
Access Denied on Deployment #1056

Open
hemanth-m19 opened this issue Dec 15, 2023 · 8 comments

Comments

@hemanth-m19

Resource handler returned message: "Access Denied (Service: S3, Status Code: 403, Request ID:....)" when upgrading the CDK version from 2.68.0 to 2.100.0.

Resource Type - AWS::S3::BucketPolicy
Logical ID - avscanstackVirusDefsBucketPolicy6539E060

```ts
import * as cdk from 'aws-cdk-lib';
import { Bucket } from 'aws-cdk-lib/aws-s3';
import { ServerlessClamscan } from 'cdk-serverless-clamscan';

// Inside the stack constructor: create the scanner, then a new input bucket, then register it.
const sc = new ServerlessClamscan(this, 'av-scan-stack', {});
this.inputBucket = new Bucket(this, 'av-scan-bucket', {
    autoDeleteObjects: true,
    removalPolicy: cdk.RemovalPolicy.DESTROY
});
sc.addSourceBucket(this.inputBucket);
```

@dontirun
Contributor

Is this the issue that you're seeing?

@hemanth-m19
Author

hemanth-m19 commented Dec 17, 2023

> Is this the issue that you're seeing?

Yes, the same CloudFormation error, and as you can see above I am not passing any existing S3 buckets to the construct; those were created in an earlier version of the CDK, and now that I have upgraded my CDK version and am trying to redeploy the same stack it is throwing this issue.

@mikoz93

mikoz93 commented Mar 2, 2024

Seeing the exact same problem with CDK 2.110.0:
[screenshot of the CloudFormation error, not reproduced]

```ts
import { ServerlessClamscan } from 'cdk-serverless-clamscan';

// sourceBucket and destination are defined elsewhere in the stack.
new ServerlessClamscan(this, 'VirusScanner', {
    buckets: [sourceBucket],
    onResult: destination,
    onError: destination,
    acceptResponsibilityForUsingImportedBucket: true,
});
```

Some further context: The construct was created before CDK 2.100.0 version and has been deploying successfully. Since CDK was updated to 2.110.0 the same construct fails to deploy.

This is the policy update that CDK tries to apply:
[screenshot of the bucket policy diff, not reproduced]

@dontirun
Contributor

dontirun commented Mar 2, 2024

That bucket policy has a statement on it that makes it immutable, except by the root user of the account.

That's a really odd permission to add to the bucket and needs further research into why that is happening.

@mikoz93

mikoz93 commented Mar 4, 2024

Would it be possible to not make it immutable? Is there a reason behind making it immutable?

@dontirun
Contributor

dontirun commented Mar 4, 2024

It's immutable to ensure that the ClamAV definition files are not tampered with.

Only the account root user has the ability to modify the bucket policy and could remove the policy that makes it immutable.

The other options are to remove the construct from the solution and add it again, or to diagnose why that permission is being added in the first place and remove it.
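As a diagnostic for the situation dontirun describes above (a Deny statement that leaves only the account root able to change the bucket policy, so the CloudFormation execution role that CDK deploys with gets a 403 on the `AWS::S3::BucketPolicy` update), the following checker finds such lock statements in a bucket policy document and reports who is still exempt. This is an added example, not code from the cdk-serverless-clamscan project or from anyone in this thread; the sample policy, account id, bucket name and role ARNs are constructed placeholders, not the real policy from the screenshots, and the `Condition` shape it also recognises (`StringNotEquals` on `aws:PrincipalArn`) is an assumption about how such a lock might alternatively be written.

```python
import json

# Constructed sample bucket policy (NOT the policy from the thread's screenshots):
# one Allow for the scanning role, plus a Deny that blocks bucket-policy changes
# by any principal other than the account root. Account id and names are placeholders.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowDefsRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/placeholder-scan-role"},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::placeholder-defs-bucket",
                "arn:aws:s3:::placeholder-defs-bucket/*",
            ],
        },
        {
            "Sid": "DenyPolicyChangesExceptRoot",
            "Effect": "Deny",
            "NotPrincipal": {"AWS": "arn:aws:iam::123456789012:root"},
            "Action": ["s3:PutBucketPolicy", "s3:DeleteBucketPolicy"],
            "Resource": "arn:aws:s3:::placeholder-defs-bucket",
        },
    ],
}

# Actions CloudFormation needs when it updates or deletes an AWS::S3::BucketPolicy.
POLICY_MUTATION_ACTIONS = {"s3:putbucketpolicy", "s3:deletebucketpolicy"}


def load_policy(text):
    """Parse either a bare policy document or the `aws s3api get-bucket-policy`
    wrapper, whose "Policy" field is a JSON-encoded string."""
    doc = json.loads(text)
    if isinstance(doc, dict) and isinstance(doc.get("Policy"), str):
        doc = json.loads(doc["Policy"])
    return doc


def _as_list(value):
    """IAM policy JSON allows either a scalar or a list in most fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _covers_policy_mutation(action):
    """True if an Action entry (possibly ending in a wildcard) matches a policy-mutation action."""
    a = action.lower()
    if a.endswith("*"):
        return any(m.startswith(a[:-1]) for m in POLICY_MUTATION_ACTIONS)
    return a in POLICY_MUTATION_ACTIONS


def _exempt_principals(stmt):
    """Principals a Deny leaves alone: NotPrincipal, or StringNotEquals on aws:PrincipalArn (assumed shape)."""
    exempt = []
    not_principal = stmt.get("NotPrincipal")
    if isinstance(not_principal, dict):
        exempt += _as_list(not_principal.get("AWS"))
    elif not_principal is not None:
        exempt += _as_list(not_principal)
    cond = stmt.get("Condition", {}).get("StringNotEquals", {})
    for key, val in cond.items():
        if key.lower() == "aws:principalarn":
            exempt += _as_list(val)
    return exempt


def find_lock_statements(policy):
    """Return [(Sid, exempt_principals)] for Deny statements that block changes to the bucket policy."""
    locks = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        if not any(_covers_policy_mutation(a) for a in _as_list(stmt.get("Action"))):
            continue
        locks.append((stmt.get("Sid", "<no Sid>"), _exempt_principals(stmt)))
    return locks


def can_update_policy(policy, caller_arn):
    """False when a lock statement denies caller_arn; CloudFormation would then get a 403 on update."""
    return all(caller_arn in exempt for _, exempt in find_lock_statements(policy))


if __name__ == "__main__":
    # Placeholder ARN standing in for the CloudFormation execution role used by the deployment.
    cfn_role = "arn:aws:iam::123456789012:role/placeholder-cfn-exec-role"
    for sid, exempt in find_lock_statements(SAMPLE_POLICY):
        print(f"lock statement {sid}: only {exempt or 'nobody'} may change this policy")
    print("CloudFormation can update policy:", can_update_policy(SAMPLE_POLICY, cfn_role))
```

In practice you would feed `load_policy` the output of `aws s3api get-bucket-policy --bucket <defs bucket>` and pass the deployment's execution role ARN to `can_update_policy`; a `False` result explains the 403 before any stack surgery, and the exempt list tells you which principal (per the thread, the account root) can still remove the lock.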

@mikoz93

mikoz93 commented Mar 6, 2024

From having a quick look around, it seems that this needs to be configured on the VirusDefsBucket bucket:

```ts
blockPublicAccess: BlockPublicAccess.BLOCK_ACLS,
accessControl: BucketAccessControl.BUCKET_OWNER_FULL_CONTROL
```

> It's immutable to ensure that the ClamAV definition files are not tampered with.

This is not a concern for our account, so it might be nice to have that configurable.

@hemanth-m19
Author

Thanks @dontirun,

Managed to resolve the problem by removing the construct from the stack and then adding it back, which seems to have effectively fixed the issue.
