diff --git a/text/0617-cloudfront-oac-l2.md b/text/0617-cloudfront-oac-l2.md
index 6473714e2..200f722ca 100644
--- a/text/0617-cloudfront-oac-l2.md
+++ b/text/0617-cloudfront-oac-l2.md
@@ -132,8 +132,8 @@ will update the S3 bucket policy by appending the following policy statement to
 }
 ```
 
-If your bucket previously used OAI, there will be an attempt to remove both the policy statement
-that allows access to the OAI and the origin access identity itself.
+> Note: If your bucket previously used OAI, you will need to manually remove the policy statement
+that gives the OAI access to your bucket from your bucket policy.
 
 ```ts
 const bucket = s3.Bucket.fromBucketArn(this, 'MyExistingBucket',
@@ -589,7 +589,7 @@ abstract class S3BucketOrigin extends cloudfront.OriginBase {
   }
 
   /**
-   * Use custom resource to update bucket policy and remove OAI policy statement if it exists
+   * Use custom resource to update bucket policy
    */
   private grantDistributionAccessToImportedBucket(scope: Construct, distributionId: string) {
     const provider = S3OriginAccessControlBucketPolicyProvider.getOrCreateProvider(scope, S3_ORIGIN_ACCESS_CONTROL_BUCKET_RESOURCE_TYPE,
@@ -660,6 +660,9 @@ abstract class S3BucketOrigin extends cloudfront.OriginBase { To support OAC, a property `originAccessControl` will be added to `S3OriginProps`. The `S3Origin` constructor will need additional logic to determine how to configure the S3 origin (either as website endpoint, using OAI, or using OAC). +Two additional properties `overrideImportedBucketPolicy` and `originAccessLevels` will be added to `S3OriginProps` +to give the user flexibility to let CDK update their imported bucket policy and what level of +permissions (combination of READ, WRITE, DELETE) to grant OAC. ```ts /**
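Review bot: The new note in the first hunk tells the user to remove the OAI policy statement by hand but does not say what remains in effect while they have not: the OAI principal keeps whatever access that statement grants, in addition to the new OAC statement, and the origin access identity resource itself is no longer touched either. I would extend the note so the residual access is explicit, e.g. `Until that statement is removed, the OAI retains its access to the bucket; the origin access identity itself is also left in place and can be deleted once the distribution has been switched to OAC.` Since the previous text promised an automatic removal attempt, a short sentence saying that the automatic cleanup was dropped would help readers of earlier drafts of this RFC.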
@@ -685,8 +688,34 @@ export interface S3OriginProps extends cloudfront.OriginProps {
    * @default false
    */
   readonly overrideImportedBucketPolicy?: boolean;
+
+  /**
+   * The level of permissions granted in the bucket policy and key policy (if applicable)
+   * to the CloudFront distribution.
+   * @default AccessLevel.READ
+   */
+  readonly originAccessLevels?: AccessLevel[];
 }
 
+/**
+ * The types of permissions to grant OAC access to th S3 origin
+ */
+export enum AccessLevel {
+  /**
+   * Grants 's3:GetObject' permission to OAC
+   */
+  READ = 'READ',
+  /**
+   * Grants 's3:PutObject' permission to OAC
+   */
+  WRITE = 'WRITE',
+  /**
+   * Grants 's3:DeleteObject' permission to OAC
+   */
+  DELETE = 'DELETE',
+}
+
+
 
 export class S3Origin implements cloudfront.IOrigin {
   private readonly origin: cloudfront.IOrigin;
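Review bot: The documented default for `originAccessLevels` does not match its type: the property is `AccessLevel[]` but the tag reads `@default AccessLevel.READ`, so it should be `@default [AccessLevel.READ]`. The enum doc also has a typo, `th S3 origin` should read `the S3 origin`. More importantly, the property doc does not say how several levels compose in the generated bucket policy, i.e. whether `WRITE` or `DELETE` are granted in addition to `READ` or instead of it; since `s3:PutObject` and `s3:DeleteObject` let the distribution's OAC modify bucket contents, the doc should state the intended rule, for example `Levels are additive; supplying only WRITE or DELETE does not grant READ.` if that is the design. The `S3OriginProps` interface starts outside this hunk, so the `overrideImportedBucketPolicy` description that interacts with these levels is not visible here.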