[BUG] (compliance_log_bucket_policy doesn't allow CloudFront to put access logs)

[mishdane]

Describe the bug

compliance_log_bucket_policy (see below link) doesn't allow CloudFront to put access logs. Hence, can't use wrapper provided compliance bucket with CloudFront access logging.
https://github.com/cdklabs/cdk-cicd-wrapper/blob/main/packages/%40cdklabs/cdk-cicd-wrapper/src/stacks/compliance-bucket/lambda-functions/compliance_log_bucket_policy.py

Expected Behavior

update the bucket policy to have ACL for CloudFront to be able to log access logs on compliance bucket

Current Behavior

Resource handler returned message: "Invalid request provided: AWS::CloudFront::Distribution: The S3 bucket that you specified for CloudFront logs does not enable ACL access: compliance-log-xxxxxxx-eu-west-1.s3.eu-west-1.amazonaws.com (Service: CloudFront, Status Code: 400, Request ID:

Reproduction Steps

Just pass complaince bucket to CloudFront construct and use for access log.
e.g.

import * as cdk from 'aws-cdk-lib';
import * as acm from 'aws-cdk-lib/aws-certificatemanager';
import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';
import { S3Origin } from 'aws-cdk-lib/aws-cloudfront-origins';
import * as iam from 'aws-cdk-lib/aws-iam';
import { IBucket, CfnBucket } from 'aws-cdk-lib/aws-s3';
import * as shield from 'aws-cdk-lib/aws-shield';
import * as ssm from 'aws-cdk-lib/aws-ssm';
import * as nag from 'cdk-nag';
import { Construct } from 'constructs';

interface Props {
domainNames?: string[];
webAclArn: string;
certificate?: acm.ICertificate;
staticContentBucket: IBucket;
logBucket?: IBucket;
applicationName: string;
stageName: string;
defaultRootObject?: string;
}

export class CloudFrontConstruct extends Construct {
readonly distribution: cloudfront.Distribution;
readonly staticSourceBucket: IBucket;

constructor(scope: Construct, id: string, props: Props) {
super(scope, id);

if (props.domainNames == undefined && props.certificate) {
  throw new Error(
    'Custom certificate is provided but not custom domain name.',
  );
}

if (props.certificate == undefined && props.domainNames) {
  throw new Error(
    'Custom domain name is provided but not custom certificate.',
  );
}

const originAccessIdentity = new cloudfront.OriginAccessIdentity(
  this,
  'OriginAccessIdentity',
  {
    comment: `${props.applicationName}${props.stageName}OriginAccessIdentity`,
  },
);

this.staticSourceBucket = props.staticContentBucket;
this.staticSourceBucket.grantRead(originAccessIdentity);

this.distribution = new cloudfront.Distribution(this, 'CloudFront', {
  defaultBehavior: {
    origin: new S3Origin(this.staticSourceBucket, { originAccessIdentity }),
    viewerProtocolPolicy: cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
  },
  domainNames: props.domainNames,
  certificate: props.certificate,
  webAclId: props.webAclArn,
  defaultRootObject: props.defaultRootObject ?? 'index.html',
  minimumProtocolVersion: cloudfront.SecurityPolicyProtocol.TLS_V1_2_2021,
  comment: `${props.applicationName}${props.stageName}Distribution`,
  enableLogging: props.logBucket != undefined,
  sslSupportMethod: cloudfront.SSLMethod.SNI,
  logBucket: props.logBucket,
  errorResponses: [
    {
      httpStatus: 404,
      responseHttpStatus: 404,
      responsePagePath: '/index.html',
      ttl: cdk.Duration.minutes(30),
    },
    {
      httpStatus: 403,
      responseHttpStatus: 403,
      responsePagePath: '/index.html',
      ttl: cdk.Duration.minutes(30),
    },
    {
      httpStatus: 500,
      responseHttpStatus: 500,
      responsePagePath: '/index.html',
      ttl: cdk.Duration.minutes(30),
    },
  ],
});

if (props.logBucket) {
  props.logBucket.addToResourcePolicy(new iam.PolicyStatement({
    effect: iam.Effect.ALLOW,
    principals: [new iam.ServicePrincipal('cloudfront.amazonaws.com')],
    actions: ['s3:PutObject'],
    resources: [`${props.logBucket.bucketArn}/*`],
    conditions: {
      StringEquals: {
        'aws:SecureTransport': 'true',
        's3:x-amz-server-side-encryption': 'AES256',
        'AWS:SourceArn': `arn:aws:cloudfront::${cdk.Aws.ACCOUNT_ID}:distribution/${this.distribution.distributionId}`,
      },
    },
  }));
}

new ssm.StringParameter(this, 'CloudFrontDomainId', {
  parameterName: `/${props.applicationName}/${props.stageName}/SiteCloudFrontDomainId`,
  stringValue: this.distribution.distributionId,
});

new ssm.StringParameter(this, 'CloudFrontDomainName', {
  parameterName: `/${props.applicationName}/${props.stageName}/SiteCloudFrontDomainName`,
  stringValue: this.distribution.domainName,
});

// Attach AWS Shield Advanced for DDoS protection
new shield.CfnProtection(this, 'DDoSProtection', {
  name: 'DDoSProtection',
  resourceArn: this.getDistributionArn(),
});

nag.NagSuppressions.addResourceSuppressions(
  this.distribution,
  [
    ...(props.certificate
      ? []
      : [
        {
          id: 'AwsSolutions-CFR4',
          reason: 'CloudFront distribution is not using custom cert',
        },
      ]),
    {
      id: 'AwsSolutions-CFR1',
      reason: 'CloudFront distribution is not limited by Geo',
    },
  ],
  true,
);

}

private getDistributionArn(): string {
return arn:aws:cloudfront::${cdk.Aws.ACCOUNT_ID}:distribution/${this.distribution.distributionId};
}
}

Possible Solution

Add this to bucket policy =>
{
"Sid": "CloudFrontLogDeliveryPolicy",
"Effect": "Allow",
"Principal": {
"Service": "cloudfront.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::compliance-log-211826912675-eu-west-1/",
"Condition": {
"StringEquals": {
"AWS:SourceArn": "arn:aws:cloudfront::211826912675:distribution/",
"aws:SecureTransport": "true",
"s3:x-amz-server-side-encryption": "AES256"
}
}
},

Additional Information/Context

Ignore this if compliance bucket is not supposed to be used for CLOUDFRONT access logs.

CDK CI/CD Wrapper version used

0.0.12

Environment details (OS name and version, etc.)

MacOS Sonoma 14.5