Unable to create vertical scaling stack using ops-automator.template

0

Hello, how can I create a vertical scaling stack using ops-automator.template? When I tried to create the stack, it failed with the error below. I would also like to try to create the stack without time-based events and DynamoDB.

Bucket cannot have ACLs set with ObjectOwnership's BucketOwnerEnforced setting (Service: Amazon S3; Status Code: 400; Error Code: InvalidBucketAclWithObjectOwnership; Request ID:

Regards, Seetharam.

Asked 9 months ago · 209 views
1 answer
0

Due to the new changes in April, newly created S3 buckets have S3 Block Public Access enabled and S3 access control lists (ACLs) disabled automatically. So if you want to enable ACLs for a bucket, you can set the ObjectOwnership parameter to ObjectWriter. The ops-automator template creates one of the S3 buckets through the S3LoggingBucket resource, which has AccessControl set to LogDeliveryWrite. Therefore, according to the new policy for enabling ACLs, you have to add ObjectOwnership: ObjectWriter; otherwise you will encounter the error below:

Bucket cannot have ACLs set with ObjectOwnership's BucketOwnerEnforced setting (Service: Amazon S3; Status Code: 400; Error Code: InvalidBucketAclWithObjectOwnership; Request ID

In the ops-automator template, you can edit the template and set ObjectOwnership to ObjectWriter, as shown below:

  S3LoggingBucket:
    DeletionPolicy: Retain
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: !Sub 'aws-opsautomator-s3-access-logs-${AWS::AccountId}-${AWS::Region}'
      AccessControl: LogDeliveryWrite
      OwnershipControls:                 ### Add ObjectOwnership to ObjectWriter
        Rules:
          - ObjectOwnership: ObjectWriter
      VersioningConfiguration:
        Status: Enabled
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      Tags:
        - Key: Name
          Value: AWS Ops Automator Access Logs

For more information related to the changes, you can refer to this Amazon blog and a similar re:Post article.

AWS
Support Engineer
Answered 9 months ago
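
A pre-deployment check for the condition described in the answer above, as an added example that is not part of the original post or of the Ops Automator project: it scans a CloudFormation template, already parsed into a dict, for buckets that set AccessControl while ACLs remain disabled. The function names and the sample template are constructed for illustration, and treating every AccessControl value other than Private as requiring ACLs is an assumption; a YAML template that uses short-form intrinsics such as !Sub needs a CloudFormation-aware loader before it can be passed in.

```python
# Added example: lint a parsed CloudFormation template for the ACL/ownership conflict.
import json

# ObjectOwnership values under which bucket ACLs are enabled.
ACL_ENABLED_OWNERSHIP = {"ObjectWriter", "BucketOwnerPreferred"}

def declared_ownership(props):
    """Return the ObjectOwnership values listed under OwnershipControls.Rules."""
    rules = (props.get("OwnershipControls") or {}).get("Rules") or []
    return [r.get("ObjectOwnership") for r in rules if isinstance(r, dict)]

def find_acl_conflicts(template):
    """Return (logical_id, reason) for buckets that set an ACL while ACLs stay disabled."""
    findings = []
    for logical_id, res in sorted(template.get("Resources", {}).items()):
        if res.get("Type") != "AWS::S3::Bucket":
            continue
        props = res.get("Properties") or {}
        acl = props.get("AccessControl")
        # Assumption: any AccessControl value other than Private needs ACLs enabled.
        if acl is None or acl == "Private":
            continue
        owners = declared_ownership(props)
        if not owners:
            findings.append((logical_id, f"AccessControl={acl} but no OwnershipControls"))
        elif not any(o in ACL_ENABLED_OWNERSHIP for o in owners):
            findings.append((logical_id, f"AccessControl={acl} but ObjectOwnership={owners[0]}"))
    return findings

# Constructed sample template (JSON form); only S3LoggingBucket mirrors the page.
SAMPLE = json.loads("""
{"Resources": {
  "S3LoggingBucket": {"Type": "AWS::S3::Bucket",
    "Properties": {"AccessControl": "LogDeliveryWrite"}},
  "FixedLoggingBucket": {"Type": "AWS::S3::Bucket",
    "Properties": {"AccessControl": "LogDeliveryWrite",
      "OwnershipControls": {"Rules": [{"ObjectOwnership": "ObjectWriter"}]}}},
  "EnforcedBucket": {"Type": "AWS::S3::Bucket",
    "Properties": {"AccessControl": "LogDeliveryWrite",
      "OwnershipControls": {"Rules": [{"ObjectOwnership": "BucketOwnerEnforced"}]}}},
  "PlainBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
  "Table": {"Type": "AWS::DynamoDB::Table", "Properties": {}}
}}
""")

if __name__ == "__main__":
    for logical_id, reason in find_acl_conflicts(SAMPLE):
        print(f"{logical_id}: {reason}")
```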
