fix(s3): enabling EventBridge on many buckets exceeds IAM policy size limit#38054
Open
vishwakt wants to merge 2 commits into
…many buckets

Enabling EventBridge notifications on a bucket (via the `eventBridgeEnabled` prop or `enableEventBridgeNotification()`) routes through the stack-singleton `BucketNotificationsHandler` custom resource. That handler's IAM role accumulates one `s3:PutBucketNotification` policy statement per bucket, so stacks with many EventBridge-enabled buckets exceed the 10,240 byte IAM role policy size limit at deploy time.

EventBridge enablement is a simple boolean on the bucket and, unlike Lambda/SQS/SNS notification targets, has no circular-dependency reason to go through the custom resource. It can be set directly on the bucket resource's `NotificationConfiguration.EventBridgeConfiguration` property.

Behind the new `@aws-cdk/aws-s3:eventBridgeNotificationViaCfnProperty` feature flag, EventBridge notifications for buckets created in the current stack are rendered directly on the `AWS::S3::Bucket` resource. An EventBridge-only bucket no longer creates the custom resource or its per-bucket IAM policy. Buckets that also have Lambda/SQS/SNS notifications keep the custom resource, which continues to render EventBridge so its (full-overwrite) PutBucketNotification call does not drop it. Imported buckets have no bucket resource to set and keep using the custom resource.

The change is gated behind a feature flag so existing stacks are not migrated in place: deleting the custom resource and adding the native property in a single deployment could let the custom resource's Delete handler wipe the notification configuration depending on resource ordering. New stacks get the recommended behavior; existing stacks keep the custom resource until they opt in.

Closes aws#38041.
aws-cdk-automation previously requested changes (Jun 1, 2026): ✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.
…notification-direct
# Conflicts:
# packages/aws-cdk-lib/recommended-feature-flags.json
Closes #38041.
Reason for this change
Enabling EventBridge notifications on a bucket (via the `eventBridgeEnabled` prop or `enableEventBridgeNotification()`) routes through the stack-singleton `BucketNotificationsHandler` custom resource. That handler's IAM role accumulates one `s3:PutBucketNotification` policy statement per bucket, so stacks with many EventBridge-enabled buckets exceed the 10,240 byte IAM role policy size limit at deploy time.

EventBridge enablement is a simple boolean on the bucket and, unlike Lambda/SQS/SNS notification targets, has no circular-dependency reason to go through the custom resource. It can be set directly on the bucket resource's `NotificationConfiguration.EventBridgeConfiguration` property.

Description of changes
Behind a new feature flag `@aws-cdk/aws-s3:eventBridgeNotificationViaCfnProperty` (`FlagType.BugFix`, recommended `true`, `unconfiguredBehavesLike: { v2: false }`):

- EventBridge notifications for buckets created in the current stack are rendered directly on the `AWS::S3::Bucket` resource. An EventBridge-only bucket no longer creates the custom resource or its per-bucket IAM policy.
- Buckets that also have Lambda/SQS/SNS notifications keep the custom resource, which continues to render EventBridge so its (full-overwrite) `PutBucketNotification` call does not drop it. This is handled for both orderings (enable EventBridge first then add a target, and vice versa).

Why a feature flag (migration safety): switching an existing stack from the custom resource to the native property in place would, in a single deployment, add the native property and delete the custom resource. CloudFormation does not guarantee the bucket update runs after the resource deletion, and the custom resource's `Delete` handler issues `put_bucket_notification_configuration({})`, which could wipe the configuration on a live bucket. Gating behind a flag means existing stacks keep the current behavior and only new stacks (or explicit opt-in) get the native property.

Describe any new or updated permissions being added
None. This change removes IAM policy statements (the per-bucket handler policy is no longer created for EventBridge-only buckets).
Description of how you validated changes
Unit tests in `aws-s3/test/notification.test.ts` covering: `enableEventBridgeNotification()` called after construction.

Added integ test `integ.bucket-eventbridge-notification-via-property` whose snapshot shows a single `AWS::S3::Bucket` carrying `EventBridgeConfiguration` and zero `Custom::S3BucketNotifications` resources.

Checklist
Credit to @fsojye for the report and reproduction, and to @pahud for the root-cause diagnosis on the issue.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
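Two checks an operator of an affected stack would want, written as an added example that is not code from this PR or from aws-cdk-lib: how many EventBridge-only buckets fit in the handler role's accumulated policy before the 10,240-byte limit the description cites, and which `Custom::S3BucketNotifications` resources in a synthesized template exist only to enable EventBridge (the buckets that stop needing the custom resource once the flag is on). The per-bucket statement shape, the custom resource property names and the sample template are assumptions constructed for the example.

```python
import json

IAM_ROLE_INLINE_POLICY_LIMIT = 10_240  # bytes, the limit the PR description cites


def handler_policy(bucket_names):
    """One s3:PutBucketNotification Allow statement per bucket: the shape the
    singleton handler role accumulates (assumed, modelled on the description)."""
    return {"Version": "2012-10-17", "Statement": [
        {"Action": "s3:PutBucketNotification", "Effect": "Allow",
         "Resource": f"arn:aws:s3:::{name}"} for name in bucket_names]}


def policy_size(policy):
    # IAM measures a policy document with whitespace stripped, hence compact JSON.
    return len(json.dumps(policy, separators=(",", ":")).encode())


def max_buckets_within_limit(limit=IAM_ROLE_INLINE_POLICY_LIMIT):
    """Largest number of EventBridge-only buckets whose statements still fit."""
    n = 0
    while policy_size(handler_policy(f"bucket-{i:03d}" for i in range(n + 1))) <= limit:
        n += 1
    return n


def eventbridge_only_custom_resources(template):
    """Logical IDs of Custom::S3BucketNotifications resources that exist only to
    enable EventBridge, i.e. buckets that need no custom resource once the flag
    is on. Property names follow the CDK custom resource (assumption)."""
    hits = []
    for logical_id, res in template["Resources"].items():
        if res.get("Type") != "Custom::S3BucketNotifications":
            continue
        cfg = res.get("Properties", {}).get("NotificationConfiguration", {})
        if "EventBridgeConfiguration" in cfg and len(cfg) == 1:
            hits.append(logical_id)
    return hits


# Constructed sample template (bucket resources behind the Refs omitted): one bucket
# on the native property, one EventBridge-only custom resource, one with an SQS target.
SAMPLE_TEMPLATE = {"Resources": {
    "NativeBucket": {"Type": "AWS::S3::Bucket", "Properties": {"NotificationConfiguration": {
        "EventBridgeConfiguration": {"EventBridgeEnabled": True}}}},
    "LegacyBucketNotifications": {"Type": "Custom::S3BucketNotifications", "Properties": {
        "BucketName": {"Ref": "LegacyBucket"}, "NotificationConfiguration": {"EventBridgeConfiguration": {}}}},
    "MixedBucketNotifications": {"Type": "Custom::S3BucketNotifications", "Properties": {
        "BucketName": {"Ref": "MixedBucket"}, "NotificationConfiguration": {"EventBridgeConfiguration": {},
        "QueueConfigurations": [{"Events": ["s3:ObjectCreated:*"], "QueueArn": "arn:aws:sqs:us-east-1:123456789012:q"}]}}},
}}
```

Run `eventbridge_only_custom_resources` over `cdk synth` output before enabling the flag to see which buckets the migration would touch; the count from `max_buckets_within_limit` is a sizing estimate, not IAM's exact accounting.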