
Bug report: Unable to create "S3LoggingBucket" due to InvalidBucketAclWithObjectOwnership #53

Open
fecmcd opened this issue Aug 16, 2023 · 0 comments

fecmcd commented Aug 16, 2023

Hello,

I'd like to report a bug in the Data Lake Solution v2.2. This can be found on the Service Catalog 'Getting started library', 'Data Lake on AWS'.

The CloudFormation stack fails to create the S3 bucket "S3LoggingBucket", with the following error:

    Bucket cannot have ACLs set with ObjectOwnership's BucketOwnerEnforced setting (Service: Amazon S3; Status Code: 400; Error Code: InvalidBucketAclWithObjectOwnership).

Following is the code, which can also be found here: https://github.com/aws-solutions/aws-data-lake-solution/blob/main/deployment/data-lake-deploy.template#L471


    S3LoggingBucket:
        DeletionPolicy: Retain
        Type: AWS::S3::Bucket
        Metadata:
            cfn_nag:
                rules_to_suppress:
                  - id: W35
                    reason: "This S3 bucket is used as the destination for storing access logs"
                  - id: W51
                    reason: "The bucket is not public. When using the CF template in PROD, create a bucket policy to allow only administrators/ auditors access to the bucket"
        Properties:
            BucketName: !Join ["-", [!FindInMap ["SourceCode", "General", "SolutionName"], !Ref "AWS::AccountId", !Ref "AWS::Region", "s3-access-log"]]
            AccessControl: LogDeliveryWrite
            BucketEncryption:
                ServerSideEncryptionConfiguration:
                    - ServerSideEncryptionByDefault:
                        SSEAlgorithm: AES256
            PublicAccessBlockConfiguration:
                BlockPublicAcls: true
                BlockPublicPolicy: true
                IgnorePublicAcls: true
                RestrictPublicBuckets: true

Issue: Because ACLs are enabled (AccessControl: LogDeliveryWrite), Object Ownership must be set to Bucket owner preferred. It can be added with the following property:

          OwnershipControls:
            Rules:
              - ObjectOwnership: BucketOwnerPreferred

"AccessControl" is actually a legacy property and not recommended any longer for most use cases, except in unusual circumstances where you must control access for each object individually.

Therefore, if the AccessControl property is not set, the object ownership will be bucket owner enforced by default. If we remove the "AccessControl" property, the resource is created successfully.

Hope this is helpful! Thank you.

References:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html#cfn-s3-bucket-accesscontrol
https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html
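The conflict described in this issue is easy to catch before deployment: any AWS::S3::Bucket that sets AccessControl but whose OwnershipControls are absent (new buckets default to BucketOwnerEnforced) or explicitly BucketOwnerEnforced will be rejected with InvalidBucketAclWithObjectOwnership. The following checker is an added example, not code from the issue or from the aws-data-lake-solution project; it reads CloudFormation templates in JSON form (stdlib only, so the YAML intrinsic tags above are not parsed) and uses a constructed JSON equivalent of the S3LoggingBucket resource as sample input. The function names and the sample template are assumptions made for the example.

```python
"""Flag S3 buckets whose AccessControl (ACL) setting conflicts with Object Ownership.

Added example for the issue above; not part of the aws-data-lake-solution project.
"""
import copy
import json
from typing import Dict, List

# Object Ownership settings under which S3 still accepts bucket ACLs.
ACL_COMPATIBLE_OWNERSHIP = {"BucketOwnerPreferred", "ObjectWriter"}
# Buckets created without OwnershipControls default to BucketOwnerEnforced,
# which disables ACLs and rejects any AccessControl value at creation time.
DEFAULT_OWNERSHIP = "BucketOwnerEnforced"


def object_ownership(props: Dict) -> str:
    """Return the effective ObjectOwnership for a bucket's Properties block."""
    rules = (props.get("OwnershipControls") or {}).get("Rules") or []
    for rule in rules:
        if "ObjectOwnership" in rule:
            return rule["ObjectOwnership"]
    return DEFAULT_OWNERSHIP


def check_bucket(logical_id: str, props: Dict) -> List[str]:
    """Findings for one AWS::S3::Bucket resource (empty list means clean)."""
    findings: List[str] = []
    acl = props.get("AccessControl")
    if acl is None:
        return findings  # no ACL requested: BucketOwnerEnforced default is fine
    findings.append(
        f"{logical_id}: AccessControl is a legacy property; prefer a bucket policy"
    )
    ownership = object_ownership(props)
    if ownership not in ACL_COMPATIBLE_OWNERSHIP:
        findings.append(
            f"{logical_id}: AccessControl={acl} with ObjectOwnership={ownership} "
            "fails with InvalidBucketAclWithObjectOwnership; set OwnershipControls "
            "to BucketOwnerPreferred or drop AccessControl"
        )
    return findings


def check_template(template: Dict) -> List[str]:
    """Run check_bucket over every S3 bucket in a parsed CloudFormation template."""
    findings: List[str] = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") == "AWS::S3::Bucket":
            findings.extend(check_bucket(logical_id, resource.get("Properties", {})))
    return findings


# Constructed JSON equivalent of the failing S3LoggingBucket resource (assumption:
# the JSON form of the template; the real template is YAML).
BROKEN_TEMPLATE = json.loads("""
{
  "Resources": {
    "S3LoggingBucket": {
      "Type": "AWS::S3::Bucket",
      "DeletionPolicy": "Retain",
      "Properties": {
        "BucketName": {"Fn::Join": ["-", [{"Ref": "AWS::AccountId"},
                                           {"Ref": "AWS::Region"}, "s3-access-log"]]},
        "AccessControl": "LogDeliveryWrite",
        "BucketEncryption": {"ServerSideEncryptionConfiguration": [
            {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
        "PublicAccessBlockConfiguration": {"BlockPublicAcls": true,
            "BlockPublicPolicy": true, "IgnorePublicAcls": true,
            "RestrictPublicBuckets": true}
      }
    }
  }
}
""")


def with_ownership(template: Dict, logical_id: str, ownership: str) -> Dict:
    """Fix A from the issue: keep the ACL but add matching OwnershipControls."""
    fixed = copy.deepcopy(template)
    props = fixed["Resources"][logical_id]["Properties"]
    props["OwnershipControls"] = {"Rules": [{"ObjectOwnership": ownership}]}
    return fixed


def without_access_control(template: Dict, logical_id: str) -> Dict:
    """Fix B from the issue: remove the legacy AccessControl property."""
    fixed = copy.deepcopy(template)
    fixed["Resources"][logical_id]["Properties"].pop("AccessControl", None)
    return fixed


FIXED_PREFERRED = with_ownership(BROKEN_TEMPLATE, "S3LoggingBucket", "BucketOwnerPreferred")
FIXED_NO_ACL = without_access_control(BROKEN_TEMPLATE, "S3LoggingBucket")

if __name__ == "__main__":
    for name, tpl in [("broken", BROKEN_TEMPLATE), ("fix A", FIXED_PREFERRED),
                      ("fix B", FIXED_NO_ACL)]:
        print(name, check_template(tpl) or "clean")
```

The broken template yields two findings (legacy property, then the hard failure), fix A keeps only the legacy-property warning, and fix B is clean. One caveat when choosing fix B for a logging bucket: with ACLs disabled, S3 server access logging no longer relies on the LogDeliveryWrite ACL, so the bucket needs a bucket policy that allows the logging service principal to put objects instead.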
