Update saas-boost.yaml reflect the new S3 policy (#508)

* Add Tier to tag setting * added the Tier tag to the resources * To pass the Tier tag as a parameter to the tenant-onboarding-app.yaml CloudFormation stack through handleOnboardingBaseProvisioned * Fargate Service Quota check logic change from Task based quota to vCPU based quota * Add logic for Fargate Spot vCPU resource count check * Add logic for Fargate Spot vCPU resource count check * Modify logic for Fargate Spot vCPU resource count check * Update saas-boost.yaml Changed the way log storage permissions are granted to buckets for writing S3 Access logs from ACLs to IAM policies. New policy practices of S3 https://aws.amazon.com/about-aws/whats-new/2023/04/amazon-s3-two-security-best-practices-buckets-default/ --------- Co-authored-by: Kim <[email protected]> Co-authored-by: PoeppingT <[email protected]>
awslabs · Apr 24, 2023 · 5b21f4d · 5b21f4d
1 parent 16aa427
commit 5b21f4d
Showing 1 changed file with 13 additions and 4 deletions.
diff --git a/resources/saas-boost.yaml b/resources/saas-boost.yaml
@@ -139,7 +139,7 @@ Resources:
   Logging:
     Type: AWS::S3::Bucket
     Properties:
-      AccessControl: LogDeliveryWrite
+      AccessControl: Private
       PublicAccessBlockConfiguration:
         BlockPublicAcls: true
         BlockPublicPolicy: true
@@ -165,14 +165,23 @@ Resources:
       Bucket: !Ref Logging
       PolicyDocument:
         Statement:
-          - Effect: Deny
+          - Sid: DenyNonSecureTransport
+            Effect: Deny
             Action: s3:*
             Principal: '*'
             Resource:
               - !Sub arn:${AWS::Partition}:s3:::${Logging}/*
               - !Sub arn:${AWS::Partition}:s3:::${Logging}
             Condition:
-              Bool: { 'aws:SecureTransport': false }
+              Bool: { 'aws:SecureTransport': false }        
+          - Sid: AllowLogging
+            Effect: Allow
+            Action: s3:PutObject
+            Principal: 
+              Service: 
+                - logging.s3.amazonaws.com
+            Resource:
+              - !Sub arn:${AWS::Partition}:s3:::${Logging}/*
   # Bucket needed for CodePipeline to drive tenant deployment workflow
   Pipelines:
     Type: AWS::S3::Bucket
@@ -1216,4 +1225,4 @@ Outputs:
   PrivateSubnet2:
     Description: Private Subnet AZ 2
     Value: !GetAtt network.Outputs.PrivateSubnet2
-...
+...