chore(cloudfront): encryption and enforceSSL on distribution s3 loggingBucket #18264
Conversation
|
|
There was a problem hiding this comment.
I see you've opened quite a lot of these.
I'm ever-so-slightly hesitant about the enforceSSL change. There is a chance -- remote as it may be -- that someone, somewhere has opened up their logs for access using HTTP, and that this will break them. I can't find a good reason why turning on S3-managed encryption by default would possibly break anyone. We could make the former change under a feature flag, but I feel that the risk of anyone doing that for any reason is so minimal that I'm happy to approve this (and the other in my queue) as-is, and we'll deal with the fall-out if and when it arises.
|
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
… s3 loggingBucket (#18264)" (#18772) #18271 resulted in the definition of a new bucket policy, which broke existing users that already had an implicit bucket policy created by AWS (see [docs](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html#AWS-logs-infrastructure-S3)). Reverts commit ad7374a in the meantime until we figure out the longer term solution. Fixes #18676 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…ngBucket (aws#18264) could pass another bucket, but automatically created buckets are convenient/popular, so worth improving defaults https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-cloudfront.Distribution.html https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-cloudfront.CloudFrontWebDistribution.html https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-s3.Bucket.html --- ```sh # updated integ snapshots packages/@aws-cdk/aws-cloudfront $ /workspace/aws-cdk/tools/\@aws-cdk/cdk-integ-tools/bin/cdk-integ integ.cloudfront-bucket-logging.js integ.distribution-extensive.js --dry-run ``` ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
… s3 loggingBucket (aws#18264)" (aws#18772) aws#18271 resulted in the definition of a new bucket policy, which broke existing users that already had an implicit bucket policy created by AWS (see [docs](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html#AWS-logs-infrastructure-S3)). Reverts commit ad7374a in the meantime until we figure out the longer term solution. Fixes aws#18676 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
#18283
could pass another bucket, but automatically created buckets are convenient/popular, so worth improving defaults
https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-cloudfront.Distribution.html
https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-cloudfront.CloudFrontWebDistribution.html
https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-s3.Bucket.html
also: #18268, #18269, #18270, #18271
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license