Setup OAC to restrict S3 bucket access properly

[sicarul]

This PR sets up the S3 bucket as described in https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html

With this merged non-existent paths will return 404 instead of 403, e.g.:

Current behavior:

After this change:

[claude]

Code Review

Summary

This PR correctly modernizes the CloudFront-to-S3 access control by migrating from the legacy Origin Access Identity (OAI) to the recommended Origin Access Control (OAC) approach. The changes follow AWS best practices as documented.

Issues Found

1. Condition Key Capitalization (Line 820)

"AWS:SourceArn": distributionArn,

AWS IAM condition keys are case-sensitive and typically use lowercase. This should likely be:

"aws:SourceArn": distributionArn,

Please verify against AWS CloudFront OAC documentation to confirm the correct capitalization.

2. Policy Version Change (Line 789)

The IAM policy version changed from "2008-10-17" to "2012-10-17". While 2012-10-17 is the current version and generally recommended, confirm this change is intentional and doesn't affect any existing policy behavior.

3. Missing Deployment Guidance

This is a significant infrastructure change that affects how CloudFront accesses S3. Consider documenting:

• Whether existing deployments require manual intervention
• If there's a deployment strategy to avoid service interruption
• Any rollback procedures if issues arise

Suggestions

Add explanatory comment (Line 808):
Consider adding a brief comment explaining the OAC choice for future maintainers:

// Configure bucket policy to allow CloudFront OAC access and deny direct access
// OAC (Origin Access Control) is the modern replacement for OAI (Origin Access Identity)
// and provides improved security with support for all S3 bucket configurations
// This must be created after the distribution so we can reference its ARN

Positive Aspects

• ✅ Correct use of OAC, following current AWS best practices
• ✅ Proper bucket policy with CloudFront service principal
• ✅ Correct switch from websiteEndpoint to bucketRegionalDomainName
• ✅ Proper resource ordering (policy created after distribution)
• ✅ Maintains existing DenyDirectListBucket security rule

---

Mention @claude if you'd like me to review again after making changes or if you have questions about these findings.

[pulumi-bot]

Your site preview for commit 6ff227a is ready! 🎉

http://www-testing-pulumi-docs-origin-pr-16341-6ff227a2.s3-website.us-west-2.amazonaws.com.

[pulumi-bot]

Your site preview for commit affea6a is ready! 🎉

http://www-testing-pulumi-docs-origin-pr-16341-affea6a2.s3-website.us-west-2.amazonaws.com.

[pulumi-bot]

Your site preview for commit b3c0dc3 is ready! 🎉

http://www-testing-pulumi-docs-origin-pr-16341-b3c0dc3e.s3-website.us-west-2.amazonaws.com.

[pulumi-bot]

Your site preview for commit a62b5f4 is ready! 🎉

http://www-testing-pulumi-docs-origin-pr-16341-a62b5f46.s3-website.us-west-2.amazonaws.com.

[pulumi-bot]

Your site preview for commit 848f66d is ready! 🎉

http://www-testing-pulumi-docs-origin-pr-16341-848f66de.s3-website.us-west-2.amazonaws.com.

[CamSoper]

I don't have any feedback of note. Thank you for doing this!

[pulumi-bot]

Your site preview for commit 82507c2 is ready! 🎉

http://www-testing-pulumi-docs-origin-pr-16341-82507c27.s3-website.us-west-2.amazonaws.com.

[pulumi-bot]

Your site preview for commit 00368dc is ready! 🎉

http://www-testing-pulumi-docs-origin-pr-16341-00368dc8.s3-website.us-west-2.amazonaws.com.