Add ssm-log-archive-read-only-access flag for IAM roles (#543) (#589)

Authored-by: Brian Fanning <bfannin@amazon.com>

Author: BrianFanning

src/core/runtime/src/save-outputs-to-ssm/iam-utils.ts

@@ -249,15 +249,17 @@ export async function saveIamPolicy(
       }
     }
 
-    const ssmPolicyLength = iamConfig.roles?.filter(r => r['ssm-log-archive-access']).length;
+    const ssmPolicyLength = iamConfig.roles?.filter(
+      r => r['ssm-log-archive-write-access'] || r['ssm-log-archive-access'],
+    ).length;
     if (ssmPolicyLength && ssmPolicyLength !== 0) {
       const ssmPolicyOutput = IamPolicyOutputFinder.findOneByName({
         outputs,
         accountKey,
-        policyKey: 'IamSsmAccessPolicy',
+        policyKey: 'IamSsmWriteAccessPolicy',
       });
       if (!ssmPolicyOutput) {
-        console.warn(`Didn't find IAM SSM Log Archive Access Policy in output`);
+        console.warn(`Didn't find IAM SSM Log Archive Write Access Policy in output`);
         continue;
       }
       let currentIndex: number;

src/deployments/cdk/package.json

@@ -100,6 +100,7 @@
     "@aws-accelerator/custom-resource-disassociate-hosted-zones": "workspace:^0.0.1",
     "@aws-accelerator/custom-resource-ec2-modify-transit-gateway-vpc-attachment": "workspace:^0.0.1",
     "@aws-accelerator/custom-resource-s3-put-bucket-versioning": "workspace:^0.0.1",
+    "@aws-accelerator/custom-resource-s3-update-logarchive-policy": "workspace:^0.0.1",
     "@aws-cdk/aws-accessanalyzer": "1.85.0",
     "@aws-cdk/aws-autoscaling": "1.85.0",
     "@aws-cdk/aws-budgets": "1.85.0",

src/deployments/cdk/src/apps/phase-2.ts

@@ -27,6 +27,7 @@ import * as guardDutyDeployment from '../deployments/guardduty';
 import * as snsDeployment from '../deployments/sns';
 import * as ssmDeployment from '../deployments/ssm';
 import { getStackJsonOutput } from '@aws-accelerator/common-outputs/src/stack-output';
+import { logArchiveReadOnlyAccess } from '../deployments/s3/log-archive-read-access';
 
 /**
  * This is the main entry point to deploy phase 2
@@ -345,6 +346,14 @@ export async function deploy({ acceleratorConfig, accountStacks, accounts, conte
     outputs,
   });
 
+  await logArchiveReadOnlyAccess({
+    accountStacks,
+    accounts,
+    logBucket,
+    config: acceleratorConfig,
+    acceleratorPrefix: context.acceleratorPrefix,
+  });
+
   await tgwDeployment.acceptPeeringAttachment({
     accountStacks,
     accounts,

src/deployments/cdk/src/common/iam-assets.ts

@@ -119,14 +119,18 @@ export class IamAssets extends cdk.Construct {
       }
     };
 
-    const createIamSSMLogArchivePolicy = (): iam.ManagedPolicy => {
-      const policyName = createPolicyName('SSMAccessPolicy');
-      const iamSSMLogArchiveAccessPolicy = new iam.ManagedPolicy(this, `IAM-SSM-LogArchive-Policy-${accountKey}`, {
-        managedPolicyName: policyName,
-        description: policyName,
-      });
+    const createIamSSMLogArchiveWritePolicy = (): iam.ManagedPolicy => {
+      const policyName = createPolicyName('SSMWriteAccessPolicy');
+      const iamSSMLogArchiveWriteAccessPolicy = new iam.ManagedPolicy(
+        this,
+        `IAM-SSM-LogArchive-Write-Policy-${accountKey}`,
+        {
+          managedPolicyName: policyName,
+          description: policyName,
+        },
+      );
 
