Closed melinaschweizer closed 1 year ago
we are facing this issue as well:
import * as s3 from 'aws-cdk-lib/aws-s3';
import { RemovalPolicy } from 'aws-cdk-lib';

// Public-read bucket granted through a bucket ACL; this is the shape that now
// fails with InvalidBucketAclWithObjectOwnership on newly created buckets.
this.bucket = new s3.Bucket(this, 'Bucket', {
  autoDeleteObjects: true,
  removalPolicy: RemovalPolicy.DESTROY,
  bucketName: `bucket-name`,
  publicReadAccess: true,
  accessControl: s3.BucketAccessControl.PUBLIC_READ,
});
edit:
following this https://aws.amazon.com/blogs/aws/heads-up-amazon-s3-security-changes-are-coming-in-april-of-2023/, I managed to generate a new error, "Bucket cannot have public ACLs set with BlockPublicAccess enabled":
// Same bucket with ACLs explicitly re-enabled through ObjectOwnership; it now
// fails instead with the "public ACLs ... BlockPublicAccess" error quoted above.
this.bucket = new s3.Bucket(this, 'Bucket', {
  autoDeleteObjects: true,
  removalPolicy: RemovalPolicy.DESTROY,
  bucketName: `bucket-name`,
  publicReadAccess: true,
  objectOwnership: s3.ObjectOwnership.OBJECT_WRITER,
  accessControl: s3.BucketAccessControl.PUBLIC_READ,
});
...but there seems to be no way to remove the BlockPublicAccess config
Hi folks, for me, the solution that worked was adding the following to both buckets:
xxxxxxxx_bucket = s3.Bucket(
    ...
    object_ownership=s3.ObjectOwnership.OBJECT_WRITER,
)
According to the blog post announcement:
Once the changes are in effect for a target Region, all newly created buckets in the Region will by default have S3 Block Public Access enabled and access control lists (ACLs) disabled. Both of these options are already console defaults and have long been recommended as best practices. The options will become the default for buckets that are created using the S3 API, S3 CLI, the AWS SDKs, or AWS CloudFormation templates.
and
ACLs Disabled – The Bucket owner enforced setting will be enabled for newly created buckets, making bucket ACLs and object ACLs ineffective, and ensuring that the bucket owner is the object owner no matter who uploads the object. If you want to enable ACLs for a bucket, you can set the ObjectOwnership parameter to ObjectWriter in your CreateBucket request or you can call DeleteBucketOwnershipControls after you create the bucket. You will need s3:PutBucketOwnershipControls permission in order to use the parameter or to call the function; read Controlling Ownership of Objects and Creating a Bucket to learn more.
I believe we should improve the property validation in the L2 Bucket construct to give a better user experience.
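Added example, not code from the CDK or from this issue: a small pre-deploy lint that encodes the two rules from the quoted announcement and runs them over a parsed CloudFormation template, flagging the bucket combinations that now fail at CreateBucket, and a rewrite that gets public read through a bucket policy so that neither an ACL nor a relaxed BlockPublicAcls is needed. The sample template, the function names, and the assumption that a key left out of an explicit PublicAccessBlockConfiguration means false are mine.

```python
"""Pre-deploy lint for the S3 default changes quoted above (added example; the
sample template and function names are constructed here, not from the CDK or
the issue).  Flags the two combinations S3 now rejects at CreateBucket:
  1. non-private AccessControl with ObjectOwnership BucketOwnerEnforced (the
     new default)            -> InvalidBucketAclWithObjectOwnership
  2. public AccessControl with BlockPublicAcls true (the default when
     PublicAccessBlockConfiguration is omitted)
and rewrites a PublicRead-by-ACL bucket as PublicRead-by-bucket-policy so no
ACL and no relaxed BlockPublicAcls is needed.
"""
from __future__ import annotations
import json
from typing import Any

# Block Public Access treats grants to AllUsers or AuthenticatedUsers as public.
PUBLIC_ACLS = {"PublicRead", "PublicReadWrite", "AuthenticatedRead"}


def object_ownership(props: dict[str, Any]) -> str:
    """ObjectOwnership in effect; new buckets default to BucketOwnerEnforced."""
    rules = props.get("OwnershipControls", {}).get("Rules", [])
    return rules[0].get("ObjectOwnership", "BucketOwnerEnforced") if rules else "BucketOwnerEnforced"


def blocks_public_acls(props: dict[str, Any]) -> bool:
    """BlockPublicAcls in effect: true whenever the configuration is omitted."""
    cfg = props.get("PublicAccessBlockConfiguration")
    if cfg is None:
        return True
    return bool(cfg.get("BlockPublicAcls", False))  # assumption: unset key means false


def lint_bucket(logical_id: str, props: dict[str, Any]) -> list[str]:
    """One finding per rejected combination; empty list if the bucket will create."""
    findings: list[str] = []
    acl = props.get("AccessControl", "Private")
    if acl != "Private" and object_ownership(props) == "BucketOwnerEnforced":
        findings.append(f"{logical_id}: AccessControl={acl} needs ObjectOwnership ObjectWriter or "
                        "BucketOwnerPreferred (InvalidBucketAclWithObjectOwnership)")
    if acl in PUBLIC_ACLS and blocks_public_acls(props):
        findings.append(f"{logical_id}: public ACL {acl} is rejected while BlockPublicAcls is true "
                        "(default when PublicAccessBlockConfiguration is omitted)")
    return findings


def lint_template(template: dict[str, Any]) -> list[str]:
    out: list[str] = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") == "AWS::S3::Bucket":
            out.extend(lint_bucket(logical_id, res.get("Properties", {})))
    return out


def public_read_without_acls(logical_id: str, props: dict[str, Any]) -> dict[str, Any]:
    """Return {bucket, bucket policy} resources giving anonymous read by policy only.

    ACLs stay disabled and BlockPublicAcls stays on; only BlockPublicPolicy and
    RestrictPublicBuckets are relaxed, so the one public grant lives in the policy.
    """
    bucket = {k: v for k, v in props.items() if k != "AccessControl"}
    bucket["OwnershipControls"] = {"Rules": [{"ObjectOwnership": "BucketOwnerEnforced"}]}
    bucket["PublicAccessBlockConfiguration"] = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                                "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
    statement = {"Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject", "Resource": {"Fn::Sub": f"${{{logical_id}.Arn}}/*"}}
    policy = {"Type": "AWS::S3::BucketPolicy",
              "Properties": {"Bucket": {"Ref": logical_id},
                             "PolicyDocument": {"Version": "2012-10-17", "Statement": [statement]}}}
    return {logical_id: {"Type": "AWS::S3::Bucket", "Properties": bucket},
            f"{logical_id}Policy": policy}


# Constructed sample: the thread's public-read bucket, plus a log bucket that already
# opts into ACLs with ObjectWriter (LogDeliveryWrite is not a public ACL).
SAMPLE_TEMPLATE: dict[str, Any] = {"Resources": {
    "Bucket": {"Type": "AWS::S3::Bucket",
               "Properties": {"BucketName": "bucket-name", "AccessControl": "PublicRead"}},
    "LogBucket": {"Type": "AWS::S3::Bucket",
                  "Properties": {"AccessControl": "LogDeliveryWrite",
                                 "OwnershipControls": {"Rules": [{"ObjectOwnership": "ObjectWriter"}]}}},
}}

if __name__ == "__main__":
    for finding in lint_template(SAMPLE_TEMPLATE):
        print("REJECTED:", finding)
    fixed = public_read_without_acls("Bucket", SAMPLE_TEMPLATE["Resources"]["Bucket"]["Properties"])
    assert lint_template({"Resources": fixed}) == []
    print(json.dumps(fixed, indent=2))
```

Running it reports both findings for Bucket and none for LogBucket, then prints the policy-based replacement, which lints clean. The CDK equivalent of that replacement is publicReadAccess: true together with blockPublicAccess: s3.BlockPublicAccess.BLOCK_ACLS (no accessControl, no objectOwnership). Two caveats: account-level Block Public Access, if enabled, still overrides the bucket-level settings, and the ObjectWriter route from the thread only works once BlockPublicAcls is also turned off, which widens the surface beyond the single policy statement.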
For the CloudFront access log bucket, this works for me, as described in the blog post regarding ObjectOwnership.
FYR:
import * as s3 from 'aws-cdk-lib/aws-s3';
import { RemovalPolicy } from 'aws-cdk-lib';

// CloudFront standard logging writes with ACLs, so the log bucket must keep
// ACLs enabled; ObjectWriter opts out of the new BucketOwnerEnforced default.
const logBucket = new s3.Bucket(this, 'logBucket', {
  objectOwnership: s3.ObjectOwnership.OBJECT_WRITER,
  autoDeleteObjects: true,
  removalPolicy: RemovalPolicy.DESTROY,
});
@pahud I think you should pin this issue.
Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.
I got the same message, but after sifting around the documentation for a while, found that this can be achieved with two calls (examples using NodeJS SDK)
Create bucket with the Object Ownership set to Object Writer, but do NOT include any public read access or public ACLs. e.g. s3.createBucket({ Bucket: "my_bucket", ObjectOwnership: "ObjectWriter" })
Make a second call to delete the PublicAccessBlock e.g. s3.deletePublicAccessBlock({ Bucket: "my_bucket" })
I'm an AWS noob, but the bottom line for me is that I'm getting these errors while following an AWS tutorial...
https://catalog.workshops.aws/complete-aws-sam/en-US/module-4-cicd/module-4-cicd-gh/50-sampipeinit
... is this something likely to be fixed? Or does someone need to update that tutorial?
@jstampleman I didn't look too deeply into it, but my guess is that the tutorial (or the sam pipeline init --bootstrap code) will likely need to be updated (if it hasn't already been) to account for the changes needed in the CloudFormation template.
If it's still an issue, I would suggest searching the existing issues on the SAM CLI GitHub repo, and if a relevant one doesn't exist, then submitting a new issue for it there (potentially referring back to this issue if relevant):
This shitshow is amazing. Yes, all official AWS documents for CloudFormation still use the old syntax that fails to create anything. ALL OF THEM!
Describe the bug
Deployed S3 bucket last week into account A without issues and this week it fails on account B with "Bucket cannot have ACLs set with ObjectOwnership's BucketOwnerEnforced setting (Service: Amazon S3; Status Code: 400; Error Code: InvalidBucketAclWithObjectOwnership; Request ID: K97VC1M7Z0YY14A5; S3 Extended Request ID: DZGiUrXpLClhwp+7nOjoGocVx15FGQCQd6V0NGXk/YSJ3n/OTZWOIg5sNZGagfs7T0wWX2hPw6M=; Proxy: null)". Perhaps the announcement https://www.helpnetsecurity.com/2023/02/07/amazon-s3-bucket-security/ is the reason.
Expected Behavior
I expected the buckets to be created without issue, since this worked last week.
Current Behavior
TERMINAL Output: The bucket creation fails with "1:43:11 PM | CREATE_FAILED | AWS::S3::Bucket | Servicesxxxcsvaccesslogstsm07305C09 Bucket cannot have ACLs set with ObjectOwnership's BucketOwnerEnforced setting (Service: Amazon S3; Status Code: 400; Error Code: InvalidBucketAclWithObjectOwnership; Request ID: K97VC1M7Z0YY14A5; S3 Extended Request ID: DZGiUrXpLClhwp+7nOjoGocVx15FGQCQd6V0NGXk/YSJ3n/OTZWOIg5sNZGagfs7T0wWX2hPw6M=; Proxy: null)"
Reproduction Steps
Possible Solution
No response
Additional Information/Context
No response
CDK CLI Version
2.76.0 (build 78c411b)
Framework Version
No response
Node.js Version
v19.8.1
OS
macos
Language
Python
Language Version
Python 3.9.6
Other information
No response