chore(s3): use bucket policy instead of ACL for logging access control

[otaviomacedo]

As of December 2021 AWS recommends using bucket policies instead of ACLs for logging access control.

In addition to adding the bucket policy, this change also sets the object ownership to BUCKET_OWNER_ENFORCED, effectively disabling ACLs.

Fixes #19603.

---

All Submissions:

• Have you followed the guidelines in our Contributing guide?

Adding new Unconventional Dependencies:

• This PR adds new unconventional dependencies following the process described here

New Features

• Have you added the new feature to an integration test?
  • Did you use yarn integ to deploy the infrastructure and generate the snapshot (i.e. yarn integ without --dry-run)?

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[gitpod-io]

[corymhall]

Does the policy need to be added to the source bucket if the access logs are configured to be sent to the source bucket?

[corymhall]

Should this also include the condition:

"StringEquals": {
                    "aws:SourceAccount": "SOURCE-ACCOUNT-ID"
                }

https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html

[otaviomacedo]

Added.

Does the policy need to be added to the source bucket if the access logs are configured to be sent to the source bucket?

I think so. Otherwise, the service principal wouldn't have permission to write the logs.

[corymhall]

I don't think this is being done today.

[otaviomacedo]

Not sure if I understand... today the LOG_DELIVERY_WRITE ACL is applied to the target bucket. If it happens that the source and target are the same, then the ACL is applied to the source bucket. By the same logic, this change applies the policy to the source bucket if source and target are the same.

[corymhall]

I added a comment that tries to clarify.

[corymhall]

@otaviomacedo another thing I just thought of is I wonder if customers might be using a centralized access log bucket. Not all access logs support the BUCKET_OWNER_ENFORCED ACL (for example CloudFront)

[otaviomacedo]

@otaviomacedo another thing I just thought of is I wonder if customers might be using a centralized access log bucket. Not all access logs support the BUCKET_OWNER_ENFORCED ACL (for example CloudFront)

In that case, the logging bucket is created without setting the objectOwnership or the serverAccessLogsBucket properties:

aws-cdk/packages/@aws-cdk/aws-cloudfront/lib/distribution.ts

Lines 443 to 458 in 42d1d7c

	private renderLogging(props: DistributionProps): CfnDistribution.LoggingProperty | undefined {
	if (!props.enableLogging && !props.logBucket) { return undefined; }
	if (props.enableLogging === false && props.logBucket) {
	throw new Error('Explicitly disabled logging but provided a logging bucket.');
	}
	const bucket = props.logBucket ?? new s3.Bucket(this, 'LoggingBucket', {
	encryption: s3.BucketEncryption.S3_MANAGED,
	});
	return {
	bucket: bucket.bucketRegionalDomainName,
	includeCookies: props.logIncludesCookies,
	prefix: props.logFilePrefix,
	};
	}

[otaviomacedo]

@otaviomacedo another thing I just thought of is I wonder if customers might be using a centralized access log bucket. Not all access logs support the BUCKET_OWNER_ENFORCED ACL (for example CloudFront)

In that case, the logging bucket is created without setting the objectOwnership or the serverAccessLogsBucket properties:

aws-cdk/packages/@aws-cdk/aws-cloudfront/lib/distribution.ts

Lines 443 to 458 in 42d1d7c

	private renderLogging(props: DistributionProps): CfnDistribution.LoggingProperty | undefined {
	if (!props.enableLogging && !props.logBucket) { return undefined; }
	if (props.enableLogging === false && props.logBucket) {
	throw new Error('Explicitly disabled logging but provided a logging bucket.');
	}
	const bucket = props.logBucket ?? new s3.Bucket(this, 'LoggingBucket', {
	encryption: s3.BucketEncryption.S3_MANAGED,
	});
	return {
	bucket: bucket.bucketRegionalDomainName,
	includeCookies: props.logIncludesCookies,
	prefix: props.logFilePrefix,
	};
	}

[otaviomacedo]

@otaviomacedo another thing I just thought of is I wonder if customers might be using a centralized access log bucket. Not all access logs support the BUCKET_OWNER_ENFORCED ACL (for example CloudFront)

In that case, the logging bucket is created without setting the objectOwnership or the serverAccessLogsBucket properties:

aws-cdk/packages/@aws-cdk/aws-cloudfront/lib/distribution.ts

Lines 443 to 458 in 42d1d7c

	private renderLogging(props: DistributionProps): CfnDistribution.LoggingProperty | undefined {
	if (!props.enableLogging && !props.logBucket) { return undefined; }
	if (props.enableLogging === false && props.logBucket) {
	throw new Error('Explicitly disabled logging but provided a logging bucket.');
	}
	const bucket = props.logBucket ?? new s3.Bucket(this, 'LoggingBucket', {
	encryption: s3.BucketEncryption.S3_MANAGED,
	});
	return {
	bucket: bucket.bucketRegionalDomainName,
	includeCookies: props.logIncludesCookies,
	prefix: props.logFilePrefix,
	};
	}

[corymhall]

In that case, the logging bucket is created without setting the objectOwnership or the serverAccessLogsBucket properties:

I'm more meaning if you did something like this

const centralLoggingBucket = new s3.Bucket(this, 'Logging');

new s3.Bucket(this, 'SomeOtherBucket', {
  serverAccessLogsBucket: centralLoggingBucket,
  serverAccessLogsPrefix: 'someotherbucket',
});

new cloudfront.Distribution(this, 'Distro', {
  logBucket: centralLoggingBucket,
  logFilePrefix: 'cloudfront',
});

[otaviomacedo]

@corymhall I see. Re-reading the documentation, I realised that it strongly suggests the use of BUCKET_OWNER_ENFORCED for object ownership, but it's not mandatory. Removed.

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: fab78e2
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[corymhall]

This is where we setup the log delivery policy/acl, but it only gets done if the user passes in a bucket to serverAccessLogsBucket. If a user provides serverAccessLogsPrefix but does not provide serverAccessLogsBucket, then access logs are sent to the source bucket. Does it need to be something like

if (props.serverAccessLogsBucket instanceof Bucket) {
  ...
} else if (props.serverAcessLogsPrefix && !props.serverAccessLogsBucket) {
  this.allowLogDelivery(this, Stack.of(this).account, props.serverAccessLogsPrefix);
}

It's not being done today so it could be a bug or it could be that you don't need to grant access to allow access logs to be written to the same bucket?

[corymhall]

Does this need to be added back then?

[otaviomacedo]

Yes, I think so, which means that this change adds no value. Closing the PR until CloudFront (and possibly other services) catches up.