Hello, thank you for your post.
For your first question, you can safely ignore the SecurityHub recommendation due to the recursion scenario you described.
As for your second question about the warning in Trusted Advisor, to make the "Write Not Enabled" alert go away, please try enabling the following ACL permissions for the affected buckets for the "S3 log delivery group":
- Objects: Write (WRITE)
- Bucket ACL: Read (READ_ACP)
You can read more about managing S3 bucket ACLs in our documentation[1].
Please let me know if you have any questions.
References: [1] https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html
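As an added example (not part of the answer above or of any AWS tool), the following Python reads the ACL shape that `aws s3api get-bucket-acl` / boto3 `get_bucket_acl` returns, reports which of the two grants the answer lists (WRITE and READ_ACP for the S3 log delivery group) are missing, and builds the AccessControlPolicy you would pass to `put-bucket-acl` to add only the missing ones. The sample ACL is constructed inline so the script runs offline; no AWS call is made.

```python
"""Check and repair the S3 log delivery group grants on a bucket ACL.

The ACL dict shape matches `aws s3api get-bucket-acl` / boto3 get_bucket_acl.
Sample ACLs below are constructed for this example; the bucket and owner
IDs are placeholders, not real accounts.
"""

import json

# Canonical URI of the "S3 log delivery group" predefined group.
LOG_DELIVERY_GROUP = "http://acs.amazonaws.com/groups/s3/LogDelivery"

# Grants the answer above says clear the Trusted Advisor "Write Not Enabled" alert.
REQUIRED_PERMISSIONS = {"WRITE", "READ_ACP"}


def log_delivery_permissions(acl: dict) -> set:
    """Return the permissions the log delivery group currently holds in the ACL."""
    perms = set()
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") == LOG_DELIVERY_GROUP:
            perms.add(grant["Permission"])
    return perms


def missing_log_delivery_permissions(acl: dict) -> set:
    """Permissions from REQUIRED_PERMISSIONS that the log delivery group lacks."""
    return REQUIRED_PERMISSIONS - log_delivery_permissions(acl)


def acl_with_log_delivery_grants(acl: dict) -> dict:
    """Build an AccessControlPolicy that keeps every existing grant and adds
    only the missing log delivery group grants.  Pass the result as
    --access-control-policy to `aws s3api put-bucket-acl` (or as
    AccessControlPolicy= to boto3 put_bucket_acl)."""
    grants = list(acl.get("Grants", []))
    for perm in sorted(missing_log_delivery_permissions(acl)):
        grants.append(
            {"Grantee": {"Type": "Group", "URI": LOG_DELIVERY_GROUP}, "Permission": perm}
        )
    return {"Owner": acl["Owner"], "Grants": grants}


# Constructed sample: a bucket whose ACL only grants the owner FULL_CONTROL,
# which is what a freshly created bucket with ACLs enabled looks like.
OWNER = {"ID": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"}
SAMPLE_ACL_NO_GRANTS = {
    "Owner": OWNER,
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"}
    ],
}

# Constructed sample: the log delivery group already has WRITE but not READ_ACP.
SAMPLE_ACL_WRITE_ONLY = {
    "Owner": OWNER,
    "Grants": SAMPLE_ACL_NO_GRANTS["Grants"]
    + [{"Grantee": {"Type": "Group", "URI": LOG_DELIVERY_GROUP}, "Permission": "WRITE"}],
}


if __name__ == "__main__":
    for name, acl in (("no-grants", SAMPLE_ACL_NO_GRANTS), ("write-only", SAMPLE_ACL_WRITE_ONLY)):
        missing = missing_log_delivery_permissions(acl)
        print(f"{name}: missing {sorted(missing) or 'nothing'}")
        if missing:
            # JSON you can hand to: aws s3api put-bucket-acl --bucket <bucket>
            #   --access-control-policy file://policy.json
            print(json.dumps(acl_with_log_delivery_grants(acl), indent=2))
```

Two caveats. First, `put-bucket-acl` with these grants only works on a bucket whose Object Ownership setting still allows ACLs (ObjectWriter or BucketOwnerPreferred); on a bucket set to BucketOwnerEnforced, S3 rejects ACL grants other than the owner's full control, so following this answer means keeping ACLs enabled on the target bucket, which is exactly the trade-off the other replies in this thread object to. Second, the check above inspects ACL grants only; a bucket that grants log delivery through a bucket policy instead will show as "missing" both grants here, just as it does in Trusted Advisor.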
I agree with AWS-User-8416516's comment. It would be nice to have a solution that satisfies Trusted Advisor and does not require us to use bucket ACLs, since AWS's guidance recommends not using them.
In a way, Trusted Advisor advises a bad setup for the looping access-logs configuration.
Thanks for the answer! I'll ignore the SecurityHub recommendation.
As for the second one, hmm, I'd rather stay away from ACLs in my S3 buckets, though, considering "A majority of modern use cases in Amazon S3 no longer require the use of ACLs, and we recommend that you disable ACLs except in unusual circumstances where you need to control access for each object individually." (which I had read before and also quoted in the link you sent). I'd rather do everything with Bucket Policies, which seems to be the recommended approach.
If TrustedAdvisor cannot deal with this, then so be it, I guess. Then TrustedAdvisor has a problem, which I should report.