
cfn_nag fails for CloudWatchLogs for KinesisStreamToS3 #121

Closed
knihit opened this issue Jan 19, 2021 · 2 comments
bug Something isn't working

Comments


knihit commented Jan 19, 2021

cfn_nag is enforcing rules for CloudWatch Logs that require the retention period to be specified in days and a KMS key to be supplied for encryption. The construct should add rules to suppress the following:

Reproduction Steps

Create a construct using

import { KinesisFirehoseToS3 } from '@aws-solutions-constructs/aws-kinesisfirehose-s3';

// defaultKinesisFirehoseProps and props.s3Bucket are defined elsewhere in the stack
const firehoseToS3 = new KinesisFirehoseToS3(this, 'KinesisFirehose', {
    kinesisFirehoseProps: defaultKinesisFirehoseProps,
    existingBucketObj: props.s3Bucket
});

Error Log

| WARN W84
|
| Resources: []
| Line Numbers: []
|
| CloudWatchLogs LogGroup should specify a KMS Key Id to encrypt the log data

| WARN W86
|
| Resources: []
| Line Numbers: []
|
| CloudWatchLogs LogGroup should specify RetentionInDays to expire the log data

Environment

  • CDK CLI Version: 1.85.0
  • CDK Framework Version: 1.81.0
  • AWS Solutions Constructs Version: 1.81.0
  • OS: MacOS
  • Language: TypeScript

Other


This is a 🐛 Bug Report

@knihit knihit added bug Something isn't working needs-triage The issue or PR still needs to be triaged labels Jan 19, 2021

knihit commented Jan 19, 2021

As a workaround, I am adding the following code to suppress cfn_nag.

  import { CfnLogGroup } from '@aws-cdk/aws-logs';

  // Locate the L1 log group the construct created and attach cfn_nag suppression metadata to it
  const logGroup = firehoseToS3.node.findChild('firehose-log-group').node.defaultChild as CfnLogGroup;
  logGroup.cfnOptions.metadata = {
      cfn_nag: {
          rules_to_suppress: [{
              id: 'W84',
              reason: 'Log group data is always encrypted in CloudWatch Logs using AWS Managed KMS Key. ' +
                  'For customers wanting to use CMK for CloudWatchLogs should customize the solution further to add encryption options'
          }, {
              id: 'W86',
              reason: 'Log Groups are set to \'Never Expire\'. Customers should customize the retention policy ' +
                  'based on their organization\'s retention policies'
          }]
      }
  };
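
The two findings above (W84 and W86) can be reproduced on a synthesized template without running cfn_nag itself. The following is an added example, not code from the issue or from the Solutions Constructs library: a minimal re-implementation of just those two checks over an in-memory CloudFormation template, which also honors the `Metadata.cfn_nag.rules_to_suppress` block used in the workaround. The template, resource names and suppression reason are constructed for the example.

```typescript
// Added example: a minimal W84/W86 check for AWS::Logs::LogGroup resources,
// honoring cfn_nag rules_to_suppress metadata. Not the cfn_nag implementation.
type Suppression = { id: string; reason: string };
type CfnResource = {
  Type: string;
  Properties?: Record<string, unknown>;
  Metadata?: { cfn_nag?: { rules_to_suppress?: Suppression[] } };
};
type Template = { Resources: Record<string, CfnResource> };
interface Finding { id: string; resource: string; message: string }

// The two rules quoted in the cfn_nag output above, keyed by the property they look for
const RULES: { id: string; property: string; message: string }[] = [
  { id: 'W84', property: 'KmsKeyId', message: 'CloudWatchLogs LogGroup should specify a KMS Key Id to encrypt the log data' },
  { id: 'W86', property: 'RetentionInDays', message: 'CloudWatchLogs LogGroup should specify RetentionInDays to expire the log data' },
];

// A rule is suppressed only if the metadata lists its id with a non-empty reason
function isSuppressed(res: CfnResource, ruleId: string): boolean {
  const list = res.Metadata?.cfn_nag?.rules_to_suppress ?? [];
  return list.some(s => s.id === ruleId && s.reason.trim() !== '');
}

function checkLogGroups(template: Template): Finding[] {
  const findings: Finding[] = [];
  for (const [name, res] of Object.entries(template.Resources)) {
    if (res.Type !== 'AWS::Logs::LogGroup') continue;
    for (const rule of RULES) {
      const value = res.Properties?.[rule.property];
      const missing = value === undefined || value === null;
      if (missing && !isSuppressed(res, rule.id)) {
        findings.push({ id: rule.id, resource: name, message: rule.message });
      }
    }
  }
  return findings;
}

// Constructed sample template: one unhardened log group (as the construct emitted it),
// one hardened with retention and a CMK, and one carrying a W84 suppression.
const SAMPLE_TEMPLATE: Template = {
  Resources: {
    FirehoseLogGroup: { Type: 'AWS::Logs::LogGroup', Properties: {} },
    HardenedLogGroup: { Type: 'AWS::Logs::LogGroup', Properties: { RetentionInDays: 90, KmsKeyId: { Ref: 'LogsKey' } } },
    SuppressedLogGroup: { Type: 'AWS::Logs::LogGroup', Properties: { RetentionInDays: 30 },
      Metadata: { cfn_nag: { rules_to_suppress: [{ id: 'W84', reason: 'Encrypted with the AWS managed key' }] } } },
    Bucket: { Type: 'AWS::S3::Bucket' },
  },
};

for (const f of checkLogGroups(SAMPLE_TEMPLATE)) console.log(`WARN ${f.id} ${f.resource}: ${f.message}`);
```

Only `FirehoseLogGroup` is reported (for both rules); the hardened group satisfies both properties and the suppressed group's missing `KmsKeyId` is covered by its metadata.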

@hnishar hnishar self-assigned this Jan 19, 2021
@hnishar hnishar added in-progress This issue is being actively worked on and removed needs-triage The issue or PR still needs to be triaged in-progress This issue is being actively worked on labels Jan 19, 2021

hnishar commented Jan 21, 2021

A fix for this has been pushed out in the latest release, v1.82.0.

@hnishar hnishar closed this as completed Jan 21, 2021