-      iamSSMLogArchiveAccessPolicy.addStatements(
+      iamSSMLogArchiveWriteAccessPolicy.addStatements(
         new iam.PolicyStatement({
           effect: iam.Effect.ALLOW,
           actions: ['kms:DescribeKey', 'kms:GenerateDataKey*', 'kms:Decrypt', 'kms:Encrypt', 'kms:ReEncrypt*'],
@@ -152,11 +156,43 @@ export class IamAssets extends cdk.Construct {
         }),
       );
       new CfnIamPolicyOutput(this, `IamSsmPolicyOutput`, {
-        policyName: iamSSMLogArchiveAccessPolicy.managedPolicyName,
-        policyArn: iamSSMLogArchiveAccessPolicy.managedPolicyArn,
-        policyKey: 'IamSsmAccessPolicy',
+        policyName: iamSSMLogArchiveWriteAccessPolicy.managedPolicyName,
+        policyArn: iamSSMLogArchiveWriteAccessPolicy.managedPolicyArn,
+        policyKey: 'IamSsmWriteAccessPolicy',
       });
-      return iamSSMLogArchiveAccessPolicy;
+      return iamSSMLogArchiveWriteAccessPolicy;
+    };
+
+    const createIamSSMLogArchiveReadOnlyPolicy = (): iam.ManagedPolicy => {
+      const policyName = createPolicyName('SSMReadOnlyAccessPolicy');
+      const iamSSMLogArchiveReadOnlyAccessPolicy = new iam.ManagedPolicy(
+        this,
+        `IAM-SSM-LogArchive-ReadOnly-Policy-${accountKey}`,
+        {
+          managedPolicyName: policyName,
+          description: policyName,
+        },
+      );
+
+      iamSSMLogArchiveReadOnlyAccessPolicy.addStatements(
+        new iam.PolicyStatement({
+          effect: iam.Effect.ALLOW,
+          actions: ['kms:Decrypt', 'kms:DescribeKey', 'kms:GenerateDataKey'],
+          resources: [logBucket.encryptionKey?.keyArn || '*'],
+        }),
+
+        new iam.PolicyStatement({
+          effect: iam.Effect.ALLOW,
+          actions: ['s3:GetObject'],
+          resources: [logBucket.arnForObjects('*')],
+        }),
+      );
+      new CfnIamPolicyOutput(this, `IamSsmReadOnlyPolicyOutput`, {
+        policyName: iamSSMLogArchiveReadOnlyAccessPolicy.managedPolicyName,
+        policyArn: iamSSMLogArchiveReadOnlyAccessPolicy.managedPolicyArn,
+        policyKey: 'IamSsmReadOnlyAccessPolicy',
+      });
+      return iamSSMLogArchiveReadOnlyAccessPolicy;
     };
 
     if (!IamConfigType.is(iamConfig)) {
@@ -191,8 +227,15 @@ export class IamAssets extends cdk.Construct {
         return;
       }
 
-      const ssmLogArchivePolicy =
-        iamRoles.filter(i => i['ssm-log-archive-access']).length > 0 ? createIamSSMLogArchivePolicy() : undefined;
+      const ssmLogArchiveWritePolicy =
+        iamRoles.filter(i => i['ssm-log-archive-write-access'] || i['ssm-log-archive-access']).length > 0
+          ? createIamSSMLogArchiveWritePolicy()
+          : undefined;
+
+      const ssmLogArchiveReadOnlyPolicy =
+        iamRoles.filter(i => i['ssm-log-archive-read-only-access']).length > 0
+          ? createIamSSMLogArchiveReadOnlyPolicy()
+          : undefined;
 
       for (const iamRole of iamRoles) {
         if (!IamRoleConfigType.is(iamRole)) {
@@ -224,8 +267,15 @@ export class IamAssets extends cdk.Construct {
             roleKey: 'IamAccountRole',
           });
 
-          if (iamRole['ssm-log-archive-access'] && ssmLogArchivePolicy) {
-            role.addManagedPolicy(ssmLogArchivePolicy);
+          if (
+            (iamRole['ssm-log-archive-write-access'] || iamRole['ssm-log-archive-access']) &&
+            ssmLogArchiveWritePolicy
+          ) {
+            role.addManagedPolicy(ssmLogArchiveWritePolicy);
+          }
+
+          if (iamRole['ssm-log-archive-read-only-access'] && ssmLogArchiveReadOnlyPolicy) {
+            role.addManagedPolicy(ssmLogArchiveReadOnlyPolicy);
           }
         }
       }

src/deployments/cdk/src/deployments/s3/index.ts

@@ -0,0 +1 @@
+export * from './log-archive-read-access';

