Merge pull request #18 from aws-solutions/feature/v2.0.4

Updated to version v2.0.4

Author: groverlalit

.gitignore

@@ -21,6 +21,9 @@ reports
 
 # Node dependencies
 node_modules
+*.js
+!jest.config.js
+*.d.ts
 
 
 # CDK asset staging directory

CHANGELOG.md

@@ -5,6 +5,15 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [2.0.4] - 2023-04-21
+
+### Changed
+
+- Fix npm json5 vulnerabilites [CVE-2022-46175](https://nvd.nist.gov/vuln/detail/CVE-2022-46175)
+- Upgrade AWS CDK dependencies to version 2
+ - Changed the Object Ownership for logging bucket from 'Object writer' to 'Bucket owner enforced' to mitigate the impact caused by new S3 default settings.
+ - Updated S3 bucket policy to support access logging.
+
 ## [2.0.3] - 2022-12-14
 
 ### Changed

deployment/aws-fms-automations.template

@@ -1,5 +1,5 @@
 {
-  "Description": "(SO0134) - The AWS CloudFormation template for deployment of the aws-firewall-manager-automations-for-aws-organizations. Version v2.0.3",
+  "Description": "(SO0134) - The AWS CloudFormation template for deployment of the aws-firewall-manager-automations-for-aws-organizations. Version v2.0.4",
   "AWSTemplateFormatVersion": "2010-09-09",
   "Metadata": {
     "AWS::CloudFormation::Interface": {
@@ -38,7 +38,7 @@
       },
       "Solution": {
         "SolutionId": "SO0134",
-        "SolutionVersion": "v2.0.3"
+        "SolutionVersion": "v2.0.4"
       }
     }
   },
@@ -286,7 +286,7 @@
           "S3Bucket": {
             "Fn::Sub": "solutions-${AWS::Region}"
           },
-          "S3Key": "aws-firewall-manager-automations-for-aws-organizations/v2.0.3/asset54a12c7d450d721fedbaa133a5a32cdea47192567f7d4d08b792bb889ff747f8.zip"
+          "S3Key": "aws-firewall-manager-automations-for-aws-organizations/v2.0.4/asset24842558b9c75d96211d69797ccc4f45a68b0202cdad21acedf6f2e97515a608.zip"
         },
         "Role": {
           "Fn::GetAtt": [
@@ -463,7 +463,7 @@
           "S3Bucket": {
             "Fn::Sub": "solutions-${AWS::Region}"
           },
-          "S3Key": "aws-firewall-manager-automations-for-aws-organizations/v2.0.3/asset3b263c2ad043fd069ef446753788c36e595c82b51a70478e58258c8ef7471671.zip"
+          "S3Key": "aws-firewall-manager-automations-for-aws-organizations/v2.0.4/asset1eabd374284db340b74179e3429008132f5b6b0b7b28d472d852807d7f5f9746.zip"
         },
         "Role": {
           "Fn::GetAtt": [
@@ -788,7 +788,7 @@
           "S3Bucket": {
             "Fn::Sub": "solutions-${AWS::Region}"
           },
-          "S3Key": "aws-firewall-manager-automations-for-aws-organizations/v2.0.3/asset9beecce4339c9851978aae9af0c33c0e9ba2465e683752b88b71112398b517fa.zip"
+          "S3Key": "aws-firewall-manager-automations-for-aws-organizations/v2.0.4/assetaffb1a48bf50e8217e27ad04a18c084f4333ab82cce043250c7db971ef92de29.zip"
         },
         "Role": {
           "Fn::GetAtt": [
@@ -901,7 +901,7 @@
     "CDKMetadata": {
       "Type": "AWS::CDK::Metadata",
       "Properties": {
-        "Analytics": "v2:deflate64:H4sIAAAAAAAA/2WQwU7DMAyGn2X31KOagCusGjdE6XiBNDFT1iYpcVI0RX13mhSVSlziz47t33YJ5eMB7nZP/JsKIbt9FNYhxLPnomPVp6m54xo9uuS88mFQ5pKwskYqr6xhz0To5/xL/rGGvAvCsyqQt7pBssEJTCUrb4Or0FvwQ/ATS4PEnutWcogvwYgsMiesfBrR+HPusBnof3RiimuIje0X+WRr2ytxy4tlmhgdCp42IMiLzD4cg+jQHzkhkzfDtZUtxA/eLn0yzHVfBPE9YMjBBfKb6zL9iW3caWIin6Zwv2cgqJ0dlUQ3MWMlwpX2Y/kA5T2UuyspVbhgvNIIzWJ/AH5YZtS1AQAA"
+        "Analytics": "v2:deflate64:H4sIAAAAAAAA/2VRTU/DMAz9LdzTwECAOLIJbojSca/cxJuytkmJk6Kp6n8ncVGZxCV+z/bzV27l4728uYJvKpRui840ctoHUK3YHWwJHnoM6DN5g2Ew9pjhzlltgnFWJF09ddA3GuT0Gq1ib0pZ8cuINuxd9AovKvz3zsJAL6fKdZgT2JauM+rMkzCaBd3VQISB5HM2icttVC2GLRAKfbbQO51W+IRmqcMg6b5ITh8RIzsXwC/rGP01u6DzLCoknlNwx3SbY95BRQqur/1vkGTp3Wh0PhVHVlXe5QKvt32PYYhhFtZplCe6HjcPcvOUvuJExhQ+2mB6lNVifwARyTzapgEAAA=="
       },
       "Metadata": {
         "aws:cdk:path": "CommonResourceStack/CDKMetadata/Default"
@@ -911,7 +911,7 @@
     "ComplianceStack": {
       "Type": "AWS::CloudFormation::Stack",
       "Properties": {
-        "TemplateURL": "https://solutions-reference.s3.amazonaws.com/aws-firewall-manager-automations-for-aws-organizations/v2.0.3/aws-fms-compliance.template",
+        "TemplateURL": "https://solutions-reference.s3.amazonaws.com/aws-firewall-manager-automations-for-aws-organizations/v2.0.4/aws-fms-compliance.template",
         "Parameters": {
           "MetricsQueue": {
             "Fn::GetAtt": [
@@ -939,7 +939,7 @@
     "PolicyStack": {
       "Type": "AWS::CloudFormation::Stack",
       "Properties": {
-        "TemplateURL": "https://solutions-reference.s3.amazonaws.com/aws-firewall-manager-automations-for-aws-organizations/v2.0.3/aws-fms-policy.template",
+        "TemplateURL": "https://solutions-reference.s3.amazonaws.com/aws-firewall-manager-automations-for-aws-organizations/v2.0.4/aws-fms-policy.template",
         "Parameters": {
           "PolicyTable": {
             "Ref": "FMSTable84B8646C"

