aws_cloudfront: default S3 bucket for logging does not enable ACL access

[ghferrari]

Describe the bug

When providing a logging configuration for a CloudFrontWebDistribution, it is optional to specify an S3 bucket - when not specified, one will be created by default. However, the default S3 bucket configuration gives the error "The S3 bucket that you specified for CloudFront logs does not enable ACL access". This means that the default S3 bucket configuration is broken.

Expected Behavior

I expected the default S3 bucket configuration to be suitable for CloudFrontWebDistribution logs and for no error to be produced.

Current Behavior

Relying on the default S3 bucket configuration gives the error "The S3 bucket that you specified for CloudFront logs does not enable ACL access".

Reproduction Steps

source_s3_bucket = s3.Bucket(...)

cloudfront.CloudFrontWebDistribution(
    self, "CloudFront",
    origin_configs=[
        cloudfront.SourceConfiguration(
            s3_origin_source=cloudfront.S3OriginConfig(
                s3_bucket_source=source_s3_bucket
            ),
            behaviors=[cloudfront.Behavior(is_default_behavior=True)]
        )
    ],
    viewer_protocol_policy=cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
    enabled=True,
    logging_config=cloudfront.LoggingConfiguration(
        # no bucket specified so cdk will create one by default
        include_cookies=False,
    ),
)

Possible Solution

According to #25358 the S3 bucket defaults were updated in April 2023 - this may be the cause of the problem.

To resolve the problem, the default S3 bucket configuration at

aws-cdk/packages/aws-cdk-lib/aws-cloudfront/lib/web-distribution.ts

Line 962 in c445b8c

this.loggingBucket = props.loggingConfig.bucket || new s3.Bucket(this, 'LoggingBucket', {

must be updated to enable ACL access, as required by CloudFrontWebDistribution. In my own code, I create an S3 bucket manually and specify

cloudfront_logs_bucket = s3.Bucket(
    self, "LogsBucket",
    access_control=s3.BucketAccessControl.LOG_DELIVERY_WRITE,
    ....
)

Additional Information/Context

No response

CDK CLI Version

2.101.0 (build cbaa50e)

Framework Version

Python package: aws-cdk-lib==2.101.0

Node.js Version

v18.18.2

OS

Debian Linux

Language

TypeScript, Python

Language Version

No response

Other information

No response

[khushail]

@ghferrari , this was fixed by introduction of this flag in this PR which you need to enable in cdk.json

"@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": true,

Let me know if it solves your issue.

[github-actions]

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

[ghferrari]

@khushail Thanks for the helpful reply and reference.

I will test this feature flag and it seems likely it will workaround the problem.

However, I don't consider this workaround a fix for the problem - the CDK resource remains broken by default.

[shellscape]

@khushail I agree with @ghferrari. The default behavior is broken, and this flag is not accurately exposed in documentation as to be a visible first solution for the issue. I had to arrive at discovery of that flag by way of this issue, and not the documentation, which I arrived at following links in other issues. Please recognize the poor DX around this one.

[abaschen]

For me the flag is not correctly fixing the issue either. I understand why we don't want to passively change the default behaviour though.
Creating a distribution with accessLog on a bucket then adding the correct policy will still yield the same ACL missing error.