|
| 1 | +# aws-cloudfront-oai-s3 module |
| 2 | +<!--BEGIN STABILITY BANNER--> |
| 3 | + |
| 4 | +--- |
| 5 | + |
| 6 | + |
| 7 | + |
| 8 | +--- |
| 9 | +<!--END STABILITY BANNER--> |
| 10 | + |
| 11 | +| **Reference Documentation**:| <span style="font-weight: normal">https://docs.aws.amazon.com/solutions/latest/constructs/</span>| |
| 12 | +|:-------------|:-------------| |
| 13 | +<div style="height:8px"></div> |
| 14 | + |
| 15 | +| **Language** | **Package** | |
| 16 | +|:-------------|-----------------| |
| 17 | +| Python|`aws_solutions_constructs.aws_cloudfront_oai_s3`| |
| 18 | +| Typescript|`@aws-solutions-constructs/aws-cloudfront-oai-s3`| |
| 19 | +| Java|`software.amazon.awsconstructs.services.cloudfrontoais3`| |
| 20 | + |
| 21 | +## Overview |
| 22 | +This AWS Solutions Construct provisions an Amazon CloudFront Distribution that serves objects from an AWS S3 Bucket via an Origin Access Identity (OAI). |
| 23 | + |
| 24 | +IMPORTANT: The recommended architecture for this pattern is to use an Origin Access Control, which is available in aws-cloudfront-s3. This construct is provided to support China regions where Origin Access Controls are not available. |
| 25 | + |
| 26 | +Here is a minimal deployable pattern definition: |
| 27 | + |
| 28 | +Typescript |
| 29 | +``` typescript |
| 30 | +import { Construct } from 'constructs'; |
| 31 | +import { Stack, StackProps } from 'aws-cdk-lib'; |
| 32 | +import { CloudFrontToOaiToS3 } from '@aws-solutions-constructs/aws-cloudfront-oai-s3'; |
| 33 | + |
| 34 | +new CloudFrontToOaiToS3(this, 'test-cloudfront-oai-s3', {}); |
| 35 | +``` |
| 36 | + |
| 37 | +Python |
| 38 | +``` python |
| 39 | +from aws_solutions_constructs.aws_cloudfront_oai_s3 import CloudFrontToOaiToS3 |
| 40 | +from aws_cdk import Stack |
| 41 | +from constructs import Construct |
| 42 | + |
| 43 | +CloudFrontToOaiToS3(self, 'test-cloudfront-oai-s3') |
| 44 | +``` |
| 45 | + |
| 46 | +Java |
| 47 | +``` java |
| 48 | +import software.constructs.Construct; |
| 49 | + |
| 50 | +import software.amazon.awscdk.Stack; |
| 51 | +import software.amazon.awscdk.StackProps; |
| 52 | +import software.amazon.awsconstructs.services.cloudfrontoais3.*; |
| 53 | + |
| 54 | +new CloudFrontToOaiToS3(this, "test-cloudfront-oai-s3", new CloudFrontToOaiToS3Props.Builder() |
| 55 | + .build()); |
| 56 | +``` |
| 57 | + |
| 58 | +## Pattern Construct Props |
| 59 | + |
| 60 | +| **Name** | **Type** | **Description** | |
| 61 | +|:-------------|:----------------|-----------------| |
| 62 | +|cloudFrontDistributionProps?|[`cloudfront.DistributionProps`](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudfront.DistributionProps.html)|Optional user provided props to override the default props for CloudFront Distribution| |
| 63 | +|insertHttpSecurityHeaders?|`boolean`|Optional user provided props to turn on/off the automatic injection of best practice HTTP security headers in all responses from CloudFront| |
| 64 | +|responseHeadersPolicyProps? | [`cloudfront.ResponseHeadersPolicyProps`](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudfront.ResponseHeadersPolicyProps.html) | Optional user provided configuration that cloudfront applies to all http responses.| |
| 65 | +|originPath?|`string`|Optional user provided props to provide an[originPath](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudfront_origins.S3OriginProps.html#originpath) that CloudFront appends to the origin domain name when CloudFront requests content from the origin. The string should start with a `/`, for example: `/production`. Default value is `'/'`| |
| 66 | +|existingBucketObj?|[`s3.IBucket`](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html)|Existing instance of S3 content bucket object or interface. If this is provided, then also providing bucketProps will cause an error. | |
| 67 | +|bucketProps?|[`s3.BucketProps`](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html)|Optional user provided props to override the default props for the S3 content bucket. Note - to log S3 access for this bucket to an existing S3 bucket, put the existing log bucket in bucketProps: `serverAccessLogsBucket`| |
| 68 | +|logS3AccessLogs?| boolean|Whether to turn on Access Logging for the S3 bucket. Creates an S3 bucket with associated storage costs for the logs. Enabling Access Logging is a best practice. default - true| |
