Object Ownership doesn't allow Value BucketOwnerEnforced

cfn-lint version: 0.56.3

When linting a CF template containing a bucket with bucket ownership set to ObjectOwnership: BucketOwnerEnforced, linting fails with the error E3030 You must specify a valid value for ObjectOwnership (BucketOwnerEnforced). Valid values are ["ObjectWriter", "BucketOwnerPreferred"]. However, CloudFormation allows the value BucketOwnerEnforced per the documentation.

sample template

  LogBucket:
    Type: AWS::S3::Bucket
    Properties:
      PublicAccessBlockConfiguration:
        BlockPublicAcls: True
        IgnorePublicAcls: True
        BlockPublicPolicy: True
        RestrictPublicBuckets: True
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - BucketKeyEnabled: true
      OwnershipControls:
        Rules:
          - ObjectOwnership: BucketOwnerEnforced

Cfn-lint uses the CloudFormation Resource Specifications as the base to do validation. These files are included as part of the application version. Please update to the latest version of cfn-lint or update the spec files manually (cfn-lint -u).

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Reactions: 7
  • Comments: 5 (4 by maintainers)

Top GitHub Comments

6 reactions
kddejong commented, Jan 28, 2022

This is coming from the definition in the public registry. I’m looking into why there is a mismatch between documentation and the resource schema definition.

"OwnershipControlsRule": {
    "type": "object",
    "additionalProperties": false,
    "properties": {
        "ObjectOwnership": {
            "description": "Specifies an object ownership rule.",
            "type": "string",
            "enum": [
                "ObjectWriter",
                "BucketOwnerPreferred"
            ]
        }
    }
},

2 reactions
kddejong commented, Dec 16, 2021

I’m waiting on an issue in the spec to be resolved before I can get this merged. Should be resolved this week.
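
The mismatch discussed in this thread, as an added example that is not cfn-lint's own code and not part of the original issue: a small enum check run over the issue's sample template, once with the enum quoted from the resource schema and once with BucketOwnerEnforced added. The function name check_object_ownership, the constants, and the JSON re-typing of the template are assumptions made for illustration.

```python
import json

# Constructed inputs: the enum quoted in the maintainer's comment, and the
# same enum extended with the value the reporter says CloudFormation accepts.
STALE_ENUM = ["ObjectWriter", "BucketOwnerPreferred"]
UPDATED_ENUM = STALE_ENUM + ["BucketOwnerEnforced"]

# The relevant part of the issue's sample template, re-typed as JSON so that
# only the standard library is needed (constructed for this example).
TEMPLATE = json.loads("""
{"Resources": {"LogBucket": {"Type": "AWS::S3::Bucket", "Properties": {
  "OwnershipControls": {"Rules": [{"ObjectOwnership": "BucketOwnerEnforced"}]}}}}}
""")


def check_object_ownership(template, allowed):
    """Return (path, message) findings for ObjectOwnership values not in `allowed`."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::S3::Bucket":
            continue
        props = res.get("Properties", {})
        rules = props.get("OwnershipControls", {}).get("Rules", [])
        for i, rule in enumerate(rules):
            value = rule.get("ObjectOwnership")
            # Intrinsic functions (Ref, Fn::Sub, ...) parse as dicts; a static
            # check cannot resolve them, so only literal strings are compared.
            if isinstance(value, str) and value not in allowed:
                path = (f"Resources/{name}/Properties/OwnershipControls"
                        f"/Rules/{i}/ObjectOwnership")
                msg = (f"You must specify a valid value for ObjectOwnership "
                       f"({value}). Valid values are {json.dumps(allowed)}")
                findings.append((path, msg))
    return findings


if __name__ == "__main__":
    for label, enum in (("stale enum", STALE_ENUM), ("updated enum", UPDATED_ENUM)):
        print(label, "->", check_object_ownership(TEMPLATE, enum) or "no findings")
```

The template is unchanged between the two runs; only the enum the checker is given differs, which is why refreshing the spec files clears the finding.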
