New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(s3): logging bucket blocks KMS_MANAGED encryption #23514
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.
Exception to PR Linter requested: This PR changes what inputs are flagged as an error, it has not effect on synthesized output - so there is no updated integration test to push. |
Correction on versions - the framework version is 2.58.0, the CLI version is 2.55.1 |
Hey! I originally wrote #23385 based on an issue with log delivery and the code is based on https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html
I am curious if a PR needs to be made to https://github.com/awsdocs/amazon-s3-userguide/blob/main/doc_source/enable-server-access-logging.md as well |
The outlier is KMS_MANAGED - which is not a setting recognized by the S3 console/api. It is apparently a CDK concept, which the CDK translates into a configuration that works for self-logging buckets. I'm running yet another test just to prove to myself again that I saw this work. |
This is actually really interesting to me! I am curious where this breaks. The only difference that I really see is in how the CloudFormation is generated For aws-cdk/packages/@aws-cdk/aws-s3/lib/bucket.ts Lines 1982 to 1992 in f03cc85
And for aws-cdk/packages/@aws-cdk/aws-s3/lib/bucket.ts Lines 1953 to 1970 in f03cc85
So that setup is basically just whether the I've tried reproducing with: import * as cdk from 'aws-cdk-lib';
import * as s3 from 'aws-cdk-lib/aws-s3';
const app = new cdk.App();
const stack = new cdk.Stack(app, 'Stack');
const target = new s3.Bucket(stack, 'Target', { encryption: s3.BucketEncryption.KMS_MANAGED });
const bucket = new s3.Bucket(stack, 'Bucket', {
serverAccessLogsBucket: target,
serverAccessLogsPrefix: 'test/',
}); I don't see any logs being delivered. But I am wondering if this can be made to work some other way? Because I would personally love to be able to use But even when I do: import * as cdk from 'aws-cdk-lib';
import * as s3 from 'aws-cdk-lib/aws-s3';
const app = new cdk.App();
const stack = new cdk.Stack(app, 'Stack');
const selfLog = new s3.Bucket(stack, 'SelfLogging', {
encryption: s3.BucketEncryption.KMS_MANAGED,
serverAccesLogsPrefix: 'test/',
});
// Ensure LogDeliverWrite is applied, aws/aws-cdk#23513
(selfLog.node.defaultChild as s3.CfnBucket).addPropertyOverride('AccessControl', 'LogDeliveryWrite'); I am not getting any logs delivered into the bucket. I also tried to go into the console, and have it apply the bucket policy to see if that would allow log delivery and while logs did seem to be delivered, they were encrypted with a key I couldn't use (I didn't recognize the account number and it didn't seem to match the key for the |
Make sure you are waiting long enough for your tests - logs can take up to an hour to show up.
|
Out of curiousity, can you actually read the objects? In both my examples, the objects are encrypted with key a owned by
|
Ha! Never crossed my mind to actually try to open them - I cannot read them either. My unverified assumption had been that KMS logging was unavailable because of issues sharing a CMK with the logging process. This would suggest that the configuration generated by KMS_MANAGED (without a key), uses a CMK owned by the logging process so sharing the key is still a problem. |
Yeah, so the annoying thing about Default Bucket Encryption is that it's just the default. If something does A lot of recommendations include using a bucket policy to enforce the correct encryption settings to prevent using the wrong type of encryption or the wrong key. Some information is available at https://repost.aws/knowledge-center/s3-aws-kms-default-encryption I am curious why this doesn't impact buckets with SSE-S3 and without default encryption. But that must be an implementation detail I am unaware of. The configuration generated by |
Definitely forgot this detail by the way! I thought it was 10ish minutes! Went back and checked all the buckets; and they're all receiving the logs but I can't |
I think I need to update this PR to replace KMS_MANAGED in the list of excepted encryptions. Since I'm in here anyway, I'll add a comment explaining how it is different, but still doesn't work. I'll also leave the tests (more complete) and the parenthesis that make the precedence in the condition more explicit. |
The extra tests point out that we're not flagging KMS_MANAGED for separate buckets. Since the logging bucket is an IBucket at that point in the code, the .encryption prop is not available, so KMS_MANAGED is "not a thing" for IBucket. Diving a little deeper to see if there's another way to flag KMS_MANAGED buckets. |
From the sound of it, the additional validation preventing some scenarios, while technically a deploy-time regression, isn't actually breaking any valid use cases. Did I get that right? |
Correct. The only remaining question is that there is no way to alert the client if they provide a logging bucket using KMS_MANAGED encryption, as the logging bucket prop is IBucket, which does not expose the .encryption value from the BucketProps used to create it. This situation will create a stack and store logs on the provided bucket, but those logs will be unreadable. |
The changes requested are an automated requirement to add an integration test - but after all discussion, this PR only increases unit test coverage to make it more complete and adds a set of parenthesis to make the precedence explicit instead of implicit. So there's nothing to check with an integration test. |
Since it's just tests that being added, you may want to consider removing the non-comment changes from
I don't believe that a "chore" requires integration test changes; a "fix" is meant to be a bug fix, so usually there are integration test changes to avoid a regression. |
✅ Updated pull request passes all PRLinter validations. Dissmissing previous PRLinter review.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks to both @biffgaut and @kylelaker for investigating this...these S3 encryption settings are non trivial.
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
Mergify out here failing on the job. Manually rebasing. Also, I think this is more of a fix but the unit tests here are sufficient so I'm going to change this to a fix but exempt the test. |
Pull request has been modified.
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
I agree that |
As this PR is merged, the CDK team may not see the comments (I'm not a member of the CDK team). I suggest you open a new Issue describing your situation and referencing this PR. |
)" This reverts commit 1e8926f.
)" This reverts commit 1e8926f.
…uckets (#25350) The previous changes(#23514 & #23385) about failing early when certain encryption type being used is not correct. In fact, KMS encryption works fine for server access logging target buckets with proper permission being setup. So this change is removing the condition failing for the SSE-KMS with customized encryption key case. However, it is not possible to know which encryption type for the server access logging bucket, so the only checking can be applied after this change merged is failing when logging to self case using BucketEncryption.KMS_MANAGED. After this fix, the only condition would be failed pre-checking is __Log to self and using KMS_MANAGED encryption type__ This change only fix the checking condition, so this change won't affect snapshot at all. Hence, Exemption Request. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
closes #23513
All Submissions:
Adding new Construct Runtime Dependencies:
New Features
yarn integ
to deploy the infrastructure and generate the snapshot (i.e.yarn integ
without--dry-run
)?By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license