aws_s3: minimum_tls_version alllows setting invalid TLS versions

[ericprice3678]

Describe the bug

You can currently set an invalid TLS Version using the minimumTLSVersion prop on s3.Bucket which will lock you out of being able to interact with the bucket after its created.

Obviously you should never do this, but its still possible.

my_broken_s3_bucket = s3.Bucket( self, "bucket", enforce_ssl=True, minimum_tls_version=1.4 )

Will deploy and create an S3 bucket, however because its not possible to meet its Bucket Policy's TLS requirements you cannot interact with this AWS Bucket at all. I presume you'd need to contact AWS Support to get it deleted.

Expected Behavior

Some type of input validation to this to make sure you can't do this.

Current Behavior

It allows you to set invalid the minimum tls version to an invalid result

Reproduction Steps

my_broken_s3_bucket = s3.Bucket( self, "bucket", enforce_ssl=True, minimum_tls_version=1.4 )

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.132.1 (build 9df7dd3)

Framework Version

No response

Node.js Version

v21.4.0

OS

macos

Language

Python

Language Version

No response

Other information

No response

[ericprice3678]

Forgot to mention, once this is done its not fixable. You can't delete the bucket manually and you also can't change the version number to a supported one and deploy an updated Stack because that will also get an Access Denied result.

[pahud]

Thank you for bringing this to our attention.

my_broken_s3_bucket = s3.Bucket( self, "bucket", enforce_ssl=True, minimum_tls_version=1.4 )

Can you share a sample bucket policy that would conflict with this prop so we can have more context about it?

[github-actions]

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.