
doc: AwsSolutions-CFR6 conflicts with AWS recommendation #1582

Closed
EysaN opened this issue Jan 26, 2024 · 5 comments · Fixed by #1794
Labels
documentation Improvements or additions to documentation feature-request A feature should be added or improved.

Comments

EysaN commented Jan 26, 2024

Under RULES.md, the rule AwsSolutions-CFR6 results in the following error when synthesizing a CDK app:
AwsSolutions-CFR6: The CloudFront distribution does not use an origin access identity with an S3 origin.

However, AWS Documentation clearly says: We recommend using OAC and it marks OAI as legacy, not recommended.

Currently, we have to manually suppress it to avoid synthesizing failure.

Could you please support OAC instead?

@EysaN EysaN added documentation Improvements or additions to documentation needs-triage This issue or PR still needs to be triaged. labels Jan 26, 2024
@dontirun dontirun added feature-request A feature should be added or improved. and removed needs-triage This issue or PR still needs to be triaged. labels Feb 7, 2024
dontirun (Collaborator) commented Feb 7, 2024

@EysaN I'll take a look into what needs to be done for this one. Thanks for bringing it up!

clueleaf (Contributor) commented Mar 5, 2024

dontirun (Collaborator) commented

I think there will need to be a few changes here

Streaming Distribution

CloudFront Streaming distributions don't seem to support OACs, so the rule should be kept the same for Streaming Distributions

Distribution

@clueleaf I think you're correct that we need to check the OriginAccessControlId property on Distributions. Additionally, if the OAC is created in the stack, we should also check if the SigningBehavior isn't set to never
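The two checks proposed above (an OriginAccessControlId on every S3 origin of a Distribution, and a SigningBehavior other than `never` when that OAC is defined in the same stack), as an added example run over a synthesized CloudFormation template rather than through cdk-nag's own rule API. This is not cdk-nag code; the sample template is constructed, and treating any origin that carries S3OriginConfig as an S3 origin is an assumption.

```typescript
// Added example (not cdk-nag code): a template-level version of the proposed OAC rule.
// Assumes standard AWS::CloudFront::Distribution / OriginAccessControl property shapes.
type Resource = { Type: string; Properties?: any };
type Template = { Resources: Record<string, Resource> };
type Finding = { distribution: string; originId: string; reason: string };

// Logical id behind { Ref: id } or { "Fn::GetAtt": [id, attr] }, else undefined.
function referencedId(value: unknown): string | undefined {
  if (typeof value !== "object" || value === null) return undefined;
  const v = value as Record<string, unknown>;
  if (typeof v.Ref === "string") return v.Ref;
  const att = v["Fn::GetAtt"];
  return Array.isArray(att) && typeof att[0] === "string" ? att[0] : undefined;
}

// Assumption: an origin with S3OriginConfig is an S3 bucket origin (CDK emits it with an
// empty OriginAccessIdentity when OAC is used), so the OAC check applies to it.
export function checkOacOnS3Origins(template: Template): Finding[] {
  const findings: Finding[] = [];
  for (const [id, res] of Object.entries(template.Resources)) {
    if (res.Type !== "AWS::CloudFront::Distribution") continue;
    for (const origin of res.Properties?.DistributionConfig?.Origins ?? []) {
      if (origin.S3OriginConfig === undefined) continue;
      if (!origin.OriginAccessControlId) {
        findings.push({ distribution: id, originId: origin.Id, reason: "no OriginAccessControlId" });
        continue;
      }
      // When the OAC is defined in the same template, SigningBehavior must not be "never".
      const oacId = referencedId(origin.OriginAccessControlId);
      const oac = oacId ? template.Resources[oacId] : undefined;
      if (oac?.Type === "AWS::CloudFront::OriginAccessControl" &&
          oac.Properties?.OriginAccessControlConfig?.SigningBehavior === "never") {
        findings.push({ distribution: id, originId: origin.Id, reason: "OAC SigningBehavior is never" });
      }
    }
  }
  return findings;
}

// Constructed sample template: an OAI-only origin, an OAC with signing disabled, and a compliant OAC.
export const sampleTemplate: Template = { Resources: {
  GoodOAC: { Type: "AWS::CloudFront::OriginAccessControl", Properties: { OriginAccessControlConfig: { Name: "good", OriginAccessControlOriginType: "s3", SigningProtocol: "sigv4", SigningBehavior: "always" } } },
  NoSignOAC: { Type: "AWS::CloudFront::OriginAccessControl", Properties: { OriginAccessControlConfig: { Name: "nosign", OriginAccessControlOriginType: "s3", SigningProtocol: "sigv4", SigningBehavior: "never" } } },
  LegacyDist: { Type: "AWS::CloudFront::Distribution", Properties: { DistributionConfig: { Enabled: true, Origins: [
    { Id: "s3", DomainName: "example-bucket.s3.amazonaws.com", S3OriginConfig: { OriginAccessIdentity: "origin-access-identity/cloudfront/EXAMPLEID" } } ] } } },
  OacDist: { Type: "AWS::CloudFront::Distribution", Properties: { DistributionConfig: { Enabled: true, Origins: [
    { Id: "s3", DomainName: "example-bucket.s3.amazonaws.com", S3OriginConfig: { OriginAccessIdentity: "" }, OriginAccessControlId: { "Fn::GetAtt": ["GoodOAC", "Id"] } },
    { Id: "s3b", DomainName: "other-bucket.s3.amazonaws.com", S3OriginConfig: { OriginAccessIdentity: "" }, OriginAccessControlId: { Ref: "NoSignOAC" } } ] } } },
} };
```

Running `checkOacOnS3Origins(sampleTemplate)` flags LegacyDist (OAI only) and the `s3b` origin of OacDist (OAC present but SigningBehavior `never`), while the `s3` origin of OacDist passes.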

braidoa commented May 13, 2024

Hi. Commenting from AWS ProServe Engagement Security:
We will wait until cdk-nag is updated, and then we'll update our guidance to ProServe builders. 😄

clueleaf (Contributor) commented May 26, 2024

Since currently we have to use addPropertyOverride to configure OAC, and cdk-nag cannot see overridden properties, I think supporting OAC in cdk-nag now will result in a lot of false positives.
Waiting for an L2 construct for OAC. (aws/aws-cdk#21771 aws/aws-cdk-rfcs#617)

@mergify mergify bot closed this as completed in #1794 Oct 7, 2024
mergify bot pushed a commit that referenced this issue Oct 7, 2024
…#1794)

Fixes #1582

CDK now supports [S3 Origin Access Control L2 construct](aws/aws-cdk#31254). Added a new rule to check if OAC is configured for CloudFront distributions using S3 as an origin.
* Bumped cdk version used in development
  * Added missing parameters in QuickSight tests accordingly
* Applied the existing OAI rule only to CloudFront Streaming distributions (CloudFront distributions will not be non-compliant if OAI is not configured anymore)
* Added a new rule checking OAC usage. Included the rule in the AWS Solutions pack as `AwsSolutions-CFR7`