thinknimble / tn-aws-cloud-formations

A cloud formation for adding new aws s3 buckets for projects

AWS changed rules/behavior for ACL #1

Open oudeismetis opened 1 year ago

oudeismetis commented 1 year ago

Currently, following the vanilla instructions in this repo will throw an error.

Error you'll get:

You'll see a ROLLBACK_COMPLETE on your bucket creation status when running aws cloudformation describe-stacks. If you poke around on cloudformation on the AWS console you'll find this error:

Bucket cannot have ACLs set with ObjectOwnership's BucketOwnerEnforced setting (Service: Amazon S3; Status Code: 400; Error Code: InvalidBucketAclWithObjectOwnership

Hotfix:

Remove AccessControl: PublicRead

Better fix:

We need to research and update our access control settings as AWS has changed things to make things "easier".

Resources/Context:

Starting in April 2023, Amazon S3 will change the default settings for S3 Block Public Access and Object Ownership (ACLs disabled) for all new S3 buckets. For new buckets created after this update, all S3 Block Public Access settings will be enabled, and S3 access control lists (ACLs) will be disabled. These defaults are the recommended best practices for securing data in Amazon S3. You can adjust these settings after creating your bucket. For more information, see Default settings for new S3 buckets FAQ and Heads-Up: Amazon S3 Security Changes Are Coming in April of 2023 in the AWS News Blog.

https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html
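A pre-deploy check for the conflict described in the comment above: it walks a CloudFormation template and flags an `AccessControl` ACL on a bucket whose Object Ownership is (or defaults to) BucketOwnerEnforced, plus the related case of a public bucket policy that the default Block Public Access settings would reject. This is an added example, not code from this repository or from the issue author; the template dicts (CloudFormation's JSON form), the `ProjectBucket` / `ProjectBucketPolicy` logical IDs and the `example-project-assets` bucket name are constructed for illustration, and the "ACLs disabled unless the template says otherwise" assumption encodes the post-April-2023 default quoted from the AWS docs.

```python
"""Pre-deploy check for the S3 ACL / Object Ownership conflict from this issue.

Added example; not code from the tn-aws-cloud-formations repo. Templates are
plain dicts in CloudFormation's JSON form (json.dumps(template) is a valid
template body). All sample templates, logical IDs and bucket names below are
constructed for illustration.
"""

# Canned ACLs that grant access outside the bucket owner's account.
PUBLIC_ACLS = {"PublicRead", "PublicReadWrite", "AuthenticatedRead"}
ACLS_DISABLED = {"Rules": [{"ObjectOwnership": "BucketOwnerEnforced"}]}


def bucket_ownership(props):
    """ObjectOwnership for a bucket, or the post-April-2023 default
    (BucketOwnerEnforced, i.e. ACLs disabled) when the template omits it."""
    for rule in props.get("OwnershipControls", {}).get("Rules", []):
        if "ObjectOwnership" in rule:
            return rule["ObjectOwnership"]
    return "BucketOwnerEnforced"  # assumption: bucket created after April 2023


def block_public_policy(props):
    """BlockPublicPolicy as it will apply; new buckets default it to true."""
    return props.get("PublicAccessBlockConfiguration", {}).get("BlockPublicPolicy", True)


def is_public_statement(stmt):
    """Allow statement whose principal is anyone (what a public-read ACL did)."""
    principal = stmt.get("Principal")
    return stmt.get("Effect") == "Allow" and principal in ("*", {"AWS": "*"})


def check_template(template):
    """Return (logical_id, message) findings for bucket settings that would
    make a stack roll back on a bucket with today's S3 defaults."""
    resources = template.get("Resources", {})
    buckets = {name: res.get("Properties", {}) for name, res in resources.items()
               if res.get("Type") == "AWS::S3::Bucket"}
    findings = []
    for name, props in buckets.items():
        acl = props.get("AccessControl")
        if acl and acl != "Private" and bucket_ownership(props) == "BucketOwnerEnforced":
            findings.append((name, f"AccessControl: {acl} with ObjectOwnership "
                             "BucketOwnerEnforced fails with InvalidBucketAclWithObjectOwnership; "
                             "remove AccessControl and grant access with a bucket policy"))
        elif acl in PUBLIC_ACLS:
            findings.append((name, f"AccessControl: {acl} is a public canned ACL; "
                             "BlockPublicAcls (true by default on new buckets) rejects it. "
                             "Prefer BucketOwnerEnforced plus a bucket policy"))
    for name, res in resources.items():
        if res.get("Type") != "AWS::S3::BucketPolicy":
            continue
        props = res.get("Properties", {})
        bucket_ref = props.get("Bucket")
        target = bucket_ref.get("Ref") if isinstance(bucket_ref, dict) else None
        statements = props.get("PolicyDocument", {}).get("Statement", [])
        if (target in buckets and any(is_public_statement(s) for s in statements)
                and block_public_policy(buckets[target])):
            findings.append((name, "public bucket policy while BlockPublicPolicy is true "
                             "(the default); set BlockPublicPolicy and RestrictPublicBuckets "
                             "to false on the bucket, or make the policy non-public"))
    return findings


def public_access_block(block_policy=True):
    """All four Block Public Access flags; only the policy-related pair is
    relaxed when a public bucket policy is intended."""
    return {"BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": block_policy, "RestrictPublicBuckets": block_policy}


def bucket_template(bucket_props, policy_statements=None):
    """Constructed minimal template: one bucket (ProjectBucket) and, optionally,
    a bucket policy attached to it by Ref."""
    resources = {"ProjectBucket": {"Type": "AWS::S3::Bucket", "Properties": bucket_props}}
    if policy_statements:
        resources["ProjectBucketPolicy"] = {
            "Type": "AWS::S3::BucketPolicy",
            "Properties": {"Bucket": {"Ref": "ProjectBucket"},
                           "PolicyDocument": {"Version": "2012-10-17",
                                              "Statement": policy_statements}}}
    return {"AWSTemplateFormatVersion": "2010-09-09", "Resources": resources}


# The shape that now rolls back: an ACL on a bucket whose ownership defaults
# to BucketOwnerEnforced.
BROKEN_TEMPLATE = bucket_template({"BucketName": "example-project-assets",
                                   "AccessControl": "PublicRead"})

# The hotfix from the issue made explicit: ACLs disabled, all public access blocked.
PRIVATE_TEMPLATE = bucket_template({"BucketName": "example-project-assets",
                                    "OwnershipControls": ACLS_DISABLED,
                                    "PublicAccessBlockConfiguration": public_access_block()})

# Only if objects really must be world-readable: replace the ACL with a bucket
# policy and relax just the two policy-related block settings.
PUBLIC_READ_STATEMENT = {"Sid": "PublicReadObjects", "Effect": "Allow", "Principal": "*",
                         "Action": "s3:GetObject",
                         "Resource": {"Fn::Sub": "arn:aws:s3:::${ProjectBucket}/*"}}
PUBLIC_READ_TEMPLATE = bucket_template(
    {"BucketName": "example-project-assets", "OwnershipControls": ACLS_DISABLED,
     "PublicAccessBlockConfiguration": public_access_block(block_policy=False)},
    [PUBLIC_READ_STATEMENT])

if __name__ == "__main__":
    for label, tpl in [("broken", BROKEN_TEMPLATE), ("private", PRIVATE_TEMPLATE),
                       ("public-read", PUBLIC_READ_TEMPLATE)]:
        print(label, check_template(tpl) or "ok")
```

Running the script prints one finding for the broken template (the same InvalidBucketAclWithObjectOwnership condition the stack events show) and "ok" for the other two. The check only reads template structure, so it can run in CI before `aws cloudformation deploy` rather than after a ROLLBACK_COMPLETE; for a YAML template, load it into a dict with a YAML parser that understands the CloudFormation short-form tags and pass the result to `check_template`.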

whusterj commented 3 months ago

Have we resolved this issue? I think the configs are still working fine.

cc: @paribaker