aws_s3: Starting April 2023, it's not possible to setup an s3 bucket to use as logging bucket for a cloudfront distribution #25291
Comments
ben-elsen
added
feature-request
pahud
added
the
investigating
|
related to #25288 (comment) And this works for me FYR const logBucket = new s3.Bucket(this, 'logBucket', {
objectOwnership: s3.ObjectOwnership.OBJECT_WRITER,
});We probably need to improve our API document for this. |
pahud
added
p2
effort/small
|
We are facing the same issue trying to use a bucket for the server access logs of another bucket. According to the docs the recommendation is to use an IAM policy instead of an ACL. CDK ought to be fixed to follow this security best practice. https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html#grant-log-delivery-permissions-bucket-policy |
Starting from April 2023, all newly created S3 buckets by default have [S3 Block Public Access](https://aws.amazon.com/blogs/aws/amazon-s3-block-public-access-another-layer-of-protection-for-your-accounts-and-buckets/) enabled and [access control lists](https://aws.amazon.com/blogs/aws/new-simplify-access-management-for-data-stored-in-amazon-s3/) (ACLs) disabled, and this prevents the default logBucket for cloudfront to be created. This PR adds the `ObjectOwnership` property to `ObjectWriter` that allows the default log bucket to be successfully created. Reference - https://aws.amazon.com/blogs/aws/heads-up-amazon-s3-security-changes-are-coming-in-april-of-2023/ - https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html#access-logs-choosing-s3-bucket Closes #25288 #25291 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
Thanks @pahud this seems to work for us! |
Starting from April 2023, all newly created S3 buckets by default have [S3 Block Public Access](https://aws.amazon.com/blogs/aws/amazon-s3-block-public-access-another-layer-of-protection-for-your-accounts-and-buckets/) enabled and [access control lists](https://aws.amazon.com/blogs/aws/new-simplify-access-management-for-data-stored-in-amazon-s3/) (ACLs) disabled, and this prevents the default logBucket for cloudfront to be created. This PR adds the `ObjectOwnership` property to `ObjectWriter` that allows the default log bucket to be successfully created. Reference - https://aws.amazon.com/blogs/aws/heads-up-amazon-s3-security-changes-are-coming-in-april-of-2023/ - https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html#access-logs-choosing-s3-bucket Closes #25288 #25291 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
I'm going to close this in favor of #25358 |
|
Describe the feature
At the moment, it is not possible to create a bucket with aws_cdk that can be used in a cloudfront distribution as logging bucket.
There was the announcement of AWS: Starting April 2023 you will need to enable S3 access control lists (ACLs) for new S3 buckets being used for CloudFront standard logs. (https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html)
I don't think there is a way to do this with CDK at the moment, every configuration I use, I get the following error:
ROLLBACK_COMPLETE: Bucket cannot have ACLs set with ObjectOwnership's BucketOwnerEnforced setting (Service: Amazon S3; Status Code: 400; Error Code: InvalidBucketAclWithObjectOwnership;
Use Case
I want to be able to define a s3 bucket and use it as logging bucket for a cloudfront distribution.
Proposed Solution
I think a new type for BucketAccessControl could help?
Other Information
No response
Acknowledgements
CDK version used
2.76.0 (build 78c411b)
Environment details (OS name and version, etc.)
Macbook Ventura 13.3.1 (22E261)
The text was updated successfully, but these errors were encountered: