Merge pull request #90 from aws-solutions/develop

beomseoklee · web-flow · commit 0fffb8f51ff4 · 2022-04-04T09:27:59.000-07:00
Enabled bucket policy for logging S3 bucket to allow secure transport only
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [2.0.2] - 2022-03-31
+
+### Added
+
+- Enabled encryption in transit for the logging S3 bucket.
+
 ## [2.0.1] - 2021-12-13
 
 Version 2.0.1 supports upgrading from version 2.0.0 but not from version 1.3.0 and below
@@ -58,14 +64,14 @@ Version 2.0.0 does not support upgrading from previous versions.
   - Added StartedBy tag to tasks for use by task listing functions
   - Modified all ECS task listing functions to support listing 1000 tasks
   - Modified TaskRunning lambda function to support being called multiple times from step functions
-- Tests start simultaneously 
+- Tests start simultaneously
   - Added ecscontroller.py to container package
   - Added ecslistener.py to container package
   - TaskRunner lambda launches worker tasks first, then leader task once workers are running
 - Run tests concurrently
   - Removed disabling of submit buttons if there is a test running
   - Unbuffered bzt output and added test Id to CloudWatch logs for access to test specific logs
-- Added support for Docker Hub login 
+- Added support for Docker Hub login
   - Added Secrets manager parameter to include secret containing Docker Hub credentials
 - Included more metrics
   - Added virtual users, failures, and successes to graph
diff --git a/source/infrastructure/lib/common-resources.ts b/source/infrastructure/lib/common-resources.ts
@@ -2,7 +2,7 @@
 // SPDX-License-Identifier: Apache-2.0
 import { Aws, CfnCondition, CfnCustomResource, CfnResource, Construct, CustomResource, Duration, RemovalPolicy, Stack, Tags } from '@aws-cdk/core';
 import { BlockPublicAccess, Bucket, BucketAccessControl, BucketEncryption, IBucket } from '@aws-cdk/aws-s3';
-import { Effect, Policy, PolicyDocument, PolicyStatement, Role, ServicePrincipal } from '@aws-cdk/aws-iam';
+import { AnyPrincipal, Effect, Policy, PolicyDocument, PolicyStatement, Role, ServicePrincipal } from '@aws-cdk/aws-iam';
 import { Code, Function as LambdaFunction, Runtime } from '@aws-cdk/aws-lambda';
 
 /**
@@ -77,14 +77,23 @@ export class CommonResourcesContruct extends Construct {
     });
     Tags.of(this.s3LogsBucket).add('SolutionId', props.solutionId);
 
+    this.s3LogsBucket.addToResourcePolicy(
+      new PolicyStatement({
+        actions: ['s3:*'],
+        conditions: {
+          Bool: { 'aws:SecureTransport': 'false' }
+        },
+        effect: Effect.DENY,
+        principals: [new AnyPrincipal()],
+        resources: [this.s3LogsBucket.bucketArn, this.s3LogsBucket.arnForObjects('*')]
+      })
+    );
+
     const s3LogsBucketResource = this.s3LogsBucket.node.defaultChild as CfnResource;
     s3LogsBucketResource.addMetadata('cfn_nag', {
       rules_to_suppress: [{
         id: 'W35',
         reason: 'This is the logging bucket, it does not require logging.'
-      }, {
-        id: 'W51',
-        reason: 'Since the bucket does not allow the public access, it does not require to have bucket policy.'
       }]
     })
 
diff --git a/source/infrastructure/test/__snapshots__/common-resources.test.ts.snap b/source/infrastructure/test/__snapshots__/common-resources.test.ts.snap
@@ -191,10 +191,6 @@ Object {
               "id": "W35",
               "reason": "This is the logging bucket, it does not require logging.",
             },
-            Object {
-              "id": "W51",
-              "reason": "Since the bucket does not allow the public access, it does not require to have bucket policy.",
-            },
           ],
         },
       },
@@ -225,6 +221,53 @@ Object {
       "Type": "AWS::S3::Bucket",
       "UpdateReplacePolicy": "Retain",
     },
+    "TestCommonResourcesLogsBucketPolicyAB18A08E": Object {
+      "Properties": Object {
+        "Bucket": Object {
+          "Ref": "TestCommonResourcesLogsBucket5B4DBD4F",
+        },
+        "PolicyDocument": Object {
+          "Statement": Array [
+            Object {
+              "Action": "s3:*",
+              "Condition": Object {
+                "Bool": Object {
+                  "aws:SecureTransport": "false",
+                },
+              },
+              "Effect": "Deny",
+              "Principal": Object {
+                "AWS": "*",
+              },
+              "Resource": Array [
+                Object {
+                  "Fn::GetAtt": Array [
+                    "TestCommonResourcesLogsBucket5B4DBD4F",
+                    "Arn",
+                  ],
+                },
+                Object {
+                  "Fn::Join": Array [
+                    "",
+                    Array [
+                      Object {
+                        "Fn::GetAtt": Array [
+                          "TestCommonResourcesLogsBucket5B4DBD4F",
+                          "Arn",
+                        ],
+                      },
+                      "/*",
+                    ],
+                  ],
+                },
+              ],
+            },
+          ],
+          "Version": "2012-10-17",
+        },
+      },
+      "Type": "AWS::S3::BucketPolicy",
+    },
     "TestCommonResourcesUUIDFDB821D1": Object {
       "DeletionPolicy": "Delete",
       "Properties": Object {
diff --git a/source/infrastructure/test/__snapshots__/distributed-load-testing-on-aws-stack.test.ts.snap b/source/infrastructure/test/__snapshots__/distributed-load-testing-on-aws-stack.test.ts.snap
@@ -1968,10 +1968,6 @@ Object {
               "id": "W35",
               "reason": "This is the logging bucket, it does not require logging.",
             },
-            Object {
-              "id": "W51",
-              "reason": "Since the bucket does not allow the public access, it does not require to have bucket policy.",
-            },
           ],
         },
       },
@@ -2008,6 +2004,53 @@ Object {
       "Type": "AWS::S3::Bucket",
       "UpdateReplacePolicy": "Retain",
     },
+    "DLTCommonResourcesLogsBucketPolicyAA7FFB37": Object {
+      "Properties": Object {
+        "Bucket": Object {
+          "Ref": "DLTCommonResourcesLogsBucket48A2774D",
+        },
+        "PolicyDocument": Object {
+          "Statement": Array [
+            Object {
+              "Action": "s3:*",
+              "Condition": Object {
+                "Bool": Object {
+                  "aws:SecureTransport": "false",
+                },
+              },
+              "Effect": "Deny",
+              "Principal": Object {
+                "AWS": "*",
+              },
+              "Resource": Array [
+                Object {
+                  "Fn::GetAtt": Array [
+                    "DLTCommonResourcesLogsBucket48A2774D",
+                    "Arn",
+                  ],
+                },
+                Object {
+                  "Fn::Join": Array [
+                    "",
+                    Array [
+                      Object {
+                        "Fn::GetAtt": Array [
+                          "DLTCommonResourcesLogsBucket48A2774D",
+                          "Arn",
+                        ],
+                      },
+                      "/*",
+                    ],
+                  ],
+                },
+              ],
+            },
+          ],
+          "Version": "2012-10-17",
+        },
+      },
+      "Type": "AWS::S3::BucketPolicy",
+    },
     "DLTCommonResourcesUUID2FD025A2": Object {
       "DeletionPolicy": "Delete",
       "Properties": Object {
