From ee660d7ccfc0978d0c64c8b2f56b7c9a69ef1728 Mon Sep 17 00:00:00 2001
From: John Smith
Date: Fri, 1 Apr 2022 14:55:42 +1030
Subject: [PATCH 1/2] Add s3 access logging option
---
 lib/static-hosting.ts | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/lib/static-hosting.ts b/lib/static-hosting.ts
index e03d118..7cf5a3b 100644
--- a/lib/static-hosting.ts
+++ b/lib/static-hosting.ts
@@ -14,6 +14,7 @@ export interface StaticHostingProps {
 createPublisherUser?: boolean;
 extraDistributionCnames?: ReadonlyArray;
 enableCloudFrontAccessLogging?: boolean;
+ enableS3AccessLogging?: boolean;
 zoneName?: string;
 /**
 * Used to add Custom origins and behaviors
@@ -46,10 +47,28 @@ export class StaticHosting extends Construct {
 siteNameArray.concat(props.extraDistributionCnames)
 : siteNameArray;
 
+
+ const s3LoggingBucket = (props.enableS3AccessLogging)
+ ? new Bucket(this, 'S3LoggingBucket', {
+ bucketName: `${siteName}-s3-access-logs`,
+ encryption: BucketEncryption.S3_MANAGED,
+ blockPublicAccess: BlockPublicAccess.BLOCK_ALL,
+ removalPolicy: RemovalPolicy.RETAIN,
+ })
+ : undefined;
+
+ if (s3LoggingBucket) {
+ new CfnOutput(this, 'S3LoggingBucketName', {
+ description: "S3 Logs",
+ value: s3LoggingBucket.bucketName,
+ });
+ }
+
 const bucket = new Bucket(this, 'ContentBucket', {
 bucketName: siteName,
 encryption: BucketEncryption.S3_MANAGED,
 blockPublicAccess: BlockPublicAccess.BLOCK_ALL,
+ serverAccessLogsBucket: s3LoggingBucket
 });
 
 new CfnOutput(this, 'Bucket', {
From 699754b1a82c2224ec90d76080faad7182db733e Mon Sep 17 00:00:00 2001
From: John Smith
Date: Fri, 1 Apr 2022 15:11:28 +1030
Subject: [PATCH 2/2] Enforce SSL communication on buckets
---
 lib/static-hosting.ts | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/lib/static-hosting.ts b/lib/static-hosting.ts
index 7cf5a3b..e09ade6 100644
--- a/lib/static-hosting.ts
+++ b/lib/static-hosting.ts
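Review bot: In PATCH 1/2, the new `enableS3AccessLogging` field in `StaticHostingProps` (hunk `-14,6 +14,7`) has no doc comment, even though turning it on creates a second bucket that is retained after the stack is removed. I would add a one-line TSDoc above it, for example `/** When true, creates a retained "<siteName>-s3-access-logs" bucket and delivers the content bucket's server access logs to it; no log bucket is created when omitted. */`. The interface starts and ends outside the hunk, so other fields may already follow a documentation convention that this should match.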
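Review bot: In PATCH 1/2, the `S3LoggingBucket` added in the `-46,10 +47,28` hunk combines `RemovalPolicy.RETAIN` with no lifecycle rule, so server access logs (which record requester IP addresses and requested keys) accumulate indefinitely and the bucket outlives the stack. Consider an expiry such as `lifecycleRules: [{ expiration: Duration.days(90) }],` with the period set to your retention policy (this assumes `Duration` is imported, which the hunk does not show), and a `serverAccessLogsPrefix` on `ContentBucket` so the logs do not land at the bucket root. Separately, `${siteName}-s3-access-logs` appends 15 characters to `siteName`, and S3 bucket names are limited to 63 characters, so a long site name would presumably fail at deploy time rather than at synth. The constructor body starts and ends outside the hunk.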
@@ -54,6 +54,7 @@ export class StaticHosting extends Construct {
 encryption: BucketEncryption.S3_MANAGED,
 blockPublicAccess: BlockPublicAccess.BLOCK_ALL,
 removalPolicy: RemovalPolicy.RETAIN,
+ enforceSSL: true
 })
 : undefined;
 
@@ -68,7 +69,8 @@ export class StaticHosting extends Construct {
 bucketName: siteName,
 encryption: BucketEncryption.S3_MANAGED,
 blockPublicAccess: BlockPublicAccess.BLOCK_ALL,
- serverAccessLogsBucket: s3LoggingBucket
+ serverAccessLogsBucket: s3LoggingBucket,
+ enforceSSL: true
 });
 
 new CfnOutput(this, 'Bucket', {
@@ -118,6 +120,7 @@ export class StaticHosting extends Construct {
 encryption: BucketEncryption.S3_MANAGED,
 blockPublicAccess: BlockPublicAccess.BLOCK_ALL,
 removalPolicy: RemovalPolicy.RETAIN,
+ enforceSSL: true
 })
 : undefined;
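Review bot: All three `enforceSSL: true` additions (hunks `-54,6`, `-68,7` and `-118,6`) are left without a trailing comma, which is exactly why the `-68,7` hunk has to rewrite `serverAccessLogsBucket: s3LoggingBucket` just to append one. Writing `enforceSSL: true,` keeps the next property addition a one-line diff and matches the `removalPolicy: RemovalPolicy.RETAIN,` line directly above it. A short comment on the first occurrence, such as `// Adds a bucket policy that denies requests made without TLS (aws:SecureTransport = false)`, would also tell readers what the flag does. The bucket touched by the `-118,6` hunk is declared outside the visible lines, so I could not confirm which bucket it is.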