aws-samples / aws-genai-llm-chatbot

A modular and comprehensive solution to deploy a Multi-LLM and Multi-RAG powered chatbot (Amazon Bedrock, Anthropic, HuggingFace, OpenAI, Meta, AI21, Cohere, Mistral) using AWS CDK on AWS
https://aws-samples.github.io/aws-genai-llm-chatbot/
MIT No Attribution

Deploying a public chatbot to some regions (e.g af-south-1) fails due to unsupported logging for Cloudfront distribution #517

Closed eldimi closed 3 weeks ago

eldimi commented 3 months ago

Observed behavior: Trying to deploy in af-south-1 fails with the following error:

7:05:48 AM | CREATE_FAILED        | AWS::CloudFront::Distribution                   | UserInterface/Publ...ion/CFDistribution
Resource handler returned message: "Access denied for operation 'AWS::CloudFront::Distribution: You don't have permission to access the S3 bucket for CloudFront logs: issuesgenaichatbotstack-userinterfacepublicwebsite-24jbnfsrjee2.s3.af-south-1.amazonaws.com If you're using IAM, you need s3:GetBucketAcl and s3:PutBucketAcl permissions to create a distribution or to update log settings for an existing distribution. In addition, the S3 ACL for the bucket must grant you FULL_CONTROL. (Service: CloudFront, Status Code: 403, Request ID: fddbf7da-f7b2-4de6-86fe-2ddeef7091e8)'." (RequestToken: 27dd0ea0-c118-b372-d085-1771cbd1e439, HandlerErrorCode: AccessDenied)

Root cause: CloudFront doesn't deliver standard logs to Amazon S3 buckets in the following AWS Regions: Africa (Cape Town), Asia Pacific (Hong Kong), Asia Pacific (Jakarta), Europe (Milan), and Middle East (Bahrain). There is a workaround: remove the loggingConfiguration for the CloudfrontDistribution in \lib\user-interface\public-website.ts. This will trigger a CDK nag rule, so if you try to deploy you will receive an error:

[Error at /issuesGenAIChatBotStack/UserInterface/PublicWebsite/Distribution/CFDistribution] AwsSolutions-CFR3: The CloudFront distribution does not have access logging enabled. Enabling access logs helps operators track all viewer requests for the content delivered through the Content Delivery Network.

To suppress it, append to NagSuppressions.addResourceSuppressions(distribution, ...), in the same file, a rule like:

    {
      id: "AwsSolutions-CFR3",
      reason: "Access logging not available in af-south-1"
    },

To resolve this permanently, one option would be to add this to the advanced setting in config.
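One way to make the region check permanent, as an added example that is not code from the aws-genai-llm-chatbot project: a plain TypeScript helper (no CDK dependency) that decides whether to pass logging props to the distribution and which cdk-nag suppression to attach, keyed on the deployment region. The region codes for the five named regions, the `forceDisable` flag standing in for the advanced config setting, and the shape of the returned logging props are assumptions.

```typescript
// Regions where CloudFront does not deliver standard logs to S3, per the issue text.
// The region codes are assumed mappings of the region names quoted there.
const NO_CLOUDFRONT_STANDARD_LOGS: ReadonlySet<string> = new Set([
  "af-south-1",     // Africa (Cape Town)
  "ap-east-1",      // Asia Pacific (Hong Kong)
  "ap-southeast-3", // Asia Pacific (Jakarta)
  "eu-south-1",     // Europe (Milan)
  "me-south-1",     // Middle East (Bahrain)
]);

// Assumed shape, loosely mirroring the logging fields a CDK cloudfront.Distribution takes.
interface LoggingProps { bucket: string; prefix: string; includeCookies: boolean }
interface NagSuppression { id: string; reason: string }
interface LoggingDecision {
  logging: LoggingProps | null;        // null => omit loggingConfiguration entirely
  nagSuppressions: NagSuppression[];   // attach via NagSuppressions.addResourceSuppressions
}

// Keep access logging on wherever the service supports it; only in the unsupported
// regions (or when the operator opts out via config) drop it, and record a narrow,
// region-specific reason for the AwsSolutions-CFR3 suppression so the audit trail
// explains why the detection control is absent.
function decideCloudFrontLogging(region: string, logBucket: string, forceDisable = false): LoggingDecision {
  const unsupported = NO_CLOUDFRONT_STANDARD_LOGS.has(region);
  if (!unsupported && !forceDisable) {
    return {
      logging: { bucket: logBucket, prefix: "cloudfront/", includeCookies: false },
      nagSuppressions: [],
    };
  }
  const reason = unsupported
    ? `CloudFront standard logging to S3 is not available in ${region}`
    : `Access logging disabled by advanced config setting in ${region}`;
  return { logging: null, nagSuppressions: [{ id: "AwsSolutions-CFR3", reason }] };
}

// Guard: a CFR3 suppression must name the region it applies to, so a copy-pasted
// blanket suppression is rejected before synthesis.
function suppressionIsScoped(decision: LoggingDecision, region: string): boolean {
  return decision.nagSuppressions.every(s => s.id !== "AwsSolutions-CFR3" || s.reason.includes(region));
}
```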

github-actions[bot] commented 1 month ago

This issue is stale because it has been open for 60 days with no activity.

github-actions[bot] commented 3 weeks ago

This issue was closed because it has been inactive for 30 days since being marked as stale.