Fix: destination policy length scale issue (#899)

Amrib24 · hickeydh-aws · web-flow · commit 3c11049cab18 · 2022-02-21T21:07:28.000-06:00
* fix: change log destination policy in the logs account to be based on ASEA roles and source is from within the org

* fix: reference org id from log stack account app to avoid cross app reference

* feat: add check for home region log account stack and throw error if not found

* fix: create the iam policy document leveraging the cdk, multiple conditions made easier

* fix: change entry for principal org id condition to array

* fix: remove unsupported condition key from aws logs destination policy

* fix: extend env vars of subscription filter lambda to be provided the roleArn for the filter

* feat: create separate role for the filter subscription on cloud watch logs destionation

* feat: add policy iam constrcut to enforce policy change to org id being condition source of log destination policy

* Update index.ts

fix es-lint error

* fixed duplicate iam import

Co-authored-by: hickeydh-aws &lt;88673813+hickeydh-aws@users.noreply.github.com&gt;
Co-authored-by: hickeydh &lt;hickeydh@amazon.com&gt;
diff --git a/src/deployments/cdk/src/apps/phase--1.ts b/src/deployments/cdk/src/apps/phase--1.ts
@@ -77,6 +77,13 @@ export async function deploy({ acceleratorConfig, accountStacks, accounts }: Pha
     config: acceleratorConfig,
   });
 
+  // Creates roles for cloud watch logs group subscriptions
+  await globalRoles.createCwlSubscriptionFilterRoles({
+    accountStacks,
+    accounts,
+    config: acceleratorConfig,
+  });
+
   // Creates role for SnsSubscriberLambda function
   await globalRoles.createSnsSubscriberLambdaRole({
     accountStacks,
diff --git a/src/deployments/cdk/src/apps/phase-1.ts b/src/deployments/cdk/src/apps/phase-1.ts
@@ -575,7 +575,6 @@ export async function deploy({ acceleratorConfig, accountStacks, accounts, conte
   // Central Services step 1
   await cwlCentralLoggingToS3.step1({
     accountStacks,
-    accounts,
     logBucket,
     outputs,
     config: acceleratorConfig,
diff --git a/src/deployments/cdk/src/deployments/central-services/central-logging-s3/step-1.ts b/src/deployments/cdk/src/deployments/central-services/central-logging-s3/step-1.ts
@@ -20,19 +20,17 @@ import * as s3 from '@aws-cdk/aws-s3';
 import * as logs from '@aws-cdk/aws-logs';
 import * as kinesisfirehose from '@aws-cdk/aws-kinesisfirehose';
 import { AccountStacks } from '../../../common/account-stacks';
-import { Account } from '../../../utils/accounts';
-import { JsonOutputValue } from '../../../common/json-output';
 import { CLOUD_WATCH_CENTRAL_LOGGING_BUCKET_PREFIX } from '@aws-accelerator/common/src/util/constants';
 import * as c from '@aws-accelerator/common-config';
 import { StackOutput } from '@aws-accelerator/common-outputs/src/stack-output';
 import { IamRoleOutputFinder } from '@aws-accelerator/common-outputs/src/iam-role';
 import { CfnLogDestinationOutput } from './outputs';
+import { Organizations } from '@aws-accelerator/custom-resource-organization';
 
 import path from 'path';
 
 export interface CentralLoggingToS3Step1Props {
   accountStacks: AccountStacks;
-  accounts: Account[];
   logBucket: s3.IBucket;
   outputs: StackOutput[];
   config: c.AcceleratorConfig;
@@ -42,9 +40,8 @@ export interface CentralLoggingToS3Step1Props {
  * Enable Central Logging to S3 in "log-archive" account Step 1
  */
 export async function step1(props: CentralLoggingToS3Step1Props) {
-  const { accountStacks, accounts, logBucket, config, outputs } = props;
-  // Setup for CloudWatch logs storing in logs account
-  const allAccountIds = accounts.map(account => account.id);
+  const { accountStacks, logBucket, config, outputs } = props;
+  // Setup for CloudWatch logs storing in logs account for org
   const centralLogServices = config['global-options']['central-log-services'];
   const cwlRegionsConfig = config['global-options']['additional-cwl-regions'];
   if (!cwlRegionsConfig[centralLogServices.region]) {
@@ -69,6 +66,16 @@ export async function step1(props: CentralLoggingToS3Step1Props) {
     console.error(`Skipping CWL Central logging setup due to unavailability of roles in output`);
     return;
   }
+  const logAccountStack = accountStacks.tryGetOrCreateAccountStack(
+    centralLogServices.account,
+    centralLogServices.region,
+  );
+  if (!logAccountStack) {
+    throw new Error(
+      `Cannot find mandatory ${centralLogServices.account} account in home region ${centralLogServices.region}.`,
+    );
+  }
+  const organizations = new Organizations(logAccountStack, 'Organizations');
 
