CloudKitect Website Pattern Properties

Infrastructure Diagram: Rest Api Infrastructure (image)

Default Configuration

A validated public certificate for the API domain, attached to the CloudFront distribution.

Note: By default this construct expects the HostedZone to be present in the same AWS account (see the second example below for a HostedZone in a different account).

Default Alarms

  1. Cloudwatch Total Error Rate Alarm
    • Risk Level: Low
    • Well Architected Pillar: Reliability
  2. Certificate Expiration Alarms
    • Risk Level: High
    • Compliance: PCI, APRA, MAS, NIST4
    • Well Architected Pillar: Operational Excellence

Note that the default alarms use the WaAlarm construct, which by default sets up an alarm action that notifies the SNS topic AlarmEventsTopic.

Examples

Default usage, if the HostedZone is in the same account

new CpWebsite(this, "LogicalId", {
  cpDomainName: 'example.com',       // apex domain; its HostedZone must exist in this account
  cpSubdomain: "www",                // site is served at www.example.com
  cpPathToContent: './site-content'  // local directory deployed to the website bucket
});

Default usage, if the HostedZone is in a different account

new CpWebsite(this, "LogicalId", {
  cpDomainName: 'example.com',
  cpHostedZoneId: "HOSTED_ZONE_ID",               // zone ID of the HostedZone in the other account
  cpHostedZoneAccountId: "SHARED_ACCOUNT_ID",     // AWS account that owns the HostedZone
  cpPathToContent: './site-content',
  cpAdditionalDomainNames: ['www2.example.com']   // extra names served by the same distribution
});

Compliance

It addresses the following compliance requirements:

  1. Blocks public access
    • Risk Level: Medium
    • Compliance: PCI, HIPAA, GDPR, APRA, MAS, NIST4
    • Well Architected Pillar: Security
  2. S3 Bucket Logging Enabled
    • Risk Level: Medium
    • Compliance: PCI, HIPAA, GDPR, APRA, MAS, NIST4
    • Well Architected Pillar: Security
  3. Bucket versioning enabled in Production Environment
    • Risk Level: Low
    • Compliance: PCI, APRA, MAS, NIST4
    • Well Architected Pillar: Reliability
  4. Block S3 Bucket Public 'READ' Access
    • Risk Level: Very High
    • Compliance: PCI, GDPR, APRA, MAS, NIST4
    • Well Architected Pillar: Security
  5. S3 Bucket should have Retain Policy in Production Environment
    • Risk Level: High
    • Compliance: NA
    • Well Architected Pillar: Reliability
  6. Only allow secure transport protocols
    • Risk Level: High
    • Compliance: PCI, APRA, MAS, NIST4
    • Well Architected Pillar: Security
  7. Server side encryption
    • Risk Level: High
    • Compliance: PCI, HIPAA, GDPR, APRA, MAS, NIST4
    • Well Architected Pillar: Security
  8. S3 Bucket Block ACLs
    • Risk Level: Very High
    • Compliance: PCI, APRA, MAS, NIST4
    • Well Architected Pillar: Security
  9. Cloudfront origin should not use insecure protocols
    • Risk Level: Medium
    • Compliance: PCI, HIPAA, APRA, MAS, NIST4
    • Well Architected Pillar: Security
  10. Cloudfront logging enabled
    • Risk Level: Low
    • Compliance: PCI, HIPAA, GDPR, APRA, NIST4
    • Well Architected Pillar: Operational Excellence
  11. Cloudfront uses enhanced security policy min TLS1.2
    • Risk Level: High
    • Compliance: PCI, HIPAA, MAS, NIST4
    • Well Architected Pillar: Security
  12. Cloudfront uses only secure protocol to communicate with origin
    • Risk Level: Medium
    • Compliance: PCI, HIPAA, APRA, MAS, NIST4
    • Well Architected Pillar: Security
  13. Cloudfront uses only secure protocol to communicate with end users
    • Risk Level: High
    • Compliance: PCI, HIPAA, NIST4
    • Well Architected Pillar: Security
  14. Enable origin access identity for S3 origins
    • Risk Level: Medium
    • Compliance: NA
    • Well Architected Pillar: Security
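The controls above are easiest to verify on the synthesized CloudFormation template rather than on the live account. The following is an added example, not CloudKitect's or CpWebsite's own code: a dependency-free audit that walks a template and reports which of the listed controls a bucket or distribution fails. Property names follow the public CloudFormation schema for AWS::S3::Bucket, AWS::S3::BucketPolicy and AWS::CloudFront::Distribution; the sample template, its logical IDs, bucket names and ARNs are constructed for illustration and are not output of this construct.

```typescript
// Added example (not CloudKitect code): audit a synthesized CloudFormation template
// against the website controls: public access block, logging, versioning, Retain,
// TLS-only bucket policy, SSE, ACLs disabled, CloudFront TLS >= 1.2, HTTPS to
// viewers and origins, CloudFront logging, and an origin access identity on S3 origins.
type Resource = { Type: string; Properties?: any; DeletionPolicy?: string };
type Template = { Resources: Record<string, Resource> };

function byType(t: Template, type: string): [string, Resource][] {
  return Object.entries(t.Resources).filter(([, r]) => r.Type === type);
}

// True if a bucket policy attached to `bucketId` denies requests made without TLS.
function deniesInsecureTransport(t: Template, bucketId: string): boolean {
  return byType(t, 'AWS::S3::BucketPolicy').some(([, pol]) => {
    if (pol.Properties?.Bucket?.Ref !== bucketId) return false;
    const stmts: any[] = pol.Properties?.PolicyDocument?.Statement ?? [];
    return stmts.some((s) => s.Effect === 'Deny' && String(s.Condition?.Bool?.['aws:SecureTransport']) === 'false');
  });
}

// Returns one finding per failed control; an empty array means every control passed.
function auditWebsiteTemplate(t: Template): string[] {
  const findings: string[] = [];
  for (const [id, b] of byType(t, 'AWS::S3::Bucket')) {
    const p = b.Properties ?? {};
    const pab = p.PublicAccessBlockConfiguration ?? {};
    if (!(pab.BlockPublicAcls && pab.BlockPublicPolicy && pab.IgnorePublicAcls && pab.RestrictPublicBuckets))
      findings.push(`${id}: public access is not fully blocked`);
    if (!p.LoggingConfiguration?.DestinationBucketName) findings.push(`${id}: server access logging disabled`);
    if (p.VersioningConfiguration?.Status !== 'Enabled') findings.push(`${id}: versioning disabled`);
    if (b.DeletionPolicy !== 'Retain') findings.push(`${id}: DeletionPolicy is not Retain`);
    if (!deniesInsecureTransport(t, id)) findings.push(`${id}: no bucket policy denying aws:SecureTransport=false`);
    const sse = p.BucketEncryption?.ServerSideEncryptionConfiguration?.[0]?.ServerSideEncryptionByDefault?.SSEAlgorithm;
    if (!sse) findings.push(`${id}: default server-side encryption not configured`);
    if (p.OwnershipControls?.Rules?.[0]?.ObjectOwnership !== 'BucketOwnerEnforced')
      findings.push(`${id}: ACLs not disabled (ObjectOwnership is not BucketOwnerEnforced)`);
  }
  for (const [id, d] of byType(t, 'AWS::CloudFront::Distribution')) {
    const c = d.Properties?.DistributionConfig ?? {};
    const minTls: string = c.ViewerCertificate?.MinimumProtocolVersion ?? '';
    if (!/^TLSv1\.2/.test(minTls)) findings.push(`${id}: viewer MinimumProtocolVersion below TLSv1.2 (${minTls || 'unset'})`);
    const vpp = c.DefaultCacheBehavior?.ViewerProtocolPolicy;
    if (vpp !== 'https-only' && vpp !== 'redirect-to-https') findings.push(`${id}: viewers may use plain HTTP`);
    if (!c.Logging?.Bucket) findings.push(`${id}: access logging disabled`);
    for (const o of c.Origins ?? []) {
      if (o.S3OriginConfig && !o.S3OriginConfig.OriginAccessIdentity) findings.push(`${id}/${o.Id}: S3 origin without an origin access identity`);
      if (o.CustomOriginConfig && o.CustomOriginConfig.OriginProtocolPolicy !== 'https-only') findings.push(`${id}/${o.Id}: origin protocol is not https-only`);
    }
  }
  return findings;
}

// Constructed sample template: the shape a hardened website stack takes after `cdk synth` (illustrative values only).
const compliantTemplate: Template = {
  Resources: {
    WebsiteBucket: {
      Type: 'AWS::S3::Bucket',
      DeletionPolicy: 'Retain',
      Properties: {
        PublicAccessBlockConfiguration: { BlockPublicAcls: true, BlockPublicPolicy: true, IgnorePublicAcls: true, RestrictPublicBuckets: true },
        LoggingConfiguration: { DestinationBucketName: 'example-access-logs', LogFilePrefix: 'website/' },
        VersioningConfiguration: { Status: 'Enabled' },
        BucketEncryption: { ServerSideEncryptionConfiguration: [{ ServerSideEncryptionByDefault: { SSEAlgorithm: 'AES256' } }] },
        OwnershipControls: { Rules: [{ ObjectOwnership: 'BucketOwnerEnforced' }] },
      },
    },
    WebsiteBucketPolicy: {
      Type: 'AWS::S3::BucketPolicy',
      Properties: {
        Bucket: { Ref: 'WebsiteBucket' },
        PolicyDocument: { Statement: [{ Effect: 'Deny', Principal: '*', Action: 's3:*', Resource: '*', Condition: { Bool: { 'aws:SecureTransport': 'false' } } }] },
      },
    },
    Cdn: {
      Type: 'AWS::CloudFront::Distribution',
      Properties: {
        DistributionConfig: {
          ViewerCertificate: { AcmCertificateArn: 'arn:aws:acm:us-east-1:111111111111:certificate/EXAMPLE', MinimumProtocolVersion: 'TLSv1.2_2021', SslSupportMethod: 'sni-only' },
          DefaultCacheBehavior: { TargetOriginId: 'S3Origin', ViewerProtocolPolicy: 'redirect-to-https' },
          Logging: { Bucket: 'example-access-logs.s3.amazonaws.com' },
          Origins: [{ Id: 'S3Origin', DomainName: 'example-site.s3.amazonaws.com', S3OriginConfig: { OriginAccessIdentity: 'origin-access-identity/cloudfront/EXAMPLEOAI' } }],
        },
      },
    },
  },
};

// The same template with two controls weakened, to show the audit catching a regression.
const weakenedTemplate: Template = JSON.parse(JSON.stringify(compliantTemplate));
delete weakenedTemplate.Resources.WebsiteBucket.Properties.BucketEncryption;
weakenedTemplate.Resources.Cdn.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion = 'TLSv1_2016';

console.log(auditWebsiteTemplate(compliantTemplate)); // []
console.log(auditWebsiteTemplate(weakenedTemplate));  // two findings: missing SSE, TLS below 1.2
```

Run it against the JSON that `cdk synth` writes to cdk.out to gate a pipeline on these controls; the check for the TLS-only policy deliberately requires an explicit Deny on aws:SecureTransport=false rather than trusting that CloudFront alone talks to the bucket, since the bucket policy is what blocks direct unencrypted access.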

Hierarchy

  • Construct
    • CpWebsite

Constructors

  • Parameters

    Returns CpWebsite

Properties

bucketDeployment: BucketDeployment

Bucket deployment

cdn: CcDistribution

CloudFront distribution used in this construct

cloudfrontOAI: OriginAccessIdentity

Origin Access Identity

websiteBucket: CcBucket

Bucket hosting website content

Methods

  • Parameters

    Returns string[]

  • Parameters

    Returns string[]

  • Parameters

    Returns string

Generated using TypeDoc