Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Amazon CloudFront Origin Access Control L2 Construct #617

Open
11 tasks done
gracelu0 opened this issue May 24, 2024 · 2 comments
Open
11 tasks done

Amazon CloudFront Origin Access Control L2 Construct #617

gracelu0 opened this issue May 24, 2024 · 2 comments
Labels
status/done Implementation complete

Comments

@gracelu0
Copy link
Contributor

gracelu0 commented May 24, 2024

Description

CloudFront Origin Access Control (OAC) is the recommended way to send authenticated requests to an Amazon S3 origin using IAM service principals. It offers better security, supports server-side encryption with AWS KMS, and supports all Amazon S3 buckets in all AWS regions.

Currently the S3Origin construct automatically creates an Origin Access Identity (OAI) to restrict access to an S3 Origin. However, using OAI is now considered legacy and no longer recommended. CDK users who want to use OAC currently have to use the L1 construct CfnOriginAccessControl. They need to use escape hatches to attach the OAC to their CloudFront distribution and remove the OAI that is automatically configured. With a CloudFront OAC L2 construct, users will easily be able to set up their CloudFront origins using OAC instead of OAI.

Roles

Role User
Author(s) @gracelu0
API Bar Raiser @comcalvi

See RFC Process for details

Workflow

  • Tracking issue created (label: status/proposed)
  • API bar raiser assigned (ping us at #aws-cdk-rfcs if needed)
  • Kick off meeting
  • RFC pull request submitted (label: status/review)
  • Community reach out (via Slack and/or Twitter)
  • API signed-off (label status/api-approved applied to pull request)
  • Final comments period (label: status/final-comments-period)
  • Approved and merged (label: status/approved)
  • Execution plan submitted (label: status/planning)
  • Plan approved and merged (label: status/implementing)
  • Implementation complete (label: status/done)

Author is responsible to progress the RFC according to this checklist, and
apply the relevant labels to this issue so that the RFC table in README gets
updated.

@gotgenes
Copy link

This RFC discusses CloudFront OAC with S3, however, as mentioned by @antstanley in their comment on #491—which was closed in favor if this RFC—AWS has released OAC for other origins including AWS Lambda. Is support for those also tracked here, or are those covered in one or more separate RFCs and issues?

@gracelu0 gracelu0 added status/final-comment-period Pending final approval and removed status/review Proposal pending review/revision labels Jun 24, 2024
gracelu0 added a commit that referenced this issue Jun 25, 2024
This is a request for comments about CloudFront Origin Access Control.
See #617 for
additional details. 

APIs are signed off by @colifran .

---

_By submitting this pull request, I confirm that my contribution is made
under
the terms of the Apache-2.0 license_

---------

Co-authored-by: gracelu0 <[email protected]>
@gracelu0 gracelu0 added status/implementing RFC is being implemented and removed status/final-comment-period Pending final approval labels Jun 25, 2024
@gracelu0
Copy link
Contributor Author

This RFC discusses CloudFront OAC with S3, however, as mentioned by @antstanley in their comment on #491—which was closed in favor if this RFC—AWS has released OAC for other origins including AWS Lambda. Is support for those also tracked here, or are those covered in one or more separate RFCs and issues?

As mentioned in the RFC this is scoped to OAC for S3 origins. While we can’t commit to specific dates, we’re planning to support OAC for Lambda function url origins in the future. We always welcome you to create a new issue/RFC to track feature requests so the community can upvote and help us prioritize accordingly!

@gracelu0 gracelu0 added status/final-comment-period Pending final approval and removed status/implementing RFC is being implemented labels Jun 26, 2024
@gracelu0 gracelu0 added status/review Proposal pending review/revision and removed status/final-comment-period Pending final approval labels Jul 25, 2024
@gracelu0 gracelu0 added status/final-comment-period Pending final approval and removed status/review Proposal pending review/revision labels Aug 20, 2024
gracelu0 added a commit that referenced this issue Aug 28, 2024
This is a request for comments about CloudFront Origin Access Control L2
for S3 origins. See #617 for
additional details. 

APIs are signed off by @comcalvi  .

---

_By submitting this pull request, I confirm that my contribution is made
under
the terms of the Apache-2.0 license_

---------

Co-authored-by: gracelu0 <[email protected]>
@gracelu0 gracelu0 added status/approved Ready for implementation and removed status/final-comment-period Pending final approval labels Aug 28, 2024
@gracelu0 gracelu0 added status/done Implementation complete and removed status/approved Ready for implementation labels Sep 5, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
status/done Implementation complete
Projects
None yet
Development

No branches or pull requests

2 participants