   // Setting up in default "central-log-services" and "additional-cwl-regions" region
   for (const [region, regionConfig] of Object.entries(cwlRegionsConfig)) {
@@ -82,11 +89,11 @@ export async function step1(props: CentralLoggingToS3Step1Props) {
     }
     await cwlSettingsInLogArchive({
       scope: logAccountStack,
-      accountIds: allAccountIds,
       bucketArn: logBucket.bucketArn,
       shardCount: regionConfig['kinesis-stream-shard-count'],
       logStreamRoleArn: cwlLogStreamRoleOutput.roleArn,
       kinesisStreamRoleArn: cwlKinesisStreamRoleOutput.roleArn,
+      orgId: organizations.organizationId,
       dynamicS3LogPartitioning: centralLogServices['dynamic-s3-log-partitioning'],
       region,
     });
@@ -99,17 +106,17 @@ export async function step1(props: CentralLoggingToS3Step1Props) {
  */
 async function cwlSettingsInLogArchive(props: {
   scope: cdk.Construct;
-  accountIds: string[];
   bucketArn: string;
   logStreamRoleArn: string;
   kinesisStreamRoleArn: string;
+  orgId: string;
   shardCount?: number;
   dynamicS3LogPartitioning?: c.S3LogPartition[];
   region: string;
 }) {
   const {
     scope,
-    accountIds,
+    orgId,
     bucketArn,
     logStreamRoleArn,
     kinesisStreamRoleArn,
@@ -133,20 +140,26 @@ async function cwlSettingsInLogArchive(props: {
     suffixLength: 0,
   });
 
