[BUG] (pipeline) accessLogs bucket objectOwnership changes with April 2023 S3 Security Changes #386

Closed
sperka opened this issue May 3, 2023 · 0 comments · Fixed by #387
Labels
bug Something isn't working

sperka commented May 3, 2023

Describe the bug

There were some S3 Security Changes in April 2023: Heads-Up: Amazon S3 Security Changes Are Coming in April of 2023.

Related CDK issues: #25288 and #25298

Docs: Choosing an Amazon S3 bucket for your standard logs

<quote from docs>
Important
Don't choose an Amazon S3 bucket with S3 Object Ownership set to bucket owner enforced. That setting disables ACLs for the bucket and the objects in it, which prevents CloudFront from delivering log files to the bucket.
</quote from docs>


TLDR: for log buckets, the objectOwnership parameter should be ObjectOwnership.OBJECT_WRITER, while when we're creating the accessLogsBucket in PDK pipeline, ObjectOwnership.BUCKET_OWNER_ENFORCED is used, which results in the errors mentioned in the above GitHub issues (InvalidBucketAclWithObjectOwnership).

Expected Behavior

Deploying a pipeline project should go through without errors

Current Behavior

PipelineStack | 8:57:46 AM | CREATE_FAILED    | AWS::S3::Bucket      | AccessLogsBucket (AccessLogsBucket83982689) Bucket cannot have ACLs set with ObjectOwnership's BucketOwnerEnforced setting (Service: Amazon S3; Status Code: 400; Error Code: InvalidBucketAclWithObjectOwnership; Request ID: MVCW7FVKN53SMK4N; S3 Extended Request ID: 8ZuYVCf8upqCiU1fR5CJ/jqAYzBwOubsSBLcoRq2pHcYkVPE62E0hlWM6bFi2fleLhhRtOqh25k=; Proxy: null)

Reproduction Steps

Deploy a new PipelineStack into a new account

Possible Solution

objectOwnership: ObjectOwnership.OBJECT_WRITER, on L115

Additional Information/Context

No response

PDK version used

0.17.4

What languages are you seeing this issue on?

Typescript

Environment details (OS name and version, etc.)

MacOS 13.2.1
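
A pre-deploy check for the conflict reported above, as an added example that is not part of the original issue or the PDK code base: it scans a synthesized CloudFormation template for S3 buckets that request a canned ACL while Object Ownership is `BucketOwnerEnforced`. The function name, the sample template and its logical IDs are hypothetical, and treating `Private` as "no ACL grant" is an assumption of this sketch.

```typescript
type Resource = { Type: string; Properties?: Record<string, any> };
type Template = { Resources: Record<string, Resource> };
interface Finding { logicalId: string; accessControl: string; }

// Returns buckets that set a canned ACL together with BucketOwnerEnforced
// (ACLs disabled), the combination S3 rejects at creation time with
// InvalidBucketAclWithObjectOwnership.
function findAclOwnershipConflicts(template: Template): Finding[] {
  const findings: Finding[] = [];
  for (const logicalId of Object.keys(template.Resources)) {
    const res = template.Resources[logicalId];
    if (res.Type !== "AWS::S3::Bucket") continue;
    const props = res.Properties ?? {};
    const acl = props.AccessControl;
    // Assumption: an absent or "Private" AccessControl is not an ACL grant.
    if (typeof acl !== "string" || acl === "Private") continue;
    const rules = props.OwnershipControls?.Rules;
    const enforced = Array.isArray(rules) &&
      rules.some((r: any) => r?.ObjectOwnership === "BucketOwnerEnforced");
    if (enforced) findings.push({ logicalId, accessControl: acl });
  }
  return findings;
}

// Constructed sample template (not taken from the PDK project).
const sampleTemplate: Template = {
  Resources: {
    AccessLogsBucketBroken: {
      Type: "AWS::S3::Bucket",
      Properties: {
        AccessControl: "LogDeliveryWrite",
        OwnershipControls: { Rules: [{ ObjectOwnership: "BucketOwnerEnforced" }] },
      },
    },
    AccessLogsBucketFixed: {
      Type: "AWS::S3::Bucket",
      Properties: {
        AccessControl: "LogDeliveryWrite",
        OwnershipControls: { Rules: [{ ObjectOwnership: "ObjectWriter" }] },
      },
    },
    // No ACL requested, so BucketOwnerEnforced is fine for a non-log bucket.
    ArtifactBucket: {
      Type: "AWS::S3::Bucket",
      Properties: { OwnershipControls: { Rules: [{ ObjectOwnership: "BucketOwnerEnforced" }] } },
    },
    Topic: { Type: "AWS::SNS::Topic" },
  },
};
const sampleFindings = findAclOwnershipConflicts(sampleTemplate);
```

Run it against the JSON produced by `cdk synth` before deploying; only `AccessLogsBucketBroken` is reported for the sample above.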
