giantswarm / roadmap

Giant Swarm Product Roadmap
https://github.com/orgs/giantswarm/projects/273
Apache License 2.0

Amazon S3 changed default settings for S3 Block Public Access and Object Ownership (ACLs disabled) for all new S3 buckets. #2384

Closed T-Kukawka closed 1 year ago

T-Kukawka commented 1 year ago

Following an error on a new testing cluster:

"caller":"github.com/giantswarm/micrologger@v1.0.0/logger.go:88","controller":"aws-operator-cluster-controller","event":"update","function":"ApplyCreateChange","level":"error","loop":"0","message":"retrying due to error","object":"org-giantswarm/u6uv7","resource":"s3bucket","stack":{"annotation":"AccessControlListNotSupported: The bucket does not allow ACLs\n\tstatus code: 400, request id: 2HX13PN6F9HNFMF9, host id: LCp9B+J84XlbjocmBr1wCCojMlL40tNRxvNza9detqGFjLPzJGzebw1GbFBTjdHdOfMemHI0ZWk=","kind":"unknown","stack":[{"file":"/root/project/service/controller/resource/s3bucket/create.go","line":81},"file":"/go/pkg/mod/github.com/giantswarm/operatorkit/v7@v7.1.0/pkg/resource/wrapper/retryresource/crud_resource.go","line":154}]},"time":"2023-04-24T11:16:24.993106+00:00","version":"1093124964"}
{"caller":"github.com/giantswarm/micrologger@v1.0.0/logger.go:66","controller":"aws-operator-cluster-controller","event":"update","function":"ApplyCreateChange","level":"debug","loop":"0","message":"creating S3 bucket `107744613923-g8s-u6uv7-access-logs`","object":"org-giantswarm/u6uv7","resource":"s3bucket","time":"2023-04-24T11:16:25.993345+00:00","version":"1093124964"}

We have found out that:

Starting in April 2023, Amazon S3 will change the default settings for S3 Block Public Access and Object Ownership (ACLs disabled) for all new S3 buckets. For new buckets created after this update, all S3 Block Public Access settings will be enabled, and S3 access control lists (ACLs) will be disabled. These defaults are the recommended best practices for securing data in Amazon S3. You can adjust these settings after creating your bucket. For more information, see Default settings for new S3 buckets FAQ and Heads-Up: Amazon S3 Security Changes Are Coming in April of 2023 in the AWS News Blog.

More info: https://aws.amazon.com/blogs/aws/heads-up-amazon-s3-security-changes-are-coming-in-april-of-2023/

T-Kukawka commented 1 year ago

This will require changes in all used aws-operators

njuettner commented 1 year ago

For now 18.4.0 and 19.0.0-beta1 are patched. aws-operator should now be able to create S3 buckets, however we need to inform all customers that they would also need to update their IAM policies for aws-operator again and add s3:PutBucketOwnershipControls to make it work.

I retagged GiantswarmAWSOperator Policy in giantswarm-aws-account-prerequisites. I also updated AWSOperator IAM policy manually in gaia, gauss and giraffe.
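The comment above says every customer's aws-operator IAM policy now needs the `s3:PutBucketOwnershipControls` action. A practical way to find accounts that still run the old policy is to diff the policy document against the actions the operator needs. The following Go program is an added example and not aws-operator's own code or the GiantswarmAWSOperator policy: the two policy documents are constructed samples, the `RequiredActions` list is an assumption made for illustration (the real list is whatever the operator release calls), and the matcher handles only `Allow` statements and `Action` globs, ignoring `Deny`, `NotAction`, `Resource` and `Condition`.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Statement is the subset of an IAM policy statement this check needs.
// IAM allows Action to be a single string or a list, so it is kept raw.
type Statement struct {
	Effect string          `json:"Effect"`
	Action json.RawMessage `json:"Action"`
}

// Policy is the top level of an IAM policy document.
type Policy struct {
	Statement []Statement `json:"Statement"`
}

// OldPolicy is a constructed sample in the shape of an operator policy
// written before the S3 default change (no PutBucketOwnershipControls).
const OldPolicy = `{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:CreateBucket", "s3:PutBucketAcl", "s3:PutBucketLogging"], "Resource": "*"},
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}
  ]
}`

// PatchedPolicy is the same constructed sample with the action the
// comment above says must be added.
const PatchedPolicy = `{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:CreateBucket", "s3:PutBucketAcl", "s3:PutBucketLogging", "s3:PutBucketOwnershipControls"], "Resource": "*"},
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}
  ]
}`

// RequiredActions is an assumed list for this example; the real set is
// whatever the operator release actually calls.
var RequiredActions = []string{"s3:CreateBucket", "s3:PutBucketAcl", "s3:PutBucketOwnershipControls"}

// actionStrings normalises the Action field into a slice.
func actionStrings(raw json.RawMessage) ([]string, error) {
	var one string
	if err := json.Unmarshal(raw, &one); err == nil {
		return []string{one}, nil
	}
	var many []string
	if err := json.Unmarshal(raw, &many); err != nil {
		return nil, err
	}
	return many, nil
}

// matchAction reports whether an IAM action pattern such as "s3:Put*",
// "s3:*" or "*" grants the concrete action. IAM action names are
// case-insensitive, and "*" is an anchored glob over the whole string.
func matchAction(pattern, action string) bool {
	p, a := strings.ToLower(pattern), strings.ToLower(action)
	if !strings.Contains(p, "*") {
		return p == a
	}
	parts := strings.Split(p, "*")
	if !strings.HasPrefix(a, parts[0]) {
		return false
	}
	a = a[len(parts[0]):]
	for _, mid := range parts[1 : len(parts)-1] { // pieces between wildcards, in order
		i := strings.Index(a, mid)
		if i < 0 {
			return false
		}
		a = a[i+len(mid):]
	}
	return strings.HasSuffix(a, parts[len(parts)-1])
}

// MissingActions returns every required action that no Allow statement
// in the policy grants. Deny, NotAction, Resource and Condition are not
// evaluated, so a nil result means "not obviously missing", not "allowed".
func MissingActions(policyJSON string, required []string) ([]string, error) {
	var pol Policy
	if err := json.Unmarshal([]byte(policyJSON), &pol); err != nil {
		return nil, err
	}
	var granted []string
	for _, st := range pol.Statement {
		if st.Effect != "Allow" {
			continue
		}
		acts, err := actionStrings(st.Action)
		if err != nil {
			return nil, err
		}
		granted = append(granted, acts...)
	}
	var missing []string
	for _, req := range required {
		found := false
		for _, g := range granted {
			if matchAction(g, req) {
				found = true
				break
			}
		}
		if !found {
			missing = append(missing, req)
		}
	}
	return missing, nil
}

func main() {
	for name, doc := range map[string]string{"old": OldPolicy, "patched": PatchedPolicy} {
		missing, err := MissingActions(doc, RequiredActions)
		if err != nil {
			fmt.Println(name, "policy: parse error:", err)
			continue
		}
		fmt.Printf("%s policy: missing actions %v\n", name, missing)
	}
}
```

Run against a policy pulled with `aws iam get-policy-version`, the old sample reports `s3:PutBucketOwnershipControls` as missing and the patched one reports nothing. A wildcard such as `s3:Put*` would also satisfy the check, which is why the matcher is glob-aware rather than doing a plain string comparison.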

T-Kukawka commented 1 year ago

We will move on with 18.2.2 and 18.3.1

T-Kukawka commented 1 year ago

closing, will add to the scope of all relevant releases