AWS AWSCloudFormation documentation change
Summary
Added multiple detailed examples for creating CloudFront distribution tenants with different configurations including certificate inheritance, custom certificates, CloudFront hosted, and self-hosted setups
Security assessment
The examples demonstrate security-related configurations including SSL certificate management (AcmCertificateArn), S3 bucket encryption (SSEAlgorithm: aws:kms), secure transport enforcement (aws:SecureTransport condition), and public access restrictions. However, these are standard security best practices documentation rather than addressing a specific security vulnerability.
Diff
diff --git a/AWSCloudFormation/latest/TemplateReference/aws-resource-cloudfront-distributiontenant.md b/AWSCloudFormation/latest/TemplateReference/aws-resource-cloudfront-distributiontenant.md index bf592ac63..bf8d61d13 100644 --- a//AWSCloudFormation/latest/TemplateReference/aws-resource-cloudfront-distributiontenant.md +++ b//AWSCloudFormation/latest/TemplateReference/aws-resource-cloudfront-distributiontenant.md @@ -3 +3 @@ -SyntaxPropertiesReturn values +SyntaxPropertiesReturn valuesExamplesSee also @@ -198,0 +199,888 @@ The status of the distribution tenant. +## Examples + +###### + + * Create a distribution tenant that inherits its certificate + + * Create a distribution tenant with its own certificate + + * Create a CloudFront hosted distribution tenant + + * Create a self hosted distribution tenant + + + + +### Create a distribution tenant that inherits its certificate + +The following example specifies a distribution tenant that inherits its certificate from its parent multi-tenant distribution. + +#### JSON + + + { + "Resources": { + "MyMultiTenantDistribution": { + "Type": "AWS::CloudFront::Distribution", + "Properties": { + "DistributionConfig": { + "ConnectionMode": "tenant-only", + "ViewerCertificate": { + "AcmCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/1954f095-11b6-4daf-9952-0c308a00944d", + "SslSupportMethod": "sni-only" + }, + "TenantConfig": { + "ParameterDefinitions": [ + { + "Name": "tenantName", + "Definition": { + "StringSchema": { + "Comment": "Tenant name", + "DefaultValue": "root", + "Required": false + } + } + } + ] + }, + "DefaultCacheBehavior": { + "TargetOriginId": "MyBucket.Arn", + "ViewerProtocolPolicy": "allow-all", + "AllowedMethods": [ + "GET", + "HEAD" + ], + "CachePolicyId": "658327ea-f89d-4fab-a63d-7e88639e58f6" + }, + "Enabled": true, + "Origins": [ + { + "DomainName": "MyBucket.RegionalDomainName", + "Id": "MyBucket.Arn", + "OriginPath": "/{{tenantName}}", + "S3OriginConfig": { + "OriginAccessIdentity": "" + } + } + ] + } + } + }, + "MyBucket": { + "Type": "AWS::S3::Bucket", + "Properties": { + "BucketName": "amzn-s3-demo-bucket", + "BucketEncryption": { + "ServerSideEncryptionConfiguration": [ + { + "ServerSideEncryptionByDefault": { + "SSEAlgorithm": "aws:kms", + "KMSMasterKeyID": "alias/aws/s3" + } + } + ] + }, + "PublicAccessBlockConfiguration": { + "IgnorePublicAcls": true, + "RestrictPublicBuckets": true + } + } + }, + "MyBucketBucketPolicy": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "Bucket": "MyBucket", + "PolicyDocument": { + "Id": "RequireEncryptionInTransit", + "Version": "2012-10-17", + "Statement": [ + { + "Principal": "*", + "Action": "*", + "Effect": "Deny", + "Resource": [ + "MyBucket.Arn", + "${MyBucket.Arn}/*" + ], + "Condition": { + "Bool": { + "aws:SecureTransport": "false" + } + } + } + ] + } + } + }, + "MyDistributionTenant": { + "Type": "AWS::CloudFront::DistributionTenant", + "Properties": { + "Domains": [ + "my-distribution-tenant.example.com" + ], + "DistributionId": "MyMultiTenantDistribution.Id", + "Name": "MyDistributionTenant", + "Enabled": true, + "Parameters": [ + { + "Name": "tenantName", + "Value": "first-user" + } + ] + } + } + } + } + +#### YAML + + + Resources: + MyMultiTenantDistribution: + Type: AWS::CloudFront::Distribution + Properties: + DistributionConfig: + ConnectionMode: tenant-only + ViewerCertificate: + AcmCertificateArn: arn:aws:acm:us-east-1:123456789012:certificate/1954f095-11b6-4daf-9952-0c308a00944d + SslSupportMethod: sni-only + TenantConfig: + ParameterDefinitions: + - Name: tenantName + Definition: + StringSchema: + Comment: "Tenant name" + DefaultValue: "root" + Required: false + DefaultCacheBehavior: + TargetOriginId: !GetAtt MyBucket.Arn + ViewerProtocolPolicy: allow-all + AllowedMethods: + - GET + - HEAD + CachePolicyId: 658327ea-f89d-4fab-a63d-7e88639e58f6 # CachingOptimized PolicyId + Enabled: true + Origins: + - DomainName: !GetAtt MyBucket.RegionalDomainName + Id: !GetAtt MyBucket.Arn + OriginPath: "/{{tenantName}}" + S3OriginConfig: + OriginAccessIdentity: "" + + MyBucket: + Type: AWS::S3::Bucket + Properties: + BucketName: amzn-s3-demo-bucket + BucketEncryption: + ServerSideEncryptionConfiguration: + - ServerSideEncryptionByDefault: + SSEAlgorithm: aws:kms + KMSMasterKeyID: alias/aws/s3 + PublicAccessBlockConfiguration: + IgnorePublicAcls: true + RestrictPublicBuckets: true + MyBucketBucketPolicy: + Type: AWS::S3::BucketPolicy + Properties: + Bucket: !Ref MyBucket + PolicyDocument: + Id: RequireEncryptionInTransit + Version: '2012-10-17' + Statement: + - Principal: '*'