fix: prevent content deletion from artifact bucket (#1073)

coderbirju · web-flow · commit 94d09a7ba547 · 2026-01-29T13:28:56.000-08:00
* fix: prevent content deletion from artifact bucket

Signed-off-by: Arjun Raja Yogidas &lt;arjunry@amazon.com&gt;

* fix: add listBucket permission to s3 policy

Signed-off-by: Arjun Raja Yogidas &lt;arjunry@amazon.com&gt;

---------

Signed-off-by: Arjun Raja Yogidas &lt;arjunry@amazon.com&gt;
diff --git a/lib/artifact-bucket-cloudfront.ts b/lib/artifact-bucket-cloudfront.ts
@@ -24,7 +24,8 @@ export class ArtifactBucketCloudfrontStack extends cdk.Stack {
     // upload the file for integration testing puporse
     new s3Deployment.BucketDeployment(this, 'DeployTestFile', {
       sources: [s3Deployment.Source.asset('./assets')],
-      destinationBucket: artifactBucket
+      destinationBucket: artifactBucket,
+      prune: false
     });
 
     const cloudfrontCdn = new CloudfrontCdn(this, 'ArtifactCloudfrontCdn', {
diff --git a/lib/cloudfront_cdn.ts b/lib/cloudfront_cdn.ts
@@ -20,8 +20,11 @@ export class CloudfrontCdn extends Construct {
 
     props.bucket.addToResourcePolicy(
       new iam.PolicyStatement({
-        actions: ['s3:GetObject'],
-        resources: [props.bucket.arnForObjects('*')],
+        actions: ['s3:GetObject', 's3:ListBucket'],
+        resources: [
+          props.bucket.bucketArn,           // arn:aws:s3:::bucket-name
+          props.bucket.arnForObjects('*')   // arn:aws:s3:::bucket-name/*
+        ],
         principals: [new iam.CanonicalUserPrincipal(cloudfrontOAI.cloudFrontOriginAccessIdentityS3CanonicalUserId)]
       })
     );
diff --git a/test/cloudfront_cdn.test.ts b/test/cloudfront_cdn.test.ts
@@ -46,28 +46,33 @@ describe('CloudfrontCdn', () => {
         Ref: bukcetLogicalId
       },
       PolicyDocument: {
-        Statement: [
+        Statement: Match.arrayWith([
           Match.objectLike({
-            Action: 's3:GetObject',
+            Action: ['s3:GetObject', 's3:ListBucket'],
             Effect: 'Allow',
             Principal: {
               CanonicalUser: {
                 'Fn::GetAtt': [Match.anyValue(), 'S3CanonicalUserId']
               }
             },
-            Resource: {
-              'Fn::Join': [
-                '',
-                [
-                  {
-                    'Fn::GetAtt': [bukcetLogicalId, 'Arn']
-                  },
-                  '/*'
+            Resource: [
+              {
+                'Fn::GetAtt': [bukcetLogicalId, 'Arn']
+              },
+              {
+                'Fn::Join': [
+                  '',
+                  [
+                    {
+                      'Fn::GetAtt': [bukcetLogicalId, 'Arn']
+                    },
+                    '/*'
+                  ]
                 ]
-              ]
-            }
+              }
+            ]
           })
-        ],
+        ]),
         Version: '2012-10-17'
       }
     });
