Description
There are certain types of S3 Buckets for which AWS will automatically create a bucket policy if you do not create one. For example, if you create an S3 Bucket to be used as the destination for VPC Flow Logs and you do not create a Bucket Policy, AWS will automatically create a bucket policy for you. The full list of resources can be found here:
- CloudFront access logs and streaming access logs.
- Amazon EC2 Spot Instance data feed
- AWS Global Accelerator flow logs
- Amazon Managed Streaming for Apache Kafka broker logs
- Network Load Balancer access logs
- AWS Network Firewall logs
- Amazon Virtual Private Cloud flow logs
For these types of resources we should default to providing a bucket policy with the correct permissions instead of relying on AWS to create one automatically.
Use Case
An example of why this is a good idea can be found in #18676. If this type of bucket is created without a bucket policy, you can never add one later.
Proposed Solution
In cases where we know that a bucket policy is required (i.e. AWS will create one if you do not) we will default to creating the required policy. Since this would be a breaking change for anyone that has already deployed a bucket, this functionality would be placed behind a feature flag.
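As an added illustration (not code from this issue or from the aws-cdk project), the following TypeScript builds the kind of bucket policy a construct would attach up front for a VPC Flow Logs destination, and checks an existing policy for the grants the log-delivery service needs. The statement shape is modelled on the AWS-documented policy for publishing flow logs to S3 (a `PutObject` grant under `AWSLogs/<account>/` with the `bucket-owner-full-control` ACL condition, plus `GetBucketAcl`/`ListBucket` on the bucket, both scoped by `aws:SourceAccount` and `aws:SourceArn`); the bucket name, account id and region are constructed sample values, and the condition keys should be verified against the current AWS documentation for your partition before use.

```typescript
// Added example, not aws-cdk code: the bucket policy AWS would otherwise create on
// first delivery for a VPC Flow Logs destination, attached explicitly instead, plus a
// check for whether an existing policy already grants what the log-delivery service
// needs. Statement shape follows the AWS documentation for flow logs to S3 (assumed;
// verify condition keys against the current docs for your partition).

type Statement = {
  Sid?: string;
  Effect: "Allow" | "Deny";
  Principal: { Service: string };
  Action: string | string[];
  Resource: string | string[];
  Condition?: Record<string, Record<string, string>>;
};

type PolicyDocument = { Version: "2012-10-17"; Statement: Statement[] };

const LOG_DELIVERY_SERVICE = "delivery.logs.amazonaws.com";

function flowLogBucketPolicy(bucketName: string, accountId: string, region: string): PolicyDocument {
  const bucketArn = `arn:aws:s3:::${bucketName}`;
  // Scope the service principal to this account's own log delivery so that the same
  // service principal acting for another account cannot write into the bucket.
  const sourceScope: Record<string, Record<string, string>> = {
    StringEquals: { "aws:SourceAccount": accountId },
    ArnLike: { "aws:SourceArn": `arn:aws:logs:${region}:${accountId}:*` },
  };
  return {
    Version: "2012-10-17",
    Statement: [
      {
        Sid: "AWSLogDeliveryWrite",
        Effect: "Allow",
        Principal: { Service: LOG_DELIVERY_SERVICE },
        Action: "s3:PutObject",
        // Objects land under AWSLogs/<account-id>/; nothing else is writable.
        Resource: `${bucketArn}/AWSLogs/${accountId}/*`,
        Condition: {
          StringEquals: { ...sourceScope.StringEquals, "s3:x-amz-acl": "bucket-owner-full-control" },
          ArnLike: sourceScope.ArnLike,
        },
      },
      {
        Sid: "AWSLogDeliveryAclCheck",
        Effect: "Allow",
        Principal: { Service: LOG_DELIVERY_SERVICE },
        Action: ["s3:GetBucketAcl", "s3:ListBucket"],
        Resource: bucketArn,
        Condition: sourceScope,
      },
    ],
  };
}

const asList = (v: string | string[]): string[] => (Array.isArray(v) ? v : [v]);

// Returns the actions the log-delivery service still lacks on this bucket under the
// given policy; an empty list means the explicit policy covers delivery.
function missingLogDeliveryGrants(policy: PolicyDocument, bucketName: string): string[] {
  const bucketArn = `arn:aws:s3:::${bucketName}`;
  const required: Array<[string, (resource: string) => boolean]> = [
    ["s3:PutObject", (r) => r.startsWith(`${bucketArn}/`)],
    ["s3:GetBucketAcl", (r) => r === bucketArn],
  ];
  const granted = policy.Statement.filter(
    (s) => s.Effect === "Allow" && s.Principal.Service === LOG_DELIVERY_SERVICE,
  );
  return required
    .filter(
      ([action, matches]) =>
        !granted.some((s) => asList(s.Action).includes(action) && asList(s.Resource).some(matches)),
    )
    .map(([action]) => action);
}

// Constructed sample values, not real account data.
const samplePolicy = flowLogBucketPolicy("flow-logs-example", "111122223333", "us-east-1");
console.log(JSON.stringify(samplePolicy, null, 2));
console.log("missing grants:", missingLogDeliveryGrants(samplePolicy, "flow-logs-example"));
```

Attaching a policy like this at bucket creation is what lets the bucket keep a policy that the stack owns; the `missingLogDeliveryGrants` check is the kind of assertion a unit test for such a construct would make, so that a later edit to the policy cannot silently drop the delivery grant.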
Other information
No response
Acknowledge