// Jest Snapshot v1, https://goo.gl/fbAQLP exports[`Static Website Unit Tests Defaults - Nested 1`] = ` { "Mappings": { "DefaultCrNodeVersionMap": { "af-south-1": { "value": "nodejs16.x", }, "ap-east-1": { "value": "nodejs16.x", }, "ap-northeast-1": { "value": "nodejs16.x", }, "ap-northeast-2": { "value": "nodejs16.x", }, "ap-northeast-3": { "value": "nodejs16.x", }, "ap-south-1": { "value": "nodejs16.x", }, "ap-south-2": { "value": "nodejs16.x", }, "ap-southeast-1": { "value": "nodejs16.x", }, "ap-southeast-2": { "value": "nodejs16.x", }, "ap-southeast-3": { "value": "nodejs16.x", }, "ca-central-1": { "value": "nodejs16.x", }, "cn-north-1": { "value": "nodejs16.x", }, "cn-northwest-1": { "value": "nodejs16.x", }, "eu-central-1": { "value": "nodejs16.x", }, "eu-central-2": { "value": "nodejs16.x", }, "eu-north-1": { "value": "nodejs16.x", }, "eu-south-1": { "value": "nodejs16.x", }, "eu-south-2": { "value": "nodejs16.x", }, "eu-west-1": { "value": "nodejs16.x", }, "eu-west-2": { "value": "nodejs16.x", }, "eu-west-3": { "value": "nodejs16.x", }, "me-central-1": { "value": "nodejs16.x", }, "me-south-1": { "value": "nodejs16.x", }, "sa-east-1": { "value": "nodejs16.x", }, "us-east-1": { "value": "nodejs16.x", }, "us-east-2": { "value": "nodejs16.x", }, "us-gov-east-1": { "value": "nodejs16.x", }, "us-gov-west-1": { "value": "nodejs16.x", }, "us-iso-east-1": { "value": "nodejs14.x", }, "us-iso-west-1": { "value": "nodejs14.x", }, "us-isob-east-1": { "value": "nodejs14.x", }, "us-west-1": { "value": "nodejs16.x", }, "us-west-2": { "value": "nodejs16.x", }, }, }, "Outputs": { "DefaultsDistributionDomainNameFD2CBB4B": { "Value": { "Fn::GetAtt": [ "DefaultsCloudfrontDistributionF4EA1054", "DomainName", ], }, }, }, "Resources": { "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C81C01536": { "DependsOn": [ "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF", "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265", ], "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "S3Key": "9eb41a5505d37607ac419321497a4f8c21cf0ee1f9b4a6b29aa04301aea5c7fd.zip", }, "Environment": { "Variables": { "AWS_CA_BUNDLE": "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", }, }, "Handler": "index.handler", "Layers": [ { "Ref": "DefaultsWebsiteDeploymentAwsCliLayerD5AA12CC", }, ], "Role": { "Fn::GetAtt": [ "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265", "Arn", ], }, "Runtime": "python3.9", "Timeout": 900, }, "Type": "AWS::Lambda::Function", }, "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "ManagedPolicyArns": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", ], ], }, ], }, "Type": "AWS::IAM::Role", }, "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF": { "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":s3:::", { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, ], ], }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":s3:::", { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "/*", ], ], }, ], }, { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", "s3:PutObject", "s3:PutObjectLegalHold", "s3:PutObjectRetention", "s3:PutObjectTagging", "s3:PutObjectVersionTagging", "s3:Abort*", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "DefaultsWebsiteBucket3263D025", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsWebsiteBucket3263D025", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "cloudfront:GetInvalidation", "cloudfront:CreateInvalidation", ], "Effect": "Allow", "Resource": "*", }, ], "Version": "2012-10-17", }, "PolicyName": "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF", "Roles": [ { "Ref": "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265", }, ], }, "Type": "AWS::IAM::Policy", }, "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F": { "DependsOn": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", ], "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "S3Key": "350185a1069fa20a23a583e20c77f6844218bd73097902362dc94f1a108f5d89.zip", }, "Description": { "Fn::Join": [ "", [ "Lambda function for auto-deleting objects in ", { "Ref": "DefaultsAccessLogsBucket1E788CBC", }, " S3 bucket.", ], ], }, "Handler": "__entrypoint__.handler", "MemorySize": 128, "Role": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn", ], }, "Runtime": "nodejs16.x", "Timeout": 900, }, "Type": "AWS::Lambda::Function", }, "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "ManagedPolicyArns": [ { "Fn::Sub": "arn:\${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", }, ], }, "Type": "AWS::IAM::Role", }, "DefaultsAccessLogsBucket1E788CBC": { "DeletionPolicy": "Delete", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256", }, }, ], }, "OwnershipControls": { "Rules": [ { "ObjectOwnership": "ObjectWriter", }, ], }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true, }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", "Value": "true", }, ], }, "Type": "AWS::S3::Bucket", "UpdateReplacePolicy": "Delete", }, "DefaultsAccessLogsBucketAutoDeleteObjectsCustomResourceB315E04B": { "DeletionPolicy": "Delete", "DependsOn": [ "DefaultsAccessLogsBucketPolicy87291CAB", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketName": { "Ref": "DefaultsAccessLogsBucket1E788CBC", }, "ServiceToken": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", "Arn", ], }, }, "Type": "Custom::S3AutoDeleteObjects", "UpdateReplacePolicy": "Delete", }, "DefaultsAccessLogsBucketPolicy87291CAB": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Bucket": { "Ref": "DefaultsAccessLogsBucket1E788CBC", }, "PolicyDocument": { "Statement": [ { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": "false", }, }, "Effect": "Deny", "Principal": { "AWS": "*", }, "Resource": [ { "Fn::GetAtt": [ "DefaultsAccessLogsBucket1E788CBC", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsAccessLogsBucket1E788CBC", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn", ], }, }, "Resource": [ { "Fn::GetAtt": [ "DefaultsAccessLogsBucket1E788CBC", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsAccessLogsBucket1E788CBC", "Arn", ], }, "/*", ], ], }, ], }, { "Action": "s3:PutObject", "Condition": { "ArnLike": { "aws:SourceArn": { "Fn::GetAtt": [ "DefaultsWebsiteBucket3263D025", "Arn", ], }, }, "StringEquals": { "aws:SourceAccount": { "Ref": "AWS::AccountId", }, }, }, "Effect": "Allow", "Principal": { "Service": "logging.s3.amazonaws.com", }, "Resource": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsAccessLogsBucket1E788CBC", "Arn", ], }, "/website-access-logs*", ], ], }, }, { "Action": "s3:PutObject", "Condition": { "ArnLike": { "aws:SourceArn": { "Fn::GetAtt": [ "DefaultsDistributionLogBucket7EA741E2", "Arn", ], }, }, "StringEquals": { "aws:SourceAccount": { "Ref": "AWS::AccountId", }, }, }, "Effect": "Allow", "Principal": { "Service": "logging.s3.amazonaws.com", }, "Resource": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsAccessLogsBucket1E788CBC", "Arn", ], }, "/distribution-access-logs*", ], ], }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::S3::BucketPolicy", }, "DefaultsCloudfrontDistributionF4EA1054": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-CFR4", "reason": "Certificate is not mandatory therefore the Cloudfront certificate will be used.", }, { "id": "AwsPrototyping-CloudFrontDistributionHttpsViewerNoOutdatedSSL", "reason": "Certificate is not mandatory therefore the Cloudfront certificate will be used.", }, { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "DistributionConfig": { "CustomErrorResponses": [ { "ErrorCode": 404, "ResponseCode": 200, "ResponsePagePath": "/index.html", }, ], "DefaultCacheBehavior": { "CachePolicyId": "658327ea-f89d-4fab-a63d-7e88639e58f6", "Compress": true, "TargetOriginId": "NestedStackDefaultsCloudfrontDistributionOrigin1D3B56211", "ViewerProtocolPolicy": "redirect-to-https", }, "DefaultRootObject": "index.html", "Enabled": true, "HttpVersion": "http2", "IPV6Enabled": true, "Logging": { "Bucket": { "Fn::GetAtt": [ "DefaultsDistributionLogBucket7EA741E2", "RegionalDomainName", ], }, }, "Origins": [ { "DomainName": { "Fn::GetAtt": [ "DefaultsWebsiteBucket3263D025", "RegionalDomainName", ], }, "Id": "NestedStackDefaultsCloudfrontDistributionOrigin1D3B56211", "S3OriginConfig": { "OriginAccessIdentity": { "Fn::Join": [ "", [ "origin-access-identity/cloudfront/", { "Ref": "DefaultsOriginAccessIdentity7F5D47DF", }, ], ], }, }, }, ], "WebACLId": { "Fn::GetAtt": [ "DefaultsWebsiteAclCFWebAclCustomResourceB050DB2C", "WebAclArn", ], }, }, }, "Type": "AWS::CloudFront::Distribution", }, "DefaultsDistributionLogBucket7EA741E2": { "DeletionPolicy": "Delete", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256", }, }, ], }, "LoggingConfiguration": { "DestinationBucketName": { "Ref": "DefaultsAccessLogsBucket1E788CBC", }, "LogFilePrefix": "distribution-access-logs", }, "OwnershipControls": { "Rules": [ { "ObjectOwnership": "BucketOwnerPreferred", }, ], }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true, }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", "Value": "true", }, ], }, "Type": "AWS::S3::Bucket", "UpdateReplacePolicy": "Delete", }, "DefaultsDistributionLogBucketAutoDeleteObjectsCustomResource7370C612": { "DeletionPolicy": "Delete", "DependsOn": [ "DefaultsDistributionLogBucketPolicyC6D11E8F", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketName": { "Ref": "DefaultsDistributionLogBucket7EA741E2", }, "ServiceToken": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", "Arn", ], }, }, "Type": "Custom::S3AutoDeleteObjects", "UpdateReplacePolicy": "Delete", }, "DefaultsDistributionLogBucketPolicyC6D11E8F": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Bucket": { "Ref": "DefaultsDistributionLogBucket7EA741E2", }, "PolicyDocument": { "Statement": [ { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": "false", }, }, "Effect": "Deny", "Principal": { "AWS": "*", }, "Resource": [ { "Fn::GetAtt": [ "DefaultsDistributionLogBucket7EA741E2", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsDistributionLogBucket7EA741E2", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn", ], }, }, "Resource": [ { "Fn::GetAtt": [ "DefaultsDistributionLogBucket7EA741E2", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsDistributionLogBucket7EA741E2", "Arn", ], }, "/*", ], ], }, ], }, ], "Version": "2012-10-17", }, }, "Type": "AWS::S3::BucketPolicy", }, "DefaultsOriginAccessIdentity7F5D47DF": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "CloudFrontOriginAccessIdentityConfig": { "Comment": "Allows CloudFront to reach the bucket", }, }, "Type": "AWS::CloudFront::CloudFrontOriginAccessIdentity", }, "DefaultsWebsiteAclCFWebAclCustomResourceB050DB2C": { "DeletionPolicy": "Delete", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "ID": { "Fn::Join": [ "", [ { "Ref": "AWS::StackName", }, "-WebsiteAcl", ], ], }, "MANAGED_RULES": [ { "name": "AWSManagedRulesCommonRuleSet", "vendor": "AWS", }, ], "ServiceToken": { "Fn::GetAtt": [ "DefaultsWebsiteAclCloudfrontWebAclProviderframeworkonEvent595963CB", "Arn", ], }, }, "Type": "AWS::CloudFormation::CustomResource", "UpdateReplacePolicy": "Delete", }, "DefaultsWebsiteAclCloudfrontWebAclOnEventHandlerEC085AE0": { "DependsOn": [ "DefaultsWebsiteAclOnEventHandlerRole83BC6E99", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "S3Key": "f9a4e3a2d1dd90ac1bfaec793acad708d019b35402700253f45a40ada6d2786a.zip", }, "FunctionName": "Default-Nested-Stack-OnEventHandler", "Handler": "index.onEvent", "Role": { "Fn::GetAtt": [ "DefaultsWebsiteAclOnEventHandlerRole83BC6E99", "Arn", ], }, "Runtime": "nodejs16.x", "Timeout": 300, }, "Type": "AWS::Lambda::Function", }, "DefaultsWebsiteAclCloudfrontWebAclProviderRoleD884ECCA": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Cloudwatch resources have been scoped down to the LogGroup level, however * is still needed as stream names are created just in time.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Cloudwatch resources have been scoped down to the LogGroup level, however * is still needed as stream names are created just in time.", }, { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "Policies": [ { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:aws:logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/lambda/", { "Ref": "DefaultsWebsiteAclCloudfrontWebAclOnEventHandlerEC085AE0", }, "-Provider", ], ], }, { "Fn::Join": [ "", [ "arn:aws:logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/lambda/", { "Ref": "DefaultsWebsiteAclCloudfrontWebAclOnEventHandlerEC085AE0", }, "-Provider:*", ], ], }, ], }, ], "Version": "2012-10-17", }, "PolicyName": "logs", }, ], }, "Type": "AWS::IAM::Role", }, "DefaultsWebsiteAclCloudfrontWebAclProviderRoleDefaultPolicy0BEB9831": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Cloudwatch resources have been scoped down to the LogGroup level, however * is still needed as stream names are created just in time.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Cloudwatch resources have been scoped down to the LogGroup level, however * is still needed as stream names are created just in time.", }, { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": "lambda:InvokeFunction", "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "DefaultsWebsiteAclCloudfrontWebAclOnEventHandlerEC085AE0", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsWebsiteAclCloudfrontWebAclOnEventHandlerEC085AE0", "Arn", ], }, ":*", ], ], }, ], }, ], "Version": "2012-10-17", }, "PolicyName": "DefaultsWebsiteAclCloudfrontWebAclProviderRoleDefaultPolicy0BEB9831", "Roles": [ { "Ref": "DefaultsWebsiteAclCloudfrontWebAclProviderRoleD884ECCA", }, ], }, "Type": "AWS::IAM::Policy", }, "DefaultsWebsiteAclCloudfrontWebAclProviderframeworkonEvent595963CB": { "DependsOn": [ "DefaultsWebsiteAclCloudfrontWebAclProviderRoleDefaultPolicy0BEB9831", "DefaultsWebsiteAclCloudfrontWebAclProviderRoleD884ECCA", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the Provider construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the Provider construct accordingly.", }, { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "S3Key": "8e3d635893ea17fa3158623489cd42c680fad925b38de1ef51cb10d84f6e245e.zip", }, "Description": "AWS CDK resource provider framework - onEvent (Default/Nested-Stack/Defaults/WebsiteAcl/CloudfrontWebAclProvider)", "Environment": { "Variables": { "USER_ON_EVENT_FUNCTION_ARN": { "Fn::GetAtt": [ "DefaultsWebsiteAclCloudfrontWebAclOnEventHandlerEC085AE0", "Arn", ], }, }, }, "FunctionName": { "Fn::Join": [ "", [ { "Ref": "DefaultsWebsiteAclCloudfrontWebAclOnEventHandlerEC085AE0", }, "-Provider", ], ], }, "Handler": "framework.onEvent", "Role": { "Fn::GetAtt": [ "DefaultsWebsiteAclCloudfrontWebAclProviderRoleD884ECCA", "Arn", ], }, "Runtime": "nodejs14.x", "Timeout": 900, }, "Type": "AWS::Lambda::Function", }, "DefaultsWebsiteAclOnEventHandlerRole83BC6E99": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "applies_to": [ { "regex": "/^Resource::arn:aws:wafv2:us-east-1::global/(.*)$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "WafV2 resources have been scoped down to the ACL/IPSet level, however * is still needed as resource id's are created just in time.", }, { "applies_to": [ { "regex": "/^Resource::arn:aws:logs:::log-group:/aws/lambda/Default-Nested-Stack-OnEventHandler:*/g", }, ], "id": "AwsSolutions-IAM5", "reason": "Cloudwatch resources have been scoped down to the LogGroup level, however * is still needed as stream names are created just in time.", }, { "applies_to": [ { "regex": "/^Resource::arn:aws:wafv2:us-east-1::global/(.*)$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "WafV2 resources have been scoped down to the ACL/IPSet level, however * is still needed as resource id's are created just in time.", }, { "applies_to": [ { "regex": "/^Resource::arn:aws:logs:::log-group:/aws/lambda/Default-Nested-Stack-OnEventHandler:*/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Cloudwatch resources have been scoped down to the LogGroup level, however * is still needed as stream names are created just in time.", }, { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "Policies": [ { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:aws:logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/lambda/Default-Nested-Stack-OnEventHandler", ], ], }, { "Fn::Join": [ "", [ "arn:aws:logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/lambda/Default-Nested-Stack-OnEventHandler:*", ], ], }, ], }, ], "Version": "2012-10-17", }, "PolicyName": "logs", }, { "PolicyDocument": { "Statement": [ { "Action": [ "wafv2:CreateWebACL", "wafv2:DeleteWebACL", "wafv2:UpdateWebACL", "wafv2:GetWebACL", ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:aws:wafv2:us-east-1:", { "Ref": "AWS::AccountId", }, ":global/ipset/", { "Ref": "AWS::StackName", }, "-WebsiteAcl-IPSet/*", ], ], }, { "Fn::Join": [ "", [ "arn:aws:wafv2:us-east-1:", { "Ref": "AWS::AccountId", }, ":global/webacl/", { "Ref": "AWS::StackName", }, "-WebsiteAcl/*", ], ], }, { "Fn::Join": [ "", [ "arn:aws:wafv2:us-east-1:", { "Ref": "AWS::AccountId", }, ":global/managedruleset/*/*", ], ], }, ], }, { "Action": [ "wafv2:CreateIPSet", "wafv2:DeleteIPSet", "wafv2:UpdateIPSet", "wafv2:GetIPSet", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:aws:wafv2:us-east-1:", { "Ref": "AWS::AccountId", }, ":global/ipset/", { "Ref": "AWS::StackName", }, "-WebsiteAcl-IPSet/*", ], ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "wafv2", }, ], }, "Type": "AWS::IAM::Role", }, "DefaultsWebsiteBucket3263D025": { "DeletionPolicy": "Delete", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256", }, }, ], }, "LoggingConfiguration": { "DestinationBucketName": { "Ref": "DefaultsAccessLogsBucket1E788CBC", }, "LogFilePrefix": "website-access-logs", }, "OwnershipControls": { "Rules": [ { "ObjectOwnership": "BucketOwnerEnforced", }, ], }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true, }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", "Value": "true", }, { "Key": "aws-cdk:cr-owned:df4f5c8e", "Value": "true", }, ], "VersioningConfiguration": { "Status": "Enabled", }, }, "Type": "AWS::S3::Bucket", "UpdateReplacePolicy": "Delete", }, "DefaultsWebsiteBucketAutoDeleteObjectsCustomResourceD840F8F2": { "DeletionPolicy": "Delete", "DependsOn": [ "DefaultsWebsiteBucketPolicy594E6643", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketName": { "Ref": "DefaultsWebsiteBucket3263D025", }, "ServiceToken": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", "Arn", ], }, }, "Type": "Custom::S3AutoDeleteObjects", "UpdateReplacePolicy": "Delete", }, "DefaultsWebsiteBucketPolicy594E6643": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Bucket": { "Ref": "DefaultsWebsiteBucket3263D025", }, "PolicyDocument": { "Statement": [ { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": "false", }, }, "Effect": "Deny", "Principal": { "AWS": "*", }, "Resource": [ { "Fn::GetAtt": [ "DefaultsWebsiteBucket3263D025", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsWebsiteBucket3263D025", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn", ], }, }, "Resource": [ { "Fn::GetAtt": [ "DefaultsWebsiteBucket3263D025", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsWebsiteBucket3263D025", "Arn", ], }, "/*", ], ], }, ], }, { "Action": "s3:ListBucket", "Effect": "Allow", "Principal": { "CanonicalUser": { "Fn::GetAtt": [ "DefaultsOriginAccessIdentity7F5D47DF", "S3CanonicalUserId", ], }, }, "Resource": { "Fn::GetAtt": [ "DefaultsWebsiteBucket3263D025", "Arn", ], }, }, { "Action": "s3:GetObject", "Effect": "Allow", "Principal": { "CanonicalUser": { "Fn::GetAtt": [ "DefaultsOriginAccessIdentity7F5D47DF", "S3CanonicalUserId", ], }, }, "Resource": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsWebsiteBucket3263D025", "Arn", ], }, "/*", ], ], }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::S3::BucketPolicy", }, "DefaultsWebsiteDeploymentAwsCliLayerD5AA12CC": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Content": { "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "S3Key": "0e38c73676c042efb04d698981ab7a9706991a146e59250a537916db0e9bde39.zip", }, "Description": "/opt/awscli/aws", }, "Type": "AWS::Lambda::LayerVersion", }, "DefaultsWebsiteDeploymentCustomResource326CD6C1": { "DeletionPolicy": "Delete", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "DestinationBucketName": { "Ref": "DefaultsWebsiteBucket3263D025", }, "DistributionId": { "Ref": "DefaultsCloudfrontDistributionF4EA1054", }, "Prune": true, "ServiceToken": { "Fn::GetAtt": [ "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C81C01536", "Arn", ], }, "SourceBucketNames": [ { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, ], "SourceObjectKeys": [ "a79f62b4071246acc1e8e834ba67dc3bbf15a3662e39d31667fa59315ef86f56.zip", ], }, "Type": "Custom::CDKBucketDeployment", "UpdateReplacePolicy": "Delete", }, }, } `; exports[`Static Website Unit Tests Defaults - using AwsPrototyping NagPack 1`] = ` { "Mappings": { "DefaultCrNodeVersionMap": { "af-south-1": { "value": "nodejs16.x", }, "ap-east-1": { "value": "nodejs16.x", }, "ap-northeast-1": { "value": "nodejs16.x", }, "ap-northeast-2": { "value": "nodejs16.x", }, "ap-northeast-3": { "value": "nodejs16.x", }, "ap-south-1": { "value": "nodejs16.x", }, "ap-south-2": { "value": "nodejs16.x", }, "ap-southeast-1": { "value": "nodejs16.x", }, "ap-southeast-2": { "value": "nodejs16.x", }, "ap-southeast-3": { "value": "nodejs16.x", }, "ca-central-1": { "value": "nodejs16.x", }, "cn-north-1": { "value": "nodejs16.x", }, "cn-northwest-1": { "value": "nodejs16.x", }, "eu-central-1": { "value": "nodejs16.x", }, "eu-central-2": { "value": "nodejs16.x", }, "eu-north-1": { "value": "nodejs16.x", }, "eu-south-1": { "value": "nodejs16.x", }, "eu-south-2": { "value": "nodejs16.x", }, "eu-west-1": { "value": "nodejs16.x", }, "eu-west-2": { "value": "nodejs16.x", }, "eu-west-3": { "value": "nodejs16.x", }, "me-central-1": { "value": "nodejs16.x", }, "me-south-1": { "value": "nodejs16.x", }, "sa-east-1": { "value": "nodejs16.x", }, "us-east-1": { "value": "nodejs16.x", }, "us-east-2": { "value": "nodejs16.x", }, "us-gov-east-1": { "value": "nodejs16.x", }, "us-gov-west-1": { "value": "nodejs16.x", }, "us-iso-east-1": { "value": "nodejs14.x", }, "us-iso-west-1": { "value": "nodejs14.x", }, "us-isob-east-1": { "value": "nodejs14.x", }, "us-west-1": { "value": "nodejs16.x", }, "us-west-2": { "value": "nodejs16.x", }, }, }, "Outputs": { "DefaultsDistributionDomainNameFD2CBB4B": { "Value": { "Fn::GetAtt": [ "DefaultsCloudfrontDistributionF4EA1054", "DomainName", ], }, }, }, "Parameters": { "BootstrapVersion": { "Default": "/cdk-bootstrap/hnb659fds/version", "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]", "Type": "AWS::SSM::Parameter::Value", }, }, "Resources": { "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C81C01536": { "DependsOn": [ "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF", "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265", ], "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "S3Key": "9eb41a5505d37607ac419321497a4f8c21cf0ee1f9b4a6b29aa04301aea5c7fd.zip", }, "Environment": { "Variables": { "AWS_CA_BUNDLE": "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", }, }, "Handler": "index.handler", "Layers": [ { "Ref": "DefaultsWebsiteDeploymentAwsCliLayerD5AA12CC", }, ], "Role": { "Fn::GetAtt": [ "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265", "Arn", ], }, "Runtime": "python3.9", "Timeout": 900, }, "Type": "AWS::Lambda::Function", }, "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "ManagedPolicyArns": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", ], ], }, ], }, "Type": "AWS::IAM::Role", }, "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF": { "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":s3:::", { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, ], ], }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":s3:::", { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "/*", ], ], }, ], }, { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", "s3:PutObject", "s3:PutObjectLegalHold", "s3:PutObjectRetention", "s3:PutObjectTagging", "s3:PutObjectVersionTagging", "s3:Abort*", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "DefaultsWebsiteBucket3263D025", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsWebsiteBucket3263D025", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "cloudfront:GetInvalidation", "cloudfront:CreateInvalidation", ], "Effect": "Allow", "Resource": "*", }, ], "Version": "2012-10-17", }, "PolicyName": "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF", "Roles": [ { "Ref": "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265", }, ], }, "Type": "AWS::IAM::Policy", }, "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F": { "DependsOn": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", ], "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "S3Key": "350185a1069fa20a23a583e20c77f6844218bd73097902362dc94f1a108f5d89.zip", }, "Description": { "Fn::Join": [ "", [ "Lambda function for auto-deleting objects in ", { "Ref": "DefaultsAccessLogsBucket1E788CBC", }, " S3 bucket.", ], ], }, "Handler": "__entrypoint__.handler", "MemorySize": 128, "Role": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn", ], }, "Runtime": "nodejs16.x", "Timeout": 900, }, "Type": "AWS::Lambda::Function", }, "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "ManagedPolicyArns": [ { "Fn::Sub": "arn:\${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", }, ], }, "Type": "AWS::IAM::Role", }, "DefaultsAccessLogsBucket1E788CBC": { "DeletionPolicy": "Delete", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256", }, }, ], }, "OwnershipControls": { "Rules": [ { "ObjectOwnership": "ObjectWriter", }, ], }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true, }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", "Value": "true", }, ], }, "Type": "AWS::S3::Bucket", "UpdateReplacePolicy": "Delete", }, "DefaultsAccessLogsBucketAutoDeleteObjectsCustomResourceB315E04B": { "DeletionPolicy": "Delete", "DependsOn": [ "DefaultsAccessLogsBucketPolicy87291CAB", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketName": { "Ref": "DefaultsAccessLogsBucket1E788CBC", }, "ServiceToken": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", "Arn", ], }, }, "Type": "Custom::S3AutoDeleteObjects", "UpdateReplacePolicy": "Delete", }, "DefaultsAccessLogsBucketPolicy87291CAB": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Bucket": { "Ref": "DefaultsAccessLogsBucket1E788CBC", }, "PolicyDocument": { "Statement": [ { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": "false", }, }, "Effect": "Deny", "Principal": { "AWS": "*", }, "Resource": [ { "Fn::GetAtt": [ "DefaultsAccessLogsBucket1E788CBC", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsAccessLogsBucket1E788CBC", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn", ], }, }, "Resource": [ { "Fn::GetAtt": [ "DefaultsAccessLogsBucket1E788CBC", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsAccessLogsBucket1E788CBC", "Arn", ], }, "/*", ], ], }, ], }, { "Action": "s3:PutObject", "Condition": { "ArnLike": { "aws:SourceArn": { "Fn::GetAtt": [ "DefaultsWebsiteBucket3263D025", "Arn", ], }, }, "StringEquals": { "aws:SourceAccount": { "Ref": "AWS::AccountId", }, }, }, "Effect": "Allow", "Principal": { "Service": "logging.s3.amazonaws.com", }, "Resource": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsAccessLogsBucket1E788CBC", "Arn", ], }, "/website-access-logs*", ], ], }, }, { "Action": "s3:PutObject", "Condition": { "ArnLike": { "aws:SourceArn": { "Fn::GetAtt": [ "DefaultsDistributionLogBucket7EA741E2", "Arn", ], }, }, "StringEquals": { "aws:SourceAccount": { "Ref": "AWS::AccountId", }, }, }, "Effect": "Allow", "Principal": { "Service": "logging.s3.amazonaws.com", }, "Resource": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsAccessLogsBucket1E788CBC", "Arn", ], }, "/distribution-access-logs*", ], ], }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::S3::BucketPolicy", }, "DefaultsCloudfrontDistributionF4EA1054": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-CFR4", "reason": "Certificate is not mandatory therefore the Cloudfront certificate will be used.", }, { "id": "AwsPrototyping-CloudFrontDistributionHttpsViewerNoOutdatedSSL", "reason": "Certificate is not mandatory therefore the Cloudfront certificate will be used.", }, { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "DistributionConfig": { "CustomErrorResponses": [ { "ErrorCode": 404, "ResponseCode": 200, "ResponsePagePath": "/index.html", }, ], "DefaultCacheBehavior": { "CachePolicyId": "658327ea-f89d-4fab-a63d-7e88639e58f6", "Compress": true, "TargetOriginId": "DefaultsCloudfrontDistributionOrigin1BA23CD94", "ViewerProtocolPolicy": "redirect-to-https", }, "DefaultRootObject": "index.html", "Enabled": true, "HttpVersion": "http2", "IPV6Enabled": true, "Logging": { "Bucket": { "Fn::GetAtt": [ "DefaultsDistributionLogBucket7EA741E2", "RegionalDomainName", ], }, }, "Origins": [ { "DomainName": { "Fn::GetAtt": [ "DefaultsWebsiteBucket3263D025", "RegionalDomainName", ], }, "Id": "DefaultsCloudfrontDistributionOrigin1BA23CD94", "S3OriginConfig": { "OriginAccessIdentity": { "Fn::Join": [ "", [ "origin-access-identity/cloudfront/", { "Ref": "DefaultsOriginAccessIdentity7F5D47DF", }, ], ], }, }, }, ], "WebACLId": { "Fn::GetAtt": [ "DefaultsWebsiteAclCFWebAclCustomResourceB050DB2C", "WebAclArn", ], }, }, }, "Type": "AWS::CloudFront::Distribution", }, "DefaultsDistributionLogBucket7EA741E2": { "DeletionPolicy": "Delete", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256", }, }, ], }, "LoggingConfiguration": { "DestinationBucketName": { "Ref": "DefaultsAccessLogsBucket1E788CBC", }, "LogFilePrefix": "distribution-access-logs", }, "OwnershipControls": { "Rules": [ { "ObjectOwnership": "BucketOwnerPreferred", }, ], }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true, }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", "Value": "true", }, ], }, "Type": "AWS::S3::Bucket", "UpdateReplacePolicy": "Delete", }, "DefaultsDistributionLogBucketAutoDeleteObjectsCustomResource7370C612": { "DeletionPolicy": "Delete", "DependsOn": [ "DefaultsDistributionLogBucketPolicyC6D11E8F", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketName": { "Ref": "DefaultsDistributionLogBucket7EA741E2", }, "ServiceToken": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", "Arn", ], }, }, "Type": "Custom::S3AutoDeleteObjects", "UpdateReplacePolicy": "Delete", }, "DefaultsDistributionLogBucketPolicyC6D11E8F": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Bucket": { "Ref": "DefaultsDistributionLogBucket7EA741E2", }, "PolicyDocument": { "Statement": [ { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": "false", }, }, "Effect": "Deny", "Principal": { "AWS": "*", }, "Resource": [ { "Fn::GetAtt": [ "DefaultsDistributionLogBucket7EA741E2", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsDistributionLogBucket7EA741E2", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn", ], }, }, "Resource": [ { "Fn::GetAtt": [ "DefaultsDistributionLogBucket7EA741E2", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsDistributionLogBucket7EA741E2", "Arn", ], }, "/*", ], ], }, ], }, ], "Version": "2012-10-17", }, }, "Type": "AWS::S3::BucketPolicy", }, "DefaultsOriginAccessIdentity7F5D47DF": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "CloudFrontOriginAccessIdentityConfig": { "Comment": "Allows CloudFront to reach the bucket", }, }, "Type": "AWS::CloudFront::CloudFrontOriginAccessIdentity", }, "DefaultsWebsiteAclCFWebAclCustomResourceB050DB2C": { "DeletionPolicy": "Delete", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "ID": "Default-WebsiteAcl", "MANAGED_RULES": [ { "name": "AWSManagedRulesCommonRuleSet", "vendor": "AWS", }, ], "ServiceToken": { "Fn::GetAtt": [ "DefaultsWebsiteAclCloudfrontWebAclProviderframeworkonEvent595963CB", "Arn", ], }, }, "Type": "AWS::CloudFormation::CustomResource", "UpdateReplacePolicy": "Delete", }, "DefaultsWebsiteAclCloudfrontWebAclOnEventHandlerEC085AE0": { "DependsOn": [ "DefaultsWebsiteAclOnEventHandlerRole83BC6E99", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "S3Key": "f9a4e3a2d1dd90ac1bfaec793acad708d019b35402700253f45a40ada6d2786a.zip", }, "FunctionName": "Default-OnEventHandler", "Handler": "index.onEvent", "Role": { "Fn::GetAtt": [ "DefaultsWebsiteAclOnEventHandlerRole83BC6E99", "Arn", ], }, "Runtime": "nodejs16.x", "Timeout": 300, }, "Type": "AWS::Lambda::Function", }, "DefaultsWebsiteAclCloudfrontWebAclProviderRoleD884ECCA": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Cloudwatch resources have been scoped down to the LogGroup level, however * is still needed as stream names are created just in time.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Cloudwatch resources have been scoped down to the LogGroup level, however * is still needed as stream names are created just in time.", }, { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "Policies": [ { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:aws:logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/lambda/", { "Ref": "DefaultsWebsiteAclCloudfrontWebAclOnEventHandlerEC085AE0", }, "-Provider", ], ], }, { "Fn::Join": [ "", [ "arn:aws:logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/lambda/", { "Ref": "DefaultsWebsiteAclCloudfrontWebAclOnEventHandlerEC085AE0", }, "-Provider:*", ], ], }, ], }, ], "Version": "2012-10-17", }, "PolicyName": "logs", }, ], }, "Type": "AWS::IAM::Role", }, "DefaultsWebsiteAclCloudfrontWebAclProviderRoleDefaultPolicy0BEB9831": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Cloudwatch resources have been scoped down to the LogGroup level, however * is still needed as stream names are created just in time.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Cloudwatch resources have been scoped down to the LogGroup level, however * is still needed as stream names are created just in time.", }, { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": "lambda:InvokeFunction", "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "DefaultsWebsiteAclCloudfrontWebAclOnEventHandlerEC085AE0", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsWebsiteAclCloudfrontWebAclOnEventHandlerEC085AE0", "Arn", ], }, ":*", ], ], }, ], }, ], "Version": "2012-10-17", }, "PolicyName": "DefaultsWebsiteAclCloudfrontWebAclProviderRoleDefaultPolicy0BEB9831", "Roles": [ { "Ref": "DefaultsWebsiteAclCloudfrontWebAclProviderRoleD884ECCA", }, ], }, "Type": "AWS::IAM::Policy", }, "DefaultsWebsiteAclCloudfrontWebAclProviderframeworkonEvent595963CB": { "DependsOn": [ "DefaultsWebsiteAclCloudfrontWebAclProviderRoleDefaultPolicy0BEB9831", "DefaultsWebsiteAclCloudfrontWebAclProviderRoleD884ECCA", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the Provider construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the Provider construct accordingly.", }, { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "S3Key": "8e3d635893ea17fa3158623489cd42c680fad925b38de1ef51cb10d84f6e245e.zip", }, "Description": "AWS CDK resource provider framework - onEvent (Default/Defaults/WebsiteAcl/CloudfrontWebAclProvider)", "Environment": { "Variables": { "USER_ON_EVENT_FUNCTION_ARN": { "Fn::GetAtt": [ "DefaultsWebsiteAclCloudfrontWebAclOnEventHandlerEC085AE0", "Arn", ], }, }, }, "FunctionName": { "Fn::Join": [ "", [ { "Ref": "DefaultsWebsiteAclCloudfrontWebAclOnEventHandlerEC085AE0", }, "-Provider", ], ], }, "Handler": "framework.onEvent", "Role": { "Fn::GetAtt": [ "DefaultsWebsiteAclCloudfrontWebAclProviderRoleD884ECCA", "Arn", ], }, "Runtime": "nodejs14.x", "Timeout": 900, }, "Type": "AWS::Lambda::Function", }, "DefaultsWebsiteAclOnEventHandlerRole83BC6E99": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "applies_to": [ { "regex": "/^Resource::arn:aws:wafv2:us-east-1::global/(.*)$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "WafV2 resources have been scoped down to the ACL/IPSet level, however * is still needed as resource id's are created just in time.", }, { "applies_to": [ { "regex": "/^Resource::arn:aws:logs:::log-group:/aws/lambda/Default-OnEventHandler:*/g", }, ], "id": "AwsSolutions-IAM5", "reason": "Cloudwatch resources have been scoped down to the LogGroup level, however * is still needed as stream names are created just in time.", }, { "applies_to": [ { "regex": "/^Resource::arn:aws:wafv2:us-east-1::global/(.*)$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "WafV2 resources have been scoped down to the ACL/IPSet level, however * is still needed as resource id's are created just in time.", }, { "applies_to": [ { "regex": "/^Resource::arn:aws:logs:::log-group:/aws/lambda/Default-OnEventHandler:*/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Cloudwatch resources have been scoped down to the LogGroup level, however * is still needed as stream names are created just in time.", }, { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "Policies": [ { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:aws:logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/lambda/Default-OnEventHandler", ], ], }, { "Fn::Join": [ "", [ "arn:aws:logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/lambda/Default-OnEventHandler:*", ], ], }, ], }, ], "Version": "2012-10-17", }, "PolicyName": "logs", }, { "PolicyDocument": { "Statement": [ { "Action": [ "wafv2:CreateWebACL", "wafv2:DeleteWebACL", "wafv2:UpdateWebACL", "wafv2:GetWebACL", ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:aws:wafv2:us-east-1:", { "Ref": "AWS::AccountId", }, ":global/ipset/Default-WebsiteAcl-IPSet/*", ], ], }, { "Fn::Join": [ "", [ "arn:aws:wafv2:us-east-1:", { "Ref": "AWS::AccountId", }, ":global/webacl/Default-WebsiteAcl/*", ], ], }, { "Fn::Join": [ "", [ "arn:aws:wafv2:us-east-1:", { "Ref": "AWS::AccountId", }, ":global/managedruleset/*/*", ], ], }, ], }, { "Action": [ "wafv2:CreateIPSet", "wafv2:DeleteIPSet", "wafv2:UpdateIPSet", "wafv2:GetIPSet", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:aws:wafv2:us-east-1:", { "Ref": "AWS::AccountId", }, ":global/ipset/Default-WebsiteAcl-IPSet/*", ], ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "wafv2", }, ], }, "Type": "AWS::IAM::Role", }, "DefaultsWebsiteBucket3263D025": { "DeletionPolicy": "Delete", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256", }, }, ], }, "LoggingConfiguration": { "DestinationBucketName": { "Ref": "DefaultsAccessLogsBucket1E788CBC", }, "LogFilePrefix": "website-access-logs", }, "OwnershipControls": { "Rules": [ { "ObjectOwnership": "BucketOwnerEnforced", }, ], }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true, }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", "Value": "true", }, { "Key": "aws-cdk:cr-owned:fb67e0d5", "Value": "true", }, ], "VersioningConfiguration": { "Status": "Enabled", }, }, "Type": "AWS::S3::Bucket", "UpdateReplacePolicy": "Delete", }, "DefaultsWebsiteBucketAutoDeleteObjectsCustomResourceD840F8F2": { "DeletionPolicy": "Delete", "DependsOn": [ "DefaultsWebsiteBucketPolicy594E6643", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketName": { "Ref": "DefaultsWebsiteBucket3263D025", }, "ServiceToken": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", "Arn", ], }, }, "Type": "Custom::S3AutoDeleteObjects", "UpdateReplacePolicy": "Delete", }, "DefaultsWebsiteBucketPolicy594E6643": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Bucket": { "Ref": "DefaultsWebsiteBucket3263D025", }, "PolicyDocument": { "Statement": [ { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": "false", }, }, "Effect": "Deny", "Principal": { "AWS": "*", }, "Resource": [ { "Fn::GetAtt": [ "DefaultsWebsiteBucket3263D025", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsWebsiteBucket3263D025", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn", ], }, }, "Resource": [ { "Fn::GetAtt": [ "DefaultsWebsiteBucket3263D025", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsWebsiteBucket3263D025", "Arn", ], }, "/*", ], ], }, ], }, { "Action": "s3:ListBucket", "Effect": "Allow", "Principal": { "CanonicalUser": { "Fn::GetAtt": [ "DefaultsOriginAccessIdentity7F5D47DF", "S3CanonicalUserId", ], }, }, "Resource": { "Fn::GetAtt": [ "DefaultsWebsiteBucket3263D025", "Arn", ], }, }, { "Action": "s3:GetObject", "Effect": "Allow", "Principal": { "CanonicalUser": { "Fn::GetAtt": [ "DefaultsOriginAccessIdentity7F5D47DF", "S3CanonicalUserId", ], }, }, "Resource": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsWebsiteBucket3263D025", "Arn", ], }, "/*", ], ], }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::S3::BucketPolicy", }, "DefaultsWebsiteDeploymentAwsCliLayerD5AA12CC": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Content": { "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "S3Key": "0e38c73676c042efb04d698981ab7a9706991a146e59250a537916db0e9bde39.zip", }, "Description": "/opt/awscli/aws", }, "Type": "AWS::Lambda::LayerVersion", }, "DefaultsWebsiteDeploymentCustomResource326CD6C1": { "DeletionPolicy": "Delete", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "DestinationBucketName": { "Ref": "DefaultsWebsiteBucket3263D025", }, "DistributionId": { "Ref": "DefaultsCloudfrontDistributionF4EA1054", }, "Prune": true, "ServiceToken": { "Fn::GetAtt": [ "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C81C01536", "Arn", ], }, "SourceBucketNames": [ { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, ], "SourceObjectKeys": [ "a79f62b4071246acc1e8e834ba67dc3bbf15a3662e39d31667fa59315ef86f56.zip", ], }, "Type": "Custom::CDKBucketDeployment", "UpdateReplacePolicy": "Delete", }, }, "Rules": { "CheckBootstrapVersion": { "Assertions": [ { "Assert": { "Fn::Not": [ { "Fn::Contains": [ [ "1", "2", "3", "4", "5", ], { "Ref": "BootstrapVersion", }, ], }, ], }, "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI.", }, ], }, }, } `; exports[`Static Website Unit Tests Defaults 1`] = ` { "Mappings": { "DefaultCrNodeVersionMap": { "af-south-1": { "value": "nodejs16.x", }, "ap-east-1": { "value": "nodejs16.x", }, "ap-northeast-1": { "value": "nodejs16.x", }, "ap-northeast-2": { "value": "nodejs16.x", }, "ap-northeast-3": { "value": "nodejs16.x", }, "ap-south-1": { "value": "nodejs16.x", }, "ap-south-2": { "value": "nodejs16.x", }, "ap-southeast-1": { "value": "nodejs16.x", }, "ap-southeast-2": { "value": "nodejs16.x", }, "ap-southeast-3": { "value": "nodejs16.x", }, "ca-central-1": { "value": "nodejs16.x", }, "cn-north-1": { "value": "nodejs16.x", }, "cn-northwest-1": { "value": "nodejs16.x", }, "eu-central-1": { "value": "nodejs16.x", }, "eu-central-2": { "value": "nodejs16.x", }, "eu-north-1": { "value": "nodejs16.x", }, "eu-south-1": { "value": "nodejs16.x", }, "eu-south-2": { "value": "nodejs16.x", }, "eu-west-1": { "value": "nodejs16.x", }, "eu-west-2": { "value": "nodejs16.x", }, "eu-west-3": { "value": "nodejs16.x", }, "me-central-1": { "value": "nodejs16.x", }, "me-south-1": { "value": "nodejs16.x", }, "sa-east-1": { "value": "nodejs16.x", }, "us-east-1": { "value": "nodejs16.x", }, "us-east-2": { "value": "nodejs16.x", }, "us-gov-east-1": { "value": "nodejs16.x", }, "us-gov-west-1": { "value": "nodejs16.x", }, "us-iso-east-1": { "value": "nodejs14.x", }, "us-iso-west-1": { "value": "nodejs14.x", }, "us-isob-east-1": { "value": "nodejs14.x", }, "us-west-1": { "value": "nodejs16.x", }, "us-west-2": { "value": "nodejs16.x", }, }, }, "Outputs": { "DefaultsDistributionDomainNameFD2CBB4B": { "Value": { "Fn::GetAtt": [ "DefaultsCloudfrontDistributionF4EA1054", "DomainName", ], }, }, }, "Parameters": { "BootstrapVersion": { "Default": "/cdk-bootstrap/hnb659fds/version", "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]", "Type": "AWS::SSM::Parameter::Value", }, }, "Resources": { "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C81C01536": { "DependsOn": [ "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF", "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265", ], "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "S3Key": "9eb41a5505d37607ac419321497a4f8c21cf0ee1f9b4a6b29aa04301aea5c7fd.zip", }, "Environment": { "Variables": { "AWS_CA_BUNDLE": "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", }, }, "Handler": "index.handler", "Layers": [ { "Ref": "DefaultsWebsiteDeploymentAwsCliLayerD5AA12CC", }, ], "Role": { "Fn::GetAtt": [ "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265", "Arn", ], }, "Runtime": "python3.9", "Timeout": 900, }, "Type": "AWS::Lambda::Function", }, "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "ManagedPolicyArns": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", ], ], }, ], }, "Type": "AWS::IAM::Role", }, "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF": { "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":s3:::", { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, ], ], }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":s3:::", { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "/*", ], ], }, ], }, { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", "s3:PutObject", "s3:PutObjectLegalHold", "s3:PutObjectRetention", "s3:PutObjectTagging", "s3:PutObjectVersionTagging", "s3:Abort*", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "DefaultsWebsiteBucket3263D025", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsWebsiteBucket3263D025", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "cloudfront:GetInvalidation", "cloudfront:CreateInvalidation", ], "Effect": "Allow", "Resource": "*", }, ], "Version": "2012-10-17", }, "PolicyName": "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF", "Roles": [ { "Ref": "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265", }, ], }, "Type": "AWS::IAM::Policy", }, "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F": { "DependsOn": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", ], "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "S3Key": "350185a1069fa20a23a583e20c77f6844218bd73097902362dc94f1a108f5d89.zip", }, "Description": { "Fn::Join": [ "", [ "Lambda function for auto-deleting objects in ", { "Ref": "DefaultsAccessLogsBucket1E788CBC", }, " S3 bucket.", ], ], }, "Handler": "__entrypoint__.handler", "MemorySize": 128, "Role": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn", ], }, "Runtime": "nodejs16.x", "Timeout": 900, }, "Type": "AWS::Lambda::Function", }, "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "ManagedPolicyArns": [ { "Fn::Sub": "arn:\${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", }, ], }, "Type": "AWS::IAM::Role", }, "DefaultsAccessLogsBucket1E788CBC": { "DeletionPolicy": "Delete", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256", }, }, ], }, "OwnershipControls": { "Rules": [ { "ObjectOwnership": "ObjectWriter", }, ], }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true, }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", "Value": "true", }, ], }, "Type": "AWS::S3::Bucket", "UpdateReplacePolicy": "Delete", }, "DefaultsAccessLogsBucketAutoDeleteObjectsCustomResourceB315E04B": { "DeletionPolicy": "Delete", "DependsOn": [ "DefaultsAccessLogsBucketPolicy87291CAB", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketName": { "Ref": "DefaultsAccessLogsBucket1E788CBC", }, "ServiceToken": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", "Arn", ], }, }, "Type": "Custom::S3AutoDeleteObjects", "UpdateReplacePolicy": "Delete", }, "DefaultsAccessLogsBucketPolicy87291CAB": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Bucket": { "Ref": "DefaultsAccessLogsBucket1E788CBC", }, "PolicyDocument": { "Statement": [ { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": "false", }, }, "Effect": "Deny", "Principal": { "AWS": "*", }, "Resource": [ { "Fn::GetAtt": [ "DefaultsAccessLogsBucket1E788CBC", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsAccessLogsBucket1E788CBC", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn", ], }, }, "Resource": [ { "Fn::GetAtt": [ "DefaultsAccessLogsBucket1E788CBC", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsAccessLogsBucket1E788CBC", "Arn", ], }, "/*", ], ], }, ], }, { "Action": "s3:PutObject", "Condition": { "ArnLike": { "aws:SourceArn": { "Fn::GetAtt": [ "DefaultsWebsiteBucket3263D025", "Arn", ], }, }, "StringEquals": { "aws:SourceAccount": { "Ref": "AWS::AccountId", }, }, }, "Effect": "Allow", "Principal": { "Service": "logging.s3.amazonaws.com", }, "Resource": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsAccessLogsBucket1E788CBC", "Arn", ], }, "/website-access-logs*", ], ], }, }, { "Action": "s3:PutObject", "Condition": { "ArnLike": { "aws:SourceArn": { "Fn::GetAtt": [ "DefaultsDistributionLogBucket7EA741E2", "Arn", ], }, }, "StringEquals": { "aws:SourceAccount": { "Ref": "AWS::AccountId", }, }, }, "Effect": "Allow", "Principal": { "Service": "logging.s3.amazonaws.com", }, "Resource": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsAccessLogsBucket1E788CBC", "Arn", ], }, "/distribution-access-logs*", ], ], }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::S3::BucketPolicy", }, "DefaultsCloudfrontDistributionF4EA1054": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-CFR4", "reason": "Certificate is not mandatory therefore the Cloudfront certificate will be used.", }, { "id": "AwsPrototyping-CloudFrontDistributionHttpsViewerNoOutdatedSSL", "reason": "Certificate is not mandatory therefore the Cloudfront certificate will be used.", }, { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "DistributionConfig": { "CustomErrorResponses": [ { "ErrorCode": 404, "ResponseCode": 200, "ResponsePagePath": "/index.html", }, ], "DefaultCacheBehavior": { "CachePolicyId": "658327ea-f89d-4fab-a63d-7e88639e58f6", "Compress": true, "TargetOriginId": "DefaultsCloudfrontDistributionOrigin1BA23CD94", "ViewerProtocolPolicy": "redirect-to-https", }, "DefaultRootObject": "index.html", "Enabled": true, "HttpVersion": "http2", "IPV6Enabled": true, "Logging": { "Bucket": { "Fn::GetAtt": [ "DefaultsDistributionLogBucket7EA741E2", "RegionalDomainName", ], }, }, "Origins": [ { "DomainName": { "Fn::GetAtt": [ "DefaultsWebsiteBucket3263D025", "RegionalDomainName", ], }, "Id": "DefaultsCloudfrontDistributionOrigin1BA23CD94", "S3OriginConfig": { "OriginAccessIdentity": { "Fn::Join": [ "", [ "origin-access-identity/cloudfront/", { "Ref": "DefaultsOriginAccessIdentity7F5D47DF", }, ], ], }, }, }, ], "WebACLId": { "Fn::GetAtt": [ "DefaultsWebsiteAclCFWebAclCustomResourceB050DB2C", "WebAclArn", ], }, }, }, "Type": "AWS::CloudFront::Distribution", }, "DefaultsDistributionLogBucket7EA741E2": { "DeletionPolicy": "Delete", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256", }, }, ], }, "LoggingConfiguration": { "DestinationBucketName": { "Ref": "DefaultsAccessLogsBucket1E788CBC", }, "LogFilePrefix": "distribution-access-logs", }, "OwnershipControls": { "Rules": [ { "ObjectOwnership": "BucketOwnerPreferred", }, ], }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true, }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", "Value": "true", }, ], }, "Type": "AWS::S3::Bucket", "UpdateReplacePolicy": "Delete", }, "DefaultsDistributionLogBucketAutoDeleteObjectsCustomResource7370C612": { "DeletionPolicy": "Delete", "DependsOn": [ "DefaultsDistributionLogBucketPolicyC6D11E8F", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketName": { "Ref": "DefaultsDistributionLogBucket7EA741E2", }, "ServiceToken": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", "Arn", ], }, }, "Type": "Custom::S3AutoDeleteObjects", "UpdateReplacePolicy": "Delete", }, "DefaultsDistributionLogBucketPolicyC6D11E8F": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Bucket": { "Ref": "DefaultsDistributionLogBucket7EA741E2", }, "PolicyDocument": { "Statement": [ { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": "false", }, }, "Effect": "Deny", "Principal": { "AWS": "*", }, "Resource": [ { "Fn::GetAtt": [ "DefaultsDistributionLogBucket7EA741E2", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsDistributionLogBucket7EA741E2", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn", ], }, }, "Resource": [ { "Fn::GetAtt": [ "DefaultsDistributionLogBucket7EA741E2", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsDistributionLogBucket7EA741E2", "Arn", ], }, "/*", ], ], }, ], }, ], "Version": "2012-10-17", }, }, "Type": "AWS::S3::BucketPolicy", }, "DefaultsOriginAccessIdentity7F5D47DF": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "CloudFrontOriginAccessIdentityConfig": { "Comment": "Allows CloudFront to reach the bucket", }, }, "Type": "AWS::CloudFront::CloudFrontOriginAccessIdentity", }, "DefaultsWebsiteAclCFWebAclCustomResourceB050DB2C": { "DeletionPolicy": "Delete", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "ID": "Default-WebsiteAcl", "MANAGED_RULES": [ { "name": "AWSManagedRulesCommonRuleSet", "vendor": "AWS", }, ], "ServiceToken": { "Fn::GetAtt": [ "DefaultsWebsiteAclCloudfrontWebAclProviderframeworkonEvent595963CB", "Arn", ], }, }, "Type": "AWS::CloudFormation::CustomResource", "UpdateReplacePolicy": "Delete", }, "DefaultsWebsiteAclCloudfrontWebAclOnEventHandlerEC085AE0": { "DependsOn": [ "DefaultsWebsiteAclOnEventHandlerRole83BC6E99", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "S3Key": "f9a4e3a2d1dd90ac1bfaec793acad708d019b35402700253f45a40ada6d2786a.zip", }, "FunctionName": "Default-OnEventHandler", "Handler": "index.onEvent", "Role": { "Fn::GetAtt": [ "DefaultsWebsiteAclOnEventHandlerRole83BC6E99", "Arn", ], }, "Runtime": "nodejs16.x", "Timeout": 300, }, "Type": "AWS::Lambda::Function", }, "DefaultsWebsiteAclCloudfrontWebAclProviderRoleD884ECCA": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Cloudwatch resources have been scoped down to the LogGroup level, however * is still needed as stream names are created just in time.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Cloudwatch resources have been scoped down to the LogGroup level, however * is still needed as stream names are created just in time.", }, { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "Policies": [ { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:aws:logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/lambda/", { "Ref": "DefaultsWebsiteAclCloudfrontWebAclOnEventHandlerEC085AE0", }, "-Provider", ], ], }, { "Fn::Join": [ "", [ "arn:aws:logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/lambda/", { "Ref": "DefaultsWebsiteAclCloudfrontWebAclOnEventHandlerEC085AE0", }, "-Provider:*", ], ], }, ], }, ], "Version": "2012-10-17", }, "PolicyName": "logs", }, ], }, "Type": "AWS::IAM::Role", }, "DefaultsWebsiteAclCloudfrontWebAclProviderRoleDefaultPolicy0BEB9831": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Cloudwatch resources have been scoped down to the LogGroup level, however * is still needed as stream names are created just in time.