Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

s3: breaking change, cannot create bucket anymore, InvalidBucketAclWithObjectOwn #25288

Closed
melinaschweizer opened this issue Apr 25, 2023 · 9 comments · Fixed by #25298 or #25303
Closed

s3: breaking change, cannot create bucket anymore, InvalidBucketAclWithObjectOwn #25288

melinaschweizer opened this issue Apr 25, 2023 · 9 comments · Fixed by #25298 or #25303
Labels
@aws-cdk/aws-s3 Related to Amazon S3 effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. p1

Comments

@melinaschweizer
Copy link

melinaschweizer commented Apr 25, 2023
edited
Loading

Describe the bug

Deployed S3 bucket last week into account A without issues and this week it fails on account B with a "Bucket cannot have ACLs set with "ObjectOwnership's BucketOwnerEnforced setting (Service: Amazon S3; Status Code: 400; Error Code: InvalidBucketAclWithObjectOwnership; Request ID: K97VC1M7Z0YY14A5; S3 Extended Request ID: DZGiUrXpLClhwp+7nOjoGocVx15FGQCQd6V0NGXk/YSJ3n/OTZWOIg5sNZGagfs7T0wWX2hPw6M=; Proxy: null)".
Perhaps the announcement https://www.helpnetsecurity.com/2023/02/07/amazon-s3-bucket-security/ is the reason.

Expected Behavior

I expected the buckets to be created without issue, since this worked last week.

Current Behavior

TERMINAL Output: The bucket creation fails with "1:43:11 PM | CREATE_FAILED | AWS::S3::Bucket | Servicesxxxcsvaccesslogstsm07305C09
Bucket cannot have ACLs set with ObjectOwnership's BucketOwnerEnforced setting (Service: Amazon S3; Status Code: 400; Error Code: InvalidBucketAclWithObjectOwn
ership; Request ID: K97VC1M7Z0YY14A5; S3 Extended Request ID: DZGiUrXpLClhwp+7nOjoGocVx15FGQCQd6V0NGXk/YSJ3n/OTZWOIg5sNZGagfs7T0wWX2hPw6M=; Proxy: null)"

CFN Output:

2023-04-25 13:43:11 UTC+0200 Servicesxxxcsvaccesslogstsm07305C09 CREATE_FAILED Bucket cannot have ACLs set with ObjectOwnership's BucketOwnerEnforced setting (Service: Amazon S3; Status Code: 400; Error Code: InvalidBucketAclWithObjectOwnership; Request ID: K97VC1M7Z0YY14A5; S3 Extended Request ID: DZGiUrXpLClhwp+7nOjoGocVx15FGQCQd6V0NGXk/YSJ3n/OTZWOIg5sNZGagfs7T0wWX2hPw6M=; Proxy: null)

Reproduction Steps

    access_logs_bucket = s3.Bucket(
        self, "xxx-csv-access-logs-tsm", 
        encryption=s3.BucketEncryption.S3_MANAGED,
        versioned=True,
        block_public_access=s3.BlockPublicAccess.BLOCK_ALL,
    )
    csv_bucket = s3.Bucket(
        self, "xxx-csv", 
        encryption=s3.BucketEncryption.KMS, 
        encryption_key=csv_bucket_key,
        versioned=True,
        block_public_access=s3.BlockPublicAccess.BLOCK_ALL,
        enforce_ssl=True,
        server_access_logs_bucket=access_logs_bucket
    )

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.76.0 (build 78c411b)

Framework Version

No response

Node.js Version

v19.8.1

OS

macos

Language

Python

Language Version

Python 3.9.6

Other information

No response
@melinaschweizer melinaschweizer added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Apr 25, 2023
@github-actions github-actions bot added the @aws-cdk/aws-s3 Related to Amazon S3 label Apr 25, 2023
@vincenthongzy
Copy link

vincenthongzy commented Apr 25, 2023
edited
Loading

we are facing this issue as well:

    this.bucket = new s3.Bucket(this, 'Bucket', {
      autoDeleteObjects: true,
      removalPolicy: RemovalPolicy.DESTROY,
      bucketName: `bucket-name`,
      publicReadAccess: true,
      accessControl: s3.BucketAccessControl.PUBLIC_READ,
    });

edit:
following this https://aws.amazon.com/blogs/aws/heads-up-amazon-s3-security-changes-are-coming-in-april-of-2023/ , I managed to generate a new error Bucket cannot have public ACLs set with BlockPublicAccess enabled:

    this.bucket = new s3.Bucket(this, 'Bucket', {
      autoDeleteObjects: true,
      removalPolicy: RemovalPolicy.DESTROY,
      bucketName: `bucket-name`,
      publicReadAccess: true,
      objectOwnership: ObjectOwnership.OBJECT_WRITER,
      accessControl: s3.BucketAccessControl.PUBLIC_READ,
    });

...but there seems to be no way to remove the BlockPublicAccess config

@melinaschweizer
Copy link
Author

melinaschweizer commented Apr 25, 2023
edited
Loading

Hi folks, for me, the solution that worked was adding the following to both buckets:
xxxxxxxx_bucket = s3.Bucket(
...
object_ownership=s3.ObjectOwnership.OBJECT_WRITER
)

@pahud
Copy link
Contributor

pahud commented Apr 25, 2023
edited
Loading

According to the blog post announcement:

Once the changes are in effect for a target Region, all newly created buckets in the Region will by default have S3 Block Public Access enabled and access control lists (ACLs) disabled. Both of these options are already console defaults and have long been recommended as best practices. The options will become the default for buckets that are created using the S3 API, S3 CLI, the AWS SDKs, or AWS CloudFormation templates.

and

ACLs Disabled – The Bucket owner enforced setting will be enabled for newly created buckets, making bucket ACLs and object ACLs ineffective, and ensuring that the bucket owner is the object owner no matter who uploads the object. If you want to enable ACLs for a bucket, you can set the ObjectOwnership parameter to ObjectWriter in your CreateBucket request or you can call DeleteBucketOwnershipControls after you create the bucket. You will need s3:PutBucketOwnershipControls permission in order to use the parameter or to call the function; read Controlling Ownership of Objects and Creating a Bucket to learn more.

I believe we should improve the property validation in L2 Bucket construct to improve better user experience.

For cloudfront access log bucket, this works for me per described in the blog post regarding the ObjectOwnership FYR:

const logBucket = new s3.Bucket(this, 'logBucket', {
  objectOwnership: s3.ObjectOwnership.OBJECT_WRITER,
  autoDeleteObjects: true,
  removalPolicy: RemovalPolicy.DESTROY,
});

ref: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html#AccessLogsBucketAndFileOwnership

@pahud pahud added p1 effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. and removed needs-triage This issue or PR still needs to be triaged. bug This issue is a bug. labels Apr 25, 2023
@pahud pahud mentioned this issue Apr 25, 2023
Closed
2 tasks
@pahud pahud added p2 p1 and removed p1 p2 labels Apr 25, 2023
@rittneje
Copy link

@pahud I think you should pin this issue.

@pahud pahud mentioned this issue Apr 25, 2023
Merged
@mergify mergify bot closed this as completed in #25298 Apr 25, 2023
mergify bot pushed a commit that referenced this issue Apr 25, 2023
@pahud
fix(cloudfront): can't create the default log bucket (#25298)
0eb25f2 
Starting from April 2023, all newly created S3 buckets by default have [S3 Block Public Access](https://aws.amazon.com/blogs/aws/amazon-s3-block-public-access-another-layer-of-protection-for-your-accounts-and-buckets/) enabled and [access control lists](https://aws.amazon.com/blogs/aws/new-simplify-access-management-for-data-stored-in-amazon-s3/) (ACLs) disabled, and this prevents the default logBucket for cloudfront to be created. This PR adds the `ObjectOwnership` property to `ObjectWriter` that allows the default log bucket to be successfully created.


Reference
- https://aws.amazon.com/blogs/aws/heads-up-amazon-s3-security-changes-are-coming-in-april-of-2023/
- https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html#access-logs-choosing-s3-bucket

Closes #25288 #25291 

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@github-actions
Copy link

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@MrArnoldPalmer MrArnoldPalmer mentioned this issue Apr 25, 2023
Merged
rix0rrr pushed a commit that referenced this issue Apr 26, 2023
@MrArnoldPalmer @corymhall
fix: log buckets don't have acls enabled (#25303)
0e9440b 
Set ObjectOwnership: ObjectWriter automatically if and only if:

   - It is not provided by the user
   - AccessControl ACLs are configured (only if AccessControl != PRIVATE)

If the user does supply ObjectOwnership != ObjectWriter AND they try to set ACLs, we should error.

`ObjectWriter` was essentially the default behavior before the change to disable ACLs by default for new buckets so though this will update existing buckets it should not cause any breakage or replacement.

Closes #25288

---------

Co-authored-by: corymhall <43035978+corymhall@users.noreply.github.com>
madeline-k pushed a commit that referenced this issue Apr 27, 2023
@pahud @madeline-k
fix(cloudfront): can't create the default log bucket (#25298)
f98c428 
Starting from April 2023, all newly created S3 buckets by default have [S3 Block Public Access](https://aws.amazon.com/blogs/aws/amazon-s3-block-public-access-another-layer-of-protection-for-your-accounts-and-buckets/) enabled and [access control lists](https://aws.amazon.com/blogs/aws/new-simplify-access-management-for-data-stored-in-amazon-s3/) (ACLs) disabled, and this prevents the default logBucket for cloudfront to be created. This PR adds the `ObjectOwnership` property to `ObjectWriter` that allows the default log bucket to be successfully created.