src/deployments/cdk/src/deployments/s3/log-archive-read-access.ts

@@ -0,0 +1,38 @@
+import * as s3 from '@aws-cdk/aws-s3';
+import * as iam from '@aws-cdk/aws-iam';
+import { AccountStacks } from '../../common/account-stacks';
+import { AcceleratorConfig } from '@aws-accelerator/common-config/src';
+import { Account, getAccountId } from '@aws-accelerator/common-outputs/src/accounts';
+import { S3UpdateLogArchivePolicy } from '@aws-accelerator/custom-resource-s3-update-logarchive-policy';
+
+export interface LogArchiveReadAccessProps {
+  accountStacks: AccountStacks;
+  accounts: Account[];
+  logBucket: s3.IBucket;
+  config: AcceleratorConfig;
+  acceleratorPrefix: string;
+}
+
+export async function logArchiveReadOnlyAccess(props: LogArchiveReadAccessProps) {
+  const { accountStacks, accounts, logBucket, config, acceleratorPrefix } = props;
+  const logArchiveAccountKey = config['global-options']['central-log-services'].account;
+  const logArchiveStack = accountStacks.getOrCreateAccountStack(logArchiveAccountKey);
+  const logArchiveReadOnlyRoles = [];
+
+  // Update Log Archive Bucket and KMS Key policies for roles with ssm-log-archive-read-only-access
+  for (const { accountKey, iam: iamConfig } of config.getIamConfigs()) {
+    const accountId = getAccountId(accounts, accountKey);
+    const roles = iamConfig.roles || [];
+    for (const role of roles) {
+      if (role['ssm-log-archive-read-only-access']) {
+        logArchiveReadOnlyRoles.push(`arn:aws:iam::${accountId}:role/${role.role}`);
+      }
+    }
+  }
+
+  const LogBucketPolicy = new S3UpdateLogArchivePolicy(logArchiveStack, 'UpdateLogArchivePolicy', {
+    roles: logArchiveReadOnlyRoles,
+    logBucket,
+    acceleratorPrefix,
+  });
+}

src/lib/common-config/src/index.ts

@@ -242,6 +242,8 @@ export const IamPolicyConfigType = t.interface({
   policy: NonEmptyString,
 });
 
+// ssm-log-archive-access will be deprecated in a future release.
+// ssm-log-archive-write-access should be used instead
 export const IamRoleConfigType = t.interface({
   role: NonEmptyString,
   type: NonEmptyString,
@@ -251,6 +253,8 @@ export const IamRoleConfigType = t.interface({
   'source-account-role': optional(t.string),
   'trust-policy': optional(t.string),
   'ssm-log-archive-access': optional(t.boolean),
+  'ssm-log-archive-write-access': optional(t.boolean),
+  'ssm-log-archive-read-only-access': optional(t.boolean),
 });
 
 export const IamConfigType = t.interface({

src/lib/custom-resources/cdk-s3-update-logarchive-bucket-policy/README.md

@@ -0,0 +1,14 @@
+# S3 Update LogArchive Policy
+
+This is a custom resource to grant any roles with 'ssm-log-archive-read-only-access: true' read access to the Log Archive Bucket and its corresponding KMS key
+
+## Usage
+
+    import { S3UpdateLogArchivePolicy } from '@aws-accelerator/custom-resource-s3-update-logarchive-policy';
+
+    new S3UpdateLogArchivePolicy(scope, `UpdateLogArchivePolicy`, {
+      roles: string[],
+      logBucket: s3.IBucket,
+      removalPolicy?: cdk.RemovalPolicy;,
+      acceleratorPrefix: string
+    });

