(aws-cloudfront-origins): S3Origin needs s3:ListBucket permission for CloudFront to return 404 #13983
Labels
@aws-cdk/aws-cloudfront
Related to Amazon CloudFront
@aws-cdk/aws-cloudfront-origins
Related to CloudFront Origins for the CDK CloudFront Library
effort/small
Small work item – less than a day of effort
feature-request
A feature should be added or improved.
p3
Comments
aaronlna
added
feature-request
github-actions
bot
added
@aws-cdk/aws-cloudfront-origins
|
@robertd - Correct! @aaronlna - See more details in the pull request description for #13087. Having the OAI granted There is a work-around, which is to explicitly create the OAI and grant access yourself: // Before
const bucket = new s3.Bucket(this, 'Bucket');
const s3Origin = new origins.S3Origin(this, 'S3Origin', { bucket });
// After
const bucket = new s3.Bucket(this, 'Bucket');
const originAccessIdentity = new cloudfront.OriginAccessIdentity(this, 'OAI');
bucket.grantRead(originAccessIdentity);
const s3Origin = new origins.S3Origin(this, 'S3Origin', { bucket, originAccessIdentity });The other work-around is to redirect the 403s to 404s. const dist = new cloudfront.Distribution(this, 'Dist', {
...
errorResponses: [{
httpStatus: 403,
responseHttpStatus: 404,
responsePagePath: '404.html', // Optional, if you want to redirect to a specific 404 page in the bucket.
}],Finally, we can consider adding in an option to grant the List permissions back in, with sufficient documentation and warning about potentially exposing the bucket contents if a default root object is not set. |
njlynch
added
effort/small
|
Why not grant the permissions by default if a root object is set? The current default is pretty unexpected. A lot of people are trying to troubleshoot permissions issues when really they should be seeing 404s. At the very least there should be a convenience method or property added to enable the behavior probably most people expect and want. |
2 tasks
|
I just stumbled over the same issue when we activated WAF in our cloudfront distribution, as we couldn't distinguish between 403 responses from malicious blocked calls and 403 from legitimate users (which should have been a 404 to redirect users in a SPA). I've opened #26830 (with some more details) but found this existing issue afterwards. It would be great if you could configure this. |
1 task
1 task
|
Comments on closed issues and PRs are hard for our team to see. |
1 similar comment
|
Comments on closed issues and PRs are hard for our team to see. |
moelasmar
pushed a commit
that referenced
this issue
Jan 24, 2025
### Issue # (if applicable) Closes #13983. Closes #31689. ### Reason for this change When we want to receive HTTP 404 response where the requested object does not exist, s3:ListBucket permission is needed in the S3 bucket policy. Unlike `errorResponses` to convert 403 response to 404, This is useful to distinguish between responses blocked by WAF (403) and responses where the file does not exist (404). ### Description of changes Added a new `AccessLevel.LIST` to allow s3:ListBucket. ### Description of how you validated changes Unit test and integration test. The integ test also tests the response is 404. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* (cherry picked from commit 2b2443d)
moelasmar
pushed a commit
that referenced
this issue
Jan 24, 2025
### Issue # (if applicable) Closes #13983. Closes #31689. ### Reason for this change When we want to receive HTTP 404 response where the requested object does not exist, s3:ListBucket permission is needed in the S3 bucket policy. Unlike `errorResponses` to convert 403 response to 404, This is useful to distinguish between responses blocked by WAF (403) and responses where the file does not exist (404). ### Description of changes Added a new `AccessLevel.LIST` to allow s3:ListBucket. ### Description of how you validated changes Unit test and integration test. The integ test also tests the response is 404. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* (cherry picked from commit 2b2443d)
moelasmar
pushed a commit
that referenced
this issue
Jan 24, 2025
### Issue # (if applicable) Closes #13983. Closes #31689. ### Reason for this change When we want to receive HTTP 404 response where the requested object does not exist, s3:ListBucket permission is needed in the S3 bucket policy. Unlike `errorResponses` to convert 403 response to 404, This is useful to distinguish between responses blocked by WAF (403) and responses where the file does not exist (404). ### Description of changes Added a new `AccessLevel.LIST` to allow s3:ListBucket. ### Description of how you validated changes Unit test and integration test. The integ test also tests the response is 404. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* (cherry picked from commit 2b2443d)
moelasmar
