Application Load Balancer, LogAccessLogs doesnt follow best practise

[McDoit]

Describe the bug
The policy generated by the LogAccessLogs method allows too wide of a permission on a prefix of loadbalancer

${log-bucket.Arn}/loadbalancer*
vs
${log-bucket.Arn}/arn:aws:s3:::${log-bucket}/loadbalancer/AWSLogs/${AWS::AccountId}/*

To Reproduce
Create a ALB and call LogAccessLogs on it, with a bucket
Generates a bucket policy with ${log-bucket.Arn}/loadbalancer*

Expected behavior
Generate a bucket policy with ${log-bucket.Arn}/arn:aws:s3:::${log-bucket}/loadbalancer/AWSLogs/${AWS::AccountId}/*

https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html

Version:

• OS - Win 10
• Programming Language - CSharp
• CDK Version - 0.28

[made2591]

I would be happy to work on this if it's ok for you!

[McDoit]

Feel free, havnt digged down anything in it yet

[made2591]

I made the change, but I was thinking if it is maybe too much restrictive then... is there any situation in which you would like to have access to multiple accountId under this?

[McDoit]

I think that can be up to the usre to add a less restrictive policy for those rare cases?

AWS writes it like this:

For Amazon Resource Name (ARN), type the ARN of your S3 bucket in the following format. For aws-account-id, specify the ID of the AWS account that owns the load balancer (for example, 123456789012). Do not specify a wildcard for the account ID, as this would allow any other account to write access logs to your bucket. To use a single bucket to store access logs from load balancers in multiple accounts, specify one ARN per account in the bucket policy, using the corresponding AWS account ID in each ARN.

arn:aws:s3:::bucket/prefix/AWSLogs/aws-account-id/*

Otherwise anyone can send data to the bucket

[made2591]

Yes, you're right. I will open a pull request for this