aws-data-lake-solution
Bug report: Unable to create "S3LoggingBucket" due to InvalidBucketAclWithObjectOwnership
Hello,
I'd like to report a bug in the Data Lake Solution v2.2. This can be found on the Service Catalog 'Getting started library', 'Data Lake on AWS'.
The CloudFormation stack fails to create the S3 bucket "S3LoggingBucket", with the following error:
Bucket cannot have ACLs set with ObjectOwnership's BucketOwnerEnforced setting (Service: Amazon S3; Status Code: 400; Error Code: InvalidBucketAclWithObjectOwnership).
Following is the code, which can also be found here - https://github.com/aws-solutions/aws-data-lake-solution/blob/main/deployment/data-lake-deploy.template#L471
```yaml
S3LoggingBucket:
  DeletionPolicy: Retain
  Type: AWS::S3::Bucket
  Metadata:
    cfn_nag:
      rules_to_suppress:
        - id: W35
          reason: "This S3 bucket is used as the destination for storing access logs"
        - id: W51
          reason: "The bucket is not public. When using the CF template in PROD, create a bucket policy to allow only administrators/ auditors access to the bucket"
  Properties:
    BucketName: !Join ["-", [!FindInMap ["SourceCode", "General", "SolutionName"], !Ref "AWS::AccountId", !Ref "AWS::Region", "s3-access-log"]]
    AccessControl: LogDeliveryWrite
    BucketEncryption:
      ServerSideEncryptionConfiguration:
        - ServerSideEncryptionByDefault:
            SSEAlgorithm: AES256
    PublicAccessBlockConfiguration:
      BlockPublicAcls: true
      BlockPublicPolicy: true
      IgnorePublicAcls: true
      RestrictPublicBuckets: true
```
Issue: Because ACLs are enabled (AccessControl: LogDeliveryWrite), Object Ownership must be set to "Bucket owner preferred". It can be added with the following property:

```yaml
OwnershipControls:
  Rules:
    - ObjectOwnership: BucketOwnerPreferred
```
"AccessControl" is actually a legacy property and is no longer recommended for most use cases, except in unusual circumstances where you must control access for each object individually.
Therefore, if the AccessControl property is disabled, Object Ownership defaults to "Bucket owner enforced". If we remove the "AccessControl" property, the resource is created successfully.
Hope this is helpful! Thank you.
References:
- https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html#cfn-s3-bucket-accesscontrol
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html
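The conflict described above can be caught before deployment with a small template check. The following is an added example written for this page; it is neither the reporter's code nor part of the aws-data-lake-solution. It assumes the template is rendered as JSON (CloudFormation accepts JSON as well as YAML, and this keeps the check dependency-free), that a bucket with no `OwnershipControls` gets S3's current default of `BucketOwnerEnforced`, and that the `Private` canned ACL is the only one S3 accepts alongside `BucketOwnerEnforced`. The constructed templates mirror the `S3LoggingBucket` resource as shipped and both fixes proposed in the report.

```python
import json

# Canned ACLs that grant something to a principal other than the bucket owner
# (the log-delivery group, in the case of LogDeliveryWrite). Creating a bucket
# with one of these while ObjectOwnership is BucketOwnerEnforced is rejected
# with InvalidBucketAclWithObjectOwnership, the error seen in this issue.
ACLS_THAT_REQUIRE_ACLS_ENABLED = frozenset({
    "PublicRead", "PublicReadWrite", "AuthenticatedRead", "AwsExecRead",
    "BucketOwnerRead", "BucketOwnerFullControl", "LogDeliveryWrite",
})

# Assumption: a bucket created without OwnershipControls gets S3's current
# default, BucketOwnerEnforced (ACLs disabled).
DEFAULT_OBJECT_OWNERSHIP = "BucketOwnerEnforced"


def effective_object_ownership(props):
    """Return the ObjectOwnership value a bucket resource will be created with."""
    for rule in props.get("OwnershipControls", {}).get("Rules", []):
        if "ObjectOwnership" in rule:
            return rule["ObjectOwnership"]
    return DEFAULT_OBJECT_OWNERSHIP


def find_acl_ownership_conflicts(template):
    """Return (logical_id, message) for every AWS::S3::Bucket whose canned ACL
    S3 would reject under the bucket's effective ObjectOwnership."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::S3::Bucket":
            continue
        props = resource.get("Properties", {})
        acl = props.get("AccessControl")
        if acl not in ACLS_THAT_REQUIRE_ACLS_ENABLED:
            continue  # no ACL, or Private, which BucketOwnerEnforced implies anyway
        ownership = effective_object_ownership(props)
        if ownership == "BucketOwnerEnforced":
            findings.append((
                logical_id,
                f"AccessControl: {acl} conflicts with ObjectOwnership {ownership}; "
                "add OwnershipControls with BucketOwnerPreferred, or drop AccessControl "
                "and grant the log delivery service access via a bucket policy",
            ))
    return findings


def lint_template_json(text):
    """Lint a CloudFormation template supplied as a JSON string."""
    return find_acl_ownership_conflicts(json.loads(text))


def _logging_bucket(extra_props):
    """Constructed JSON rendering of the issue's S3LoggingBucket resource.
    The solution name is a placeholder; the real template reads it from a mapping."""
    props = {
        "BucketName": {"Fn::Join": ["-", ["data-lake", {"Ref": "AWS::AccountId"},
                                          {"Ref": "AWS::Region"}, "s3-access-log"]]},
        "BucketEncryption": {"ServerSideEncryptionConfiguration": [
            {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
        "PublicAccessBlockConfiguration": {
            "BlockPublicAcls": True, "BlockPublicPolicy": True,
            "IgnorePublicAcls": True, "RestrictPublicBuckets": True},
    }
    props.update(extra_props)
    return json.dumps({"Resources": {"S3LoggingBucket": {
        "Type": "AWS::S3::Bucket", "DeletionPolicy": "Retain", "Properties": props}}})


# As shipped: canned ACL with no OwnershipControls, so S3 rejects the CreateBucket call.
BROKEN_TEMPLATE = _logging_bucket({"AccessControl": "LogDeliveryWrite"})

# Fix 1 from the report: keep the ACL and explicitly re-enable ACLs on the bucket.
FIXED_WITH_OWNERSHIP = _logging_bucket({
    "AccessControl": "LogDeliveryWrite",
    "OwnershipControls": {"Rules": [{"ObjectOwnership": "BucketOwnerPreferred"}]},
})

# Fix 2 from the report: remove the legacy AccessControl property entirely.
FIXED_WITHOUT_ACL = _logging_bucket({})

if __name__ == "__main__":
    for label, template in [("as shipped", BROKEN_TEMPLATE),
                            ("BucketOwnerPreferred fix", FIXED_WITH_OWNERSHIP),
                            ("AccessControl removed", FIXED_WITHOUT_ACL)]:
        print(label, lint_template_json(template))
```

Note that the second fix only makes the stack create cleanly; with ACLs disabled, the `LogDeliveryWrite` grant no longer exists, so the source bucket's server access logs will not be delivered until the logging bucket's policy allows `s3:PutObject` for the `logging.s3.amazonaws.com` service principal. The first fix keeps the ACL-based grant working at the cost of leaving ACLs enabled on the bucket.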