Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CloudTrail: Allow external/existing Bucket to be supplied #3651

Closed
1 of 5 tasks
slipdexic opened this issue Aug 14, 2019 · 1 comment · Fixed by #3680
Closed
1 of 5 tasks

CloudTrail: Allow external/existing Bucket to be supplied #3651

slipdexic opened this issue Aug 14, 2019 · 1 comment · Fixed by #3680
Assignees
@eladb
Labels
@aws-cdk/aws-cloudtrail Related to AWS CloudTrail needs-triage This issue or PR still needs to be triaged.

Comments

@slipdexic
Copy link
Contributor

Note: for support questions, please first reference our documentation, then use Stackoverflow. This repository's issues are intended for feature requests and bug reports.

  • I'm submitting a ...

    • 🪲 bug report
    • 🚀 feature request
    • 📚 construct library gap
    • ☎️ security issue or vulnerability => Please see policy
    • ❓ support request => Please see note at the top of this template.

  • What is the current behavior?
    Currently if you create a CloudTrail
    const cloudTrail = new CloudTrail(this, 'MyTrail');
    It automaticly creates a bucket , which is also Unecrytped.
    const s3bucket = new s3.Bucket(this, 'S3', {encryption: s3.BucketEncryption.UNENCRYPTED});

  • What is the expected behavior (or behavior of feature suggested)?
    An option to pass in an existing Bucket class, this will give greater flexibility and allow user to control policy and encryption.
    And change the default bucket creation encryption policy to use
    encryption: s3.BucketEncryption.S3_MANAGED

  • What is the motivation / use case for changing the behavior or adding this feature?

  1. In an enterprise , CloudTrail logs to central logging , even cross account
  2. The "CIS AWS Foundations controls" (found under Security Hub)
    2.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs
    https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf

AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS.

  1. Well-Architected Framework
    https://d1.awsstatic.com/whitepapers/architecture/AWS-Security-Pillar.pdf

  • Please tell us about your environment:

    • CDK CLI Version: 1.3.0
    • Module Version: xx.xx.xx
    • OS: [all ]
    • Language: [all]

  • Other information (e.g. detailed explanation, stacktraces, related issues, suggestions how to fix, links for us to have context, eg. associated pull-request, stackoverflow, gitter, etc)
@slipdexic slipdexic added the needs-triage This issue or PR still needs to be triaged. label Aug 14, 2019
@slipdexic slipdexic changed the title CloudTrail: Allow external/existing Bucket to be supplies CloudTrail: Allow external/existing Bucket to be supplied Aug 14, 2019
@eladb eladb added the @aws-cdk/aws-cloudtrail Related to AWS CloudTrail label Aug 14, 2019
@eladb eladb self-assigned this Aug 14, 2019
@slipdexic
Copy link
Contributor Author

I'm going to see if I can do this

slipdexic added a commit to slipdexic/aws-cdk that referenced this issue Aug 15, 2019
@slipdexic
Allow external/existing Bucket to be supplied (aws#3651)
edbf83a
slipdexic added a commit to slipdexic/aws-cdk that referenced this issue Aug 15, 2019
@slipdexic
added tests, fixed bug (aws#3651)
afef742
@slipdexic slipdexic mentioned this issue Aug 22, 2019
Merged
slipdexic added a commit to slipdexic/aws-cdk that referenced this issue Aug 22, 2019
@slipdexic
(chore) applied change sugested in code review
1ee3d6d 
closes aws#3651
rix0rrr pushed a commit that referenced this issue Aug 22, 2019
@slipdexic @rix0rrr
feat(cloudtrail): accept existing S3 bucket (#3680)
c2d6847 
Make CloudTrail accept existing S3 bucket to write to.

Fixes #3651.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@eladb eladb

Labels
@aws-cdk/aws-cloudtrail Related to AWS CloudTrail needs-triage This issue or PR still needs to be triaged.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat(cloudtrail): accept existing S3 bucket slipdexic/aws-cdk
2 participants
@eladb @slipdexic