Reference
- https://aws.amazon.com/blogs/aws/heads-up-amazon-s3-security-changes-are-coming-in-april-of-2023/
- https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html#access-logs-choosing-s3-bucket

Closes #25288 #25291 

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
madeline-k pushed a commit that referenced this issue Apr 27, 2023
@MrArnoldPalmer @corymhall @madeline-k
fix: log buckets don't have acls enabled (#25303)
1a57b05 
Set ObjectOwnership: ObjectWriter automatically if and only if:

   - It is not provided by the user
   - AccessControl ACLs are configured (only if AccessControl != PRIVATE)

If the user does supply ObjectOwnership != ObjectWriter AND they try to set ACLs, we should error.

`ObjectWriter` was essentially the default behavior before the change to disable ACLs by default for new buckets so though this will update existing buckets it should not cause any breakage or replacement.

Closes #25288

---------

Co-authored-by: corymhall <43035978+corymhall@users.noreply.github.com>
@sperka sperka mentioned this issue May 3, 2023
Closed
@WealthBlockAI
Copy link

we are facing this issue as well:

    this.bucket = new s3.Bucket(this, 'Bucket', {
      autoDeleteObjects: true,
      removalPolicy: RemovalPolicy.DESTROY,
      bucketName: `bucket-name`,
      publicReadAccess: true,
      accessControl: s3.BucketAccessControl.PUBLIC_READ,
    });

edit: following this https://aws.amazon.com/blogs/aws/heads-up-amazon-s3-security-changes-are-coming-in-april-of-2023/ , I managed to generate a new error Bucket cannot have public ACLs set with BlockPublicAccess enabled:

    this.bucket = new s3.Bucket(this, 'Bucket', {
      autoDeleteObjects: true,
      removalPolicy: RemovalPolicy.DESTROY,
      bucketName: `bucket-name`,
      publicReadAccess: true,
      objectOwnership: ObjectOwnership.OBJECT_WRITER,
      accessControl: s3.BucketAccessControl.PUBLIC_READ,
    });

...but there seems to be no way to remove the BlockPublicAccess config

publicReadAccess: true,

I got the same message, but after sifting around the documentation for a while, found that this can be achieved with two calls (examples using NodeJS SDK)

  1. Create bucket with the Object Ownership set to Object Writer, but do NOT include any public read access or public ACLs.
    e.g. s3.createBucket({ Bucket: "my_bucket", ObjectOwnership: "ObjectWriter" })

  2. Make a second call to delete the PublicAccessBlock
    e.g. s3.deletePublicAccessBlock({ Bucket: "my_bucket" })

@arielbeckjit arielbeckjit mentioned this issue May 11, 2023
Closed
@jstampleman
Copy link

I'm an AWS noob, but the bottom line for me is that I'm getting these errors while followind an AWS tutorial...

https://catalog.workshops.aws/complete-aws-sam/en-US/module-4-cicd/module-4-cicd-gh/50-sampipeinit

... is this something likely to be fixed? Or does someone need to update that tutorial?

@philipws philipws mentioned this issue Jun 8, 2023
Closed
@0xdevalias
Copy link
Contributor

catalog.workshops.aws/complete-aws-sam/en-US/module-4-cicd/module-4-cicd-gh/50-sampipeinit

... is this something likely to be fixed? Or does someone need to update that tutorial?

@jstampleman I didn't look too deeply into it, but my guess is that the tutorial (or the sam pipeline init --bootstrap code will likely need to be updated (if it hasn't already been) to account for the changes needed in the CloudFormation template.

If it's still an issue, I would suggest searching the existing issues on the SAM CLI GitHub repo, and if a relevant one doesn't exist, then submitting a new issue for it there (potentially referring back to this issue if relevant):

@0xdevalias 0xdevalias mentioned this issue Jun 16, 2023
Open
@pkit
Copy link

pkit commented Dec 13, 2023

This shitshow is amazing. Yes, all official AWS documents for CloudFormation still use the old syntax that fails to create anything.
ALL OF THEM!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
@aws-cdk/aws-s3 Related to Amazon S3 effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. p1
Projects
None yet
Milestone
No milestone
7 participants
@pahud @0xdevalias @pkit @jstampleman @rittneje @melinaschweizer @vincenthongzy