The Customizations for AWS Control Tower solution combines AWS Control Tower and other highly-available, trusted AWS services to help customers more quickly set up a secure, multi-account AWS environment using AWS best practices.
Describe the bug
Starting in April 2023, Amazon S3 will introduce two new default bucket security settings by automatically enabling S3 Block Public Access and disabling S3 access control lists (ACLs) for all new S3 buckets[1].
This change causes the S3 bucket provisioned by the CfCT template in the GitHub link[2] to be created with "Object Ownership" set to "Bucket owner enforced" instead of "ObjectWriter".
Due to this, the CfCT template is failing with the below error:
==========================
Bucket cannot have ACLs set with ObjectOwnership's BucketOwnerEnforced setting (
==========================
Logical Id of the Resource - "CustomControlTowerS3AccessLogsBucket"
To Reproduce
Deploy the CfCT template[2] in the eu-north-1 region
Expected behavior
Expected behavior is that the CloudFormation stack should be created successfully.
Please complete the following information about the solution:
[Version: v2.5.3]
To get the version of the solution, you can look at the description of the created CloudFormation stack. For example, "(SO0089) - customizations-for-aws-control-tower Solution. Version: v1.0.0". You can also find the version from releases
[eu-north-1] Region: [e.g. us-east-1]
[ ] Was the solution modified from the version published on this repository?
[ ] If the answer to the previous question was yes, are the changes available on GitHub?
[Yes] Have you checked your service quotas for the services this solution uses?
[ ] Were there any errors in the CloudWatch Logs?
Screenshots
If applicable, add screenshots to help explain your problem (please DO NOT include sensitive information).
Additional context
Add any other context about the problem here.
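An added check, not part of the CfCT project or of this issue, that scans a CloudFormation template in JSON form for the conflict the report describes: an AWS::S3::Bucket that sets an ACL through AccessControl while its ObjectOwnership is, or (for buckets created after the April 2023 change) defaults to, BucketOwnerEnforced. The logical IDs in the sample template are hypothetical.

```python
import json

# Ownership modes under which S3 still honours bucket ACLs.
ACL_COMPATIBLE = {"ObjectWriter", "BucketOwnerPreferred"}

def bucket_ownership(props):
    """ObjectOwnership declared on the bucket, or BucketOwnerEnforced, the
    default S3 applies to new buckets from April 2023 when it is unset."""
    for rule in (props.get("OwnershipControls") or {}).get("Rules") or []:
        if "ObjectOwnership" in rule:
            return rule["ObjectOwnership"]
    return "BucketOwnerEnforced"

def find_acl_conflicts(template):
    """Return [(logical_id, reason)] for AWS::S3::Bucket resources that set an
    ACL via AccessControl while ownership is, or defaults to, BucketOwnerEnforced."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::S3::Bucket":
            continue
        props = res.get("Properties") or {}
        acl = props.get("AccessControl")
        if acl is None:
            continue  # no ACL requested, nothing for S3 to reject
        ownership = bucket_ownership(props)
        if ownership not in ACL_COMPATIBLE:
            findings.append((logical_id,
                             f"AccessControl={acl} conflicts with ObjectOwnership={ownership}"))
    return findings

# Constructed sample in JSON template syntax; the logical IDs are hypothetical.
# The second bucket is the ACL-free pattern: log delivery would be granted by a
# bucket policy for logging.s3.amazonaws.com rather than by AccessControl.
SAMPLE_TEMPLATE = json.loads("""{
  "Resources": {
    "AccessLogsBucketAcl": {"Type": "AWS::S3::Bucket",
      "Properties": {"AccessControl": "LogDeliveryWrite"}},
    "AccessLogsBucketPolicyBased": {"Type": "AWS::S3::Bucket",
      "Properties": {"OwnershipControls": {"Rules": [{"ObjectOwnership": "BucketOwnerEnforced"}]}}},
    "LegacyAclBucket": {"Type": "AWS::S3::Bucket",
      "Properties": {"AccessControl": "LogDeliveryWrite",
        "OwnershipControls": {"Rules": [{"ObjectOwnership": "ObjectWriter"}]}}}
  }
}""")

if __name__ == "__main__":
    for logical_id, reason in find_acl_conflicts(SAMPLE_TEMPLATE):
        print(f"{logical_id}: {reason}")
```

Only the first sample bucket is reported: it requests the LogDeliveryWrite ACL with no OwnershipControls, so the new default rejects it, which is the shape of the failure on CustomControlTowerS3AccessLogsBucket.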
Hey @somesh-1696, we're unable to reproduce this deployment failure in our test environment. I would recommend you work with AWS Premium Support to further deep dive the deployment failure in your environment.
References:
[1] https://aws.amazon.com/about-aws/whats-new/2022/12/amazon-s3-automatically-enable-block-public-access-disable-access-control-lists-buckets-april-2023/
[2] https://github.com/aws-solutions/aws-control-tower-customizations/blob/main/customizations-for-aws-control-tower.template