
[BUG] CustomControlTowerS3AccessLogsBucket Failed to create

Open lance-udasco opened this issue 2 years ago • 1 comment

Describe the bug

During deployment of the SRA, the sra-common-cfct-setup-main-rCFCTStack fails to create the CustomControlTowerS3AccessLogsBucket S3 bucket with the following status reason:

Bucket cannot have ACLs set with ObjectOwnership's BucketOwnerEnforced setting (Service: Amazon S3; Status Code: 400; Error Code: InvalidBucketAclWithObjectOwnership; Request ID: 3W9T4XC5BMANRPD0; S3 Extended Request ID: MNT1YCGt9SxEK/P2U4ubMZ9XoLETKhnkkJXWFTmsnu/o+rYSBd1ZZDzR1BXP/JGVdy6SlPbGmJc=; Proxy: null)

To Reproduce

I download and stage the SRA solution: https://github.com/aws-samples/aws-security-reference-architecture-examples/blob/main/aws_sra_examples/docs/DOWNLOAD-AND-STAGE-SOLUTIONS.md#download-the-sra-examples-code-from-github

I deploy the prerequisites: https://github.com/aws-samples/aws-security-reference-architecture-examples/tree/main/aws_sra_examples/solutions/common/common_prerequisites#implementation-instructions

I run step 1 of the implementation instructions: https://github.com/aws-samples/aws-security-reference-architecture-examples/tree/main/aws_sra_examples/solutions/common/common_cfct_setup

aws cloudformation deploy --template-file $HOME/aws-sra-examples/aws_sra_examples/solutions/common/common_cfct_setup/templates/sra-common-cfct-setup-main.yaml --stack-name sra-common-cfct-setup-main --capabilities CAPABILITY_NAMED_IAM

lance-udasco avatar Jul 18 '23 18:07 lance-udasco

Had the same problem, stems from this: https://aws.amazon.com/about-aws/whats-new/2022/12/amazon-s3-automatically-enable-block-public-access-disable-access-control-lists-buckets-april-2023/

The SRA deployment file in your S3 for sra-staging-XXXXXXXXXXXX-Region/sra-common-cfct-setup/templates/customizations-for-aws-control-tower.template is still at v2.5.3 and the current release is at v2.6.0 which resolves your problem.

Workaround - Simply download the v2.6.0 from CFCT, rename it with a version, upload to the SRA staging bucket, and then append your last deploy template - sra-common-cfct-setup-main.yaml to the new version:

TemplateURL: !Sub https://${pSRAStagingS3BucketName}.s3.${AWS::Region}.${AWS::URLSuffix}/${pSRASolutionName}/templates/customizations-for-aws-control-tower-v2.6.0.template

The Stacks should then deploy as desired BUT should definitely be controlled at SRA Source

sbrown-tecracer avatar Jul 20 '23 10:07 sbrown-tecracer
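The failure above is the generic S3 conflict between a canned bucket ACL (set through the CloudFormation AccessControl property) and ObjectOwnership of BucketOwnerEnforced, which since April 2023 is also the default when OwnershipControls is omitted. The following is an added example, not code from the SRA or CfCT projects: a small pre-deployment check that scans a CloudFormation template (already parsed into a dict) for AWS::S3::Bucket resources that would fail with InvalidBucketAclWithObjectOwnership, and a remediation that drops the ACL and instead grants the server access logging service principal s3:PutObject through a bucket policy. The template fragment in the block is constructed to reproduce the failure mode and does not reflect the contents of the real customizations-for-aws-control-tower template; the policy resource name derived from the bucket's logical id is an assumption of this example.

```python
"""Pre-deploy check for the S3 'ACL with BucketOwnerEnforced' conflict (added example)."""
from __future__ import annotations

import copy
from typing import Any

# Canned ACLs that S3 still accepts once ObjectOwnership is BucketOwnerEnforced.
ACLS_ALLOWED_WITH_BUCKET_OWNER_ENFORCED = {"Private", "BucketOwnerFullControl"}
# Default ObjectOwnership for new buckets since April 2023 when OwnershipControls is omitted.
DEFAULT_OBJECT_OWNERSHIP = "BucketOwnerEnforced"


def object_ownership(props: dict[str, Any]) -> str:
    """Return the effective ObjectOwnership setting for a bucket's Properties."""
    rules = (props.get("OwnershipControls") or {}).get("Rules") or []
    for rule in rules:
        if rule.get("ObjectOwnership"):
            return rule["ObjectOwnership"]
    return DEFAULT_OBJECT_OWNERSHIP


def find_acl_conflicts(template: dict[str, Any]) -> list[dict[str, Any]]:
    """List AWS::S3::Bucket resources whose AccessControl ACL S3 would reject at creation."""
    findings = []
    for logical_id, resource in (template.get("Resources") or {}).items():
        if resource.get("Type") != "AWS::S3::Bucket":
            continue
        props = resource.get("Properties") or {}
        acl = props.get("AccessControl")
        ownership = object_ownership(props)
        if acl and acl not in ACLS_ALLOWED_WITH_BUCKET_OWNER_ENFORCED and ownership == "BucketOwnerEnforced":
            findings.append({
                "resource": logical_id,
                "acl": acl,
                "object_ownership": ownership,
                # False means the conflict comes from the service default, not an explicit setting.
                "ownership_declared": "OwnershipControls" in props,
            })
    return findings


def remediate_log_bucket(template: dict[str, Any], logical_id: str) -> dict[str, Any]:
    """Return a copy of the template with the ACL removed and a log-delivery bucket policy added.

    With ACLs disabled, server access logging is authorised by granting the
    logging.s3.amazonaws.com service principal s3:PutObject on the bucket.
    The policy's logical id (<bucket id>Policy) is an assumption of this example.
    """
    fixed = copy.deepcopy(template)
    props = fixed["Resources"][logical_id].setdefault("Properties", {})
    props.pop("AccessControl", None)
    props["OwnershipControls"] = {"Rules": [{"ObjectOwnership": "BucketOwnerEnforced"}]}
    fixed["Resources"][logical_id + "Policy"] = {
        "Type": "AWS::S3::BucketPolicy",
        "Properties": {
            "Bucket": {"Ref": logical_id},
            "PolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [{
                    "Sid": "S3ServerAccessLogsPolicy",
                    "Effect": "Allow",
                    "Principal": {"Service": "logging.s3.amazonaws.com"},
                    "Action": "s3:PutObject",
                    "Resource": {"Fn::Join": ["", [{"Fn::GetAtt": [logical_id, "Arn"]}, "/*"]]},
                    # Limit delivery to logs originating from this account.
                    "Condition": {"StringEquals": {"aws:SourceAccount": {"Ref": "AWS::AccountId"}}},
                }],
            },
        },
    }
    return fixed


# Constructed template fragment reproducing the failure mode; not the real CfCT template.
FAILING_TEMPLATE: dict[str, Any] = {
    "Resources": {
        "CustomControlTowerS3AccessLogsBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "AccessControl": "LogDeliveryWrite",          # canned ACL ...
                "OwnershipControls": {"Rules": [{"ObjectOwnership": "BucketOwnerEnforced"}]},  # ... with ACLs disabled
                "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "BlockPublicPolicy": True,
                                                   "IgnorePublicAcls": True, "RestrictPublicBuckets": True},
            },
        },
        # Plain bucket: no ACL, so the BucketOwnerEnforced default is harmless.
        "PipelineBucket": {"Type": "AWS::S3::Bucket", "Properties": {"VersioningConfiguration": {"Status": "Enabled"}}},
        # ACLs explicitly kept enabled (ObjectWriter), so the ACL is accepted.
        "LegacyLogBucket": {"Type": "AWS::S3::Bucket", "Properties": {
            "AccessControl": "LogDeliveryWrite",
            "OwnershipControls": {"Rules": [{"ObjectOwnership": "ObjectWriter"}]}}},
    }
}

if __name__ == "__main__":
    for finding in find_acl_conflicts(FAILING_TEMPLATE):
        print(f"{finding['resource']}: AccessControl={finding['acl']} conflicts with "
              f"ObjectOwnership={finding['object_ownership']} (declared={finding['ownership_declared']})")
    fixed = remediate_log_bucket(FAILING_TEMPLATE, "CustomControlTowerS3AccessLogsBucket")
    print("conflicts after remediation:", find_acl_conflicts(fixed))
```

Running the check over a staged template before `aws cloudformation deploy` surfaces the conflict locally instead of as a failed stack event; note that a bucket with no OwnershipControls at all is still flagged when it carries a non-private ACL, because the service default now disables ACLs.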