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Cloudwatch resources have been scoped down to the LogGroup level, however * is still needed as stream names are created just in time.", }, { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": "lambda:InvokeFunction", "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "DefaultsWebsiteAclCloudfrontWebAclOnEventHandlerEC085AE0", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsWebsiteAclCloudfrontWebAclOnEventHandlerEC085AE0", "Arn", ], }, ":*", ], ], }, ], }, ], "Version": "2012-10-17", }, "PolicyName": "DefaultsWebsiteAclCloudfrontWebAclProviderRoleDefaultPolicy0BEB9831", "Roles": [ { "Ref": "DefaultsWebsiteAclCloudfrontWebAclProviderRoleD884ECCA", }, ], }, "Type": "AWS::IAM::Policy", }, "DefaultsWebsiteAclCloudfrontWebAclProviderframeworkonEvent595963CB": { "DependsOn": [ "DefaultsWebsiteAclCloudfrontWebAclProviderRoleDefaultPolicy0BEB9831", "DefaultsWebsiteAclCloudfrontWebAclProviderRoleD884ECCA", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the Provider construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the Provider construct accordingly.", }, { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "S3Key": "8e3d635893ea17fa3158623489cd42c680fad925b38de1ef51cb10d84f6e245e.zip", }, "Description": "AWS CDK resource provider framework - onEvent (Default/Defaults/WebsiteAcl/CloudfrontWebAclProvider)", "Environment": { "Variables": { "USER_ON_EVENT_FUNCTION_ARN": { "Fn::GetAtt": [ "DefaultsWebsiteAclCloudfrontWebAclOnEventHandlerEC085AE0", "Arn", ], }, }, }, "FunctionName": { "Fn::Join": [ "", [ { "Ref": "DefaultsWebsiteAclCloudfrontWebAclOnEventHandlerEC085AE0", }, "-Provider", ], ], }, "Handler": "framework.onEvent", "Role": { "Fn::GetAtt": [ "DefaultsWebsiteAclCloudfrontWebAclProviderRoleD884ECCA", "Arn", ], }, "Runtime": "nodejs14.x", "Timeout": 900, }, "Type": "AWS::Lambda::Function", }, "DefaultsWebsiteAclOnEventHandlerRole83BC6E99": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "applies_to": [ { "regex": "/^Resource::arn:aws:wafv2:us-east-1::global/(.*)$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "WafV2 resources have been scoped down to the ACL/IPSet level, however * is still needed as resource id's are created just in time.", }, { "applies_to": [ { "regex": "/^Resource::arn:aws:logs:::log-group:/aws/lambda/Default-OnEventHandler:*/g", }, ], "id": "AwsSolutions-IAM5", "reason": "Cloudwatch resources have been scoped down to the LogGroup level, however * is still needed as stream names are created just in time.", }, { "applies_to": [ { "regex": "/^Resource::arn:aws:wafv2:us-east-1::global/(.*)$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "WafV2 resources have been scoped down to the ACL/IPSet level, however * is still needed as resource id's are created just in time.", }, { "applies_to": [ { "regex": "/^Resource::arn:aws:logs:::log-group:/aws/lambda/Default-OnEventHandler:*/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Cloudwatch resources have been scoped down to the LogGroup level, however * is still needed as stream names are created just in time.", }, { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "Policies": [ { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:aws:logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/lambda/Default-OnEventHandler", ], ], }, { "Fn::Join": [ "", [ "arn:aws:logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/lambda/Default-OnEventHandler:*", ], ], }, ], }, ], "Version": "2012-10-17", }, "PolicyName": "logs", }, { "PolicyDocument": { "Statement": [ { "Action": [ "wafv2:CreateWebACL", "wafv2:DeleteWebACL", "wafv2:UpdateWebACL", "wafv2:GetWebACL", ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:aws:wafv2:us-east-1:", { "Ref": "AWS::AccountId", }, ":global/ipset/Default-WebsiteAcl-IPSet/*", ], ], }, { "Fn::Join": [ "", [ "arn:aws:wafv2:us-east-1:", { "Ref": "AWS::AccountId", }, ":global/webacl/Default-WebsiteAcl/*", ], ], }, { "Fn::Join": [ "", [ "arn:aws:wafv2:us-east-1:", { "Ref": "AWS::AccountId", }, ":global/managedruleset/*/*", ], ], }, ], }, { "Action": [ "wafv2:CreateIPSet", "wafv2:DeleteIPSet", "wafv2:UpdateIPSet", "wafv2:GetIPSet", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:aws:wafv2:us-east-1:", { "Ref": "AWS::AccountId", }, ":global/ipset/Default-WebsiteAcl-IPSet/*", ], ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "wafv2", }, ], }, "Type": "AWS::IAM::Role", }, "DefaultsWebsiteBucket3263D025": { "DeletionPolicy": "Delete", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256", }, }, ], }, "LoggingConfiguration": { "DestinationBucketName": { "Ref": "DefaultsAccessLogsBucket1E788CBC", }, "LogFilePrefix": "website-access-logs", }, "OwnershipControls": { "Rules": [ { "ObjectOwnership": "BucketOwnerEnforced", }, ], }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true, }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", "Value": "true", }, { "Key": "aws-cdk:cr-owned:fb67e0d5", "Value": "true", }, ], "VersioningConfiguration": { "Status": "Enabled", }, }, "Type": "AWS::S3::Bucket", "UpdateReplacePolicy": "Delete", }, "DefaultsWebsiteBucketAutoDeleteObjectsCustomResourceD840F8F2": { "DeletionPolicy": "Delete", "DependsOn": [ "DefaultsWebsiteBucketPolicy594E6643", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketName": { "Ref": "DefaultsWebsiteBucket3263D025", }, "ServiceToken": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", "Arn", ], }, }, "Type": "Custom::S3AutoDeleteObjects", "UpdateReplacePolicy": "Delete", }, "DefaultsWebsiteBucketPolicy594E6643": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Bucket": { "Ref": "DefaultsWebsiteBucket3263D025", }, "PolicyDocument": { "Statement": [ { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": "false", }, }, "Effect": "Deny", "Principal": { "AWS": "*", }, "Resource": [ { "Fn::GetAtt": [ "DefaultsWebsiteBucket3263D025", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsWebsiteBucket3263D025", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn", ], }, }, "Resource": [ { "Fn::GetAtt": [ "DefaultsWebsiteBucket3263D025", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsWebsiteBucket3263D025", "Arn", ], }, "/*", ], ], }, ], }, { "Action": "s3:ListBucket", "Effect": "Allow", "Principal": { "CanonicalUser": { "Fn::GetAtt": [ "DefaultsOriginAccessIdentity7F5D47DF", "S3CanonicalUserId", ], }, }, "Resource": { "Fn::GetAtt": [ "DefaultsWebsiteBucket3263D025", "Arn", ], }, }, { "Action": "s3:GetObject", "Effect": "Allow", "Principal": { "CanonicalUser": { "Fn::GetAtt": [ "DefaultsOriginAccessIdentity7F5D47DF", "S3CanonicalUserId", ], }, }, "Resource": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsWebsiteBucket3263D025", "Arn", ], }, "/*", ], ], }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::S3::BucketPolicy", }, "DefaultsWebsiteDeploymentAwsCliLayerD5AA12CC": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Content": { "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "S3Key": "0e38c73676c042efb04d698981ab7a9706991a146e59250a537916db0e9bde39.zip", }, "Description": "/opt/awscli/aws", }, "Type": "AWS::Lambda::LayerVersion", }, "DefaultsWebsiteDeploymentCustomResource326CD6C1": { "DeletionPolicy": "Delete", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "DestinationBucketName": { "Ref": "DefaultsWebsiteBucket3263D025", }, "DistributionId": { "Ref": "DefaultsCloudfrontDistributionF4EA1054", }, "Prune": true, "ServiceToken": { "Fn::GetAtt": [ "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C81C01536", "Arn", ], }, "SourceBucketNames": [ { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, ], "SourceObjectKeys": [ "a79f62b4071246acc1e8e834ba67dc3bbf15a3662e39d31667fa59315ef86f56.zip", ], }, "Type": "Custom::CDKBucketDeployment", "UpdateReplacePolicy": "Delete", }, }, "Rules": { "CheckBootstrapVersion": { "Assertions": [ { "Assert": { "Fn::Not": [ { "Fn::Contains": [ [ "1", "2", "3", "4", "5", ], { "Ref": "BootstrapVersion", }, ], }, ], }, "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI.", }, ], }, }, } `; exports[`Static Website Unit Tests Defaults and Geoblocking - using AwsPrototyping NagPack 1`] = ` { "Mappings": { "DefaultCrNodeVersionMap": { "af-south-1": { "value": "nodejs16.x", }, "ap-east-1": { "value": "nodejs16.x", }, "ap-northeast-1": { "value": "nodejs16.x", }, "ap-northeast-2": { "value": "nodejs16.x", }, "ap-northeast-3": { "value": "nodejs16.x", }, "ap-south-1": { "value": "nodejs16.x", }, "ap-south-2": { "value": "nodejs16.x", }, "ap-southeast-1": { "value": "nodejs16.x", }, "ap-southeast-2": { "value": "nodejs16.x", }, "ap-southeast-3": { "value": "nodejs16.x", }, "ca-central-1": { "value": "nodejs16.x", }, "cn-north-1": { "value": "nodejs16.x", }, "cn-northwest-1": { "value": "nodejs16.x", }, "eu-central-1": { "value": "nodejs16.x", }, "eu-central-2": { "value": "nodejs16.x", }, "eu-north-1": { "value": "nodejs16.x", }, "eu-south-1": { "value": "nodejs16.x", }, "eu-south-2": { "value": "nodejs16.x", }, "eu-west-1": { "value": "nodejs16.x", }, "eu-west-2": { "value": "nodejs16.x", }, "eu-west-3": { "value": "nodejs16.x", }, "me-central-1": { "value": "nodejs16.x", }, "me-south-1": { "value": "nodejs16.x", }, "sa-east-1": { "value": "nodejs16.x", }, "us-east-1": { "value": "nodejs16.x", }, "us-east-2": { "value": "nodejs16.x", }, "us-gov-east-1": { "value": "nodejs16.x", }, "us-gov-west-1": { "value": "nodejs16.x", }, "us-iso-east-1": { "value": "nodejs14.x", }, "us-iso-west-1": { "value": "nodejs14.x", }, "us-isob-east-1": { "value": "nodejs14.x", }, "us-west-1": { "value": "nodejs16.x", }, "us-west-2": { "value": "nodejs16.x", }, }, }, "Outputs": { "DefaultsDistributionDomainNameFD2CBB4B": { "Value": { "Fn::GetAtt": [ "DefaultsCloudfrontDistributionF4EA1054", "DomainName", ], }, }, }, "Parameters": { "BootstrapVersion": { "Default": "/cdk-bootstrap/hnb659fds/version", "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]", "Type": "AWS::SSM::Parameter::Value", }, }, "Resources": { "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C81C01536": { "DependsOn": [ "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF", "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265", ], "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "S3Key": "9eb41a5505d37607ac419321497a4f8c21cf0ee1f9b4a6b29aa04301aea5c7fd.zip", }, "Environment": { "Variables": { "AWS_CA_BUNDLE": "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", }, }, "Handler": "index.handler", "Layers": [ { "Ref": "DefaultsWebsiteDeploymentAwsCliLayerD5AA12CC", }, ], "Role": { "Fn::GetAtt": [ "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265", "Arn", ], }, "Runtime": "python3.9", "Timeout": 900, }, "Type": "AWS::Lambda::Function", }, "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "ManagedPolicyArns": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", ], ], }, ], }, "Type": "AWS::IAM::Role", }, "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF": { "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":s3:::", { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, ], ], }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":s3:::", { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "/*", ], ], }, ], }, { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", "s3:PutObject", "s3:PutObjectLegalHold", "s3:PutObjectRetention", "s3:PutObjectTagging", "s3:PutObjectVersionTagging", "s3:Abort*", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "DefaultsWebsiteBucket3263D025", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsWebsiteBucket3263D025", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "cloudfront:GetInvalidation", "cloudfront:CreateInvalidation", ], "Effect": "Allow", "Resource": "*", }, ], "Version": "2012-10-17", }, "PolicyName": "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF", "Roles": [ { "Ref": "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265", }, ], }, "Type": "AWS::IAM::Policy", }, "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F": { "DependsOn": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", ], "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "S3Key": "350185a1069fa20a23a583e20c77f6844218bd73097902362dc94f1a108f5d89.zip", }, "Description": { "Fn::Join": [ "", [ "Lambda function for auto-deleting objects in ", { "Ref": "DefaultsAccessLogsBucket1E788CBC", }, " S3 bucket.", ], ], }, "Handler": "__entrypoint__.handler", "MemorySize": 128, "Role": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn", ], }, "Runtime": "nodejs16.x", "Timeout": 900, }, "Type": "AWS::Lambda::Function", }, "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "ManagedPolicyArns": [ { "Fn::Sub": "arn:\${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", }, ], }, "Type": "AWS::IAM::Role", }, "DefaultsAccessLogsBucket1E788CBC": { "DeletionPolicy": "Delete", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256", }, }, ], }, "OwnershipControls": { "Rules": [ { "ObjectOwnership": "ObjectWriter", }, ], }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true, }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", "Value": "true", }, ], }, "Type": "AWS::S3::Bucket", "UpdateReplacePolicy": "Delete", }, "DefaultsAccessLogsBucketAutoDeleteObjectsCustomResourceB315E04B": { "DeletionPolicy": "Delete", "DependsOn": [ "DefaultsAccessLogsBucketPolicy87291CAB", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketName": { "Ref": "DefaultsAccessLogsBucket1E788CBC", }, "ServiceToken": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", "Arn", ], }, }, "Type": "Custom::S3AutoDeleteObjects", "UpdateReplacePolicy": "Delete", }, "DefaultsAccessLogsBucketPolicy87291CAB": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Bucket": { "Ref": "DefaultsAccessLogsBucket1E788CBC", }, "PolicyDocument": { "Statement": [ { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": "false", }, }, "Effect": "Deny", "Principal": { "AWS": "*", }, "Resource": [ { "Fn::GetAtt": [ "DefaultsAccessLogsBucket1E788CBC", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsAccessLogsBucket1E788CBC", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn", ], }, }, "Resource": [ { "Fn::GetAtt": [ "DefaultsAccessLogsBucket1E788CBC", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsAccessLogsBucket1E788CBC", "Arn", ], }, "/*", ], ], }, ], }, { "Action": "s3:PutObject", "Condition": { "ArnLike": { "aws:SourceArn": { "Fn::GetAtt": [ "DefaultsWebsiteBucket3263D025", "Arn", ], }, }, "StringEquals": { "aws:SourceAccount": { "Ref": "AWS::AccountId", }, }, }, "Effect": "Allow", "Principal": { "Service": "logging.s3.amazonaws.com", }, "Resource": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsAccessLogsBucket1E788CBC", "Arn", ], }, "/website-access-logs*", ], ], }, }, { "Action": "s3:PutObject", "Condition": { "ArnLike": { "aws:SourceArn": { "Fn::GetAtt": [ "DefaultsDistributionLogBucket7EA741E2", "Arn", ], }, }, "StringEquals": { "aws:SourceAccount": { "Ref": "AWS::AccountId", }, }, }, "Effect": "Allow", "Principal": { "Service": "logging.s3.amazonaws.com", }, "Resource": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsAccessLogsBucket1E788CBC", "Arn", ], }, "/distribution-access-logs*", ], ], }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::S3::BucketPolicy", }, "DefaultsCloudfrontDistributionF4EA1054": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-CFR4", "reason": "Certificate is not mandatory therefore the Cloudfront certificate will be used.", }, { "id": "AwsPrototyping-CloudFrontDistributionHttpsViewerNoOutdatedSSL", "reason": "Certificate is not mandatory therefore the Cloudfront certificate will be used.", }, { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "DistributionConfig": { "CustomErrorResponses": [ { "ErrorCode": 404, "ResponseCode": 200, "ResponsePagePath": "/index.html", }, ], "DefaultCacheBehavior": { "CachePolicyId": "658327ea-f89d-4fab-a63d-7e88639e58f6", "Compress": true, "TargetOriginId": "DefaultsCloudfrontDistributionOrigin1BA23CD94", "ViewerProtocolPolicy": "redirect-to-https", }, "DefaultRootObject": "index.html", "Enabled": true, "HttpVersion": "http2", "IPV6Enabled": true, "Logging": { "Bucket": { "Fn::GetAtt": [ "DefaultsDistributionLogBucket7EA741E2", "RegionalDomainName", ], }, }, "Origins": [ { "DomainName": { "Fn::GetAtt": [ "DefaultsWebsiteBucket3263D025", "RegionalDomainName", ], }, "Id": "DefaultsCloudfrontDistributionOrigin1BA23CD94", "S3OriginConfig": { "OriginAccessIdentity": { "Fn::Join": [ "", [ "origin-access-identity/cloudfront/", { "Ref": "DefaultsOriginAccessIdentity7F5D47DF", }, ], ], }, }, }, ], "Restrictions": { "GeoRestriction": { "Locations": [ "AU", "SG", ], "RestrictionType": "whitelist", }, }, "WebACLId": { "Fn::GetAtt": [ "DefaultsWebsiteAclCFWebAclCustomResourceB050DB2C", "WebAclArn", ], }, }, }, "Type": "AWS::CloudFront::Distribution", }, "DefaultsDistributionLogBucket7EA741E2": { "DeletionPolicy": "Delete", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256", }, }, ], }, "LoggingConfiguration": { "DestinationBucketName": { "Ref": "DefaultsAccessLogsBucket1E788CBC", }, "LogFilePrefix": "distribution-access-logs", }, "OwnershipControls": { "Rules": [ { "ObjectOwnership": "BucketOwnerPreferred", }, ], }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true, }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", "Value": "true", }, ], }, "Type": "AWS::S3::Bucket", "UpdateReplacePolicy": "Delete", }, "DefaultsDistributionLogBucketAutoDeleteObjectsCustomResource7370C612": { "DeletionPolicy": "Delete", "DependsOn": [ "DefaultsDistributionLogBucketPolicyC6D11E8F", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketName": { "Ref": "DefaultsDistributionLogBucket7EA741E2", }, "ServiceToken": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", "Arn", ], }, }, "Type": "Custom::S3AutoDeleteObjects", "UpdateReplacePolicy": "Delete", }, "DefaultsDistributionLogBucketPolicyC6D11E8F": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Bucket": { "Ref": "DefaultsDistributionLogBucket7EA741E2", }, "PolicyDocument": { "Statement": [ { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": "false", }, }, "Effect": "Deny", "Principal": { "AWS": "*", }, "Resource": [ { "Fn::GetAtt": [ "DefaultsDistributionLogBucket7EA741E2", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsDistributionLogBucket7EA741E2", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn", ], }, }, "Resource": [ { "Fn::GetAtt": [ "DefaultsDistributionLogBucket7EA741E2", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsDistributionLogBucket7EA741E2", "Arn", ], }, "/*", ], ], }, ], }, ], "Version": "2012-10-17", }, }, "Type": "AWS::S3::BucketPolicy", }, "DefaultsOriginAccessIdentity7F5D47DF": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "CloudFrontOriginAccessIdentityConfig": { "Comment": "Allows CloudFront to reach the bucket", }, }, "Type": "AWS::CloudFront::CloudFrontOriginAccessIdentity", }, "DefaultsWebsiteAclCFWebAclCustomResourceB050DB2C": { "DeletionPolicy": "Delete", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "ID": "Default-WebsiteAcl", "MANAGED_RULES": [ { "name": "AWSManagedRulesCommonRuleSet", "vendor": "AWS", }, ], "ServiceToken": { "Fn::GetAtt": [ "DefaultsWebsiteAclCloudfrontWebAclProviderframeworkonEvent595963CB", "Arn", ], }, }, "Type": "AWS::CloudFormation::CustomResource", "UpdateReplacePolicy": "Delete", }, "DefaultsWebsiteAclCloudfrontWebAclOnEventHandlerEC085AE0": { "DependsOn": [ "DefaultsWebsiteAclOnEventHandlerRole83BC6E99", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "S3Key": "f9a4e3a2d1dd90ac1bfaec793acad708d019b35402700253f45a40ada6d2786a.zip", }, "FunctionName": "Default-OnEventHandler", "Handler": "index.onEvent", "Role": { "Fn::GetAtt": [ "DefaultsWebsiteAclOnEventHandlerRole83BC6E99", "Arn", ], }, "Runtime": "nodejs16.x", "Timeout": 300, }, "Type": "AWS::Lambda::Function", }, "DefaultsWebsiteAclCloudfrontWebAclProviderRoleD884ECCA": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Cloudwatch resources have been scoped down to the LogGroup level, however * is still needed as stream names are created just in time.