Feat: encrypt kinesis by default (#888)

* feat: create kms keys for all other regions in log account, provided with new output variable in phase 0

* refactor: reuse create default s3 key, add policy for aws services

* chore: fix typo in default kms key output type

* feat: retrieve appropriate kms keys for sns in phase 2 based on account and region

* fix: change condition checks to be against account ID and not key

* fix: create topics with encryption keys for management & logs accounts

* feat: add policy for sns to installer cmk and reuse it to encrypt main machine state machine sns topic

* fix: add kms abilities to lambda and cloud watch as well to allow topics communication

* refactor: retrieve account keys from config object instead of hardcoded

* feat: add kms key and encrypt sns topic for main security account region if add sns topic is set

* refactor: extra default key creation and output to a function for code clean up

* refactor: extract logic of retrieving default key arn to its own function for code clean up

* feat: add default kms keys to other regions in security account and reuse account bucket for main region

* feat: allow macie to leverage the default keys created in other regions of security account

* fix: reference to accountstack region and not global region variable

* refactor: remove uneeded region function param for try find default key arn

* chore: lint fix

* chore: prettier fix

* tests: spec entries for new phases introduced for kms keys

* feat: leverage bucket kms keys to encrypt kinesis delivery stream & log stream

* feat: add encryption configs to extended s3 destination of firehose

* fix: remove uneeded configuration from firehose

* chore: prettier fix

* fixed bracket to dot notation

Co-authored-by: hickeydh-aws <hickeydh@amazon.com>

Author: Amrib24

src/deployments/cdk/src/deployments/central-services/central-logging-s3/step-1.ts

@@ -27,6 +27,9 @@ import * as c from '@aws-accelerator/common-config';
 import { StackOutput } from '@aws-accelerator/common-outputs/src/stack-output';
 import { IamRoleOutputFinder } from '@aws-accelerator/common-outputs/src/iam-role';
 import { CfnLogDestinationOutput } from './outputs';
+import * as kms from '@aws-cdk/aws-kms';
+import { LogBucketOutputTypeOutputFinder } from '@aws-accelerator/common-outputs/src/buckets';
+import { DefaultKmsOutputFinder } from '@aws-accelerator/common-outputs/src/kms';
 
 import path from 'path';
 
@@ -47,6 +50,7 @@ export async function step1(props: CentralLoggingToS3Step1Props) {
   const allAccountIds = accounts.map(account => account.id);
   const centralLogServices = config['global-options']['central-log-services'];
   const cwlRegionsConfig = config['global-options']['additional-cwl-regions'];
+  const homeRegion = config['global-options']['central-log-services'].region;
   if (!cwlRegionsConfig[centralLogServices.region]) {
     cwlRegionsConfig[centralLogServices.region] = {
       'kinesis-stream-shard-count': centralLogServices['kinesis-stream-shard-count'],
@@ -80,6 +84,32 @@ export async function step1(props: CentralLoggingToS3Step1Props) {
       );
       continue;
     }
+    let keyArn: string;
+    logAccountStack.region === centralLogServices.region
+      ? (keyArn = LogBucketOutputTypeOutputFinder.findOneByName({
+          outputs,
+          accountKey: logAccountStack.accountKey,
+          region: logAccountStack.region,
+        })?.encryptionKeyArn!)
+      : (keyArn = DefaultKmsOutputFinder.findOneByName({
+          outputs,
+          accountKey: logAccountStack.accountKey,
+          region: logAccountStack.region,
+        })?.encryptionKeyArn!);
+
+    const homeRegionEncryptionKeyArn = LogBucketOutputTypeOutputFinder.findOneByName({
+      outputs,
+      accountKey: logAccountStack.accountKey,
+      region: homeRegion,
+    })?.encryptionKeyArn!;
+
+    const homeRegionEncryptionKey = kms.Key.fromKeyArn(
+      logAccountStack,
+      'Default-Home-Region-Key-Phase-1',
+      homeRegionEncryptionKeyArn,
+    );
+    const encryptionKey = kms.Key.fromKeyArn(logAccountStack, 'Default-Key-Phase-1', keyArn);
+
     await cwlSettingsInLogArchive({
       scope: logAccountStack,
       accountIds: allAccountIds,
@@ -89,6 +119,8 @@ export async function step1(props: CentralLoggingToS3Step1Props) {
       kinesisStreamRoleArn: cwlKinesisStreamRoleOutput.roleArn,
       dynamicS3LogPartitioning: centralLogServices['dynamic-s3-log-partitioning'],
       region,
+      encryptionKey,
+      homeRegionEncryptionKey,
     });
   }
 }
@@ -103,6 +135,8 @@ async function cwlSettingsInLogArchive(props: {
   bucketArn: string;
   logStreamRoleArn: string;
   kinesisStreamRoleArn: string;
+  encryptionKey: kms.IKey;
+  homeRegionEncryptionKey: kms.IKey;
   shardCount?: number;
   dynamicS3LogPartitioning?: c.S3LogPartition[];
   region: string;
@@ -116,6 +150,8 @@ async function cwlSettingsInLogArchive(props: {
     shardCount,
     dynamicS3LogPartitioning,
     region,
+    encryptionKey,
+    homeRegionEncryptionKey,
   } = props;
 
   // Create Kinesis Stream for Logs streaming
@@ -124,7 +160,8 @@ async function cwlSettingsInLogArchive(props: {
       name: 'Kinesis-Logs-Stream',
       suffixLength: 0,
     }),
-    encryption: kinesis.StreamEncryption.UNENCRYPTED,
+    encryption: kinesis.StreamEncryption.KMS,
+    encryptionKey,
     shardCount,
   });
 
@@ -186,6 +223,7 @@ async function cwlSettingsInLogArchive(props: {
     deliveryStreamName: createName({
       name: 'Firehose-Delivery-Stream-Partition',
     }),
+
     deliveryStreamType: 'KinesisStreamAsSource',
     kinesisStreamSourceConfiguration: {
       kinesisStreamArn: logsStream.streamArn,
@@ -203,6 +241,11 @@ async function cwlSettingsInLogArchive(props: {
         enabled: true,
       },
       errorOutputPrefix: `${CLOUD_WATCH_CENTRAL_LOGGING_BUCKET_PREFIX}/processing-failed`,
+      encryptionConfiguration: {
+        kmsEncryptionConfig: {
+          awskmsKeyArn: homeRegionEncryptionKey.keyArn,
+        },
+      },
       prefix: '!{partitionKeyFromLambda:dynamicPrefix}',
       processingConfiguration: {
         enabled: true,

src/deployments/cdk/src/deployments/defaults/shared.ts

@@ -44,21 +44,23 @@ export function createDefaultS3Key(props: { accountStack: AccountStack; prefix:
   );
   encryptionKey.addToResourcePolicy(
     new iam.PolicyStatement({
-      sid: 'Allow ASEA Roles to use the encryption key',
+      sid: 'Allow AWS services to use the encryption key',
       actions: ['kms:Encrypt', 'kms:Decrypt', 'kms:ReEncrypt*', 'kms:GenerateDataKey*', 'kms:DescribeKey'],
       principals: [
         new iam.ServicePrincipal('sns.amazonaws.com'),
         new iam.ServicePrincipal('cloudwatch.amazonaws.com'),
         new iam.ServicePrincipal('lambda.amazonaws.com'),
         // For macie usage in security account
         new iam.ServicePrincipal('macie.amazonaws.com'),
+        // Kinesis for usage in the log account
+        new iam.ServicePrincipal('kinesis.amazonaws.com'),
       ],
       resources: ['*'],
     }),
   );
   encryptionKey.addToResourcePolicy(
     new iam.PolicyStatement({
-      sid: 'Allow AWS services to use the encryption key',
+      sid: 'Allow Accelerator Role to use the encryption key',
       actions: ['kms:Encrypt', 'kms:Decrypt', 'kms:ReEncrypt*', 'kms:GenerateDataKey*', 'kms:DescribeKey'],
       principals: [new iam.AnyPrincipal()],
       resources: ['*'],

src/lib/common-outputs/src/kms.ts

@@ -24,6 +24,8 @@ export const DefaultKmsOutput = t.interface(
   'DefaultKms',
 );
 
+export type EbsKmsOutput = t.TypeOf<typeof DefaultKmsOutput>;
+
 export const DefaultKmsOutputFinder = createStructuredOutputFinder(DefaultKmsOutput, finder => ({
   findOneByName: (props: { outputs: StackOutput[]; accountKey: string; region?: string }) =>
     finder.tryFindOne({