fix(cloudtrail): do not attach s3 bucket permission when orgId is not set for organization trail#30778
Conversation
github-actions
bot
added
beginning-contributor
aws-cdk-automation
left a comment
aws-cdk-automation
left a comment
There was a problem hiding this comment.
The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.
A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.
|
Exemption Request: deploying this requires AWS organization management account |
aws-cdk-automation
added
pr-linter/exemption-requested
|
could someone review this please? I'm waiting this for 4 months, thanks! |
|
@sarisia Hello, apologize for the extraa long wait time on the PR review. This seems to be an accident when we introduced The reason I asked this is because I'm thinking why don't we validate and raise an error if organization trail is used but no |
GavinZZ
added
pr-linter/exempt-readme
aws-cdk-automation
dismissed
their stale review
✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.
|
@GavinZZ Thank you for reviewing!
Actually yes. Back in 2023 there were no # trail
trail = cloudtrail.Trail(
self,
"Trail",
bucket=bucket,
is_organization_trail=True
)
# add bucket policy
# https://docs.aws.amazon.com/ja_jp/awscloudtrail/latest/userguide/create-s3-bucket-policy-for-cloudtrail.html
cloudtrail_principal = iam.ServicePrincipal(
"cloudtrail.amazonaws.com"
)
bucket.add_to_resource_policy(
iam.PolicyStatement(
actions=["s3:GetBucketAcl"],
principals=[cloudtrail_principal],
resources=[bucket.bucket_arn],
)
)
bucket.add_to_resource_policy(
iam.PolicyStatement(
actions=["s3:PutObject"],
principals=[cloudtrail_principal],
resources=[
bucket.arn_for_objects(f"AWSLogs/{Stack.of(self).account}/*"),
bucket.arn_for_objects(
f"AWSLogs/{organization_principal.organization_id}/*"
),
],
conditions={
"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}
},
)
)Recently I upgraded CDK and found there's a diff with new weird permission attached to the bucket, so I'm trying to get rid of them without breaking deploys and forcing code changes. |
|
Actually there's another issue which Initially I tried to fix them in separated PR (#30489) which makes |
xazhao
removed
the
pr-linter/exemption-requested
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #30778 +/- ##
=======================================
Coverage 81.41% 81.41%
=======================================
Files 223 223
Lines 13721 13721
Branches 2416 2416
=======================================
Hits 11171 11171
Misses 2271 2271
Partials 279 279
Flags with carried forward coverage won't be shown. Click here to find out more.
|
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
@sarisia sorry for the delayed response. I think that makes sense. Let's fix both issue here. |
|
This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state. |
1 similar comment
|
This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state. |
|
This PR has been in the MERGE CONFLICTS state for 3 weeks, and looks abandoned. Note that PRs with failing linting check or builds are not reviewed, please ensure your build is passing To prevent automatic closure:
This PR will automatically close in 7 days if no action is taken. |
|
@sarisia I see that this PR will be closed soon. Do you plan to work on this same PR or open a new PR for the changes we discussed? |
|
@GavinZZ sorry for delayed progress, been busy recentry. I'm planning to work on this PR. |
GavinZZ
added
the
pr-linter/do-not-close
aws-cdk-automation
removed
the
pr/needs-community-review
|
This pull request has been removed from the queue for the following reason: Pull request #30778 has been dequeued. The pull request rule doesn't match anymore. The following conditions don't match anymore:
You should look at the reason for the failure and decide if the pull request needs to be fixed or if you want to requeue it. |
Abogical
added
pr/requires-two-approvers
| 's3:x-amz-acl': 'bucket-owner-full-control', | ||
| 'aws:SourceArn': `arn:${this.stack.partition}:cloudtrail:${this.s3bucket.stack.region}:${this.s3bucket.stack.account}:trail/${props.trailName}`, | ||
| if (props.orgId === undefined) { | ||
| Annotations.of(this).addWarningV2('@aws-cdk/aws-cloudtrail:missingOrgIdForOrganizationTrail', 'Skipped attaching a policy to the bucket which allows organization trail to write because of missing orgId. Consider specifying orgId to add missing permissions'); |
There was a problem hiding this comment.
Can you explain to me the reason for choosing it warning vs throwing an error?
Is there any such use case that the user intentionally want to have isOrganizationTrail true but not send orgId or trailName?