-  const destinatinPolicy = {
-    Version: '2012-10-17',
-    Statement: [
-      {
-        Effect: 'Allow',
-        Principal: {
-          AWS: accountIds,
+  const destinationPolicy = new iam.PolicyDocument({
+    statements: [
+      new iam.PolicyStatement({
+        effect: iam.Effect.ALLOW,
+        principals: [new iam.AnyPrincipal()],
+        actions: ['logs:PutSubscriptionFilter'],
+        resources: [`arn:aws:logs:${cdk.Aws.REGION}:${cdk.Aws.ACCOUNT_ID}:destination:${destinationName}`],
+        conditions: {
+          StringEquals: {
+            'aws:PrincipalOrgID': [orgId],
+          },
         },
-        Action: 'logs:PutSubscriptionFilter',
-        Resource: `arn:aws:logs:${cdk.Aws.REGION}:${cdk.Aws.ACCOUNT_ID}:destination:${destinationName}`,
-      },
+      }),
     ],
-  };
-  const destinationPolicyStr = JSON.stringify(destinatinPolicy);
+  });
+  const enforcedPolicy = new iam.Policy(scope, 'Log-Destination-Policy', {
+    force: true,
+    document: destinationPolicy,
+  });
+  const destinationPolicyStr = JSON.stringify(enforcedPolicy.document.toJSON());
   // Create AWS Logs Destination
   const logDestination = new logs.CfnDestination(scope, 'Log-Destination', {
     destinationName,
diff --git a/src/deployments/cdk/src/deployments/central-services/central-logging-s3/step-2.ts b/src/deployments/cdk/src/deployments/central-services/central-logging-s3/step-2.ts
@@ -47,10 +47,10 @@ export async function step2(props: CentralLoggingToS3Step2Props) {
     const subscriptionRoleOutput = IamRoleOutputFinder.tryFindOneByName({
       accountKey,
       outputs,
-      roleKey: 'CWLAddSubscriptionFilter',
+      roleKey: 'CWLSubscriptionFilter',
     });
     if (!subscriptionRoleOutput) {
-      console.error(`Can't find "CWLAddSubscriptionFilter" Role in account ${accountKey} outputs`);
+      console.error(`Can't find "CWLSubscriptionFilter" Role in account ${accountKey} outputs`);
       continue;
     }
     for (const region of cwlRegions) {
diff --git a/src/deployments/cdk/src/deployments/iam/cwl-subscription-filter-role.ts b/src/deployments/cdk/src/deployments/iam/cwl-subscription-filter-role.ts
@@ -0,0 +1,57 @@
+/**
+ *  Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance
+ *  with the License. A copy of the License is located at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES
+ *  OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions
+ *  and limitations under the License.
+ */
+
+import * as c from '@aws-accelerator/common-config/src';
+import * as iam from '@aws-cdk/aws-iam';
+import { AccountStacks } from '../../common/account-stacks';
+import { createRoleName } from '@aws-accelerator/cdk-accelerator/src/core/accelerator-name-generator';
+import { CfnIamRoleOutput } from './outputs';
+import { Account } from '../../utils/accounts';
+
+export interface CwlSubscriptionFilterRoleProps {
+  accountStacks: AccountStacks;
+  config: c.AcceleratorConfig;
+  accounts: Account[];
+}
+
+export async function createCwlSubscriptionFilterRoles(props: CwlSubscriptionFilterRoleProps): Promise<void> {
+  const { accountStacks, config, accounts } = props;
+  const centralLoggingServices = config['global-options']['central-log-services'];
+  for (const account of accounts) {
+    const accountStack = accountStacks.tryGetOrCreateAccountStack(account.key, centralLoggingServices.region);
+    if (!accountStack) {
+      console.error(
+        `Not able to create stack for "${centralLoggingServices.account}" while creating role for CWL Central logging`,
+      );
+      continue;
+    }
+    // Create IAM Role for reading logs from stream and push to destination
+    const role = new iam.Role(accountStack, 'CWLSubscriptionFilterRole', {
+      roleName: createRoleName('CWL-Subscription-Filter'),
+      assumedBy: new iam.ServicePrincipal('logs.amazonaws.com'),
+    });
+
+    role.addToPrincipalPolicy(
+      new iam.PolicyStatement({
+        actions: ['logs:PutLogEvents'],
+        resources: ['*'],
+      }),
+    );
+
+    new CfnIamRoleOutput(accountStack, `CWLSubscriptionFilterRoleOutput`, {
+      roleName: role.roleName,
+      roleArn: role.roleArn,
+      roleKey: 'CWLSubscriptionFilter',
+    });
+  }
+}
diff --git a/src/deployments/cdk/src/deployments/iam/index.ts b/src/deployments/cdk/src/deployments/iam/index.ts
@@ -22,6 +22,7 @@ export * from './ssm-document-roles';
 export * from './log-group-role';
 export * from './cwl-central-logging-roles';
 export * from './cwl-add-subscription-filter-role';
+export * from './cwl-subscription-filter-role';
 export * from './tgw-create-peering-roles';
 export * from './tgw-accept-peering-roles';
 export * from './logs-metric-filter-role';
diff --git a/src/lib/custom-resources/logs-add-subscription-filter/runtime-event-trigger/src/index.ts b/src/lib/custom-resources/logs-add-subscription-filter/runtime-event-trigger/src/index.ts
@@ -23,6 +23,7 @@ export const handler = async (input: any): Promise<string> => {
   console.log(JSON.stringify(input, null, 2));
 
   const logGroupName = input.detail.requestParameters.logGroupName as string;
+  const roleArn = process.env.ROLE_ARN || '';
   const logDestinationArn = process.env.LOG_DESTINATION;
   if (!logDestinationArn) {
     console.warn(`Log Destination is not parent in env for this account`);
@@ -40,7 +41,7 @@ export const handler = async (input: any): Promise<string> => {
   if (isExcluded(exclusions, logGroupName)) {
     return `No Need of Subscription Filter for "${logGroupName}"`;
   }
-  await addSubscriptionFilter(logGroupName, logDestinationArn);
+  await addSubscriptionFilter(logGroupName, logDestinationArn, roleArn);
   const logRetention = process.env.LOG_RETENTION;
   if (logRetention) {
     // Update Log Retention Policy
@@ -49,7 +50,7 @@ export const handler = async (input: any): Promise<string> => {
   return 'SUCCESS';
 };
 