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Cloudwatch resources have been scoped down to the LogGroup level, however * is still needed as stream names are created just in time.", }, { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "Policies": [ { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:aws:logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/lambda/", { "Ref": "DefaultsWebsiteAclCloudfrontWebAclOnEventHandlerEC085AE0", }, "-Provider", ], ], }, { "Fn::Join": [ "", [ "arn:aws:logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/lambda/", { "Ref": "DefaultsWebsiteAclCloudfrontWebAclOnEventHandlerEC085AE0", }, "-Provider:*", ], ], }, ], }, ], "Version": "2012-10-17", }, "PolicyName": "logs", }, ], }, "Type": "AWS::IAM::Role", }, "DefaultsWebsiteAclCloudfrontWebAclProviderRoleDefaultPolicy0BEB9831": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Cloudwatch resources have been scoped down to the LogGroup level, however * is still needed as stream names are created just in time.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Cloudwatch resources have been scoped down to the LogGroup level, however * is still needed as stream names are created just in time.", }, { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": "lambda:InvokeFunction", "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "DefaultsWebsiteAclCloudfrontWebAclOnEventHandlerEC085AE0", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsWebsiteAclCloudfrontWebAclOnEventHandlerEC085AE0", "Arn", ], }, ":*", ], ], }, ], }, ], "Version": "2012-10-17", }, "PolicyName": "DefaultsWebsiteAclCloudfrontWebAclProviderRoleDefaultPolicy0BEB9831", "Roles": [ { "Ref": "DefaultsWebsiteAclCloudfrontWebAclProviderRoleD884ECCA", }, ], }, "Type": "AWS::IAM::Policy", }, "DefaultsWebsiteAclCloudfrontWebAclProviderframeworkonEvent595963CB": { "DependsOn": [ "DefaultsWebsiteAclCloudfrontWebAclProviderRoleDefaultPolicy0BEB9831", "DefaultsWebsiteAclCloudfrontWebAclProviderRoleD884ECCA", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the Provider construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the Provider construct accordingly.", }, { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "S3Key": "8e3d635893ea17fa3158623489cd42c680fad925b38de1ef51cb10d84f6e245e.zip", }, "Description": "AWS CDK resource provider framework - onEvent (Default/Defaults/WebsiteAcl/CloudfrontWebAclProvider)", "Environment": { "Variables": { "USER_ON_EVENT_FUNCTION_ARN": { "Fn::GetAtt": [ "DefaultsWebsiteAclCloudfrontWebAclOnEventHandlerEC085AE0", "Arn", ], }, }, }, "FunctionName": { "Fn::Join": [ "", [ { "Ref": "DefaultsWebsiteAclCloudfrontWebAclOnEventHandlerEC085AE0", }, "-Provider", ], ], }, "Handler": "framework.onEvent", "Role": { "Fn::GetAtt": [ "DefaultsWebsiteAclCloudfrontWebAclProviderRoleD884ECCA", "Arn", ], }, "Runtime": "nodejs14.x", "Timeout": 900, }, "Type": "AWS::Lambda::Function", }, "DefaultsWebsiteAclOnEventHandlerRole83BC6E99": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "applies_to": [ { "regex": "/^Resource::arn:aws:wafv2:us-east-1::global/(.*)$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "WafV2 resources have been scoped down to the ACL/IPSet level, however * is still needed as resource id's are created just in time.", }, { "applies_to": [ { "regex": "/^Resource::arn:aws:logs:::log-group:/aws/lambda/Default-OnEventHandler:*/g", }, ], "id": "AwsSolutions-IAM5", "reason": "Cloudwatch resources have been scoped down to the LogGroup level, however * is still needed as stream names are created just in time.", }, { "applies_to": [ { "regex": "/^Resource::arn:aws:wafv2:us-east-1::global/(.*)$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "WafV2 resources have been scoped down to the ACL/IPSet level, however * is still needed as resource id's are created just in time.", }, { "applies_to": [ { "regex": "/^Resource::arn:aws:logs:::log-group:/aws/lambda/Default-OnEventHandler:*/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Cloudwatch resources have been scoped down to the LogGroup level, however * is still needed as stream names are created just in time.", }, { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "Policies": [ { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:aws:logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/lambda/Default-OnEventHandler", ], ], }, { "Fn::Join": [ "", [ "arn:aws:logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/lambda/Default-OnEventHandler:*", ], ], }, ], }, ], "Version": "2012-10-17", }, "PolicyName": "logs", }, { "PolicyDocument": { "Statement": [ { "Action": [ "wafv2:CreateWebACL", "wafv2:DeleteWebACL", "wafv2:UpdateWebACL", "wafv2:GetWebACL", ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:aws:wafv2:us-east-1:", { "Ref": "AWS::AccountId", }, ":global/ipset/Default-WebsiteAcl-IPSet/*", ], ], }, { "Fn::Join": [ "", [ "arn:aws:wafv2:us-east-1:", { "Ref": "AWS::AccountId", }, ":global/webacl/Default-WebsiteAcl/*", ], ], }, { "Fn::Join": [ "", [ "arn:aws:wafv2:us-east-1:", { "Ref": "AWS::AccountId", }, ":global/managedruleset/*/*", ], ], }, ], }, { "Action": [ "wafv2:CreateIPSet", "wafv2:DeleteIPSet", "wafv2:UpdateIPSet", "wafv2:GetIPSet", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:aws:wafv2:us-east-1:", { "Ref": "AWS::AccountId", }, ":global/ipset/Default-WebsiteAcl-IPSet/*", ], ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "wafv2", }, ], }, "Type": "AWS::IAM::Role", }, "DefaultsWebsiteBucket3263D025": { "DeletionPolicy": "Delete", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256", }, }, ], }, "LoggingConfiguration": { "DestinationBucketName": { "Ref": "DefaultsAccessLogsBucket1E788CBC", }, "LogFilePrefix": "website-access-logs", }, "OwnershipControls": { "Rules": [ { "ObjectOwnership": "BucketOwnerEnforced", }, ], }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true, }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", "Value": "true", }, { "Key": "aws-cdk:cr-owned:fb67e0d5", "Value": "true", }, ], "VersioningConfiguration": { "Status": "Enabled", }, }, "Type": "AWS::S3::Bucket", "UpdateReplacePolicy": "Delete", }, "DefaultsWebsiteBucketAutoDeleteObjectsCustomResourceD840F8F2": { "DeletionPolicy": "Delete", "DependsOn": [ "DefaultsWebsiteBucketPolicy594E6643", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketName": { "Ref": "DefaultsWebsiteBucket3263D025", }, "ServiceToken": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", "Arn", ], }, }, "Type": "Custom::S3AutoDeleteObjects", "UpdateReplacePolicy": "Delete", }, "DefaultsWebsiteBucketPolicy594E6643": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Bucket": { "Ref": "DefaultsWebsiteBucket3263D025", }, "PolicyDocument": { "Statement": [ { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": "false", }, }, "Effect": "Deny", "Principal": { "AWS": "*", }, "Resource": [ { "Fn::GetAtt": [ "DefaultsWebsiteBucket3263D025", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsWebsiteBucket3263D025", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn", ], }, }, "Resource": [ { "Fn::GetAtt": [ "DefaultsWebsiteBucket3263D025", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsWebsiteBucket3263D025", "Arn", ], }, "/*", ], ], }, ], }, { "Action": "s3:ListBucket", "Effect": "Allow", "Principal": { "CanonicalUser": { "Fn::GetAtt": [ "DefaultsOriginAccessIdentity7F5D47DF", "S3CanonicalUserId", ], }, }, "Resource": { "Fn::GetAtt": [ "DefaultsWebsiteBucket3263D025", "Arn", ], }, }, { "Action": "s3:GetObject", "Effect": "Allow", "Principal": { "CanonicalUser": { "Fn::GetAtt": [ "DefaultsOriginAccessIdentity7F5D47DF", "S3CanonicalUserId", ], }, }, "Resource": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsWebsiteBucket3263D025", "Arn", ], }, "/*", ], ], }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::S3::BucketPolicy", }, "DefaultsWebsiteDeploymentAwsCliLayerD5AA12CC": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Content": { "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "S3Key": "0e38c73676c042efb04d698981ab7a9706991a146e59250a537916db0e9bde39.zip", }, "Description": "/opt/awscli/aws", }, "Type": "AWS::Lambda::LayerVersion", }, "DefaultsWebsiteDeploymentCustomResource326CD6C1": { "DeletionPolicy": "Delete", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "DestinationBucketName": { "Ref": "DefaultsWebsiteBucket3263D025", }, "DistributionId": { "Ref": "DefaultsCloudfrontDistributionF4EA1054", }, "Prune": true, "ServiceToken": { "Fn::GetAtt": [ "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C81C01536", "Arn", ], }, "SourceBucketNames": [ { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, ], "SourceObjectKeys": [ "a79f62b4071246acc1e8e834ba67dc3bbf15a3662e39d31667fa59315ef86f56.zip", ], }, "Type": "Custom::CDKBucketDeployment", "UpdateReplacePolicy": "Delete", }, }, "Rules": { "CheckBootstrapVersion": { "Assertions": [ { "Assert": { "Fn::Not": [ { "Fn::Contains": [ [ "1", "2", "3", "4", "5", ], { "Ref": "BootstrapVersion", }, ], }, ], }, "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI.", }, ], }, }, } `; exports[`Static Website Unit Tests Defaults with suppression rule - using AwsPrototyping NagPack 1`] = ` { "Mappings": { "DefaultCrNodeVersionMap": { "af-south-1": { "value": "nodejs16.x", }, "ap-east-1": { "value": "nodejs16.x", }, "ap-northeast-1": { "value": "nodejs16.x", }, "ap-northeast-2": { "value": "nodejs16.x", }, "ap-northeast-3": { "value": "nodejs16.x", }, "ap-south-1": { "value": "nodejs16.x", }, "ap-south-2": { "value": "nodejs16.x", }, "ap-southeast-1": { "value": "nodejs16.x", }, "ap-southeast-2": { "value": "nodejs16.x", }, "ap-southeast-3": { "value": "nodejs16.x", }, "ca-central-1": { "value": "nodejs16.x", }, "cn-north-1": { "value": "nodejs16.x", }, "cn-northwest-1": { "value": "nodejs16.x", }, "eu-central-1": { "value": "nodejs16.x", }, "eu-central-2": { "value": "nodejs16.x", }, "eu-north-1": { "value": "nodejs16.x", }, "eu-south-1": { "value": "nodejs16.x", }, "eu-south-2": { "value": "nodejs16.x", }, "eu-west-1": { "value": "nodejs16.x", }, "eu-west-2": { "value": "nodejs16.x", }, "eu-west-3": { "value": "nodejs16.x", }, "me-central-1": { "value": "nodejs16.x", }, "me-south-1": { "value": "nodejs16.x", }, "sa-east-1": { "value": "nodejs16.x", }, "us-east-1": { "value": "nodejs16.x", }, "us-east-2": { "value": "nodejs16.x", }, "us-gov-east-1": { "value": "nodejs16.x", }, "us-gov-west-1": { "value": "nodejs16.x", }, "us-iso-east-1": { "value": "nodejs14.x", }, "us-iso-west-1": { "value": "nodejs14.x", }, "us-isob-east-1": { "value": "nodejs14.x", }, "us-west-1": { "value": "nodejs16.x", }, "us-west-2": { "value": "nodejs16.x", }, }, }, "Outputs": { "DefaultsDistributionDomainNameFD2CBB4B": { "Value": { "Fn::GetAtt": [ "DefaultsCloudfrontDistributionF4EA1054", "DomainName", ], }, }, }, "Parameters": { "BootstrapVersion": { "Default": "/cdk-bootstrap/hnb659fds/version", "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]", "Type": "AWS::SSM::Parameter::Value", }, }, "Resources": { "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C81C01536": { "DependsOn": [ "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF", "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsPrototyping-CloudFrontDistributionGeoRestrictions", "reason": "This is a supression reason", }, ], }, }, "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "S3Key": "9eb41a5505d37607ac419321497a4f8c21cf0ee1f9b4a6b29aa04301aea5c7fd.zip", }, "Environment": { "Variables": { "AWS_CA_BUNDLE": "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", }, }, "Handler": "index.handler", "Layers": [ { "Ref": "DefaultsWebsiteDeploymentAwsCliLayerD5AA12CC", }, ], "Role": { "Fn::GetAtt": [ "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265", "Arn", ], }, "Runtime": "python3.9", "Timeout": 900, }, "Type": "AWS::Lambda::Function", }, "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsPrototyping-CloudFrontDistributionGeoRestrictions", "reason": "This is a supression reason", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "ManagedPolicyArns": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", ], ], }, ], }, "Type": "AWS::IAM::Role", }, "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsPrototyping-CloudFrontDistributionGeoRestrictions", "reason": "This is a supression reason", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":s3:::", { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, ], ], }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":s3:::", { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "/*", ], ], }, ], }, { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", "s3:PutObject", "s3:PutObjectLegalHold", "s3:PutObjectRetention", "s3:PutObjectTagging", "s3:PutObjectVersionTagging", "s3:Abort*", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "DefaultsWebsiteBucket3263D025", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsWebsiteBucket3263D025", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "cloudfront:GetInvalidation", "cloudfront:CreateInvalidation", ], "Effect": "Allow", "Resource": "*", }, ], "Version": "2012-10-17", }, "PolicyName": "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF", "Roles": [ { "Ref": "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265", }, ], }, "Type": "AWS::IAM::Policy", }, "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F": { "DependsOn": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsPrototyping-CloudFrontDistributionGeoRestrictions", "reason": "This is a supression reason", }, ], }, }, "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "S3Key": "350185a1069fa20a23a583e20c77f6844218bd73097902362dc94f1a108f5d89.zip", }, "Description": { "Fn::Join": [ "", [ "Lambda function for auto-deleting objects in ", { "Ref": "DefaultsAccessLogsBucket1E788CBC", }, " S3 bucket.", ], ], }, "Handler": "__entrypoint__.handler", "MemorySize": 128, "Role": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn", ], }, "Runtime": "nodejs16.x", "Timeout": 900, }, "Type": "AWS::Lambda::Function", }, "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsPrototyping-CloudFrontDistributionGeoRestrictions", "reason": "This is a supression reason", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "ManagedPolicyArns": [ { "Fn::Sub": "arn:\${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", }, ], }, "Type": "AWS::IAM::Role", }, "DefaultsAccessLogsBucket1E788CBC": { "DeletionPolicy": "Delete", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-CloudFrontDistributionGeoRestrictions", "reason": "This is a supression reason", }, ], }, }, "Properties": { "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256", }, }, ], }, "OwnershipControls": { "Rules": [ { "ObjectOwnership": "ObjectWriter", }, ], }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true, }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", "Value": "true", }, ], }, "Type": "AWS::S3::Bucket", "UpdateReplacePolicy": "Delete", }, "DefaultsAccessLogsBucketAutoDeleteObjectsCustomResourceB315E04B": { "DeletionPolicy": "Delete", "DependsOn": [ "DefaultsAccessLogsBucketPolicy87291CAB", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-CloudFrontDistributionGeoRestrictions", "reason": "This is a supression reason", }, ], }, }, "Properties": { "BucketName": { "Ref": "DefaultsAccessLogsBucket1E788CBC", }, "ServiceToken": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", "Arn", ], }, }, "Type": "Custom::S3AutoDeleteObjects", "UpdateReplacePolicy": "Delete", }, "DefaultsAccessLogsBucketPolicy87291CAB": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-CloudFrontDistributionGeoRestrictions", "reason": "This is a supression reason", }, ], }, }, "Properties": { "Bucket": { "Ref": "DefaultsAccessLogsBucket1E788CBC", }, "PolicyDocument": { "Statement": [ { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": "false", }, }, "Effect": "Deny", "Principal": { "AWS": "*", }, "Resource": [ { "Fn::GetAtt": [ "DefaultsAccessLogsBucket1E788CBC", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsAccessLogsBucket1E788CBC", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn", ], }, }, "Resource": [ { "Fn::GetAtt": [ "DefaultsAccessLogsBucket1E788CBC", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsAccessLogsBucket1E788CBC", "Arn", ], }, "/*", ], ], }, ], }, { "Action": "s3:PutObject", "Condition": { "ArnLike": { "aws:SourceArn": { "Fn::GetAtt": [ "DefaultsWebsiteBucket3263D025", "Arn", ], }, }, "StringEquals": { "aws:SourceAccount": { "Ref": "AWS::AccountId", }, }, }, "Effect": "Allow", "Principal": { "Service": "logging.s3.amazonaws.com", }, "Resource": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsAccessLogsBucket1E788CBC", "Arn", ], }, "/website-access-logs*", ], ], }, }, { "Action": "s3:PutObject", "Condition": { "ArnLike": { "aws:SourceArn": { "Fn::GetAtt": [ "DefaultsDistributionLogBucket7EA741E2", "Arn", ], }, }, "StringEquals": { "aws:SourceAccount": { "Ref": "AWS::AccountId", }, }, }, "Effect": "Allow", "Principal": { "Service": "logging.s3.amazonaws.com", }, "Resource": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsAccessLogsBucket1E788CBC", "Arn", ], }, "/distribution-access-logs*", ], ], }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::S3::BucketPolicy", }, "DefaultsCloudfrontDistributionF4EA1054": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-CFR4", "reason": "Certificate is not mandatory therefore the