aws-elasticloadbalancingv2: logAccessLogs grants too wide permissions #33477

Lilja-at-funnel · 2025-02-17T11:18:22Z

Describe the bug

We are receiving alerts that our policy has too wide permissions. Anybody using {"Service":"delivery.logs.amazonaws.com"} can potentially use s3:PubObject or s3:GetObjectAcl.

Similar to #29811

Regression Issue

Select this option if this issue appears to be a regression.

Last Known Working CDK Version

No response

Expected Behavior

arn:SourceArn in condition to require the deployed aws account.

Current Behavior

No source arn or similar

Policy produces(values has been changed):

{"Version":"2012-10-17","Statement":[{
"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::12345678910:root"},"Action":"s3:PutObject","Resource":"arn:aws:s3:::loadbalancerlogs-test/AWSLogs/112233445566/*"},
{"Effect":"Allow","Principal":{"Service":"delivery.logs.amazonaws.com"},"Action":"s3:PutObject","Resource":"arn:aws:s3:::loadbalancerlogs-test/AWSLogs/112233445566/*","Condition":{"StringEquals":{"s3:x-amz-acl":"bucket-owner-full-control"}}},
{"Effect":"Allow","Principal":{"Service":"delivery.logs.amazonaws.com"},"Action":"s3:GetBucketAcl","Resource":"arn:aws:s3:::loadbalancerlogs-test"}
]}

Reproduction Steps

    const vpc = new ec2.Vpc(this, 'Vpc', {
        maxAzs: 2,
        subnetConfiguration: [
            {
            cidrMask: 24,
            name: 'ingress',
            subnetType: ec2.SubnetType.PUBLIC,
            },
            {
            cidrMask: 24,
            name: 'egress',
            subnetType: ec2.SubnetType.PRIVATE_ISOLATED,
            },
        ],
    });
    const lb = new elb.ApplicationLoadBalancer(this, 'LoadBalancer', {
      vpc,
      internetFacing: true,
      loadBalancerName: 'repro-api',
      idleTimeout: Duration.seconds(60),
      vpcSubnets: { subnets: clusterResources.subnets },
    })

    const loadBalancerBucket = new s3.Bucket(this, 'LoadBalancerLogs', {
      lifecycleRules: [
        {
          id: 'expire-object',
          enabled: true,
          expiration: Duration.days(30),
        },
      ],
      encryption: s3.BucketEncryption.S3_MANAGED,
      publicReadAccess: false,
      blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL,
    })

    lb.logAccessLogs(loadBalancerBucket)

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.157.0

Framework Version

No response

Node.js Version

20

OS

Linux

Language

TypeScript

Language Version

No response

Other information

No response

The text was updated successfully, but these errors were encountered:

github-actions · 2025-02-17T12:48:22Z

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

Lilja-at-funnel added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Feb 17, 2025

github-actions bot added the @aws-cdk/aws-elasticloadbalancingv2 Related to Amazon Elastic Load Balancing V2 label Feb 17, 2025

Lilja-at-funnel closed this as completed Feb 17, 2025

github-actions bot locked as resolved and limited conversation to collaborators Feb 17, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

aws-elasticloadbalancingv2: logAccessLogs grants too wide permissions #33477

aws-elasticloadbalancingv2: logAccessLogs grants too wide permissions #33477

Lilja-at-funnel commented Feb 17, 2025

github-actions bot commented Feb 17, 2025