Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(aws-s3): Invalid configuration for server access logging bucket when using ObjectOwnership.BUCKET_OWNER_ENFORCED #22183

Closed
shanman190 opened this issue Sep 22, 2022 · 3 comments · Fixed by #23386
Closed

(aws-s3): Invalid configuration for server access logging bucket when using ObjectOwnership.BUCKET_OWNER_ENFORCED #22183

shanman190 opened this issue Sep 22, 2022 · 3 comments · Fixed by #23386
Assignees
@otaviomacedo
Labels
@aws-cdk/aws-s3 Related to Amazon S3 bug This issue is a bug. effort/small Small work item – less than a day of effort good first issue Related to contributions. See CONTRIBUTING.md p1

Comments

@shanman190
Copy link

Describe the bug

let accessLogsBucket = new Bucket(scope, 'AccessLogsBucket', {
  objectOwnership: ObjectOwnership.BUCKET_OWNER_ENFORCED, // <-- start of the issue here
});

let dataBucket = new Bucket(scope, 'DataBucket', {
  objectOwnership: ObjectOwnership.BUCKET_OWNER_ENFORCED,
  serverAccessLogsBucket: accessLogsBucket // <-- second part of the issue
});

This internally yields an S3 Bucket representing the AccessLogsBucket in the following YAML:

AccessLogsBucket:
    Type: AWS::S3::Bucket
    Properties:
        AccessControl: LogDeliveryWrite # <-- third part of the problem
        OwnershipControls:
            Rules:
            - ObjectOwnership: BucketOwnerEnforced
        UpdateReplacePolicy: Retain
        DeletionPolicy: Retain

In this CloudFormation template, the S3 service rejects the request stating that ACLs cannot be configured when ObjectOwnership is configured to BucketOwnerEnfoced.

Source:

aws-cdk/packages/@aws-cdk/aws-s3/lib/bucket.ts

Line 1832 in 9726e8f

props.serverAccessLogsBucket.allowLogDelivery();

Expected Behavior

If ObjectOwnership.BUCKET_OWNER_ENFORCED has been configured, then the ACL should not be set

Current Behavior

The S3 service returns the following error to CloudFormation:

Bucket cannot have ACLs set with ObjectOwnership's BucketOwnerEnforced setting (Service: Amazon S3; Status Code: 400; Error Code: InvalidBucketAclWithObjectOwnership; [...])

Reproduction Steps

See bug description

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.42.1

Framework Version

No response

Node.js Version

16.17.0

OS

Windows

Language

Typescript, Python

Language Version

No response

Other information

No response
@shanman190 shanman190 added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Sep 22, 2022
@github-actions github-actions bot added the @aws-cdk/aws-s3 Related to Amazon S3 label Sep 22, 2022
@shanman190
Copy link
Author

What would be even more ideal, is adding the S3 server access logging resource policy automatically when this configuration is encountered.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "S3ServerAccessLogsPolicy",
            "Effect": "Allow",
            "Principal": {
                "Service": "logging.s3.amazonaws.com"
            },
            "Action": [
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/EXAMPLE-LOGGING-PREFIX*",
            "Condition": {
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:s3:::SOURCE-BUCKET-NAME"
                },
                "StringEquals": {
                    "aws:SourceAccount": "SOURCE-ACCOUNT-ID"
                }
            }
        }
    ]
}

Source: https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html

@peterwoodworth
Copy link
Contributor

You're right, we should support this use case. We should be able to detect the type of object ownership and do something different here if it's BUCKET_OWNER_ENFORCED:

aws-cdk/packages/@aws-cdk/aws-s3/lib/bucket.ts

Line 2186 in 9726e8f

private allowLogDelivery() {

In the meantime you can remove the prop with escape hatches, here's an example which should work

const bucket = new Bucket(...)
(bucket.node.defaultChild as CfnBucket).addPropertyDeletionOverride('AccessControl');

