feat(cloudfront-origins): list access level for 404 response

[Tietew]

Issue # (if applicable)

Closes #13983.
Closes #31689.

Reason for this change

When we want to receive HTTP 404 response where the requested object does not exist,
s3:ListBucket permission is needed in the S3 bucket policy.

Unlike errorResponses to convert 403 response to 404, This is useful to distinguish between responses blocked by WAF (403) and responses where the file does not exist (404).

Description of changes

Added a new AccessLevel.LIST to allow s3:ListBucket.

Description of how you validated changes

Unit test and integration test. The integ test also tests the response is 404.

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[Tietew]

@gracelu0 Thank you for your review!
I will add a warning annotation when LIST is specified.

[Tietew]

I created an example CDK project.
It creates an S3 bucket and a CloudFront distribution with OAC. The S3 bucket allows the distribution to s3:GetObject and s3:ListBucket.
https://github.com/Tietew/cdk-cloudfront-listbucket-example

The root path returns the list of objects in the bucket:
https://d1s2487zo3mtd6.cloudfront.net/

A missing object returns 404:
https://d1s2487zo3mtd6.cloudfront.net/missing.html

Regular objects return 200 and their contents:
https://d1s2487zo3mtd6.cloudfront.net/folder/index.html
https://d1s2487zo3mtd6.cloudfront.net/non-folder/index.html

A folder created by S3 console returns 200 and empty content (content-type: application/x-directory):
https://d1s2487zo3mtd6.cloudfront.net/folder/

Without a folder, S3 returns 404:
https://d1s2487zo3mtd6.cloudfront.net/non-folder/

Pull request has been modified.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 81.48%. Comparing base (ddaad47) to head (46103a2).
Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #32059   +/-   ##
=======================================
  Coverage   81.48%   81.48%           
=======================================
  Files         226      226           
  Lines       13768    13768           
  Branches     2416     2416           
=======================================
  Hits        11219    11219           
  Misses       2271     2271           
  Partials      278      278           

Flag	Coverage Δ
suite.unit	81.48% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
packages/aws-cdk	80.89% <ø> (ø)
packages/aws-cdk-lib/core	82.10% <ø> (ø)

[gracelu0]

@Mergifyio update

[mergify]

update

✅ Branch has been successfully updated

[gracelu0]

Thank you for contributing!

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: 46103a2
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.