Description
Describe the feature
Currently, the aws-s3-deployment construct uses the default settings of the AWS CLI tool, which is to never sign upload payloads. This means that the x-amz-content-sha256 header is never set, and any resource policies which prohibit unsigned payloads (by checking condition StringEquals: { "s3:x-amz-content-sha256": "UNSIGNED_PAYLOAD" }) cannot be targeted by the BucketDeployment construct.
Use Case
It is impossible to use aws-s3-deployment's BucketDeployment construct to put files in buckets that prohibit unsigned payloads.
Proposed Solution
The CLI tool supports this via the s3.payload_signing_enabled global configuration property, but there is no way to specify this global configuration for the Lambda environment. A tiny bit of logic needs to be added to the Lambda to call "aws configure set ..." to enable the property before calling "aws s3 sync" to perform the upload.
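To make the two halves of this concrete, here is an added example (not code from aws-cdk or the BucketDeployment Lambda): it builds the bucket policy statement that rejects unsigned payloads, renders the config-file text that `aws configure set s3.payload_signing_enabled true` produces, and evaluates the policy's condition against a request header set. The bucket name is a hypothetical placeholder, and the evaluator models only the single StringEquals deny relevant here.

```python
import json

# Bucket policy that rejects uploads whose payload was not signed. S3 exposes the
# request's x-amz-content-sha256 header as the condition key s3:x-amz-content-sha256;
# the AWS CLI sets it to the literal UNSIGNED_PAYLOAD when payload signing is off.
def deny_unsigned_payload_policy(bucket: str) -> dict:
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnsignedPayloads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {
                "StringEquals": {"s3:x-amz-content-sha256": "UNSIGNED_PAYLOAD"}
            },
        }],
    }

# Text that `aws configure set s3.payload_signing_enabled true` writes into the CLI
# config file (AWS_CONFIG_FILE, ~/.aws/config by default): a nested s3 setting
# under the chosen profile section.
def payload_signing_config(profile: str = "default") -> str:
    section = "default" if profile == "default" else f"profile {profile}"
    return f"[{section}]\ns3 =\n    payload_signing_enabled = true\n"

# Minimal evaluator for the policy above: a PutObject is denied when the request's
# x-amz-content-sha256 header equals the value in the StringEquals condition.
# A missing header does not match StringEquals, mirroring IAM condition semantics;
# real policy evaluation (allows, other statements) is out of scope here.
def put_is_denied(policy: dict, request_headers: dict) -> bool:
    header = request_headers.get("x-amz-content-sha256")
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or "s3:PutObject" not in stmt["Action"]:
            continue
        wanted = stmt["Condition"]["StringEquals"]["s3:x-amz-content-sha256"]
        if header == wanted:
            return True
    return False

if __name__ == "__main__":
    policy = deny_unsigned_payload_policy("example-bucket")  # placeholder name
    print(json.dumps(policy, indent=2))
    print(payload_signing_config())
    print("unsigned denied:", put_is_denied(policy, {"x-amz-content-sha256": "UNSIGNED_PAYLOAD"}))
```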
Other Information
It is possible that enabling this increases memory usage or makes deployment slightly slower, so I am not proposing to enable it by default. There would be no change to behavior unless a new option is set to 'true'.
Acknowledgements
- I may be able to implement this feature request
- This feature might incur a breaking change
CDK version used
v2.68
Environment details (OS name and version, etc.)
CDKv2 (TypeScript), deploying from AL2 Linux