
AWS service log: AccessDenied when calling the GetBucketNotificationConfiguration operation #312

@jacekhewko

Description


Describe the bug

Hi. We are trying cross-account centralized logging with OpenSearch. For tests, our main account is the master account, and the child account we want to grab logs from is INT. The general configuration went fine; however, there is an issue when trying to configure an AWS service log with AWS Lambda as the service type and the INT account as the source.

Expected Behavior

We expect successful creation of an AWS service log with AWS Lambda as the service type and the INT account as the source.

Current Behavior

Currently, the config finishes with an error:

Received response status [FAILED] from custom resource. Message returned: Error: An error occurred (AccessDenied) when calling the GetBucketNotificationConfiguration operation: Access Denied Logs: /aws/lambda/CL-SvcPipe-0b5a9c19-LogPipelinelogSourceS3Notifica-l7JPtBue6RFO at invokeUserFunction (/var/task/framework.js:2:6) at process.processTicksAndRejections (node:internal/process/task_queues:95:5) at async onEvent (/var/task/framework.js:1:369) at async Runtime.handler (/var/task/cfn-response.js:1:1837) (RequestId: e007c600-39ae-4ed2-845d-ee867e3ed441) Resource creation cancelled. More details, please go to Cloudformation event

And when going down to the CloudFormation stack (CL-SvcPipe-0b5a9c19), it shows CREATE_FAILED for LogPipelinelogSourceS3NotificationlambdaTriggerE8C8CB9D with this error:

Received response status [FAILED] from custom resource. Message returned: Error: An error occurred (AccessDenied) when calling the GetBucketNotificationConfiguration operation: Access Denied Logs: /aws/lambda/CL-SvcPipe-b08d1404-LogPipelinelogSourceS3Notifica-TIZ5Ce4rId5e at invokeUserFunction (/var/task/framework.js:2:6) at process.processTicksAndRejections (node:internal/process/task_queues:95:5) at async onEvent (/var/task/framework.js:1:369) at async Runtime.handler (/var/task/cfn-response.js:1:1837) (RequestId: 87472f92-19cc-4b2c-a1ca-ae557210aa30)

I am running out of ideas on how we could fix it.

Reproduction Steps

  1. Deploy the cross-account Centralized Logging with OpenSearch Solution (Template version v2.3.0)
  2. Configure the master and child accounts
  3. Try to configure a new AWS service log with your child account as the source and AWS Lambda as the service
  4. There is an error on the CloudFormation stack and in the configuration itself

Possible Solution

No response

Additional Information/Context

No response

Solution Version

(SO8025) - Centralized Logging with OpenSearch Solution. Template version v2.3.0

AWS Region. e.g., us-east-1

eu-central-1

Other information

No response
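The failing call can be reproduced outside CloudFormation to see which principal is being denied. This is an added example, not code from the issue or from the solution; it assumes the operator can assume the role the custom resource runs under (`role_arn`), uses a placeholder bucket name, and relies on the fact that GetBucketNotificationConfiguration and PutBucketNotificationConfiguration map to the IAM actions s3:GetBucketNotification and s3:PutBucketNotification.

```python
# Added example (not the issue's or the solution's code): preflight for the
# cross-account bucket-notification step. Bucket name and role ARN are placeholders.
from typing import Optional

# IAM actions behind reading and installing a bucket notification configuration.
REQUIRED_ACTIONS = ["s3:GetBucketNotification", "s3:PutBucketNotification"]


def required_policy_statement(bucket: str) -> dict:
    """Minimal IAM statement granting the notification actions on one bucket."""
    return {"Effect": "Allow", "Action": REQUIRED_ACTIONS,
            "Resource": f"arn:aws:s3:::{bucket}"}


def diagnose(error_code: str, bucket: str) -> str:
    """Map an S3 error code from GetBucketNotificationConfiguration to a next step."""
    if error_code == "AccessDenied":
        return (f"caller lacks s3:GetBucketNotification on arn:aws:s3:::{bucket}; "
                "grant it in the calling role's policy and, for a bucket in another "
                "account, in that bucket's policy")
    if error_code == "NoSuchBucket":
        return f"bucket {bucket} does not exist in this account/region"
    return f"unexpected error {error_code}; check CloudTrail for the denied call"


def check_bucket_notification_access(bucket: str, role_arn: Optional[str] = None) -> str:
    """Call GetBucketNotificationConfiguration, after assuming role_arn if given.

    Returns "ok" or a diagnosis. boto3 is imported here so the pure helpers
    above run offline without it.
    """
    import boto3
    from botocore.exceptions import ClientError

    session = boto3.Session()
    if role_arn:
        creds = session.client("sts").assume_role(
            RoleArn=role_arn, RoleSessionName="notification-preflight")["Credentials"]
        session = boto3.Session(aws_access_key_id=creds["AccessKeyId"],
                                aws_secret_access_key=creds["SecretAccessKey"],
                                aws_session_token=creds["SessionToken"])
    try:
        session.client("s3").get_bucket_notification_configuration(Bucket=bucket)
        return "ok"
    except ClientError as exc:
        return diagnose(exc.response["Error"]["Code"], bucket)


if __name__ == "__main__":
    print(check_bucket_notification_access("example-source-bucket", role_arn=None))
```

Run it once with the role the custom resource assumes and once with the child account's own credentials: if only the assumed role is denied, the gap is in the role or bucket policy rather than in the bucket itself.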


Labels: bug (Something isn't working)
