Update to version v1.7.4

- Updated the bucket policy on the logging bucket to grant access to the logging service principal (logging.s3.amazonaws.com) for access log delivery.
- Updated org.json package to address security issues

CHANGELOG.md

@@ -5,11 +5,18 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.7.4] - 2023-04-18
+
+### Fixed
+
+- Updated the bucket policy on the logging bucket to grant access to the logging service principal (logging.s3.amazonaws.com) for access log delivery.
+- Updated `org.json` package to address security issues
+
 ## [1.7.3] - 2023-04-13
 
-### Updated
+### Fixed
 
-- npm package security patching
+- Update AWS-SDK V2 that addresses the security issue identified in xml2js (https://github.com/aws/aws-sdk-js/issues/4387)
 
 ## [1.7.2] - 2023-01-10
 

source/kinesis/kpl-demo/pom.xml

@@ -40,7 +40,7 @@
         <dependency>
             <groupId>org.json</groupId>
             <artifactId>json</artifactId>
-            <version>20201115</version>
+            <version>20230227</version>
         </dependency>
     </dependencies>
 

source/lib/s3-bucket.ts

@@ -12,8 +12,8 @@
  *********************************************************************************************************************/
 
 import * as cdk from '@aws-cdk/core';
-import * as s3 from '@aws-cdk/aws-s3';
 import * as iam from '@aws-cdk/aws-iam';
+import * as s3 from '@aws-cdk/aws-s3';
 
 import { CfnNagHelper } from './cfn-nag-helper';
 
@@ -30,49 +30,70 @@ export class EncryptedBucket extends cdk.Construct {
         const securitySettings: s3.BucketProps = {
             blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL,
             encryption: s3.BucketEncryption.S3_MANAGED
-        }
+        };
 
         const accessLogsBucket = new s3.Bucket(this, 'AccessLogsBucket', securitySettings);
-        CfnNagHelper.addSuppressions(accessLogsBucket.node.defaultChild as s3.CfnBucket, [
-            { Id: 'W35', Reason: 'This bucket is used to store access logs for another bucket' },
-            { Id: 'W51', Reason: 'This bucket does not need a bucket policy' }
-        ]);
 
-        const rules: s3.LifecycleRule[] = [{
-            id: 'multipart-upload-rule',
-            enabled: true,
-            abortIncompleteMultipartUploadAfter: cdk.Duration.days(7)
-        }];
+        const rules: s3.LifecycleRule[] = [
+            {
+                id: 'multipart-upload-rule',
+                enabled: true,
+                abortIncompleteMultipartUploadAfter: cdk.Duration.days(7)
+            }
+        ];
 
         if (props.enableIntelligentTiering) {
             rules.push({
                 id: 'intelligent-tiering-rule',
                 enabled: true,
-                transitions: [{
-                    storageClass: s3.StorageClass.INTELLIGENT_TIERING,
-                    transitionAfter: cdk.Duration.days(1)
-                }]
+                transitions: [
+                    {
+                        storageClass: s3.StorageClass.INTELLIGENT_TIERING,
+                        transitionAfter: cdk.Duration.days(1)
+                    }
+                ]
             });
         }
 
-       this.Bucket = new s3.Bucket(this, 'Bucket', {
+        this.Bucket = new s3.Bucket(this, 'Bucket', {
             ...securitySettings,
             serverAccessLogsBucket: accessLogsBucket,
             lifecycleRules: rules
         });
 
