
(aws-cloudfront-origins): Add possibility to allow s3:ListBucket in S3BucketOrigin #26830

Closed
1 of 2 tasks
WtfJoke opened this issue Aug 21, 2023 · 2 comments
Labels
@aws-cdk/aws-cloudfront-origins Related to CloudFront Origins for the CDK CloudFront Library feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged.

Comments

@WtfJoke
Contributor

WtfJoke commented Aug 21, 2023

Describe the feature

It should be possible to configure a S3Origin with additional s3:ListBucket action permission.
(for example with an additional property in S3OriginProps)

Use Case

I would like to activate WAF for a given CloudFront which serves a Single Page Application (SPA). I also don't want to serve assets to a malicious actor. Due to how S3Origin currently works, it's not possible to distinguish between a 403 produced by a request from a malicious actor that WAF blocked and a 403 produced by a legitimate user who had a typo in their URL (and should have gotten a 404 instead of a 403).

It also matches with the Note in the Docs

CloudFront can't distinguish between an HTTP status code 403 that is returned by your origin and one that is returned by AWS WAF when a request is blocked. This means that you can't return different custom error pages based on the different causes of an HTTP status code 403.

Context

When using a Single Page Application (SPA), a non-existing page usually returns HTTP status code 404. Usually you set up redirects to the index.html of your SPA so the routing can be configured in the SPA itself.

However, when we host a static website on S3 using S3Origin, instead of a 404 we get a 403 (which doesn't reflect the information found in the AWS "Hosting a static website" docs: 404 Not Found).

Cause

The cause for this is a missing permission: s3:ListBucket. If you add this missing permission, you can set up redirects for 404s of legitimate users and serve 403 instantly for malicious actors.

Proposed Solution

The S3OriginProps could be extended with an additional property (name TBD: allowListBucket, report404OnMissingKeys) which, when set to true, would add the s3:ListBucket permission for the origin the same way the s3:GetObject permission is currently added here.

Other Information

I tried to explain the issue/the feature as well as possible and hope it is understandable enough; feel free to ask for more details.

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.86.0

Environment details (OS name and version, etc.)

windows 11 (wsl)
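The following is an added example, not code from the issue or from the CDK project. It models the bucket policy S3Origin attaches for a CloudFront origin access identity in the two variants the issue contrasts (s3:GetObject only, and s3:GetObject plus a bucket-level s3:ListBucket grant) and derives which status S3 returns for a missing key under each. The bucket name and OAI principal ARN are constructed placeholders; the policy shape follows the standard S3 bucket policy document format.

```typescript
// Added example: bucket policy with and without s3:ListBucket, and the 403/404
// consequence for a GET of a key that does not exist. Not CDK project code.

type Effect = "Allow" | "Deny";

interface Statement {
  Effect: Effect;
  Principal: { AWS: string };
  Action: string[];
  Resource: string[];
}

interface PolicyDocument {
  Version: "2012-10-17";
  Statement: Statement[];
}

// Constructed placeholder values; a real stack gets these from the bucket and OAI constructs.
const BUCKET_NAME = "example-spa-bucket";
const OAI_PRINCIPAL_ARN =
  "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXAMPLEOAIID";

function bucketArn(bucket: string): string {
  return `arn:aws:s3:::${bucket}`;
}

// allowListBucket=false mirrors the GetObject-only grant the issue describes;
// true adds the bucket-level ListBucket grant the feature request asks for.
function buildOriginBucketPolicy(
  bucket: string,
  principalArn: string,
  allowListBucket: boolean,
): PolicyDocument {
  const statements: Statement[] = [
    {
      Effect: "Allow",
      Principal: { AWS: principalArn },
      Action: ["s3:GetObject"],
      Resource: [`${bucketArn(bucket)}/*`], // object-level action: bucket/* resource
    },
  ];
  if (allowListBucket) {
    statements.push({
      Effect: "Allow",
      Principal: { AWS: principalArn },
      Action: ["s3:ListBucket"],
      Resource: [bucketArn(bucket)], // bucket-level action: the bucket ARN itself, no /*
    });
  }
  return { Version: "2012-10-17", Statement: statements };
}

// True when an Allow statement grants s3:ListBucket (or s3:*) on the bucket ARN to the
// principal (or to everyone) and no Deny statement revokes it. Deny wins, as in IAM.
function grantsListBucket(policy: PolicyDocument, bucket: string, principalArn: string): boolean {
  const matches = (s: Statement): boolean =>
    (s.Principal.AWS === principalArn || s.Principal.AWS === "*") &&
    s.Resource.includes(bucketArn(bucket)) &&
    s.Action.some((a) => a === "s3:ListBucket" || a === "s3:*");
  const denied = policy.Statement.some((s) => s.Effect === "Deny" && matches(s));
  const allowed = policy.Statement.some((s) => s.Effect === "Allow" && matches(s));
  return allowed && !denied;
}

// S3 answers a GET for a key that does not exist with 404 only when the caller holds
// s3:ListBucket on the bucket; otherwise it returns 403 so the response does not reveal
// whether the key exists. CloudFront passes that origin status through to the viewer.
function expectedStatusForMissingKey(
  policy: PolicyDocument,
  bucket: string,
  principalArn: string,
): 403 | 404 {
  return grantsListBucket(policy, bucket, principalArn) ? 404 : 403;
}

// What a 403 seen at the viewer can mean under a given policy: with ListBucket granted,
// a typo in the URL yields 404, so a 403 is no longer a missing key and a distinct
// custom error page can be attached to it.
function meaningOf403(
  policy: PolicyDocument,
  bucket: string,
  principalArn: string,
): "not-a-missing-key" | "missing-key-or-blocked" {
  return expectedStatusForMissingKey(policy, bucket, principalArn) === 404
    ? "not-a-missing-key"
    : "missing-key-or-blocked";
}

function main(): void {
  for (const allowList of [false, true]) {
    const policy = buildOriginBucketPolicy(BUCKET_NAME, OAI_PRINCIPAL_ARN, allowList);
    console.log(
      `allowListBucket=${allowList}: missing key -> ${expectedStatusForMissingKey(policy, BUCKET_NAME, OAI_PRINCIPAL_ARN)}`,
    );
  }
}
main();
```

The ListBucket statement is scoped to the bucket ARN rather than `bucket/*`, which is the only resource form on which s3:ListBucket applies; granting it to the OAI does not change what CloudFront serves, it only changes the status S3 reports for keys that are absent.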

@WtfJoke WtfJoke added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Aug 21, 2023
@github-actions github-actions bot added the @aws-cdk/aws-cloudfront-origins Related to CloudFront Origins for the CDK CloudFront Library label Aug 21, 2023
@WtfJoke
Contributor Author

WtfJoke commented Aug 21, 2023

just found an existing issue: #13983

@WtfJoke WtfJoke closed this as completed Aug 21, 2023
@github-actions

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
