nosecurityheadersS3LoggingBucketAutoDeleteObjectsCustomResourceB6D397D3": { "Type": "Custom::S3AutoDeleteObjects", "Properties": { "ServiceToken": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", "Arn" ] }, "BucketName": { "Ref": "testcloudfronts3nosecurityheadersS3LoggingBucketF644B35F" } }, "DependsOn": [ "testcloudfronts3nosecurityheadersS3LoggingBucketPolicy264DE8B6" ], "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete" }, "testcloudfronts3nosecurityheadersS3Bucket4D06173D": { "Type": "AWS::S3::Bucket", "Properties": { "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256" } } ] }, "LifecycleConfiguration": { "Rules": [ { "NoncurrentVersionTransitions": [ { "StorageClass": "GLACIER", "TransitionInDays": 90 } ], "Status": "Enabled" } ] }, "LoggingConfiguration": { "DestinationBucketName": { "Ref": "testcloudfronts3nosecurityheadersS3LoggingBucketF644B35F" } }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", "Value": "true" } ], "VersioningConfiguration": { "Status": "Enabled" } }, "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete" }, "testcloudfronts3nosecurityheadersS3BucketPolicy99D27ED1": { "Type": "AWS::S3::BucketPolicy", "Properties": { "Bucket": { "Ref": "testcloudfronts3nosecurityheadersS3Bucket4D06173D" }, "PolicyDocument": { "Statement": [ { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": "false" } }, "Effect": "Deny", "Principal": { "AWS": "*" }, "Resource": [ { "Fn::GetAtt": [ "testcloudfronts3nosecurityheadersS3Bucket4D06173D", "Arn" ] }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "testcloudfronts3nosecurityheadersS3Bucket4D06173D", "Arn" ] }, "/*" ] ] } ] }, { "Action": [ "s3:DeleteObject*", "s3:GetBucket*", "s3:List*", "s3:PutBucketPolicy" ], "Effect": "Allow", "Principal": { "AWS": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn" ] } }, "Resource": [ { "Fn::GetAtt": [ "testcloudfronts3nosecurityheadersS3Bucket4D06173D", "Arn" ] }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "testcloudfronts3nosecurityheadersS3Bucket4D06173D", "Arn" ] }, "/*" ] ] } ] }, { "Action": "s3:GetObject", "Condition": { "StringEquals": { "AWS:SourceArn": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":cloudfront::", { "Ref": "AWS::AccountId" }, ":distribution/", { "Ref": "testcloudfronts3nosecurityheadersCloudFrontDistribution3BC8CDED" } ] ] } } }, "Effect": "Allow", "Principal": { "Service": "cloudfront.amazonaws.com" }, "Resource": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "testcloudfronts3nosecurityheadersS3Bucket4D06173D", "Arn" ] }, "/*" ] ] } }, { "Action": "s3:ListBucket", "Condition": { "StringEquals": { "AWS:SourceArn": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":cloudfront::", { "Ref": "AWS::AccountId" }, ":distribution/", { "Ref": "testcloudfronts3nosecurityheadersCloudFrontDistribution3BC8CDED" } ] ] } } }, "Effect": "Allow", "Principal": { "Service": "cloudfront.amazonaws.com" }, "Resource": { "Fn::GetAtt": [ "testcloudfronts3nosecurityheadersS3Bucket4D06173D", "Arn" ] } } ], "Version": "2012-10-17" } }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "F16", "reason": "Public website bucket policy requires a wildcard principal" } ] } } }, "testcloudfronts3nosecurityheadersS3BucketAutoDeleteObjectsCustomResource7011F955": { "Type": "Custom::S3AutoDeleteObjects", "Properties": { "ServiceToken": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", "Arn" ] }, "BucketName": { "Ref": "testcloudfronts3nosecurityheadersS3Bucket4D06173D" } }, "DependsOn": [ "testcloudfronts3nosecurityheadersS3BucketPolicy99D27ED1" ], "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete" }, "testcloudfronts3nosecurityheadersCloudfrontLoggingBucketAccessLogA3FF51B1": { "Type": "AWS::S3::Bucket", "Properties": { "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256" } } ] }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", "Value": "true" } ], "VersioningConfiguration": { "Status": "Enabled" } }, "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete", "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W35", "reason": "This