
aws-s3: The eventBridgeEnabled property of the Bucket Object Errors on Deployment #24520

Closed
X-Guardian opened this issue Mar 8, 2023 · 4 comments
Labels
@aws-cdk/aws-s3 Related to Amazon S3 bug This issue is a bug. cause/not-a-bug Not a bug (might still be a documentation issue, might still need work) p1

Comments

@X-Guardian

X-Guardian commented Mar 8, 2023

Describe the bug

When deploying a stack that has eventBridgeEnabled: true on a Bucket object, the deployment fails.

Expected Behavior

On deployment, the stack should deploy and enable the EventBridge notification on the S3 bucket.

Current Behavior

The following error is thrown on deployment:

Stack Deployments Failed: Error: The stack named dev-s3 failed to deploy: UPDATE_ROLLBACK_COMPLETE: Received response
status [FAILED] from custom resource. Message returned: Error: An error occurred (AccessDenied) when calling the
PutBucketNotificationConfiguration operation: Access Denied. See the details in CloudWatch Log Stream:
2023/03/08/[$LATEST]927d904acae34ae38736e2947ce07c72 (RequestId: c3f37496-7410-4db5-98c1-9c67e7d46da9), Received
response status [FAILED] from custom resource. Message returned: Error: An error occurred (AccessDenied) when calling the
PutBucketNotificationConfiguration operation: Access Denied. See the details in CloudWatch Log Stream: 
2023/03/08/[$LATEST]927d904acae34ae38736e2947ce07c72 (RequestId: 004c11a2-437e-4f58-90be-ca70d1cd7959)

Reproduction Steps

Deploy a stack that includes the following construct:

const bucket = new Bucket(this, 'bucket', {
  bucketName: 'this-bucket',
  eventBridgeEnabled: true,
});

Possible Solution

Looking at the synthed CloudFormation for this stack, a CloudFormation custom resource is used to configure this setting. The permissions policy for the custom resource role is:

Type: AWS::IAM::Policy
Properties:
  PolicyDocument:
    Statement:
      - Action: s3:PutBucketNotification
        Effect: Allow
        Resource: "*"
    Version: "2012-10-17"

The action value is not correct, as the API being used is PutBucketNotificationConfiguration.

Additional Information/Context

No response

CDK CLI Version

2.67.0 (build b6f7f39)

Framework Version

No response

Node.js Version

v18.12.1

OS

Windows 11

Language

Typescript

Language Version

typescript 4.6.3

Other information

Here is the original PR that adds this feature: #18614.

Here is the code that is building the custom resource policy:

this.role.addToPrincipalPolicy(new iam.PolicyStatement({
  actions: ['s3:PutBucketNotification'],
  resources: ['*'],
}));

The PutBucketNotification API has been deprecated at some point and replaced with PutBucketNotificationConfiguration.
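As an added check (not code from the issue or from the CDK project), the Python below audits a synthesized CloudFormation template for the permissions an IAM policy grants and flags statements scoped to `Resource: "*"`. The template fragment and the logical ID `CustomResourceRolePolicy` are constructed here to mirror the policy quoted above; the mapping encodes the fact that the PutBucketNotificationConfiguration API is authorised by the IAM action `s3:PutBucketNotification` (IAM action names and S3 API operation names do not always match).

```python
import json

# Constructed template fragment modelled on the policy quoted in the issue;
# the logical IDs are invented, not real CDK output.
TEMPLATE = json.loads("""
{
  "Resources": {
    "CustomResourceRolePolicy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {"Action": "s3:PutBucketNotification", "Effect": "Allow", "Resource": "*"}
          ],
          "Version": "2012-10-17"
        }
      }
    },
    "ScopedPolicy": {
      "Type": "AWS::IAM::ManagedPolicy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {"Action": ["s3:GetBucketNotification", "s3:PutBucketNotification"],
             "Effect": "Allow", "Resource": "arn:aws:s3:::this-bucket"}
          ],
          "Version": "2012-10-17"
        }
      }
    }
  }
}
""")

# S3 API operation -> IAM action that authorises it. The
# PutBucketNotificationConfiguration call checks s3:PutBucketNotification;
# there is no s3:PutBucketNotificationConfiguration action.
API_TO_IAM_ACTION = {"PutBucketNotificationConfiguration": "s3:PutBucketNotification"}


def as_list(value):
    """CloudFormation allows a scalar or a list in Action/Resource."""
    return value if isinstance(value, list) else [value]


def audit_policies(template):
    """Return one finding per Allow statement in every IAM policy resource."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") not in ("AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"):
            continue
        for stmt in as_list(res["Properties"]["PolicyDocument"]["Statement"]):
            if stmt.get("Effect") != "Allow":
                continue
            actions = as_list(stmt.get("Action", []))
            resources = as_list(stmt.get("Resource", []))
            findings.append({
                "logical_id": logical_id,
                "actions": actions,
                "wildcard_resource": "*" in resources,  # least-privilege smell
                "grants_api": [api for api, act in API_TO_IAM_ACTION.items() if act in actions],
            })
    return findings
```

Run it against `cdk synth` output to confirm the custom resource role does carry `s3:PutBucketNotification` and to see which statements are not scoped to a bucket ARN.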

@X-Guardian X-Guardian added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Mar 8, 2023
@github-actions github-actions bot added the @aws-cdk/aws-s3 Related to Amazon S3 label Mar 8, 2023
@pahud
Contributor

pahud commented Mar 8, 2023

Thank you for the feedback with all the details! I am making it a p1 bug now. The team should address this shortly, but if you are interested in submitting a PR, we'll be happy to review it and get this issue resolved. Thank you.

@pahud pahud added p1 and removed needs-triage This issue or PR still needs to be triaged. labels Mar 8, 2023
@X-Guardian
Author

The plot thickens for this. Today the stack with the S3 EventBridgeEnabled property is deploying successfully with no changes on my end. Looking at the CloudTrail logs, both the AccessDenied events from yesterday and the ones that are working today have an event name of PutBucketNotification.
Looking at the documentation for PutBucketNotification and PutBucketNotificationConfiguration, the endpoint is the same, i.e. notification, so I don't understand the difference between the two.

I now don't think my proposed solution is correct, and am not sure whether this was just a transient issue on AWS or not.

@corymhall
Contributor

Not sure what was going on, but you may be right and it may have been a transient issue. Looking at the code, we are using the correct permissions and the correct API method, so there shouldn't be any issue.

I'm going to close this, but if anyone sees this issue again let us know.

@corymhall corymhall added the cause/not-a-bug Not a bug (might still be a documentation issue, might still need work) label May 2, 2023
@github-actions

github-actions bot commented May 2, 2023

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

Development

No branches or pull requests

3 participants