-        this.Bucket.addToResourcePolicy(new iam.PolicyStatement({
-            sid: 'HttpsOnly',
-            effect: iam.Effect.DENY,
-            resources: [
-                this.Bucket.arnForObjects('*'),
-                this.Bucket.bucketArn
-            ],
-            actions: ['*'],
-            principals: [new iam.AnyPrincipal()],
-            conditions: {
-                Bool: { 'aws:SecureTransport': 'false' }
-            }
-        }));
+        this.Bucket.addToResourcePolicy(
+            new iam.PolicyStatement({
+                sid: 'HttpsOnly',
+                effect: iam.Effect.DENY,
+                resources: [this.Bucket.arnForObjects('*'), this.Bucket.bucketArn],
+                actions: ['*'],
+                principals: [new iam.AnyPrincipal()],
+                conditions: {
+                    Bool: { 'aws:SecureTransport': 'false' }
+                }
+            })
+        );
+
+        // remove ACL and add S3 bucket policy to write to access logging bucket
+        (accessLogsBucket.node.defaultChild as s3.CfnBucket).addDeletionOverride('Properties.AccessControl');
+        accessLogsBucket.addToResourcePolicy(
+            new iam.PolicyStatement({
+                sid: 'S3ServerAccessLogsPolicy',
+                effect: iam.Effect.ALLOW,
+                principals: [new iam.ServicePrincipal('logging.s3.amazonaws.com')],
+                actions: ['s3:PutObject'],
+                resources: [`${accessLogsBucket.bucketArn}/*`],
+                conditions: {
+                    ArnLike: {
+                        'aws:SourceArn': [`${this.Bucket.bucketArn}`]
+                    },
+                    StringEquals: { 'aws:SourceAccount': cdk.Aws.ACCOUNT_ID }
+                }
+            })
+        );
+
+        CfnNagHelper.addSuppressions(accessLogsBucket.node.defaultChild as s3.CfnBucket, [
+            { Id: 'W35', Reason: 'This bucket is used to store access logs for another bucket' }
+        ]);
     }
 }

source/package.json

@@ -1,6 +1,6 @@
 {
   "name": "streaming-data-solution",
-  "version": "1.7.2",
+  "version": "1.7.4",
   "bin": {
     "streaming-data-solution": "bin/streaming-data-solution.js"
   },

source/test/__snapshots__/kdf-delivery-stream.test.ts.snap

@@ -175,15 +175,10 @@ Object {
               "id": "W35",
               "reason": "This bucket is used to store access logs for another bucket",
             },
-            Object {
-              "id": "W51",
-              "reason": "This bucket does not need a bucket policy",
-            },
           ],
         },
       },
       "Properties": Object {
-        "AccessControl": "LogDeliveryWrite",
         "BucketEncryption": Object {
           "ServerSideEncryptionConfiguration": Array [
             Object {
@@ -203,6 +198,58 @@ Object {
       "Type": "AWS::S3::Bucket",
       "UpdateReplacePolicy": "Retain",
     },
+    "TestDeliveryStreamOutputAccessLogsBucketPolicyA3079E22": Object {
+      "Properties": Object {
+        "Bucket": Object {
+          "Ref": "TestDeliveryStreamOutputAccessLogsBucketFF8475CB",
+        },
+        "PolicyDocument": Object {
+          "Statement": Array [
+            Object {
+              "Action": "s3:PutObject",
+              "Condition": Object {
+                "ArnLike": Object {
+                  "aws:SourceArn": Array [
+                    Object {
+                      "Fn::GetAtt": Array [
+                        "TestDeliveryStreamOutputBucket4037EDA5",
+                        "Arn",
+                      ],
+                    },
+                  ],
+                },
+                "StringEquals": Object {
+                  "aws:SourceAccount": Object {
+                    "Ref": "AWS::AccountId",
+                  },
+                },
+              },
+              "Effect": "Allow",
+              "Principal": Object {
+                "Service": "logging.s3.amazonaws.com",
+              },
+              "Resource": Object {
+                "Fn::Join": Array [
+                  "",
+                  Array [
+                    Object {
+                      "Fn::GetAtt": Array [
+                        "TestDeliveryStreamOutputAccessLogsBucketFF8475CB",
+                        "Arn",
+                      ],
+                    },
+                    "/*",
+                  ],
+                ],
+              },
+              "Sid": "S3ServerAccessLogsPolicy",
+            },
+          ],
+          "Version": "2012-10-17",
+        },
+      },
+      "Type": "AWS::S3::BucketPolicy",
+    },
     "TestDeliveryStreamOutputBucket4037EDA5": Object {
       "DeletionPolicy": "Retain",
       "Properties": Object {