diff --git a/packages/aws-cdk-lib/aws-cloudfront-origins/README.md b/packages/aws-cdk-lib/aws-cloudfront-origins/README.md index 84878922bc3dc..fa9d069f4b281 100644 --- a/packages/aws-cdk-lib/aws-cloudfront-origins/README.md +++ b/packages/aws-cdk-lib/aws-cloudfront-origins/README.md @@ -31,7 +31,7 @@ and the distribution can use built-in S3 redirects and S3 custom error pages. ```ts const myBucket = new s3.Bucket(this, 'myBucket'); new cloudfront.Distribution(this, 'myDist', { - defaultBehavior: { origin: new origins.S3StaticWebsiteOrigin(myBucket) }, + defaultBehavior: { origin: new origins.S3StaticWebsiteOrigin({ bucket: myBucket }) }, }); ``` @@ -73,6 +73,7 @@ When creating a S3 origin using `origins.S3BucketOrigin.withOriginAccessControl( You can grant read, write or delete access to the OAC using the `originAccessLevels` property: ```ts +const myBucket = new s3.Bucket(this, 'myBucket'); const s3Origin = origins.S3BucketOrigin.withOriginAccessControl(myBucket, { originAccessLevels: [cloudfront.AccessLevel.READ, cloudfront.AccessLevel.WRITE, cloudfront.AccessLevel.DELETE], }); @@ -85,7 +86,7 @@ const myBucket = new s3.Bucket(this, 'myBucket'); const oac = new cloudfront.S3OriginAccessControl(this, 'MyOAC', { signing: cloudfront.Signing.SIGV4_NO_OVERRIDE }); -const s3Origin = origins.S3BucketOrigin.withOriginAccessControl(bucket, { +const s3Origin = origins.S3BucketOrigin.withOriginAccessControl(myBucket, { originAccessControl: oac } ) @@ -99,60 +100,99 @@ new cloudfront.Distribution(this, 'myDist', { An existing S3 origin access control can be imported using the `fromOriginAccessControlId` method: ```ts -const importedOAC = cloudfront.S3OriginAccessControl.fromOriginAccessControlId(this, 'myImportedOAC', { - originAccessControlId: 'ABC123ABC123AB', -}); +const importedOAC = cloudfront.S3OriginAccessControl.fromOriginAccessControlId(this, 'myImportedOAC', 'ABC123ABC123AB'); ``` > [Note](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html): When you use OAC with S3 bucket origins, the bucket's object ownership must be set to Bucket owner enforced (default for new S3 buckets), or Bucket owner preferred (only if you require ACLs). -#### Setting up OAC with imported S3 buckets +#### Setting up OAC with a SSE-KMS encrypted S3 origin -If you are using an imported bucket for your S3 Origin and want to use OAC, -you will need to update -the S3 bucket policy manually to allow the OAC to access the S3 origin. Like most imported resources, CDK apps cannot modify the configuration of imported buckets. +If the objects in the S3 bucket origin are encrypted using server-side encryption with +AWS Key Management Service (SSE-KMS), the OAC must have permission to use the KMS key. -After deploying the distribution, add the following -policy statement to your -S3 bucket to allow CloudFront read-only access -(or additional S3 permissions as required): +Setting up an S3 origin using `S3BucketOrigin.withOriginAccessControl()` will automatically add the statement to the KMS key policy +to give the OAC permission to use the KMS key. + +```ts +import * as kms from 'aws-cdk-lib/aws-kms'; + +const myKmsKey = new kms.Key(this, 'myKMSKey'); +const myBucket = new s3.Bucket(this, 'mySSEKMSEncryptedBucket', { + encryption: s3.BucketEncryption.KMS, + encryptionKey: myKmsKey, + objectOwnership: s3.ObjectOwnership.BUCKET_OWNER_ENFORCED, +}); +new cloudfront.Distribution(this, 'myDist', { + defaultBehavior: { + origin: origins.S3BucketOrigin.withOriginAccessControl(myBucket) // Automatically grants Distribution access to `myKmsKey` + }, +}); +``` + +I saw this warning message during synth time. What do I do? + +```text +To avoid circular dependency between the KMS key, Bucket, and Distribution, +a wildcard is used to match all Distribution IDs in Key policy condition. +To further scope down the policy for best security practices, see the "Using OAC for a SSE-KMS encrypted S3 origin" section in the module README. +``` + +If the S3 bucket has an `encryptionKey` defined, `S3BucketOrigin.withOriginAccessControl()` +will automatically add the following policy statement to the KMS key policy to allow CloudFront read-only access (unless otherwise specified in the `originAccessLevels` property). ```json { - "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Principal": { "Service": "cloudfront.amazonaws.com" }, - "Action": "s3:GetObject", - "Resource": "arn:aws:s3:::/*", + "Action": "kms:Decrypt", + "Resource": "*", "Condition": { - "StringEquals": { - "AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/" + "ArnLike": { + "AWS:SourceArn": "arn:aws:cloudfront:::distribution/*" } } } } ``` -See