From 69ac08bf41444cdcd8e10fe16c4aa82ec47befba Mon Sep 17 00:00:00 2001
From: Eddie Goynes
Date: Thu, 13 Apr 2023 12:18:12 -0700
Subject: [PATCH 1/7] Trying the add to CDK json serverAccessLogsUseBucketPolicy to see if that fixes S3 ownership creation

---
 source/constructs/cdk.json | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/source/constructs/cdk.json b/source/constructs/cdk.json
index b161940..f05e645 100644
--- a/source/constructs/cdk.json
+++ b/source/constructs/cdk.json
@@ -2,6 +2,7 @@
 "app": "npx ts-node bin/live-streaming.ts",
 "context": {
 "aws-cdk:enableDiffNoFail": "true",
- "@aws-cdk/core:stackRelativeExports": "true"
+ "@aws-cdk/core:stackRelativeExports": "true",
+ "@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": true
 }
-}
+}
\ No newline at end of file

From 6cff9e57c182b4ddcd62276c4a595bcc68b1164c Mon Sep 17 00:00:00 2001
From: Eddie Goynes
Date: Thu, 13 Apr 2023 14:13:28 -0700
Subject: [PATCH 2/7] Removing logging bucket that is causing solution to fail deployment in Ohio region. Seeing the error Bucket cannot have ACLs set with ObjectOwnership's BucketOwnerEnforced setting

---
 source/constructs/lib/live-streaming.ts | 51 -------------------------
 1 file changed, 51 deletions(-)

diff --git a/source/constructs/lib/live-streaming.ts b/source/constructs/lib/live-streaming.ts
index 9a5859e..fc39c79 100644
--- a/source/constructs/lib/live-streaming.ts
+++ b/source/constructs/lib/live-streaming.ts
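Review bot: The hunk drops the file's trailing newline (`\ No newline at end of file`) and writes the new flag as a bare boolean `true` while the two neighbouring flags in the same object are the string `"true"`; restore the final newline and keep one form for all three entries so the file stays consistent. It is also worth recording somewhere readers of the series can find it — cdk.json cannot hold comments, so the commit description or README — that `@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy` only changes how S3 server-access-log delivery is granted (bucket policy instead of an ACL); CloudFront standard logging still needs ACLs enabled on its destination bucket, which is presumably why the later patches in this series end up keeping an `OBJECT_WRITER` ownership setting on the CloudFront logs bucket.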
@@ -576,50 +576,6 @@ export class LiveStreaming extends cdk.Stack {
 mediaPackageCmafEndpoint.node.addDependency(mediaPackagePolicy);
- /**
- * S3: Logs bucket for CloudFront
- */
- const logsBucket = new s3.Bucket(this, 'LogsBucket', {
- enforceSSL: true,
- versioned: true,
- removalPolicy: cdk.RemovalPolicy.RETAIN,
- accessControl: s3.BucketAccessControl.LOG_DELIVERY_WRITE,
- encryption: s3.BucketEncryption.S3_MANAGED,
- blockPublicAccess: {
- blockPublicAcls: true,
- blockPublicPolicy: true,
- ignorePublicAcls: true,
- restrictPublicBuckets: true
- }
- });
- /** get the cfn resource and attach cfn_nag rule */
- (logsBucket.node.defaultChild as cdk.CfnResource).cfnOptions.metadata = {
- cfn_nag: {
- rules_to_suppress: [
- {
- id: 'W35',
- reason: 'Used to store access logs for other buckets'
- }, {
- id: 'W51',
- reason: 'Bucket is private and does not need a bucket policy'
- }
- ]
- }
- };
- //cdk_nag
- NagSuppressions.addResourceSuppressions(
- logsBucket,
- [
- {
- id: 'AwsSolutions-S1', //same as cfn_nag rule W35
- reason: 'Used to store access logs for other buckets'
- }, {
- id: 'AwsSolutions-S10',
- reason: 'Bucket is private and is not using HTTP'
- }
- ]
- );
-
 /**
 * CloudFront Distribution
 */
@@ -697,7 +653,6 @@ export class LiveStreaming extends cdk.Stack {
 cachedMethods: cloudfront.CachedMethods.CACHE_GET_HEAD_OPTIONS
 },
 enabled: true,
- logBucket: logsBucket,
 logFilePrefix: 'cloudfront-logs/',
 errorResponses: [
 errorResponse400,
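Review bot: Removing `logBucket: logsBucket` from the distribution props leaves `logFilePrefix: 'cloudfront-logs/'` behind with no bucket to apply it to; without `logBucket` or `enableLogging` CDK renders no `Logging` block at all (the snapshot hunk in patch 3 of this series shows the block disappearing), so the prefix line is now dead configuration and should be removed with it, or the pair restored together as patch 5 later does. The effect of this hunk is that the distribution ships with CloudFront access logging disabled, which is the stack's only request-level audit trail for viewer traffic; if the removal is meant as a temporary workaround for the ACL deployment error, the commit message should say so and name the follow-up. The constructor containing both hunks starts and ends outside them.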
@@ -1011,12 +966,6 @@ export class LiveStreaming extends cdk.Stack {
 exportName: `${cdk.Aws.STACK_NAME}-DemoBucket`
 });
- new cdk.CfnOutput(this, 'LogsBucketConsole', { // NOSONAR
- description: 'Logs bucket',
- value: `https://${cdk.Aws.REGION}.console.aws.amazon.com/s3/buckets/${logsBucket.bucketName}?region=${cdk.Aws.REGION}`,
- exportName: `${cdk.Aws.STACK_NAME}-LogsBucket`
- });
-
 new cdk.CfnOutput(this, 'AppRegistryConsole', { // NOSONAR
 description: 'AppRegistry',
 value: `https://${cdk.Aws.REGION}.console.aws.amazon.com/servicecatalog/home?#applications/${appRegistry.applicationId}`,

From e124946529c80d5b35cc165588c44b8c4cd82e7c Mon Sep 17 00:00:00 2001
From: Eddie Goynes
Date: Thu, 13 Apr 2023 14:32:38 -0700
Subject: [PATCH 3/7] Making CFN nag change for patch release to get solution deploying

---
 source/constructs/lib/live-streaming.ts | 3 +
 .../__snapshots__/live-streaming.test.ts.snap | 154 ++----------------
 2 files changed, 16 insertions(+), 141 deletions(-)

diff --git a/source/constructs/lib/live-streaming.ts b/source/constructs/lib/live-streaming.ts
index fc39c79..1bc131b 100644
--- a/source/constructs/lib/live-streaming.ts
+++ b/source/constructs/lib/live-streaming.ts
@@ -690,6 +690,9 @@ export class LiveStreaming extends cdk.Stack {
 id: 'AwsSolutions-CFR2',
 reason: 'Use case does not warrant CloudFront integration with AWS WAF'
 }, {
+ id: 'AwsSolutions-CFR3', //same as cfn_nag rule W70
+ reason: 'S3 update causing deploy fail when bucket makes any sort of ACL. With this error cannot have ACLs set with ObjectOwnerships BucketOwnerEnforced setting'
+ },{
 id: 'AwsSolutions-CFR4', //same as cfn_nag rule W70
 reason: 'CloudFront automatically sets the security policy to TLSv1 when the distribution uses the CloudFront domain name'
 }, {
diff --git a/source/constructs/test/__snapshots__/live-streaming.test.ts.snap b/source/constructs/test/__snapshots__/live-streaming.test.ts.snap
index 38cf2d1..4368af9 100644
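Review bot: The reason attached to the new `AwsSolutions-CFR3` suppression describes an S3 deployment error, not why the distribution may run without access logging, which is the finding CFR3 reports; nag reasons are the audit record of an accepted risk and should say what is accepted and until when, e.g. `reason: 'Access logging temporarily disabled: the log bucket cannot be created with ACLs under BucketOwnerEnforced ownership; restore with the logging bucket'`. The trailing `//same as cfn_nag rule W70` comment was copied from the CFR4 entry beneath it and does not apply to CFR3, so drop it, and `},{` should match the `}, {` spacing of the surrounding entries. The suppression is removed again in patch 5 of this series; the `NagSuppressions` call it belongs to starts and ends outside the hunk.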
--- a/source/constructs/test/__snapshots__/live-streaming.test.ts.snap +++ b/source/constructs/test/__snapshots__/live-streaming.test.ts.snap @@ -4,8 +4,8 @@ exports[`LiveStreaming Stack Test 1`] = ` Object { Description: (SO0013) Live Streaming on AWS Solution %%VERSION%%, Mappings: Object { - AnonymousData: Object { - SendAnonymousData: Object { + AnonymizedData: Object { + SendAnonymizedData: Object { Data: Yes, }, }, @@ -335,41 +335,6 @@ Object { ], }, }, - LogsBucketConsole: Object { - Description: Logs bucket, - Export: Object { - Name: Object { - Fn::Join: Array [ - , - Array [ - Object { - Ref: AWS::StackName, - }, - -LogsBucket, - ], - ], - }, - }, - Value: Object { - Fn::Join: Array [ - , - Array [ - https://, - Object { - Ref: AWS::Region, - }, - .console.aws.amazon.com/s3/buckets/, - Object { - Ref: LogsBucket9C4D8843, - }, - ?region=, - Object { - Ref: AWS::Region, - }, - ], - ], - }, - }, MediaLiveChannelConsole: Object { Description: MediaLive Channel, Export: Object { @@ -652,8 +617,8 @@ Object { Resource: AnonymousMetric, SendAnonymousMetric: Object { Fn::FindInMap: Array [ - AnonymousData, - SendAnonymousData, + AnonymizedData, + SendAnonymizedData, Data, ], }, @@ -677,7 +642,7 @@ Object { }, AppRegistryApp5349BE86: Object { DependsOn: Array [ - AppRegistryAttributeGroup7AF07446, + AppRegistryAttributeIdDF43F316, ], Properties: Object { Description: Service Catalog application to track and manage all your resources. The SolutionId is SO0013 and SolutionVersion is %%VERSION%%., @@ -704,9 +669,9 @@ Object { }, Type: AWS::ServiceCatalogAppRegistry::Application, }, - AppRegistryAppAttributeGroupAssociation73c027e3f10e9676CFD5: Object { + AppRegistryAppAttributeGroupAssociatione6a1c2e3176a77F7002D: Object { DependsOn: Array [ - AppRegistryAttributeGroup7AF07446, + AppRegistryAttributeIdDF43F316, ], Properties: Object { Application: Object { 
@@ -717,7 +682,7 @@ Object { }, AttributeGroup: Object { Fn::GetAtt: Array [ - AppRegistryAttributeGroup7AF07446, + AppRegistryAttributeIdDF43F316, Id, ], }, @@ -726,7 +691,7 @@ Object { }, AppRegistryAppResourceAssociationbb30b2b6ffac2CF098B8: Object { DependsOn: Array [ - AppRegistryAttributeGroup7AF07446, + AppRegistryAttributeIdDF43F316, ], Properties: Object { Application: Object { @@ -742,7 +707,7 @@ Object { }, Type: AWS::ServiceCatalogAppRegistry::ResourceAssociation, }, - AppRegistryAttributeGroup7AF07446: Object { + AppRegistryAttributeIdDF43F316: Object { Properties: Object { Attributes: Object { ApplicationType: AWS-Solutions, @@ -755,6 +720,7 @@ Object { Fn::Join: Array [ , Array [ + A30-, Object { Ref: AWS::Region, }, @@ -771,36 +737,6 @@ Object { }, Type: AWS::ServiceCatalogAppRegistry::AttributeGroup, }, - ApplicationInsightsApp: Object { - DependsOn: Array [ - AppRegistryAppAttributeGroupAssociation73c027e3f10e9676CFD5, - AppRegistryApp5349BE86, - AppRegistryAppResourceAssociationbb30b2b6ffac2CF098B8, - ], - Properties: Object { - AutoConfigurationEnabled: true, - CWEMonitorEnabled: true, - OpsCenterEnabled: true, - ResourceGroupName: Object { - Fn::Join: Array [ - , - Array [ - AWS_AppRegistry_Application-live-streaming-on-aws-, - Object { - Ref: AWS::StackName, - }, - ], - ], - }, - Tags: Array [ - Object { - Key: SolutionId, - Value: SO0013, - }, - ], - }, - Type: AWS::ApplicationInsights::Application, - }, CachePolicy26D8A535: Object { Properties: Object { CachePolicyConfig: Object { @@ -1006,15 +942,6 @@ Object { Enabled: true, HttpVersion: http2, IPV6Enabled: true, - Logging: Object { - Bucket: Object { - Fn::GetAtt: Array [ - LogsBucket9C4D8843, - RegionalDomainName, - ], - }, - Prefix: cloudfront-logs/, - }, Origins: Array [ Object { CustomOriginConfig: Object { 
@@ -1511,9 +1438,9 @@ Object { S3Bucket: Object { Fn::Sub: cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}, }, - S3Key: 73d45459ae7abbe57b24ae45648c26887c578dbcc2c8001b8932715b29560f21.zip, + S3Key: 700e39bdce00113c2e39b58cb30fec1590a50aa9faf6201ab10f1f7444451b8d.zip, }, - Description: Used to deploy custom resources and send AnonymousData, + Description: Used to deploy custom resources and send AnonymizedData, Environment: Object { Variables: Object { SOLUTION_IDENTIFIER: AwsSolution/SO0013/%%VERSION%%, @@ -1932,61 +1859,6 @@ Object { }, Type: AWS::IAM::Policy, }, - LogsBucket9C4D8843: Object { - DeletionPolicy: Retain, - Metadata: Object { - cdk_nag: Object { - rules_to_suppress: Array [ - Object { - id: AwsSolutions-S1, - reason: Used to store access logs for other buckets, - }, - Object { - id: AwsSolutions-S10, - reason: Bucket is private and is not using HTTP, - }, - ], - }, - cfn_nag: Object { - rules_to_suppress: Array [ - Object { - id: W35, - reason: Used to store access logs for other buckets, - }, - Object { - id: W51, - reason: Bucket is private and does not need a bucket policy, - }, - ], - }, - }, - Properties: Object { - AccessControl: LogDeliveryWrite, - BucketEncryption: Object { - ServerSideEncryptionConfiguration: Array [ - Object { - ServerSideEncryptionByDefault: Object { - SSEAlgorithm: AES256, - }, - }, - ], - }, - PublicAccessBlockConfiguration: Object { - BlockPublicAcls: true, - BlockPublicPolicy: true, - IgnorePublicAcls: true, - RestrictPublicBuckets: true, - }, - Tags: Array [ - Object { - Key: SolutionId, - Value: SO0013, - }, - ], - }, - Type: AWS::S3::Bucket, - UpdateReplacePolicy: Retain, - }, MediaLiveChannel: Object { DeletionPolicy: Delete, Properties: Object { From c61714ddf67e318a6f87e1335a99200798260699 Mon Sep 17 00:00:00 2001 
From: Eddie Goynes
Date: Thu, 13 Apr 2023 16:31:37 -0700
Subject: [PATCH 4/7] adding new ObjectOwnership rule needed for Amazon S3

---
 source/constructs/lib/live-streaming.ts | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/source/constructs/lib/live-streaming.ts b/source/constructs/lib/live-streaming.ts
index 1bc131b..175e17d 100644
--- a/source/constructs/lib/live-streaming.ts
+++ b/source/constructs/lib/live-streaming.ts
@@ -690,9 +690,9 @@ export class LiveStreaming extends cdk.Stack {
 id: 'AwsSolutions-CFR2',
 reason: 'Use case does not warrant CloudFront integration with AWS WAF'
 }, {
- id: 'AwsSolutions-CFR3', //same as cfn_nag rule W70
- reason: 'S3 update causing deploy fail when bucket makes any sort of ACL. With this error cannot have ACLs set with ObjectOwnerships BucketOwnerEnforced setting'
- },{
+ id: 'AwsSolutions-CFR3',
+ reason: 'S3 changing ownership have to remove since it is causing solution not to deploy'
+ }, {
 id: 'AwsSolutions-CFR4', //same as cfn_nag rule W70
 reason: 'CloudFront automatically sets the security policy to TLSv1 when the distribution uses the CloudFront domain name'
 }, {
@@ -737,13 +737,16 @@ export class LiveStreaming extends cdk.Stack {
 ]
 },
 bucketProps: {
- versioned: false
+ versioned: false,
+ objectOwnership: s3.ObjectOwnership.OBJECT_WRITER
 },
 loggingBucketProps: {
- versioned: false
+ versioned: false,
+ objectOwnership: s3.ObjectOwnership.OBJECT_WRITER
 },
 cloudFrontLoggingBucketProps: {
- versioned: false
+ versioned: false,
+ objectOwnership: s3.ObjectOwnership.OBJECT_WRITER
 },
 insertHttpSecurityHeaders: false
 });

From 7a66ec8578bdcf7af3da3bc1b734ec7d4480db9b Mon Sep 17 00:00:00 2001
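Review bot: `objectOwnership: s3.ObjectOwnership.OBJECT_WRITER` is added to all three bucket prop sets, but only the two log-destination buckets (`loggingBucketProps`, `cloudFrontLoggingBucketProps`) need ACL-based ownership for log delivery; the content bucket in `bucketProps` receives no logs, so re-enabling ACLs there is an unnecessary departure from the BucketOwnerEnforced default and the line should be dropped from that one block. The rewritten CFR3 reason, `'S3 changing ownership have to remove since it is causing solution not to deploy'`, still records a symptom rather than the accepted risk (logging disabled) and should be reworded to say what is suppressed and why that is acceptable. Both changes are reverted in patch 5 of this series, which bumps the construct version instead; the `CloudFrontToS3` call these props belong to starts outside the hunk.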
From: Eddie Goynes
Date: Sun, 16 Apr 2023 23:46:23 -0700
Subject: [PATCH 5/7] Used the newest CloudFront to S3 construct to fix the bucket ACL that causes launch error in Ohio region.

---
 source/constructs/lib/live-streaming.ts | 63 +++++++++++++++++++++----
 source/constructs/package.json | 4 +-
 2 files changed, 56 insertions(+), 11 deletions(-)

diff --git a/source/constructs/lib/live-streaming.ts b/source/constructs/lib/live-streaming.ts
index 175e17d..2d60de1 100644
--- a/source/constructs/lib/live-streaming.ts
+++ b/source/constructs/lib/live-streaming.ts
@@ -576,6 +576,50 @@ export class LiveStreaming extends cdk.Stack {
 mediaPackageCmafEndpoint.node.addDependency(mediaPackagePolicy);
+ /**
+ * S3: Logs bucket for CloudFront
+ */
+ const logsBucket = new s3.Bucket(this, 'LogsBucket', {
+ enforceSSL: true,
+ versioned: true,
+ removalPolicy: cdk.RemovalPolicy.RETAIN,
+ encryption: s3.BucketEncryption.S3_MANAGED,
+ objectOwnership: s3.ObjectOwnership.OBJECT_WRITER,
+ blockPublicAccess: {
+ blockPublicAcls: true,
+ blockPublicPolicy: true,
+ ignorePublicAcls: true,
+ restrictPublicBuckets: true
+ }
+ });
+ /** get the cfn resource and attach cfn_nag rule */
+ (logsBucket.node.defaultChild as cdk.CfnResource).cfnOptions.metadata = {
+ cfn_nag: {
+ rules_to_suppress: [
+ {
+ id: 'W35',
+ reason: 'Used to store access logs for other buckets'
+ }, {
+ id: 'W51',
+ reason: 'Bucket is private and does not need a bucket policy'
+ }
+ ]
+ }
+ };
+ //cdk_nag
+ NagSuppressions.addResourceSuppressions(
+ logsBucket,
+ [
+ {
+ id: 'AwsSolutions-S1', //same as cfn_nag rule W35
+ reason: 'Used to store access logs for other buckets'
+ }, {
+ id: 'AwsSolutions-S10',
+ reason: 'Bucket is private and is not using HTTP'
+ }
+ ]
+ );
+
 /**
 * CloudFront Distribution
 */
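Review bot: The suppressions re-added with `logsBucket` carry reasons the bucket's own props contradict: `enforceSSL: true` makes CDK emit a bucket policy (the Deny on `aws:SecureTransport` false that the patch 6 snapshot shows as `LogsBucketPolicy`), so the W51 reason `'Bucket is private and does not need a bucket policy'` is false and the rule likely no longer fires, and that same policy is what `AwsSolutions-S10` checks for, so the S10 entry with `'Bucket is private and is not using HTTP'` is an unnecessary suppression that should be deleted rather than justified. Separately, `versioned: true` together with `removalPolicy: cdk.RemovalPolicy.RETAIN` and no `lifecycleRules` means CloudFront log objects and their versions accumulate indefinitely; add an expiration rule or at least a comment stating the intended retention, e.g. `// logs are retained indefinitely; add lifecycleRules if a retention period is required`. The constructor containing this block starts and ends outside the hunk.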
@@ -653,6 +697,7 @@ export class LiveStreaming extends cdk.Stack {
 cachedMethods: cloudfront.CachedMethods.CACHE_GET_HEAD_OPTIONS
 },
 enabled: true,
+ logBucket: logsBucket,
 logFilePrefix: 'cloudfront-logs/',
 errorResponses: [
 errorResponse400,
@@ -689,9 +734,6 @@ export class LiveStreaming extends cdk.Stack {
 }, {
 id: 'AwsSolutions-CFR2',
 reason: 'Use case does not warrant CloudFront integration with AWS WAF'
- }, {
- id: 'AwsSolutions-CFR3',
- reason: 'S3 changing ownership have to remove since it is causing solution not to deploy'
 }, {
 id: 'AwsSolutions-CFR4', //same as cfn_nag rule W70
 reason: 'CloudFront automatically sets the security policy to TLSv1 when the distribution uses the CloudFront domain name'
@@ -737,16 +779,13 @@ export class LiveStreaming extends cdk.Stack {
 ]
 },
 bucketProps: {
- versioned: false,
- objectOwnership: s3.ObjectOwnership.OBJECT_WRITER
+ versioned: false
 },
 loggingBucketProps: {
- versioned: false,
- objectOwnership: s3.ObjectOwnership.OBJECT_WRITER
+ versioned: false
 },
 cloudFrontLoggingBucketProps: {
- versioned: false,
- objectOwnership: s3.ObjectOwnership.OBJECT_WRITER
+ versioned: false
 },
 insertHttpSecurityHeaders: false
 });
@@ -972,6 +1011,12 @@ export class LiveStreaming extends cdk.Stack {
 exportName: `${cdk.Aws.STACK_NAME}-DemoBucket`
 });
+ new cdk.CfnOutput(this, 'LogsBucketConsole', { // NOSONAR
+ description: 'Logs bucket',
+ value: `https://${cdk.Aws.REGION}.console.aws.amazon.com/s3/buckets/${logsBucket.bucketName}?region=${cdk.Aws.REGION}`,
+ exportName: `${cdk.Aws.STACK_NAME}-LogsBucket`
+ });
+
 new cdk.CfnOutput(this, 'AppRegistryConsole', { // NOSONAR
 description: 'AppRegistry',
 value: `https://${cdk.Aws.REGION}.console.aws.amazon.com/servicecatalog/home?#applications/${appRegistry.applicationId}`,
diff --git a/source/constructs/package.json b/source/constructs/package.json
index d1b4826..dfdb666 100644
--- a/source/constructs/package.json
+++ b/source/constructs/package.json
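Review bot: Reverting `objectOwnership` from the three `CloudFrontToS3` bucket prop blocks only stays deployable together with the `@aws-solutions-constructs/aws-cloudfront-s3` bump to `2.38.0` in the same patch — the patch 6 snapshot shows an `OwnershipControls`/`ObjectWriter` rule and a `logging.s3.amazonaws.com` bucket-policy grant appearing with no corresponding code here, presumably emitted by the newer construct. Nothing in the source records that coupling, so a future dependency downgrade would reintroduce the Ohio deployment failure silently; I'd add a comment above `bucketProps`, e.g. `// Object ownership and log-delivery grants for these buckets come from aws-cloudfront-s3 >= 2.38.0; do not pin lower.`. The `CloudFrontToS3` call and the enclosing constructor start and end outside the hunks.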
@@ -31,8 +31,8 @@ }, "dependencies": { "@aws-cdk/aws-servicecatalogappregistry-alpha": "2.35.0-alpha.0", - "@aws-solutions-constructs/aws-cloudfront-s3": "2.35.0", - "aws-cdk-lib": "2.68.0", + "@aws-solutions-constructs/aws-cloudfront-s3": "2.38.0", + "aws-cdk-lib": "2.74.0", "cdk-nag": "^2.21.52", "constructs": "10.1.283", "source-map-support": "0.5.19" From 2771f3404546d3cb9f88aa90783c7c285bf186fd Mon Sep 17 00:00:00 2001 From: Eddie Goynes Date: Sun, 16 Apr 2023 23:49:35 -0700 Subject: [PATCH 6/7] Update unit test snapshot --- .../__snapshots__/live-streaming.test.ts.snap | 201 +++++++++++++++++- 1 file changed, 199 insertions(+), 2 deletions(-) diff --git a/source/constructs/test/__snapshots__/live-streaming.test.ts.snap b/source/constructs/test/__snapshots__/live-streaming.test.ts.snap index 4368af9..62f0221 100644 --- a/source/constructs/test/__snapshots__/live-streaming.test.ts.snap +++ b/source/constructs/test/__snapshots__/live-streaming.test.ts.snap @@ -335,6 +335,41 @@ Object { ], }, }, + LogsBucketConsole: Object { + Description: Logs bucket, + Export: Object { + Name: Object { + Fn::Join: Array [ + , + Array [ + Object { + Ref: AWS::StackName, + }, + -LogsBucket, + ], + ], + }, + }, + Value: Object { + Fn::Join: Array [ + , + Array [ + https://, + Object { + Ref: AWS::Region, + }, + .console.aws.amazon.com/s3/buckets/, + Object { + Ref: LogsBucket9C4D8843, + }, + ?region=, + Object { + Ref: AWS::Region, + }, + ], + ], + }, + }, MediaLiveChannelConsole: Object { Description: MediaLive Channel, Export: Object { @@ -942,6 +977,15 @@ Object { Enabled: true, HttpVersion: http2, IPV6Enabled: true, + Logging: Object { + Bucket: Object { + Fn::GetAtt: Array [ + LogsBucket9C4D8843, + RegionalDomainName, + ], + }, + Prefix: cloudfront-logs/, + }, Origins: Array [ Object { CustomOriginConfig: Object { 
@@ -1137,6 +1181,13 @@ Object { }, ], }, + OwnershipControls: Object { + Rules: Array [ + Object { + ObjectOwnership: ObjectWriter, + }, + ], + }, PublicAccessBlockConfiguration: Object { BlockPublicAcls: true, BlockPublicPolicy: true, @@ -1337,7 +1388,6 @@ Object { }, }, Properties: Object { - AccessControl: LogDeliveryWrite, BucketEncryption: Object { ServerSideEncryptionConfiguration: Array [ Object { @@ -1404,6 +1454,42 @@ Object { }, ], }, + Object { + Action: s3:PutObject, + Condition: Object { + ArnLike: Object { + aws:SourceArn: Object { + Fn::GetAtt: Array [ + CloudFrontToS3S3Bucket9CE6AB04, + Arn, + ], + }, + }, + StringEquals: Object { + aws:SourceAccount: Object { + Ref: AWS::AccountId, + }, + }, + }, + Effect: Allow, + Principal: Object { + Service: logging.s3.amazonaws.com, + }, + Resource: Object { + Fn::Join: Array [ + , + Array [ + Object { + Fn::GetAtt: Array [ + CloudFrontToS3S3LoggingBucketEF5CD8B2, + Arn, + ], + }, + /*, + ], + ], + }, + }, ], Version: 2012-10-17, }, @@ -1438,7 +1524,7 @@ Object { S3Bucket: Object { Fn::Sub: cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}, }, - S3Key: 700e39bdce00113c2e39b58cb30fec1590a50aa9faf6201ab10f1f7444451b8d.zip, + S3Key: 09e61b0d6b987f1e34c37dca7fac2021462b7b3bd89ecf3fcdc0eccdae4d6b4a.zip, }, Description: Used to deploy custom resources and send AnonymizedData, Environment: Object { 
@@ -1859,6 +1945,117 @@ Object { }, Type: AWS::IAM::Policy, }, + LogsBucket9C4D8843: Object { + DeletionPolicy: Retain, + Metadata: Object { + cdk_nag: Object { + rules_to_suppress: Array [ + Object { + id: AwsSolutions-S1, + reason: Used to store access logs for other buckets, + }, + Object { + id: AwsSolutions-S10, + reason: Bucket is private and is not using HTTP, + }, + ], + }, + cfn_nag: Object { + rules_to_suppress: Array [ + Object { + id: W35, + reason: Used to store access logs for other buckets, + }, + Object { + id: W51, + reason: Bucket is private and does not need a bucket policy, + }, + ], + }, + }, + Properties: Object { + BucketEncryption: Object { + ServerSideEncryptionConfiguration: Array [ + Object { + ServerSideEncryptionByDefault: Object { + SSEAlgorithm: AES256, + }, + }, + ], + }, + OwnershipControls: Object { + Rules: Array [ + Object { + ObjectOwnership: ObjectWriter, + }, + ], + }, + PublicAccessBlockConfiguration: Object { + BlockPublicAcls: true, + BlockPublicPolicy: true, + IgnorePublicAcls: true, + RestrictPublicBuckets: true, + }, + Tags: Array [ + Object { + Key: SolutionId, + Value: SO0013, + }, + ], + VersioningConfiguration: Object { + Status: Enabled, + }, + }, + Type: AWS::S3::Bucket, + UpdateReplacePolicy: Retain, + }, + LogsBucketPolicyD70D9252: Object { + Properties: Object { + Bucket: Object { + Ref: LogsBucket9C4D8843, + }, + PolicyDocument: Object { + Statement: Array [ + Object { + Action: s3:*, + Condition: Object { + Bool: Object { + aws:SecureTransport: false, + }, + }, + Effect: Deny, + Principal: Object { + AWS: *, + }, + Resource: Array [ + Object { + Fn::GetAtt: Array [ + LogsBucket9C4D8843, + Arn, + ], + }, + Object { + Fn::Join: Array [ + , + Array [ + Object { + Fn::GetAtt: Array [ + LogsBucket9C4D8843, + Arn, + ], + }, + /*, + ], + ], + }, + ], + }, + ], + Version: 2012-10-17, + }, + }, + Type: AWS::S3::BucketPolicy, + }, MediaLiveChannel: Object { DeletionPolicy: Delete, Properties: Object { 
From 69cefefae0886416170d0983fe2c91da83ea9c2c Mon Sep 17 00:00:00 2001
From: Eddie Goynes
Date: Sun, 16 Apr 2023 23:59:02 -0700
Subject: [PATCH 7/7] Updated changelog

---
 CHANGELOG.md | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3923ca8..75ed9f7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,7 +3,10 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
-
+## [4.2.1] - 2023-4-17
+### Changed
+- Updated object ownership configuration on the CloudFormation logging bucket.
+- Updated aws-cloudfront-s3 construct to support new bucket ACL changes.
 ## [4.2.0] - 2023-4-10
 ### New