Cloudfront certificate will be used.", }, { "id": "AwsPrototyping-CloudFrontDistributionHttpsViewerNoOutdatedSSL", "reason": "Certificate is not mandatory therefore the Cloudfront certificate will be used.", }, { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-CloudFrontDistributionGeoRestrictions", "reason": "This is a supression reason", }, ], }, }, "Properties": { "DistributionConfig": { "CustomErrorResponses": [ { "ErrorCode": 404, "ResponseCode": 200, "ResponsePagePath": "/index.html", }, ], "DefaultCacheBehavior": { "CachePolicyId": "658327ea-f89d-4fab-a63d-7e88639e58f6", "Compress": true, "TargetOriginId": "DefaultsCloudfrontDistributionOrigin1BA23CD94", "ViewerProtocolPolicy": "redirect-to-https", }, "DefaultRootObject": "index.html", "Enabled": true, "HttpVersion": "http2", "IPV6Enabled": true, "Logging": { "Bucket": { "Fn::GetAtt": [ "DefaultsDistributionLogBucket7EA741E2", "RegionalDomainName", ], }, }, "Origins": [ { "DomainName": { "Fn::GetAtt": [ "DefaultsWebsiteBucket3263D025", "RegionalDomainName", ], }, "Id": "DefaultsCloudfrontDistributionOrigin1BA23CD94", "S3OriginConfig": { "OriginAccessIdentity": { "Fn::Join": [ "", [ "origin-access-identity/cloudfront/", { "Ref": "DefaultsOriginAccessIdentity7F5D47DF", }, ], ], }, }, }, ], "WebACLId": { "Fn::GetAtt": [ "DefaultsWebsiteAclCFWebAclCustomResourceB050DB2C", "WebAclArn", ], }, }, }, "Type": "AWS::CloudFront::Distribution", }, "DefaultsDistributionLogBucket7EA741E2": { "DeletionPolicy": "Delete", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-CloudFrontDistributionGeoRestrictions", "reason": "This is a supression reason", }, ], }, }, "Properties": { "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256", }, }, ], }, "LoggingConfiguration": { "DestinationBucketName": { "Ref": "DefaultsAccessLogsBucket1E788CBC", }, "LogFilePrefix": "distribution-access-logs", }, "OwnershipControls": { "Rules": [ { "ObjectOwnership": "BucketOwnerPreferred", }, ], }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true, }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", "Value": "true", }, ], }, "Type": "AWS::S3::Bucket", "UpdateReplacePolicy": "Delete", }, "DefaultsDistributionLogBucketAutoDeleteObjectsCustomResource7370C612": { "DeletionPolicy": "Delete", "DependsOn": [ "DefaultsDistributionLogBucketPolicyC6D11E8F", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-CloudFrontDistributionGeoRestrictions", "reason": "This is a supression reason", }, ], }, }, "Properties": { "BucketName": { "Ref": "DefaultsDistributionLogBucket7EA741E2", }, "ServiceToken": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", "Arn", ], }, }, "Type": "Custom::S3AutoDeleteObjects", "UpdateReplacePolicy": "Delete", }, "DefaultsDistributionLogBucketPolicyC6D11E8F": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-CloudFrontDistributionGeoRestrictions", "reason": "This is a supression reason", }, ], }, }, "Properties": { "Bucket": { "Ref": "DefaultsDistributionLogBucket7EA741E2", }, "PolicyDocument": { "Statement": [ { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": "false", }, }, "Effect": "Deny", "Principal": { "AWS": "*", }, "Resource": [ { "Fn::GetAtt": [ "DefaultsDistributionLogBucket7EA741E2", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsDistributionLogBucket7EA741E2", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn", ], }, }, "Resource": [ { "Fn::GetAtt": [ "DefaultsDistributionLogBucket7EA741E2", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsDistributionLogBucket7EA741E2", "Arn", ], }, "/*", ], ], }, ], }, ], "Version": "2012-10-17", }, }, "Type": "AWS::S3::BucketPolicy", }, "DefaultsOriginAccessIdentity7F5D47DF": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-CloudFrontDistributionGeoRestrictions", "reason": "This is a supression reason", }, ], }, }, "Properties": { "CloudFrontOriginAccessIdentityConfig": { "Comment": "Allows CloudFront to reach the bucket", }, }, "Type": "AWS::CloudFront::CloudFrontOriginAccessIdentity", }, "DefaultsWebsiteAclCFWebAclCustomResourceB050DB2C": { "DeletionPolicy": "Delete", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-CloudFrontDistributionGeoRestrictions", "reason": "This is a supression reason", }, ], }, }, "Properties": { "ID": "Default-WebsiteAcl", "MANAGED_RULES": [ { "name": "AWSManagedRulesCommonRuleSet", "vendor": "AWS", }, ], "ServiceToken": { "Fn::GetAtt": [ "DefaultsWebsiteAclCloudfrontWebAclProviderframeworkonEvent595963CB", "Arn", ], }, }, "Type": "AWS::CloudFormation::CustomResource", "UpdateReplacePolicy": "Delete", }, "DefaultsWebsiteAclCloudfrontWebAclOnEventHandlerEC085AE0": { "DependsOn": [ "DefaultsWebsiteAclOnEventHandlerRole83BC6E99", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-CloudFrontDistributionGeoRestrictions", "reason": "This is a supression reason", }, ], }, }, "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "S3Key": "f9a4e3a2d1dd90ac1bfaec793acad708d019b35402700253f45a40ada6d2786a.zip", }, "FunctionName": "Default-OnEventHandler", "Handler": "index.onEvent", "Role": { "Fn::GetAtt": [ "DefaultsWebsiteAclOnEventHandlerRole83BC6E99", "Arn", ], }, "Runtime": "nodejs16.x", "Timeout": 300, }, "Type": "AWS::Lambda::Function", }, "DefaultsWebsiteAclCloudfrontWebAclProviderRoleD884ECCA": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Cloudwatch resources have been scoped down to the LogGroup level, however * is still needed as stream names are created just in time.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Cloudwatch resources have been scoped down to the LogGroup level, however * is still needed as stream names are created just in time.", }, { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-CloudFrontDistributionGeoRestrictions", "reason": "This is a supression reason", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "Policies": [ { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:aws:logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/lambda/", { "Ref": "DefaultsWebsiteAclCloudfrontWebAclOnEventHandlerEC085AE0", }, "-Provider", ], ], }, { "Fn::Join": [ "", [ "arn:aws:logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/lambda/", { "Ref": "DefaultsWebsiteAclCloudfrontWebAclOnEventHandlerEC085AE0", }, "-Provider:*", ], ], }, ], }, ], "Version": "2012-10-17", }, "PolicyName": "logs", }, ], }, "Type": "AWS::IAM::Role", }, "DefaultsWebsiteAclCloudfrontWebAclProviderRoleDefaultPolicy0BEB9831": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Cloudwatch resources have been scoped down to the LogGroup level, however * is still needed as stream names are created just in time.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Cloudwatch resources have been scoped down to the LogGroup level, however * is still needed as stream names are created just in time.", }, { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-CloudFrontDistributionGeoRestrictions", "reason": "This is a supression reason", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": "lambda:InvokeFunction", "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "DefaultsWebsiteAclCloudfrontWebAclOnEventHandlerEC085AE0", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsWebsiteAclCloudfrontWebAclOnEventHandlerEC085AE0", "Arn", ], }, ":*", ], ], }, ], }, ], "Version": "2012-10-17", }, "PolicyName": "DefaultsWebsiteAclCloudfrontWebAclProviderRoleDefaultPolicy0BEB9831", "Roles": [ { "Ref": "DefaultsWebsiteAclCloudfrontWebAclProviderRoleD884ECCA", }, ], }, "Type": "AWS::IAM::Policy", }, "DefaultsWebsiteAclCloudfrontWebAclProviderframeworkonEvent595963CB": { "DependsOn": [ "DefaultsWebsiteAclCloudfrontWebAclProviderRoleDefaultPolicy0BEB9831", "DefaultsWebsiteAclCloudfrontWebAclProviderRoleD884ECCA", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the Provider construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the Provider construct accordingly.", }, { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-CloudFrontDistributionGeoRestrictions", "reason": "This is a supression reason", }, ], }, }, "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "S3Key": "8e3d635893ea17fa3158623489cd42c680fad925b38de1ef51cb10d84f6e245e.zip", }, "Description": "AWS CDK resource provider framework - onEvent (Default/Defaults/WebsiteAcl/CloudfrontWebAclProvider)", "Environment": { "Variables": { "USER_ON_EVENT_FUNCTION_ARN": { "Fn::GetAtt": [ "DefaultsWebsiteAclCloudfrontWebAclOnEventHandlerEC085AE0", "Arn", ], }, }, }, "FunctionName": { "Fn::Join": [ "", [ { "Ref": "DefaultsWebsiteAclCloudfrontWebAclOnEventHandlerEC085AE0", }, "-Provider", ], ], }, "Handler": "framework.onEvent", "Role": { "Fn::GetAtt": [ "DefaultsWebsiteAclCloudfrontWebAclProviderRoleD884ECCA", "Arn", ], }, "Runtime": "nodejs14.x", "Timeout": 900, }, "Type": "AWS::Lambda::Function", }, "DefaultsWebsiteAclOnEventHandlerRole83BC6E99": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "applies_to": [ { "regex": "/^Resource::arn:aws:wafv2:us-east-1::global/(.*)$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "WafV2 resources have been scoped down to the ACL/IPSet level, however * is still needed as resource id's are created just in time.", }, { "applies_to": [ { "regex": "/^Resource::arn:aws:logs:::log-group:/aws/lambda/Default-OnEventHandler:*/g", }, ], "id": "AwsSolutions-IAM5", "reason": "Cloudwatch resources have been scoped down to the LogGroup level, however * is still needed as stream names are created just in time.", }, { "applies_to": [ { "regex": "/^Resource::arn:aws:wafv2:us-east-1::global/(.*)$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "WafV2 resources have been scoped down to the ACL/IPSet level, however * is still needed as resource id's are created just in time.", }, { "applies_to": [ { "regex": "/^Resource::arn:aws:logs:::log-group:/aws/lambda/Default-OnEventHandler:*/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Cloudwatch resources have been scoped down to the LogGroup level, however * is still needed as stream names are created just in time.", }, { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-CloudFrontDistributionGeoRestrictions", "reason": "This is a supression reason", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "Policies": [ { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:aws:logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/lambda/Default-OnEventHandler", ], ], }, { "Fn::Join": [ "", [ "arn:aws:logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/lambda/Default-OnEventHandler:*", ], ], }, ], }, ], "Version": "2012-10-17", }, "PolicyName": "logs", }, { "PolicyDocument": { "Statement": [ { "Action": [ "wafv2:CreateWebACL", "wafv2:DeleteWebACL", "wafv2:UpdateWebACL", "wafv2:GetWebACL", ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:aws:wafv2:us-east-1:", { "Ref": "AWS::AccountId", }, ":global/ipset/Default-WebsiteAcl-IPSet/*", ], ], }, { "Fn::Join": [ "", [ "arn:aws:wafv2:us-east-1:", { "Ref": "AWS::AccountId", }, ":global/webacl/Default-WebsiteAcl/*", ], ], }, { "Fn::Join": [ "", [ "arn:aws:wafv2:us-east-1:", { "Ref": "AWS::AccountId", }, ":global/managedruleset/*/*", ], ], }, ], }, { "Action": [ "wafv2:CreateIPSet", "wafv2:DeleteIPSet", "wafv2:UpdateIPSet", "wafv2:GetIPSet", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:aws:wafv2:us-east-1:", { "Ref": "AWS::AccountId", }, ":global/ipset/Default-WebsiteAcl-IPSet/*", ], ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "wafv2", }, ], }, "Type": "AWS::IAM::Role", }, "DefaultsWebsiteBucket3263D025": { "DeletionPolicy": "Delete", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-CloudFrontDistributionGeoRestrictions", "reason": "This is a supression reason", }, ], }, }, "Properties": { "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256", }, }, ], }, "LoggingConfiguration": { "DestinationBucketName": { "Ref": "DefaultsAccessLogsBucket1E788CBC", }, "LogFilePrefix": "website-access-logs", }, "OwnershipControls": { "Rules": [ { "ObjectOwnership": "BucketOwnerEnforced", }, ], }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true, }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", "Value": "true", }, { "Key": "aws-cdk:cr-owned:fb67e0d5", "Value": "true", }, ], "VersioningConfiguration": { "Status": "Enabled", }, }, "Type": "AWS::S3::Bucket", "UpdateReplacePolicy": "Delete", }, "DefaultsWebsiteBucketAutoDeleteObjectsCustomResourceD840F8F2": { "DeletionPolicy": "Delete", "DependsOn": [ "DefaultsWebsiteBucketPolicy594E6643", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-CloudFrontDistributionGeoRestrictions", "reason": "This is a supression reason", }, ], }, }, "Properties": { "BucketName": { "Ref": "DefaultsWebsiteBucket3263D025", }, "ServiceToken": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", "Arn", ], }, }, "Type": "Custom::S3AutoDeleteObjects", "UpdateReplacePolicy": "Delete", }, "DefaultsWebsiteBucketPolicy594E6643": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-CloudFrontDistributionGeoRestrictions", "reason": "This is a supression reason", }, ], }, }, "Properties": { "Bucket": { "Ref": "DefaultsWebsiteBucket3263D025", }, "PolicyDocument": { "Statement": [ { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": "false", }, }, "Effect": "Deny", "Principal": { "AWS": "*", }, "Resource": [ { "Fn::GetAtt": [ "DefaultsWebsiteBucket3263D025", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsWebsiteBucket3263D025", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn", ], }, }, "Resource": [ { "Fn::GetAtt": [ "DefaultsWebsiteBucket3263D025", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsWebsiteBucket3263D025", "Arn", ], }, "/*", ], ], }, ], }, { "Action": "s3:ListBucket", "Effect": "Allow", "Principal": { "CanonicalUser": { "Fn::GetAtt": [ "DefaultsOriginAccessIdentity7F5D47DF", "S3CanonicalUserId", ], }, }, "Resource": { "Fn::GetAtt": [ "DefaultsWebsiteBucket3263D025", "Arn", ], }, }, { "Action": "s3:GetObject", "Effect": "Allow", "Principal": { "CanonicalUser": { "Fn::GetAtt": [ "DefaultsOriginAccessIdentity7F5D47DF", "S3CanonicalUserId", ], }, }, "Resource": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsWebsiteBucket3263D025", "Arn", ], }, "/*", ], ], }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::S3::BucketPolicy", }, "DefaultsWebsiteDeploymentAwsCliLayerD5AA12CC": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-CloudFrontDistributionGeoRestrictions", "reason": "This is a supression reason", }, ], }, }, "Properties": { "Content": { "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "S3Key": "0e38c73676c042efb04d698981ab7a9706991a146e59250a537916db0e9bde39.zip", }, "Description": "/opt/awscli/aws", }, "Type": "AWS::Lambda::LayerVersion", }, "DefaultsWebsiteDeploymentCustomResource326CD6C1": { "DeletionPolicy": "Delete", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-CloudFrontDistributionGeoRestrictions", "reason": "This is a supression reason", }, ], }, }, "Properties": { "DestinationBucketName": { "Ref": "DefaultsWebsiteBucket3263D025", }, "DistributionId": { "Ref": "DefaultsCloudfrontDistributionF4EA1054", }, "Prune": true, "ServiceToken": { "Fn::GetAtt": [ "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C81C01536", "Arn", ], }, "SourceBucketNames": [ { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, ], "SourceObjectKeys": [ "a79f62b4071246acc1e8e834ba67dc3bbf15a3662e39d31667fa59315ef86f56.zip", ], }, "Type": "Custom::CDKBucketDeployment", "UpdateReplacePolicy": "Delete", }, }, "Rules": { "CheckBootstrapVersion": { "Assertions": [ { "Assert": { "Fn::Not": [ { "Fn::Contains": [ [ "1", "2", "3", "4", "5", ], { "Ref": "BootstrapVersion", }, ], }, ], }, "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI.", }, ], }, }, } `; exports[`Static Website Unit Tests Disable Web ACL 1`] = ` { "Mappings": { "DefaultCrNodeVersionMap": { "af-south-1": { "value": "nodejs16.x", }, "ap-east-1": { "value": "nodejs16.x", }, "ap-northeast-1": { "value": "nodejs16.x", }, "ap-northeast-2": { "value": "nodejs16.x", }, "ap-northeast-3": { "value": "nodejs16.x", }, "ap-south-1": { "value": "nodejs16.x", }, "ap-south-2": { "value": "nodejs16.x", }, "ap-southeast-1": { "value": "nodejs16.x", }, "ap-southeast-2": { "value": "nodejs16.x", }, "ap-southeast-3": { "value": "nodejs16.x", }, "ca-central-1": { "value": "nodejs16.x", }, "cn-north-1": { "value": "nodejs16.x", }, "cn-northwest-1": { "value": "nodejs16.x", }, "eu-central-1": { "value": "nodejs16.x", }, "eu-central-2": { "value": "nodejs16.x", }, "eu-north-1": { "value": "nodejs16.x", }, "eu-south-1": { "value": "nodejs16.x", }, "eu-south-2": { "value": "nodejs16.x", }, "eu-west-1": { "value": "nodejs16.x", }, "eu-west-2": { "value": "nodejs16.x", }, "eu-west-3": { "value": "nodejs16.x", }, "me-central-1": { "value": "nodejs16.x", }, "me-south-1": { "value": "nodejs16.x", }, "sa-east-1": { "value": "nodejs16.x", }, "us-east-1": { "value": "nodejs16.x", }, "us-east-2": { "value": "nodejs16.x", }, "us-gov-east-1": { "value": "nodejs16.x", }, "us-gov-west-1": { "value": "nodejs16.x", }, "us-iso-east-1": { "value": "nodejs14.x", }, "us-iso-west-1": { "value": "nodejs14.x", }, "us-isob-east-1": { "value": "nodejs14.x", }, "us-west-1": { "value": "nodejs16.x", }, "us-west-2": { "value": "nodejs16.x", }, }, }, "Outputs": { "WithoutWebAclDistributionDomainName8036597A": { "Value": { "Fn::GetAtt": [ "WithoutWebAclCloudfrontDistribution079C1AED", "DomainName", ], }, }, }, "Parameters": { "BootstrapVersion": { "Default": "/cdk-bootstrap/hnb659fds/version", "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]", "Type": "AWS::SSM::Parameter::Value", }, }, "Resources": { "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C81C01536": { "DependsOn": [ "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF", "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265", ], "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "S3Key": "9eb41a5505d37607ac419321497a4f8c21cf0ee1f9b4a6b29aa04301aea5c7fd.zip", }, "Environment": { "Variables": { "AWS_CA_BUNDLE": "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", }, }, "Handler": "index.handler", "Layers": [ { "Ref": "WithoutWebAclWebsiteDeploymentAwsCliLayerD4021A44", }, ], "Role": { "Fn::GetAtt": [ "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265", "Arn", ], }, "Runtime": "python3.9", "Timeout": 