CloudFront docs on [Giving the origin access control permission to access the S3 bucket](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html#create-oac-overview-s3) for more details. +This policy uses a wildcard to match all distribution IDs in the account instead of referencing the specific distribution ID to resolve the circular dependency. The policy statement is not as scoped down as the example in the AWS CloudFront docs (see [SSE-KMS section](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html#create-oac-overview-s3)). -> Note: If your bucket previously used OAI, you will need to manually remove the policy statement -that gives the OAI access to your bucket after setting up OAC. +After you have deployed the Distribution, you should follow these steps to only grant permissions to the specific distribution according to AWS best practices: -#### Using OAC for a SSE-KMS encrypted S3 origin +**Step 1.** Copy the key policy -If the objects in the S3 bucket origin are encrypted using server-side encryption with -AWS Key Management Service (SSE-KMS), the OAC must have permission to use the KMS key. -Setting up an S3 origin using `S3BucketOrigin.withOriginAccessControl()` will automatically add the statement to the KMS key policy -to give the OAC permission to use the KMS key. -For imported keys, you will need to manually update the -key policy yourself as CDK apps cannot modify the configuration of imported resources. +**Step 2.** Use an escape hatch to update the policy statement condition so that + +```json + "Condition": { + "ArnLike": { + "AWS:SourceArn": "arn:aws:cloudfront:::distribution/*" + } + } +``` + +...becomes... + +```json + "Condition": { + "StringEquals": { + "AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/" + } + } +``` + +> Note the change of condition operator from `ArnLike` to `StringEquals` in addition to replacing the wildcard (`*`) with the distribution ID. + +To set the key policy using an escape hatch: ```ts -const myKmsKey = new kms.Key(this, 'myKMSKey'); +import * as kms from 'aws-cdk-lib/aws-kms'; + +const kmsKey = new kms.Key(this, 'myKMSKey'); const myBucket = new s3.Bucket(this, 'mySSEKMSEncryptedBucket', { encryption: s3.BucketEncryption.KMS, encryptionKey: kmsKey, @@ -160,32 +200,134 @@ const myBucket = new s3.Bucket(this, 'mySSEKMSEncryptedBucket', { }); new cloudfront.Distribution(this, 'myDist', { defaultBehavior: { - origin: origins.S3BucketOrigin.withOriginAccessControl(myBucket) // Automatically grants Distribution access to `myKmsKey` + origin: origins.S3BucketOrigin.withOriginAccessControl(myBucket) }, }); + +// Add the following to scope down the key policy +const scopedDownKeyPolicy = { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::111122223333:root" + }, + "Action": "kms:*", + "Resource": "*" + }, + { + "Effect": "Allow", + "Principal": { + "Service": "cloudfront.amazonaws.com" + }, + "Action": [ + "kms:Decrypt", + "kms:Encrypt", + "kms:GenerateDataKey*" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/" + } + } + } + ] +}; +const cfnKey = (kmsKey.node.defaultChild as kms.CfnKey); +cfnKey.keyPolicy = scopedDownKeyPolicy; ``` -If the S3 bucket has an `encryptionKey` defined, `S3BucketOrigin.withOriginAccessControl()` -will update the KMS key policy by appending the following policy statement to allow CloudFront read-only access (unless otherwise specified in the `originAccessLevels` property): +**Step 3.** Deploy the stack +> Tip: Run `cdk diff` before deploying to verify the +changes to your stack. + +**Step 4.** Verify your final key policy includes the following statement after deploying: + +```json +{ + "Effect": "Allow", + "Principal": { + "Service": [ + "cloudfront.amazonaws.com" + ] + }, + "Action": [ + "kms:Decrypt", + "kms:Encrypt", + "kms:GenerateDataKey*" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/" + } + } +} +``` + +For imported keys, you will need to manually update the +key policy yourself as CDK apps cannot modify the configuration of imported resources. After deploying the distribution, add the following policy statement to your key policy to allow CloudFront OAC to access your KMS key for SSE-KMS: ```json { + "Sid": "AllowCloudFrontServicePrincipalSSE-KMS", + "Effect": "Allow", + "Principal": { + "Service": [ + "cloudfront.amazonaws.com" + ] + }, + "Action": [ + "kms:Decrypt", + "kms:Encrypt", + "kms:GenerateDataKey*" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/" + } + } +} +``` + +#### Setting up OAC with imported S3 buckets + +If you are using an imported bucket for your S3 Origin and want to use OAC, +you will need to update +the S3 bucket policy manually to allow the OAC to access the S3 origin. Like most imported resources, CDK apps cannot modify the configuration of imported buckets. + +After deploying the distribution, add the following +policy statement to your +S3 bucket to allow CloudFront read-only access +(or additional S3 permissions as required): + +```json +{ + "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Principal": { "Service": "cloudfront.amazonaws.com" }, - "Action": "kms:Decrypt", - "Resource": "arn:aws:kms:::key/", + "Action": "s3:GetObject", + "Resource": "arn:aws:s3:::/*", "Condition": { - "ArnLike": { - "AWS:SourceArn": "arn:aws:cloudfront:::distribution/*" + "StringEquals": { + "AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/" } } } } ``` +See CloudFront docs on [Giving the origin access control permission to access the S3 bucket](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html#create-oac-overview-s3) for more details. + +> Note: If your bucket previously used OAI, you will need to manually remove the policy statement +that gives the OAI access to your bucket after setting up OAC. + #### Setting up an OAI (legacy) Setup an S3 origin with origin access identity (legacy) as follows: @@ -206,7 +348,7 @@ const myBucket = new s3.Bucket(this, 'myBucket'); const myOai = new cloudfront.OriginAccessIdentity(this, 'myOAI', { comment: 'My custom OAI' }); -const s3Origin = origins.S3BucketOrigin.withOriginAccessIdentity(bucket, { +const s3Origin = origins.S3BucketOrigin.withOriginAccessIdentity(myBucket, { originAccessIdentity: myOai }); new cloudfront.Distribution(this, 'myDist', { @@ -282,6 +424,10 @@ To ensure CloudFront doesn't lose access to the bucket during the transition, ad changes to your stack. ```ts +import * as cdk from 'aws-cdk-lib'; +import * as iam from 'aws-cdk-lib/aws-iam'; + +const stack = new Stack(); const myBucket = new s3.Bucket(this, 'myBucket'); const s3Origin = new origins.S3Origin(myBucket); const distribution = new cloudfront.Distribution(this, 'myDist', { @@ -306,7 +452,7 @@ const oacBucketPolicyStatement = new iam.PolicyStatement( effect: iam.Effect.ALLOW, principals: [cloudfrontSP], actions: ['s3:GetObject'], - resources: [bucket.arnForObjects('*')], + resources: [myBucket.arnForObjects('*')], conditions: { "StringEquals": { "AWS:SourceArn": distributionArn @@ -316,7 +462,7 @@ const oacBucketPolicyStatement = new iam.PolicyStatement( ) // Add statement to bucket policy -bucket.addToResourcePolicy(oacBucketPolicyStatement); +myBucket.addToResourcePolicy(oacBucketPolicyStatement); ``` The following changes will take place: @@ -330,9 +476,9 @@ Replace `S3Origin` with `S3BucketOrigin.withOriginAccessControl()`, which create Run `cdk diff` before deploying to verify the changes to your stack. ```ts -const bucket = new s3.Bucket(stack, 'Bucket'); +const bucket = new s3.Bucket(this, 'Bucket'); const s3Origin = origins.S3BucketOrigin.withOriginAccessControl(bucket); -const distribution = new cloudfront.Distribution(stack, 'Distribution', { +const distribution = new cloudfront.Distribution(this, 'Distribution', { defaultBehavior: { origin: s3Origin }, }); ``` diff --git a/packages/aws-cdk-lib/aws-cloudfront-origins/lib/s3-bucket-origin.ts b/packages/aws-cdk-lib/aws-cloudfront-origins/lib/s3-bucket-origin.ts index 473a3e4c7e109..6740f4af283b0 100644 --- a/packages/aws-cdk-lib/aws-cloudfront-origins/lib/s3-bucket-origin.ts +++ b/packages/aws-cdk-lib/aws-cloudfront-origins/lib/s3-bucket-origin.ts @@ -20,7 +20,7 @@ const KEY_ACTIONS: Record = { /** * Properties for configuring a origin using a standard S3 bucket */ -export interface S3BucketOriginBaseProps extends cloudfront.OriginProps {} +export interface S3BucketOriginBaseProps extends cloudfront.OriginProps { } /** * Properties for configuring a S3 origin with OAC @@ -156,7 +156,7 @@ export abstract class S3BucketOrigin extends cloudfront.OriginBase { }, ); Annotations.of(key.node.scope!).addWarningV2('@aws-cdk/aws-cloudfront-origins:wildcardKeyPolicyForOac', - 'To avoid circular dependency between the KMS key, Bucket, and Distribution,' + + 'To avoid circular dependency between the KMS key, Bucket, and Distribution, ' + 'a wildcard is used to match all Distribution IDs in Key policy condition.