Access Denied on Deployment
hemanth-m19 opened this issue · 8 comments
Resource handler returned message: "Access Denied (Service: S3, Status Code: 403, Request ID:....)" when upgrading the CDK version from 2.68.0 to 2.100.0.
Resource Type - AWS::S3::BucketPolicy
Logical ID - avscanstackVirusDefsBucketPolicy6539E060
// Construct is created with no existing buckets passed in; the source bucket is created in the same stack.
const sc = new ServerlessClamscan(this, 'av-scan-stack', {});
this.inputBucket = new Bucket(this, 'av-scan-bucket', {
  autoDeleteObjects: true,
  removalPolicy: cdk.RemovalPolicy.DESTROY,
});
sc.addSourceBucket(this.inputBucket);
Is this the issue that you're seeing?
Yes, same CloudFormation error, and as you can see above I am not passing any existing S3 buckets to the construct; those were created in an earlier version of the CDK, and now that I have upgraded my CDK version and am trying to redeploy the same stack it is throwing this issue.
Seeing the exact same problem with CDK 2.110.0:
// Construct created with an imported source bucket and existing destinations for results and errors.
new ServerlessClamscan(this, 'VirusScanner', {
  buckets: [sourceBucket],
  onResult: destination,
  onError: destination,
  acceptResponsibilityForUsingImportedBucket: true,
});
Some further context: the construct was created before CDK version 2.100.0 and had been deploying successfully. Since CDK was updated to 2.110.0 the same construct fails to deploy.
That bucket policy has a statement on it that makes it immutable, except by the root user of the account.
That's a really odd permission to add to the bucket, and it needs further research into why that is happening.
Would it be possible to not make it immutable? Is there a reason behind making it immutable?
It's immutable to ensure that the ClamAV definition files are not tampered with.
Only the account root user has the ability to modify the bucket policy and could remove the policy that makes it immutable.
The other options are to remove the construct from the solution and add it again, or to diagnose why that permission is being added in the first place and remove it.
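As an added example (not code from this thread or from the construct), a small offline Python check that reports which Deny statements in a bucket policy would stop a given deploy principal from updating or deleting that policy, which is the situation described above where only the account root can change it. The policy document is constructed to model that root-only lock and uses a placeholder account id; it is not the construct's actual policy.

```python
import json

# Constructed sample policy modelling the behaviour described in the thread: a Deny
# on policy changes for everyone except the account root. It is NOT the policy the
# construct actually generates (that policy is not shown on the page).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowScannerRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/av-scan-lambda"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::virus-defs/*"},
        {"Sid": "LockPolicy", "Effect": "Deny", "Principal": "*",
         "Action": ["s3:PutBucketPolicy", "s3:DeleteBucketPolicy"],
         "Resource": "arn:aws:s3:::virus-defs",
         "Condition": {"ArnNotEquals": {"aws:PrincipalArn": "arn:aws:iam::111122223333:root"}}},
    ],
})
POLICY_WRITE_ACTIONS = {"s3:putbucketpolicy", "s3:deletebucketpolicy", "s3:*", "*"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_covered(stmt, principal_arn):
    """True if the statement's Principal element applies to principal_arn."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return True
    arns = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
    return "*" in arns or principal_arn in arns

def _principal_exempt(stmt, principal_arn):
    """True if an ArnNotEquals/StringNotEquals on aws:PrincipalArn carves the principal out."""
    cond = stmt.get("Condition", {})
    exempt = []
    for op in ("ArnNotEquals", "StringNotEquals"):
        exempt += _as_list(cond.get(op, {}).get("aws:PrincipalArn", []))
    return principal_arn in exempt

def policy_lock_statements(policy_json, principal_arn):
    """Sids of Deny statements that stop principal_arn from editing the bucket policy.
    An empty list means that principal (e.g. the CDK deploy role) can still update it."""
    locks = []
    for stmt in json.loads(policy_json).get("Statement", []):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if (stmt.get("Effect") == "Deny" and actions & POLICY_WRITE_ACTIONS
                and _principal_covered(stmt, principal_arn)
                and not _principal_exempt(stmt, principal_arn)):
            locks.append(stmt.get("Sid", "<no Sid>"))
    return locks
```

Running it against the policy fetched with `aws s3api get-bucket-policy` and the ARN of the role CloudFormation deploys with tells you which statement is behind the 403 before you decide whether to remove and re-add the construct.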
From having a quick look around, it seems that this needs to be configured on the VirusDefsBucket bucket:
  blockPublicAccess: BlockPublicAccess.BLOCK_ACLS,
  accessControl: BucketAccessControl.BUCKET_OWNER_FULL_CONTROL
It's immutable to ensure that the ClamAV definition files are not tampered with.
This is not a concern for our account, so it might be nice to have that configurable.
Thanks @dontirun,
Managed to resolve the problem by removing the construct from the stack and then adding it back, which seems to have effectively fixed the issue.