
feat(cloudfront-origins): list access level for 404 response #32059

Open: wants to merge 10 commits into main

Conversation

Tietew (Contributor) commented Nov 8, 2024

Issue # (if applicable)

Closes #13983.
Closes #31689.

Reason for this change

When we want to receive an HTTP 404 response when the requested object does not exist,
the s3:ListBucket permission is needed in the S3 bucket policy.

Unlike using errorResponses to convert a 403 response to 404, this is useful to distinguish between responses blocked by WAF (403) and responses where the file does not exist (404).

Description of changes

Added a new AccessLevel.LIST to allow s3:ListBucket.

Description of how you validated changes

Unit test and integration test. The integ test also tests the response is 404.

Checklist


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@github-actions github-actions bot added the admired-contributor [Pilot] contributed between 13-24 PRs to the CDK label Nov 8, 2024
@aws-cdk-automation aws-cdk-automation requested a review from a team November 8, 2024 04:24
@github-actions github-actions bot added effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2 labels Nov 8, 2024
@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Nov 8, 2024
Comment on lines 170 to 172
if (actions.some(({ bucketArn }) => bucketArn)) {
resources.push(this.bucket.bucketArn);
}
Contributor:

Can you explain this part please?

Contributor Author:

The s3:ListBucket action requires the bucket ARN in resources (instead of the object ARN required by s3:GetObject etc.).
See https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html

Contributor Author:

When READ and LIST are specified, actions will be [{ action: 's3:GetObject' }, { action: 's3:ListBucket', bucketArn: true }].
The if condition returns whether actions has one or more elements with a truthy bucketArn prop, so the result will be true. Then the bucketArn will be pushed to resources.

The reason the object ARN (arnForObjects('*')) is always in resources is that the LIST permission should be used with READ in most cases.
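As an added illustration of the resource logic discussed in this thread and in the PR description (example code, not the aws-cdk project's own): it derives the origin's bucket-policy actions and resources from the requested access levels, adding the bucket ARN only when an action is flagged bucketArn. Function names, the sample ARN and the reduced two-member enum are assumptions.

```typescript
// Added example (not the aws-cdk PR's code): models how the origin's bucket
// policy statement is derived from the requested access levels. Names such as
// buildOriginPolicyStatement, listingExposedAtRoot and the sample ARNs are
// assumptions; only READ and LIST of the real AccessLevel enum are modelled.
enum AccessLevel {
  READ = 'READ',
  LIST = 'LIST',
}

interface S3Action {
  action: string;
  bucketArn?: boolean; // true: evaluated against the bucket ARN, not object ARNs
}

interface PolicyStatement {
  actions: string[];
  resources: string[];
}

const ACTIONS_BY_LEVEL: Record<AccessLevel, S3Action[]> = {
  [AccessLevel.READ]: [{ action: 's3:GetObject' }],
  [AccessLevel.LIST]: [{ action: 's3:ListBucket', bucketArn: true }],
};

function buildOriginPolicyStatement(bucket: { bucketArn: string }, levels: AccessLevel[]): PolicyStatement {
  const actions: S3Action[] = [];
  for (const level of levels) {
    actions.push(...ACTIONS_BY_LEVEL[level]);
  }
  // The object ARN (arnForObjects('*')) is always present: CloudFront still has
  // to GET objects, which is why LIST is normally combined with READ.
  const resources = [`${bucket.bucketArn}/*`];
  // s3:ListBucket is authorised against the bucket ARN itself, so add it only
  // when some requested action is flagged bucketArn.
  if (actions.some(({ bucketArn }) => bucketArn)) {
    resources.push(bucket.bucketArn);
  }
  return { actions: actions.map((a) => a.action), resources };
}

// True when the root path would answer with an object-key listing: LIST is
// granted and the distribution sets no defaultRootObject. This is the case
// the thread below proposes a warning annotation for.
function listingExposedAtRoot(levels: AccessLevel[], defaultRootObject?: string): boolean {
  return levels.includes(AccessLevel.LIST) && !defaultRootObject;
}
```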

Contributor Author:

Updated names to be more descriptive.

Comment on lines 363 to 364
It is highly recommended to specify `defaultRootObject` distribution property.
Without it, the root path `https://xxxx.cloudfront.net/` will return the list of the S3 object keys.
@gracelu0 (Contributor) Nov 19, 2024:

Hmm, this raises some concern for me; can we make it so that defaultRootObject MUST be specified when the user adds the LIST permission?

Contributor Author:

Specifying defaultRootObject should not be forced, because origins associated with non-default behaviors do not require it. We can add a warning annotation instead.

For example:

import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';
import * as origins from 'aws-cdk-lib/aws-cloudfront-origins';

// `bucket` is the s3.Bucket holding the static assets, created elsewhere in the stack
new cloudfront.Distribution(this, 'Distribution', {
  defaultBehavior: {
    // the origin server will handle the root path;
    // setting defaultRootObject would break the web application's router
    origin: new origins.HttpOrigin('mywebserver.example.com'),
  },
  additionalBehaviors: {
    // the bucket will not receive requests to the root path
    'assets/*': {
      origin: origins.S3BucketOrigin.withOriginAccessControl(bucket, {
        originAccessLevels: [cloudfront.AccessLevel.READ, cloudfront.AccessLevel.LIST],
      }),
    },
  },
});

@aws-cdk-automation aws-cdk-automation removed the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Nov 19, 2024
@gracelu0 gracelu0 added the needs-security-review Related to feature or issues that needs security review label Nov 19, 2024
Tietew (Contributor Author) commented Nov 19, 2024

@gracelu0 Thank you for your review!
I will add a warning annotation when LIST is specified.

Tietew (Contributor Author) commented Nov 19, 2024

I created an example CDK project.
It creates an S3 bucket and a CloudFront distribution with OAC. The S3 bucket allows the distribution to s3:GetObject and s3:ListBucket.
https://github.com/Tietew/cdk-cloudfront-listbucket-example

The root path returns the list of objects in the bucket:
https://d1s2487zo3mtd6.cloudfront.net/

A missing object returns 404:
https://d1s2487zo3mtd6.cloudfront.net/missing.html

Regular objects return 200 and their contents:
https://d1s2487zo3mtd6.cloudfront.net/folder/index.html
https://d1s2487zo3mtd6.cloudfront.net/non-folder/index.html

A folder created by the S3 console returns 200 and empty content (content-type: application/x-directory):
https://d1s2487zo3mtd6.cloudfront.net/folder/

Without such a folder object, S3 returns 404:
https://d1s2487zo3mtd6.cloudfront.net/non-folder/

@mergify mergify bot dismissed gracelu0’s stale review November 19, 2024 04:18

Pull request has been modified.

@@ -47,6 +47,10 @@ export enum AccessLevel {
* Grants read permissions to CloudFront Distribution
*/
READ = 'READ',
/**
* Grants list permissions to CloudFront Distribution
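Review bot: the doc comment on the new LIST member (`* Grants list permissions to CloudFront Distribution`) should state what granting s3:ListBucket implies for callers: per the review thread on lines 363 to 364, without `defaultRootObject` the root path returns the list of the S3 object keys, and per the earlier thread LIST is meant to be combined with READ because the object ARN is always in resources. Since the README sentence was removed in favor of a warning annotation, this docstring is now the only place a reader picking the enum value sees the caveat; suggest extending it, e.g. `* Grants list permissions to CloudFront Distribution (s3:ListBucket). Set defaultRootObject unless listing the bucket root is intended; normally used together with READ.`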
Contributor Author:

Removed the previous comment in favor of the warning annotation.

codecov bot commented Nov 19, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 77.17%. Comparing base (baa8561) to head (30f5871).
Report is 34 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #32059      +/-   ##
==========================================
- Coverage   77.18%   77.17%   -0.01%     
==========================================
  Files         105      105              
  Lines        7161     7169       +8     
  Branches     1312     1315       +3     
==========================================
+ Hits         5527     5533       +6     
- Misses       1454     1455       +1     
- Partials      180      181       +1     
Flag: suite.unit, coverage 77.17% (-0.01%)

Components: packages/aws-cdk, coverage 77.17% (-0.01%)

@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Nov 19, 2024
aws-cdk-automation (Collaborator):

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 30f5871
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository
