feat(core): Additional enhancements (#669)

* feat(core): Additional enhancements
- enable access logging on Rsyslog NLB
- Enable DeletionProtection on ELB
- Deny non https calls to S3 buckets
* Updating installerBucket Policy to allow only secure requests
* Fix adding subscription filter to loggroups
- Using .map instead of regular for loop
* Fix adding subscription filter for existing user by changing construct name
- add additional back-off, retry conditions

Author: naveenkoppula

src/deployments/cdk/src/apps/phase-3.ts

@@ -6,7 +6,7 @@ import * as rsyslogDeployment from '../deployments/rsyslog';
 import { ImportedVpc } from '../deployments/vpc';
 import { VpcOutput } from '@aws-accelerator/common-outputs/src/vpc';
 import { getStackJsonOutput } from '@aws-accelerator/common-outputs/src/stack-output';
-import { CentralBucketOutput, AccountBucketOutput } from '../deployments/defaults';
+import { CentralBucketOutput, AccountBucketOutput, AesBucketOutput } from '../deployments/defaults';
 import * as securityHub from '../deployments/security-hub';
 import * as macie from '../deployments/macie';
 import * as transitGateway from '../deployments/transit-gateway';
@@ -25,6 +25,12 @@ import * as awsConfig from '../deployments/config';
  */
 
 export async function deploy({ acceleratorConfig, accountStacks, accounts, context, outputs }: PhaseInput) {
+  const aesLogArchiveBucket = AesBucketOutput.getBucket({
+    accountStacks,
+    config: acceleratorConfig,
+    outputs,
+  });
+
   /**
    * Code to create Peering Connection Routes in all accounts
    */
@@ -73,6 +79,7 @@ export async function deploy({ acceleratorConfig, accountStacks, accounts, conte
     accountStacks,
     config: acceleratorConfig,
     outputs,
+    aesLogArchiveBucket,
   });
 
   // Import all VPCs from all outputs
@@ -95,6 +102,7 @@ export async function deploy({ acceleratorConfig, accountStacks, accounts, conte
     vpcs: allVpcs,
     centralBucket,
     context,
+    aesLogArchiveBucket,
   });
 
   // Deploy Security Hub Step-2

src/deployments/cdk/src/deployments/alb/step-1.ts

@@ -27,16 +27,11 @@ export interface AlbStep1Props {
   accountStacks: AccountStacks;
   config: AcceleratorConfig;
   outputs: StackOutput[];
+  aesLogArchiveBucket: s3.IBucket;
 }
 
 export async function step1(props: AlbStep1Props) {
-  const { accountStacks, config, outputs } = props;
-
-  const aesLogArchiveBucket = AesBucketOutput.getBucket({
-    accountStacks,
-    config,
-    outputs,
-  });
+  const { accountStacks, config, outputs, aesLogArchiveBucket } = props;
 
   const vpcConfigs = config.getVpcConfigs();
   for (const { ouKey, accountKey, albs: albConfigs } of config.getAlbConfigs()) {

src/deployments/cdk/src/deployments/defaults/step-1.ts

@@ -92,15 +92,7 @@ function createCentralBucketCopy(props: DefaultsStep1Props) {
     encryptionKey,
     blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL,
     removalPolicy: cdk.RemovalPolicy.RETAIN,
-  });
-
-  // TODO: Remove and use fields directly when CDK enhanced s3.Bucket.
-  (bucket.node.defaultChild as s3.CfnBucket).addPropertyOverride('OwnershipControls', {
-    Rules: [
-      {
-        ObjectOwnership: 'BucketOwnerPreferred',
-      },
-    ],
+    objectOwnership: s3.ObjectOwnership.BUCKET_OWNER_PREFERRED,
   });
 
   // Let the bucket name be generated by CloudFormation
@@ -137,6 +129,21 @@ function createCentralBucketCopy(props: DefaultsStep1Props) {
     }),
   );
 
+  // Allow only https requests
+  bucket.addToResourcePolicy(
+    new iam.PolicyStatement({
+      actions: ['s3:*'],
+      resources: [bucket.bucketArn, bucket.arnForObjects('*')],
+      principals: anyAccountPrincipal,
+      conditions: {
+        Bool: {
+          'aws:SecureTransport': 'false',
+        },
+      },
+      effect: iam.Effect.DENY,
+    }),
+  );
+
   new CfnCentralBucketOutput(masterAccountStack, 'CentralBucketOutput', {
     bucketArn: bucket.bucketArn,
     bucketName: bucket.bucketName,
@@ -310,15 +317,7 @@ function createAesLogBucket(props: DefaultsStep1Props) {
     blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL,
     encryption: s3.BucketEncryption.S3_MANAGED,
     removalPolicy: cdk.RemovalPolicy.RETAIN,
-  });
-
-  // TODO: Remove and use fields directly when CDK enhanced s3.Bucket.
-  (logBucket.node.defaultChild as s3.CfnBucket).addPropertyOverride('OwnershipControls', {
-    Rules: [
-      {
-        ObjectOwnership: 'BucketOwnerPreferred',
-      },
-    ],
+    objectOwnership: s3.ObjectOwnership.BUCKET_OWNER_PREFERRED,
   });
 
   // Let the bucket name be generated by CloudFormation
@@ -354,6 +353,21 @@ function createAesLogBucket(props: DefaultsStep1Props) {
     }),
   );
 
+  // Allow only https requests
+  logBucket.addToResourcePolicy(
+    new iam.PolicyStatement({
+      actions: ['s3:*'],
+      resources: [logBucket.bucketArn, logBucket.arnForObjects('*')],
+      principals: [new iam.AnyPrincipal()],
+      conditions: {
+        Bool: {
+          'aws:SecureTransport': 'false',
+        },
+      },
+      effect: iam.Effect.DENY,
+    }),
+  );
+
   new CfnAesBucketOutput(logAccountStack, 'AesLogBucketOutput', {
     bucketArn: logBucket.bucketArn,
     bucketName: logBucket.bucketName,

src/deployments/cdk/src/deployments/defaults/step-2.ts

@@ -82,6 +82,21 @@ function createDefaultS3Buckets(props: DefaultsStep2Props) {
       }),
     );
 
+    // Allow only https requests
+    bucket.addToResourcePolicy(
+      new iam.PolicyStatement({
+        actions: ['s3:*'],
+        resources: [bucket.bucketArn, bucket.arnForObjects('*')],
+        principals: [new iam.AnyPrincipal()],
+        conditions: {
+          Bool: {
+            'aws:SecureTransport': 'false',
+          },
+        },
+        effect: iam.Effect.DENY,
+      }),
+    );
+
     buckets[accountKey] = bucket;
 
     new CfnAccountBucketOutput(accountStack, 'DefaultBucketOutput', {

src/deployments/cdk/src/deployments/rsyslog/step-2.ts

@@ -17,6 +17,7 @@ import { ImageIdOutputFinder } from '@aws-accelerator/common-outputs/src/ami-out
 import { IamRoleOutputFinder } from '@aws-accelerator/common-outputs/src/iam-role';
 import { Context } from '../../utils/context';
 import { CfnLoadBalancerOutput } from '../alb/outputs';
+import { AesBucketOutput } from '../defaults';
 
 export interface RSysLogStep1Props {
   accountStacks: AccountStacks;
@@ -25,10 +26,11 @@ export interface RSysLogStep1Props {
   vpcs: Vpc[];
   centralBucket: s3.IBucket;
   context: Context;
+  aesLogArchiveBucket: s3.IBucket;
 }
 
 export async function step2(props: RSysLogStep1Props) {
-  const { accountStacks, config, outputs, vpcs, centralBucket, context } = props;
+  const { accountStacks, config, outputs, vpcs, centralBucket, context, aesLogArchiveBucket } = props;
 
   for (const [accountKey, accountConfig] of config.getMandatoryAccountConfigs()) {
     const rsyslogConfig = accountConfig.deployments?.rsyslog;
@@ -54,7 +56,7 @@ export async function step2(props: RSysLogStep1Props) {
     }
 
     const rsyslogTargetGroup = createTargetGroupForInstance(accountStack, 'RsyslogTG', vpc.id);
-    createNlb(accountKey, rsyslogConfig, accountStack, vpc, rsyslogTargetGroup.ref);
+    createNlb(accountKey, rsyslogConfig, accountStack, vpc, rsyslogTargetGroup.ref, aesLogArchiveBucket);
     createAsg(
       accountKey,
       rsyslogConfig,
@@ -74,6 +76,7 @@ export function createNlb(
   accountStack: AcceleratorStack,
   vpc: Vpc,
   targetGroupArn: string,
+  aesLogArchiveBucket: s3.IBucket,
 ) {
   const nlbSubnetIds: string[] = [];
   for (const subnetConfig of rsyslogConfig['web-subnets']) {
@@ -95,6 +98,7 @@ export function createNlb(
     scheme: 'internal',
     subnetIds: nlbSubnetIds,
     ipType: 'ipv4',
+    aesLogArchiveBucket,
   });
 
   // Add default listener

src/installer/cdk/src/index.ts

@@ -325,16 +325,23 @@ async function main() {
   // Encryption is not necessary for this pipeline so we create a custom unencrypted bucket
   const installerArtifactsBucket = new s3.Bucket(stack, 'ArtifactsBucket', {
     removalPolicy: cdk.RemovalPolicy.DESTROY,
+    objectOwnership: s3.ObjectOwnership.BUCKET_OWNER_PREFERRED,
   });
 
-  // TODO: Remove and use fields directly when CDK enhanced s3.Bucket.
-  (installerArtifactsBucket.node.defaultChild as s3.CfnBucket).addPropertyOverride('OwnershipControls', {
-    Rules: [
-      {
-        ObjectOwnership: 'BucketOwnerPreferred',
+  // Allow only https requests
+  installerArtifactsBucket.addToResourcePolicy(
+    new iam.PolicyStatement({
+      actions: ['s3:*'],
+      resources: [installerArtifactsBucket.bucketArn, installerArtifactsBucket.arnForObjects('*')],
+      principals: [new iam.AnyPrincipal()],
+      conditions: {
+        Bool: {
+          'aws:SecureTransport': 'false',
+        },
       },
-    ],
-  });
+      effect: iam.Effect.DENY,
+    }),
+  );
 
   new codepipeline.Pipeline(stack, 'Pipeline', {
     role: installerPipelineRole,

src/lib/cdk-constructs/package.json

@@ -17,55 +17,56 @@
     "@types/hash-sum": "1.0.0",
     "@types/jest": "25.2.1",
     "@types/node": "12.12.6",
-    "babel-jest": "25.2.0",
-    "jest": "25.2.4",
-    "prettier": "2.2.0",
-    "ts-jest": "25.3.0",
-    "ts-node": "8.8.1",
-    "eslint": "7.10.0",
     "@typescript-eslint/eslint-plugin": "4.4.0",
     "@typescript-eslint/parser": "4.4.0",
+    "babel-jest": "25.2.0",
+    "eslint": "7.10.0",
     "eslint-config-prettier": "6.12.0",
     "eslint-config-standard": "14.1.1",
-    "eslint-plugin-standard": "4.0.1",
     "eslint-plugin-deprecation": "1.1.0",
-    "eslint-plugin-promise": "4.2.1",
     "eslint-plugin-import": "2.22.1",
-    "eslint-plugin-node": "11.1.0",
     "eslint-plugin-jsdoc": "30.6.4",
+    "eslint-plugin-node": "11.1.0",
     "eslint-plugin-prefer-arrow": "1.2.2",
+    "eslint-plugin-promise": "4.2.1",
     "eslint-plugin-react": "7.21.3",
+    "eslint-plugin-standard": "4.0.1",
     "eslint-plugin-unicorn": "22.0.0",
+    "jest": "25.2.4",
+    "prettier": "2.2.0",
+    "ts-jest": "25.3.0",
+    "ts-node": "8.8.1",
     "typescript": "3.8.3"
   },
   "dependencies": {
+    "@aws-accelerator/custom-resource-cfn-sleep": "workspace:^0.0.1",
+    "@aws-accelerator/custom-resource-ec2-keypair": "workspace:^0.0.1",
+    "@aws-accelerator/custom-resource-elb-deletion-protection": "workspace:^0.0.1",
+    "@aws-accelerator/custom-resource-r53-dns-endpoint-ips": "workspace:^0.0.1",
+    "@aws-accelerator/custom-resource-s3-put-bucket-replication": "workspace:^0.0.1",
+    "@aws-accelerator/custom-resource-s3-template": "workspace:^0.0.1",
+    "@aws-accelerator/custom-resource-security-hub-accept-invites": "workspace:^0.0.1",
+    "@aws-accelerator/custom-resource-security-hub-enable": "workspace:^0.0.1",
+    "@aws-accelerator/custom-resource-security-hub-send-invites": "workspace:^0.0.1",
     "@aws-cdk/aws-autoscaling": "1.85.0",
     "@aws-cdk/aws-budgets": "1.85.0",
     "@aws-cdk/aws-cloudformation": "1.85.0",
+    "@aws-cdk/aws-config": "1.85.0",
     "@aws-cdk/aws-ec2": "1.85.0",
     "@aws-cdk/aws-iam": "1.85.0",
     "@aws-cdk/aws-kms": "1.85.0",
     "@aws-cdk/aws-lambda": "1.85.0",
+    "@aws-cdk/aws-route53resolver": "1.85.0",
     "@aws-cdk/aws-s3": "1.85.0",
     "@aws-cdk/aws-s3-assets": "1.85.0",
+    "@aws-cdk/aws-securityhub": "1.85.0",
     "@aws-cdk/aws-ssm": "1.85.0",
     "@aws-cdk/core": "1.85.0",
-    "@aws-cdk/aws-securityhub": "1.85.0",
-    "@aws-cdk/aws-route53resolver": "1.85.0",
-    "@aws-cdk/aws-config": "1.85.0",
-    "@aws-accelerator/custom-resource-cfn-sleep": "workspace:^0.0.1",
-    "@aws-accelerator/custom-resource-ec2-keypair": "workspace:^0.0.1",
-    "@aws-accelerator/custom-resource-s3-template": "workspace:^0.0.1",
-    "@aws-accelerator/custom-resource-security-hub-accept-invites": "workspace:^0.0.1",
-    "@aws-accelerator/custom-resource-security-hub-enable": "workspace:^0.0.1",
-    "@aws-accelerator/custom-resource-security-hub-send-invites": "workspace:^0.0.1",
-    "@aws-accelerator/custom-resource-r53-dns-endpoint-ips": "workspace:^0.0.1",
-    "@aws-accelerator/custom-resource-s3-put-bucket-replication": "workspace:^0.0.1",
+    "aws-sdk": "2.787.0",
     "hash-sum": "2.0.0",
     "ip-num": "1.2.2",
     "pascal-case": "3.1.1",
-    "tempy": "0.5.0",
-    "aws-sdk": "2.787.0"
+    "tempy": "0.5.0"
   },
   "jest": {
     "preset": "ts-jest",

