❗ NOTICE (cli): AWS recommends upgrading your bootstrap stack to version 21 #31885
Labels
management/tracking
Issues that track a subject or multiple issues
package/tools
Related to AWS CDK Tools or CLI
rix0rrr added the management/tracking and needs-triage labels Oct 24, 2024
rix0rrr added a commit to cdklabs/aws-cdk-notices that referenced this issue Oct 24, 2024
github-merge-queue bot pushed a commit to cdklabs/aws-cdk-notices that referenced this issue Oct 24, 2024
github-merge-queue bot pushed a commit to cdklabs/aws-cdk-notices that referenced this issue Oct 24, 2024
zaro0508 added a commit to zaro0508/organizations-infra that referenced this issue Nov 13, 2024

Update to fix this message from the CI..

```
NOTICES (What's this? https://github.com/aws/aws-cdk/wiki/CLI-Notices)

31885 (cli): Bootstrap stack outdated

Overview: The bootstrap stack in aws://***/us-east-1 is outdated. We recommend at least version 21, distributed with CDK CLI 2.149.0 or higher. Please rebootstrap your environment by runing 'cdk bootstrap aws://***/us-east-1'

Affected versions: bootstrap: <21

More information at: aws/aws-cdk#31885
```
zaro0508 added a commit to Sage-Bionetworks-IT/organizations-infra that referenced this issue Nov 13, 2024
Status
Resolved
What is the issue?
AWS has been notified of an issue for bootstrap stacks versioned 20 or lower where a third party could recreate your asset bucket after you delete it, and in doing so, monitor and make changes to your AWS Cloud Development Kit (AWS CDK) deployments.
This could affect you if you first bootstrap your account, then manually delete only the asset S3 bucket named cdk-hnb659fds-assets-- without deleting the rest of the bootstrap stack, and then continue to perform CDK deployments. A third party could predict the bucket name and recreate it with appropriate permissions. Your next CDK deployment would then upload your assets to their bucket.
In version 21 of the bootstrap stack, the permissions of the File Asset Publishing Role have been changed to only allow access to an S3 bucket in the same account. This ensures that even if you delete your bucket and a third party recreates it, the upload will never succeed.
Solution
Upgrade your version of the CDK CLI to at least version 2.149.0 [1], load appropriate credentials into your shell, and run

```
cdk bootstrap aws://<ACCOUNT ID>/<REGION>
```

for all of your accounts and regions. Alternatively, use your own preferred method of deploying the bootstrapping CloudFormation template [2] across your accounts using the AWS CLI [3] or CloudFormation Stack Sets [4].

[1] https://docs.aws.amazon.com/cdk/v2/guide/cli.html
[2] https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml
[3] https://aws.amazon.com/cli/
[4] https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/what-is-cfnstacksets.html
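
A defender-side audit for the condition described above, as an added example that is not part of the original notice or the CDK project's code: for each region it reads the bootstrap stack's version and checks whether the asset bucket still exists and belongs to your own account. The stack name `CDKToolkit`, its `BootstrapVersion` and `BucketName` outputs, and all function names are assumptions that match an unmodified default bootstrap.

```bash
#!/usr/bin/env bash
# Added example: flag bootstrap stacks older than version 21, and whether the
# asset bucket is still verifiably owned by this account.
# Assumes the default stack name "CDKToolkit" (override with STACK_NAME) and
# its BootstrapVersion / BucketName outputs.
MIN_VERSION=21
STACK_NAME=${STACK_NAME:-CDKToolkit}

# classify VERSION BUCKET_STATE   (BUCKET_STATE is "owned" or "unverified")
classify() {
  case $1 in
    ''|None|*[!0-9]*) echo "NOT_BOOTSTRAPPED"; return ;;
  esac
  if [ "$1" -ge "$MIN_VERSION" ]; then
    echo "OK"        # publishing role only reaches buckets in the same account
  elif [ "$2" = owned ]; then
    echo "UPGRADE"   # outdated, bucket still yours: rebootstrap
  else
    echo "AT_RISK"   # outdated and bucket missing or not verifiably yours
  fi
}

# stack_output REGION OUTPUT_KEY -> value of that stack output, empty if absent
stack_output() {
  aws cloudformation describe-stacks --region "$1" --stack-name "$STACK_NAME" \
    --query "Stacks[0].Outputs[?OutputKey=='$2'].OutputValue" --output text 2>/dev/null
}

# audit_region ACCOUNT_ID REGION -> one tab-separated result line
audit_region() {
  version=$(stack_output "$2" BootstrapVersion)
  bucket=$(stack_output "$2" BucketName)
  state=unverified
  # head-bucket fails if the bucket is gone, is owned by another account,
  # or the caller lacks access to it; all three need a closer look.
  if [ -n "$bucket" ] && aws s3api head-bucket --bucket "$bucket" \
       --expected-bucket-owner "$1" >/dev/null 2>&1; then
    state=owned
  fi
  printf '%s\t%s\tversion=%s\tbucket=%s\t%s\n' "aws://$1/$2" \
    "$(classify "$version" "$state")" "${version:-none}" "${bucket:-none}" "$state"
}

# Usage: ./audit-bootstrap.sh REGION [REGION...]
if [ "$#" -gt 0 ]; then
  account=$(aws sts get-caller-identity --query Account --output text) || exit 1
  for region in "$@"; do audit_region "$account" "$region"; done
fi
```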