deployment/aws-fms-compliance.template

@@ -1,5 +1,5 @@
 {
-  "Description": "(SO0134-cr) - The AWS CloudFormation template for deployment of the aws-firewall-manager-automations-for-aws-organizations compliance reporter resources. Version v2.0.3",
+  "Description": "(SO0134-cr) - The AWS CloudFormation template for deployment of the aws-firewall-manager-automations-for-aws-organizations compliance reporter resources. Version v2.0.4",
   "AWSTemplateFormatVersion": "2010-09-09",
   "Metadata": {
     "AWS::CloudFormation::Interface": {
@@ -41,15 +41,14 @@
       },
       "Solution": {
         "SolutionId": "SO0134",
-        "SolutionVersion": "v2.0.3"
+        "SolutionVersion": "v2.0.4"
       }
     }
   },
   "Resources": {
     "AccessLogsBucket83982689": {
       "Type": "AWS::S3::Bucket",
       "Properties": {
-        "AccessControl": "LogDeliveryWrite",
         "BucketEncryption": {
           "ServerSideEncryptionConfiguration": [
             {
@@ -104,6 +103,92 @@
         }
       }
     },
+    "AccessLogsBucketPolicy7F77476F": {
+      "Type": "AWS::S3::BucketPolicy",
+      "Properties": {
+        "Bucket": {
+          "Ref": "AccessLogsBucket83982689"
+        },
+        "PolicyDocument": {
+          "Statement": [
+            {
+              "Action": "s3:*",
+              "Condition": {
+                "Bool": {
+                  "aws:SecureTransport": "false"
+                }
+              },
+              "Effect": "Deny",
+              "Principal": {
+                "AWS": "*"
+              },
+              "Resource": [
+                {
+                  "Fn::GetAtt": [
+                    "AccessLogsBucket83982689",
+                    "Arn"
+                  ]
+                },
+                {
+                  "Fn::Join": [
+                    "",
+                    [
+                      {
+                        "Fn::GetAtt": [
+                          "AccessLogsBucket83982689",
+                          "Arn"
+                        ]
+                      },
+                      "/*"
+                    ]
+                  ]
+                }
+              ]
+            },
+            {
+              "Action": "s3:PutObject",
+              "Condition": {
+                "ArnLike": {
+                  "aws:SourceArn": {
+                    "Fn::GetAtt": [
+                      "ComplianceReportBucketC209518B",
+                      "Arn"
+                    ]
+                  }
+                },
+                "StringEquals": {
+                  "aws:SourceAccount": {
+                    "Ref": "AWS::AccountId"
+                  }
+                }
+              },
+              "Effect": "Allow",
+              "Principal": {
+                "Service": "logging.s3.amazonaws.com"
+              },
+              "Resource": {
+                "Fn::Join": [
+                  "",
+                  [
+                    {
+                      "Fn::GetAtt": [
+                        "AccessLogsBucket83982689",
+                        "Arn"
+                      ]
+                    },
+                    "/*"
+                  ]
+                ]
+              }
+            }
+          ],
+          "Version": "2012-10-17"
+        }
+      },
+      "Metadata": {
+        "aws:cdk:path": "CommonResourceStack/ComplianceGeneratorStack/AccessLogsBucket/Policy/Resource"
+      }
+    },
     "ComplianceReportBucketC209518B": {
       "Type": "AWS::S3::Bucket",
       "Properties": {
@@ -144,6 +229,56 @@
         }
       }
     },
+    "ComplianceReportBucketPolicy00A36248": {
+      "Type": "AWS::S3::BucketPolicy",
+      "Properties": {
+        "Bucket": {
+          "Ref": "ComplianceReportBucketC209518B"
+        },
+        "PolicyDocument": {
+          "Statement": [
+            {
+              "Action": "s3:*",
+              "Condition": {
+                "Bool": {
+                  "aws:SecureTransport": "false"
+                }
+              },
+              "Effect": "Deny",
+              "Principal": {
+                "AWS": "*"
+              },
+              "Resource": [
+                {
+                  "Fn::GetAtt": [
+                    "ComplianceReportBucketC209518B",
+                    "Arn"
+                  ]
+                },
+                {
+                  "Fn::Join": [
+                    "",
+                    [
+                      {
+                        "Fn::GetAtt": [
+                          "ComplianceReportBucketC209518B",
+                          "Arn"
+                        ]
+                      },
+                      "/*"
+                    ]
+                  ]
+                }
+              ]
+            }
+          ],
+          "Version": "2012-10-17"
+        }
+      },
+      "Metadata": {
+        "aws:cdk:path": "CommonResourceStack/ComplianceGeneratorStack/ComplianceReportBucket/Policy/Resource"
+      }
+    },
     "TopicBFC7AF6E": {
       "Type": "AWS::SNS::Topic",
       "Properties": {
@@ -320,7 +455,7 @@
           "S3Bucket": {
             "Fn::Sub": "solutions-${AWS::Region}"
           },
-          "S3Key": "aws-firewall-manager-automations-for-aws-organizations/v2.0.3/asset41a5407bca18500cf7b553e770434e9d34140172c609dfc3e73ac0427410c36b.zip"
+          "S3Key": "aws-firewall-manager-automations-for-aws-organizations/v2.0.4/asset7ca48ba4c31630e32e9bbd83b4930a1cc50ce235d4df68ede7e2560ed40a09e1.zip"
         },
         "Role": {
           "Fn::GetAtt": [
@@ -629,7 +764,7 @@
     "CDKMetadata": {
       "Type": "AWS::CDK::Metadata",
       "Properties": {
-        "Analytics": "v2:deflate64:H4sIAAAAAAAA/01Q0W7DIAz8lr4Td1HU7XVrpb5tzdL9ACVeRZNAhqHThPj3AUnbvPju7OOMXEL5UsHT6pX/UiHabu2FNgj+A8lie7RcdGz3rWpu+IAWTRLvfBylOrMGSTsjkL0RoY3ec+pGw8HZ0Vm204qsccKm3t0ceRy00kqtAktrPVXgt050mJ0zm2DLCQMjReC/9ChFMkwk11r3Uvzdm7M8uhMJI8e0Is2WOob9xLBPhy7/ZSK5PsIWMrCeD6eWg987JW6JS16jGSRRzpZ8AN/oPkdnfITe8qgqeDoYQb4bwyuqKHzj5mcRQwhM6RbhQutr+QzlBsrVhaQsjFNWDgjNhP/ayCChwAEAAA=="
+        "Analytics": "v2:deflate64:H4sIAAAAAAAA/02RzU7DMBCEn4W7YygVII60EjdoSLlXjrOttkns1GsXISvvjn9Skotnxrv7SV4/8pcn/nAnfqiQTVt0WHP/CWSh2VshW7Y9qlIY0YMFE8OHGAZUJxYGDp7W3G+cbMHG0uSylLpD+TtfTzmHjSAYGSni/lsPKGNbNumcZ5dx72qSBgeLWsXaMgfYJcC+HDiItWzSOcMWcWSd6OtGcP/ulLwRl74E0yNRYqPoua90l9BJZ+iNR+uDIAJL/C0KgyuoEHzlprGg48gqIO2MBJa6wopPcZmhvnN2cGmN/y3Bb7VqMD9Q6Qb4me6vq2e+eg1fdibEwjhlsQdeZf0DWOxBKM4BAAA="
       },
       "Metadata": {
         "aws:cdk:path": "CommonResourceStack/ComplianceGeneratorStack/CDKMetadata/Default"