Access Denied on Deployment #1056
Comments
Is this the issue that you're seeing?

Yes, same CloudFormation error. And as you can see above, I am not passing any existing S3 buckets to the construct; those were created in an earlier version of the CDK, and now that I have upgraded my CDK version and am trying to redeploy the same stack, it is throwing this issue.

That bucket policy has a statement on it that makes it immutable, except by the root user of the account. That's a really odd permission to add to the bucket and needs further research into why that is happening.

Would it be possible to not make it immutable? Is there a reason behind making it immutable?

It's immutable to ensure that the ClamAV definition files are not tampered with. Only the account root user has the ability to modify the bucket policy and could remove the policy that makes it immutable. The other options are to remove the construct from the solution and add it again, or to diagnose why that permission is being added in the first place and remove it.
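As an added illustration of the diagnosis suggested in the comment above (this is not code from the construct or from anyone in the thread), the script below scans a bucket policy document for Deny statements that block s3:PutBucketPolicy / s3:DeleteBucketPolicy for every principal except the account root. The sample policy is constructed for the example, and the action and condition shapes it looks for are assumptions about how such a lock is typically written; the policy the construct actually attaches is not quoted in the issue.

```python
import json
POLICY_WRITE_ACTIONS = {"s3:putbucketpolicy", "s3:deletebucketpolicy"}
NEGATED_OPS = ("stringnotequals", "stringnotlike", "arnnotequals", "arnnotlike")

def _as_list(value):  # IAM fields may be scalar or list; normalise to a list
    return [] if value is None else (value if isinstance(value, list) else [value])

def _touches_policy_write(action: str) -> bool:
    a = action.lower()
    if a in ("*", "s3:*"):
        return True
    if a.endswith("*"):  # prefix wildcard such as s3:Put*
        return any(w.startswith(a[:-1]) for w in POLICY_WRITE_ACTIONS)
    return a in POLICY_WRITE_ACTIONS

def _applies_to_everyone(principal) -> bool:
    return principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))

def _exempts_only_root(condition) -> bool:
    """True when a negated condition on aws:PrincipalArn names only the account root."""
    for op, keys in (condition or {}).items():
        if not op.lower().startswith(NEGATED_OPS):
            continue
        for key, vals in keys.items():
            vals = _as_list(vals)
            if key.lower() == "aws:principalarn" and vals and all(v.endswith(":root") for v in vals):
                return True
    return False

def find_policy_lock_statements(policy_json: str) -> list:
    """Sids of Deny statements that stop everyone but root from changing the bucket policy."""
    doc = json.loads(policy_json)
    hits = []
    for i, st in enumerate(_as_list(doc.get("Statement"))):
        if (st.get("Effect") == "Deny"
                and any(_touches_policy_write(a) for a in _as_list(st.get("Action")))
                and _applies_to_everyone(st.get("Principal"))
                and _exempts_only_root(st.get("Condition"))):
            hits.append(st.get("Sid", f"Statement[{i}]"))
    return hits

# Constructed sample policy (account id and names are placeholders, not from the issue).
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowScanRead", "Effect": "Allow", "Action": "s3:GetObject",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/scan-role"},
     "Resource": "arn:aws:s3:::virus-defs-example/*"},
    {"Sid": "LockPolicy", "Effect": "Deny", "Principal": "*",
     "Action": ["s3:PutBucketPolicy", "s3:DeleteBucketPolicy"],
     "Resource": "arn:aws:s3:::virus-defs-example",
     "Condition": {"ArnNotEquals": {"aws:PrincipalArn": "arn:aws:iam::123456789012:root"}}}]})
```

Running `find_policy_lock_statements(SAMPLE_POLICY)` returns `['LockPolicy']`; a deploying role other than root that hits such a statement gets the same 403 on AWS::S3::BucketPolicy that the issue reports.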
From having a quick look around, it seems that this needs to be configured on the

    blockPublicAccess: BlockPublicAccess.BLOCK_ACLS,
    accessControl: BucketAccessControl.BUCKET_OWNER_FULL_CONTROL

This is not a concern for our account, so it might be nice to have that configurable.

Thanks @dontirun, managed to resolve the problem by removing the construct from the stack and then adding it back, which seems to have effectively fixed the issue.
Resource handler returned message: "Access Denied (Service: S3, Status Code: 403, Request ID:....)" when I upgraded the CDK version from 2.68.0 to 2.100.0.

Resource Type - AWS::S3::BucketPolicy
Logical ID - avscanstackVirusDefsBucketPolicy6539E060