-
Notifications
You must be signed in to change notification settings - Fork 82
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Amazon CloudFront Origin Access Control L2 Construct #617
Comments
This RFC discusses CloudFront OAC with S3, however, as mentioned by @antstanley in their comment on #491—which was closed in favor if this RFC—AWS has released OAC for other origins including AWS Lambda. Is support for those also tracked here, or are those covered in one or more separate RFCs and issues? |
This is a request for comments about CloudFront Origin Access Control. See #617 for additional details. APIs are signed off by @colifran . --- _By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license_ --------- Co-authored-by: gracelu0 <grace.r.luo@gmail.com>
As mentioned in the RFC this is scoped to OAC for S3 origins. While we can’t commit to specific dates, we’re planning to support OAC for Lambda function url origins in the future. We always welcome you to create a new issue/RFC to track feature requests so the community can upvote and help us prioritize accordingly! |
This is a request for comments about CloudFront Origin Access Control L2 for S3 origins. See #617 for additional details. APIs are signed off by @comcalvi . --- _By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license_ --------- Co-authored-by: gracelu0 <grace.r.luo@gmail.com>
Description
CloudFront Origin Access Control (OAC) is the recommended way to send authenticated requests to an Amazon S3 origin using IAM service principals. It offers better security, supports server-side encryption with AWS KMS, and supports all Amazon S3 buckets in all AWS regions.
Currently the
S3Origin
construct automatically creates an Origin Access Identity (OAI) to restrict access to an S3 Origin. However, using OAI is now considered legacy and no longer recommended. CDK users who want to use OAC currently have to use the L1 constructCfnOriginAccessControl
. They need to use escape hatches to attach the OAC to their CloudFront distribution and remove the OAI that is automatically configured. With a CloudFront OAC L2 construct, users will easily be able to set up their CloudFront origins using OAC instead of OAI.Roles
Workflow
status/proposed
)status/review
)status/api-approved
applied to pull request)status/final-comments-period
)status/approved
)status/planning
)status/implementing
)status/done
)The text was updated successfully, but these errors were encountered: