feat(aws-cloudfront-s3): update construct to use origin access controls; add support for CMK-encrypted buckets

source/package.json

@@ -34,7 +34,7 @@
   },
   "workspaces": {
     "packages": [
-      "./patterns/@aws-solutions-constructs/*"
+      "./patterns/@aws-solutions-constructs/**/*"
     ],
     "nohoist": [
       "**/deepmerge",

source/patterns/@aws-solutions-constructs/aws-cloudfront-s3/.eslintignore

@@ -1,5 +1,5 @@
-lib/*.js
+lib/**/*.js
 test/*.js
 *.d.ts
 coverage
-test/lambda/index.js
+node_modules

source/patterns/@aws-solutions-constructs/aws-cloudfront-s3/README.md

@@ -19,7 +19,11 @@
 |![Java Logo](https://docs.aws.amazon.com/cdk/api/latest/img/java32.png) Java|`software.amazon.awsconstructs.services.cloudfronts3`|
 
 ## Overview
-This AWS Solutions Construct implements an AWS CloudFront fronting an AWS S3 Bucket.
+This AWS Solutions Construct provisions an Amazon CloudFront Distribution that serves objects from an AWS S3 Bucket via an Origin Access Control (OAC).
+
+> **Note:** This AWS Solutions Construct was updated in December 2023 to replace the use of Origin Access Identities (OAIs) with Origin Access Controls (OACs) for accessing objects from the Bucket. Due to the
+> current configuration of one or more underlying AWS CDK constructs, this Construct will still provison an OAI, but it will be "orphaned" and the OAC will be used for accessing the Bucket. The 
+> unused OAI does not introduce any cost or security risk, and it can be safely deleted through the AWS CloudFront Management Console if desired.
 
 Here is a minimal deployable pattern definition:
 

source/patterns/@aws-solutions-constructs/aws-cloudfront-s3/lib/custom-resources/kms-key-policy-updater/.gitignore

@@ -0,0 +1,2 @@
+**/*.js
+node_modules

source/patterns/@aws-solutions-constructs/aws-cloudfront-s3/lib/custom-resources/kms-key-policy-updater/index.ts

@@ -0,0 +1,109 @@
+/**
+ *  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance
+ *  with the License. A copy of the License is located at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES
+ *  OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions
+ *  and limitations under the License.
+ */
+
+import { KMSClient, GetKeyPolicyCommand, DescribeKeyCommand, PutKeyPolicyCommand, KeyManagerType } from "@aws-sdk/client-kms";
+
+const kmsClient = new KMSClient();
+
+export const handler = async (e: any, context: any) => {
+
+  let status = 'SUCCESS';
+  let responseData = {};
+
+  if (e.RequestType === 'Create' || e.RequestType === 'Update') {
+
+    try {
+      const kmsKeyId = e.ResourceProperties.KmsKeyId;
+      const cloudFrontDistributionId = e.ResourceProperties.CloudFrontDistributionId;
+      const accountId = e.ResourceProperties.AccountId;
+      const region = process.env.AWS_REGION;
+
+      const describeKeyCommandResponse = await kmsClient.send(new DescribeKeyCommand({
+        KeyId: kmsKeyId
+      }));
+
+      if (describeKeyCommandResponse.KeyMetadata?.KeyManager === KeyManagerType.AWS) {
+        return {
+          Status: 'SUCCESS',
+          Reason: 'An AWS managed key was provided, no action needed from the custom resource, exiting now.',
+          PhysicalResourceId: e.PhysicalResourceId ?? context.logStreamName,
+          StackId: e.StackId,
+          RequestId: e.RequestId,
+          LogicalResourceId: e.LogicalResourceId,
+          Data: 'An AWS managed key was provided, no action needed from the custom resource, exiting now.',
+        };
+      }
+
+      const getKeyPolicyCommandResponse = await kmsClient.send(new GetKeyPolicyCommand({
+        KeyId: kmsKeyId,
+        PolicyName: 'default'
+      }));
+
+      if (!getKeyPolicyCommandResponse.Policy) {
+        return {
+          Status: 'FAILED',
+          Reason: 'An error occurred while retrieving the key policy',
+          PhysicalResourceId: e.PhysicalResourceId ?? context.logStreamName,
+          StackId: e.StackId,
+          RequestId: e.RequestId,
+          LogicalResourceId: e.LogicalResourceId,
+          Data: 'An error occurred while retrieving the key policy',
+        };
+      }
+
+      const keyPolicy = JSON.parse(getKeyPolicyCommandResponse?.Policy);
+
+      // Update the existing key policy to allow the cloudfront distribution to use the key
+      keyPolicy.Statement.push({
+        Sid: 'Grant-CloudFront-Distribution-Key-Usage',
+        Effect: 'Allow',
+        Principal: {
+          Service: 'cloudfront.amazonaws.com',
+        },
+        Action: [
+          'kms:Decrypt',
+          'kms:Encrypt',
+          'kms:GenerateDataKey*',
+          'kms:ReEncrypt*'
+        ],
+        Resource: `arn:aws:kms:${region}:${accountId}:key/${kmsKeyId}`,
+        Condition: {
+          StringEquals: {
+            'AWS:SourceArn': `arn:aws:cloudfront::${accountId}:distribution/${cloudFrontDistributionId}`
+          }
+        }
+      });
+
+      await kmsClient.send(new PutKeyPolicyCommand({
+        KeyId: kmsKeyId,
+        Policy: JSON.stringify(keyPolicy),
+        PolicyName: 'default'
+      }));
+    } catch (err) {
+      status = 'FAILED';
+      responseData = {
+        Error: JSON.stringify(err)
+      };
+    }
+  }
+
+  return {
+    Status: status,
+    Reason: JSON.stringify(responseData),
+    PhysicalResourceId: e.PhysicalResourceId ?? context.logStreamName,
+    StackId: e.StackId,
+    RequestId: e.RequestId,
+    LogicalResourceId: e.LogicalResourceId,
+    Data: responseData,
+  };
+};

