aws-cdk-s3: Public access setup as default.

[MichalLipski95]

Describe the bug

When running bootstrap with version 2.106.0 of aws-cdk it appears that s3 cdk bucket is now created by default has set up all public access as enabled and all ACLs are enabled.
As checked with aws-cli manual, it still says that public access should be disabled by default.
When checked previous version 2.105.0, the behavior was that s3 cdk bucket had blocked public access and object ownership was set up to ACLs disabled.

Expected Behavior

S3 cdk bucket should have blocked public access and object ownership set up to ACLs disabled

Current Behavior

S3 cdk bucket has open public access and object ownership set up to ACLs enabled

Reproduction Steps

Run cdk bootstrap command with aws-cdk version 2.106.0 which will result with creating a public access enabled bucket and enabled ACLs

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.106.0

Framework Version

No response

Node.js Version

10

OS

Linux

Language

Java

Language Version

Java 17

Other information

No response

[pahud]

I think it has blocked all public access by default.

What made you think it does not? Can you share some screenshots?

[scanlonp]

Likely related to #27764.

[colifran]

@MichalLipski95 We've tested this with both external and internal accounts and we're seeing that the CDK S3 bucket has public access blocked and object ownership is set up to disable ACLs. Can you share some screenshots of what you're seeing?

[mgerlach]

In all our repos using CDK, PR checks for renovate PRs upgrading CDK to 2.106.0 fail in CDK bootstrap because of this. Our AWS org does not allow setting S3 Bucket ACLs causing the build to fail even if the deployment role has the s3:PutBucketAcl permission.

Please revert to the previous behavior or provide a way to fix.

#27764 removed a template line setting the deprecated AccessControl property to Private. Maybe the deleted line should better have been replaced by an equivalent non-deprecated setting?

GitHub Actions workflow log

2023-11-10T22:05:44.2464116Z ##[group]Run npx cdk bootstrap aws://***/eu-central-1 --tags ...
2023-11-10T22:05:44.2467801Z �[36;1mnpx cdk bootstrap aws://***/eu-central-1 --tags ...�[0m
2023-11-10T22:05:44.2509715Z shell: /usr/bin/bash -e {0}
2023-11-10T22:05:44.2510152Z env:
2023-11-10T22:05:44.2510586Z   AWS_DEFAULT_REGION: eu-central-1
2023-11-10T22:05:44.2511045Z   AWS_REGION: eu-central-1
2023-11-10T22:05:44.2511557Z   AWS_ACCESS_KEY_ID: ***
2023-11-10T22:05:44.2512146Z   AWS_SECRET_ACCESS_KEY: ***
2023-11-10T22:05:44.2521778Z   AWS_SESSION_TOKEN: ***
2023-11-10T22:05:44.2522434Z ##[endgroup]
2023-11-10T22:06:14.2795803Z  ⏳  Bootstrapping environment aws://***/eu-central-1...
2023-11-10T22:06:15.4178198Z Trusted accounts for deployment: (none)
2023-11-10T22:06:15.4181412Z Trusted accounts for lookup: (none)
2023-11-10T22:06:15.4185912Z Using default execution policy of 'arn:aws:iam::aws:policy/***'. Pass '--cloudformation-execution-policies' to customize.
2023-11-10T22:06:17.6216135Z CDKToolkit: creating CloudFormation changeset...
2023-11-10T22:06:33.7432195Z CDKToolkit | 0/6 | 10:06:31 PM | UPDATE_ROLLBACK_IN_P | AWS::CloudFormation::Stack | CDKToolkit The following resource(s) failed to update: [StagingBucket]. 
2023-11-10T22:06:33.7434766Z CDKToolkit | 0/6 | 10:06:25 PM | UPDATE_IN_PROGRESS   | AWS::CloudFormation::Stack | CDKToolkit User Initiated
2023-11-10T22:06:33.7436865Z CDKToolkit | 0/6 | 10:06:30 PM | UPDATE_IN_PROGRESS   | AWS::S3::Bucket         | StagingBucket 
2023-11-10T22:06:33.7440663Z CDKToolkit | 0/6 | 10:06:30 PM | UPDATE_FAILED        | AWS::S3::Bucket         | StagingBucket The bucket does not allow ACLs (Service: Amazon S3; Status Code: 400; Error Code: AccessControlListNotSupported; Request ID: ...; S3 Extended Request ID: ...; Proxy: null)
2023-11-10T22:06:40.1367424Z CDKToolkit | 1/6 | 10:06:38 PM | UPDATE_COMPLETE      | AWS::S3::Bucket         | StagingBucket 
2023-11-10T22:06:47.4201678Z CDKToolkit | 2/6 | 10:06:39 PM | UPDATE_ROLLBACK_COMP | AWS::CloudFormation::Stack | CDKToolkit 
2023-11-10T22:06:47.4203779Z CDKToolkit | 3/6 | 10:06:40 PM | UPDATE_ROLLBACK_COMP | AWS::CloudFormation::Stack | CDKToolkit 
2023-11-10T22:06:47.4204977Z 
2023-11-10T22:06:47.4205577Z Failed resources:
2023-11-10T22:06:47.4211181Z CDKToolkit | 10:06:30 PM | UPDATE_FAILED        | AWS::S3::Bucket         | StagingBucket The bucket does not allow ACLs (Service: Amazon S3; Status Code: 400; Error Code: AccessControlListNotSupported; Request ID: ... ; S3 Extended Request ID: ...; Proxy: null)
2023-11-10T22:06:47.4217907Z  ❌  Environment aws://697382703885/eu-central-1 failed bootstrapping: Error: The stack named CDKToolkit failed to deploy: UPDATE_ROLLBACK_COMPLETE: The bucket does not allow ACLs (Service: Amazon S3; Status Code: 400; Error Code: AccessControlListNotSupported; Request ID: ... ; S3 Extended Request ID: ...; Proxy: null)
2023-11-10T22:06:47.4222755Z     at FullCloudFormationDeployment.monitorDeployment (/home/runner/work/<repo>/<repo>/node_modules/aws-cdk/lib/index.js:421:10232)
2023-11-10T22:06:47.4225077Z     at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
2023-11-10T22:06:47.4227206Z     at async /home/runner/work/<repo>/<repo>/node_modules/aws-cdk/lib/index.js:426:2104
2023-11-10T22:06:47.4228792Z     at async Promise.all (index 0)
2023-11-10T22:06:47.4232236Z     at async CdkToolkit.bootstrap (/home/runner/work/<repo>/<repo>/node_modules/aws-cdk/lib/index.js:426:1949)
2023-11-10T22:06:47.4238460Z     at async exec4 (/home/runner/work/<repo>/<repo>/node_modules/aws-cdk/lib/index.js:479:53102)
2023-11-10T22:06:47.5126828Z The stack named CDKToolkit failed to deploy: UPDATE_ROLLBACK_COMPLETE: The bucket does not allow ACLs (Service: Amazon S3; Status Code: 400; Error Code: AccessControlListNotSupported; Request ID: ...; S3 Extended Request ID: ...; Proxy: null)
2023-11-10T22:06:47.5129718Z 
2023-11-10T22:06:47.5387695Z ##[error]Process completed with exit code 1.

[mgerlach]

Looks like this was fixed/reverted in 2.106.1 / #27939. Our PR workflows run successfully with that release.