There was a problem hiding this comment.
For backward compatibility and avoiding breaking changes. See #30778 (comment)
There was a problem hiding this comment.
My question was a bit unclear, is there a real use case for having isOrganizationTrail and not send orgId?
According to @Abogical for ppl who want to have the policy by themselves.
So if that's the argument is valid i'm happy with it.
There was a problem hiding this comment.
but for other issues if we're going to break ppl cause we were not doing what they're expecting and now we're doing what they're expecting but failing we're happy to go this way, since it's better than failing silently.
There was a problem hiding this comment.
I don't think there's a real use case too so I'happy to change these warnings to throwing error if introducing breaking changes is acceptable here!
| 'aws:SourceArn': `arn:${this.stack.partition}:cloudtrail:${this.s3bucket.stack.region}:${this.s3bucket.stack.account}:trail/${props.trailName}`, | ||
| if (props.orgId === undefined) { | ||
| Annotations.of(this).addWarningV2('@aws-cdk/aws-cloudtrail:missingOrgIdForOrganizationTrail', 'Skipped attaching a policy to the bucket which allows organization trail to write because of missing orgId. Consider specifying orgId to add missing permissions'); | ||
| } else if (props.trailName === undefined) { |
There was a problem hiding this comment.
is there any reason for this if condition?
I believe in L301
You can use something like
'aws:SourceArn': `arn:${this.stack.partition}:cloudtrail:${this.s3bucket.stack.region}:${this.s3bucket.stack.account}:trail/${this.physicalName}`,
There was a problem hiding this comment.
The trail name is not necessarily equal to the physical name. How the trail name is generated if its not defined can be different than the physicalName.
There was a problem hiding this comment.
I can expect the majority users are under this category of not defining trailName.
I believe we can get the generated trailName from the arn, then we don't have this if condition at all.
But with introducing this PR we're fixing the bug, but introducing another bug
There was a problem hiding this comment.
Referencing trail's cloudformation attributes in bucket policy makes circular dependency which cannot be deployed so we need hard-coded value here.
There was a problem hiding this comment.
Can you write a code comment in line 301 stating this fact? cause otherwise ppl will try to do what i'm asking in the future
mergify
bot
dismissed
Abogical’s stale review
Pull request has been modified.
mergify
bot
dismissed
gasolima’s stale review
Pull request has been modified.
Abogical
removed
the
pr/requires-two-approvers
aws-cdk-automation
removed
the
pr/needs-further-review
Merge Queue Status🚫 The pull request has left the queue (rule: This pull request spent 4 minutes 23 seconds in the queue, with no time running CI. Required conditions to merge
ReasonPull request #30778 has been dequeued. The pull request rule doesn't match anymore. The following conditions don't match anymore:
HintYou should look at the reason for the failure and decide if the pull request needs to be fixed or if you want to requeue it. |
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
Merge Queue Status🚫 The pull request has left the queue (rule: This pull request spent 5 seconds in the queue, with no time running CI. ReasonThe pull request can't be updated
HintYou should update or rebase your pull request manually. If you do, this pull request will automatically be requeued once the queue conditions match again. |
|
@Mergifyio update |
❌ Mergify doesn't have permission to updateDetailsFor security reasons, Mergify can't update this pull request. Try updating locally. |
|
||||||||||||||
|
||||||||||||||
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
Merge Queue Status✅ The pull request has been merged at 31bdb3f This pull request spent 6 seconds in the queue, with no time running CI. Required conditions to merge
|
|
Comments on closed issues and PRs are hard for our team to see. |
8 participants
Recreate #30490
Issue # (if applicable)
no open issue
Reason for this change
Organization trail without
orgIdattaches improper s3 bucket policywhich allows cloudtrail to write to
/AWSLogs/undefined/*prefix.{ "Action": "s3:PutObject", "Condition": { "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control", "aws:SourceArn": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":cloudtrail:us-east-1:123456789012:trail/undefined" ] ] } } }, "Effect": "Allow", "Principal": { "Service": "cloudtrail.amazonaws.com" }, "Resource": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "TrailS30071F172", "Arn" ] }, "/AWSLogs/undefined/*" ] ] } }Description of changes
isOrganizationTrailis set andorgIdis not setDescription of how you validated changes
Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license