From 5b21f4dd2de4ae8540e303cf9e19ff93144726b5 Mon Sep 17 00:00:00 2001 From: Beomjun Kim Date: Tue, 25 Apr 2023 04:34:16 +0900 Subject: [PATCH] Update saas-boost.yaml reflect the new S3 policy (#508) * Add Tier to tag setting * added the Tier tag to the resources * To pass the Tier tag as a parameter to the tenant-onboarding-app.yaml CloudFormation stack through handleOnboardingBaseProvisioned * Fargate Service Quota check logic change from Task based quota to vCPU based quota * Add logic for Fargate Spot vCPU resource count check * Add logic for Fargate Spot vCPU resource count check * Modify logic for Fargate Spot vCPU resource count check * Update saas-boost.yaml Changed the way log storage permissions are granted to buckets for writing S3 Access logs from ACLs to IAM policies. New policy practices of S3 https://aws.amazon.com/about-aws/whats-new/2023/04/amazon-s3-two-security-best-practices-buckets-default/ --------- Co-authored-by: Kim Co-authored-by: PoeppingT --- resources/saas-boost.yaml | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/resources/saas-boost.yaml b/resources/saas-boost.yaml index c13d833c..d3c57b2f 100644 --- a/resources/saas-boost.yaml +++ b/resources/saas-boost.yaml @@ -139,7 +139,7 @@ Resources: Logging: Type: AWS::S3::Bucket Properties: - AccessControl: LogDeliveryWrite + AccessControl: Private PublicAccessBlockConfiguration: BlockPublicAcls: true BlockPublicPolicy: true 
@@ -165,14 +165,23 @@ Resources: Bucket: !Ref Logging PolicyDocument: Statement: - - Effect: Deny + - Sid: DenyNonSecureTransport + Effect: Deny Action: s3:* Principal: '*' Resource: - !Sub arn:${AWS::Partition}:s3:::${Logging}/* - !Sub arn:${AWS::Partition}:s3:::${Logging} Condition: - Bool: { 'aws:SecureTransport': false } + Bool: { 'aws:SecureTransport': false } + - Sid: AllowLogging + Effect: Allow + Action: s3:PutObject + Principal: + Service: + - logging.s3.amazonaws.com + Resource: + - !Sub arn:${AWS::Partition}:s3:::${Logging}/* # Bucket needed for CodePipeline to drive tenant deployment workflow Pipelines: Type: AWS::S3::Bucket @@ -1216,4 +1225,4 @@ Outputs: PrivateSubnet2: Description: Private Subnet AZ 2 Value: !GetAtt network.Outputs.PrivateSubnet2 -... \ No newline at end of file +...
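Review bot: In the first hunk (`AccessControl: LogDeliveryWrite` → `AccessControl: Private`), switching the ACL value does not by itself express the intent the commit message describes (ACLs disabled, bucket owner enforced). Since the new S3 defaults make `AccessControl: Private` effectively a no-op, consider either dropping the `AccessControl` property entirely or stating the ownership model explicitly so ACL-based delivery cannot be re-enabled later by accident, e.g. under `Properties:` add
`OwnershipControls:`
`  Rules:`
`    - ObjectOwnership: BucketOwnerEnforced`

Review bot: In the second hunk, the new `AllowLogging` statement grants `logging.s3.amazonaws.com` `s3:PutObject` on `${Logging}/*` with no `Condition`, so any bucket in any account that enables server access logging into this bucket name would be accepted (the classic confused-deputy shape for service principals). Scope the grant to this account, and ideally to the source bucket(s), as AWS recommends for the logging service principal, e.g.
`Condition:`
`  StringEquals:`
`    aws:SourceAccount: !Ref AWS::AccountId`
(and `ArnLike: { aws:SourceArn: arn:${AWS::Partition}:s3:::<source-bucket> }` if the source buckets are known in this template). Also note the `Bool: { 'aws:SecureTransport': false }` line is changed only in indentation; keep it that way or mention it in the commit message so reviewers do not look for a semantic change in the Deny statement.

Review bot: The third hunk only adds the missing trailing newline at the end of the file; it is unrelated to the S3 policy change in the subject and would be clearer as a separate whitespace commit, but it is harmless as-is.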