aws-samples
fix(template.yaml): enable ACLs on cloudfront logging bucket and add bucket policy
Description of changes: This Pull Request updates the configuration for the S3 bucket used to store CloudFront access logs. The changes ensure compatibility with AWS’s 2023 updates, where ACLs are disabled by default on new S3 buckets.
Without these updates, the stack no longer deploys, as it shows the following error:
Invalid request provided: AWS::CloudFront::Distribution:The S3 bucket that you specified for CloudFront logs does not enable ACL access:
Changes Introduced:
- Enable ACLs:
- Added ObjectOwnership: BucketOwnerPreferred to ensure all objects in the bucket are owned by the bucket owner, regardless of the uploader. This enables the ACLs on the bucket.
- Access Control:
- Added AccessControl: LogDeliveryWrite to allow CloudFront to write access logs to the bucket.
- Bucket Policy:
- Granted s3:PutObject permissions to the cloudfront.amazonaws.com service principal for log delivery.
- Granted s3:GetBucketAcl and s3:PutBucketAcl permissions to cloudfront.amazonaws.com to manage ACLs as required.
Reference:
- AWS Documentation on the required configuration for CloudFront access logs with the new defaults: Access Logs - Bucket and File Ownership
- Blog Announcement about the S3 ACLs being disabled by default: Heads-Up: Amazon S3 Security Changes Are Coming in April of 2023
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
I've run into the error Invalid request provided: AWS::CloudFront::Distribution:The S3 bucket that you specified for CloudFront logs does not enable ACL access and tried deploying this branch and still get the same error during deployment.