@peterwoodworth peterwoodworth added good first issue Related to contributions. See CONTRIBUTING.md p1 effort/small Small work item – less than a day of effort and removed needs-triage This issue or PR still needs to be triaged. labels Dec 6, 2022
@laurelmay laurelmay mentioned this issue Dec 18, 2022
Merged
4 tasks
@mergify mergify bot closed this as completed in #23386 Dec 28, 2022
mergify bot pushed a commit that referenced this issue Dec 28, 2022
@laurelmay
feat(s3): use Bucket Policy for Server Access Logging grant (under fe…
6975a7e 
…ature flag) (#23386)

Using ACLs to grant access to buckets is no longer recommended. In fact,
it doesn't work if Object Ownership is set to be enforced for the
bucket. According to the service documentation for [enabling server
access logging][1], it is now preferred to use a bucket policy to grant
permission to deliver logs to a bucket.

Changing the default would result in changes to deployed resources, so
the new behavior is added behind a feature flag.

An alternative here may be to use the Bucket Policy either when the feature
flag is enabled or when ownership is set to `BUCKET_OWNER_ENFORCED` since
the latter doesn't work with the current implementation anyway.

Closes: #22183 

[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html


----

### All Submissions:

* [X] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Construct Runtime Dependencies:

* [ ] This PR adds new construct runtime dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-construct-runtime-dependencies)

### New Features

* [X] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [X] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@github-actions
Copy link

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

brennanho pushed a commit to brennanho/aws-cdk that referenced this issue Jan 20, 2023
@laurelmay
feat(s3): use Bucket Policy for Server Access Logging grant (under fe…
b8717d0 
…ature flag) (aws#23386)

Using ACLs to grant access to buckets is no longer recommended. In fact,
it doesn't work if Object Ownership is set to be enforced for the
bucket. According to the service documentation for [enabling server
access logging][1], it is now preferred to use a bucket policy to grant
permission to deliver logs to a bucket.

Changing the default would result in changes to deployed resources, so
the new behavior is added behind a feature flag.

An alternative here may be to use the Bucket Policy either when the feature
flag is enabled or when ownership is set to `BUCKET_OWNER_ENFORCED` since
the latter doesn't work with the current implementation anyway.

Closes: aws#22183 

[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html


----

### All Submissions:

* [X] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Construct Runtime Dependencies:

* [ ] This PR adds new construct runtime dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-construct-runtime-dependencies)

### New Features

* [X] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [X] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
brennanho pushed a commit to brennanho/aws-cdk that referenced this issue Feb 22, 2023
@laurelmay
feat(s3): use Bucket Policy for Server Access Logging grant (under fe…
52ce308 
…ature flag) (aws#23386)

Using ACLs to grant access to buckets is no longer recommended. In fact,
it doesn't work if Object Ownership is set to be enforced for the
bucket. According to the service documentation for [enabling server
access logging][1], it is now preferred to use a bucket policy to grant
permission to deliver logs to a bucket.

Changing the default would result in changes to deployed resources, so
the new behavior is added behind a feature flag.

An alternative here may be to use the Bucket Policy either when the feature
flag is enabled or when ownership is set to `BUCKET_OWNER_ENFORCED` since
the latter doesn't work with the current implementation anyway.

Closes: aws#22183 

[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html


----

### All Submissions:

* [X] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Construct Runtime Dependencies:

* [ ] This PR adds new construct runtime dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-construct-runtime-dependencies)

### New Features

* [X] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [X] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@cogwirrel cogwirrel mentioned this issue Apr 21, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@otaviomacedo otaviomacedo

Labels
@aws-cdk/aws-s3 Related to Amazon S3 bug This issue is a bug. effort/small Small work item – less than a day of effort good first issue Related to contributions. See CONTRIBUTING.md p1
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat(s3): use Bucket Policy for Server Access Logging grant (under feature flag) laurelmay/aws-cdk
3 participants
@otaviomacedo @shanman190 @peterwoodworth