src/lib/custom-resources/cdk-s3-update-logarchive-bucket-policy/cdk/index.ts

@@ -0,0 +1,89 @@
+import * as path from 'path';
+import * as cdk from '@aws-cdk/core';
+import * as iam from '@aws-cdk/aws-iam';
+import * as lambda from '@aws-cdk/aws-lambda';
+import * as s3 from '@aws-cdk/aws-s3';
+import { HandlerProperties } from '@aws-accelerator/custom-resource-s3-update-logarchive-policy-runtime';
+
+const resourceType = 'Custom::S3UpdateLogArchivePolicy';
+
+export interface LogArchiveReadAccessProps {
+  roles: string[];
+  logBucket: s3.IBucket;
+  removalPolicy?: cdk.RemovalPolicy;
+  acceleratorPrefix: string;
+}
+
+/**
+ * Adds IAM roles with {'ssm-log-archive-read-only-access': true} to the LogArchive bucket policy
+ */
+export class S3UpdateLogArchivePolicy extends cdk.Construct {
+  private resource: cdk.CustomResource | undefined;
+
+  constructor(scope: cdk.Construct, id: string, private readonly props: LogArchiveReadAccessProps) {
+    super(scope, id);
+
+    const { roles, logBucket, acceleratorPrefix } = props;
+  }
+
+  get role(): iam.IRole {
+    return this.lambdaFunction.role!;
+  }
+
+  protected onPrepare() {
+    const handlerProperties: HandlerProperties = {
+      roles: this.props.roles,
+      logBucketArn: this.props.logBucket.bucketArn,
+      logBucketName: this.props.logBucket.bucketName,
+      logBucketKmsKeyArn: this.props.logBucket.encryptionKey?.keyArn,
+    };
+
+    this.resource = new cdk.CustomResource(this, 'Resource', {
+      resourceType,
+      serviceToken: this.lambdaFunction.functionArn,
+      removalPolicy: this.props.removalPolicy ?? cdk.RemovalPolicy.DESTROY,
+      properties: handlerProperties,
+    });
+  }
+
+  private get lambdaFunction(): lambda.Function {
+    const constructName = `${resourceType}Lambda`;
+    const stack = cdk.Stack.of(this);
+    const existing = stack.node.tryFindChild(constructName);
+    if (existing) {
+      return existing as lambda.Function;
+    }
+
+    const lambdaPath = require.resolve('@aws-accelerator/custom-resource-s3-update-logarchive-policy-runtime');
+    const lambdaDir = path.dirname(lambdaPath);
+
+    const role = new iam.Role(stack, 'Role', {
+      roleName: `${this.props.acceleratorPrefix}S3UpdateLogArchivePolicy`,
+      assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
+    });
+
+    role.addToPrincipalPolicy(
+      new iam.PolicyStatement({
+        actions: [
+          's3:GetBucketPolicy',
+          's3:PutBucketPolicy',
+          'kms:GetKeyPolicy',
+          'kms:PutKeyPolicy',
+          'logs:CreateLogGroup',
+          'logs:CreateLogStream',
+          'logs:PutLogEvents',
+          'tag:GetResources',
+        ],
+        resources: ['*'],
+      }),
+    );
+
+    return new lambda.Function(stack, constructName, {
+      runtime: lambda.Runtime.NODEJS_12_X,
+      code: lambda.Code.fromAsset(lambdaDir),
+      handler: 'index.handler',
+      role,
+      timeout: cdk.Duration.seconds(30),
+    });
+  }
+}

src/lib/custom-resources/cdk-s3-update-logarchive-bucket-policy/package.json

@@ -0,0 +1,37 @@
+{
+  "name": "@aws-accelerator/custom-resource-s3-update-logarchive-policy", 
+  "peerDependencies": {
+    "@aws-cdk/aws-iam": "1.85.0", 
+    "@aws-cdk/core": "1.85.0", 
+    "@aws-cdk/aws-lambda": "1.85.0"
+  }, 
+  "main": "cdk/index.ts",
+  "private": true, 
+  "version": "0.0.1", 
+  "dependencies": {
+    "@aws-cdk/aws-iam": "1.85.0", 
+    "@aws-cdk/core": "1.85.0", 
+    "@aws-cdk/aws-lambda": "1.85.0", 
+    "@aws-cdk/aws-s3": "1.85.0"
+  }, 
+  "devDependencies": {
+    "@aws-accelerator/custom-resource-s3-update-logarchive-policy-runtime": "workspace:^0.0.1", 
+    "eslint": "7.10.0",
+    "@typescript-eslint/eslint-plugin": "4.4.0",
+    "@typescript-eslint/parser": "4.4.0", 
+    "ts-node": "6.2.0", 
+    "eslint-config-standard": "14.1.1",
+    "eslint-plugin-standard": "4.0.1",
+    "eslint-plugin-deprecation": "1.1.0",
+    "eslint-plugin-promise": "4.2.1",
+    "eslint-plugin-import": "2.22.1",
+    "eslint-plugin-node": "11.1.0",
+    "eslint-plugin-jsdoc": "30.6.4",
+    "eslint-plugin-prefer-arrow": "1.2.2",
+    "eslint-plugin-react": "7.21.3",
+    "eslint-plugin-unicorn": "22.0.0", 
+    "eslint-config-prettier": "6.12.0", 
+    "typescript": "3.8.3", 
+    "@types/node": "12.12.6"
+  }
+}