pushed a commit
that referenced
this issue
Jan 24, 2025
### Issue # (if applicable) Closes #13983. Closes #31689. ### Reason for this change When we want to receive HTTP 404 response where the requested object does not exist, s3:ListBucket permission is needed in the S3 bucket policy. Unlike `errorResponses` to convert 403 response to 404, This is useful to distinguish between responses blocked by WAF (403) and responses where the file does not exist (404). ### Description of changes Added a new `AccessLevel.LIST` to allow s3:ListBucket. ### Description of how you validated changes Unit test and integration test. The integ test also tests the response is 404. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* (cherry picked from commit 2b2443d)
moelasmar
pushed a commit
that referenced
this issue
Jan 24, 2025
### Issue # (if applicable) Closes #13983. Closes #31689. ### Reason for this change When we want to receive HTTP 404 response where the requested object does not exist, s3:ListBucket permission is needed in the S3 bucket policy. Unlike `errorResponses` to convert 403 response to 404, This is useful to distinguish between responses blocked by WAF (403) and responses where the file does not exist (404). ### Description of changes Added a new `AccessLevel.LIST` to allow s3:ListBucket. ### Description of how you validated changes Unit test and integration test. The integ test also tests the response is 404. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* (cherry picked from commit 2b2443d)
moelasmar
pushed a commit
that referenced
this issue
Jan 24, 2025
### Issue # (if applicable) Closes #13983. Closes #31689. ### Reason for this change When we want to receive HTTP 404 response where the requested object does not exist, s3:ListBucket permission is needed in the S3 bucket policy. Unlike `errorResponses` to convert 403 response to 404, This is useful to distinguish between responses blocked by WAF (403) and responses where the file does not exist (404). ### Description of changes Added a new `AccessLevel.LIST` to allow s3:ListBucket. ### Description of how you validated changes Unit test and integration test. The integ test also tests the response is 404. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* (cherry picked from commit 2b2443d)
moelasmar
pushed a commit
that referenced
this issue
Jan 24, 2025
### Issue # (if applicable) Closes #13983. Closes #31689. ### Reason for this change When we want to receive HTTP 404 response where the requested object does not exist, s3:ListBucket permission is needed in the S3 bucket policy. Unlike `errorResponses` to convert 403 response to 404, This is useful to distinguish between responses blocked by WAF (403) and responses where the file does not exist (404). ### Description of changes Added a new `AccessLevel.LIST` to allow s3:ListBucket. ### Description of how you validated changes Unit test and integration test. The integ test also tests the response is 404. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* (cherry picked from commit 2b2443d)
moelasmar
pushed a commit
that referenced
this issue
Jan 24, 2025
### Issue # (if applicable) Closes #13983. Closes #31689. ### Reason for this change When we want to receive HTTP 404 response where the requested object does not exist, s3:ListBucket permission is needed in the S3 bucket policy. Unlike `errorResponses` to convert 403 response to 404, This is useful to distinguish between responses blocked by WAF (403) and responses where the file does not exist (404). ### Description of changes Added a new `AccessLevel.LIST` to allow s3:ListBucket. ### Description of how you validated changes Unit test and integration test. The integ test also tests the response is 404. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* (cherry picked from commit 2b2443d)
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Reading thru the
S3Originconstruct it appears the only permission granted to the associated CloudFront distribution iss3:GetObject. However, withouts3:ListBucket, CloudFront has no way of returning a 404 response to callers and instead returns HTTP 403 Forbidden.Use Case
It would be nice for S3Origin construct to provide all the necessary permissions for an associated CloudFront distribution to respond via HTTP. After using this construct its unintuitive to have my CloudFront distribution responding to callers with 403 for resources that are otherwise missing per HTTP spec.
Proposed Solution
Add
s3:ListBucketin addition to the currents3:GetObjectfor the resource policy of the S3 bucket for given CloudFront distribution.The text was updated successfully, but these errors were encountered: