From 7e6370e1a3762be0c3f1485f02b4067160309020 Mon Sep 17 00:00:00 2001
From: Michael Wittig
Date: Tue, 9 May 2023 17:09:58 +0200
Subject: [PATCH] [Bug Fix] state/s3 - Fix Access := CloudFrontAccessLogWrite
---
 state/s3.yaml | 1 +
 .../awscftemplates/operations/TestAccessLogsAnonymizer.java | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/state/s3.yaml b/state/s3.yaml
index 58e8662b3..ff6a7b227 100644
--- a/state/s3.yaml
+++ b/state/s3.yaml
@@ -181,6 +181,7 @@ Resources:
 - !If [HasLambdaFunctionArn, {Event: !Ref LambdaFunctionEvent, Function: !Ref LambdaFunctionArn, Filter: !If [HasLambdaFunctionFilterPrefix, {S3Key: {Rules: [{Name: prefix, Value: !Ref LambdaFunctionFilterPrefix}]}}, !Ref 'AWS::NoValue']}, !Ref 'AWS::NoValue']
 QueueConfigurations:
 - !If [HasS3VirusScan, {Event: 's3:ObjectCreated:*', Queue: {'Fn::ImportValue': !Sub '${ParentS3VirusScanStack}-ScanQueueArn'}}, !Ref 'AWS::NoValue']
+ OwnershipControls: !If [HasCloudFrontAccessLogWrite, {Rules: [{ObjectOwnership: BucketOwnerPreferred}]}, !Ref 'AWS::NoValue']
 PublicAccessBlockConfiguration: !If [HasPublicAccessBlock, {BlockPublicAcls: true, BlockPublicPolicy: true, IgnorePublicAcls: true, RestrictPublicBuckets: true}, !Ref 'AWS::NoValue'] # AWS Foundational Security Best Practices v1.0.0 S3.8
 VersioningConfiguration: !If [HasVersioning, {Status: Enabled}, !If [HadVersioning, {Status: Suspended}, !Ref 'AWS::NoValue']]
 BucketEncryption:
diff --git a/test/src/test/java/de/widdix/awscftemplates/operations/TestAccessLogsAnonymizer.java b/test/src/test/java/de/widdix/awscftemplates/operations/TestAccessLogsAnonymizer.java
index e40d80471..9190fedb1 100644
--- a/test/src/test/java/de/widdix/awscftemplates/operations/TestAccessLogsAnonymizer.java
+++ b/test/src/test/java/de/widdix/awscftemplates/operations/TestAccessLogsAnonymizer.java
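Review bot: In state/s3.yaml the added `OwnershipControls` line re-enables bucket ACLs (`BucketOwnerPreferred`) for `HasCloudFrontAccessLogWrite` without a comment saying why, although the `PublicAccessBlockConfiguration` line right below it documents its rationale. I would append a trailing comment such as `# CloudFront standard logging is granted write access through a bucket ACL, so ACLs must stay enabled for this Access value only`. The `!Ref 'AWS::NoValue'` branch leaves every other Access value on the S3 service default rather than pinning `BucketOwnerEnforced`. Whether any other mode in the template depends on ACLs is not visible in this hunk, so that should be checked before making the default explicit.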
@@ -55,7 +55,7 @@ public void alb() { final String functionARN = this.getStackOutputValue(anonymizerStackName, "FunctionARN"); this.updateStack(context, s3StackName, "state/s3.yaml", - new Parameter().withParameterKey("Access").withParameterValue("CloudFrontAccessLogWrite"), + new Parameter().withParameterKey("Access").withParameterValue("ElbAccessLogWrite"), new Parameter().withParameterKey("LambdaFunctionArn").withParameterValue(functionARN) ); // TODO upload file and test if IP addresses are anonymized
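Review bot: After this change nothing in the visible hunk deploys state/s3.yaml with `Access=CloudFrontAccessLogWrite`, so the `OwnershipControls` branch this commit adds appears to have no test. Switching `alb()` to `ElbAccessLogWrite` looks right for an ALB test, but the fixed path deserves its own stack-creation test unless one exists elsewhere in the file. The trailing `// TODO upload file and test if IP addresses are anonymized` suggests the test does not yet check the anonymizer's output. `alb()` starts and ends outside the hunk, so this is judged only from the lines shown.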