awslabs/cdk-serverless-clamscan

Access Denied on Deployment

hemanth-m19 opened this issue · 8 comments

Resource handler returned message: "Access Denied (Service: S3, Status Code: 403, Request ID:....)" when upgrading the CDK version from 2.68.0 to 2.100.0.

Resource Type - AWS::S3::BucketPolicy
Logical ID - avscanstackVirusDefsBucketPolicy6539E060

const sc = new ServerlessClamscan(this, 'av-scan-stack', {});
this.inputBucket = new Bucket(this, 'av-scan-bucket', {
    autoDeleteObjects: true,
    removalPolicy: cdk.RemovalPolicy.DESTROY
});
sc.addSourceBucket(this.inputBucket);

Is this the issue that you're seeing?

> Is this the issue that you're seeing?

Yes, same CloudFormation error, and as you can see above I am not passing any existing S3 buckets to the construct; those were created in an earlier version of the CDK, and now that I have upgraded my CDK version and am trying to redeploy the same stack, it is throwing this issue.

Seeing the exact same problem with CDK 2.110.0:
[screenshot of the CloudFormation error]

new ServerlessClamscan(this, 'VirusScanner', {
    buckets: [sourceBucket],
    onResult: destination,
    onError: destination,
    acceptResponsibilityForUsingImportedBucket: true,
});

Some further context: The construct was created before CDK 2.100.0 version and has been deploying successfully. Since CDK was updated to 2.110.0 the same construct fails to deploy.

This is the policy update that CDK tries to apply:
[screenshot of the bucket policy update]

That bucket policy has a statement on it that makes it immutable, except by the root user of the account.

That's a really odd permission to add to the bucket, and it needs further research into why that is happening.

Would it be possible to not make it immutable? Is there a reason behind making it immutable?

It's immutable to ensure that the ClamAV definition files are not tampered with.

Only the account root user has the ability to modify the bucket policy and could remove the policy that makes it immutable.

The other options are to remove the construct from the solution and add it again, or to diagnose why that permission is being added in the first place and remove it.
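The comments above describe a bucket policy with a Deny statement that blocks changes to the policy itself for everyone but the account root user. Before deciding whether to tear the construct down or re-apply the policy as root, it helps to confirm from the live policy document exactly which statement locks it and who is exempt. The following script is an added example written for this thread, not code from cdk-serverless-clamscan; the embedded policy is a constructed sample whose statement names, account ID and condition shape are assumptions, not the statement the construct actually emits. It accepts any bucket policy JSON, so it can be pointed at the real VirusDefs bucket policy.

```python
"""Find bucket-policy statements that deny PutBucketPolicy/DeleteBucketPolicy
to everyone and report which principals (if any) are exempted by a condition.

Added example for the thread; policy shape below is constructed, not the
statement that cdk-serverless-clamscan emits.
"""
import fnmatch
import json
import re

# Constructed sample: an Allow for a scanner role plus a "lockout" Deny that
# only the account root can bypass. Account ID and ARNs are placeholders.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowScannerRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/av-scan-role"},
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::virus-defs-bucket/*",
        },
        {
            "Sid": "LockPolicy",
            "Effect": "Deny",
            "Principal": "*",
            "Action": ["s3:PutBucketPolicy", "s3:DeleteBucketPolicy"],
            "Resource": "arn:aws:s3:::virus-defs-bucket",
            "Condition": {
                "ArnNotEquals": {"aws:PrincipalArn": "arn:aws:iam::123456789012:root"}
            },
        },
    ],
}

# Actions that, once denied, prevent the policy from being changed or removed.
MUTATING_ACTIONS = ("s3:PutBucketPolicy", "s3:DeleteBucketPolicy")
# Condition operators that carve principals OUT of a Deny (negated matches).
EXEMPT_OPERATORS = ("ArnNotEquals", "ArnNotLike", "StringNotEquals", "StringNotLike")
PRINCIPAL_KEYS = ("aws:principalarn", "aws:principalaccount", "aws:userid")
ROOT_ARN = re.compile(r"^arn:aws(?:-[a-z]+)?:iam::\d{12}:root$")


def _as_list(value):
    """IAM allows scalars or lists almost everywhere; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _denied_mutating_actions(actions):
    """Expand action patterns (IAM actions are case-insensitive, '*' wildcards)."""
    denied = set()
    for pattern in actions:
        for target in MUTATING_ACTIONS:
            if fnmatch.fnmatchcase(target.lower(), str(pattern).lower()):
                denied.add(target)
    return sorted(denied)


def _applies_to_everyone(principal):
    """True for Principal "*" or {"AWS": "*"} (possibly inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _exempt_principals(condition):
    """Principals excluded from the Deny via a negated principal condition."""
    exempt = []
    for operator, pairs in (condition or {}).items():
        if not operator.startswith(EXEMPT_OPERATORS):
            continue
        for key, values in pairs.items():
            if key.lower() in PRINCIPAL_KEYS:
                exempt.extend(str(v) for v in _as_list(values))
    return exempt


def find_lockout_statements(policy):
    """Return every Deny statement that blocks policy changes for all principals."""
    hits = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        denied = _denied_mutating_actions(_as_list(stmt.get("Action")))
        if not denied or not _applies_to_everyone(stmt.get("Principal")):
            continue
        hits.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "denied_actions": denied,
            "exempt_principals": _exempt_principals(stmt.get("Condition")),
        })
    return hits


def is_root_only_lockout(policy):
    """True when the only way to change the policy is as the account root user."""
    hits = find_lockout_statements(policy)
    return bool(hits) and all(
        h["exempt_principals"] and all(ROOT_ARN.match(p) for p in h["exempt_principals"])
        for h in hits
    )


if __name__ == "__main__":
    print(json.dumps(find_lockout_statements(SAMPLE_POLICY), indent=2))
    print("root-only lockout:", is_root_only_lockout(SAMPLE_POLICY))
```

To run it against a real bucket, feed the output of `aws s3api get-bucket-policy --bucket <name> --query Policy --output text` through `json.loads` and pass the result to `find_lockout_statements`. An empty `exempt_principals` list on a hit means nobody, not even root, is carved out by a condition (root is still not blocked by a resource policy Deny that names `Principal: "*"` only when an explicit exemption exists, so that case is worth flagging separately).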

From having a quick look around, it seems that this needs to be configured on the VirusDefsBucket bucket:

blockPublicAccess: BlockPublicAccess.BLOCK_ACLS,
accessControl: BucketAccessControl.BUCKET_OWNER_FULL_CONTROL

> It's immutable to ensure that the ClamAV definition files are not tampered with.

This is not a concern for our account, so it might be nice to have that configurable.

Thanks @dontirun,

Managed to resolve the problem by removing the construct from the stack and then adding it back, which seems to have effectively fixed the issue.