fix: add listBucket permission to s3 policy

Signed-off-by: Arjun Raja Yogidas <arjunry@amazon.com>

Author: coderbirju

lib/artifact-bucket-cloudfront.ts

@@ -18,7 +18,8 @@ export class ArtifactBucketCloudfrontStack extends cdk.Stack {
     const artifactBucket = new s3.Bucket(this, 'ArtifactBucket', {
       bucketName,
       publicReadAccess: false,
-      blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL
+      blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL,
+      enforceSSL: true
     });
 
     // upload the file for integration testing puporse

lib/cloudfront_cdn.ts

@@ -20,8 +20,11 @@ export class CloudfrontCdn extends Construct {
 
     props.bucket.addToResourcePolicy(
       new iam.PolicyStatement({
-        actions: ['s3:GetObject'],
-        resources: [props.bucket.arnForObjects('*')],
+        actions: ['s3:GetObject', 's3:ListBucket'],
+        resources: [
+          props.bucket.bucketArn,           // arn:aws:s3:::bucket-name
+          props.bucket.arnForObjects('*')   // arn:aws:s3:::bucket-name/*
+        ],
         principals: [new iam.CanonicalUserPrincipal(cloudfrontOAI.cloudFrontOriginAccessIdentityS3CanonicalUserId)]
       })
     );