aws-samples / web-voice-video-calling-blog

Securely pass the customer information from a webpage using Amazon Connect in-app, web, and video calling
MIT No Attribution

while deploying aws cdk getting errors - blocking #1

Closed yugundhar closed 2 days ago

yugundhar commented 5 days ago

During step 5, when deploying with the CDK, I get the error log below:

web-voice-video-calling-blog % cdk deploy
[WARNING] aws-cdk-lib.aws_cloudfront_origins.S3Origin is deprecated. Use S3BucketOrigin or S3StaticWebsiteOrigin instead. This API will be removed in the next major release.
[WARNING] aws-cdk-lib.aws_cloudfront_origins.S3Origin#bind is deprecated. Use S3BucketOrigin or S3StaticWebsiteOrigin instead. This API will be removed in the next major release.
[Warning at /AcWebCallingStack/Endpoint/DeploymentStage.prod/Resource] AwsSolutions-APIG3: The REST API stage is not associated with AWS WAFv2 web ACL. AWS WAFv2 is a web application firewall that helps protect web applications and APIs from attacks by allowing configured rules to allow, block, or monitor (count) web requests based on customizable rules and conditions that are defined.

[Warning at /AcWebCallingStack/CloudFrontToS3/CloudFrontDistribution/Resource] AwsSolutions-CFR1: The CloudFront distribution may require Geo restrictions. Geo restriction may need to be enabled for the distribution in order to allow or deny a country in order to allow or restrict users in specific locations from accessing content.

[Warning at /AcWebCallingStack/CloudFrontToS3/CloudFrontDistribution/Resource] AwsSolutions-CFR2: The CloudFront distribution may require integration with AWS WAF. The Web Application Firewall can help protect against application-layer attacks that can compromise the security of the system or place unnecessary load on them.

[Error at /AcWebCallingStack/CloudFrontToS3/CloudFrontDistribution/Resource] AwsSolutions-CFR7: The CloudFront distribution does not use an origin access control with an S3 origin. Origin access controls help with security by restricting any direct access to objects through S3 URLs.

kalipavan commented 2 days ago

Thank you for bringing this to our attention. I'm glad to inform you that we've addressed these issues in the updated code. Let me explain how we've resolved each of the warnings and errors you mentioned:

  1. Deprecation of S3Origin: We've updated the code to use S3BucketOrigin instead of the deprecated S3Origin. This resolves the deprecation warnings.

  2. AwsSolutions-APIG3 (WAF for API Gateway): We've added a suppression for this warning as WAF is not required for this demo API. However, we've included a comment explaining why it's suppressed, which is a best practice for production environments.

  3. AwsSolutions-CFR1 (Geo restrictions): This warning is suppressed as geo-restrictions are not necessary for this demo. We've added a comment explaining the suppression.

  4. AwsSolutions-CFR2 (WAF for CloudFront): Similar to the API Gateway, we've suppressed this warning for the demo, with an explanatory comment.

  5. AwsSolutions-CFR7 (Origin Access Control): This error has been resolved by implementing Origin Access Control (OAC) for the S3 origin. We're now using S3BucketOrigin.withOriginAccessControl() to create the S3 origin with OAC.

Here's a snippet of the relevant part of the updated code:

// Origin Access Control: CloudFront signs origin requests with SigV4, so the
// bucket policy can grant access to this distribution only and block direct S3 URLs.
const originAccessControl = new cloudfront.S3OriginAccessControl(this, 'MyOAC', {
  signing: cloudfront.Signing.SIGV4_NO_OVERRIDE
});

// S3BucketOrigin replaces the deprecated S3Origin and attaches the OAC to the bucket origin.
const s3Origin = origins.S3BucketOrigin.withOriginAccessControl(s3Bucket, {
  originAccessControl,
});

const distribution = new cloudfront.Distribution(this, 'Distribution', {
  defaultBehavior: { 
    origin: s3Origin,
    // Viewers are always upgraded to HTTPS.
    viewerProtocolPolicy: cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
    ...
  },
  // ... other configuration ...
});

These changes should resolve all the warnings and errors you encountered. The updated code now uses best practices for securing S3 access via CloudFront while suppressing warnings that aren't applicable to this demo setup.

If you have any questions about these changes or need further clarification, please don't hesitate to ask. Thank you for your support in reporting these issues, as it helps improve the quality and security of our code.
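For anyone verifying that the AwsSolutions-CFR7 fix above actually reached the synthesized template, here is a small post-synth check. It is an added example, not code from this repository or from cdk-nag: it walks a CloudFormation template (the `cdk.out/<stack>.template.json` that `cdk synth` writes) and lists every CloudFront S3 origin that has no `OriginAccessControlId`, which is roughly what the CFR7 rule looks for. The template embedded below is constructed for the demo (one distribution wired to an OAC, one left open); the resource names `GoodDist`, `BadDist`, `SiteBucket` and `MyOAC` are assumptions.

```python
"""Post-synth check mirroring cdk-nag AwsSolutions-CFR7: every CloudFront S3
origin must reference an Origin Access Control. Pass a cdk.out template path
as argv[1], or run without arguments to check the constructed sample."""
import json
import re
from typing import Any

# Constructed sample template: GoodDist uses an OAC, BadDist exposes its bucket.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "GoodDist": {
            "Type": "AWS::CloudFront::Distribution",
            "Properties": {"DistributionConfig": {"Origins": [
                {"Id": "s3good",
                 "DomainName": {"Fn::GetAtt": ["SiteBucket", "RegionalDomainName"]},
                 "OriginAccessControlId": {"Fn::GetAtt": ["MyOAC", "Id"]},
                 "S3OriginConfig": {"OriginAccessIdentity": ""}}]}}},
        "BadDist": {
            "Type": "AWS::CloudFront::Distribution",
            "Properties": {"DistributionConfig": {"Origins": [
                {"Id": "s3bad",
                 "DomainName": "assets.s3.us-east-1.amazonaws.com",
                 "S3OriginConfig": {"OriginAccessIdentity": ""}},
                {"Id": "api",
                 "DomainName": "abc123.execute-api.us-east-1.amazonaws.com",
                 "CustomOriginConfig": {"OriginProtocolPolicy": "https-only"}}]}}},
    }
})

# Literal S3 hostnames, global or regional (bucket.s3.amazonaws.com, bucket.s3.eu-west-1.amazonaws.com).
S3_HOST = re.compile(r"\.s3([.-][a-z0-9-]+)?\.amazonaws\.com$")


def is_s3_origin(origin: dict[str, Any]) -> bool:
    """True if the origin points at S3: it carries S3OriginConfig, its domain
    is a literal S3 endpoint, or it is a Fn::GetAtt on a bucket's domain name."""
    if "S3OriginConfig" in origin:
        return True
    dn = origin.get("DomainName")
    if isinstance(dn, str):
        return bool(S3_HOST.search(dn))
    if isinstance(dn, dict) and "Fn::GetAtt" in dn:
        return dn["Fn::GetAtt"][1] in ("DomainName", "RegionalDomainName")
    return False


def find_open_s3_origins(template_json: str) -> list[tuple[str, str]]:
    """Return (distribution logical id, origin id) for S3 origins with no OAC.
    A legacy OriginAccessIdentity does not count: CFR7 asks for OAC."""
    tpl = json.loads(template_json)
    findings: list[tuple[str, str]] = []
    for logical_id, res in tpl.get("Resources", {}).items():
        if res.get("Type") != "AWS::CloudFront::Distribution":
            continue
        cfg = res.get("Properties", {}).get("DistributionConfig", {})
        for origin in cfg.get("Origins", []):
            if is_s3_origin(origin) and not origin.get("OriginAccessControlId"):
                findings.append((logical_id, origin.get("Id", "?")))
    return findings


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    for dist, origin in find_open_s3_origins(source):
        print(f"{dist}: origin '{origin}' has no OriginAccessControlId (AwsSolutions-CFR7)")
```

Running it on the sample reports only `BadDist`/`s3bad`; the API Gateway origin is skipped because it is a custom origin, not S3. Wiring this into CI after `cdk synth` catches a regression to the open origin even if someone later removes the cdk-nag aspect from the app.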