doc: AwsSolutions-CFR6 conflicts with AWS recommendation

[EysaN]

Under RULES.md, the rule AwsSolutions-CFR6 results in the following error when synthesizing CDK app:
AwsSolutions-CFR6: The CloudFront distribution does not use an origin access identity with an S3 origin.

However, AWS Documentation clearly says: We recommend using OAC and it marks OAI as legacy, not recommended.

Currently, we have to manually suppress it to avoid synthesizing failure.

Could you please support OAC instead?

[dontirun]

@EysaN I'll take a look into what needs to be done for this one. Thanks for bringing it up!

[clueleaf]

I think we can check if OriginAccessControlId is configured in CloudFront origin.
https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-origin.html#cfn-cloudfront-distribution-origin-originaccesscontrolid

[dontirun]

I think there will need to be a few changes here

Streaming Distribution

CloudFront Streaming distributions don't seem to support OACs so the rule should be kept the same for Streaming Distributions

Distribution

@clueleaf I think you're correct that we need to check the OriginAccessControlId property on Distributions. Additionally, if the OAC is created in the stack, we should also check if the SigningBehavior isn't set to never

[braidoa]

Hi. Commenting from AWS ProServe Engagement Security:
We will wait until cdk-nag is updated, and then we'll update our guidance to ProServe builders. 😄

[clueleaf]

Since currently we have to use addPropertyOverride to configure OAC, and cdk-nag can not see overridden properties, I think supporting OAC in cdk-nag now will result in a lot of false positives.
Waiting for an L2 construct for OAC. (aws/aws-cdk#21771 aws/aws-cdk-rfcs#617)