From 84edad88009521d5943246ec0effbf3a7df5e518 Mon Sep 17 00:00:00 2001
From: Pat Myron
Date: Tue, 22 Feb 2022 15:17:41 -0800
Subject: [PATCH] chore(cloudfront): encryption on distribution s3 loggingBucket

https://github.com/aws/aws-cdk/pull/18264 got reverted in: https://github.com/aws/aws-cdk/pull/18772 because of the BucketPolicy, re-submitting the non-BucketPolicy half of that PR
---
 packages/@aws-cdk/aws-cloudfront/lib/distribution.ts | 4 +++-
 .../@aws-cdk/aws-cloudfront/lib/web-distribution.ts | 4 +++-
 .../integ.cloudfront-bucket-logging.expected.json | 11 +++++++++++
 .../test/integ.distribution-extensive.expected.json | 11 +++++++++++
 4 files changed, 28 insertions(+), 2 deletions(-)

diff --git a/packages/@aws-cdk/aws-cloudfront/lib/distribution.ts b/packages/@aws-cdk/aws-cloudfront/lib/distribution.ts
index bd9fb1cb50202..b88144d0a7c54 100644
--- a/packages/@aws-cdk/aws-cloudfront/lib/distribution.ts
+++ b/packages/@aws-cdk/aws-cloudfront/lib/distribution.ts
@@ -430,7 +430,9 @@ export class Distribution extends Resource implements IDistribution {
 throw new Error('Explicitly disabled logging but provided a logging bucket.');
 }
 
- const bucket = props.logBucket ?? new s3.Bucket(this, 'LoggingBucket');
+ const bucket = props.logBucket ?? new s3.Bucket(this, 'LoggingBucket', {
+ encryption: s3.BucketEncryption.S3_MANAGED,
+ });
 return {
 bucket: bucket.bucketRegionalDomainName,
 includeCookies: props.logIncludesCookies,
diff --git a/packages/@aws-cdk/aws-cloudfront/lib/web-distribution.ts b/packages/@aws-cdk/aws-cloudfront/lib/web-distribution.ts
index c0a332a2e1b89..5b4e785cc21a7 100644
--- a/packages/@aws-cdk/aws-cloudfront/lib/web-distribution.ts
+++ b/packages/@aws-cdk/aws-cloudfront/lib/web-distribution.ts
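Review bot: The new `encryption: s3.BucketEncryption.S3_MANAGED` on the default `LoggingBucket` carries no comment saying why SSE-S3 was chosen over a KMS key, and the same unexplained choice appears in the web-distribution.ts hunk. As far as I know CloudFront standard log delivery cannot write into a bucket whose default encryption is SSE-KMS, which is presumably the reason for `S3_MANAGED`; if so, a why-comment such as `// SSE-S3 rather than SSE-KMS: CloudFront log delivery cannot write to a KMS-encrypted bucket` above the `new s3.Bucket(...)` would stop a later maintainer from "upgrading" it to `KMS_MANAGED` and silently breaking log delivery. The `logBucket` prop's doc comment (outside this hunk) likely still says only that a bucket is created when none is supplied; it should now state that the auto-created bucket uses S3-managed encryption and that a caller-supplied bucket's encryption remains the caller's responsibility. The enclosing method continues outside the hunk.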
@@ -954,7 +954,9 @@ export class CloudFrontWebDistribution extends cdk.Resource implements IDistribu
 }
 
 if (props.loggingConfig) {
- this.loggingBucket = props.loggingConfig.bucket || new s3.Bucket(this, 'LoggingBucket');
+ this.loggingBucket = props.loggingConfig.bucket || new s3.Bucket(this, 'LoggingBucket', {
+ encryption: s3.BucketEncryption.S3_MANAGED,
+ });
 distributionConfig = {
 ...distributionConfig,
 logging: {
diff --git a/packages/@aws-cdk/aws-cloudfront/test/integ.cloudfront-bucket-logging.expected.json b/packages/@aws-cdk/aws-cloudfront/test/integ.cloudfront-bucket-logging.expected.json
index 36a334898a57f..5bdfba44e3ae1 100644
--- a/packages/@aws-cdk/aws-cloudfront/test/integ.cloudfront-bucket-logging.expected.json
+++ b/packages/@aws-cdk/aws-cloudfront/test/integ.cloudfront-bucket-logging.expected.json
@@ -75,6 +75,17 @@
 },
 "AnAmazingWebsiteProbably2LoggingBucket222F7CE9": {
 "Type": "AWS::S3::Bucket",
+ "Properties": {
+ "BucketEncryption": {
+ "ServerSideEncryptionConfiguration": [
+ {
+ "ServerSideEncryptionByDefault": {
+ "SSEAlgorithm": "AES256"
+ }
+ }
+ ]
+ }
+ },
 "UpdateReplacePolicy": "Retain",
 "DeletionPolicy": "Retain"
 },
diff --git a/packages/@aws-cdk/aws-cloudfront/test/integ.distribution-extensive.expected.json b/packages/@aws-cdk/aws-cloudfront/test/integ.distribution-extensive.expected.json
index 4ddd5ddb8d373..fb0c6b3543bd0 100644
--- a/packages/@aws-cdk/aws-cloudfront/test/integ.distribution-extensive.expected.json
+++ b/packages/@aws-cdk/aws-cloudfront/test/integ.distribution-extensive.expected.json
@@ -2,6 +2,17 @@
 "Resources": {
 "MyDistLoggingBucket9B8976BC": {
 "Type": "AWS::S3::Bucket",
+ "Properties": {
+ "BucketEncryption": {
+ "ServerSideEncryptionConfiguration": [
+ {
+ "ServerSideEncryptionByDefault": {
+ "SSEAlgorithm": "AES256"
+ }
+ }
+ ]
+ }
+ },
 "UpdateReplacePolicy": "Retain",
 "DeletionPolicy": "Retain"
 },
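Review bot: The rewritten assignment keeps `props.loggingConfig.bucket || new s3.Bucket(...)` while the parallel change in distribution.ts in this same patch uses `??`; since the fallback is only meant to cover an absent bucket, `??` states that intent and keeps the two constructs consistent: `this.loggingBucket = props.loggingConfig.bucket ?? new s3.Bucket(this, 'LoggingBucket', {`. For an `IBucket` object the two operators behave the same, so this is a style point only. The enclosing constructor starts and ends outside the hunk; the two expected.json hunks that follow are snapshot updates matching this change and need no separate review.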