feat(s3): Allow separate logging bucket for AWS Config

For the case where the central logs bucket has Object Lock enabled, AWS
Config does not support logging directly to the central logs bucket. A
workaround for that issue is to create a separate bucket without Object
Lock enabled and replicate everything over to the central logs bucket.
This change adds the option to create that separate bucket with a
replication rule into the central logs bucket and repointing AWS Config
to use that separate bucket instead.

Author: omnibrian

source/packages/@aws-accelerator/accelerator/lib/stacks/accelerator-stack.ts

@@ -108,6 +108,11 @@ export abstract class AcceleratorStack extends cdk.Stack {
    */
   public static readonly ACCELERATOR_CONFIGURATION_REPOSITORY_NAME = 'aws-accelerator-config';
 
+  /**
+   * Accelerator AWS Config bucket name prefix
+   */
+  public static readonly ACCELERATOR_CONFIG_BUCKET_PREFIX = 'aws-accelerator-aws-config';
+
   /**
    * Accelerator S3 access logs bucket name prefix
    */

source/packages/@aws-accelerator/accelerator/lib/stacks/logging-stack.ts

@@ -251,6 +251,65 @@ export class LoggingStack extends AcceleratorStack {
     // Create VPC Flow logs destination bucket
     this.createVpcFlowLogsBucket(s3Key, serverAccessLogsBucket, replicationProps);
 
+    if (
+      cdk.Stack.of(this).account === this.props.accountsConfig.getLogArchiveAccountId() &&
+      this.props.securityConfig.awsConfig.enableDeliveryChannel &&
+      this.props.securityConfig.awsConfig.useSeparateBucket
+    ) {
+      const configBucket = new Bucket(this, 'ConfigBucket', {
+        encryptionType: BucketEncryptionType.SSE_KMS,
+        s3BucketName: `${AcceleratorStack.ACCELERATOR_CONFIG_BUCKET_PREFIX}-${cdk.Stack.of(this).account}-${
+          cdk.Stack.of(this).region
+        }`,
+        kmsKey: this.centralLogsBucket?.getS3Bucket().getKey(),
+        serverAccessLogsBucket: serverAccessLogsBucket.getS3Bucket(),
+        replicationProps,
+        s3LifeCycleRules: this.getS3LifeCycleRules(this.props.globalConfig.logging.configBucket?.lifecycleRules),
+      });
+
+      // To make sure central log bucket created before elb access log bucket, this is required when logging stack executes in home region
+      if (this.centralLogsBucket) {
+        configBucket.node.addDependency(this.centralLogsBucket);
+      }
+
+      // AwsSolutions-IAM5: The IAM entity contains wildcard permissions and does not have a cdk_nag rule suppression with evidence for those permission.
+      NagSuppressions.addResourceSuppressionsByPath(
+        this,
+        `/${this.stackName}/ConfigBucket/ConfigBucketReplication/` +
+          pascalCase(this.centralLogsBucketName) +
+          '-ReplicationRole/DefaultPolicy/Resource',
+        [
+          {
+            id: 'AwsSolutions-IAM5',
+            reason: 'Allows only specific policy.',
+          },
+        ],
+      );
+
+      configBucket.getS3Bucket().addToResourcePolicy(
+        new cdk.aws_iam.PolicyStatement({
+          principals: [new cdk.aws_iam.ServicePrincipal('config.amazonaws.com')],
+          actions: ['s3:PutObject'],
+          resources: [configBucket.getS3Bucket().arnForObjects('*')],
+          conditions: {
+            StringEquals: {
+              's3:x-amz-acl': 'bucket-owner-full-control',
+            },
+          },
+        }),
+      );
+
+      configBucket.getS3Bucket().addToResourcePolicy(
+        new cdk.aws_iam.PolicyStatement({
+          principals: [new cdk.aws_iam.ServicePrincipal('config.amazonaws.com')],
+          actions: ['s3:GetBucketAcl', 's3:ListBucket'],
+          resources: [configBucket.getS3Bucket().bucketArn],
+        }),
+      );
+
+      this.configBucketAddResourcePolicies(configBucket.getS3Bucket());
+    }
+
     /**
      * Create S3 Bucket for ELB Access Logs, this is created in log archive account
      * For ELB to write access logs bucket is needed to have SSE-S3 server-side encryption
@@ -1741,6 +1800,24 @@ export class LoggingStack extends AcceleratorStack {
     ]);
   }
 
+  private configBucketAddResourcePolicies(configBucket: cdk.aws_s3.IBucket) {
+    this.logger.info('Adding AWS Config bucket resource policies to S3');
+    for (const attachment of this.props.globalConfig.logging.configBucket?.s3ResourcePolicyAttachments ?? []) {
+      const policyDocument = JSON.parse(
+        this.generatePolicyReplacements(path.join(this.props.configDirPath, attachment.policy), false),
+      );
+      // Create a statements list using the PolicyStatement factory
+      const statements: cdk.aws_iam.PolicyStatement[] = [];
+      for (const statement of policyDocument.Statement) {
+        statements.push(cdk.aws_iam.PolicyStatement.fromJson(statement));
+      }
+
+      for (const statement of statements) {
+        configBucket.addToResourcePolicy(statement);
+      }
+    }
+  }
+
   private elbLogBucketAddResourcePolicies(elbLogBucket: cdk.aws_s3.IBucket) {
     this.logger.info(`Adding elb log bucket resource policies to S3`);
     for (const attachment of this.props.globalConfig.logging.elbLogBucket?.s3ResourcePolicyAttachments ?? []) {

source/packages/@aws-accelerator/accelerator/lib/stacks/security-resources-stack.ts

@@ -496,7 +496,9 @@ export class SecurityResourcesStack extends AcceleratorStack {
 
       if (this.props.securityConfig.awsConfig.enableDeliveryChannel) {
         new config.CfnDeliveryChannel(this, 'ConfigDeliveryChannel', {
-          s3BucketName: `${AcceleratorStack.ACCELERATOR_CENTRAL_LOGS_BUCKET_NAME_PREFIX}-${this.logArchiveAccountId}-${this.props.centralizedLoggingRegion}`,
+          s3BucketName: this.props.securityConfig.awsConfig.useSeparateBucket
+            ? `${AcceleratorStack.ACCELERATOR_CONFIG_BUCKET_PREFIX}-${this.logArchiveAccountId}-${this.props.centralizedLoggingRegion}`
+            : `${AcceleratorStack.ACCELERATOR_CENTRAL_LOGS_BUCKET_NAME_PREFIX}-${this.logArchiveAccountId}-${this.props.centralizedLoggingRegion}`,
           configSnapshotDeliveryProperties: {
             deliveryFrequency: 'One_Hour',
           },