aws-samples / aws-security-reference-architecture-examples

Example solutions demonstrating how to implement patterns within the AWS Security Reference Architecture guide using CloudFormation (including Customizations for AWS Control Tower) and Terraform.

[BUG] CustomControlTowerS3AccessLogsBucket Failed to create #158

Closed lance-udasco closed 6 months ago

lance-udasco commented 1 year ago

Describe the bug

During deployment of the SRA, the sra-common-cfct-setup-main-rCFCTStack fails to create the CustomControlTowerS3AccessLogsBucket S3 bucket with the following status reason:

Bucket cannot have ACLs set with ObjectOwnership's BucketOwnerEnforced setting (Service: Amazon S3; Status Code: 400; Error Code: InvalidBucketAclWithObjectOwnership; Request ID: 3W9T4XC5BMANRPD0; S3 Extended Request ID: MNT1YCGt9SxEK/P2U4ubMZ9XoLETKhnkkJXWFTmsnu/o+rYSBd1ZZDzR1BXP/JGVdy6SlPbGmJc=; Proxy: null)

To Reproduce

I download and stage the SRA solution: https://github.com/aws-samples/aws-security-reference-architecture-examples/blob/main/aws_sra_examples/docs/DOWNLOAD-AND-STAGE-SOLUTIONS.md#download-the-sra-examples-code-from-github

I deploy the prerequisites: https://github.com/aws-samples/aws-security-reference-architecture-examples/tree/main/aws_sra_examples/solutions/common/common_prerequisites#implementation-instructions

I run step 1 of the implementation instructions: https://github.com/aws-samples/aws-security-reference-architecture-examples/tree/main/aws_sra_examples/solutions/common/common_cfct_setup

aws cloudformation deploy --template-file $HOME/aws-sra-examples/aws_sra_examples/solutions/common/common_cfct_setup/templates/sra-common-cfct-setup-main.yaml --stack-name sra-common-cfct-setup-main --capabilities CAPABILITY_NAMED_IAM

sbrown-tecracer commented 1 year ago

Had the same problem, stems from this: https://aws.amazon.com/about-aws/whats-new/2022/12/amazon-s3-automatically-enable-block-public-access-disable-access-control-lists-buckets-april-2023/

The SRA deployment file in your S3 for sra-staging-XXXXXXXXXXXX-Region/sra-common-cfct-setup/templates/customizations-for-aws-control-tower.template is still at v2.5.3 and the current release is at v2.6.0 which resolves your problem.

Workaround - Simply download the v2.6.0 from CFCT, rename it with a version, upload to the SRA staging bucket, and then amend your last deploy template - sra-common-cfct-setup-main.yaml - to the new version:

TemplateURL: !Sub https://${pSRAStagingS3BucketName}.s3.${AWS::Region}.${AWS::URLSuffix}/${pSRASolutionName}/templates/customizations-for-aws-control-tower-v2.6.0.template

The Stacks should then deploy as desired BUT should definitely be controlled at SRA Source
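As an added example (not code from this repository or from CfCT), a small Python preflight check that scans a CloudFormation template for the conflicting combination behind the InvalidBucketAclWithObjectOwnership error above, so the problem is caught before `aws cloudformation deploy` rather than at stack creation. The template is a constructed sample in CloudFormation's JSON form; the resource names and the assumption that dropping the canned ACL is the corrected shape are mine, not taken from the v2.6.0 template.

```python
"""Preflight lint: flag AWS::S3::Bucket resources whose properties combine a
canned ACL (AccessControl) with ObjectOwnership BucketOwnerEnforced, the
combination S3 rejects with InvalidBucketAclWithObjectOwnership."""
import json


def bucket_acl_conflicts(template: dict) -> list:
    """Return (logical_id, access_control) for every bucket that sets an
    AccessControl other than 'Private' while ACLs are disabled by
    BucketOwnerEnforced. Treating 'Private' as harmless is an assumption."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::S3::Bucket":
            continue
        props = res.get("Properties", {})
        acl = props.get("AccessControl")
        rules = props.get("OwnershipControls", {}).get("Rules", [])
        enforced = any(r.get("ObjectOwnership") == "BucketOwnerEnforced" for r in rules)
        if acl and acl != "Private" and enforced:
            findings.append((logical_id, acl))
    return findings


# Constructed sample (not the project's template): the first bucket mirrors the
# conflict from the issue, the second is the assumed corrected shape with the
# canned ACL removed so only the ownership setting remains.
SAMPLE_TEMPLATE = json.loads("""{
 "Resources": {
  "CustomControlTowerS3AccessLogsBucket": {
   "Type": "AWS::S3::Bucket",
   "Properties": {
    "AccessControl": "LogDeliveryWrite",
    "OwnershipControls": {"Rules": [{"ObjectOwnership": "BucketOwnerEnforced"}]}
   }
  },
  "FixedAccessLogsBucket": {
   "Type": "AWS::S3::Bucket",
   "Properties": {
    "OwnershipControls": {"Rules": [{"ObjectOwnership": "BucketOwnerEnforced"}]}
   }
  }
 }
}""")

if __name__ == "__main__":
    for logical_id, acl in bucket_acl_conflicts(SAMPLE_TEMPLATE):
        print(f"{logical_id}: AccessControl={acl} conflicts with BucketOwnerEnforced")
```

For a YAML template with intrinsic tags such as !Sub, load it with a YAML parser that tolerates unknown tags and pass the resulting dict to the same function.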