awslabs / cdk-serverless-clamscan

Apache License 2.0

Access Denied on Deployment #1056

Open hemanth-m19 opened 8 months ago

hemanth-m19 commented 8 months ago

Resource handler returned message: "Access Denied (Service: S3, Status Code: 403, Request ID:....)" when I upgraded the CDK version from 2.68.0 to 2.100.0.

Resource Type - AWS::S3::BucketPolicy
Logical ID - avscanstackVirusDefsBucketPolicy6539E060

```typescript
const sc = new ServerlessClamscan(this, 'av-scan-stack', {});
this.inputBucket = new Bucket(this, 'av-scan-bucket', {
    autoDeleteObjects: true,
    removalPolicy: cdk.RemovalPolicy.DESTROY
});
sc.addSourceBucket(this.inputBucket);
```

dontirun commented 8 months ago

Is this the issue that you're seeing?

hemanth-m19 commented 8 months ago

> Is this the issue that you're seeing?

Yes, same CloudFormation error, and as you can see above I am not passing any existing S3 buckets to the construct; those were created in an earlier version of the CDK, and now that I have upgraded my CDK version and am trying to redeploy the same stack it is throwing this issue.

Mikoz93 commented 6 months ago

Seeing the exact same problem with CDK 2.110.0:

```typescript
new ServerlessClamscan(this, 'VirusScanner', {
    buckets: [sourceBucket],
    onResult: destination,
    onError: destination,
    acceptResponsibilityForUsingImportedBucket: true,
});
```

Some further context: The construct was created before CDK 2.100.0 version and has been deploying successfully. Since CDK was updated to 2.110.0 the same construct fails to deploy.

This is the policy update that CDK tries to apply:

dontirun commented 6 months ago

That bucket policy has a statement on it that makes it immutable, except by the root user of the account.

That's a really odd permission to add to the bucket and needs further research into why that is happening.

Mikoz93 commented 6 months ago

Would it be possible to not make it immutable? Is there a reason behind making it immutable?

dontirun commented 6 months ago

It's immutable to ensure that the ClamAV definition files are not tampered with.

Only the account root user has the ability to modify the bucket policy and could remove the policy that makes it immutable.

The other options are to remove the construct from the solution and add it again, or to diagnose why that permission is being added in the first place and remove it.
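To diagnose the situation described above before touching the stack, it helps to look at the actual bucket policy document (what `GetBucketPolicy` returns) and find any Deny statement that blocks policy changes for everyone except the account root user. The following is an added example, not code from cdk-serverless-clamscan or from anyone in this thread; the sample policy, the Sid names, the account ID and the role/bucket names in it are constructed for illustration, and the construct's real statement may be shaped differently.

```typescript
// Added example (not part of cdk-serverless-clamscan): detect Deny statements in an
// S3 bucket policy that lock the policy itself so that only the account root can
// change it. Such a statement explains a 403 on AWS::S3::BucketPolicy updates made
// by the CloudFormation deployment role.

type Condition = Record<string, Record<string, string | string[]>>;

interface Statement {
  Sid?: string;
  Effect: "Allow" | "Deny";
  Principal?: string | { AWS?: string | string[]; Service?: string | string[] };
  Action: string | string[];
  Resource?: string | string[];
  Condition?: Condition;
}

interface PolicyDocument {
  Version: string;
  Statement: Statement[];
}

interface PolicyLock {
  sid: string;
  exemptPrincipals: string[]; // principals still allowed to change the policy
  rootOnly: boolean;          // true when the only exemption is the account root
}

function asArray<T>(v: T | T[] | undefined): T[] {
  return v === undefined ? [] : Array.isArray(v) ? v : [v];
}

// Actions that change or remove a bucket policy (and the wildcard that covers them).
const POLICY_WRITE_ACTIONS = new Set(["s3:putbucketpolicy", "s3:deletebucketpolicy", "s3:*"]);

function appliesToAllPrincipals(p: Statement["Principal"]): boolean {
  if (p === "*") return true;
  if (typeof p === "object" && p !== null) return asArray(p.AWS).includes("*");
  return false;
}

// Principals carved out of a Deny through negated aws:PrincipalArn conditions.
function exemptPrincipalArns(cond: Condition | undefined): string[] {
  if (!cond) return [];
  const out: string[] = [];
  for (const [operator, keys] of Object.entries(cond)) {
    if (!/^(Arn|String)Not(Equals|Like)/i.test(operator)) continue;
    for (const [key, value] of Object.entries(keys)) {
      if (key.toLowerCase() === "aws:principalarn") out.push(...asArray(value));
    }
  }
  return out;
}

function findPolicyLocks(doc: PolicyDocument, accountId: string): PolicyLock[] {
  const rootArn = `arn:aws:iam::${accountId}:root`;
  const locks: PolicyLock[] = [];
  doc.Statement.forEach((st, i) => {
    if (st.Effect !== "Deny") return;
    const actions = asArray(st.Action).map((a) => a.toLowerCase());
    if (!actions.some((a) => POLICY_WRITE_ACTIONS.has(a))) return;
    if (!appliesToAllPrincipals(st.Principal)) return;
    const exempt = exemptPrincipalArns(st.Condition);
    locks.push({
      sid: st.Sid ?? `statement[${i}]`,
      exemptPrincipals: exempt,
      rootOnly: exempt.length === 1 && exempt[0] === rootArn,
    });
  });
  return locks;
}

function describeLocks(doc: PolicyDocument, accountId: string): string[] {
  return findPolicyLocks(doc, accountId).map((l) =>
    l.rootOnly
      ? `${l.sid}: policy changes denied to everyone but the account root; deploy roles will get 403 on bucket policy updates`
      : `${l.sid}: policy changes denied except for [${l.exemptPrincipals.join(", ") || "nobody"}]`,
  );
}

// Constructed sample policy (account ID, Sids, role and bucket names are made up).
const SAMPLE_ACCOUNT_ID = "111111111111";
const SAMPLE_POLICY: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [
    { Sid: "AllowScannerRead", Effect: "Allow",
      Principal: { AWS: "arn:aws:iam::111111111111:role/ExampleScannerRole" },
      Action: ["s3:GetObject"], Resource: "arn:aws:s3:::example-virus-defs-bucket/*" },
    { Sid: "DenyInsecureTransport", Effect: "Deny", Principal: "*", Action: "s3:PutObject",
      Resource: "arn:aws:s3:::example-virus-defs-bucket/*",
      Condition: { Bool: { "aws:SecureTransport": "false" } } },
    { Sid: "LockPolicyToRoot", Effect: "Deny", Principal: "*",
      Action: ["s3:PutBucketPolicy", "s3:DeleteBucketPolicy"],
      Resource: "arn:aws:s3:::example-virus-defs-bucket",
      Condition: { ArnNotEquals: { "aws:PrincipalArn": "arn:aws:iam::111111111111:root" } } },
  ],
};

console.log(describeLocks(SAMPLE_POLICY, SAMPLE_ACCOUNT_ID).join("\n"));
```

Run against a real policy by feeding the parsed `GetBucketPolicy` output and your account ID into `findPolicyLocks`; a `rootOnly` hit confirms that a normal deploy role cannot update the policy, which leaves the two paths named in this thread: the root user edits the policy, or the construct is removed and re-added so the bucket is recreated.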

Mikoz93 commented 5 months ago

From having a quick look around, it seems that this needs to be configured on the VirusDefsBucket bucket:

```typescript
blockPublicAccess: BlockPublicAccess.BLOCK_ACLS,
accessControl: BucketAccessControl.BUCKET_OWNER_FULL_CONTROL
```

> It's immutable to ensure that the ClamAV definition files are not tampered with.

This is not a concern for our account, so it might be nice to have that configurable.

hemanth-m19 commented 2 months ago

Thanks @dontirun,

Managed to resolve the problem by removing the construct from the stack and then adding it back, which seems to have effectively fixed the issue.