\n' + 'To further scope down the policy for best security practices, see the "Using OAC for a SSE-KMS encrypted S3 origin" section in the module README.'); const result = key.addToResourcePolicy(oacKeyPolicyStatement); diff --git a/packages/aws-cdk-lib/aws-cloudfront-origins/test/s3-bucket-origin.test.ts b/packages/aws-cdk-lib/aws-cloudfront-origins/test/s3-bucket-origin.test.ts index 31c53a9755079..cb3215f6347cf 100644 --- a/packages/aws-cdk-lib/aws-cloudfront-origins/test/s3-bucket-origin.test.ts +++ b/packages/aws-cdk-lib/aws-cloudfront-origins/test/s3-bucket-origin.test.ts @@ -379,7 +379,7 @@ describe('S3BucketOrigin', () => { }, }); Annotations.fromStack(stack).hasWarning('/Default', - 'To avoid circular dependency between the KMS key, Bucket, and Distribution,' + + 'To avoid circular dependency between the KMS key, Bucket, and Distribution, ' + 'a wildcard is used to match all Distribution IDs in Key policy condition.\n' + 'To further scope down the policy for best security practices, see the "Using OAC for a SSE-KMS encrypted S3 origin" section in the module README. [ack: @aws-cdk/aws-cloudfront-origins:wildcardKeyPolicyForOac]'); }); @@ -699,7 +699,7 @@ describe('S3BucketOrigin', () => { it('should warn user bucket policy is not updated', () => { Annotations.fromStack(stack).hasWarning('/Default/MyDistributionA/Origin1', 'Cannot update bucket policy of an imported bucket. You will need to update the policy manually instead.\n' + - 'See the "Setting up OAC with imported S3 buckets" section of module\'s README for more info. [ack: @aws-cdk/aws-cloudfront-origins:updateImportedBucketPolicyOac]'); + 'See the "Setting up OAC with imported S3 buckets" section of module\'s README for more info. [ack: @aws-cdk/aws-cloudfront-origins:updateImportedBucketPolicyOac]'); }); it('should match expected template resources', () => { @@ -1151,7 +1151,7 @@ describe('S3BucketOrigin', () => { it('should warn user bucket policy is not updated', () => { Annotations.fromStack(distributionStack).hasWarning('/distributionStack/MyDistributionA/Origin1', 'Cannot update bucket policy of an imported bucket. You will need to update the policy manually instead.\n' + - 'See the "Setting up OAI with imported S3 buckets (legacy)" section of module\'s README for more info. [ack: @aws-cdk/aws-cloudfront-origins:updateImportedBucketPolicyOai]'); + 'See the "Setting up OAI with imported S3 buckets (legacy)" section of module\'s README for more info. [ack: @aws-cdk/aws-cloudfront-origins:updateImportedBucketPolicyOai]'); }); it('should create OAI in bucket stack and output it, then reference the output in the distribution stack', () => { diff --git a/packages/aws-cdk-lib/aws-cloudfront/README.md b/packages/aws-cdk-lib/aws-cloudfront/README.md index b828c89e288f8..c20c454f06af7 100644 --- a/packages/aws-cdk-lib/aws-cloudfront/README.md +++ b/packages/aws-cdk-lib/aws-cloudfront/README.md @@ -1,6 +1,5 @@ # Amazon CloudFront Construct Library - Amazon CloudFront is a web service that speeds up distribution of your static and dynamic web content, such as .html, .css, .js, and image files, to your users. CloudFront delivers your content through a worldwide network of data centers called edge locations. When a user requests content that you're serving with CloudFront, the user is routed to the edge location that provides the lowest latency, so that content is delivered with the best @@ -25,141 +24,19 @@ among other settings. #### From an S3 Bucket -An S3 bucket can be added as an origin. If the bucket is configured as a website endpoint, the distribution can use S3 redirects and S3 custom error -documents. - -```ts -// Creates a distribution from an S3 bucket. -const myBucket = new s3.Bucket(this, 'myBucket'); -new cloudfront.Distribution(this, 'myDist', { - defaultBehavior: { origin: new origins.S3Origin(myBucket) }, -}); -``` - -The above will treat the bucket differently based on if `IBucket.isWebsite` is set or not. If the bucket is configured as a website, the bucket is -treated as an HTTP origin, and the built-in S3 redirects and error pages can be used. Otherwise, the bucket is handled as a bucket origin and -CloudFront's redirect and error handling will be used. - -## Restricting access to an S3 origin - -CloudFront provides two ways to send authenticated requests to an Amazon S3 origin: -origin access control (OAC) and origin access identity (OAI). -OAI is considered legacy due to limited functionality and regional -limitations, whereas OAC is recommended because it supports All Amazon S3 -buckets in all AWS Regions, Amazon S3 server-side encryption with AWS KMS (SSE-KMS), and dynamic requests (PUT and DELETE) to Amazon S3. Additionally, -OAC provides stronger security posture with short term credentials, -and more frequent credential rotations as compared to OAI. -(see [Restricting access to an Amazon S3 Origin](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html)). -OAI and OAC can be used in conjunction with a bucket that is not public to -require that your users access your content using CloudFront URLs and not S3 URLs directly. - -> Note: OAC and OAI can only be used with an regular S3 bucket origin (not a bucket configured as a website endpoint). - -The `S3BucketOrigin` class supports creating a S3 origin with OAC, OAI, and no access control (using your bucket access settings) via -the `withOriginAccessControl()`, `withOriginAccessIdentity()`, and `withBucketDefaults()` methods respectively. - -To setup an S3 origin with OAC (recommended): +An S3 bucket can be added as an origin. An S3 bucket origin can either be configured as a standard bucket or as a website endpoint (see AWS docs for [Using an S3 Bucket](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/DownloadDistS3AndCustomOrigins.html#using-s3-as-origin)). ```ts +// Creates a distribution from an S3 bucket with origin access control const myBucket = new s3.Bucket(this, 'myBucket'); new cloudfront.Distribution(this, 'myDist', { defaultBehavior: { - origin: origins.S3BucketOrigin.withOriginAccessControl(myBucket) // Automatically creates an OAC + origin: origins.S3BucketOrigin.withOriginAccessControl(myBucket) // Automatically creates a S3OriginAccessControl construct }, }); ``` -You can also pass in a custom S3 origin access control: - -```ts -const myBucket = new s3.Bucket(this, 'myBucket'); -const oac = new cloudfront.S3OriginAccessControl(this, 'MyOAC', { signing: cloudfront.Signing.SIGV4_NO_OVERRIDE }); -const s3Origin = origins.S3BucketOrigin.withOriginAccessControl( - bucket, { originAccessControl: oac } -) -new cloudfront.Distribution(this, 'myDist', { - defaultBehavior: { - origin: s3Origin - }, -}); -``` - -Depending on the types of HTTP requests you need to send to the S3 origin, you can set the `originAccessLevels` property to specify the level of permissions (READ, WRITE, or DELETE) to grant CloudFront OAC. The default is read-only permissions. - -```ts -const myBucket = new s3.Bucket(this, 'myBucket'); -const oac = new cloudfront.S3OriginAccessControl(this, 'myS3OAC'); -const s3Origin = origins.S3BucketOrigin.withOriginAccessControl(myBucket, { - originAccessControl: oac, - originAccessLevels: [origins.AccessLevel.READ, origins.AccessLevel.WRITE, origins.AccessLevel.DELETE] -}); -new cloudfront.Distribution(this, 'myDist', { - defaultBehavior: { - origin: s3Origin - }, -}); -``` - -## Migrating from OAI to OAC - -If you are currently using OAI for your S3 origin and wish to migrate to OAC, -replace the `S3Origin` construct (now deprecated) with `S3BucketOrigin.withOriginAccessControl()` which automatically -creates and sets up a OAC for you. -The OAI will be deleted as part of the -stack update. The logical IDs of the resources managed by -the stack (i.e. distribution, bucket) will be unchanged. Run `cdk diff` before deploying to verify the -changes to your stack. - -Existing setup using OAI and `S3Origin`: - -```ts -const myBucket = new s3.Bucket(this, 'myBucket'); -new cloudfront.Distribution(this, 'myDist', { - defaultBehavior: { origin: new origins.S3Origin(myBucket) }, -}); -``` - -Updated setup using `S3BucketOrigin.withOriginAccessControl()`: - -```ts -const myBucket = new s3.Bucket(this, 'myBucket'); -new cloudfront.Distribution(this, 'myDist', { - defaultBehavior: { origin: origins.S3BucketOrigin.withOriginAccessControl(myBucket) }, -}); -``` - -For more information, see [Migrating from origin access identity (OAI) to origin access control (OAC)](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html#migrate-from-oai-to-oac). - -### Using pre-existing S3 buckets - -If you are using an imported bucket for your S3 Origin and want to use OAC, -you will need to update -the S3 bucket policy manually. CDK apps **cannot** modify the configuration of imported constructs. After