aws_s3: Starting April 2023, it's not possible to setup an s3 bucket to use as logging bucket for a cloudfront distribution #25291
Comments
Related to #25288 (comment). And this works for me, FYR:

```ts
const logBucket = new s3.Bucket(this, 'logBucket', {
  objectOwnership: s3.ObjectOwnership.OBJECT_WRITER,
});
```

We probably need to improve our API document for this.
We are facing the same issue trying to use a bucket for the server access logs of another bucket. According to the docs, the recommendation is to use an IAM policy instead of an ACL. CDK ought to be fixed to follow this security best practice. https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html#grant-log-delivery-permissions-bucket-policy
Starting from April 2023, all newly created S3 buckets by default have [S3 Block Public Access](https://aws.amazon.com/blogs/aws/amazon-s3-block-public-access-another-layer-of-protection-for-your-accounts-and-buckets/) enabled and [access control lists](https://aws.amazon.com/blogs/aws/new-simplify-access-management-for-data-stored-in-amazon-s3/) (ACLs) disabled, and this prevents the default logBucket for CloudFront from being created. This PR adds the `ObjectOwnership` property set to `ObjectWriter`, which allows the default log bucket to be successfully created.

Reference

- https://aws.amazon.com/blogs/aws/heads-up-amazon-s3-security-changes-are-coming-in-april-of-2023/
- https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html#access-logs-choosing-s3-bucket

Closes #25288 #25291

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Thanks @pahud, this seems to work for us!
I'm going to close this in favor of #25358.
Describe the feature
At the moment, it is not possible to create a bucket with aws_cdk that can be used as the logging bucket of a CloudFront distribution.
There was an announcement from AWS: "Starting April 2023 you will need to enable S3 access control lists (ACLs) for new S3 buckets being used for CloudFront standard logs." (https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html)
I don't think there is a way to do this with CDK at the moment; with every configuration I try, I get the following error:

```
ROLLBACK_COMPLETE: Bucket cannot have ACLs set with ObjectOwnership's BucketOwnerEnforced setting (Service: Amazon S3; Status Code: 400; Error Code: InvalidBucketAclWithObjectOwnership;
```
Use Case
I want to be able to define an S3 bucket and use it as the logging bucket for a CloudFront distribution.
Proposed Solution
I think a new type for BucketAccessControl could help?
Other Information
No response
Acknowledgements
CDK version used
2.76.0 (build 78c411b)
Environment details (OS name and version, etc.)
Macbook Ventura 13.3.1 (22E261)
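The following is an added example written for this thread; it is not code from aws-cdk or from any of the commenters. It models in plain TypeScript, with no AWS SDK or CDK dependency, the S3 rule behind the `InvalidBucketAclWithObjectOwnership` error quoted in the issue, and contrasts the two log bucket shapes discussed in the comments: a CloudFront standard-log bucket, which must keep ACLs enabled (`ObjectWriter`, the fix applied in the thread), and an S3 server-access-log destination, which can keep ACLs disabled (`BucketOwnerEnforced`) and grant `logging.s3.amazonaws.com` through a bucket policy scoped by `aws:SourceArn` and `aws:SourceAccount`. The type names, helper functions, bucket names and the account ID are constructed for the example and are not CDK or S3 API identifiers.

```typescript
// Added example, not aws-cdk code. Models the S3 ownership/ACL rule and the two
// log bucket shapes from the issue thread. Names and IDs below are constructed.

type ObjectOwnership = "BucketOwnerEnforced" | "BucketOwnerPreferred" | "ObjectWriter";
type CannedAcl = "Private" | "LogDeliveryWrite" | "BucketOwnerFullControl";

interface LogBucket {
  bucketName: string;
  objectOwnership: ObjectOwnership;
  accessControl?: CannedAcl; // a canned ACL other than Private counts as "ACLs set"
  blockPublicAccess: boolean;
}

// Mirrors the CreateBucket check quoted in the issue: BucketOwnerEnforced disables
// ACLs, so combining it with a non-Private canned ACL is rejected by S3.
function validateBucket(b: LogBucket): string | null {
  const aclSet = b.accessControl !== undefined && b.accessControl !== "Private";
  if (aclSet && b.objectOwnership === "BucketOwnerEnforced") {
    return "InvalidBucketAclWithObjectOwnership: Bucket cannot have ACLs set with " +
      "ObjectOwnership's BucketOwnerEnforced setting";
  }
  return null;
}

// CloudFront standard logs are delivered with an ACL, so the bucket must keep ACLs
// enabled: ObjectWriter does that. Block Public Access is independent and stays on.
function cloudFrontLogBucket(bucketName: string): LogBucket {
  return { bucketName, objectOwnership: "ObjectWriter", blockPublicAccess: true };
}

// Build the distribution's logging config, refusing an ACL-disabled bucket up front
// rather than discovering the problem at deploy time as a ROLLBACK_COMPLETE.
function cloudFrontLoggingConfig(b: LogBucket, prefix = "cloudfront/") {
  if (b.objectOwnership === "BucketOwnerEnforced") {
    throw new Error(`${b.bucketName}: ACLs are disabled (BucketOwnerEnforced); ` +
      "CloudFront standard logging needs ObjectWriter");
  }
  return { Bucket: `${b.bucketName}.s3.amazonaws.com`, Prefix: prefix, IncludeCookies: false };
}

// S3 server access logs do not need an ACL: keep ACLs disabled and grant the log
// delivery service principal with a bucket policy instead (the policy-based grant
// the S3 docs recommend). The conditions pin the grant to one source bucket/account.
function serverAccessLogBucket(bucketName: string): LogBucket {
  return { bucketName, objectOwnership: "BucketOwnerEnforced", blockPublicAccess: true };
}

function serverAccessLogPolicy(dest: LogBucket, sourceBucketName: string,
                               sourceAccountId: string, prefix = "logs/") {
  return {
    Version: "2012-10-17",
    Statement: [
      {
        Sid: "S3ServerAccessLogsPolicy",
        Effect: "Allow",
        Principal: { Service: "logging.s3.amazonaws.com" },
        Action: ["s3:PutObject"],
        Resource: `arn:aws:s3:::${dest.bucketName}/${prefix}*`,
        Condition: {
          ArnLike: { "aws:SourceArn": `arn:aws:s3:::${sourceBucketName}` },
          StringEquals: { "aws:SourceAccount": sourceAccountId },
        },
      },
    ],
  };
}

// Walk through the failing shape from the issue and the two working shapes.
function demo(): string[] {
  const broken: LogBucket = {
    bucketName: "example-logs", objectOwnership: "BucketOwnerEnforced",
    accessControl: "LogDeliveryWrite", blockPublicAccess: true,
  };
  const lines: string[] = [`broken: ${validateBucket(broken)}`];

  const cf = cloudFrontLogBucket("example-cf-logs");
  lines.push(`cloudfront: ${validateBucket(cf) || "ok"} -> ${cloudFrontLoggingConfig(cf).Bucket}`);

  const sal = serverAccessLogBucket("example-access-logs");
  const policy = serverAccessLogPolicy(sal, "example-data", "111111111111"); // constructed account ID
  lines.push(`server-access: ${validateBucket(sal) || "ok"} -> ${policy.Statement[0].Resource}`);
  return lines;
}

console.log(demo().join("\n"));
```

The point to take from the two shapes: enabling ACLs (`ObjectWriter`) is only necessary where the writer, such as CloudFront standard logging, insists on delivering objects with an ACL; where the writer supports a resource policy, as S3 server access logging does, leaving ACLs disabled and scoping the policy with `aws:SourceArn` and `aws:SourceAccount` keeps the smaller attack surface the April 2023 defaults were introduced for.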