-async function addSubscriptionFilter(logGroupName: string, destinationArn: string) {
+async function addSubscriptionFilter(logGroupName: string, destinationArn: string, roleArn: string) {
   // Adding subscription filter
   await throttlingBackOff(() =>
     logs
@@ -58,6 +59,7 @@ async function addSubscriptionFilter(logGroupName: string, destinationArn: strin
         logGroupName,
         filterName: `${CloudWatchRulePrefix}${logGroupName}`,
         filterPattern: '',
+        roleArn,
       })
       .promise(),
   );
diff --git a/src/lib/custom-resources/logs-add-subscription-filter/runtime/src/index.ts b/src/lib/custom-resources/logs-add-subscription-filter/runtime/src/index.ts
@@ -27,6 +27,7 @@ export interface HandlerProperties {
   logDestinationArn: string;
   globalExclusions?: string[];
   logRetention: number;
+  roleArn: string;
 }
 
 export const handler = errorHandler(onEvent);
@@ -90,7 +91,7 @@ const isExcluded = (exclusions: string[], logGroupName: string): boolean => {
 
 async function centralLoggingSubscription(event: CloudFormationCustomResourceEvent): Promise<void> {
   const properties = (event.ResourceProperties as unknown) as HandlerProperties;
-  const { logDestinationArn, logRetention } = properties;
+  const { logDestinationArn, logRetention, roleArn } = properties;
   const globalExclusions = properties.globalExclusions || [];
   const logGroups = await getLogGroups();
   const filterLogGroups = logGroups.filter(lg => !isExcluded(globalExclusions, lg.logGroupName!));
@@ -108,14 +109,14 @@ async function centralLoggingSubscription(event: CloudFormationCustomResourceEve
       await putLogRetentionPolicy(logGroup.logGroupName!, logRetention);
       // Add Subscription filter to logGroup
       console.log(`Adding subscription filter for ${logGroup.logGroupName}`);
-      await addSubscriptionFilter(logGroup.logGroupName!, logDestinationArn);
+      await addSubscriptionFilter(logGroup.logGroupName!, logDestinationArn, roleArn);
     }),
   );
 }
 
 async function centralLoggingSubscriptionUpdate(event: CloudFormationCustomResourceEvent): Promise<void> {
   const properties = (event.ResourceProperties as unknown) as HandlerProperties;
-  const { logDestinationArn, logRetention } = properties;
+  const { logDestinationArn, logRetention, roleArn } = properties;
   const globalExclusions = properties.globalExclusions || [];
   const logGroups = await getLogGroups();
   const filterLogGroups = logGroups.filter(lg => !isExcluded(globalExclusions, lg.logGroupName!));
@@ -142,7 +143,7 @@ async function centralLoggingSubscriptionUpdate(event: CloudFormationCustomResou
       await putLogRetentionPolicy(logGroup.logGroupName!, logRetention);
       // Add Subscription filter to logGroup
       console.log(`Adding subscription filter for ${logGroup.logGroupName}`);
-      await addSubscriptionFilter(logGroup.logGroupName!, logDestinationArn);
+      await addSubscriptionFilter(logGroup.logGroupName!, logDestinationArn, roleArn);
     }),
   );
 }
@@ -167,7 +168,7 @@ async function removeSubscriptionFilter(logGroupName: string, filterName: string
   }
 }
 
-async function addSubscriptionFilter(logGroupName: string, destinationArn: string) {
+async function addSubscriptionFilter(logGroupName: string, destinationArn: string, roleArn: string) {
   try {
     // Adding subscription filter
     await throttlingBackOff(() =>
@@ -177,6 +178,7 @@ async function addSubscriptionFilter(logGroupName: string, destinationArn: strin
           logGroupName,
           filterName: `${CloudWatchRulePrefix}${logGroupName}`,
           filterPattern: '',
+          roleArn,
         })
         .promise(),
     );
diff --git a/src/lib/custom-resources/logs-add-subscription-filter/src/index.ts b/src/lib/custom-resources/logs-add-subscription-filter/src/index.ts
@@ -56,6 +56,7 @@ export class CentralLoggingSubscriptionFilter extends cdk.Construct {
       EXCLUSIONS: JSON.stringify(props.globalExclusions),
       LOG_DESTINATION: props.logDestinationArn,
       LOG_RETENTION: props.logRetention.toString(),
+      ROLE_ARN: props.roleArn,
     };
     const addSubscriptionLambda = this.ensureLambdaFunction(
       this.cloudWatchEnventLambdaPath,
