The error you're encountering suggests that a bucket policy already exists on the S3 bucket you're trying to use for WAF logging. To resolve this issue, you have a few options:
- Remove existing bucket policy: If you're sure you want to overwrite the existing policy, you can remove it before applying the new one. However, this approach may not be suitable if the existing policy contains important permissions.
- Merge policies: Instead of replacing the existing policy, you can merge the new WAF logging permissions with the existing policy. This approach ensures you don't lose any existing permissions.
- Use a custom resource: Create a custom resource in your CDK code to modify the bucket policy, allowing you to add the necessary permissions without overwriting the entire policy.
Here's an example of how you can modify your code to merge the WAF logging permissions with the existing bucket policy:
```typescript
import * as s3 from 'aws-cdk-lib/aws-s3';
import * as iam from 'aws-cdk-lib/aws-iam';
import * as wafv2 from 'aws-cdk-lib/aws-wafv2';

const s3Bucket = new s3.Bucket(this, 'S3BucketWafLog', {
  bucketName: `aws-waf-logs-${this.stack.stackName}`.toLowerCase(),
  // ... other bucket properties ...
});

// Add WAF logging permissions to the bucket policy. WAF delivers logs through
// the log-delivery service, so the principal is delivery.logs.amazonaws.com
// (logging.s3.amazonaws.com is the S3 server-access-logging principal, which
// is not what WAF uses). The delivery service needs GetBucketAcl on the bucket
// and PutObject on the objects it writes.
s3Bucket.addToResourcePolicy(new iam.PolicyStatement({
  actions: ['s3:GetBucketAcl'],
  resources: [s3Bucket.bucketArn],
  principals: [new iam.ServicePrincipal('delivery.logs.amazonaws.com')],
}));
s3Bucket.addToResourcePolicy(new iam.PolicyStatement({
  actions: ['s3:PutObject'],
  resources: [s3Bucket.arnForObjects('*')],
  principals: [new iam.ServicePrincipal('delivery.logs.amazonaws.com')],
  conditions: { StringEquals: { 's3:x-amz-acl': 'bucket-owner-full-control' } },
}));

// The rest of your code remains the same
const wafLogConfig = new wafv2.CfnLoggingConfiguration(this, 'wafCfnLoggingConfiguration', {
  // ... configuration properties ...
});
```
This approach adds the necessary permissions for WAF logging to the existing bucket policy without overwriting it entirely. It uses the `addToResourcePolicy` method to append the new policy statement to the existing policy.
Remember to ensure that your IAM role or user has the necessary permissions to modify bucket policies, including `s3:PutBucketPolicy` and `s3:GetBucketPolicy`.
Sources
Sending web ACL traffic logs to an Amazon Simple Storage Service bucket - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced
Enabling Amazon S3 server access logging - Amazon Simple Storage Service
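The "merge policies" and "custom resource" options above both come down to the same operation: read the policy that is already on the bucket, add the log-delivery statements only if they are not already there, and write the result back. The following is an added example, not code from the answer above or from AWS, that implements that merge as plain TypeScript with no CDK dependency so it can be unit-tested before being wired into a custom resource handler. The bucket name, account id and the existing TLS-only statement are constructed sample values; the `delivery.logs.amazonaws.com` principal and the `AWSLogs/<account>/` key prefix follow the WAF logging documentation linked in the sources.

```typescript
// Added example (not from the original answer): merge WAF log-delivery
// statements into an existing S3 bucket policy document without clobbering
// the statements that are already there, and make the merge idempotent so a
// custom resource can be re-deployed safely.

type PolicyStatement = {
  Sid?: string;
  Effect: "Allow" | "Deny";
  Principal: Record<string, string | string[]> | string;
  Action: string | string[];
  Resource: string | string[];
  Condition?: Record<string, Record<string, string | string[]>>;
};

type PolicyDocument = { Version: string; Statement: PolicyStatement[] };

// Canonical JSON with sorted keys, and a one-element array folded to its
// scalar, so statements that differ only in key order or in
// "s3:PutObject" vs ["s3:PutObject"] compare equal.
function canonical(value: unknown): string {
  if (Array.isArray(value)) {
    const items = value.map(canonical).sort();
    return items.length === 1 ? items[0]! : `[${items.join(",")}]`;
  }
  if (value !== null && typeof value === "object") {
    const obj = value as Record<string, unknown>;
    const keys = Object.keys(obj).sort();
    return `{${keys.map((k) => `${JSON.stringify(k)}:${canonical(obj[k])}`).join(",")}}`;
  }
  return JSON.stringify(value);
}

// The two statements the log-delivery service needs on a WAF log bucket.
// accountId is the account that owns the web ACL (constructed placeholder);
// the aws:SourceAccount condition keeps another account's delivery service
// from writing into this bucket.
function wafLogDeliveryStatements(bucketName: string, accountId: string): PolicyStatement[] {
  const bucketArn = `arn:aws:s3:::${bucketName}`;
  const principal = { Service: "delivery.logs.amazonaws.com" };
  return [
    {
      Sid: "AWSLogDeliveryAclCheck",
      Effect: "Allow",
      Principal: principal,
      Action: "s3:GetBucketAcl",
      Resource: bucketArn,
      Condition: { StringEquals: { "aws:SourceAccount": accountId } },
    },
    {
      Sid: "AWSLogDeliveryWrite",
      Effect: "Allow",
      Principal: principal,
      Action: "s3:PutObject",
      Resource: `${bucketArn}/AWSLogs/${accountId}/*`,
      Condition: {
        StringEquals: {
          "s3:x-amz-acl": "bucket-owner-full-control",
          "aws:SourceAccount": accountId,
        },
      },
    },
  ];
}

// Keep every existing statement; append only additions that are not already
// present by content. A Sid that exists with different content is reported as
// a conflict rather than silently replaced, so a reviewer can decide.
function mergeBucketPolicy(
  existing: PolicyDocument | undefined,
  additions: PolicyStatement[],
): { policy: PolicyDocument; added: string[]; conflicts: string[] } {
  const base: PolicyDocument = existing
    ? { Version: existing.Version, Statement: [...existing.Statement] }
    : { Version: "2012-10-17", Statement: [] };
  const present = new Set(base.Statement.map(canonical));
  const sids = new Map(
    base.Statement.filter((s) => s.Sid).map((s): [string, string] => [s.Sid as string, canonical(s)]),
  );
  const added: string[] = [];
  const conflicts: string[] = [];
  for (const stmt of additions) {
    const key = canonical(stmt);
    if (present.has(key)) continue; // identical statement already on the bucket
    if (stmt.Sid && sids.has(stmt.Sid)) {
      conflicts.push(stmt.Sid); // same Sid, different content
      continue;
    }
    base.Statement.push(stmt);
    present.add(key);
    if (stmt.Sid) sids.set(stmt.Sid, key);
    added.push(stmt.Sid ?? key);
  }
  return { policy: base, added, conflicts };
}

// Constructed sample: a policy already on the bucket (a TLS-only rule), as a
// handler would receive it from GetBucketPolicy.
const existingPolicy: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [
    {
      Sid: "DenyInsecureTransport",
      Effect: "Deny",
      Principal: "*",
      Action: "s3:*",
      Resource: ["arn:aws:s3:::aws-waf-logs-example", "arn:aws:s3:::aws-waf-logs-example/*"],
      Condition: { Bool: { "aws:SecureTransport": "false" } },
    },
  ],
};

const wafStatements = wafLogDeliveryStatements("aws-waf-logs-example", "111122223333");
const firstRun = mergeBucketPolicy(existingPolicy, wafStatements); // adds both statements
const secondRun = mergeBucketPolicy(firstRun.policy, wafStatements); // adds nothing
```

In a custom resource handler, an empty `added` list means the PutBucketPolicy call can be skipped entirely, and a non-empty `conflicts` list is the case to fail loudly on rather than overwrite, since a Sid collision usually means someone else already manages that statement.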