
aws-cdk-lib Version 2.100.0 Fails with Access Denied on Deployment #990

Closed
surecloud-meason opened this issue Oct 17, 2023 · 8 comments

Comments

@surecloud-meason

surecloud-meason commented Oct 17, 2023

Resource handler returned message: "Access Denied (Service: S3, Status Code: 403, Request ID:..."

As of cdk version 2.100.0, deployments for cdk-serverless-clamscan fail with an access denied error in CloudFormation.

const scanOnBucket = new ServerlessClamscan(scope, `${id}-virus-scan`, {
  acceptResponsibilityForUsingImportedBucket: true,
  buckets: [props.quarantineBucket],
  defsBucketAccessLogsConfig: {
    logsBucket: virusDefinitionLogBucket,
    logsPrefix: 'virusDefinition-log',
  },
  onError: new SnsDestination(snsOnFail),
});

The issue seems to be related to the default s3 bucket policy changes: aws/aws-cdk#25358

@dontirun
Contributor

I believe this is due to the imported Bucket not having the correct access permissions. The issue was resolved for newly created buckets in this PR. Does the imported bucket have Object Writer ownership permissions?

@surecloud-Awalia

surecloud-Awalia commented Oct 23, 2023

> I believe this is due to the imported Bucket not having the correct access permissions. The issue was resolved for newly created buckets in this PR. Does the imported bucket have Object Writer ownership permissions?

Hi, the error we are getting is related to virusdeflog bucket which is not an imported bucket.

Update: My bad, this is the imported bucket, but it has correct properties set, see my latest comments.

@dontirun
Contributor

Was the virusDefinitionLogBucket created in an earlier version of the CDK? That's a bucket that is getting passed into the construct, so you will need to make sure that it has the correct object writer permissions.
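The check the maintainer is asking for, as an added example that is not part of this thread or of cdk-serverless-clamscan: S3 server access logging can deliver to a target bucket either through the bucket ACL (a WRITE and READ_ACP grant to the S3 log delivery group, which only works while ACLs are enabled, i.e. ObjectOwnership is ObjectWriter or BucketOwnerPreferred) or through a bucket policy that allows the `logging.s3.amazonaws.com` service principal to `s3:PutObject`. With ObjectOwnership set to BucketOwnerEnforced, ACLs are disabled and only the policy path can work. The script below takes inputs shaped like the responses of the S3 GetBucketOwnershipControls, GetBucketAcl and GetBucketPolicy APIs and reports which delivery path, if any, an existing logs bucket supports. The three buckets and their ACL and policy documents are constructed inline so it runs offline; the bucket names are made up.

```python
"""Preflight check for an imported S3 access-logs target bucket.

Added example (not from the issue thread or the construct). Inputs mirror
the JSON returned by GetBucketOwnershipControls, GetBucketAcl and
GetBucketPolicy, but are constructed here so the script runs offline.
"""
import json

LOG_DELIVERY_GROUP = "http://acs.amazonaws.com/groups/s3/LogDelivery"
LOG_DELIVERY_PRINCIPAL = "logging.s3.amazonaws.com"


def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def object_ownership(ownership_controls):
    """Effective ObjectOwnership. A bucket with no ownership controls set
    (the API raises OwnershipControlsNotFoundError) behaves as ObjectWriter."""
    rules = ownership_controls.get("OwnershipControls", {}).get("Rules", [])
    return rules[0].get("ObjectOwnership", "ObjectWriter") if rules else "ObjectWriter"


def acl_grants_log_delivery(acl):
    """ACL-based delivery needs both WRITE and READ_ACP for the log delivery group."""
    perms = set()
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") == LOG_DELIVERY_GROUP:
            perms.add(grant.get("Permission"))
    return {"WRITE", "READ_ACP"} <= perms


def policy_grants_log_delivery(policy_document, bucket_name):
    """Policy-based delivery needs an Allow for logging.s3.amazonaws.com to
    s3:PutObject on objects in this bucket (optionally under a prefix)."""
    if not policy_document:
        return False
    policy = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    object_arn_prefix = f"arn:aws:s3:::{bucket_name}/"
    for statement in _as_list(policy.get("Statement")):
        if statement.get("Effect") != "Allow":
            continue
        principal = statement.get("Principal", {})
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if LOG_DELIVERY_PRINCIPAL not in services:
            continue
        if not any(a in ("s3:PutObject", "s3:Put*", "s3:*") for a in _as_list(statement.get("Action"))):
            continue
        if any(r == "*" or r.startswith(object_arn_prefix) for r in _as_list(statement.get("Resource"))):
            return True
    return False


def log_delivery_path(bucket_name, ownership_controls, acl, policy_document):
    """Return ('policy' | 'acl' | None, reason) for the given target bucket."""
    ownership = object_ownership(ownership_controls)
    if policy_grants_log_delivery(policy_document, bucket_name):
        return "policy", f"bucket policy allows {LOG_DELIVERY_PRINCIPAL} to s3:PutObject"
    if ownership == "BucketOwnerEnforced":
        return None, "ACLs are disabled (BucketOwnerEnforced) and the policy has no log delivery grant"
    if acl_grants_log_delivery(acl):
        return "acl", f"ObjectOwnership={ownership}; ACL grants WRITE and READ_ACP to the log delivery group"
    return None, f"ObjectOwnership={ownership} but the ACL lacks the log delivery group grants"


# Constructed sample buckets (names and documents are made up for this example).
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}
SAMPLE_BUCKETS = {
    # Legacy-style bucket: no ownership controls, ACL grants the log delivery group.
    "legacy-logs": ({}, {"Grants": [OWNER_GRANT,
                                    {"Grantee": {"Type": "Group", "URI": LOG_DELIVERY_GROUP}, "Permission": "WRITE"},
                                    {"Grantee": {"Type": "Group", "URI": LOG_DELIVERY_GROUP}, "Permission": "READ_ACP"}]}, None),
    # ACLs disabled and no policy grant: log delivery will be refused.
    "enforced-no-policy": ({"OwnershipControls": {"Rules": [{"ObjectOwnership": "BucketOwnerEnforced"}]}},
                           {"Grants": [OWNER_GRANT]}, None),
    # ACLs disabled but the policy grants the logging service principal.
    "enforced-with-policy": ({"OwnershipControls": {"Rules": [{"ObjectOwnership": "BucketOwnerEnforced"}]}},
                             {"Grants": [OWNER_GRANT]},
                             json.dumps({"Version": "2012-10-17", "Statement": [{
                                 "Effect": "Allow",
                                 "Principal": {"Service": LOG_DELIVERY_PRINCIPAL},
                                 "Action": "s3:PutObject",
                                 "Resource": "arn:aws:s3:::enforced-with-policy/virusDefinition-log*"}]})),
}


def check_all(buckets=SAMPLE_BUCKETS):
    return {name: log_delivery_path(name, *cfg) for name, cfg in buckets.items()}


if __name__ == "__main__":
    for name, (path, reason) in check_all().items():
        print(f"{name}: {'OK via ' + path if path else 'CANNOT receive logs'} ({reason})")
```

Running it against real buckets means feeding the output of `aws s3api get-bucket-ownership-controls`, `get-bucket-acl` and `get-bucket-policy` into `log_delivery_path`; a `None` result on the logs bucket is the configuration to fix before retrying the deployment.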

@surecloud-Awalia

logBucket has following properties set:

versioned: false,
encryption: BucketEncryption.S3_MANAGED,
objectOwnership: ObjectOwnership.OBJECT_WRITER,

I am using a newer version of cdk (2.100.0). The issue does not come up when we use an older version of cdk than this.

@dontirun
Contributor

Can you share the full CloudFormation error including the logical id and CDK identifier of the resource that is throwing the error?

@surecloud-Awalia

Resource handler returned message: "Access Denied (Service: S3, Status Code: 403, Request ID: RWR4YE6NZYHN8BRQ, Extended Request ID: yJRnXEJpvZXgYPTF8twHG0b6psj86gkC2Ys6No2IGyqb7bDcwjBxjcMyOR9btgKM0aM0PMFVwhg=)" (RequestToken: 04049524-9442-f26e-165a-f194dd0efb27, HandlerErrorCode: AccessDenied)

logical id - ourstackamevirusscanVirusDefsBucketPolicyB482E79B
type - AWS::S3::BucketPolicy

@dontirun
Contributor

I'm unable to reproduce this. I was able to successfully deploy this construct using cdk version 2.103.0 using the following application.

import * as cdk from 'aws-cdk-lib';
import { Bucket } from 'aws-cdk-lib/aws-s3';
import { ServerlessClamscan } from 'cdk-serverless-clamscan';

export class MyStack extends cdk.Stack {
  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    const virusDefinitionLogBucket = new Bucket(this, 'logs');
    const input = new Bucket(this, 'input');
    new ServerlessClamscan(this, 'clamscan', {
      buckets: [input],
      defsBucketAccessLogsConfig: {
        logsBucket: virusDefinitionLogBucket,
        logsPrefix: 'virusDefinition-log',
      },
    });
  }
}

const app = new cdk.App();
new MyStack(app, 'test-cdk-2-103-0-clamscan');

app.synth();

I'm only seeing access denied errors on stack deletion. The S3 Bucket that contains the Virus Definitions has a bucket policy that will likely cause a deletion error when deleting the stack associated with the construct. However, since the bucket itself gets deleted, you can run the destroy command again to resolve the error.

@surecloud-Awalia

Thank you, deleting the bucket and recreating seems to have fixed the issue for us.
