aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

s3: breaking change, cannot create bucket anymore, InvalidBucketAclWithObjectOwn #25288

Closed melinaschweizer closed 1 year ago

melinaschweizer commented 1 year ago

Describe the bug

Deployed S3 bucket last week into account A without issues and this week it fails on account B with "Bucket cannot have ACLs set with ObjectOwnership's BucketOwnerEnforced setting (Service: Amazon S3; Status Code: 400; Error Code: InvalidBucketAclWithObjectOwnership; Request ID: K97VC1M7Z0YY14A5; S3 Extended Request ID: DZGiUrXpLClhwp+7nOjoGocVx15FGQCQd6V0NGXk/YSJ3n/OTZWOIg5sNZGagfs7T0wWX2hPw6M=; Proxy: null)". Perhaps the announcement https://www.helpnetsecurity.com/2023/02/07/amazon-s3-bucket-security/ is the reason.

Expected Behavior

I expected the buckets to be created without issue, since this worked last week.

Current Behavior

TERMINAL Output: The bucket creation fails with "1:43:11 PM | CREATE_FAILED | AWS::S3::Bucket | Servicesxxxcsvaccesslogstsm07305C09 Bucket cannot have ACLs set with ObjectOwnership's BucketOwnerEnforced setting (Service: Amazon S3; Status Code: 400; Error Code: InvalidBucketAclWithObjectOwnership; Request ID: K97VC1M7Z0YY14A5; S3 Extended Request ID: DZGiUrXpLClhwp+7nOjoGocVx15FGQCQd6V0NGXk/YSJ3n/OTZWOIg5sNZGagfs7T0wWX2hPw6M=; Proxy: null)"

CFN Output: 2023-04-25 13:43:11 UTC+0200 Servicesxxxcsvaccesslogstsm07305C09 CREATE_FAILED Bucket cannot have ACLs set with ObjectOwnership's BucketOwnerEnforced setting (Service: Amazon S3; Status Code: 400; Error Code: InvalidBucketAclWithObjectOwnership; Request ID: K97VC1M7Z0YY14A5; S3 Extended Request ID: DZGiUrXpLClhwp+7nOjoGocVx15FGQCQd6V0NGXk/YSJ3n/OTZWOIg5sNZGagfs7T0wWX2hPw6M=; Proxy: null)

Reproduction Steps

    from aws_cdk import aws_kms as kms
    from aws_cdk import aws_s3 as s3

    # KMS key for the CSV bucket (defined elsewhere in the original stack;
    # created here so the snippet stands alone).
    csv_bucket_key = kms.Key(self, "xxx-csv-key")

    # Access-log target bucket. This is the resource that failed with
    # InvalidBucketAclWithObjectOwnership: no object_ownership is set, so the
    # new bucket gets BucketOwnerEnforced while access logging relies on an ACL.
    access_logs_bucket = s3.Bucket(
        self, "xxx-csv-access-logs-tsm",
        encryption=s3.BucketEncryption.S3_MANAGED,
        versioned=True,
        block_public_access=s3.BlockPublicAccess.BLOCK_ALL,
    )
    csv_bucket = s3.Bucket(
        self, "xxx-csv",
        encryption=s3.BucketEncryption.KMS,
        encryption_key=csv_bucket_key,
        versioned=True,
        block_public_access=s3.BlockPublicAccess.BLOCK_ALL,
        enforce_ssl=True,
        server_access_logs_bucket=access_logs_bucket,
    )

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.76.0 (build 78c411b)

Framework Version

No response

Node.js Version

v19.8.1

OS

macos

Language

Python

Language Version

Python 3.9.6

Other information

No response

vincenthongzy commented 1 year ago

we are facing this issue as well:

    import { RemovalPolicy } from 'aws-cdk-lib';
    import * as s3 from 'aws-cdk-lib/aws-s3';

    // Failing definition: a public canned ACL with no objectOwnership, so the
    // bucket is created with the new BucketOwnerEnforced default (ACLs disabled).
    this.bucket = new s3.Bucket(this, 'Bucket', {
      autoDeleteObjects: true,
      removalPolicy: RemovalPolicy.DESTROY,
      bucketName: `bucket-name`,
      publicReadAccess: true,
      accessControl: s3.BucketAccessControl.PUBLIC_READ,
    });

edit: following this https://aws.amazon.com/blogs/aws/heads-up-amazon-s3-security-changes-are-coming-in-april-of-2023/ , I managed to generate a new error, "Bucket cannot have public ACLs set with BlockPublicAccess enabled":

    import { RemovalPolicy } from 'aws-cdk-lib';
    import * as s3 from 'aws-cdk-lib/aws-s3';

    // Same bucket with ACLs re-enabled via ObjectWriter; S3 now rejects the
    // public ACL because Block Public Access is on by default for new buckets.
    this.bucket = new s3.Bucket(this, 'Bucket', {
      autoDeleteObjects: true,
      removalPolicy: RemovalPolicy.DESTROY,
      bucketName: `bucket-name`,
      publicReadAccess: true,
      objectOwnership: s3.ObjectOwnership.OBJECT_WRITER,
      accessControl: s3.BucketAccessControl.PUBLIC_READ,
    });

...but there seems to be no way to remove the BlockPublicAccess config

melinaschweizer commented 1 year ago

Hi folks, for me, the solution that worked was adding the following to both buckets:

    xxxxxxxx_bucket = s3.Bucket(
        ...
        object_ownership=s3.ObjectOwnership.OBJECT_WRITER,
    )

pahud commented 1 year ago

According to the blog post announcement:

Once the changes are in effect for a target Region, all newly created buckets in the Region will by default have S3 Block Public Access enabled and access control lists (ACLs) disabled. Both of these options are already console defaults and have long been recommended as best practices. The options will become the default for buckets that are created using the S3 API, S3 CLI, the AWS SDKs, or AWS CloudFormation templates.

and

ACLs Disabled – The Bucket owner enforced setting will be enabled for newly created buckets, making bucket ACLs and object ACLs ineffective, and ensuring that the bucket owner is the object owner no matter who uploads the object. If you want to enable ACLs for a bucket, you can set the ObjectOwnership parameter to ObjectWriter in your CreateBucket request or you can call DeleteBucketOwnershipControls after you create the bucket. You will need s3:PutBucketOwnershipControls permission in order to use the parameter or to call the function; read Controlling Ownership of Objects and Creating a Bucket to learn more.

I believe we should improve the property validation in the L2 Bucket construct to give a better user experience.

For the CloudFront access log bucket, this works for me, as described in the blog post regarding ObjectOwnership, FYR:

import { RemovalPolicy } from 'aws-cdk-lib';
import * as s3 from 'aws-cdk-lib/aws-s3';

// ObjectWriter keeps ACLs enabled on the log bucket, which the linked
// CloudFront access-log documentation requires for log delivery.
const logBucket = new s3.Bucket(this, 'logBucket', {
  objectOwnership: s3.ObjectOwnership.OBJECT_WRITER,
  autoDeleteObjects: true,
  removalPolicy: RemovalPolicy.DESTROY,
});

ref: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html#AccessLogsBucketAndFileOwnership
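The validation pahud asks for can also be done before deployment, against the template `cdk synth` emits. The following Python lint is an added example for this page, not code from the thread or from the aws-cdk project. It models the two CreateBucket rejections seen above under the post-April-2023 defaults quoted from the blog post (ObjectOwnership defaults to BucketOwnerEnforced, Block Public Access defaults to fully on): an `AccessControl` ACL on a bucket whose effective ownership is BucketOwnerEnforced, and a public canned ACL while BlockPublicAcls is in effect. The sample template is constructed to mirror the bucket shapes in this thread (an access-log bucket with an ACL and no OwnershipControls; a PublicRead bucket with ObjectWriter but no PublicAccessBlockConfiguration) and is not real cdk.out output; the finding label `PublicAclWithBlockPublicAccess` is this example's own name for the second message, and treating the `Private` canned ACL as benign is an assumption of the example.

```python
"""Pre-deploy lint for AWS::S3::Bucket resources in a synthesized CloudFormation
template (e.g. the JSON that `cdk synth` writes to cdk.out/), modelling the two
CreateBucket rejections from this thread under the post-April-2023 S3 defaults.
"""
import json
import sys

# Canned ACLs that grant to the AllUsers / AuthenticatedUsers groups, which is
# what S3 Block Public Access treats as "public".
PUBLIC_ACLS = {"PublicRead", "PublicReadWrite", "AuthenticatedRead"}

# Finding labels: the first is S3's own error code from the issue; the second is
# a label chosen for this example (S3 only returns the message text quoted above).
ACL_WITH_OWNER_ENFORCED = "InvalidBucketAclWithObjectOwnership"
PUBLIC_ACL_WITH_BPA = "PublicAclWithBlockPublicAccess"


def object_ownership(props):
    """Effective ObjectOwnership: the template's rule, else the new default."""
    for rule in (props.get("OwnershipControls") or {}).get("Rules") or []:
        if "ObjectOwnership" in rule:
            return rule["ObjectOwnership"]
    return "BucketOwnerEnforced"


def blocks_public_acls(props):
    """True when BlockPublicAcls applies, explicitly or via the new default."""
    cfg = props.get("PublicAccessBlockConfiguration")
    if cfg is None:
        return True
    return bool(cfg.get("BlockPublicAcls", False))


def check_bucket(logical_id, props):
    """Return (logical_id, label, detail) findings for one bucket."""
    findings = []
    acl = props.get("AccessControl")
    # Assumption for this example: no ACL, or the default 'Private' canned ACL,
    # never trips either check; the thread's failures all involve other ACLs.
    if acl in (None, "Private"):
        return findings
    ownership = object_ownership(props)
    if ownership == "BucketOwnerEnforced":
        findings.append((logical_id, ACL_WITH_OWNER_ENFORCED,
                         f"AccessControl={acl} but ObjectOwnership is {ownership}; "
                         "set OwnershipControls to ObjectWriter or drop the ACL"))
    if acl in PUBLIC_ACLS and blocks_public_acls(props):
        findings.append((logical_id, PUBLIC_ACL_WITH_BPA,
                         f"public ACL {acl} while BlockPublicAcls is in effect; add "
                         "PublicAccessBlockConfiguration with BlockPublicAcls: false "
                         "only if the bucket really must be public"))
    return findings


def lint_template(template):
    """Run check_bucket over every AWS::S3::Bucket in a parsed template."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") == "AWS::S3::Bucket":
            findings.extend(check_bucket(logical_id, res.get("Properties") or {}))
    return findings


# Constructed sample (not real cdk.out output) with the bucket shapes from the thread.
SAMPLE_TEMPLATE = {
    "Resources": {
        # Reporter's access-log bucket: an ACL is present, OwnershipControls is not.
        "AccessLogsBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "AccessControl": "LogDeliveryWrite",
                "VersioningConfiguration": {"Status": "Enabled"},
            },
        },
        # Second attempt from the thread: ACLs re-enabled, public ACL still blocked.
        "PublicBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "AccessControl": "PublicRead",
                "OwnershipControls": {"Rules": [{"ObjectOwnership": "ObjectWriter"}]},
            },
        },
        # Both settings made explicit; only acceptable for a deliberately public bucket.
        "PublicBucketFixed": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "AccessControl": "PublicRead",
                "OwnershipControls": {"Rules": [{"ObjectOwnership": "ObjectWriter"}]},
                "PublicAccessBlockConfiguration": {
                    "BlockPublicAcls": False, "IgnorePublicAcls": False,
                    "BlockPublicPolicy": False, "RestrictPublicBuckets": False,
                },
            },
        },
        # No ACL at all: the recommended state, nothing to report.
        "PlainBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    }
}


if __name__ == "__main__":
    # Pass a template path (e.g. cdk.out/MyStack.template.json) or run on the sample.
    tpl = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    for logical_id, label, detail in lint_template(tpl):
        print(f"{logical_id}: {label}: {detail}")
```

On the sample, the access-log bucket is reported for the ACL/BucketOwnerEnforced conflict and the PublicRead bucket for the public ACL under Block Public Access, while the explicitly configured public bucket and the ACL-free bucket pass. Run it as a `cdk synth` post-step so the conflict surfaces before CloudFormation rolls the stack back.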

rittneje commented 1 year ago

@pahud I think you should pin this issue.


WealthBlockAI commented 1 year ago


> publicReadAccess: true,

I got the same message, but after sifting around the documentation for a while, found that this can be achieved with two calls (examples using NodeJS SDK)

  1. Create bucket with the Object Ownership set to Object Writer, but do NOT include any public read access or public ACLs. e.g. s3.createBucket({ Bucket: "my_bucket", ObjectOwnership: "ObjectWriter" })

  2. Make a second call to delete the PublicAccessBlock e.g. s3.deletePublicAccessBlock({ Bucket: "my_bucket" })

jstampleman commented 1 year ago

I'm an AWS noob, but the bottom line for me is that I'm getting these errors while following an AWS tutorial...

https://catalog.workshops.aws/complete-aws-sam/en-US/module-4-cicd/module-4-cicd-gh/50-sampipeinit

... is this something likely to be fixed? Or does someone need to update that tutorial?

0xdevalias commented 1 year ago

> https://catalog.workshops.aws/complete-aws-sam/en-US/module-4-cicd/module-4-cicd-gh/50-sampipeinit
>
> ... is this something likely to be fixed? Or does someone need to update that tutorial?

@jstampleman I didn't look too deeply into it, but my guess is that the tutorial (or the `sam pipeline init --bootstrap` code) will likely need to be updated (if it hasn't already been) to account for the changes needed in the CloudFormation template.

If it's still an issue, I would suggest searching the existing issues on the SAM CLI GitHub repo, and if a relevant one doesn't exist, then submitting a new issue for it there (potentially referring back to this issue if relevant):

pkit commented 10 months ago

This shitshow is amazing. Yes, all official AWS documents for CloudFormation still use the old syntax that fails to create anything. ALL OF THEM!