Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[FEATURE] Support zero-config KMS encryption for static-website. #49

Closed
1 of 2 tasks
agdimech opened this issue Jun 21, 2022 · 4 comments
Closed
1 of 2 tasks

[FEATURE] Support zero-config KMS encryption for static-website. #49

agdimech opened this issue Jun 21, 2022 · 4 comments
Assignees
@agdimech
Labels
backlog feature-request New feature or request tracking

Comments

@agdimech
Copy link
Contributor

Describe the feature

Cloudfront OAI does not currently support KMS encryption on buckets and as such a user needs to use S3_MANAGED encryption or follow this guide: https://aws.amazon.com/blogs/networking-and-content-delivery/serving-sse-kms-encrypted-content-from-s3-using-cloudfront/.

Use Case

Highly regulated customers which mandate using customer managed keys i.e. banks.

Proposed Solution

A Lambda@Edge function will need to be associated to the distribution which will sign the request on OAI's behalf as per: https://aws.amazon.com/blogs/networking-and-content-delivery/serving-sse-kms-encrypted-content-from-s3-using-cloudfront/.

This lambda must exist in us-east-1 and as such a custom resource will need to be created such that it can be created agnostic of the host region. This lambda will need to intercept origin requests to S3, sign the request using it's own credentials (s3 ro access + kms decrypt).

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

PDK version used

N/A

What languages will this feature affect?

Typescript, Java, Python

Environment details (OS name and version, etc.)

N/A
@agdimech agdimech mentioned this issue Jun 21, 2022
Closed
@agdimech agdimech added feature-request New feature or request help wanted Extra attention is needed labels Jun 27, 2022
@agdimech
Copy link
Contributor Author

This can be resolved once this is implemented and we move to OAC.

aws/aws-cdk#21771

@agdimech agdimech added tracking and removed help wanted Extra attention is needed labels Aug 29, 2022
@agdimech agdimech self-assigned this Aug 29, 2022
@github-actions
Copy link

This issue is now marked as stale because it hasn't seen activity for a while. Add a comment or it will be closed soon. If you wish to exclude this issue from being marked as stale, add the "backlog" label.

@github-actions github-actions bot added the stale label Oct 31, 2022
@github-actions
Copy link

Closing this issue as it hasn't seen activity for a while. Please add a comment @mentioning a maintainer to reopen. If you wish to exclude this issue from being marked as stale, add the "backlog" label.

@JeremyJonas JeremyJonas reopened this Mar 9, 2023
@github-actions github-actions bot removed the stale label Mar 13, 2023
@agdimech
Copy link
Contributor Author

agdimech commented May 3, 2023

aws/aws-cdk#21771

agdimech added a commit that referenced this issue Nov 23, 2023
@agdimech
feat(static-website): add support for Origin Access Control (OAC)
6ae5b47 
fix #49
@agdimech agdimech mentioned this issue Nov 23, 2023
Closed
agdimech added a commit that referenced this issue Nov 23, 2023
@agdimech
feat(static-website): add support for Origin Access Control (OAC)
11c30cd 
fix #49
@agdimech agdimech closed this as completed May 8, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@agdimech agdimech

Labels
backlog feature-request New feature or request tracking
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat(static-website): add support for Origin Access Control (OAC) aws/aws-pdk
2 participants
@JeremyJonas @agdimech