
bug: AwsSolutions-CFR7 OAC Not Detected When Using AWS Solutions Constructs #2149

@anacunha

Description


What is the problem?

CDK Nag rule AwsSolutions-CFR7 reports a CloudFront distribution as non-compliant when Origin Access Control (OAC) is configured via the AWS Solutions Construct @aws-solutions-constructs/aws-cloudfront-s3.

The rule reports:

"The CloudFront distribution does not use an origin access control with an S3 origin."

However, the synthesized CloudFormation template shows that OAC is configured.

Reproduction Steps

1. Create a new CDK project:

mkdir cdk-nag-repro
cd cdk-nag-repro
npx aws-cdk@latest init app --language typescript

2. Install CDK Nag and AWS Solutions Constructs:

npm install aws-cdk-lib@^2.219.0
npm install cdk-nag @aws-solutions-constructs/aws-cloudfront-s3

3. Replace the stack file (lib/cdk-nag-repro-stack.ts) with:

import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { CloudFrontToS3 } from '@aws-solutions-constructs/aws-cloudfront-s3';

export class CdkNagReproStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    new CloudFrontToS3(this, 'Frontend', {});
  }
}

4. Replace the app file (bin/cdk-nag-repro.ts) with:

#!/usr/bin/env node
import * as cdk from 'aws-cdk-lib';
import { Aspects } from 'aws-cdk-lib';
import { AwsSolutionsChecks } from 'cdk-nag';
import { CdkNagReproStack } from '../lib/cdk-nag-repro-stack';

const app = new cdk.App();

new CdkNagReproStack(app, 'CdkNagReproStack');

Aspects.of(app).add(new AwsSolutionsChecks({ verbose: true }));

5. Synthesize:

npx cdk synth

Output will show:

[Error at /CdkNagReproStack/Frontend/CloudFrontDistribution/Resource] AwsSolutions-CFR7: The CloudFront distribution does not use an origin access control with an S3 origin. Origin access controls help with security by restricting any direct access to objects through S3 URLs.

6. Verify OAC is present on CloudFormation template:

grep -A 10 "OriginAccessControl" cdk.out/CdkNagReproStack.template.json

What did you expect to happen?

CDK Nag would recognize that OAC is configured by @aws-solutions-constructs/aws-cloudfront-s3 and report the stack as compliant with AwsSolutions-CFR7.

What actually happened?

CDK Nag reports the distribution as non-compliant:

[Error at /CdkNagReproStack/Frontend/CloudFrontDistribution/Resource] AwsSolutions-CFR7: The CloudFront distribution does not use an origin access control with an S3 origin. Origin access controls help with security by restricting any direct access to objects through S3 URLs.

Even though the CloudFormation template has OAC:

"FrontendCloudFrontOacEEAA642D": {
   "Type": "AWS::CloudFront::OriginAccessControl",
   "Properties": {
    "OriginAccessControlConfig": {
     "Description": "Origin access control provisioned by aws-cloudfront-s3",
     "Name": {
      "Fn::Join": [
       "",
       [
        "aws-cloudfront-s3-Frontend-",
        {
         "Fn::Select": [
          2,
          {
           "Fn::Split": [
            "/",
            {
             "Ref": "AWS::StackId"
            }
           ]
          }
         ]
        }
       ]
      ]
     },
     "OriginAccessControlOriginType": "s3",
     "SigningBehavior": "always",
     "SigningProtocol": "sigv4"
    }
   }
  },
"FrontendCloudFrontDistribution2821C825": {
   "Type": "AWS::CloudFront::Distribution",
   "Properties": {
    "DistributionConfig": {
     "DefaultCacheBehavior": {
      "CachePolicyId": "658327ea-f89d-4fab-a63d-7e88639e58f6",
      "Compress": true,
      "FunctionAssociations": [
       {
        "EventType": "viewer-response",
        "FunctionARN": {
         "Fn::GetAtt": [
          "FrontendSetHttpSecurityHeadersCC86ECCF",
          "FunctionARN"
         ]
        }
       }
      ],
      "TargetOriginId": "CdkNagReproStackFrontendCloudFrontDistributionOrigin166A2E107",
      "ViewerProtocolPolicy": "redirect-to-https"
     },
     "DefaultRootObject": "index.html",
     "Enabled": true,
     "HttpVersion": "http2",
     "IPV6Enabled": true,
     "Logging": {
      "Bucket": {
       "Fn::GetAtt": [
        "FrontendCloudfrontLoggingBucketA12CC26D",
        "RegionalDomainName"
       ]
      }
     },
     "Origins": [
      {
       "DomainName": {
        "Fn::GetAtt": [
         "FrontendS3Bucket834EF3A2",
         "RegionalDomainName"
        ]
       },
       "Id": "CdkNagReproStackFrontendCloudFrontDistributionOrigin166A2E107",
       "OriginAccessControlId": {
        "Fn::GetAtt": [
         "FrontendCloudFrontOacEEAA642D",
         "Id"
        ]
       },
       "S3OriginConfig": {
        "OriginAccessIdentity": ""
       }
      }
     ]
    }
   }
  }

cdk-nag version

2.37.55

Language

TypeScript

Other information

Issue has been reported on aws-solutions-constructs repo too: awslabs/aws-solutions-constructs#1229
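Added example, not part of the report and not cdk-nag's or aws-solutions-constructs' own code: a standalone check over the synthesized template that applies the condition AwsSolutions-CFR7 is meant to enforce, treating an `OriginAccessControlId` that resolves to an `AWS::CloudFront::OriginAccessControl` resource (the shape shown above) as compliant even when the legacy `OriginAccessIdentity` is an empty string. The sample template is constructed from the report's excerpt plus a second, deliberately open distribution.

```typescript
// Added example, not cdk-nag's or the construct's own code: a template-level check
// of what AwsSolutions-CFR7 enforces, run over synthesized cdk.out JSON. An S3 origin
// passes if OriginAccessControlId resolves to an AWS::CloudFront::OriginAccessControl
// of origin type "s3" (the shape the construct emits) or a legacy OAI is set.
type Template = { Resources: Record<string, { Type: string; Properties?: any }> };
export type Finding = { distribution: string; originId: string; compliant: boolean; reason: string };
// Resolve {"Ref": "X"}, {"Fn::GetAtt": ["X", "Id"]} or a literal "X" to a logical id.
function logicalIdOf(value: unknown): string | undefined {
  if (typeof value === "string") return value || undefined;
  const v = value as Record<string, unknown> | null;
  if (v && typeof v.Ref === "string") return v.Ref as string;
  if (v && Array.isArray(v["Fn::GetAtt"])) return String(v["Fn::GetAtt"][0]);
  return undefined;
}

export function checkS3OriginAccess(template: Template): Finding[] {
  const findings: Finding[] = [];
  for (const [distribution, res] of Object.entries(template.Resources)) {
    if (res.Type !== "AWS::CloudFront::Distribution") continue;
    for (const origin of res.Properties?.DistributionConfig?.Origins ?? []) {
      if (!origin.S3OriginConfig) continue; // custom (non-S3) origins are out of scope
      const oacId = logicalIdOf(origin.OriginAccessControlId);
      const oac = oacId ? template.Resources[oacId] : undefined;
      const oai: string = origin.S3OriginConfig.OriginAccessIdentity ?? "";
      let compliant = false, reason = "no OAC resource referenced and OAI is empty";
      if (oac?.Type === "AWS::CloudFront::OriginAccessControl" &&
          oac.Properties?.OriginAccessControlConfig?.OriginAccessControlOriginType === "s3") {
        compliant = true; reason = `OAC ${oacId}`;
      } else if (oai !== "") {
        compliant = true; reason = `legacy OAI ${oai}`;
      }
      findings.push({ distribution, originId: origin.Id, compliant, reason });
    }
  }
  return findings;
}

// Constructed sample: the report's distribution trimmed to the relevant keys
// (OAC via Fn::GetAtt, empty legacy OAI) plus a distribution with neither.
export const sampleTemplate: Template = { Resources: {
  FrontendCloudFrontOacEEAA642D: { Type: "AWS::CloudFront::OriginAccessControl",
    Properties: { OriginAccessControlConfig: { OriginAccessControlOriginType: "s3" } } },
  FrontendCloudFrontDistribution2821C825: { Type: "AWS::CloudFront::Distribution",
    Properties: { DistributionConfig: { Origins: [{ Id: "origin1",
      OriginAccessControlId: { "Fn::GetAtt": ["FrontendCloudFrontOacEEAA642D", "Id"] },
      S3OriginConfig: { OriginAccessIdentity: "" } }] } } },
  OpenDistribution: { Type: "AWS::CloudFront::Distribution", Properties: { DistributionConfig: {
    Origins: [{ Id: "origin2", S3OriginConfig: { OriginAccessIdentity: "" } }] } } },
} };
```

Running `checkS3OriginAccess(JSON.parse(fs.readFileSync("cdk.out/CdkNagReproStack.template.json", "utf8")))` on the real output gives a second opinion on the rule's verdict for each S3 origin.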
