Unable to remove imported bucket

[ScottSturdivant]

Summary

After specifying an existing bucket as a scanning target, I attempted to remove it and was met with the following error: An error occurred (AccessDenied) when calling the GetBucketNotificationConfiguration operation: Access Denied.

Disclaimer -- this is running in an enterprise type environment in gov cloud and I'm not savvy enough to understand the permissions boundaries and the policies granted to the roles I have access to - just reporting this based on what I've been told. That said, here is what I've attempted. Note that my pseudo-code below does not include the Aspects that are unique to this environment.

Import / add an existing bucket to be scanned

from aws_cdk import (
  Stack,
  aws_events as events,
  aws_events_targets as events_targets,
  aws_s3 as s3,
  aws_sns as sns,
  DefaultStackSynthesizer,
  App,
)
from cdk_serverless_clamscan import ServerlessClamscan
from constructs import Construct


class CdkTestStack(Stack):

  def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
    super().__init__(scope, construct_id, **kwargs)

    bucket_1 = s3.Bucket(self, "rBucket1")
    bucket_2 = s3.Bucket(self, "rBucket2")
    bucketList = [ bucket_1, bucket_2 ]
    sc = ServerlessClamscan(self, "rClamScan",
      buckets=bucketList,
      accept_responsibility_for_using_imported_bucket=True,
    )
    bucket = s3.Bucket.from_bucket_name(self, 'MyImportedBucket', 'an-existing-bucket');
    sc.add_source_bucket(bucket);

    bucket_policy_for_specific_imported_bucket = s3.BucketPolicy(self, 'BucketPolicy', bucket=bucket)
    bucket_policy_for_specific_imported_bucket.document.add_statements(sc.get_policy_statement_for_bucket(bucket))

    infected_topic = sns.Topic(self, "rInfectedTopic")
    if sc.infected_rule != None:
      sc.infected_rule.add_target(
        events_targets.SnsTopic(
          infected_topic,
          message=events.RuleTargetInput.from_event_path('$.detail.responsePayload.message'),
        )
      )

app = App()
stack = CdkTestStack(app, "clamav-scan-stack")
app.synth()

This successfully setup an-existing-bucket to be scanned after running cdk deploy.

Remove bucket as a scan target

Now, I'd like to remove an-existing-bucket from the scan targets. My expectation was that I could just update app.py, remove the references that added it, re-run cdk deploy and the bucket policy would be removed, etc.

from aws_cdk import (
  Stack,
  aws_events as events,
  aws_events_targets as events_targets,
  aws_s3 as s3,
  aws_sns as sns,
  DefaultStackSynthesizer,
  App,
)
from cdk_serverless_clamscan import ServerlessClamscan
from constructs import Construct


class CdkTestStack(Stack):

  def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
    super().__init__(scope, construct_id, **kwargs)

    bucket_1 = s3.Bucket(self, "rBucket1")
    bucket_2 = s3.Bucket(self, "rBucket2")
    bucketList = [ bucket_1, bucket_2 ]
    sc = ServerlessClamscan(self, "rClamScan",
      buckets=bucketList,
      accept_responsibility_for_using_imported_bucket=True,
    )

    infected_topic = sns.Topic(self, "rInfectedTopic")
    if sc.infected_rule != None:
      sc.infected_rule.add_target(
        events_targets.SnsTopic(
          infected_topic,
          message=events.RuleTargetInput.from_event_path('$.detail.responsePayload.message'),
        )
      )

app = App()
stack = CdkTestStack(app, "clamav-scan-stack")
app.synth()

Now cdk deploy gives me an error about lacking permissions for GetBucketNotificationConfiguration.

Someone smarter than me has provided this analysis:

It seems like the permissions for the Role attached to the "clamav-scan-stack-BucketNotificationsHandler050a05-QNovedi171qG" lambda (service-clamav-scan-stack-BucketNotificationsHandler050a0587b75) doesn't have permissions for s3:GetBucketNotificationConfiguration. It only has s3:PutBucketNotification, so it's not limited by the permissions boundary.

After the s3:GetBucketNotificationConfiguration permission was added to the role, I was able to remove the imported bucket successfully.

Thanks for taking a look at this!

[dontirun]

Hey! I'm glad you figured it a solution to your issue.

I don't understand what the question is, but It seems like you have some restrictions in your deployment roles and permissions boundaries that are preventing successful destruction.