aws_s3: minimum_tls_version alllows setting invalid TLS versions #30226

ericprice3678 · 2024-05-15T23:43:44Z

Describe the bug

You can currently set an invalid TLS Version using the minimumTLSVersion prop on s3.Bucket which will lock you out of being able to interact with the bucket after its created.

Obviously you should never do this, but its still possible.

my_broken_s3_bucket = s3.Bucket( self, "bucket", enforce_ssl=True, minimum_tls_version=1.4 )

Will deploy and create an S3 bucket, however because its not possible to meet its Bucket Policy's TLS requirements you cannot interact with this AWS Bucket at all. I presume you'd need to contact AWS Support to get it deleted.

Expected Behavior

Some type of input validation to this to make sure you can't do this.

Current Behavior

It allows you to set invalid the minimum tls version to an invalid result

Reproduction Steps

my_broken_s3_bucket = s3.Bucket( self, "bucket", enforce_ssl=True, minimum_tls_version=1.4 )

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.132.1 (build 9df7dd3)

Framework Version

No response

Node.js Version

v21.4.0

OS

macos

Language

Python

Language Version

No response

Other information

No response

The text was updated successfully, but these errors were encountered:

ericprice3678 · 2024-05-15T23:46:25Z

Forgot to mention, once this is done its not fixable. You can't delete the bucket manually and you also can't change the version number to a supported one and deploy an updated Stack because that will also get an Access Denied result.

pahud · 2024-05-16T12:55:49Z

Thank you for bringing this to our attention.

my_broken_s3_bucket = s3.Bucket( self, "bucket", enforce_ssl=True, minimum_tls_version=1.4 )

Can you share a sample bucket policy that would conflict with this prop so we can have more context about it?

github-actions · 2024-05-18T16:04:40Z

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

aws-cdk-automation · 2024-07-25T21:08:05Z

Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one.

ericprice3678 added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels May 15, 2024

github-actions bot added the @aws-cdk/aws-s3 Related to Amazon S3 label May 15, 2024

pahud added p2 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed needs-triage This issue or PR still needs to be triaged. labels May 16, 2024

github-actions bot added the closing-soon This issue will automatically close in 4 days unless further comments are made. label May 18, 2024

github-actions bot mentioned this issue May 20, 2024

Weekly issue metrics report #30273

Closed

github-actions bot added closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. and removed closing-soon This issue will automatically close in 4 days unless further comments are made. labels May 23, 2024

github-actions bot closed this as completed May 23, 2024

github-actions bot mentioned this issue Jun 1, 2024

Monthly issue metrics report #30413

Closed

aws locked as resolved and limited conversation to collaborators Jul 25, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

aws_s3: minimum_tls_version alllows setting invalid TLS versions #30226

aws_s3: minimum_tls_version alllows setting invalid TLS versions #30226

ericprice3678 commented May 15, 2024

ericprice3678 commented May 15, 2024

pahud commented May 16, 2024

github-actions bot commented May 18, 2024

aws-cdk-automation commented Jul 25, 2024