SCP: BucketOwnerEnforced issue
dannysteenman opened this issue · 3 comments
I've implemented and activated the SCP on my accounts as suggested in the docs: https://github.com/awsdocs/amazon-s3-userguide/blob/main/doc_source/ensure-object-ownership.md#disabling-acls-for-all-new-buckets-bucket-owner-enforced
However when I try to create an S3 bucket with CloudFormation where I enforce: "ObjectOwnership": "BucketOwnerEnforced", CloudFormation gets the following error:
CREATE_FAILED | API: s3:CreateBucket Access Denied
Here is the resource:
"trainingLogs1BCCC4D1": {
  "Type": "AWS::S3::Bucket",
  "Properties": {
    "OwnershipControls": {
      "Rules": [
        {
          "ObjectOwnership": "BucketOwnerEnforced"
        }
      ]
    }
  },
  "UpdateReplacePolicy": "Retain",
  "DeletionPolicy": "Retain"
},
What am I missing? If I create the same bucket through the console with bucket owner enforced, the resource gets created successfully.
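As an added illustration (not part of the original issue, and not a finding the thread reaches), the following Python models how the SCP from the linked AWS docs page evaluates an s3:CreateBucket call. The policy document is reconstructed from that docs page (the Sid is an assumption); the three request contexts are constructed here, not captured from AWS. The point it demonstrates is the IAM rule for negated operators: StringNotEquals matches when the condition key is absent from the request, so a CreateBucket call that does not carry the s3:x-amz-object-ownership value is denied, exactly as one that carries the wrong value is. Whether a given tool sends that header on CreateBucket, or sets ownership in a separate call afterwards, is an assumption about request shape that the thread does not establish.

```python
"""Added example: evaluate the BucketOwnerEnforced SCP against CreateBucket
request contexts. Not code from the issue, the AWS docs repo, or CloudFormation."""
import json

# SCP reconstructed from the linked AWS S3 user guide section
# ("Disabling ACLs for all new buckets"). Sid is an assumption.
BUCKET_OWNER_ENFORCED_SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RequireBucketOwnerEnforced",
      "Action": "s3:CreateBucket",
      "Effect": "Deny",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-object-ownership": "BucketOwnerEnforced"
        }
      }
    }
  ]
}
""")

# Constructed request contexts (assumptions about what each caller sends;
# none of these were captured from a real API call):
HEADER_PRESENT = {"s3:x-amz-object-ownership": "BucketOwnerEnforced"}
HEADER_MISSING = {}  # e.g. CreateBucket first, ownership applied in a later call
WRONG_VALUE = {"s3:x-amz-object-ownership": "ObjectWriter"}


def condition_matches(operator, key, expected, context):
    """Evaluate one single-valued string condition the way IAM does.

    StringEquals: a missing key never matches.
    StringNotEquals (negated operator): a missing key DOES match, which is
    what lets a Deny fire on a CreateBucket call that omits the header.
    """
    actual = context.get(key)
    if operator == "StringEquals":
        return actual is not None and actual == expected
    if operator == "StringNotEquals":
        return actual is None or actual != expected
    raise ValueError(f"unsupported operator {operator}")


def scp_allows(policy, action, context):
    """Return (allowed, reason).

    An SCP is a guardrail: a Deny statement whose Action and every
    Condition match the request blocks it. If no Deny matches, the SCP
    does not block the call (IAM policies still have to grant it).
    """
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if stmt["Effect"] != "Deny" or action not in actions:
            continue
        conds = [
            (op, key, expected)
            for op, pairs in stmt.get("Condition", {}).items()
            for key, expected in pairs.items()
        ]
        if all(condition_matches(op, k, v, context) for op, k, v in conds):
            key = "s3:x-amz-object-ownership"
            return False, f"denied by {stmt.get('Sid')}: {key}={context.get(key)!r}"
    return True, "no matching Deny"


if __name__ == "__main__":
    for name, ctx in [("header present", HEADER_PRESENT),
                      ("header missing", HEADER_MISSING),
                      ("wrong value", WRONG_VALUE)]:
        allowed, reason = scp_allows(BUCKET_OWNER_ENFORCED_SCP, "s3:CreateBucket", ctx)
        print(f"{name:15} -> {'ALLOW' if allowed else 'DENY '} ({reason})")
```

The stack event in the issue only says "Access Denied"; to learn which of the three shapes above a real CreateBucket call took, the CloudTrail record for that call (its requestParameters and errorCode) is the place to look, not describe-stack-events.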
First of all, apologies for the delayed response. I'm sorry to hear that you are having this issue. I just tested this out, and I was able to create a new bucket using the AWS::S3::Bucket OwnershipControlsRule example in our AWS CloudFormation documentation.
If you run the following CLI command for the stack, do you see more details about why the create failed?
aws cloudformation describe-stack-events --stack-name "full-stack-arn" --output json --query 'sort_by(StackEvents[], &Timestamp)[*].{Status: ResourceStatus, Reason: ResourceStatusReason, Stack: StackName, TimeStamp: Timestamp}'
@lincolahanbeck no this was the only event that was mentioned
CREATE_FAILED | API: s3:CreateBucket Access Denied
But did you deploy the stack while having the SCP enabled on the account? Can you confirm that the properties are right in my template, or am I missing something?
Closing this issue or pull request in advance of archiving this repo. For more information about the decision to archive this repo (and others in the 'awsdocs' org), see the announcement on the AWS News Blog.