Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(aws-cloudfront-origins): S3Origin needs s3:ListBucket permission for CloudFront to return 404 #13983

Open
aaronlna opened this issue Apr 5, 2021 · 4 comments · May be fixed by #32059
Open

(aws-cloudfront-origins): S3Origin needs s3:ListBucket permission for CloudFront to return 404 #13983

aaronlna opened this issue Apr 5, 2021 · 4 comments · May be fixed by #32059
Labels
@aws-cdk/aws-cloudfront Related to Amazon CloudFront @aws-cdk/aws-cloudfront-origins Related to CloudFront Origins for the CDK CloudFront Library effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. p3

Comments

@aaronlna
Copy link

aaronlna commented Apr 5, 2021
edited
Loading

Reading thru the S3Origin construct it appears the only permission granted to the associated CloudFront distribution is s3:GetObject. However, without s3:ListBucket, CloudFront has no way of returning a 404 response to callers and instead returns HTTP 403 Forbidden.

Use Case

It would be nice for S3Origin construct to provide all the necessary permissions for an associated CloudFront distribution to respond via HTTP. After using this construct its unintuitive to have my CloudFront distribution responding to callers with 403 for resources that are otherwise missing per HTTP spec.

Proposed Solution

Add s3:ListBucket in addition to the current s3:GetObject for the resource policy of the S3 bucket for given CloudFront distribution.
@aaronlna aaronlna added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Apr 5, 2021
@github-actions github-actions bot added the @aws-cdk/aws-cloudfront Related to Amazon CloudFront label Apr 5, 2021
@github-actions github-actions bot added @aws-cdk/aws-cloudfront-origins Related to CloudFront Origins for the CDK CloudFront Library @aws-cdk/aws-s3 Related to Amazon S3 labels Apr 5, 2021
@iliapolo iliapolo removed their assignment Apr 5, 2021
@iliapolo iliapolo removed the @aws-cdk/aws-s3 Related to Amazon S3 label Apr 5, 2021
@robertd
Copy link
Contributor

robertd commented Apr 7, 2021

@njlynch Most likely affected by changes introduced in cc28312

@njlynch
Copy link
Contributor

njlynch commented Apr 7, 2021

@robertd - Correct!

@aaronlna - See more details in the pull request description for #13087. Having the OAI granted List* leads to (potentially) the complete contents of the bucket being listable when navigating to the distribution root. This was generally seen as undesirable behavior and removed in 1.90.0.

There is a work-around, which is to explicitly create the OAI and grant access yourself:

// Before
const bucket = new s3.Bucket(this, 'Bucket');
const s3Origin = new origins.S3Origin(this, 'S3Origin', { bucket });

// After
const bucket = new s3.Bucket(this, 'Bucket');
const originAccessIdentity = new cloudfront.OriginAccessIdentity(this, 'OAI');
bucket.grantRead(originAccessIdentity);
const s3Origin = new origins.S3Origin(this, 'S3Origin', { bucket, originAccessIdentity });

The other work-around is to redirect the 403s to 404s.

const dist = new cloudfront.Distribution(this, 'Dist', {
  ...
  errorResponses: [{
    httpStatus: 403,
    responseHttpStatus: 404,
    responsePagePath: '404.html', // Optional, if you want to redirect to a specific 404 page in the bucket.
  }],

Finally, we can consider adding in an option to grant the List permissions back in, with sufficient documentation and warning about potentially exposing the bucket contents if a default root object is not set.

@njlynch njlynch added effort/small Small work item – less than a day of effort p2 and removed needs-triage This issue or PR still needs to be triaged. labels Apr 7, 2021
@strongishllama strongishllama mentioned this issue Apr 23, 2021
Closed
@dtabuenc
Copy link

dtabuenc commented Apr 2, 2023

Why not grant the permissions by default if a root object is set? The current default is pretty unexpected. A lot of people are trying to troubleshoot permissions issues when really they should be seeing 404s. At the very least there should be a convenience method or property added to enable the behavior probably most people expect and want.

@WtfJoke WtfJoke mentioned this issue Aug 21, 2023
Closed
2 tasks
@WtfJoke
Copy link
Contributor

WtfJoke commented Aug 21, 2023

I just stumbled over the same issue when we activated WAF in our cloudfront distribution, as we couldn't distinguish between 403 responses from malicious blocked calls and 403 from legitimate users (which should have been a 404 to redirect users in a SPA).

I've opened #26830 (with some more details) but found this existing issue afterwards.

It would be great if you could configure this.

@WtfJoke WtfJoke mentioned this issue Aug 22, 2023
Open
@pahud pahud added p3 and removed p2 labels Jun 11, 2024
@khushail khushail mentioned this issue Oct 8, 2024
Open
1 task
@Tietew Tietew linked a pull request Nov 8, 2024 that will close this issue
Open
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
@aws-cdk/aws-cloudfront Related to Amazon CloudFront @aws-cdk/aws-cloudfront-origins Related to CloudFront Origins for the CDK CloudFront Library effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. p3
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat(cloudfront-origins): list access level for 404 response Tietew/aws-cdk
7 participants
@robertd @dtabuenc @pahud @njlynch @iliapolo @aaronlna @WtfJoke