deploying the distribution, add the following -policy statement to your -S3 bucket to allow CloudFront read-only access -(or additional permissions as required): - -```json -{ - "Statement": { - "Sid": "GrantOACAccessToS3", - "Effect": "Allow", - "Principal": { - "Service": "cloudfront.amazonaws.com" - }, - "Action": "s3:GetObject", - "Resource": "arn:aws:s3:::/*", - "Condition": { - "StringEquals": { - "AWS:SourceArn": "arn:aws:cloudfront:::distribution/" - } - } - } -} -``` - -> Note: If your bucket previously used OAI, you will need to manually remove the policy statement -that gives the OAI access to your bucket from your bucket policy. +See the README of the [`aws-cdk-lib/aws-cloudfront-origins`](https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-cloudfront-origins/README.md) module for more information on setting up S3 origins and origin access control (OAC). #### ELBv2 Load Balancer @@ -346,7 +223,7 @@ You can use a cache policy to improve your cache hit ratio by controlling the va that are included in the cache key, and/or adjusting how long items remain in the cache via the time-to-live (TTL) settings. CloudFront provides some predefined cache policies, known as managed policies, for common use cases. You can use these managed policies, or you can create your own cache policy that’s specific to your needs. -See https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-the-cache-key.html for more details. +See for more details. ```ts // Using an existing cache policy for a Distribution @@ -389,7 +266,7 @@ Other information from the viewer request, such as URL query strings, HTTP heade You can use an origin request policy to control the information that’s included in an origin request. CloudFront provides some predefined origin request policies, known as managed policies, for common use cases. You can use these managed policies, or you can create your own origin request policy that’s specific to your needs. -See https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-origin-requests.html for more details. +See for more details. ```ts // Using an existing origin request policy for a Distribution @@ -425,7 +302,7 @@ new cloudfront.Distribution(this, 'myDistCustomPolicy', { You can configure CloudFront to add one or more HTTP headers to the responses that it sends to viewers (web browsers or other clients), without making any changes to the origin or writing any code. To specify the headers that CloudFront adds to HTTP responses, you use a response headers policy. CloudFront adds the headers regardless of whether it serves the object from the cache or has to retrieve the object from the origin. If the origin response includes one or more of the headers that’s in a response headers policy, the policy can specify whether CloudFront uses the header it received from the origin or overwrites it with the one in the policy. -See https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/adding-response-headers.html +See ```ts // Using an existing managed response headers policy @@ -547,7 +424,7 @@ new cloudfront.Distribution(this, 'myDist', { > The `EdgeFunction` construct will automatically request a function in `us-east-1`, regardless of the region of the current stack. > `EdgeFunction` has the same interface as `Function` and can be created and used interchangeably. > Please note that using `EdgeFunction` requires that the `us-east-1` region has been bootstrapped. -> See https://docs.aws.amazon.com/cdk/latest/guide/bootstrapping.html for more about bootstrapping regions. +> See for more about bootstrapping regions. If the stack is in `us-east-1`, a "normal" `lambda.Function` can be used instead of an `EdgeFunction`. @@ -687,7 +564,7 @@ To create an empty Key Value Store: const store = new cloudfront.KeyValueStore(this, 'KeyValueStore'); ``` -To also include an initial set of values, the `source` property can be specified, either from a +To also include an initial set of values, the `source` property can be specified, either from a local file or an inline string. For the structure of this file, see [Creating a file of key value pairs](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/kvs-with-functions-create-s3-kvp.html). ```ts @@ -1306,5 +1183,5 @@ new cloudfront.KeyGroup(this, 'MyKeyGroup', { See: -* https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PrivateContent.html -* https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-trusted-signers.html +- +-