Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(cloudtrail): isOrganizationTrail attaches insufficient permissions to bucket #29242

Merged
merged 8 commits into from
Feb 29, 2024

Conversation

paulhcsun
Copy link
Contributor

@paulhcsun paulhcsun commented Feb 24, 2024

Issue #22267 (if applicable)

Closes #22267.

Reason for this change

Setting the isOrganizationTrail property to true attaches insufficient permissions to the bucket thus failing to deploy the Trail with:

Invalid request provided: Incorrect S3 bucket policy is detected for bucket: ...

Description of changes

This PR adds a new property orgId to TrailProps that will be used to attach the missing permission

"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::myOrganizationBucket/AWSLogs/o-organizationID/*",
"Condition": {
    "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control",
          "aws:SourceArn": "arn:aws:cloudtrail:region:managementAccountID:trail/trailName"
}

when isOrganizationTrail: true.

Description of how you validated changes

Validated locally that I can deploy when Trail.isOrganizationTrail: true with a valid orgId + added unit test case.

I can't think of a way to test this with an integ test as it requires a valid orgId to deploy but any suggestions are welcome.

Checklist


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@aws-cdk-automation aws-cdk-automation requested a review from a team February 24, 2024 00:56
@github-actions github-actions bot added bug This issue is a bug. effort/small Small work item – less than a day of effort p1 labels Feb 24, 2024
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Feb 24, 2024
Copy link
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

@paulhcsun paulhcsun added the pr-linter/exempt-integ-test The PR linter will not require integ test changes label Feb 24, 2024
@paulhcsun
Copy link
Contributor Author

Exemption Request

I can't think of a way to test this with an integ test as it requires a valid orgId to deploy but any suggestions are welcome. I have validated locally that I can deploy when Trail.isOrganizationalTrail: true with a valid orgId

@aws-cdk-automation aws-cdk-automation dismissed their stale review February 24, 2024 01:00

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

@paulhcsun paulhcsun marked this pull request as ready for review February 24, 2024 01:00
@aws-cdk-automation aws-cdk-automation added the pr-linter/exemption-requested The contributor has requested an exemption to the PR Linter feedback. label Feb 24, 2024
@@ -262,6 +270,22 @@ export class Trail extends Resource {
},
}));

if (props.isOrganizationTrail) {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could also add a warning in the case that isOrganizationTrai: true and orgId is not provided. Probably not an error even though it would fail to deploy since some users may have manually added the missing policy already and won't need to use the new orgId prop.

Warning could be something like this but any alternative suggestions are welcome:
Organization Trails require passing in an organization id using the orgId property to attach a missing policy.

@aws-cdk-automation aws-cdk-automation added the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Feb 27, 2024
Copy link
Contributor

@GavinZZ GavinZZ left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some questions

@@ -128,6 +128,14 @@ export interface TrailProps {
*/
readonly isOrganizationTrail?: boolean;

/** The orgId.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why does it call orgId? Reaching this link, it seems to be The name of the folder where the log files are stored, including the bucket name, a prefix (if you specified one), and your AWS account ID. So more like account id?

Copy link
Contributor Author

@paulhcsun paulhcsun Feb 28, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The missing permission is specified under this section for organization trails. Specifically the third policy in that section which requires the o-organizationID:

{
            "Sid": "AWSCloudTrailOrganizationWrite20150319",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "cloudtrail.amazonaws.com"
                ]
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::myOrganizationBucket/AWSLogs/o-organizationID/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control",
                    "aws:SourceArn": "arn:aws:cloudtrail:region:managementAccountID:trail/trailName"
                }
            }
        }

Apologies, I just realized the link to the exact code block just redirects you to the top of the page which is a bit misleading.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This makes a lot more sense! Thanks!

@@ -262,6 +270,22 @@ export class Trail extends Resource {
},
}));

if (props.isOrganizationTrail) {
this.s3bucket.addToResourcePolicy(new iam.PolicyStatement({
resources: [this.s3bucket.arnForObjects(
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the doc, it mentions "arn:aws:s3:::myBucketName/[optionalPrefix]/AWSLogs/myAccountID/*". I haven't looked deep into it, but is the optional prefix part of the bucket and it would be handled by this.s3bucket.arnForObjects?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be this value for the resources: "arn:aws:s3:::myOrganizationBucket/AWSLogs/o-organizationID/*" where arn:aws:s3:::myOrganizationBucket/ is handled by this.s3bucket.arnForObjects. But for the case you're talking about it would not handle it, the optional prefix part is passed in from props:

    this.s3bucket.addToResourcePolicy(new iam.PolicyStatement({
      resources: [this.s3bucket.arnForObjects(
        `${props.s3KeyPrefix ? `${props.s3KeyPrefix}/` : ''}AWSLogs/${Stack.of(this).account}/*`,
      )],

if (props.isOrganizationTrail) {
this.s3bucket.addToResourcePolicy(new iam.PolicyStatement({
resources: [this.s3bucket.arnForObjects(
`AWSLogs/${props.orgId}/*`,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking at the below snippet, wouldn't the orgId be this.s3bucket.stack.account?

Resource": "arn:aws:s3:::myBucketName/[optionalPrefix]/AWSLogs/myAccountID/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control",
                    "aws:SourceArn": "arn:aws:cloudtrail:region:myAccountID:trail/trailName"
                }
            }

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's a different permission from that one we are adding here:

"Resource": "arn:aws:s3:::myOrganizationBucket/AWSLogs/o-organizationID/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control",
                    "aws:SourceArn": "arn:aws:cloudtrail:region:managementAccountID:trail/trailName"
                }
            }

Copy link
Contributor

@GavinZZ GavinZZ left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Copy link
Contributor

mergify bot commented Feb 29, 2024

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation aws-cdk-automation removed the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Feb 29, 2024
@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: d15f25e
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify mergify bot merged commit 457afa9 into aws:main Feb 29, 2024
12 checks passed
Copy link
Contributor

mergify bot commented Feb 29, 2024

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@paulhcsun paulhcsun deleted the cloudtrail-fix branch February 29, 2024 17:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug This issue is a bug. contribution/core This is a PR that came from AWS. effort/small Small work item – less than a day of effort p1 pr-linter/exempt-integ-test The PR linter will not require integ test changes pr-linter/exemption-requested The contributor has requested an exemption to the PR Linter feedback.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

(aws-cloudtrail): isOrganizationTrail attaches insufficient permissions to bucket
3 participants