Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(cloudtrail): isOrganizationTrail attaches insufficient permissions to bucket #29242

Merged
merged 8 commits into from
Feb 29, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 24 additions & 0 deletions packages/aws-cdk-lib/aws-cloudtrail/lib/cloudtrail.ts
Original file line number Diff line number Diff line change
Expand Up @@ -128,6 +128,14 @@ export interface TrailProps {
*/
readonly isOrganizationTrail?: boolean;

/** The orgId.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why does it call orgId? Reaching this link, it seems to be The name of the folder where the log files are stored, including the bucket name, a prefix (if you specified one), and your AWS account ID. So more like account id?

Copy link
Contributor Author

@paulhcsun paulhcsun Feb 28, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The missing permission is specified under this section for organization trails. Specifically the third policy in that section which requires the o-organizationID:

{
            "Sid": "AWSCloudTrailOrganizationWrite20150319",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "cloudtrail.amazonaws.com"
                ]
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::myOrganizationBucket/AWSLogs/o-organizationID/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control",
                    "aws:SourceArn": "arn:aws:cloudtrail:region:managementAccountID:trail/trailName"
                }
            }
        }

Apologies, I just realized the link to the exact code block just redirects you to the top of the page which is a bit misleading.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This makes a lot more sense! Thanks!

*
* Required when `isOrganizationTrail` is set to true to attach the necessary permissions.
*
* @default - No orgId
*/
readonly orgId?: string;

/**
* A JSON string that contains the insight types you want to log on a trail.
*
Expand Down Expand Up @@ -262,6 +270,22 @@ export class Trail extends Resource {
},
}));

if (props.isOrganizationTrail) {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could also add a warning in the case that isOrganizationTrai: true and orgId is not provided. Probably not an error even though it would fail to deploy since some users may have manually added the missing policy already and won't need to use the new orgId prop.

Warning could be something like this but any alternative suggestions are welcome:
Organization Trails require passing in an organization id using the orgId property to attach a missing policy.

this.s3bucket.addToResourcePolicy(new iam.PolicyStatement({
resources: [this.s3bucket.arnForObjects(
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the doc, it mentions "arn:aws:s3:::myBucketName/[optionalPrefix]/AWSLogs/myAccountID/*". I haven't looked deep into it, but is the optional prefix part of the bucket and it would be handled by this.s3bucket.arnForObjects?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be this value for the resources: "arn:aws:s3:::myOrganizationBucket/AWSLogs/o-organizationID/*" where arn:aws:s3:::myOrganizationBucket/ is handled by this.s3bucket.arnForObjects. But for the case you're talking about it would not handle it, the optional prefix part is passed in from props:

    this.s3bucket.addToResourcePolicy(new iam.PolicyStatement({
      resources: [this.s3bucket.arnForObjects(
        `${props.s3KeyPrefix ? `${props.s3KeyPrefix}/` : ''}AWSLogs/${Stack.of(this).account}/*`,
      )],

`AWSLogs/${props.orgId}/*`,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking at the below snippet, wouldn't the orgId be this.s3bucket.stack.account?

Resource": "arn:aws:s3:::myBucketName/[optionalPrefix]/AWSLogs/myAccountID/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control",
                    "aws:SourceArn": "arn:aws:cloudtrail:region:myAccountID:trail/trailName"
                }
            }

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's a different permission from that one we are adding here:

"Resource": "arn:aws:s3:::myOrganizationBucket/AWSLogs/o-organizationID/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control",
                    "aws:SourceArn": "arn:aws:cloudtrail:region:managementAccountID:trail/trailName"
                }
            }

)],
actions: ['s3:PutObject'],
principals: [cloudTrailPrincipal],
conditions: {
StringEquals: {
's3:x-amz-acl': 'bucket-owner-full-control',
'aws:SourceArn': `arn:${this.stack.partition}:cloudtrail:${this.s3bucket.stack.region}:${this.s3bucket.stack.account}:trail/${props.trailName}`,
},
},
}));
}

this.topic = props.snsTopic;
if (this.topic) {
this.topic.grantPublish(cloudTrailPrincipal);
Expand Down
130 changes: 130 additions & 0 deletions packages/aws-cdk-lib/aws-cloudtrail/test/cloudtrail.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -246,6 +246,136 @@ describe('cloudtrail', () => {
});
});

test('with orgId', () => {
// GIVEN
const stack = getTestStack();

// WHEN
new Trail(stack, 'Trail', { isOrganizationTrail: true, orgId: 'o-xxxxxxxxx', trailName: 'trailname123' });

Template.fromStack(stack).resourceCountIs('AWS::CloudTrail::Trail', 1);
Template.fromStack(stack).resourceCountIs('AWS::S3::Bucket', 1);
Template.fromStack(stack).hasResourceProperties('AWS::S3::BucketPolicy', {
Bucket: { Ref: 'TrailS30071F172' },
PolicyDocument: {
Statement: [
{
Action: 's3:*',
Condition: {
Bool: {
'aws:SecureTransport': 'false',
},
},
Effect: 'Deny',
Principal: {
AWS: '*',
},
Resource: [
{
'Fn::GetAtt': [
'TrailS30071F172',
'Arn',
],
},
{
'Fn::Join': [
'',
[
{
'Fn::GetAtt': [
'TrailS30071F172',
'Arn',
],
},
'/*',
],
],
},
],
},
{
Action: 's3:GetBucketAcl',
Effect: 'Allow',
Principal: {
Service: 'cloudtrail.amazonaws.com',
},
Resource: {
'Fn::GetAtt': [
'TrailS30071F172',
'Arn',
],
},
},
{
Action: 's3:PutObject',
Condition: {
StringEquals: {
's3:x-amz-acl': 'bucket-owner-full-control',
},
},
Effect: 'Allow',
Principal: {
Service: 'cloudtrail.amazonaws.com',
},
Resource: {
'Fn::Join': [
'',
[
{
'Fn::GetAtt': [
'TrailS30071F172',
'Arn',
],
},
'/AWSLogs/123456789012/*',
],
],
},
},
{
Action: 's3:PutObject',
Condition: {
StringEquals: {
's3:x-amz-acl': 'bucket-owner-full-control',
'aws:SourceArn': {
'Fn::Join': [
'',
[
'arn:',
{
Ref: 'AWS::Partition',
},
':cloudtrail:us-east-1:123456789012:trail/trailname123',
],
],
},
},
},
Effect: 'Allow',
Principal: {
Service: 'cloudtrail.amazonaws.com',
},
Resource: {
'Fn::Join': [
'',
[
{
'Fn::GetAtt': [
'TrailS30071F172',
'Arn',
],
},
'/AWSLogs/o-xxxxxxxxx/*',
],
],
},
},
],
Version: '2012-10-17',
},
});
});

test('encryption keys', () => {
const stack = new Stack();
const key = new kms.Key(stack, 'key');
Expand Down