src/lib/cdk-constructs/src/s3/bucket.ts

@@ -38,19 +38,11 @@ export class Bucket extends s3.Bucket {
           noncurrentVersionExpiration: props.versioned ? cdk.Duration.days(props.expirationInDays) : undefined,
         },
       ],
+      objectOwnership: s3.ObjectOwnership.BUCKET_OWNER_PREFERRED,
     });
 
     // Get the underlying resource
     this.resource = this.node.findChild('Resource') as s3.CfnBucket;
-
-    // TODO: Remove and use fields directly when CDK enhanced s3.Bucket.
-    this.resource.addPropertyOverride('OwnershipControls', {
-      Rules: [
-        {
-          ObjectOwnership: 'BucketOwnerPreferred',
-        },
-      ],
-    });
   }
 
   replicateFrom(principals: iam.IPrincipal[], organizationId: string, prefix: string) {

src/lib/cdk-constructs/src/security-hub/security-hub.ts

@@ -1,5 +1,4 @@
 import * as cdk from '@aws-cdk/core';
-import { CfnHub } from '@aws-cdk/aws-securityhub';
 import { SecurityHubEnable } from '@aws-accelerator/custom-resource-security-hub-enable';
 import { SecurityHubSendInvites } from '@aws-accelerator/custom-resource-security-hub-send-invites';
 import { SecurityHubAcceptInvites } from '@aws-accelerator/custom-resource-security-hub-accept-invites';

src/lib/cdk-constructs/src/vpc/alb.ts

@@ -1,6 +1,7 @@
 import * as cdk from '@aws-cdk/core';
 import * as s3 from '@aws-cdk/aws-s3';
 import * as elb from '@aws-cdk/aws-elasticloadbalancingv2';
+import { ElbDeletionProtection } from '@aws-accelerator/custom-resource-elb-deletion-protection';
 
 export interface ApplicationLoadBalancerProps extends cdk.StackProps {
   albName: string;
@@ -26,6 +27,11 @@ export class ApplicationLoadBalancer extends cdk.Construct {
       subnets: subnetIds,
       securityGroups: securityGroupIds,
     });
+
+    new ElbDeletionProtection(this, 'AlbDeletionProtection', {
+      loadBalancerArn: this.resource.ref,
+      loadBalancerName: albName,
+    });
   }
 
   logToBucket(bucket: s3.IBucket) {