diff --git a/.github/workflows/cf-test.yml b/.github/workflows/cf-test.yml
index 324428c0..41ff63b9 100644
--- a/.github/workflows/cf-test.yml
+++ b/.github/workflows/cf-test.yml
@@ -30,6 +30,7 @@ jobs:
 framework: cloudformation
 output_format: cli
 output_bc_ids: false
+ skip_check: CKV_AWS_26,CKV_AWS_116,CKV_AWS_117,CKV_AWS_115,CKV_AWS_108,CKV_AWS_173,CKV_AWS_18,CKV_AWS_21,CKV_AWS_109,CKV_AWS_67,CKV_AWS_36,CKV_AWS_35
 
 CFSecurityChecksCFNNAG:
 name: "cfn-nag for Cloud Formation template"
diff --git a/aws-observability/apps/alb/alb_app.template.yaml b/aws-observability/apps/alb/alb_app.template.yaml
index 2fb3eb4e..fb08db4f 100755
--- a/aws-observability/apps/alb/alb_app.template.yaml
+++ b/aws-observability/apps/alb/alb_app.template.yaml
@@ -285,7 +285,10 @@ Resources:
 - logs:CreateLogGroup
 - logs:CreateLogStream
 - logs:PutLogEvents
- Resource: '*'
+ - Effect: "Allow"
+ Action:
+ - "s3:*"
+ Resource: 'LambdaHelper'
 
 LambdaHelper:
 Type: 'AWS::Serverless::Function'
diff --git a/aws-observability/apps/common/resources.template.yaml b/aws-observability/apps/common/resources.template.yaml
index 18f48f72..c9e0df72 100755
--- a/aws-observability/apps/common/resources.template.yaml
+++ b/aws-observability/apps/common/resources.template.yaml
@@ -440,7 +440,7 @@ Resources:
 - logs:CreateLogGroup
 - logs:CreateLogStream
 - logs:PutLogEvents
- Resource: '*'
+ Resource: "LambdaHelper"
 - PolicyName: AwsObservabilityLambdaExecutePoliciesS3
 PolicyDocument:
 Version: '2012-10-17'
@@ -449,7 +449,12 @@ Resources:
 Action:
 - s3:GetBucketPolicy
 - s3:PutBucketPolicy
+ Resource: "LambdaHelper"
+ - Effect: "Allow"
+ Action:
+ - "s3:*"
 Resource:
+ - "LambdaHelper"
 - !Sub
 - "arn:aws:s3:::${S3Bucket}"
 - S3Bucket: !If [install_alb_logs_source, !If [ create_alb_bucket, !Ref CommonS3Bucket, !Ref ALBS3LogsBucketName ], ""]
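Review bot: The added `skip_check` line silences twelve checkov policies for every CloudFormation template scanned by this job, with nothing recording why each exception is acceptable. Since other hunks in this same commit introduce `s3:*` statements, a repository-wide skip list is the wrong place for this: if any of these IDs cover IAM wildcard actions or Lambda hardening, the scanner will no longer flag exactly the grants it was added to catch. Prefer a per-resource `# checkov:skip=CKV_AWS_xxx: <reason>` annotation in the template that genuinely needs the exception, or at minimum a comment above this line listing the justification for each ID, and keep the global list to checks that are truly inapplicable to this project.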
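Review bot: In the alb_app hunk the statement carrying `logs:CreateLogGroup`/`logs:CreateLogStream`/`logs:PutLogEvents` is left with no `Resource` key once `Resource: '*'` is removed, and the new statement's `Resource: 'LambdaHelper'` is a bare logical ID rather than an ARN; IAM accepts only ARNs or `*` in `Resource`, so I would expect stack creation to fail with a malformed-policy error rather than deploy a tighter policy. Granting `s3:*` to a helper that previously had no S3 permissions at all also widens rather than narrows its access. Restore a scoped resource on the logs statement, e.g. `Resource: !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/*:*'`, and drop the `s3:*` statement unless this function demonstrably reads or writes a bucket, in which case list the specific `s3:` actions and that bucket's ARN. The same pattern appears in the elb, rootcause and permissionchecker templates in this commit.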
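Review bot: `Resource: "LambdaHelper"` in the first resources.template.yaml hunk is a CloudFormation logical name, not an ARN, so IAM will reject the policy; and even `!GetAtt LambdaHelper.Arn` would be the wrong target here, because `logs:` actions are evaluated against log-group and log-stream ARNs, not against the function that emits them. If the goal is to drop the wildcard, scope the statement to the function's log group, e.g. `Resource: !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/*:*'`. The enclosing policy statement starts above the hunk.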
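Review bot: The second resources.template.yaml hunk is a least-privilege regression: before the change `s3:GetBucketPolicy`/`s3:PutBucketPolicy` were scoped to the bucket ARNs in the `Resource` list, whereas after it those two actions point at the non-ARN string `"LambdaHelper"` and the bucket ARNs are moved under a new `"s3:*"` statement. Once the ARN problem is fixed, the net effect is that the helper goes from two bucket-policy calls to every S3 action on those buckets. I would keep the original statement with its bucket-ARN `Resource` list unchanged and delete the added `s3:*` statement; the `- "LambdaHelper"` entry in the resource list should go as well, since IAM will not accept it. The `Resource` list continues beyond the hunk, so check any further entries below line 449 as well.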
@@ -511,7 +516,10 @@ Resources:
 - logs:CreateLogGroup
 - logs:CreateLogStream
 - logs:PutLogEvents
- Resource: '*'
+ - Effect: "Allow"
+ Action:
+ - "s3:*"
+ Resource: 'LambdaHelperAlias'
 
 LambdaHelperAlias:
 Type: 'AWS::Serverless::Function'
@@ -596,6 +604,11 @@ Resources:
 - !Select
 - 2
 - !Split [ "/", !Ref "AWS::StackId" ]
+ PublicAccessBlockConfiguration:
+ RestrictPublicBuckets: true
+ BlockPublicPolicy: true
+ IgnorePublicAcls: true
+ BlockPublicAcls: true
 NotificationConfiguration:
 TopicConfigurations:
 - Event: s3:ObjectCreated:Put
diff --git a/aws-observability/apps/elb/elb_app.template.yaml b/aws-observability/apps/elb/elb_app.template.yaml
index 516ab6e9..4d3b1992 100755
--- a/aws-observability/apps/elb/elb_app.template.yaml
+++ b/aws-observability/apps/elb/elb_app.template.yaml
@@ -282,7 +282,10 @@ Resources:
 - logs:CreateLogGroup
 - logs:CreateLogStream
 - logs:PutLogEvents
- Resource: '*'
+ - Effect: "Allow"
+ Action:
+ - "s3:*"
+ Resource: 'LambdaHelper'
 
 LambdaHelper:
 Type: 'AWS::Serverless::Function'
diff --git a/aws-observability/apps/hostmetricsfields/host_metrics_add_fields.template.yaml b/aws-observability/apps/hostmetricsfields/host_metrics_add_fields.template.yaml
index 165a3612..5190cf77 100644
--- a/aws-observability/apps/hostmetricsfields/host_metrics_add_fields.template.yaml
+++ b/aws-observability/apps/hostmetricsfields/host_metrics_add_fields.template.yaml
@@ -174,7 +174,10 @@ Resources:
 - logs:CreateLogStream
 - logs:PutLogEvents
 - ec2:DescribeInstances
- Resource: '*'
+ - Effect: "Allow"
+ Action:
+ - "s3:*"
+ Resource: 'LambdaHelper'
 
 LambdaHelper:
 Type: AWS::Lambda::Function
diff --git a/aws-observability/apps/permissionchecker/permissioncheck.nested.template.test.yaml b/aws-observability/apps/permissionchecker/permissioncheck.nested.template.test.yaml
index b8eb9ade..22511675 100644
--- a/aws-observability/apps/permissionchecker/permissioncheck.nested.template.test.yaml
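Review bot: The `LambdaHelperAlias` execution policy has the same two problems as the other helpers in this commit: the `logs:*` statement no longer has a `Resource` at all, and the new statement's `Resource: 'LambdaHelperAlias'` is a logical ID, which IAM will reject because `Resource` must be an ARN or `*`. Rather than attaching `s3:*` to a function that had no S3 rights before, keep the logs statement and give it a log-group ARN, e.g. `Resource: !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/*:*'`, and only add an S3 statement if the alias function actually needs one. The policy statement begins above the hunk.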
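Review bot: In host_metrics_add_fields.template.yaml the statement that lists `ec2:DescribeInstances` loses its `Resource` when `Resource: '*'` is deleted, and `ec2:DescribeInstances` is a Describe call that does not support resource-level permissions, so this statement genuinely needs `Resource: '*'` restored (a narrower ARN would simply deny the call). The added `s3:*` statement with `Resource: 'LambdaHelper'` is not a valid IAM resource and, from what this hunk shows, this function has no S3 dependency; I would drop it. If the wildcard on the logs actions is the concern, split them into their own statement scoped to a log-group ARN and leave `ec2:DescribeInstances` alone with `'*'`.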
+++ b/aws-observability/apps/permissionchecker/permissioncheck.nested.template.test.yaml
@@ -252,7 +252,10 @@ Resources:
 - logs:PutLogEvents
 - s3:GetBucketPolicy
 - s3:PutBucketPolicy
- Resource: '*'
+ - Effect: "Allow"
+ Action:
+ - "s3:*"
+ Resource: 'LambdaHelper'
 
 SumoLogicSourceRole:
 Type: AWS::IAM::Role
@@ -429,6 +432,11 @@ Resources:
 - !Select
 - 2
 - !Split ["/", !Ref "AWS::StackId"]
+ PublicAccessBlockConfiguration:
+ RestrictPublicBuckets: true
+ BlockPublicPolicy: true
+ IgnorePublicAcls: true
+ BlockPublicAcls: true
 NotificationConfiguration:
 TopicConfigurations:
 - Event: s3:ObjectCreated:Put
diff --git a/aws-observability/apps/permissionchecker/permissioncheck.nested.template.yaml b/aws-observability/apps/permissionchecker/permissioncheck.nested.template.yaml
index 11f7b37e..e9e0af2b 100644
--- a/aws-observability/apps/permissionchecker/permissioncheck.nested.template.yaml
+++ b/aws-observability/apps/permissionchecker/permissioncheck.nested.template.yaml
@@ -250,7 +250,10 @@ Resources:
 - logs:PutLogEvents
 - s3:GetBucketPolicy
 - s3:PutBucketPolicy
- Resource: '*'
+ - Effect: "Allow"
+ Action:
+ - "s3:*"
+ Resource: 'LambdaHelper'
 
 SumoLogicSourceRole:
 Type: AWS::IAM::Role
@@ -427,6 +430,11 @@ Resources:
 - !Select
 - 2
 - !Split ["/", !Ref "AWS::StackId"]
+ PublicAccessBlockConfiguration:
+ RestrictPublicBuckets: true
+ BlockPublicPolicy: true
+ IgnorePublicAcls: true
+ BlockPublicAcls: true
 NotificationConfiguration:
 TopicConfigurations:
 - Event: s3:ObjectCreated:Put
diff --git a/aws-observability/apps/permissionchecker/permissioncheck.template.test.yaml b/aws-observability/apps/permissionchecker/permissioncheck.template.test.yaml
index 0b8a9b61..6c8328e8 100644
--- a/aws-observability/apps/permissionchecker/permissioncheck.template.test.yaml
+++ b/aws-observability/apps/permissionchecker/permissioncheck.template.test.yaml
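Review bot: In permissioncheck.nested.template.yaml the statement that grants `s3:GetBucketPolicy`/`s3:PutBucketPolicy` alongside the `logs:` actions is left without any `Resource`, and the appended `s3:*` statement uses `Resource: 'LambdaHelper'`, which is not an ARN; IAM will refuse the policy document, so this does not actually tighten anything. Since this policy already names the two bucket-policy actions it needs, the least-privilege fix is to keep them and point them at the bucket(s) this stack manages (the bucket created a few hundred lines below, for instance, via `!GetAtt <bucket>.Arn`), move the `logs:` actions to their own statement scoped to a log-group ARN, and delete the `s3:*` statement entirely. The `.nested.template.test.yaml` hunk above mirrors this and needs the same correction. The policy statement opens above the hunk.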
@@ -140,7 +140,10 @@ Resources:
 - "firehose:DeleteDeliveryStream"
 - "cloudwatch:GetMetricStream"
 - "cloudwatch:DeleteMetricStream"
- Resource: "*"
+ - Effect: "Allow"
+ Action:
+ - "s3:*"
+ Resource: "DeleteCFNLambda"
 ManagedPolicyArns:
 - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
 
diff --git a/aws-observability/apps/permissionchecker/permissioncheck.template.yaml b/aws-observability/apps/permissionchecker/permissioncheck.template.yaml
index af3004d1..3be42e2f 100644
--- a/aws-observability/apps/permissionchecker/permissioncheck.template.yaml
+++ b/aws-observability/apps/permissionchecker/permissioncheck.template.yaml
@@ -138,7 +138,10 @@ Resources:
 - "firehose:DeleteDeliveryStream"
 - "cloudwatch:GetMetricStream"
 - "cloudwatch:DeleteMetricStream"
- Resource: "*"
+ - Effect: "Allow"
+ Action:
+ - "s3:*"
+ Resource: "DeleteCFNLambda"
 ManagedPolicyArns:
 - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
 
diff --git a/aws-observability/apps/rootcause/rootcauseexplorer.template.yaml b/aws-observability/apps/rootcause/rootcauseexplorer.template.yaml
index 7a6b907c..7245bc7a 100755
--- a/aws-observability/apps/rootcause/rootcauseexplorer.template.yaml
+++ b/aws-observability/apps/rootcause/rootcauseexplorer.template.yaml
@@ -312,7 +312,10 @@ Resources:
 - logs:CreateLogGroup
 - logs:CreateLogStream
 - logs:PutLogEvents
- Resource: '*'
+ - Effect: "Allow"
+ Action:
+ - "s3:*"
+ Resource: 'LambdaHelper'
 
 LambdaHelper:
 Type: 'AWS::Serverless::Function'
diff --git a/aws-observability/templates/sumologic_observability.master.template.yaml b/aws-observability/templates/sumologic_observability.master.template.yaml
index 0b0b4589..a678e521 100644
--- a/aws-observability/templates/sumologic_observability.master.template.yaml
+++ b/aws-observability/templates/sumologic_observability.master.template.yaml
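Review bot: In permissioncheck.template.yaml the statement holding `firehose:DeleteDeliveryStream`, `cloudwatch:GetMetricStream` and `cloudwatch:DeleteMetricStream` (destructive actions, and the list continues above the hunk) is left with no `Resource` element, while the new `s3:*` statement names `"DeleteCFNLambda"`, a logical ID that IAM will not accept as a resource. As written the role's inline policy is malformed, so the stack cannot be created; and even once repaired, a cleanup function that deletes delivery streams and metric streams has no evident need for `s3:*`. Restore a `Resource` on the delete statement, narrowed to the delivery-stream and metric-stream ARNs this stack creates where the actions support it (`arn:${AWS::Partition}:firehose:${AWS::Region}:${AWS::AccountId}:deliverystream/<name>`, and the equivalent `cloudwatch:...:metric-stream/<name>`), and remove the `s3:*` statement. The role already carries `AWSLambdaBasicExecutionRole`, so no extra `logs:` grant is needed here.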
@@ -656,7 +656,6 @@ Resources:
 
 sumoRdsMetricsAppStack:
 Type: AWS::CloudFormation::Stack
- DependsOn: sumoLambdaMetricsAppStack
 Properties:
 TemplateURL: !Sub
 - "https://${BucketName}.s3.amazonaws.com/aws-observability-versions/${Version}/rds/rds_app.template.yaml"
diff --git a/aws-observability/templates/sumologic_observability.mp.test.yaml b/aws-observability/templates/sumologic_observability.mp.test.yaml
index 7d400217..38aa0f33 100755
--- a/aws-observability/templates/sumologic_observability.mp.test.yaml
+++ b/aws-observability/templates/sumologic_observability.mp.test.yaml
@@ -546,7 +546,11 @@ Resources:
 - Effect: "Allow"
 Action:
 - "kms:Decrypt"
- Resource: "*"
+ Resource: "SecretsRetrievalFunction"
+ - Effect: "Allow"
+ Action:
+ - "s3:*"
+ Resource: "SecretsRetrievalFunction"
 ManagedPolicyArns:
 - !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
 # Retrieving secrets passed in via SecretsManager Arn
diff --git a/aws-observability/templates/sumologic_observability.mp.yaml b/aws-observability/templates/sumologic_observability.mp.yaml
index 6549eb1b..16d52c9b 100755
--- a/aws-observability/templates/sumologic_observability.mp.yaml
+++ b/aws-observability/templates/sumologic_observability.mp.yaml
@@ -544,7 +544,11 @@ Resources:
 - Effect: "Allow"
 Action:
 - "kms:Decrypt"
- Resource: "*"
+ Resource: "SecretsRetrievalFunction"
+ - Effect: "Allow"
+ Action:
+ - "s3:*"
+ Resource: "SecretsRetrievalFunction"
 ManagedPolicyArns:
 - !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
 # Retrieving secrets passed in via SecretsManager Arn
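Review bot: Dropping `DependsOn: sumoLambdaMetricsAppStack` lets the RDS nested stack deploy in parallel with the Lambda-metrics stack, which is only safe if the RDS template consumes nothing the Lambda stack creates; the hunk does not show the rest of `sumoRdsMetricsAppStack`'s `Parameters`, so that cannot be confirmed from here. If the ordering was there for a reason other than a `!GetAtt` on the other stack (a shared resource created by the earlier stack, a provisioning-rate limit), this deletion reintroduces a race that will show up as intermittent create failures. A one-line comment above the resource stating why no ordering is required, e.g. `# no DependsOn: the RDS stack reads no outputs of sumoLambdaMetricsAppStack`, would make the intent auditable.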
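Review bot: In sumologic_observability.mp.yaml the `kms:Decrypt` statement now has `Resource: "SecretsRetrievalFunction"`, which is the Lambda's logical ID and not a KMS key ARN; IAM will reject it, and a `kms:Decrypt` grant in any case has to target the CMK that encrypts the secret, not the function that calls it. The right narrowing is the key ARN, supplied as a parameter or derived from the secret (e.g. `Resource: !Ref SecretsKmsKeyArn`, or `"*"` with a `kms:ViaService` condition limited to `secretsmanager.${AWS::Region}.amazonaws.com` if the key is not known at deploy time). The appended `s3:*` statement with the same non-ARN resource appears unrelated to a secrets-retrieval function and should be removed. The `.mp.test.yaml` hunk above mirrors this and needs the same fix; the statement's opening line is outside the hunk.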