900, }, "Type": "AWS::Lambda::Function", }, "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "ManagedPolicyArns": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", ], ], }, ], }, "Type": "AWS::IAM::Role", }, "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF": { "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":s3:::", { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, ], ], }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":s3:::", { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "/*", ], ], }, ], }, { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", "s3:PutObject", "s3:PutObjectLegalHold", "s3:PutObjectRetention", "s3:PutObjectTagging", "s3:PutObjectVersionTagging", "s3:Abort*", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "WithoutWebAclWebsiteBucket86DBF045", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "WithoutWebAclWebsiteBucket86DBF045", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "cloudfront:GetInvalidation", "cloudfront:CreateInvalidation", ], "Effect": "Allow", "Resource": "*", }, ], "Version": "2012-10-17", }, "PolicyName": "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF", "Roles": [ { "Ref": "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265", }, ], }, "Type": "AWS::IAM::Policy", }, "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F": { "DependsOn": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", ], "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "S3Key": "350185a1069fa20a23a583e20c77f6844218bd73097902362dc94f1a108f5d89.zip", }, "Description": { "Fn::Join": [ "", [ "Lambda function for auto-deleting objects in ", { "Ref": "WithoutWebAclAccessLogsBucket79EA9931", }, " S3 bucket.", ], ], }, "Handler": "__entrypoint__.handler", "MemorySize": 128, "Role": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn", ], }, "Runtime": "nodejs16.x", "Timeout": 900, }, "Type": "AWS::Lambda::Function", }, "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "ManagedPolicyArns": [ { "Fn::Sub": "arn:\${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", }, ], }, "Type": "AWS::IAM::Role", }, "WithoutWebAclAccessLogsBucket79EA9931": { "DeletionPolicy": "Delete", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256", }, }, ], }, "OwnershipControls": { "Rules": [ { "ObjectOwnership": "ObjectWriter", }, ], }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true, }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", "Value": "true", }, ], }, "Type": "AWS::S3::Bucket", "UpdateReplacePolicy": "Delete", }, "WithoutWebAclAccessLogsBucketAutoDeleteObjectsCustomResourceE719ECBF": { "DeletionPolicy": "Delete", "DependsOn": [ "WithoutWebAclAccessLogsBucketPolicy161A069A", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketName": { "Ref": "WithoutWebAclAccessLogsBucket79EA9931", }, "ServiceToken": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", "Arn", ], }, }, "Type": "Custom::S3AutoDeleteObjects", "UpdateReplacePolicy": "Delete", }, "WithoutWebAclAccessLogsBucketPolicy161A069A": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Bucket": { "Ref": "WithoutWebAclAccessLogsBucket79EA9931", }, "PolicyDocument": { "Statement": [ { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": "false", }, }, "Effect": "Deny", "Principal": { "AWS": "*", }, "Resource": [ { "Fn::GetAtt": [ "WithoutWebAclAccessLogsBucket79EA9931", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "WithoutWebAclAccessLogsBucket79EA9931", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn", ], }, }, "Resource": [ { "Fn::GetAtt": [ "WithoutWebAclAccessLogsBucket79EA9931", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "WithoutWebAclAccessLogsBucket79EA9931", "Arn", ], }, "/*", ], ], }, ], }, { "Action": "s3:PutObject", "Condition": { "ArnLike": { "aws:SourceArn": { "Fn::GetAtt": [ "WithoutWebAclWebsiteBucket86DBF045", "Arn", ], }, }, "StringEquals": { "aws:SourceAccount": { "Ref": "AWS::AccountId", }, }, }, "Effect": "Allow", "Principal": { "Service": "logging.s3.amazonaws.com", }, "Resource": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "WithoutWebAclAccessLogsBucket79EA9931", "Arn", ], }, "/website-access-logs*", ], ], }, }, { "Action": "s3:PutObject", "Condition": { "ArnLike": { "aws:SourceArn": { "Fn::GetAtt": [ "WithoutWebAclDistributionLogBucketD44A0A31", "Arn", ], }, }, "StringEquals": { "aws:SourceAccount": { "Ref": "AWS::AccountId", }, }, }, "Effect": "Allow", "Principal": { "Service": "logging.s3.amazonaws.com", }, "Resource": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "WithoutWebAclAccessLogsBucket79EA9931", "Arn", ], }, "/distribution-access-logs*", ], ], }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::S3::BucketPolicy", }, "WithoutWebAclCloudfrontDistribution079C1AED": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-CFR4", "reason": "Certificate is not mandatory therefore the Cloudfront certificate will be used.", }, { "id": "AwsPrototyping-CloudFrontDistributionHttpsViewerNoOutdatedSSL", "reason": "Certificate is not mandatory therefore the Cloudfront certificate will be used.", }, { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "DistributionConfig": { "CustomErrorResponses": [ { "ErrorCode": 404, "ResponseCode": 200, "ResponsePagePath": "/index.html", }, ], "DefaultCacheBehavior": { "CachePolicyId": "658327ea-f89d-4fab-a63d-7e88639e58f6", "Compress": true, "TargetOriginId": "WithoutWebAclCloudfrontDistributionOrigin1FA8DDFBE", "ViewerProtocolPolicy": "redirect-to-https", }, "DefaultRootObject": "index.html", "Enabled": true, "HttpVersion": "http2", "IPV6Enabled": true, "Logging": { "Bucket": { "Fn::GetAtt": [ "WithoutWebAclDistributionLogBucketD44A0A31", "RegionalDomainName", ], }, }, "Origins": [ { "DomainName": { "Fn::GetAtt": [ "WithoutWebAclWebsiteBucket86DBF045", "RegionalDomainName", ], }, "Id": "WithoutWebAclCloudfrontDistributionOrigin1FA8DDFBE", "S3OriginConfig": { "OriginAccessIdentity": { "Fn::Join": [ "", [ "origin-access-identity/cloudfront/", { "Ref": "WithoutWebAclOriginAccessIdentity44AFE92A", }, ], ], }, }, }, ], }, }, "Type": "AWS::CloudFront::Distribution", }, "WithoutWebAclDistributionLogBucketAutoDeleteObjectsCustomResource6B7F8E37": { "DeletionPolicy": "Delete", "DependsOn": [ "WithoutWebAclDistributionLogBucketPolicy76B66889", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketName": { "Ref": "WithoutWebAclDistributionLogBucketD44A0A31", }, "ServiceToken": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", "Arn", ], }, }, "Type": "Custom::S3AutoDeleteObjects", "UpdateReplacePolicy": "Delete", }, "WithoutWebAclDistributionLogBucketD44A0A31": { "DeletionPolicy": "Delete", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256", }, }, ], }, "LoggingConfiguration": { "DestinationBucketName": { "Ref": "WithoutWebAclAccessLogsBucket79EA9931", }, "LogFilePrefix": "distribution-access-logs", }, "OwnershipControls": { "Rules": [ { "ObjectOwnership": "BucketOwnerPreferred", }, ], }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true, }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", "Value": "true", }, ], }, "Type": "AWS::S3::Bucket", "UpdateReplacePolicy": "Delete", }, "WithoutWebAclDistributionLogBucketPolicy76B66889": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Bucket": { "Ref": "WithoutWebAclDistributionLogBucketD44A0A31", }, "PolicyDocument": { "Statement": [ { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": "false", }, }, "Effect": "Deny", "Principal": { "AWS": "*", }, "Resource": [ { "Fn::GetAtt": [ "WithoutWebAclDistributionLogBucketD44A0A31", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "WithoutWebAclDistributionLogBucketD44A0A31", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn", ], }, }, "Resource": [ { "Fn::GetAtt": [ "WithoutWebAclDistributionLogBucketD44A0A31", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "WithoutWebAclDistributionLogBucketD44A0A31", "Arn", ], }, "/*", ], ], }, ], }, ], "Version": "2012-10-17", }, }, "Type": "AWS::S3::BucketPolicy", }, "WithoutWebAclOriginAccessIdentity44AFE92A": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "CloudFrontOriginAccessIdentityConfig": { "Comment": "Allows CloudFront to reach the bucket", }, }, "Type": "AWS::CloudFront::CloudFrontOriginAccessIdentity", }, "WithoutWebAclWebsiteBucket86DBF045": { "DeletionPolicy": "Delete", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256", }, }, ], }, "LoggingConfiguration": { "DestinationBucketName": { "Ref": "WithoutWebAclAccessLogsBucket79EA9931", }, "LogFilePrefix": "website-access-logs", }, "OwnershipControls": { "Rules": [ { "ObjectOwnership": "BucketOwnerEnforced", }, ], }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true, }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", "Value": "true", }, { "Key": "aws-cdk:cr-owned:935a6988", "Value": "true", }, ], "VersioningConfiguration": { "Status": "Enabled", }, }, "Type": "AWS::S3::Bucket", "UpdateReplacePolicy": "Delete", }, "WithoutWebAclWebsiteBucketAutoDeleteObjectsCustomResourceB7C8374F": { "DeletionPolicy": "Delete", "DependsOn": [ "WithoutWebAclWebsiteBucketPolicy535CE3AA", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketName": { "Ref": "WithoutWebAclWebsiteBucket86DBF045", }, "ServiceToken": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", "Arn", ], }, }, "Type": "Custom::S3AutoDeleteObjects", "UpdateReplacePolicy": "Delete", }, "WithoutWebAclWebsiteBucketPolicy535CE3AA": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Bucket": { "Ref": "WithoutWebAclWebsiteBucket86DBF045", }, "PolicyDocument": { "Statement": [ { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": "false", }, }, "Effect": "Deny", "Principal": { "AWS": "*", }, "Resource": [ { "Fn::GetAtt": [ "WithoutWebAclWebsiteBucket86DBF045", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "WithoutWebAclWebsiteBucket86DBF045", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn", ], }, }, "Resource": [ { "Fn::GetAtt": [ "WithoutWebAclWebsiteBucket86DBF045", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "WithoutWebAclWebsiteBucket86DBF045", "Arn", ], }, "/*", ], ], }, ], }, { "Action": "s3:ListBucket", "Effect": "Allow", "Principal": { "CanonicalUser": { "Fn::GetAtt": [ "WithoutWebAclOriginAccessIdentity44AFE92A", "S3CanonicalUserId", ], }, }, "Resource": { "Fn::GetAtt": [ "WithoutWebAclWebsiteBucket86DBF045", "Arn", ], }, }, { "Action": "s3:GetObject", "Effect": "Allow", "Principal": { "CanonicalUser": { "Fn::GetAtt": [ "WithoutWebAclOriginAccessIdentity44AFE92A", "S3CanonicalUserId", ], }, }, "Resource": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "WithoutWebAclWebsiteBucket86DBF045", "Arn", ], }, "/*", ], ], }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::S3::BucketPolicy", }, "WithoutWebAclWebsiteDeploymentAwsCliLayerD4021A44": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Content": { "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "S3Key": "0e38c73676c042efb04d698981ab7a9706991a146e59250a537916db0e9bde39.zip", }, "Description": "/opt/awscli/aws", }, "Type": "AWS::Lambda::LayerVersion", }, "WithoutWebAclWebsiteDeploymentCustomResource517CC44A": { "DeletionPolicy": "Delete", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "DestinationBucketName": { "Ref": "WithoutWebAclWebsiteBucket86DBF045", }, "DistributionId": { "Ref": "WithoutWebAclCloudfrontDistribution079C1AED", }, "Prune": true, "ServiceToken": { "Fn::GetAtt": [ "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C81C01536", "Arn", ], }, "SourceBucketNames": [ { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, ], "SourceObjectKeys": [ "a79f62b4071246acc1e8e834ba67dc3bbf15a3662e39d31667fa59315ef86f56.zip", ], }, "Type": "Custom::CDKBucketDeployment", "UpdateReplacePolicy": "Delete", }, }, "Rules": { "CheckBootstrapVersion": { "Assertions": [ { "Assert": { "Fn::Not": [ { "Fn::Contains": [ [ "1", "2", "3", "4", "5", ], { "Ref": "BootstrapVersion", }, ], }, ], }, "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI.", }, ], }, }, } `; exports[`Static Website Unit Tests With custom bucket deployment props 1`] = ` { "Mappings": { "DefaultCrNodeVersionMap": { "af-south-1": { "value": "nodejs16.x", }, "ap-east-1": { "value": "nodejs16.x", }, "ap-northeast-1": { "value": "nodejs16.x", }, "ap-northeast-2": { "value": "nodejs16.x", }, "ap-northeast-3": { "value": "nodejs16.x", }, "ap-south-1": { "value": "nodejs16.x", }, "ap-south-2": { "value": "nodejs16.x", }, "ap-southeast-1": { "value": "nodejs16.x", }, "ap-southeast-2": { "value": "nodejs16.x", }, "ap-southeast-3": { "value": "nodejs16.x", }, "ca-central-1": { "value": "nodejs16.x", }, "cn-north-1": { "value": "nodejs16.x", }, "cn-northwest-1": { "value": "nodejs16.x", }, "eu-central-1": { "value": "nodejs16.x", }, "eu-central-2": { "value": "nodejs16.x", }, "eu-north-1": { "value": "nodejs16.x", }, "eu-south-1": { "value": "nodejs16.x", }, "eu-south-2": { "value": "nodejs16.x", }, "eu-west-1": { "value": "nodejs16.x", }, "eu-west-2": { "value": "nodejs16.x", }, "eu-west-3": { "value": "nodejs16.x", }, "me-central-1": { "value": "nodejs16.x", }, "me-south-1": { "value": "nodejs16.x", }, "sa-east-1": { "value": "nodejs16.x", }, "us-east-1": { "value": "nodejs16.x", }, "us-east-2": { "value": "nodejs16.x", }, "us-gov-east-1": { "value": "nodejs16.x", }, "us-gov-west-1": { "value": "nodejs16.x", }, "us-iso-east-1": { "value": "nodejs14.x", }, "us-iso-west-1": { "value": "nodejs14.x", }, "us-isob-east-1": { "value": "nodejs14.x", }, "us-west-1": { "value": "nodejs16.x", }, "us-west-2": { "value": "nodejs16.x", }, }, }, "Outputs": { "CustomBucketDeploymentPropsDistributionDomainName664FB503": { "Value": { "Fn::GetAtt": [ "CustomBucketDeploymentPropsCloudfrontDistributionB6A5E893", "DomainName", ], }, }, }, "Parameters": { "BootstrapVersion": { "Default": "/cdk-bootstrap/hnb659fds/version", "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]", "Type": "AWS::SSM::Parameter::Value", }, }, "Resources": { "CustomBucketDeploymentPropsAccessLogsBucketAutoDeleteObjectsCustomResourceBC275762": { "DeletionPolicy": "Delete", "DependsOn": [ "CustomBucketDeploymentPropsAccessLogsBucketPolicy9AECFE18", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketName": { "Ref": "CustomBucketDeploymentPropsAccessLogsBucketEFEB44B3", }, "ServiceToken": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", "Arn", ], }, }, "Type": "Custom::S3AutoDeleteObjects", "UpdateReplacePolicy": "Delete", }, "CustomBucketDeploymentPropsAccessLogsBucketEFEB44B3": { "DeletionPolicy": "Delete", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256", }, }, ], }, "OwnershipControls": { "Rules": [ { "ObjectOwnership": "ObjectWriter", }, ], }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true, }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", "Value": "true", }, ], }, "Type": "AWS::S3::Bucket", "UpdateReplacePolicy": "Delete", }, "CustomBucketDeploymentPropsAccessLogsBucketPolicy9AECFE18": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Bucket": { "Ref": "CustomBucketDeploymentPropsAccessLogsBucketEFEB44B3", }, "PolicyDocument": { "Statement": [ { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": "false", }, }, "Effect": "Deny", "Principal": { "AWS": "*", }, "Resource": [ { "Fn::GetAtt": [ "CustomBucketDeploymentPropsAccessLogsBucketEFEB44B3", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "CustomBucketDeploymentPropsAccessLogsBucketEFEB44B3", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn", ], }, }, "Resource": [ { "Fn::GetAtt": [ "CustomBucketDeploymentPropsAccessLogsBucketEFEB44B3", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "CustomBucketDeploymentPropsAccessLogsBucketEFEB44B3", "Arn", ], }, "/*", ], ], }, ], }, { "Action": "s3:PutObject", "Condition": { "ArnLike": { "aws:SourceArn": { "Fn::GetAtt": [ "CustomBucketDeploymentPropsWebsiteBucket36644456", "Arn", ], }, }, "StringEquals": { "aws:SourceAccount": { "Ref": "AWS::AccountId", }, }, }, "Effect": "Allow", "Principal": { "Service": "logging.s3.amazonaws.com", }, "Resource": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "CustomBucketDeploymentPropsAccessLogsBucketEFEB44B3", "Arn", ], }, "/website-access-logs*", ], ], }, }, { "Action": "s3:PutObject", "Condition": { "ArnLike": { "aws:SourceArn": { "Fn::GetAtt": [ "CustomBucketDeploymentPropsDistributionLogBucket5A45CBB2", "Arn", ], }, }, "StringEquals": { "aws:SourceAccount": { "Ref": "AWS::AccountId", }, }, }, "Effect": "Allow", "Principal": { "Service": "logging.s3.amazonaws.com", }, "Resource": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "CustomBucketDeploymentPropsAccessLogsBucketEFEB44B3", "Arn", ], }, "/distribution-access-logs*", ], ], }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::S3::BucketPolicy", }, "CustomBucketDeploymentPropsCloudfrontDistributionB6A5E893": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-CFR4", "reason": "Certificate is not mandatory therefore the Cloudfront certificate will be used.", }, { "id": "AwsPrototyping-CloudFrontDistributionHttpsViewerNoOutdatedSSL", "reason": "Certificate is not mandatory therefore the Cloudfront certificate will be used.", }, { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "DistributionConfig": { "CustomErrorResponses": [ { "ErrorCode": 404, "ResponseCode": 200, "ResponsePagePath": "/index.html", }, ], "DefaultCacheBehavior": { "CachePolicyId": "658327ea-f89d-4fab-a63d-7e88639e58f6", "Compress": true, "TargetOriginId": "CustomBucketDeploymentPropsCloudfrontDistributionOrigin1A81BA7D6", "ViewerProtocolPolicy": "redirect-to-https", }, "DefaultRootObject": "index.html", "Enabled": true, "HttpVersion": "http2", "IPV6Enabled": true, "Logging": { "Bucket": { "Fn::GetAtt": [ "CustomBucketDeploymentPropsDistributionLogBucket5A45CBB2", "RegionalDomainName", ], }, }, "Origins": [ { "DomainName": { "Fn::GetAtt": [ "CustomBucketDeploymentPropsWebsiteBucket36644456", "RegionalDomainName", ], }, "Id": "CustomBucketDeploymentPropsCloudfrontDistributionOrigin1A81BA7D6", "S3OriginConfig": { "OriginAccessIdentity": { "Fn::Join": [ "", [ "origin-access-identity/cloudfront/", { "Ref": "CustomBucketDeploymentPropsOriginAccessIdentity45810ADD", }, ], ], }, }, }, ], "WebACLId": { "Fn::GetAtt": [ "CustomBucketDeploymentPropsWebsiteAclCFWebAclCustomResource14F5FB79", "WebAclArn", ], }, }, }, "Type": "AWS::CloudFront::Distribution", }, "CustomBucketDeploymentPropsDistributionLogBucket5A45CBB2": { "DeletionPolicy": "Delete", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256", }, }, ], }, "LoggingConfiguration": { "DestinationBucketName": { "Ref": "CustomBucketDeploymentPropsAccessLogsBucketEFEB44B3", }, "LogFilePrefix": "distribution-access-logs", }, "OwnershipControls": { "Rules": [ { "ObjectOwnership": "BucketOwnerPreferred", }, ], }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true, }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", "Value": "true", }, ], }, "Type": "AWS::S3::Bucket", "UpdateReplacePolicy": "Delete", }, "CustomBucketDeploymentPropsDistributionLogBucketAutoDeleteObjectsCustomResource39E33CEC": { "DeletionPolicy": "Delete", "DependsOn": [ "CustomBucketDeploymentPropsDistributionLogBucketPolicy3090DBDD", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketName": { "Ref": "CustomBucketDeploymentPropsDistributionLogBucket5A45CBB2", }, "ServiceToken": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", "Arn", ], }, }, "Type": "Custom::S3AutoDeleteObjects", "UpdateReplacePolicy": "Delete", }, "CustomBucketDeploymentPropsDistributionLogBucketPolicy3090DBDD": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Bucket": { "Ref": "CustomBucketDeploymentPropsDistributionLogBucket5A45CBB2", }, "PolicyDocument": { "Statement": [ { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": "false", }, }, "Effect": "Deny", "Principal": { "AWS": "*", }, "Resource": [ { "Fn::GetAtt": [ "CustomBucketDeploymentPropsDistributionLogBucket5A45CBB2", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "CustomBucketDeploymentPropsDistributionLogBucket5A45CBB2", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn", ], }, }, "Resource": [ { "Fn::GetAtt": [ "CustomBucketDeploymentPropsDistributionLogBucket5A45CBB2", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "CustomBucketDeploymentPropsDistributionLogBucket5A45CBB2", "Arn", ], }, "/*", ], ], }, ], }, ], "Version": "2012-10-17", }, }, "Type": "AWS::S3::BucketPolicy", }, "CustomBucketDeploymentPropsOriginAccessIdentity45810ADD": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "CloudFrontOriginAccessIdentityConfig": { "Comment": "Allows CloudFront to reach the bucket", }, }, "Type": "AWS::CloudFront::CloudFrontOriginAccessIdentity", }, "CustomBucketDeploymentPropsWebsiteAclCFWebAclCustomResource14F5FB79": { "DeletionPolicy": "Delete", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "ID": "Default-WebsiteAcl", "MANAGED_RULES": [ { "name": "AWSManagedRulesCommonRuleSet", "vendor": "AWS", }, ], "ServiceToken": { "Fn::GetAtt": [ "CustomBucketDeploymentPropsWebsiteAclCloudfrontWebAclProviderframeworkonEvent49BA130C", "Arn", ], }, }, "Type": "AWS::CloudFormation::CustomResource", "UpdateReplacePolicy": "Delete", }, "CustomBucketDeploymentPropsWebsiteAclCloudfrontWebAclOnEventHandler27B7D2F2": { "DependsOn": [ "CustomBucketDeploymentPropsWebsiteAclOnEventHandlerRole21E82ED8", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "S3Key": "f9a4e3a2d1dd90ac1bfaec793acad708d019b35402700253f45a40ada6d2786a.zip", }, "FunctionName": "Default-OnEventHandler", "Handler": "index.onEvent", "Role": { "Fn::GetAtt": [ "CustomBucketDeploymentPropsWebsiteAclOnEventHandlerRole21E82ED8", "Arn", ], }, "Runtime": "nodejs16.x", "Timeout": 300, }, "Type": "AWS::Lambda::Function", }, "CustomBucketDeploymentPropsWebsiteAclCloudfrontWebAclProviderRole938A57CB": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Cloudwatch resources have been scoped down to the LogGroup level, however * is still needed as stream names are created just in time.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Cloudwatch resources have been scoped down to the LogGroup level, however * is still needed as stream names are created just in time.", }, { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "Policies": [ { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:aws:logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/lambda/", { "Ref": "CustomBucketDeploymentPropsWebsiteAclCloudfrontWebAclOnEventHandler27B7D2F2", }, "-Provider", ], ], }, { "Fn::Join": [ "", [ "arn:aws:logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/lambda/", { "Ref": "CustomBucketDeploymentPropsWebsiteAclCloudfrontWebAclOnEventHandler27B7D2F2", }, "-Provider:*", ], ], }, ], }, ], "Version": "2012-10-17", }, "PolicyName": "logs", }, ], }, "Type": "AWS::IAM::Role", }, "CustomBucketDeploymentPropsWebsiteAclCloudfrontWebAclProviderRoleDefaultPolicyB736764C": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Cloudwatch resources have been scoped down to the LogGroup level, however * is still needed as stream names are created just in time.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Cloudwatch resources have been scoped down to the LogGroup level, however * is still needed as stream names are created just in time.", }, { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": "lambda:InvokeFunction", "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "CustomBucketDeploymentPropsWebsiteAclCloudfrontWebAclOnEventHandler27B7D2F2", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "CustomBucketDeploymentPropsWebsiteAclCloudfrontWebAclOnEventHandler27B7D2F2", "Arn", ], }, ":*", ], ], }, ], }, ], "Version": "2012-10-17", }, "PolicyName": "CustomBucketDeploymentPropsWebsiteAclCloudfrontWebAclProviderRoleDefaultPolicyB736764C", "Roles": [ { "Ref": "CustomBucketDeploymentPropsWebsiteAclCloudfrontWebAclProviderRole938A57CB", }, ], }, "Type": "AWS::IAM::Policy", }, "CustomBucketDeploymentPropsWebsiteAclCloudfrontWebAclProviderframeworkonEvent49BA130C": { "DependsOn": [ "CustomBucketDeploymentPropsWebsiteAclCloudfrontWebAclProviderRoleDefaultPolicyB736764C", "CustomBucketDeploymentPropsWebsiteAclCloudfrontWebAclProviderRole938A57CB", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the Provider construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the Provider construct accordingly.", }, { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "S3Key": "8e3d635893ea17fa3158623489cd42c680fad925b38de1ef51cb10d84f6e245e.zip", }, "Description": "AWS CDK resource provider framework - onEvent (Default/CustomBucketDeploymentProps/WebsiteAcl/CloudfrontWebAclProvider)", "Environment": { "Variables": { "USER_ON_EVENT_FUNCTION_ARN": { "Fn::GetAtt": [ "CustomBucketDeploymentPropsWebsiteAclCloudfrontWebAclOnEventHandler27B7D2F2", "Arn", ], }, }, }, "FunctionName": { "Fn::Join": [ "", [ { "Ref": "CustomBucketDeploymentPropsWebsiteAclCloudfrontWebAclOnEventHandler27B7D2F2", }, "-Provider", ], ], }, "Handler": "framework.onEvent", "Role": { "Fn::GetAtt": [ "CustomBucketDeploymentPropsWebsiteAclCloudfrontWebAclProviderRole938A57CB", "Arn", ], }, "Runtime": "nodejs14.x", "Timeout": 900, }, "Type": "AWS::Lambda::Function", }, "CustomBucketDeploymentPropsWebsiteAclOnEventHandlerRole21E82ED8": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "applies_to": [ { "regex": "/^Resource::arn:aws:wafv2:us-east-1::global/(.*)$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "WafV2 resources have been scoped down to the ACL/IPSet level, however * is still needed as resource id's are created just in time.", }, { "applies_to": [ { "regex": "/^Resource::arn:aws:logs:::log-group:/aws/lambda/Default-OnEventHandler:*/g", }, ], "id": "AwsSolutions-IAM5", "reason": "Cloudwatch resources have been scoped down to the LogGroup level, however * is still needed as stream names are created just in time.", }, { "applies_to": [ { "regex": "/^Resource::arn:aws:wafv2:us-east-1::global/(.*)$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "WafV2 resources have been scoped down to the ACL/IPSet level, however * is still needed as resource id's are created just in time.", }, { "applies_to": [ { "regex": "/^Resource::arn:aws:logs:::log-group:/aws/lambda/Default-OnEventHandler:*/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Cloudwatch resources have been scoped down to the LogGroup level, however * is still needed as stream names are created just in time.", }, { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "Policies": [ { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:aws:logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/lambda/Default-OnEventHandler", ], ], }, { "Fn::Join": [ "", [ "arn:aws:logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/lambda/Default-OnEventHandler:*", ], ], }, ], }, ], "Version": "2012-10-17", }, "PolicyName": "logs", }, { "PolicyDocument": { "Statement": [ { "Action": [ "wafv2:CreateWebACL", "wafv2:DeleteWebACL", "wafv2:UpdateWebACL", "wafv2:GetWebACL", ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:aws:wafv2:us-east-1:", { "Ref": "AWS::AccountId", }, ":global/ipset/Default-WebsiteAcl-IPSet/*", ], ], }, { "Fn::Join": [ "", [ "arn:aws:wafv2:us-east-1:", { "Ref": "AWS::AccountId", }, ":global/webacl/Default-WebsiteAcl/*", ], ], }, { "Fn::Join": [ "", [ "arn:aws:wafv2:us-east-1:", { "Ref": "AWS::AccountId", }, ":global/managedruleset/*/*", ], ], }, ], }, { "Action": [ "wafv2:CreateIPSet", "wafv2:DeleteIPSet", "wafv2:UpdateIPSet", "wafv2:GetIPSet", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:aws:wafv2:us-east-1:", { "Ref": "AWS::AccountId", }, ":global/ipset/Default-WebsiteAcl-IPSet/*", ], ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "wafv2", }, ], }, "Type": "AWS::IAM::Role", }, "CustomBucketDeploymentPropsWebsiteBucket36644456": { "DeletionPolicy": "Delete", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256", }, }, ], }, "LoggingConfiguration": { "DestinationBucketName": { "Ref": "CustomBucketDeploymentPropsAccessLogsBucketEFEB44B3", }, "LogFilePrefix": "website-access-logs", }, "OwnershipControls": { "Rules": [ { "ObjectOwnership": "BucketOwnerEnforced", }, ], }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true, }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", "Value": "true", }, { "Key": "aws-cdk:cr-owned:907c0d02", "Value": "true", }, ], "VersioningConfiguration": { "Status": "Enabled", }, }, "Type": "AWS::S3::Bucket", "UpdateReplacePolicy": "Delete", }, "CustomBucketDeploymentPropsWebsiteBucketAutoDeleteObjectsCustomResourceCDD7BBDF": { "DeletionPolicy": "Delete", "DependsOn": [ "CustomBucketDeploymentPropsWebsiteBucketPolicy0B35E6B4", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketName": { "Ref": "CustomBucketDeploymentPropsWebsiteBucket36644456", }, "ServiceToken": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", "Arn", ], }, }, "Type": "Custom::S3AutoDeleteObjects", "UpdateReplacePolicy": "Delete", }, "CustomBucketDeploymentPropsWebsiteBucketPolicy0B35E6B4": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Bucket": { "Ref": "CustomBucketDeploymentPropsWebsiteBucket36644456", }, "PolicyDocument": { "Statement": [ { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": "false", }, }, "Effect": "Deny", "Principal": { "AWS": "*", }, "Resource": [ { "Fn::GetAtt": [ "CustomBucketDeploymentPropsWebsiteBucket36644456", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "CustomBucketDeploymentPropsWebsiteBucket36644456", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn", ], }, }, "Resource": [ { "Fn::GetAtt": [ "CustomBucketDeploymentPropsWebsiteBucket36644456", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "CustomBucketDeploymentPropsWebsiteBucket36644456", "Arn", ], }, "/*", ], ], }, ], }, { "Action": "s3:ListBucket", "Effect": "Allow", "Principal": { "CanonicalUser": { "Fn::GetAtt": [ "CustomBucketDeploymentPropsOriginAccessIdentity45810ADD", "S3CanonicalUserId", ], }, }, "Resource": { "Fn::GetAtt": [ "CustomBucketDeploymentPropsWebsiteBucket36644456", "Arn", ], }, }, { "Action": "s3:GetObject", "Effect": "Allow", "Principal": { "CanonicalUser": { "Fn::GetAtt": [ "CustomBucketDeploymentPropsOriginAccessIdentity45810ADD", "S3CanonicalUserId", ], }, }, "Resource": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "CustomBucketDeploymentPropsWebsiteBucket36644456", "Arn", ], }, "/*", ], ], }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::S3::BucketPolicy", }, "CustomBucketDeploymentPropsWebsiteDeploymentAwsCliLayer06EBA27F": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Content": { "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "S3Key": "0e38c73676c042efb04d698981ab7a9706991a146e59250a537916db0e9bde39.zip", }, "Description": "/opt/awscli/aws", }, "Type": "AWS::Lambda::LayerVersion", }, "CustomBucketDeploymentPropsWebsiteDeploymentCustomResource47254BC8": { "DeletionPolicy": "Delete", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-L1", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "id": "AwsPrototyping-LambdaLatestVersion", "reason": "Latest runtime cannot be configured. CDK will need to upgrade the BucketDeployment construct accordingly.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Action::s3:.*$/g", }, { "regex": "/^Resource::.*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "All Policies have been scoped to a Bucket. Given Buckets can contain arbitrary content, wildcard resources with bucket scope are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Buckets can contain arbitrary content, therefore wildcard resources under a bucket are required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "DestinationBucketName": { "Ref": "CustomBucketDeploymentPropsWebsiteBucket36644456", }, "DistributionId": { "Ref": "CustomBucketDeploymentPropsCloudfrontDistributionB6A5E893", }, "Prune": true, "ServiceToken": { "Fn::GetAtt": [ "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C81C01536", "Arn", ], }, "SourceBucketNames": [ { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, ], "SourceObjectKeys": [ "a79f62b4071246acc1e8e834ba67dc3bbf15a3662e39d31667fa59315ef86f56.zip", ], }, "Type": "Custom::CDKBucketDeployment", "UpdateReplacePolicy": "Delete", }, "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C81C01536": { "DependsOn": [ "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF", "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265", ], "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "S3Key": "9eb41a5505d37607ac419321497a4f8c21cf0ee1f9b4a6b29aa04301aea5c7fd.zip", }, "Environment": { "Variables": { "AWS_CA_BUNDLE": "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", }, }, "Handler": "index.handler", "Layers": [ { "Ref": "CustomBucketDeploymentPropsWebsiteDeploymentAwsCliLayer06EBA27F", }, ], "Role": { "Fn::GetAtt": [ "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265", "Arn", ], }, "Runtime": "python3.9", "Timeout": 900, }, "Type": "AWS::Lambda::Function", }, "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CLogRetention1948627D": { "Properties": { "LogGroupName": { "Fn::Join": [ "", [ "/aws/lambda/", { "Ref": "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C81C01536", }, ], ], }, "RetentionInDays": 2922, "ServiceToken": { "Fn::GetAtt": [ "LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aFD4BFC8A", "Arn", ], }, }, "Type": "Custom::LogRetention", }, "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "ManagedPolicyArns": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", ], ], }, ], }, "Type": "AWS::IAM::Role", }, "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF": { "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":s3:::", { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, ], ], }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":s3:::", { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "/*", ], ], }, ], }, { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", "s3:PutObject", "s3:PutObjectLegalHold", "s3:PutObjectRetention", "s3:PutObjectTagging", "s3:PutObjectVersionTagging", "s3:Abort*", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "CustomBucketDeploymentPropsWebsiteBucket36644456", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "CustomBucketDeploymentPropsWebsiteBucket36644456", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "cloudfront:GetInvalidation", "cloudfront:CreateInvalidation", ], "Effect": "Allow", "Resource": "*", }, ], "Version": "2012-10-17", }, "PolicyName": "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF", "Roles": [ { "Ref": "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265", }, ], }, "Type": "AWS::IAM::Policy", }, "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F": { "DependsOn": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", ], "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "S3Key": "350185a1069fa20a23a583e20c77f6844218bd73097902362dc94f1a108f5d89.zip", }, "Description": { "Fn::Join": [ "", [ "Lambda function for auto-deleting objects in ", { "Ref": "CustomBucketDeploymentPropsAccessLogsBucketEFEB44B3", }, " S3 bucket.", ], ], }, "Handler": "__entrypoint__.handler", "MemorySize": 128, "Role": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn", ], }, "Runtime": "nodejs16.x", "Timeout": 900, }, "Type": "AWS::Lambda::Function", }, "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "ManagedPolicyArns": [ { "Fn::Sub": "arn:\${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", }, ], }, "Type": "AWS::IAM::Role", }, "LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aFD4BFC8A": { "DependsOn": [ "LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRoleDefaultPolicyADDA7DEB", "LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRole9741ECFB", ], "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "S3Key": "5fa1330271b8967d9254ba2d4a07144f8acefe8b77e6d6bba38261373a50d5f8.zip", }, "Handler": "index.handler", "Role": { "Fn::GetAtt": [ "LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRole9741ECFB", "Arn", ], }, "Runtime": { "Fn::FindInMap": [ "DefaultCrNodeVersionMap", { "Ref": "AWS::Region", }, "value", ], }, }, "Type": "AWS::Lambda::Function", }, "LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRole9741ECFB": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "ManagedPolicyArns": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", ], ], }, ], }, "Type": "AWS::IAM::Role", }, "LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRoleDefaultPolicyADDA7DEB": { "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "logs:PutRetentionPolicy", "logs:DeleteRetentionPolicy", ], "Effect": "Allow", "Resource": "*", }, ], "Version": "2012-10-17", }, "PolicyName": "LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRoleDefaultPolicyADDA7DEB", "Roles": [ { "Ref": "LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRole9741ECFB", }, ], }, "Type": "AWS::IAM::Policy", }, }, "Rules": { "CheckBootstrapVersion": { "Assertions": [ { "Assert": { "Fn::Not": [ { "Fn::Contains": [ [ "1", "2", "3", "4", "5", ], { "Ref": "BootstrapVersion", }, ], }, ], }, "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI.", }, ], }, }, } `;