
Amazon CloudFront Origin Access Control L2 Construct #617

Open
11 tasks done
gracelu0 opened this issue May 24, 2024 · 2 comments
Labels
status/done Implementation complete

Comments

@gracelu0
Contributor

gracelu0 commented May 24, 2024

Description

CloudFront Origin Access Control (OAC) is the recommended way to send authenticated requests to an Amazon S3 origin using IAM service principals. It offers better security, supports server-side encryption with AWS KMS, and supports all Amazon S3 buckets in all AWS regions.

Currently the S3Origin construct automatically creates an Origin Access Identity (OAI) to restrict access to an S3 Origin. However, using OAI is now considered legacy and no longer recommended. CDK users who want to use OAC currently have to use the L1 construct CfnOriginAccessControl. They need to use escape hatches to attach the OAC to their CloudFront distribution and remove the OAI that is automatically configured. With a CloudFront OAC L2 construct, users will easily be able to set up their CloudFront origins using OAC instead of OAI.

Roles

Role            User
Author(s)       @gracelu0
API Bar Raiser  @comcalvi

See RFC Process for details

Workflow

  • Tracking issue created (label: status/proposed)
  • API bar raiser assigned (ping us at #aws-cdk-rfcs if needed)
  • Kick off meeting
  • RFC pull request submitted (label: status/review)
  • Community reach out (via Slack and/or Twitter)
  • API signed-off (label status/api-approved applied to pull request)
  • Final comments period (label: status/final-comments-period)
  • Approved and merged (label: status/approved)
  • Execution plan submitted (label: status/planning)
  • Plan approved and merged (label: status/implementing)
  • Implementation complete (label: status/done)

Author is responsible to progress the RFC according to this checklist, and
apply the relevant labels to this issue so that the RFC table in README gets
updated.
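The escape-hatch end state the description above refers to, as an added example that is not part of the RFC or of the CDK code base: the CloudFormation-level objects that attaching an OAC and clearing the auto-created OAI has to produce, written as plain TypeScript without aws-cdk-lib so it runs offline, plus a small audit that walks a bucket policy for leftover OAI principals or an unscoped CloudFront service principal. The names (site-oac, the bucket and distribution ARNs, the sample policy) and the audit helper are illustrative assumptions, not CDK APIs.

```typescript
// Added example, not CDK project code. Plain objects standing in for what the
// L1 escape hatches must synthesize; all names and ARNs below are made up.

type Json = { [key: string]: unknown };

// Legacy OAI principals appear in bucket policies as an IAM user ARN of this shape.
const OAI_PRINCIPAL_RE =
  /^arn:aws:iam::cloudfront:user\/CloudFront Origin Access Identity [A-Z0-9]+$/;

// AWS::CloudFront::OriginAccessControl for an S3 origin. sigv4 + "always" means
// CloudFront signs every origin request, so the bucket can stay fully private.
function oacResource(name: string): Json {
  return {
    Type: "AWS::CloudFront::OriginAccessControl",
    Properties: {
      OriginAccessControlConfig: {
        Name: name,
        OriginAccessControlOriginType: "s3",
        SigningBehavior: "always",
        SigningProtocol: "sigv4",
      },
    },
  };
}

// Distribution origin after the two property overrides the description mentions:
// OriginAccessControlId set, and S3OriginConfig.OriginAccessIdentity cleared to "".
function s3OriginWithOac(bucketDomain: string, oacLogicalId: string): Json {
  return {
    Id: "s3-origin",
    DomainName: bucketDomain,
    OriginAccessControlId: { "Fn::GetAtt": [oacLogicalId, "Id"] },
    S3OriginConfig: { OriginAccessIdentity: "" },
  };
}

// Bucket policy statement OAC relies on: the CloudFront service principal, scoped
// to exactly one distribution through AWS:SourceArn. No OAI user ARN anywhere.
function oacBucketPolicyStatement(bucketArn: string, distributionArn: string): Json {
  return {
    Sid: "AllowCloudFrontServicePrincipalReadOnly",
    Effect: "Allow",
    Principal: { Service: "cloudfront.amazonaws.com" },
    Action: "s3:GetObject",
    Resource: `${bucketArn}/*`,
    Condition: { StringEquals: { "AWS:SourceArn": distributionArn } },
  };
}

function asList(v: unknown): unknown[] {
  return Array.isArray(v) ? v : v === undefined ? [] : [v];
}

// Audit helper (hypothetical): flag statements that still trust a legacy OAI
// principal, or that trust cloudfront.amazonaws.com without AWS:SourceArn, which
// would let any CloudFront distribution, not only yours, read the bucket.
function auditBucketPolicy(policy: { Statement: Json[] }): string[] {
  const findings: string[] = [];
  for (const stmt of policy.Statement) {
    const sid = String(stmt.Sid ?? "<no Sid>");
    const principal = (stmt.Principal ?? {}) as Json;
    for (const p of asList(principal.AWS)) {
      if (typeof p === "string" && OAI_PRINCIPAL_RE.test(p)) {
        findings.push(`${sid}: legacy OAI principal ${p}`);
      }
    }
    if (asList(principal.Service).indexOf("cloudfront.amazonaws.com") !== -1) {
      const cond = (stmt.Condition ?? {}) as Json;
      const eq = (cond.StringEquals ?? {}) as Json;
      if (eq["AWS:SourceArn"] === undefined) {
        findings.push(`${sid}: cloudfront.amazonaws.com trusted without AWS:SourceArn condition`);
      }
    }
  }
  return findings;
}

// Constructed sample: one good OAC statement, one leftover OAI statement.
const SAMPLE_POLICY = {
  Statement: [
    oacBucketPolicyStatement(
      "arn:aws:s3:::example-site-bucket",
      "arn:aws:cloudfront::111122223333:distribution/EDFDVBD6EXAMPLE"
    ),
    {
      Sid: "LegacyOAI",
      Effect: "Allow",
      Principal: { AWS: "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1ABC2DEF3GHI" },
      Action: "s3:GetObject",
      Resource: "arn:aws:s3:::example-site-bucket/*",
    },
  ],
};

console.log(JSON.stringify(oacResource("site-oac"), null, 2));
console.log(JSON.stringify(s3OriginWithOac("example-site-bucket.s3.us-east-1.amazonaws.com", "SiteOAC"), null, 2));
console.log(auditBucketPolicy(SAMPLE_POLICY));
```

The audit is the check a practitioner wants after migrating: once the OAC is attached, the bucket policy should contain only the service-principal statement with its SourceArn condition, and the OAI user ARN should be gone.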

@gotgenes

This RFC discusses CloudFront OAC with S3, however, as mentioned by @antstanley in their comment on #491, which was closed in favor of this RFC, AWS has released OAC for other origins including AWS Lambda. Is support for those also tracked here, or are those covered in one or more separate RFCs and issues?

@gracelu0 gracelu0 added status/final-comment-period Pending final approval and removed status/review Proposal pending review/revision labels Jun 24, 2024
gracelu0 added a commit that referenced this issue Jun 25, 2024
This is a request for comments about CloudFront Origin Access Control. See #617 for additional details.

APIs are signed off by @colifran.

---

_By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license_

---------

Co-authored-by: gracelu0 <grace.r.luo@gmail.com>
@gracelu0 gracelu0 added status/implementing RFC is being implemented and removed status/final-comment-period Pending final approval labels Jun 25, 2024
@gracelu0
Contributor Author

This RFC discusses CloudFront OAC with S3, however, as mentioned by @antstanley in their comment on #491, which was closed in favor of this RFC, AWS has released OAC for other origins including AWS Lambda. Is support for those also tracked here, or are those covered in one or more separate RFCs and issues?

As mentioned in the RFC this is scoped to OAC for S3 origins. While we can’t commit to specific dates, we’re planning to support OAC for Lambda function URL origins in the future. We always welcome you to create a new issue/RFC to track feature requests so the community can upvote and help us prioritize accordingly!

@gracelu0 gracelu0 added status/final-comment-period Pending final approval and removed status/implementing RFC is being implemented labels Jun 26, 2024
@gracelu0 gracelu0 added status/review Proposal pending review/revision and removed status/final-comment-period Pending final approval labels Jul 25, 2024
@gracelu0 gracelu0 added status/final-comment-period Pending final approval and removed status/review Proposal pending review/revision labels Aug 20, 2024
gracelu0 added a commit that referenced this issue Aug 28, 2024
This is a request for comments about CloudFront Origin Access Control L2 for S3 origins. See #617 for additional details.

APIs are signed off by @comcalvi.

---

_By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license_

---------

Co-authored-by: gracelu0 <grace.r.luo@gmail.com>
@gracelu0 gracelu0 added status/approved Ready for implementation and removed status/final-comment-period Pending final approval labels Aug 28, 2024
@gracelu0 gracelu0 added status/done Implementation complete and removed status/approved Ready for implementation labels Sep 5, 2024