(aws-cloudtrail): isOrganizationTrail attaches insufficient permissions to bucket #22267
Comments
danilobuerger
added
bug
|
Thanks for reporting this @danilobuerger, I can reproduce this just with this snippet new Trail(this, 'Trail', {
isOrganizationTrail: true
});@daschaa did you ever run into this error? It's suspicious to me that the integration test you submitted with this PR works if I can't get it to deploy now here |
peterwoodworth
added
p2
effort/small
|
@peterwoodworth That's very strange. The integration tests should have failed in the pull request. The challenge that we will now face is, that we have to pass/retrieve the belonging organization id to construct the correct permission statement. @peterwoodworth Afaik there is no way to get the organization id from the props that are passed when instantiating a trail. Do you know if this is possible? |
|
@daschaa a few ideas:
"Principal": {
"Service": [
"cloudtrail.amazonaws.com"
]
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::myOrganizationBucket/AWSLogs/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control",
"aws:SourceArn": "arn:aws:cloudtrail:region:111111111111:trail/trailName"
}
} |
|
@danilobuerger Thanks for the good hints. ❤️ At the first glance the third option you mentioned would maybe be the easiest to implement and it would not introduce big changes to the current implementation. But I'm not sure if that would violate the principle of least privilege. The second option is not a possibility from my point of view, as it may be that the lambda for the custom resource would have to run in a VPC. I know this from my experience and therefore I would not prefer this option. @danilobuerger What is the best option in your opinion? |
|
I recently ran into the same issue and had to attach the missing organization policy to the bucket to make it work. I hope I'm not putting in, but I do like the suggestion to have a new construct |
|
This bug still seems to have been active for a year since first reported. Are there any plans to fix this? Also, documentation in AWS seems to be inaccurate as the policies attached to the bucket are a bit different from the ones in the documentation. Namely, the documentation does not specify using organisation id for the "write" bucket policy's conditions section. Any plans to have that updated? To be frank, I'm still facing this problem despite these suggestions so any assistance with the workaround would be massively appreciated! |
|
Hey @beniusij, a fix is in the works but for now I've found this comment which explains the workaround of adding in the missing policy in more detail from a duplicate issue: #11602 (comment). |
…s to bucket (#29242) ### Issue #22267 (if applicable) Closes #22267. ### Reason for this change Setting the `isOrganizationTrail` property to `true` attaches insufficient permissions to the bucket thus failing to deploy the `Trail` with: ``` Invalid request provided: Incorrect S3 bucket policy is detected for bucket: ... ``` ### Description of changes This PR adds a new property `orgId` to `TrailProps` that will be used to attach the [missing permission](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-s3-bucket-policy-for-cloudtrail.html#org-trail-bucket-policy) ``` "Action": "s3:PutObject", "Resource": "arn:aws:s3:::myOrganizationBucket/AWSLogs/o-organizationID/*", "Condition": { "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control", "aws:SourceArn": "arn:aws:cloudtrail:region:managementAccountID:trail/trailName" } ``` when `isOrganizationTrail: true`. ### Description of how you validated changes Validated locally that I can deploy when `Trail.isOrganizationTrail: true` with a valid `orgId` + added unit test case. I can't think of a way to test this with an integ test as it requires a valid `orgId` to deploy but any suggestions are welcome. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
Describe the bug
When using a Trail with
isOrganizationTrail: true, the bucket policy contains insufficient permissions and the stack creation fails with:The Trail attaches the following permissions:
aws-cdk/packages/@aws-cdk/aws-cloudtrail/lib/cloudtrail.ts
Lines 226 to 241 in c425e8c
However, it is missing:
as described here: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-s3-bucket-policy-for-cloudtrail.html#org-trail-bucket-policy
Expected Behavior
It creates an organization trail.
Current Behavior
It fails with
Reproduction Steps
Possible Solution
Adding the permission as outlined above.
Additional Information/Context
No response
CDK CLI Version
2.43.1
Framework Version
No response
Node.js Version
18.9.0
OS
macOS
Language
Typescript
Language Version
No response
Other information
No response
The text was updated successfully, but these errors were encountered: