aws-cdk-lib Version 2.100.0 Fails with Access Denied on Deployment about cdk-serverless-clamscan HOT 8 CLOSED

I believe this is due to the imported Bucket not having the correct access permissions. The issue was resolved for newly created buckets in this PR. Does the imported bucket have Object Writer ownership permissions?

from cdk-serverless-clamscan.

I believe this is due to the imported Bucket not having the correct access permissions. The issue was resolved for newly created buckets in this PR. Does the imported bucket have Object Writer ownership permissions?

Hi, the error we are getting is related to virusdeflog bucket which is not an imported bucket.

Update: My bad, this is the imported bucket, but it has correct properties set, see my latest comments.

from cdk-serverless-clamscan.

Was the virusDefinitionLogBucket created in an earlier version of the CDK? That's a bucket that is getting passed into the construct so you will need to make sure that it has the correct object writer permissions

from cdk-serverless-clamscan.

logBucket has following properties set:

versioned: false,
encryption: BucketEncryption.S3_MANAGED,
objectOwnership: ObjectOwnership.OBJECT_WRITER,

I am using newer version of cdk. (2.100.0). The issue does not comes up when we use older version of cdk than this.

from cdk-serverless-clamscan.

Can you share the full CloudFormation error including the logical id and CDK identifier of the resource that is throwing the error?

from cdk-serverless-clamscan.

Resource handler returned message: "Access Denied (Service: S3, Status Code: 403, Request ID: RWR4YE6NZYHN8BRQ, Extended Request ID: yJRnXEJpvZXgYPTF8twHG0b6psj86gkC2Ys6No2IGyqb7bDcwjBxjcMyOR9btgKM0aM0PMFVwhg=)" (RequestToken: 04049524-9442-f26e-165a-f194dd0efb27, HandlerErrorCode: AccessDenied)

logical id - ourstackamevirusscanVirusDefsBucketPolicyB482E79B
type - AWS::S3::BucketPolicy

from cdk-serverless-clamscan.

I'm unable to reproduce this. I was able to successfully deploy this construct using cdk version 2.103.0 using the following application.

import * as cdk from 'aws-cdk-lib';
import { Bucket } from 'aws-cdk-lib/aws-s3';
import { ServerlessClamscan } from 'cdk-serverless-clamscan';

export class MyStack extends cdk.Stack {
  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    const virusDefinitionLogBucket = new Bucket(this, 'logs');
    const input = new Bucket(this, 'input');
    new ServerlessClamscan(this, 'clamscan', {
      buckets: [input],
      defsBucketAccessLogsConfig: {
        logsBucket: virusDefinitionLogBucket,
        logsPrefix: 'virusDefinition-log',
      },
    });
  }
}

const app = new cdk.App();
new MyStack(app, 'test-cdk-2-103-0-clamscan');

app.synth();

I'm only seeing access denied errors on stack deletion. The S3 Bucket that contains the Virus Definitions has a bucket policy that will likely cause a deletion error if you when deleting the stack associated in the construct. However since the bucket itself gets deleted, you can run the destroy command again to resolve the error.

from cdk-serverless-clamscan.

Thank you, deleting the bucket and recreating seems to have fixed the issue for us.

from cdk-serverless-clamscan.