| 69 | +|loggingBucketProps?|[`s3.BucketProps`](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html)|Optional user provided props to override the default props for the S3 Logging Bucket.| |
| 70 | +|cloudFrontLoggingBucketProps?|[`s3.BucketProps`](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html)|Optional user provided props to override the default props for the CloudFront Logging Bucket. Note: to use an existing bucketto hold CloudFront logs, pass the existing log bucket in | |
| 71 | +|logCloudFrontAccessLog|`boolean`|Optional - Whether to maintain access logs for the CloudFront Logging bucket. Specifying false for this while providing info about the log bucket will cause an error. Default = true | |
| 72 | +|cloudFrontLoggingBucketAccessLogBucketProps|[`s3.BucketProps`](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html)|Optional user provided props to override the default props for the CloudFront Log Bucket Access Log bucket. Providing both this and `existingcloudFrontLoggingBucketAccessLogBucket` will cause an error. To provide an existing bucket to accept these logs, pass the existing bucket in `cloudFrontLoggingBucketProps::serverAccessLogBucket`| |
| 73 | + |
| 74 | +## Pattern Properties |
| 75 | + |
| 76 | +| **Name** | **Type** | **Description** | |
| 77 | +|:-------------|:----------------|-----------------| |
| 78 | +|cloudFrontWebDistribution|[`cloudfront.Distribution`](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudfront.Distribution.html)|Returns an instance of cloudfront.Distribution created by the construct.| |
| 79 | +|cloudFrontFunction?|[`cloudfront.Function`](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudfront.Function.html)|Returns an instance of the Cloudfront function created by the construct.| |
| 80 | +|s3BucketInterface|[`s3.IBucket`](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html)|Returns an instance of s3.IBucket created by the construct.| |
| 81 | +|s3Bucket?|[`s3.Bucket`](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html)|Returns an instance of s3.Bucket created by the construct. IMPORTANT: If `existingBucketObj` was provided in Pattern Construct Props, this property will be `undefined`| |
| 82 | +|s3LoggingBucket?|[`s3.Bucket`](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html)|Returns an instance of s3.Bucket created by the construct as the logging bucket for the primary bucket.| |
| 83 | +|cloudFrontLoggingBucket?|[`s3.Bucket`](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html)|The S3 bucket created by the construct to hold CloudFront logs. Only populated if the construct creates the bucket (not if an existing bucket is passed in via DistributionProps)| |
| 84 | +|cloudFrontLoggingBucketAccessLogBucket?|[`s3.Bucket`](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html)|The S3 bucket containing the S3 access logs for the CloudFront log bucket. Only populated if the construct creates the bucket (not if the bucket is passed in via `cloudFrontLoggingBucketProps::serverAccessLogBucket`| |
| 85 | + |
| 86 | +## Default settings |
| 87 | + |
| 88 | +Out of the box implementation of the Construct without any override will set the following defaults: |
| 89 | + |
| 90 | +### Amazon CloudFront |
| 91 | +* Configure Access logging for CloudFront Distribution |
| 92 | +* Enable automatic injection of best practice HTTP security headers in all responses from CloudFront Distribution |
| 93 | +* CloudFront originPath set to `'/'` |
| 94 | +* Create an Origin Access Identity to access S3 bucket |
| 95 | + |
| 96 | +### Amazon S3 Bucket |
| 97 | +* Configure Access logging for S3 Bucket |
| 98 | +* Enable server-side encryption for S3 Bucket using AWS managed KMS Key |
| 99 | +* Enforce encryption of data in transit |
| 100 | +* Turn on the versioning for S3 Bucket |
| 101 | +* Block public access for S3 Bucket |
| 102 | +* Retain the S3 Bucket when deleting the CloudFormation stack |
| 103 | +* Applies Lifecycle rule to move noncurrent object versions to Glacier storage after 90 days |
| 104 | + |
| 105 | +## Architecture |
| 106 | + |
| 107 | + |
| 108 | +*** |
| 109 | +© Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. |
0 commit comments