S3 bucket is used as the access logging bucket for another bucket" } ] } } }, "testcloudfronts3nosecurityheadersCloudfrontLoggingBucketAccessLogPolicy3DF5F522": { "Type": "AWS::S3::BucketPolicy", "Properties": { "Bucket": { "Ref": "testcloudfronts3nosecurityheadersCloudfrontLoggingBucketAccessLogA3FF51B1" }, "PolicyDocument": { "Statement": [ { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": "false" } }, "Effect": "Deny", "Principal": { "AWS": "*" }, "Resource": [ { "Fn::GetAtt": [ "testcloudfronts3nosecurityheadersCloudfrontLoggingBucketAccessLogA3FF51B1", "Arn" ] }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "testcloudfronts3nosecurityheadersCloudfrontLoggingBucketAccessLogA3FF51B1", "Arn" ] }, "/*" ] ] } ] }, { "Action": [ "s3:DeleteObject*", "s3:GetBucket*", "s3:List*", "s3:PutBucketPolicy" ], "Effect": "Allow", "Principal": { "AWS": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn" ] } }, "Resource": [ { "Fn::GetAtt": [ "testcloudfronts3nosecurityheadersCloudfrontLoggingBucketAccessLogA3FF51B1", "Arn" ] }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "testcloudfronts3nosecurityheadersCloudfrontLoggingBucketAccessLogA3FF51B1", "Arn" ] }, "/*" ] ] } ] }, { "Action": "s3:PutObject", "Condition": { "ArnLike": { "aws:SourceArn": { "Fn::GetAtt": [ "testcloudfronts3nosecurityheadersCloudfrontLoggingBucket92A5E2A5", "Arn" ] } }, "StringEquals": { "aws:SourceAccount": { "Ref": "AWS::AccountId" } } }, "Effect": "Allow", "Principal": { "Service": "logging.s3.amazonaws.com" }, "Resource": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "testcloudfronts3nosecurityheadersCloudfrontLoggingBucketAccessLogA3FF51B1", "Arn" ] }, "/*" ] ] } } ], "Version": "2012-10-17" } } }, "testcloudfronts3nosecurityheadersCloudfrontLoggingBucketAccessLogAutoDeleteObjectsCustomResource20738403": { "Type": "Custom::S3AutoDeleteObjects", "Properties": { "ServiceToken": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", "Arn" ] }, "BucketName": { "Ref": "testcloudfronts3nosecurityheadersCloudfrontLoggingBucketAccessLogA3FF51B1" } }, "DependsOn": [ "testcloudfronts3nosecurityheadersCloudfrontLoggingBucketAccessLogPolicy3DF5F522" ], "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete" }, "testcloudfronts3nosecurityheadersCloudfrontLoggingBucket92A5E2A5": { "Type": "AWS::S3::Bucket", "Properties": { "AccessControl": "LogDeliveryWrite", "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256" } } ] }, "LoggingConfiguration": { "DestinationBucketName": { "Ref": "testcloudfronts3nosecurityheadersCloudfrontLoggingBucketAccessLogA3FF51B1" } }, "OwnershipControls": { "Rules": [ { "ObjectOwnership": "ObjectWriter" } ] }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", "Value": "true" } ], "VersioningConfiguration": { "Status": "Enabled" } }, "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete" }, "testcloudfronts3nosecurityheadersCloudfrontLoggingBucketPolicy7D709982": { "Type": "AWS::S3::BucketPolicy", "Properties": { "Bucket": { "Ref": "testcloudfronts3nosecurityheadersCloudfrontLoggingBucket92A5E2A5" }, "PolicyDocument": { "Statement": [ { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": "false" } }, "Effect": "Deny", "Principal": { "AWS": "*" }, "Resource": [ { "Fn::GetAtt": [ "testcloudfronts3nosecurityheadersCloudfrontLoggingBucket92A5E2A5", "Arn" ] }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "testcloudfronts3nosecurityheadersCloudfrontLoggingBucket92A5E2A5", "Arn" ] }, "/*" ] ] } ] }, { "Action": [ "s3:DeleteObject*", "s3:GetBucket*", "s3:List*", "s3:PutBucketPolicy" ], "Effect": "Allow", "Principal": { "AWS": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn" ] } }, "Resource": [ { "Fn::GetAtt": [ "testcloudfronts3nosecurityheadersCloudfrontLoggingBucket92A5E2A5", "Arn" ] }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "testcloudfronts3nosecurityheadersCloudfrontLoggingBucket92A5E2A5", "Arn" ] }, "/*" ] ] } ] } ], "Version": "2012-10-17" } } }, "testcloudfronts3nosecurityheadersCloudfrontLoggingBucketAutoDeleteObjectsCustomResource5BEC5CA0": { "Type": "Custom::S3AutoDeleteObjects", "Properties": { "ServiceToken": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", "Arn" ] }, "BucketName": { "Ref": "testcloudfronts3nosecurityheadersCloudfrontLoggingBucket92A5E2A5" } }, "DependsOn": [ "testcloudfronts3nosecurityheadersCloudfrontLoggingBucketPolicy7D709982" ], "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete" }, "testcloudfronts3nosecurityheadersCloudFrontOac7954FB73": { "Type": "AWS::CloudFront::OriginAccessControl", "Properties": { "OriginAccessControlConfig": { "Description": "Origin access control provisioned by aws-cloudfront-s3", "Name": { "Fn::Join": [ "", [ "aws-cloudfront-s3-testaders-", { "Fn::Select": [ 2, { "Fn::Split": [ "/", { "Ref": "AWS::StackId" } ] } ] } ] ] }, "OriginAccessControlOriginType": "s3", "SigningBehavior": "always", "SigningProtocol": "sigv4" } } }, "testcloudfronts3nosecurityheadersCloudFrontDistribution3BC8CDED": { "Type": "AWS::CloudFront::Distribution", "Properties": { "DistributionConfig": { "DefaultCacheBehavior": { "CachePolicyId": "658327ea-f89d-4fab-a63d-7e88639e58f6", "Compress": true, "TargetOriginId": "cfts3nosecurityheaderstestcloudfronts3nosecurityheadersCloudFrontDistributionOrigin1A0125E27", "ViewerProtocolPolicy": "redirect-to-https" }, "DefaultRootObject": "index.html", "Enabled": true, "HttpVersion": "http2", "IPV6Enabled": true, "Logging": { "Bucket": { "Fn::GetAtt": [ "testcloudfronts3nosecurityheadersCloudfrontLoggingBucket92A5E2A5", "RegionalDomainName" ] } }, "Origins": [ { "DomainName": { "Fn::GetAtt": [ "testcloudfronts3nosecurityheadersS3Bucket4D06173D", "RegionalDomainName" ] }, "Id": "cfts3nosecurityheaderstestcloudfronts3nosecurityheadersCloudFrontDistributionOrigin1A0125E27", "OriginAccessControlId": { "Fn::GetAtt": [ "testcloudfronts3nosecurityheadersCloudFrontOac7954FB73", "Id" ] }, "S3OriginConfig": { "OriginAccessIdentity": "" } } ] } }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W70", "reason": "Since the distribution uses the CloudFront domain name, CloudFront automatically sets the security policy to TLSv1 regardless of the value of MinimumProtocolVersion" } ] } } }, "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" } } ] }, "ManagedPolicyArns": [ { "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" } ] } }, "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F": { "Type": "AWS::Lambda::Function", "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" }, "S3Key": "faa95a81ae7d7373f3e1f242268f904eb748d8d0fdd306e8a6fe515a1905a7d6.zip" }, "Timeout": 900, "MemorySize": 128, "Handler": "index.handler", "Role": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn" ] }, "Runtime": "nodejs22.x", "Description": { "Fn::Join": [ "", [ "Lambda function for auto-deleting objects in ", { "Ref": "testcloudfronts3nosecurityheadersS3LoggingBucketF644B35F" }, " S3 bucket." ] ] } }, "DependsOn": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W58", "reason": "CDK generated custom resource" }, { "id": "W89", "reason": "CDK generated custom resource" }, { "id": "W92", "reason": "CDK generated custom resource" } ] } } } }, "Parameters": { "BootstrapVersion": { "Type": "AWS::SSM::Parameter::Value", "Default": "/cdk-bootstrap/hnb659fds/version", "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" } }, "Rules": { "CheckBootstrapVersion": { "Assertions": [ { "Assert": { "Fn::Not": [ { "Fn::Contains": [ [ "1", "2", "3", "4", "5" ], { "Ref": "BootstrapVersion" } ] } ] }, "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." } ] } } }