Only SSE-S3 encryption is supported for Access Log bucket #1

Open
awsjputro opened this issue Dec 28, 2022 · 1 comment

@awsjputro

I got an error that only SSE-S3 is supported for access log bucket.

SSE-S3 is the only supported default bucket encryption for Server Access Logging target buckets --
@biffgaut

That's from this fix introduced in CDK 2.57.0. To avoid it in the short term, you can probably pin to CDK 2.56.0.

But according to the docs, it probably means S3 access logs are probably not being written somewhere in the app. We got the same error when we upgraded and dug into the CDK code. It doesn't look like the fix catches the KMS encryption when logging to a different bucket, so there's probably a bucket with KMS encryption attempting to write its logs to itself. Look for a bucket with serverAccessLogsPrefix set, no log bucket assigned and (the encryption type set explicitly to KMS or KMS_MANAGED) OR (an encryption key set).
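
The search described in the comment above can be run against a CloudFormation template that was already synthesized or deployed. This is an added example, not code from the thread or from CDK; it goes one step further than the comment by also following a `Ref` to a separate log bucket, the case the comment says the CDK check does not catch. The logical IDs and the sample template are constructed.

```typescript
// Added example: flag S3 buckets in a CloudFormation template whose
// server-access-log target has KMS (non SSE-S3) default encryption.
type Template = { Resources: Record<string, any> };

// Default SSE algorithm declared on a bucket resource, or undefined if none.
function sseAlgorithm(bucket: any): string | undefined {
  const rules: any[] =
    bucket?.Properties?.BucketEncryption?.ServerSideEncryptionConfiguration ?? [];
  for (const rule of rules) {
    const alg = rule?.ServerSideEncryptionByDefault?.SSEAlgorithm;
    if (typeof alg === "string") return alg;
  }
  return undefined;
}

// One finding per bucket: "<source> -> <log target> (<algorithm>)".
function findKmsLogTargets(template: Template): string[] {
  const findings: string[] = [];
  for (const id of Object.keys(template.Resources)) {
    const res = template.Resources[id];
    const logging = res?.Properties?.LoggingConfiguration;
    if (res?.Type !== "AWS::S3::Bucket" || !logging) continue;
    // No DestinationBucketName: the bucket logs to itself (prefix set, no log bucket).
    const dest = logging.DestinationBucketName;
    const target: string | undefined =
      dest === undefined ? id : typeof dest?.Ref === "string" ? dest.Ref : undefined;
    if (target === undefined) continue; // literal name or import: cannot resolve here
    const alg = sseAlgorithm(template.Resources[target]);
    if (alg !== undefined && alg !== "AES256") findings.push(`${id} -> ${target} (${alg})`);
  }
  return findings;
}

// Constructed sample template (hypothetical logical IDs), not from the issue.
const kms = { ServerSideEncryptionConfiguration: [
  { ServerSideEncryptionByDefault: { SSEAlgorithm: "aws:kms" } }] };
const sseS3 = { ServerSideEncryptionConfiguration: [
  { ServerSideEncryptionByDefault: { SSEAlgorithm: "AES256" } }] };
const sampleTemplate: Template = { Resources: {
  SelfLoggingKms: { Type: "AWS::S3::Bucket", Properties: {
    LoggingConfiguration: { LogFilePrefix: "logs/" }, BucketEncryption: kms } },
  LogBucketKms: { Type: "AWS::S3::Bucket", Properties: { BucketEncryption: kms } },
  DataBucket: { Type: "AWS::S3::Bucket", Properties: {
    LoggingConfiguration: { DestinationBucketName: { Ref: "LogBucketKms" } } } },
  LogBucketS3: { Type: "AWS::S3::Bucket", Properties: { BucketEncryption: sseS3 } },
  OkBucket: { Type: "AWS::S3::Bucket", Properties: {
    LoggingConfiguration: { DestinationBucketName: { Ref: "LogBucketS3" } } } },
} };

console.log(findKmsLogTargets(sampleTemplate));
```

Buckets whose log destination is a literal name or a cross-stack import are skipped, so those targets still need a manual check.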
