
❗ NOTICE (cdk): removal of AccessControl property from bootstrap template in v2.106.0 can result in public access on bootstrap buckets #27964

Closed
colifran opened this issue Nov 13, 2023 · 3 comments
colifran commented Nov 13, 2023

Please add your +1 👍 to let us know you have encountered this

Status

Resolved

What is the issue?

A PR was merged which removed the legacy AccessControl property from the bootstrap template. Users who remove the public access block using the public-access-block-configuration cli flag will see bootstrapped buckets are created with public access and ACLs enabled by default.

Error message

No response

What is the impact?

S3 buckets created during bootstrapping will be created with all public access and all ACLs enabled by default.

Workaround

Upgrade to aws-cdk v2.106.1.

Who is affected?

Users bootstrapping regions using aws-cdk v2.106.0.

How do I resolve this?

Upgrade to aws-cdk v2.106.1.

Related issues

No response

@colifran colifran added management/tracking Issues that track a subject or multiple issues p0 labels Nov 13, 2023
@colifran colifran changed the title ❗ NOTICE (cdk): removal of AccessControl property from bootstrap template in v2.106.0 can result in public access on bootstrap bucket ❗ NOTICE (cdk): removal of AccessControl property from bootstrap template in v2.106.0 can result in public access on bootstrap buckets Nov 13, 2023
@colifran colifran pinned this issue Nov 13, 2023
mergify bot pushed a commit to cdklabs/aws-cdk-notices that referenced this issue Nov 13, 2023
@colifran colifran self-assigned this Nov 14, 2023
@laurelmay (Contributor) commented:

To understand the severity of this issue as a user a bit more as well, does this actually make the bucket and objects public? Or does it make it so the bucket and objects can be public? Wouldn't either the public-read or a bucket policy equivalent to the following need to be applied to actually make anything public?

Dangerous Bucket Policy
{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid": "PublicAccess",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "${Bucket.Arn}/*"
    }
  ]
}

If it immediately makes all objects in the bucket actually public (bootstrapping with v2.106.0 automatically makes it so anyone can s3:GetObject anything in my StagingBucket) then this is especially severe. If it makes it so that applying a bad ACL or Bucket Policy (in addition to passing --no-public-access-block-configuration) then this feels a bit less severe.

Documentation Issues

This probably also highlights a need for updates to the CloudFormation resource docs and the service docs.

The second one especially seems to be at issue here. Is Private the default or is it that by default in Private no one else has access rights but the default can be changed to grant access to others? If so, the service docs REALLY need to be more clear about that but frankly CloudFormation needs to do a better job of communicating what happens. If Private is the default it's unclear how anything is different here from before that PR.
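As an added example (not from this issue, the CDK project or either commenter), here is a checker that answers the question raised above for a given bucket, covering both the scenario in the notice body (public access block removed, no AccessControl property) and the "is it public now or merely exposable" distinction. It takes the bucket's public access block, ownership controls, bucket policy and ACL, shaped like the responses of the S3 API calls GetPublicAccessBlock, GetBucketOwnershipControls, GetBucketPolicy and GetBucketAcl, and reports whether anonymous access is granted right now, merely possible, or blocked. All sample inputs are constructed: the bucket ARN and canonical ID are placeholders, and the public policy is the one quoted in the comment above with a placeholder ARN filled in.

```python
import json

# ---- Constructed sample inputs (placeholders, not from a real account) ----
PAB_ALL_ON = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}
PAB_REMOVED = None  # bucket bootstrapped with --no-public-access-block-configuration

OWNER_ENFORCED = {"OwnershipControls": {"Rules": [{"ObjectOwnership": "BucketOwnerEnforced"}]}}
ACLS_ENABLED = {"OwnershipControls": {"Rules": [{"ObjectOwnership": "ObjectWriter"}]}}

PRIVATE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
                           "Permission": "FULL_CONTROL"}]}
PUBLIC_READ_ACL = {"Grants": PRIVATE_ACL["Grants"] + [
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}

# The "Dangerous Bucket Policy" from the thread, with a placeholder bucket ARN
PUBLIC_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "PublicAccess", "Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-staging-bucket/*"}]
}""")
# A common non-public statement (deny plaintext transport) that must NOT be flagged
TLS_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": ["arn:aws:s3:::example-staging-bucket", "arn:aws:s3:::example-staging-bucket/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}

PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def principal_is_anonymous(principal):
    """True for the wildcard principal forms '*', {'AWS': '*'} and {'AWS': [..., '*']}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_actions(policy):
    """Actions granted to anonymous principals by unconditional Allow statements."""
    actions = set()
    statements = (policy or {}).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        # A Condition block narrows the grant; this checker only flags unconditional grants.
        if stmt.get("Effect") == "Allow" and principal_is_anonymous(stmt.get("Principal")) \
                and not stmt.get("Condition"):
            act = stmt.get("Action", [])
            actions.update([act] if isinstance(act, str) else act)
    return actions


def acl_grants_public(acl):
    """True when any grant targets the AllUsers or AuthenticatedUsers group."""
    return any(g.get("Grantee", {}).get("Type") == "Group"
               and g["Grantee"].get("URI") in PUBLIC_GRANTEE_URIS
               for g in (acl or {}).get("Grants", []))


def classify_bucket(public_access_block, ownership_controls, policy, acl):
    """PUBLIC: anonymous access is effective now.  EXPOSABLE: nothing public yet, but a
    bad ACL or policy would take effect.  PROTECTED: both paths are blocked."""
    pab = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    rules = (ownership_controls or {}).get("OwnershipControls", {}).get("Rules", [])
    acls_disabled = any(r.get("ObjectOwnership") == "BucketOwnerEnforced" for r in rules)

    # RestrictPublicBuckets neutralises an existing public policy; IgnorePublicAcls and
    # BucketOwnerEnforced neutralise existing public ACL grants.
    policy_effective = bool(policy_public_actions(policy)) and not pab.get("RestrictPublicBuckets")
    acl_effective = acl_grants_public(acl) and not pab.get("IgnorePublicAcls") and not acls_disabled
    if policy_effective or acl_effective:
        return "PUBLIC"

    policy_locked = bool(pab.get("BlockPublicPolicy") or pab.get("RestrictPublicBuckets"))
    acl_locked = bool(pab.get("BlockPublicAcls") or pab.get("IgnorePublicAcls") or acls_disabled)
    return "PROTECTED" if policy_locked and acl_locked else "EXPOSABLE"


def run_scenarios():
    """Classify the constructed scenarios; returns {scenario_name: classification}."""
    scenarios = {
        "default_bootstrap": (PAB_ALL_ON, ACLS_ENABLED, TLS_ONLY_POLICY, PRIVATE_ACL),
        "block_removed_no_accesscontrol": (PAB_REMOVED, ACLS_ENABLED, TLS_ONLY_POLICY, PRIVATE_ACL),
        "block_removed_plus_public_policy": (PAB_REMOVED, ACLS_ENABLED, PUBLIC_POLICY, PRIVATE_ACL),
        "block_removed_plus_public_acl": (PAB_REMOVED, ACLS_ENABLED, TLS_ONLY_POLICY, PUBLIC_READ_ACL),
        "block_removed_owner_enforced": (PAB_REMOVED, OWNER_ENFORCED, TLS_ONLY_POLICY, PUBLIC_READ_ACL),
    }
    return {name: classify_bucket(*args) for name, args in scenarios.items()}


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:36s} {verdict}")
```

The second scenario is the v2.106.0 state described in the notice: nothing is readable anonymously yet, but with the block gone and ACLs still enabled, a single bad ACL grant or policy statement takes effect immediately, which is what the third and fourth scenarios show. The last scenario shows that BucketOwnerEnforced closes the ACL path but not the policy path, so re-applying the public access block (the v2.106.1 fix) is what returns the bucket to PROTECTED.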

@colifran (Contributor, Author) commented:

Closed with this revert.
