-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
(aws-s3): Logging Bucket blocks KMS_MANAGED encryption #23513
Comments
@biffgaut, this came as a surprise to me too. We have been using access logging buckets with KMS encryption, but online docs state that it is not.
|
Pretty sure that if you look at your log buckets you'll find that the logs are not actually getting created (if your log bucket is indeed KMS encrypted). This was addressed in a recent release - the new error message didn't break any working code, it just alerted people that their code had not actually been working. KMS_MANAGED encryption is a different beast - if you log to a bucket with KMS_MANAGED encryption the infrastructure created by the CDK Bucket construct will create the log files. But the encryption key is not available to your account and you will be unable to read those log files. So flagging an error for KMS_MANAGED log buckets is also appropriate, just for a different reason. So the code snippet in Expected Behavior above should throw an error, so I'm going to close this issue. |
|
---- closes #23513 ### All Submissions: * [ x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Construct Runtime Dependencies: * [ ] This PR adds new construct runtime dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-construct-runtime-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@biffgaut I am getting this error after upgrading an existing app but can confirm that the configuration is working properly--access logs are being sent to the KMS encrypted log target bucket and I am able to download and view them. My log target bucket has the I'll note that logs were not getting delivered initially but it started working when I gave I know that the documentation indicates that only SSE-S3 is supported, but it doesn't seem to be the case. |
I agreed with @jeffgardnerdev. I am using KMS encryption with |
I put a fix for this. #25350. It is available after v2.81.0. |
Describe the bug
PR 23385 introduced a check to block launching S3 access log buckets with KMS encryption. S3 does not support access log buckets with KMS encryption, so previously these stacks would launch but fail to generate any logs. This PR would throw an Error when this occurred.
The PR included KMS_MANAGED in the list of blocked encryptions, but tests show that S3 buckets with KMS_MANAGED encryption can accepts logs. So the application threw an error for configurations that were valid.
KMS_MANAGED needs to be removed from the list of encryptions flagged by the code.
Expected Behavior
This code should not throw an error:
Current Behavior
That code throws 'SSE-S3 is the only supported default bucket encryption for Server Access Logging target buckets'
Reproduction Steps
Possible Solution
No response
Additional Information/Context
No response
CDK CLI Version
2.57.0
Framework Version
No response
Node.js Version
v14.21.1
OS
macOS Monterey 12.7.1
Language
Typescript
Language Version
No response
Other information
No response
The text was updated successfully, but these errors were encountered: