From d2d708eecf5e2d0b2d00c68fe6a8055e6d763967 Mon Sep 17 00:00:00 2001 From: CHIKAMATSU Naohiro Date: Thu, 8 Feb 2024 19:27:57 +0900 Subject: [PATCH 01/11] Add CloudFormation Guard (GitHub Actions) --- .github/workflows/cfn-guard.yml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 .github/workflows/cfn-guard.yml diff --git a/.github/workflows/cfn-guard.yml b/.github/workflows/cfn-guard.yml new file mode 100644 index 0000000..87955f3 --- /dev/null +++ b/.github/workflows/cfn-guard.yml @@ -0,0 +1,22 @@ +name: CloudFormation Guard Action + +on: + push: + paths: + - 'cloudformation/**' + +jobs: + cfn-guard: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - uses: grolston/guard-action@main + with: + data_directory: './cloudformation/' + rule_set: "wa-Reliability-Pillar" + + - uses: grolston/guard-action@main + with: + data_directory: './cloudformation/' + rule_set: "wa-Security-Pillar" \ No newline at end of file From 9989d95c2418933d583d77093065d3f441d2b9d1 Mon Sep 17 00:00:00 2001 From: CHIKAMATSU Naohiro Date: Thu, 8 Feb 2024 19:30:59 +0900 Subject: [PATCH 02/11] Add paths --- .github/workflows/cfn-guard.yml | 4 ++-- .github/workflows/cloudformation.yml | 5 ++--- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/.github/workflows/cfn-guard.yml b/.github/workflows/cfn-guard.yml index 87955f3..697a233 100644 --- a/.github/workflows/cfn-guard.yml +++ b/.github/workflows/cfn-guard.yml @@ -2,8 +2,8 @@ name: CloudFormation Guard Action on: push: - paths: - - 'cloudformation/**' + #paths: + # - 'cloudformation/**' jobs: cfn-guard: diff --git a/.github/workflows/cloudformation.yml b/.github/workflows/cloudformation.yml index af3a832..85634fa 100644 --- a/.github/workflows/cloudformation.yml +++ b/.github/workflows/cloudformation.yml @@ -2,9 +2,8 @@ name: Deploy to LocalStack on: push: - branches: [main] - pull_request: - branches: [main] + paths: + - 'cloudformation/**' jobs: deploy: From da500ccd29a05daa27d6dae5b2bca80474fea142 Mon Sep 17 00:00:00 2001 From: CHIKAMATSU Naohiro Date: Thu, 8 Feb 2024 19:56:49 +0900 Subject: [PATCH 03/11] Fix CloudFormation Guard --- .../static-web-site-distribution/template.yml | 102 ++++++++++++++++++ 1 file changed, 102 insertions(+) diff --git a/cloudformation/static-web-site-distribution/template.yml b/cloudformation/static-web-site-distribution/template.yml index 2e19e74..1facdd9 100644 --- a/cloudformation/static-web-site-distribution/template.yml +++ b/cloudformation/static-web-site-distribution/template.yml @@ -12,6 +12,15 @@ Resources: DeletionPolicy: Retain Properties: BucketName: !Ref ContentBucketName + VersioningConfiguration: + Status: Enabled + ObjectLockConfiguration: + ObjectLockEnabled: Enabled + Rule: + DefaultRetention: + Days: 1 + Mode: GOVERNANCE + ObjectLockEnabled: True OwnershipControls: Rules: - ObjectOwnership: BucketOwnerEnforced @@ -24,6 +33,13 @@ Resources: ServerSideEncryptionConfiguration: - ServerSideEncryptionByDefault: SSEAlgorithm: AES256 + ReplicationConfiguration: + Role: !GetAtt ContentBucketReplicationRole.Arn + Rules: + - Destination: + Bucket: !Ref ContentS3BucketReplica + Status: Enabled + Prefix: "replicated/" ContentBucketPolicy: Type: AWS::S3::BucketPolicy @@ -41,4 +57,90 @@ Resources: Condition: Bool: "aws:SecureTransport": false + Principal: "*" + + ContentBucketReplicationRole: + Type: AWS::IAM::Role + Properties: + RoleName: !Sub "${AWS::StackName}-bucket-source-role-${AWS::Region}" + Description: "Role For S3" + Path: "/service/" + AssumeRolePolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Principal: + Service: + - s3.amazonaws.com + Action: + - sts:AssumeRole + Policies: + - PolicyName: "s3-replication-policy" + PolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Action: + - s3:ListBucket + - s3:GetReplicationConfiguration + Resource: + - !Sub "arn:${AWS::Partition}:s3:::${ContentBucketName}" + - Effect: Allow + Action: + - s3:GetObjectVersionForReplication + - s3:GetObjectVersionAcl + - s3:GetObjectVersionTagging + Resource: + - !Sub "arn:${AWS::Partition}:s3:::${ContentBucketName}/*" + - Effect: Allow + Action: + - s3:ReplicateObject + - s3:ReplicateDelete + - s3:ReplicateTags + Resource: + - "arn:aws:s3:::content-s3-bucket-replica/*" + + ContentS3BucketReplica: + Type: "AWS::S3::Bucket" + UpdateReplacePolicy: Retain + DeletionPolicy: Retain + Properties: + BucketName: "content-s3-bucket-replica" + ObjectLockConfiguration: + ObjectLockEnabled: Enabled + Rule: + DefaultRetention: + Days: 1 + Mode: GOVERNANCE + OwnershipControls: + Rules: + - ObjectOwnership: BucketOwnerEnforced + BucketEncryption: + ServerSideEncryptionConfiguration: + - ServerSideEncryptionByDefault: + SSEAlgorithm: AES256 + VersioningConfiguration: + Status: Enabled + PublicAccessBlockConfiguration: + BlockPublicAcls: true + BlockPublicPolicy: true + IgnorePublicAcls: true + RestrictPublicBuckets: true + + ContentBucketReplicaPolicy: + Type: AWS::S3::BucketPolicy + Properties: + Bucket: !Ref ContentS3BucketReplica + PolicyDocument: + Version: "2012-10-17" + Statement: + - Sid: AllowSSLRequestsOnly + Action: "s3:*" + Effect: Deny + Resource: + - !Sub "arn:${AWS::Partition}:s3:::${ContentS3BucketReplica}" + - !Sub "arn:${AWS::Partition}:s3:::${ContentS3BucketReplica}/*" + Condition: + Bool: + "aws:SecureTransport": false Principal: "*" \ No newline at end of file From 5e2f9a11149bb4852bd2a342145899c21483d17f Mon Sep 17 00:00:00 2001 From: CHIKAMATSU Naohiro Date: Thu, 8 Feb 2024 20:01:46 +0900 Subject: [PATCH 04/11] Fix --- cloudformation/static-web-site-distribution/template.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/cloudformation/static-web-site-distribution/template.yml b/cloudformation/static-web-site-distribution/template.yml index 1facdd9..75fabac 100644 --- a/cloudformation/static-web-site-distribution/template.yml +++ b/cloudformation/static-web-site-distribution/template.yml @@ -20,7 +20,7 @@ Resources: DefaultRetention: Days: 1 Mode: GOVERNANCE - ObjectLockEnabled: True + ObjectLockEnabled: true OwnershipControls: Rules: - ObjectOwnership: BucketOwnerEnforced @@ -112,6 +112,7 @@ Resources: DefaultRetention: Days: 1 Mode: GOVERNANCE + ObjectLockEnabled: true OwnershipControls: Rules: - ObjectOwnership: BucketOwnerEnforced From cdb986bcb435758822ffe478410f0fe89ebd72cd Mon Sep 17 00:00:00 2001 From: CHIKAMATSU Naohiro Date: Thu, 8 Feb 2024 20:15:03 +0900 Subject: [PATCH 05/11] Add metadata --- cloudformation/static-web-site-distribution/template.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/cloudformation/static-web-site-distribution/template.yml b/cloudformation/static-web-site-distribution/template.yml index 75fabac..c822b9d 100644 --- a/cloudformation/static-web-site-distribution/template.yml +++ b/cloudformation/static-web-site-distribution/template.yml @@ -127,6 +127,11 @@ Resources: BlockPublicPolicy: true IgnorePublicAcls: true RestrictPublicBuckets: true + Metadata: + guard: + SuppressedRules: + - S3_BUCKET_REPLICATION_ENABLED + ContentBucketReplicaPolicy: Type: AWS::S3::BucketPolicy @@ -144,4 +149,4 @@ Resources: Condition: Bool: "aws:SecureTransport": false - Principal: "*" \ No newline at end of file + Principal: "*" From 8cc7d0699ff6dea7443923c9c11c4dfb497273ed Mon Sep 17 00:00:00 2001 From: CHIKAMATSU Naohiro Date: Thu, 8 Feb 2024 20:42:52 +0900 Subject: [PATCH 06/11] Fix --- cloudformation/lambda-batch/template.yml | 24 ++++++------- .../static-web-site-distribution/template.yml | 35 ++++++------------- 2 files changed, 22 insertions(+), 37 deletions(-) diff --git a/cloudformation/lambda-batch/template.yml b/cloudformation/lambda-batch/template.yml index e0e3ea8..a8962fb 100644 --- a/cloudformation/lambda-batch/template.yml +++ b/cloudformation/lambda-batch/template.yml @@ -43,17 +43,8 @@ Resources: Principal: Service: "lambda.amazonaws.com" Action: "sts:AssumeRole" - Policies: - - PolicyName: "LambdaBatchPolicy" - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: "Allow" - Action: - - "logs:CreateLogGroup" - - "logs:CreateLogStream" - - "logs:PutLogEvents" - Resource: "*" + ManagedPolicyArns: + - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" LambdaLogGroup: Type: "AWS::Logs::LogGroup" @@ -62,4 +53,13 @@ Resources: Properties: LogGroupName: !Sub "/aws/lambda/${LambdaBatch}" RetentionInDays: 7 - + KmsKeyId: !Ref LambdaLogGroupKMSKey + + LambdaLogGroupKMSKey: + Type: AWS::KMS::Key + UpdateReplacePolicy: Retain + DeletionPolicy: Retain + Properties: + Description: "KMS key for encrypting CloudWatch Logs" + EnableKeyRotation: true + \ No newline at end of file diff --git a/cloudformation/static-web-site-distribution/template.yml b/cloudformation/static-web-site-distribution/template.yml index c822b9d..ed89a4c 100644 --- a/cloudformation/static-web-site-distribution/template.yml +++ b/cloudformation/static-web-site-distribution/template.yml @@ -40,6 +40,9 @@ Resources: Bucket: !Ref ContentS3BucketReplica Status: Enabled Prefix: "replicated/" + LoggingConfiguration: + DestinationBucketName: !Ref ReplicationLogBucket + LogFilePrefix: "logs/" ContentBucketPolicy: Type: AWS::S3::BucketPolicy @@ -57,6 +60,8 @@ Resources: Condition: Bool: "aws:SecureTransport": false + NumericLessThan: + "s3:TlsVersion": "1.2" Principal: "*" ContentBucketReplicationRole: @@ -74,31 +79,8 @@ Resources: - s3.amazonaws.com Action: - sts:AssumeRole - Policies: - - PolicyName: "s3-replication-policy" - PolicyDocument: - Version: '2012-10-17' - Statement: - - Effect: Allow - Action: - - s3:ListBucket - - s3:GetReplicationConfiguration - Resource: - - !Sub "arn:${AWS::Partition}:s3:::${ContentBucketName}" - - Effect: Allow - Action: - - s3:GetObjectVersionForReplication - - s3:GetObjectVersionAcl - - s3:GetObjectVersionTagging - Resource: - - !Sub "arn:${AWS::Partition}:s3:::${ContentBucketName}/*" - - Effect: Allow - Action: - - s3:ReplicateObject - - s3:ReplicateDelete - - s3:ReplicateTags - Resource: - - "arn:aws:s3:::content-s3-bucket-replica/*" + ManagedPolicyArns: + - "arn:aws:iam::aws:policy/AmazonS3FullAccess" ContentS3BucketReplica: Type: "AWS::S3::Bucket" @@ -131,6 +113,7 @@ Resources: guard: SuppressedRules: - S3_BUCKET_REPLICATION_ENABLED + - S3_BUCKET_LOGGING_ENABLED ContentBucketReplicaPolicy: @@ -149,4 +132,6 @@ Resources: Condition: Bool: "aws:SecureTransport": false + NumericLessThan: + "s3:TlsVersion": "1.2" Principal: "*" From 41cb1f18c7673a73988c4a4635f81450c0259eaa Mon Sep 17 00:00:00 2001 From: CHIKAMATSU Naohiro Date: Thu, 8 Feb 2024 20:48:36 +0900 Subject: [PATCH 07/11] Fix --- cloudformation/cloudwatch-rum/template.yml | 4 ++++ cloudformation/static-web-site-distribution/template.yml | 7 +++---- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/cloudformation/cloudwatch-rum/template.yml b/cloudformation/cloudwatch-rum/template.yml index 603dd92..de39c95 100644 --- a/cloudformation/cloudwatch-rum/template.yml +++ b/cloudformation/cloudwatch-rum/template.yml @@ -68,6 +68,10 @@ Resources: # https://docs.aws.amazon.com/ja_jp/aws-managed-policy/latest/reference/AmazonCloudWatchRUMFullAccess.html ManagedPolicyArns: - arn:aws:iam::aws:policy/AmazonCloudWatchRUMFullAccess + Metadata: + guard: + SuppressedRules: + - IAM_NO_INLINE_POLICY_CHECK CWRumAppMonitor: # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rum-appmonitor.html diff --git a/cloudformation/static-web-site-distribution/template.yml b/cloudformation/static-web-site-distribution/template.yml index ed89a4c..abd3199 100644 --- a/cloudformation/static-web-site-distribution/template.yml +++ b/cloudformation/static-web-site-distribution/template.yml @@ -41,7 +41,7 @@ Resources: Status: Enabled Prefix: "replicated/" LoggingConfiguration: - DestinationBucketName: !Ref ReplicationLogBucket + DestinationBucketName: !Ref ContentS3BucketReplica LogFilePrefix: "logs/" ContentBucketPolicy: @@ -61,7 +61,7 @@ Resources: Bool: "aws:SecureTransport": false NumericLessThan: - "s3:TlsVersion": "1.2" + "s3:TlsVersion": "1.3" Principal: "*" ContentBucketReplicationRole: @@ -115,7 +115,6 @@ Resources: - S3_BUCKET_REPLICATION_ENABLED - S3_BUCKET_LOGGING_ENABLED - ContentBucketReplicaPolicy: Type: AWS::S3::BucketPolicy Properties: @@ -133,5 +132,5 @@ Resources: Bool: "aws:SecureTransport": false NumericLessThan: - "s3:TlsVersion": "1.2" + "s3:TlsVersion": "1.3" Principal: "*" From 694785913e38c7ca68856020af441867c1e080f7 Mon Sep 17 00:00:00 2001 From: CHIKAMATSU Naohiro Date: Thu, 8 Feb 2024 20:51:03 +0900 Subject: [PATCH 08/11] SecureTransport true --- cloudformation/static-web-site-distribution/template.yml | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/cloudformation/static-web-site-distribution/template.yml b/cloudformation/static-web-site-distribution/template.yml index abd3199..6a5f31c 100644 --- a/cloudformation/static-web-site-distribution/template.yml +++ b/cloudformation/static-web-site-distribution/template.yml @@ -59,9 +59,7 @@ Resources: - !Sub "arn:${AWS::Partition}:s3:::${ContentBucket}/*" Condition: Bool: - "aws:SecureTransport": false - NumericLessThan: - "s3:TlsVersion": "1.3" + "aws:SecureTransport": true Principal: "*" ContentBucketReplicationRole: @@ -130,7 +128,5 @@ Resources: - !Sub "arn:${AWS::Partition}:s3:::${ContentS3BucketReplica}/*" Condition: Bool: - "aws:SecureTransport": false - NumericLessThan: - "s3:TlsVersion": "1.3" + "aws:SecureTransport": true Principal: "*" From 61783078ef8c546f4d8a7b529c3a5d43a522c977 Mon Sep 17 00:00:00 2001 From: CHIKAMATSU Naohiro Date: Thu, 8 Feb 2024 20:55:10 +0900 Subject: [PATCH 09/11] Fix --- .../static-web-site-distribution/template.yml | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) diff --git a/cloudformation/static-web-site-distribution/template.yml b/cloudformation/static-web-site-distribution/template.yml index 6a5f31c..be1a6b6 100644 --- a/cloudformation/static-web-site-distribution/template.yml +++ b/cloudformation/static-web-site-distribution/template.yml @@ -54,13 +54,11 @@ Resources: - Sid: AllowSSLRequestsOnly Action: "s3:*" Effect: Deny - Resource: - - !Sub "arn:${AWS::Partition}:s3:::${ContentBucket}" - - !Sub "arn:${AWS::Partition}:s3:::${ContentBucket}/*" + Principal: "*" + Resource: "*" Condition: Bool: - "aws:SecureTransport": true - Principal: "*" + "aws:SecureTransport": false ContentBucketReplicationRole: Type: AWS::IAM::Role @@ -123,10 +121,8 @@ Resources: - Sid: AllowSSLRequestsOnly Action: "s3:*" Effect: Deny - Resource: - - !Sub "arn:${AWS::Partition}:s3:::${ContentS3BucketReplica}" - - !Sub "arn:${AWS::Partition}:s3:::${ContentS3BucketReplica}/*" + Principal: "*" + Resource: "*" Condition: Bool: - "aws:SecureTransport": true - Principal: "*" + "aws:SecureTransport": false From f43192441da419a6b972932691e0d7e86fc4ef09 Mon Sep 17 00:00:00 2001 From: CHIKAMATSU Naohiro Date: Thu, 8 Feb 2024 20:57:42 +0900 Subject: [PATCH 10/11] Fix --- cloudformation/static-web-site-distribution/template.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cloudformation/static-web-site-distribution/template.yml b/cloudformation/static-web-site-distribution/template.yml index be1a6b6..a1000d2 100644 --- a/cloudformation/static-web-site-distribution/template.yml +++ b/cloudformation/static-web-site-distribution/template.yml @@ -58,7 +58,7 @@ Resources: Resource: "*" Condition: Bool: - "aws:SecureTransport": false + "aws:SecureTransport": true ContentBucketReplicationRole: Type: AWS::IAM::Role @@ -125,4 +125,4 @@ Resources: Resource: "*" Condition: Bool: - "aws:SecureTransport": false + "aws:SecureTransport": true From 1380772668044c07287d4ef295906a57d406f726 Mon Sep 17 00:00:00 2001 From: CHIKAMATSU Naohiro Date: Thu, 8 Feb 2024 20:59:46 +0900 Subject: [PATCH 11/11] Fix --- .../static-web-site-distribution/template.yml | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/cloudformation/static-web-site-distribution/template.yml b/cloudformation/static-web-site-distribution/template.yml index a1000d2..de1187e 100644 --- a/cloudformation/static-web-site-distribution/template.yml +++ b/cloudformation/static-web-site-distribution/template.yml @@ -51,14 +51,13 @@ Resources: PolicyDocument: Version: "2012-10-17" Statement: - - Sid: AllowSSLRequestsOnly - Action: "s3:*" + - Action: "s3:*" Effect: Deny Principal: "*" Resource: "*" Condition: Bool: - "aws:SecureTransport": true + "aws:SecureTransport": false ContentBucketReplicationRole: Type: AWS::IAM::Role @@ -118,11 +117,10 @@ Resources: PolicyDocument: Version: "2012-10-17" Statement: - - Sid: AllowSSLRequestsOnly - Action: "s3:*" + - Action: "s3:*" Effect: Deny Principal: "*" Resource: "*" Condition: Bool: - "aws:SecureTransport": true + "aws:SecureTransport": false