Closed mrinaudo-aws closed 1 year ago
Besides the above issue, I also noted that the access log bucket does not seem to get access logs. Looking into the relevant docs, I read: "[...] You can use default bucket encryption on the target bucket only if you use AES256 (SSE-S3). Default encryption with AWS KMS keys (SSE-KMS) is not supported." I then tested with `AES256` instead of the current `SSE-KMS` setting on the log bucket, and this resulted in logs being delivered when I tested access to my bucket.
Whilst using the `cfn submit` command of the CloudFormation CLI on a region I have not yet used with it, the `CloudFormationManagedUploadInfrastructure` stack (that the tool creates and updates on a region when using `cfn submit`) failed to create. The resource with logical ID `AccessLogsBucket` resulted in a `CREATE_FAILED` status, and with the following message:

`Bucket cannot have ACLs set with ObjectOwnership's BucketOwnerEnforced setting (Service: Amazon S3; Status Code: 400; Error Code: InvalidBucketAclWithObjectOwnership [...]`

As a result, I could not submit the extension to the registry with the CloudFormation CLI; the newly-created stack transitioned to a `ROLLBACK_COMPLETE` status, and I then deleted the stack. I inspected the relevant resource declaration in the template, as shown in the following excerpt:

The resource in question is described with the `AccessControl: LogDeliveryWrite` canned access control list (ACL); I believe the error above would be explained by information I see in this post on the part relevant to disabling S3 ACLs for all new S3 buckets. When I try to use `cfn submit` in a region where I already used it (hence, where I already have a relevant, existing stack and bucket), I do not get the error.
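The following CloudFormation template is an added example, not the CloudFormation CLI's own `CloudFormationManagedUploadInfrastructure` template, showing how an access-log target bucket can be declared so that both problems described in this issue are avoided: it drops the `AccessControl: LogDeliveryWrite` ACL (which conflicts with `ObjectOwnership: BucketOwnerEnforced`) and instead grants the S3 logging service principal `s3:PutObject` through a bucket policy, and it uses SSE-S3 (`AES256`) as the default encryption because server access logging does not deliver to SSE-KMS targets. The logical ID `AccessLogsBucket` is kept from the page; `ArtifactBucket`, the `artifact-bucket-logs/` prefix and the policy statement IDs are assumptions made for this example.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Added example (not the CloudFormation CLI's template): access-log target
  bucket compatible with ObjectOwnership BucketOwnerEnforced and SSE-S3.

Resources:
  # Target bucket for S3 server access logs. No AccessControl property:
  # with BucketOwnerEnforced, ACLs are disabled and any canned ACL fails.
  AccessLogsBucket:
    Type: AWS::S3::Bucket
    Properties:
      OwnershipControls:
        Rules:
          - ObjectOwnership: BucketOwnerEnforced
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              # SSE-S3. An SSE-KMS default would stop log delivery to this bucket.
              SSEAlgorithm: AES256

  # Replaces the LogDeliveryWrite ACL: the S3 logging service principal is
  # allowed to write log objects, restricted to this account.
  AccessLogsBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref AccessLogsBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: AllowS3ServerAccessLogDelivery
            Effect: Allow
            Principal:
              Service: logging.s3.amazonaws.com
            Action: s3:PutObject
            Resource: !Sub "${AccessLogsBucket.Arn}/*"
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref "AWS::AccountId"
          - Sid: DenyInsecureTransport
            Effect: Deny
            Principal: "*"
            Action: "s3:*"
            Resource:
              - !GetAtt AccessLogsBucket.Arn
              - !Sub "${AccessLogsBucket.Arn}/*"
            Condition:
              Bool:
                aws:SecureTransport: "false"

  # Hypothetical source bucket whose requests are logged to AccessLogsBucket.
  # S3 validates the target's permissions when logging is enabled, so the
  # policy must exist first; DependsOn makes that ordering explicit.
  ArtifactBucket:
    Type: AWS::S3::Bucket
    DependsOn: AccessLogsBucketPolicy
    Properties:
      OwnershipControls:
        Rules:
          - ObjectOwnership: BucketOwnerEnforced
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              # The source bucket itself may use SSE-KMS; only the log target cannot.
              SSEAlgorithm: aws:kms
      LoggingConfiguration:
        DestinationBucketName: !Ref AccessLogsBucket
        LogFilePrefix: artifact-bucket-logs/
```

After deployment, a quick check that both fixes took effect is to read an object in `ArtifactBucket` and confirm that, within the delivery delay for server access logs, objects appear under `artifact-bucket-logs/` in `AccessLogsBucket`; if the target bucket's default encryption is later switched to SSE-KMS, delivery stops without a stack error, which is why that setting deserves a drift or config-rule check rather than relying on the stack status alone.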