I have a situation that I'm not able to figure out...
# aws
c
I have a situation that I'm not able to figure out at this moment. When creating an S3 bucket with Pulumi, our Cloud alarms get triggered because the S3 bucket is created with a "private" ACL and then the BucketPublicAccessBlock is applied after the fact. The issue is that for a few seconds, the bucket is technically "public" in the eyes of the alarm and automated intervention occurs. Is there a way to potentially avoid this situation?
g
What API are you using? There are `bucket` and `bucketv2`, and they can treat policy as a separate object; however, the API can accept it as an input parameter https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateBucket.html#API_CreateBucket_RequestParameters but `bucketV2` allows policy as a separate object https://www.pulumi.com/registry/packages/aws/api-docs/s3/bucketv2/ however, it can also allow the value directly.
c
(Cliff — we have the same issue. I’m interested in knowing a good way around this also. We don’t have an automated intervention (yet?), but it does generate noise in our alert stream.)
c
@great-sunset-355 We are using `bucketv2`. I believe you can supply the ACL, but not the public access block settings. The ACL policy does not solve the problem though.
g
You may need to tweak your alarm system because there is nothing you can do about it IMO, because `PublicAccessPolicyBlock` is a separate object from the bucket https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutPublicAccessBlock.html and it always needs to wait for the creation of the S3 bucket. Btw, finally, after years, S3 buckets are now private by default; not sure if it helps with this though.
c
@great-sunset-355 Yeah I agree with you about that. It likely won't be an issue come April as seen here: https://aws.amazon.com/about-aws/whats-new/2022/12/amazon-s3-automatically-enable-bl[…]ublic-access-disable-access-control-lists-buckets-april-2023/