fix(cdk): add S3 SSL enforcement and COG3 nag suppression for browser construct

MichaelWalker-git · MichaelWalker-git · commit 4f690e3eac86 · 2026-04-16T15:46:55.000-07:00
diff --git a/cdk/src/constructs/agent-browser.ts b/cdk/src/constructs/agent-browser.ts
@@ -45,6 +45,7 @@ export class AgentBrowser extends Construct {
     this.screenshotBucket = new s3.Bucket(this, 'ScreenshotBucket', {
       encryption: s3.BucketEncryption.S3_MANAGED,
       blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL,
+      enforceSSL: true,
       removalPolicy: RemovalPolicy.DESTROY,
       autoDeleteObjects: true,
       lifecycleRules: [
@@ -174,6 +175,10 @@ export class AgentBrowser extends Construct {
         id: 'AwsSolutions-COG2',
         reason: 'Gateway default Cognito user pool uses M2M client credentials flow — MFA not applicable',
       },
+      {
+        id: 'AwsSolutions-COG3',
+        reason: 'Gateway default Cognito user pool uses M2M client credentials flow — advanced security not required',
+      },
     ], true);
 
     NagSuppressions.addResourceSuppressions(this.browser, [
