mrinaudo-aws
commented
1 year ago Besides the above issue, I also noted that the access log bucket does not seem to get access logs. Looking into the relevant docs, I read: [...] You can use default bucket encryption on the target bucket only if you use AES256 (SSE-S3). Default encryption with AWS KMS keys (SSE-KMS) is not supported.
I then tested with AES256 instead of the current SSE-KMS setting on the log bucket, and this resulted for me to have logs being delivered when I tested access to my bucket.
Whilst using the
cfn submitcommand of the CloudFormation CLI on a region I have not yet used with it, theCloudFormationManagedUploadInfrastructurestack (that the tool creates and updates on a region when usingcfn submit) failed to create. The resource with logical IDAccessLogsBucketresulted in aCREATE_FAILEDstatus, and with the following message:Bucket cannot have ACLs set with ObjectOwnership's BucketOwnerEnforced setting (Service: Amazon S3; Status Code: 400; Error Code: InvalidBucketAclWithObjectOwnership [...].As a result, I could not submit the extension to the registry with the CloudFormation CLI; the newly-created stack transitioned to a
ROLLBACK_COMPLETEstatus, and I then deleted the stack.I inspected the relevant resource declaration in the template, as shown in the following excerpt:
The resource in question is described with the
AccessControl: LogDeliveryWritecanned access control list (ACL); I believe the error above would be explained by information I see in this post on the part relevant to disabling S3 ACLs for all new S3 buckets. When I try to usecfn submitin a region where I already used it (hence, where I already have a relevant, existing stack and bucket), I do not get the error.