
Cloudtrail with sendToCloudWatchLogs: true, invalid Resource for Policy #1848

Closed
ygoodmn opened this issue Feb 24, 2019 · 3 comments · Fixed by #1851
Assignees
Labels
@aws-cdk/aws-cloudtrail Related to AWS CloudTrail bug This issue is a bug.

Comments


ygoodmn commented Feb 24, 2019

Steps: Enable the CloudTrail construct in TypeScript CDK version 0.24.1

sendToCloudWatchLogs: false: OK

sendToCloudWatchLogs: true: Error in Resource name
Resource: undefined:log-stream:*

```
3/5 | 16:26:47 | CREATE_FAILED        | AWS::IAM::Policy         | CloudTrail/CloudTrail/LogsRole/DefaultPolicy (CloudTrailLogsRoleDefaultPolicyA8386E82) Partition "log-stream" is not valid for resource "arn:log-stream:*:*:*:*". (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: 377ea60c-3840-11e9-a2a3-5910350b4863)
```

YAML for policy:

```yaml
CloudTrailLogsRoleDefaultPolicyA8386E82:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - logs:PutLogEvents
              - logs:CreateLogStream
            Effect: Allow
            Resource: undefined:log-stream:*
        Version: "2012-10-17"
      PolicyName: CloudTrailLogsRoleDefaultPolicyA8386E82
      Roles:
        - Ref: CloudTrailLogsRole81106C20
    Metadata:
      aws:cdk:path: sdllaas-ivp-01admin-yg/CloudTrail/CloudTrail/LogsRole/DefaultPolicy/Resource
```

code:

```typescript
const trail = new cloudtrail.CloudTrail(this, 'CloudTrail', {
  isMultiRegionTrail: false,
  trailName: 'Trail-' + this.stackName + '-' + this.region,
  sendToCloudWatchLogs: true,
  cloudWatchLogsRetentionTimeDays: LogRetention.OneYear
});
```

YAML:

```yaml
Resources:
  CloudTrailS3857D5C80:
    Type: AWS::S3::Bucket
    DeletionPolicy: Retain
    Metadata:
      aws:cdk:path: sdllaas-ivp-01admin-yg/CloudTrail/CloudTrail/S3/Resource
  CloudTrailS3Policy4A413820:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket:
        Ref: CloudTrailS3857D5C80
      PolicyDocument:
        Statement:
          - Action: s3:GetBucketAcl
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Resource:
              Fn::GetAtt:
                - CloudTrailS3857D5C80
                - Arn
          - Action: s3:PutObject
            Condition:
              StringEquals:
                s3:x-amz-acl: bucket-owner-full-control
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Resource:
              Fn::Join:
                - ""
                - - Fn::GetAtt:
                      - CloudTrailS3857D5C80
                      - Arn
                  - /AWSLogs/
                  - Ref: AWS::AccountId
                  - /*
        Version: "2012-10-17"
    Metadata:
      aws:cdk:path: sdllaas-ivp-01admin-yg/CloudTrail/CloudTrail/S3/Policy/Resource
  CloudTrailLogGroupDFE5546D:
    Type: AWS::Logs::LogGroup
    Properties:
      RetentionInDays: 365
    Metadata:
      aws:cdk:path: sdllaas-ivp-01admin-yg/CloudTrail/CloudTrail/LogGroup
  CloudTrailLogsRole81106C20:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
        Version: "2012-10-17"
    Metadata:
      aws:cdk:path: sdllaas-ivp-01admin-yg/CloudTrail/CloudTrail/LogsRole/Resource
  CloudTrailLogsRoleDefaultPolicyA8386E82:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - logs:PutLogEvents
              - logs:CreateLogStream
            Effect: Allow
            Resource: undefined:log-stream:*
        Version: "2012-10-17"
      PolicyName: CloudTrailLogsRoleDefaultPolicyA8386E82
      Roles:
        - Ref: CloudTrailLogsRole81106C20
    Metadata:
      aws:cdk:path: sdllaas-ivp-01admin-yg/CloudTrail/CloudTrail/LogsRole/DefaultPolicy/Resource
  CloudTrailF3F91E1B:
    Type: AWS::CloudTrail::Trail
    Properties:
      IsLogging: true
      S3BucketName:
        Ref: CloudTrailS3857D5C80
      CloudWatchLogsLogGroupArn:
        Fn::GetAtt:
          - CloudTrailLogGroupDFE5546D
          - Arn
      CloudWatchLogsRoleArn:
        Fn::GetAtt:
          - CloudTrailLogsRole81106C20
          - Arn
      EnableLogFileValidation: true
      EventSelectors: []
      IncludeGlobalServiceEvents: true
      IsMultiRegionTrail: false
      TrailName:
        Fn::Join:
          - ""
          - - Trail-
            - Ref: AWS::StackName
            - "-"
            - Ref: AWS::Region
    DependsOn:
      - CloudTrailS3Policy4A413820
    Metadata:
      aws:cdk:path: sdllaas-ivp-01admin-yg/CloudTrail/CloudTrail/Resource
```

ygoodmn commented Feb 24, 2019

Tried workaround of

```typescript
import { CfnPolicy, PolicyDocument, PolicyStatement, PolicyStatementEffect } from '@aws-cdk/aws-iam';

// Replace the generated policy document on the synthesized CfnPolicy resource
let badPolicyResourceUndefined = trail.node.findChild('LogsRole/DefaultPolicy/Resource') as CfnPolicy;
badPolicyResourceUndefined.propertyOverrides.policyDocument = new PolicyDocument()
  .addStatement((new PolicyStatement(PolicyStatementEffect.Allow))
    .addAction('*')
    .addAction('logs:CreateLogStream')
    .addResource('*'));
```

But got a bad error:

```
 3/5 | 16:59:51 | UPDATE_FAILED        | AWS::CloudTrail::Trail   | CloudTrail/CloudTrail (CloudTrailF3F91E1B) Access denied. Check the permissions for your role. (Service: AWSCloudTrail; Status Code: 400; Error Code: InvalidCloudWatchLogsLogGroupArnException; Request ID: 4a9192e3-5f32-4357-b6b5-7515293cf8c4)
```

RomainMuller added the @aws-cdk/aws-cloudtrail and bug labels Feb 25, 2019
RomainMuller added a commit that referenced this issue Feb 25, 2019
…tchLogs

Sets `this.cloudWatchLogsGroupArn` before using it, such that a correct
resource ARN is used in the policy generated for CloudTrail to be able
to create and use the required log stream.

Fixes #1848
@RomainMuller RomainMuller self-assigned this Feb 25, 2019

RomainMuller commented Feb 25, 2019

Hello @ygoodmn - thanks for reporting this bug. There was indeed an initialization order bug in the constructor for the CloudTrail class 😨 .

The fix is in #1851!


ygoodmn commented Feb 25, 2019

@RomainMuller Thanks:
It is interesting to note that on the Role Policy page it separates both actions
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-required-policy-for-cloudwatch-logs.html

I also found that the CloudTrail_log_stream_name_prefix created by cloudtrail is AWS:AccountId + CloudTrail + AWS:Region

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailCreateLogStream2014110",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream"
      ],
      "Resource": [
        "arn:aws:logs:us-east-2:accountID:log-group:log_group_name:log-stream:CloudTrail_log_stream_name_prefix*"
      ]
    },
    {
      "Sid": "AWSCloudTrailPutLogEvents20141101",
      "Effect": "Allow",
      "Action": [
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:us-east-2:accountID:log-group:log_group_name:log-stream:CloudTrail_log_stream_name_prefix*"
      ]
    }
  ]
}
```
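Added example (not code from the aws-cdk project or from either commenter): a small pre-deploy lint over a synthesized template that flags literal IAM `Resource` values which are not well-formed ARNs, which would have caught the `undefined:log-stream:*` resource from the first comment before CloudFormation rejected it, plus a helper that builds the narrower log-stream ARN described in the linked AWS docs and the comment above. The template object, account id and log-group name are constructed sample values.

```typescript
// Shape of an IAM policy statement as it appears in a synthesized CloudFormation template.
interface Statement { Effect: string; Action: string | string[]; Resource: unknown; }
interface Template { Resources: { [id: string]: { Type: string; Properties?: any } }; }

// Partitions IAM accepts in the second ARN field; anything else is rejected at deploy time
// with the MalformedPolicyDocument error seen in this issue.
const PARTITIONS = ['aws', 'aws-cn', 'aws-us-gov'];

// True for "*" or a structurally valid ARN: arn:<partition>:<service>:<region>:<account>:<resource...>
function isValidResourceArn(value: string): boolean {
  if (value === '*') return true;
  const parts = value.split(':');
  return parts.length >= 6 && parts[0] === 'arn' && PARTITIONS.indexOf(parts[1]) !== -1 && parts[2] !== '';
}

// Walk every AWS::IAM::Policy in the template and report "<LogicalId>: <resource>" for each
// literal Resource that is not a valid ARN. Intrinsics (Ref, Fn::GetAtt, Fn::Join) are objects
// and cannot be checked until resolution, so they are skipped.
function findMalformedResources(template: Template): string[] {
  const findings: string[] = [];
  for (const id of Object.keys(template.Resources)) {
    const res = template.Resources[id];
    if (res.Type !== 'AWS::IAM::Policy') continue;
    const doc = res.Properties && res.Properties.PolicyDocument;
    const statements: Statement[] = (doc && doc.Statement) || [];
    for (const st of statements) {
      const resources = Array.isArray(st.Resource) ? st.Resource : [st.Resource];
      for (const r of resources) {
        if (typeof r === 'string' && !isValidResourceArn(r)) findings.push(id + ': ' + r);
      }
    }
  }
  return findings;
}

// Least-privilege resource ARN for CloudTrail's log streams: the trail writes streams named
// <account>_CloudTrail_<region>* under the log group, so scope the policy to that prefix.
function cloudTrailLogStreamArn(logGroupArn: string, accountId: string, region: string): string {
  return logGroupArn + ':log-stream:' + accountId + '_CloudTrail_' + region + '*';
}

// Constructed sample: the failing policy from the issue next to a correctly scoped one.
const sampleTemplate: Template = {
  Resources: {
    CloudTrailLogsRoleDefaultPolicyA8386E82: { Type: 'AWS::IAM::Policy', Properties: { PolicyDocument: {
      Statement: [{ Effect: 'Allow', Action: ['logs:PutLogEvents', 'logs:CreateLogStream'],
                    Resource: 'undefined:log-stream:*' }] } } },
    FixedPolicy: { Type: 'AWS::IAM::Policy', Properties: { PolicyDocument: {
      Statement: [{ Effect: 'Allow', Action: ['logs:PutLogEvents', 'logs:CreateLogStream'],
                    Resource: cloudTrailLogStreamArn('arn:aws:logs:us-east-2:123456789012:log-group:trail-logs',
                                                     '123456789012', 'us-east-2') }] } } },
  },
};
```

Running `findMalformedResources` over the output of `cdk synth` (parsed to an object) as a CI step turns this class of bug into a failed build instead of a failed stack update.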

RomainMuller added a commit that referenced this issue Feb 25, 2019
…tchLogs (#1851)

Sets `this.cloudWatchLogsGroupArn` before using it, such that a correct
resource ARN is used in the policy generated for CloudTrail to be able
to create and use the required log stream.

Fixes #1848
eladb pushed a commit that referenced this issue Feb 26, 2019
…tchLogs (#1851)

Sets `this.cloudWatchLogsGroupArn` before using it, such that a correct
resource ARN is used in the policy generated for CloudTrail to be able
to create and use the required log stream.

Fixes #1848

2 participants