source/patterns/@aws-solutions-constructs/aws-cloudfront-s3/lib/custom-resources/kms-key-policy-updater/package.json

@@ -0,0 +1,43 @@
+{
+    "name": "kms-key-policy-updater",
+    "version": "0.0.0",
+    "description": "Custom resource for updating CMK key policies",
+    "main": "lib/index.js",
+    "types": "lib/index.d.ts",
+    "author": {
+        "name": "Amazon Web Services",
+        "url": "https://aws.amazon.com",
+        "organization": true
+    },
+    "license": "Apache-2.0",
+    "scripts": {
+        "build": "tsc -b .",
+        "lint": "eslint -c ../eslintrc.yml --ext=.js,.ts . && tslint --project .",
+        "lint-fix": "eslint -c ../eslintrc.yml --ext=.js,.ts --fix .",
+        "test": "jest --coverage",
+        "clean": "tsc -b --clean",
+        "watch": "tsc -b -w"
+    },
+    "dependencies": {
+        "@aws-sdk/client-kms": "^3.468.0",
+        "aws-sdk-client-mock": "^3.0.0"
+    },
+    "devDependencies": {
+        "@types/jest": "^27.4.0",
+        "@types/node": "^10.3.0"
+    },
+    "jest": {
+        "moduleFileExtensions": [
+            "js"
+        ],
+        "coverageReporters": [
+            "text",
+            [
+                "lcov",
+                {
+                    "projectRoot": "../../../../"
+                }
+            ]
+        ]
+    }
+}

source/patterns/@aws-solutions-constructs/aws-cloudfront-s3/lib/custom-resources/kms-key-policy-updater/tests/kms-key-policy-updater.test.ts

@@ -0,0 +1,156 @@
+/**
+ *  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance
+ *  with the License. A copy of the License is located at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES
+ *  OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions
+ *  and limitations under the License.
+ */
+
+import { handler } from "..";
+import { mockClient } from "aws-sdk-client-mock";
+import { KMSClient, DescribeKeyCommand, KeyManagerType, GetKeyPolicyCommand, PutKeyPolicyCommand } from "@aws-sdk/client-kms";
+
+const kmsMock = mockClient(KMSClient);
+
+beforeEach(() => {
+  kmsMock.reset();
+});
+
+it('Should exit if an AWS managed key is provided; return a success code but give the exact reason', async () => {
+  // Mocks
+  kmsMock.on(DescribeKeyCommand).resolves({
+    KeyMetadata: {
+      KeyId: 'sample-key-id',
+      KeyManager: KeyManagerType.AWS
+    }
+  });
+  // Arrange
+  const e = {
+    RequestType: 'Create',
+    ResourceProperties: {
+      CloudFrontDistributionId: 'sample-cf-distro-id',
+      AccountId: '111122223333'
+    }
+  };
+  const context = {
+    // ...
+  };
+  // Act
+  const res = await handler(e, context);
+  // Assert
+  expect(res.Status).toBe('SUCCESS');
+  expect(res.Data).toBe('An AWS managed key was provided, no action needed from the custom resource, exiting now.');
+});
+
+it('Should return an error if the key policy is returned as undefined', async () => {
+  // Mocks
+  kmsMock.on(DescribeKeyCommand).resolves({
+    KeyMetadata: {
+      KeyId: 'sample-key-id',
+      KeyManager: KeyManagerType.CUSTOMER
+    }
+  });
+  kmsMock.on(GetKeyPolicyCommand).resolves({
+    Policy: undefined
+  });
+  // Arrange
+  const e = {
+    RequestType: 'Update',
+    ResourceProperties: {
+      CloudFrontDistributionId: 'sample-cf-distro-id',
+      AccountId: '111122223333'
+    }
+  };
+  const context = {
+    // ...
+  };
+  // Act
+  const res = await handler(e, context);
+  // Assert
+  expect(res.Status).toBe('FAILED');
+});
+
+it('Should update the key policy if the proper params are given', async () => {
+  // Mocks
+  kmsMock.on(DescribeKeyCommand).resolves({
+    KeyMetadata: {
+      KeyId: 'sample-key-id',
+      KeyManager: KeyManagerType.CUSTOMER
+    }
+  });
+  kmsMock.on(GetKeyPolicyCommand).resolves({
+    Policy: `{\n
+      \"Version\" : \"2012-10-17\",\n
+      \"Id\" : \"key-default-1\",\n
+      \"Statement\" : [ {\n
+          \"Sid\" : \"Enable IAM User Permissions\",\n
+          \"Effect\" : \"Allow\",\n
+          \"Principal\" : {\n
+              \"AWS\" : \"arn:aws:iam::111122223333:root\"\n
+          },\n
+          \"Action\" : \"kms:*\",\n
+          \"Resource\" : \"*\"\n
+      } ]\n
+    }`
+  });
+  // Arrange
+  const e = {
+    RequestType: 'Update',
+    ResourceProperties: {
+      CloudFrontDistributionId: 'sample-cf-distro-id',
+      AccountId: '111122223333'
+    }
+  };
+  const context = {
+    // ...
+  };
+  // Act
+  const res = await handler(e, context);
+  // Assert
+  expect(res.Status).toBe('SUCCESS');
+});
+
+it('Should fail if an error occurs with putting the new key policy, all other inputs valid', async () => {
+  // Mocks
+  kmsMock.on(DescribeKeyCommand).resolves({
+    KeyMetadata: {
+      KeyId: 'sample-key-id',
+      KeyManager: KeyManagerType.CUSTOMER
+    }
+  });
+  kmsMock.on(GetKeyPolicyCommand).resolves({
+    Policy: `{\n
+      \"Version\" : \"2012-10-17\",\n
+      \"Id\" : \"key-default-1\",\n
+      \"Statement\" : [ {\n
+          \"Sid\" : \"Enable IAM User Permissions\",\n
+          \"Effect\" : \"Allow\",\n
+          \"Principal\" : {\n
+              \"AWS\" : \"arn:aws:iam::111122223333:root\"\n
+          },\n
+          \"Action\" : \"kms:*\",\n
+          \"Resource\" : \"*\"\n
+      } ]\n
+    }`
+  });
+  kmsMock.on(PutKeyPolicyCommand).rejects();
+  const e = {
+    RequestType: 'Update',
+    ResourceProperties: {
+      CloudFrontDistributionId: 'sample-cf-distro-id',
+      AccountId: '111122223333'
+    }
+  };
+  const context = {
+    // ...
+  };
+  // Act
+  const res = await handler(e, context);
+  // Assert
+  expect(res.Status).toBe('FAILED');
+});