chore(s3): use bucket policy instead of ACL for logging access control #20898
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -2,6 +2,7 @@ import { EOL } from 'os'; | |
| import * as path from 'path'; | ||
| import * as events from '@aws-cdk/aws-events'; | ||
| import * as iam from '@aws-cdk/aws-iam'; | ||
| import { PolicyStatement, ServicePrincipal } from '@aws-cdk/aws-iam'; | ||
| import * as kms from '@aws-cdk/aws-kms'; | ||
| import { | ||
| Fn, IResource, Lazy, RemovalPolicy, Resource, ResourceProps, Stack, Token, | ||
|
|
@@ -1658,6 +1659,7 @@ export class Bucket extends BucketBase { | |
| private readonly cors: CorsRule[] = []; | ||
| private readonly inventories: Inventory[] = []; | ||
| private readonly _resource: CfnBucket; | ||
| private objectOwnership?: ObjectOwnership; | ||
|
|
||
| constructor(scope: Construct, id: string, props: BucketProps = {}) { | ||
| super(scope, id, { | ||
|
|
@@ -1685,7 +1687,7 @@ export class Bucket extends BucketBase { | |
| accessControl: Lazy.string({ produce: () => this.accessControl }), | ||
| loggingConfiguration: this.parseServerAccessLogs(props), | ||
| inventoryConfigurations: Lazy.any({ produce: () => this.parseInventoryConfiguration() }), | ||
| ownershipControls: Lazy.any({ produce: () => this.parseOwnershipControls() }), | ||
| accelerateConfiguration: props.transferAcceleration ? { accelerationStatus: 'Enabled' } : undefined, | ||
| intelligentTieringConfigurations: this.parseTieringConfig(props), | ||
| }); | ||
|
|
@@ -1713,14 +1715,15 @@ export class Bucket extends BucketBase { | |
|
|
||
| this.disallowPublicAccess = props.blockPublicAccess && props.blockPublicAccess.blockPublicPolicy; | ||
| this.accessControl = props.accessControl; | ||
| this.objectOwnership = props.objectOwnership; | ||
|
|
||
| // Enforce AWS Foundational Security Best Practice | ||
| if (props.enforceSSL) { | ||
| this.enforceSSLStatement(); | ||
| } | ||
|
|
||
| if (props.serverAccessLogsBucket instanceof Bucket) { | ||
| props.serverAccessLogsBucket.allowLogDelivery(this, Stack.of(this).account, props.serverAccessLogsPrefix); | ||
| } | ||
|
|
||
| for (const inventory of props.inventories ?? []) { | ||
|
|
@@ -1990,13 +1993,13 @@ export class Bucket extends BucketBase { | |
| })); | ||
| } | ||
|
|
||
| private parseOwnershipControls(): CfnBucket.OwnershipControlsProperty | undefined { | ||
| if (!this.objectOwnership) { | ||
| return undefined; | ||
| } | ||
| return { | ||
| rules: [{ | ||
| objectOwnership: this.objectOwnership, | ||
| }], | ||
| }; | ||
| } | ||
|
|
@@ -2069,17 +2072,28 @@ export class Bucket extends BucketBase { | |
| } | ||
|
|
||
| /** | ||
| * Allows the 'logging.s3.amazonaws.com' service principal to write log events | ||
| * to this bucket. | ||
| * | ||
| * @see | ||
| * https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html | ||
| */ | ||
| private allowLogDelivery(sourceBucket: IBucket, accountId: string, logFilePrefix?: string) { | ||
| const prefix = logFilePrefix ?? ''; | ||
|
|
||
|
There was a problem hiding this comment. Does this need to be added back then? There was a problem hiding this comment. Yes, I think so, which means that this change adds no value. Closing the PR until CloudFront (and possibly other services) catches up. |
||
| this.addToResourcePolicy(new PolicyStatement({ | ||
| principals: [new ServicePrincipal('logging.s3.amazonaws.com')], | ||
| actions: ['s3:PutObject'], | ||
| conditions: { | ||
|
There was a problem hiding this comment. Should this also include the condition: https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html There was a problem hiding this comment. Added.
I think so. Otherwise, the service principal wouldn't have permission to write the logs. There was a problem hiding this comment. I don't think this is being done today. There was a problem hiding this comment. Not sure if I understand... today the There was a problem hiding this comment. I added a comment that tries to clarify. |
||
| ArnLike: { | ||
| 'aws:SourceArn': sourceBucket.bucketArn, | ||
| }, | ||
| StringEquals: { | ||
| 'aws:SourceAccount': accountId, | ||
| }, | ||
| }, | ||
| resources: [`${this.bucketArn}/${prefix}*`], | ||
| })); | ||
| } | ||
|
|
||
| private parseInventoryConfiguration(): CfnBucket.InventoryConfigurationProperty[] | undefined { | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1 +1 @@ | ||
| {"version":"20.0.0"} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is where we setup the log delivery policy/acl, but it only gets done if the user passes in a bucket to
serverAccessLogsBucket. If a user providesserverAccessLogsPrefixbut does not provideserverAccessLogsBucket, then access logs are sent to the source bucket. Does it need to be something likeIt's not being done today so it could be a bug or it could be that you don't need to grant access to allow access logs to be written to the same bucket?