Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: Check standard logs in AwsSolutions-CFR3 #1877

Open
wants to merge 15 commits into
base: main
Choose a base branch
from
Open

fix: Check standard logs in AwsSolutions-CFR3 #1877

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
0e4648c
fix: Check standard logs in AwsSolutions-CFR3
georeeve Jan 14, 2025
259dcbf
Set in a map to check later
georeeve Jan 14, 2025
42ef106
Traverse Stack to find matching CfnDeliverySource
georeeve Jan 14, 2025
25dd43b
Add Noncompliance test to check multiple distributions
georeeve Jan 14, 2025
a73f1bb
Also check CfnDelivery
georeeve Jan 14, 2025
bb16f40
Try to resolve SSM parameters
georeeve Jan 14, 2025
30e092f
Merge branch 'main' into cf-standard-v2
georeeve Feb 13, 2025
123ddb7
Remove corepack package manager
georeeve Feb 13, 2025
b361922
Remove corepack package manager
georeeve Feb 13, 2025
d5090b9
Undo CDK version bump
georeeve Feb 13, 2025
d9709c9
Revert "Undo CDK version bump"
georeeve Feb 13, 2025
df6639e
Traverse CfnDeliverySource and CfnDelivery separately
georeeve Feb 13, 2025
5f91662
Undo test.only
georeeve Feb 13, 2025
10472f8
Update version
georeeve Feb 18, 2025
333c5c1
Merge branch 'main' into cf-standard-v2
georeeve Feb 18, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .projen/deps.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion .projenrc.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ const { awscdk, vscode } = require('projen');
const project = new awscdk.AwsCdkConstructLibrary({
author: 'Arun Donti',
authorAddress: '[email protected]',
cdkVersion: '2.156.0',
cdkVersion: '2.167.0',
defaultReleaseBranch: 'main',
majorVersion: 2,
npmDistTag: 'latest',
Expand Down
4 changes: 2 additions & 2 deletions package.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

40 changes: 40 additions & 0 deletions src/rules/cloudfront/CloudFrontDistributionAccessLogging.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,9 @@ import {
CfnDistribution,
CfnStreamingDistribution,
} from 'aws-cdk-lib/aws-cloudfront';
import { CfnDelivery, CfnDeliverySource } from 'aws-cdk-lib/aws-logs';
import { NagRuleCompliance, NagRules } from '../../nag-rules';
import { flattenCfnReference } from '../../utils/flatten-cfn-reference';

/**
* CloudFront distributions have access logging enabled
Expand All @@ -21,6 +23,44 @@ export default Object.defineProperty(
node.distributionConfig
);
if (distributionConfig.logging == undefined) {
const distributionArn = flattenCfnReference(
Stack.of(node).resolve(
Stack.of(node).formatArn({
service: 'cloudfront',
region: '',
resource: 'distribution',
resourceName: node.attrId,
})
)
).replace('.Id', '');

let deliverySourceName;
for (const child of Stack.of(node).node.findAll()) {
if (child instanceof CfnDeliverySource) {
const deliverySourceArn = flattenCfnReference(
Stack.of(child).resolve(child.resourceArn)
);
const logType = Stack.of(child).resolve(child.logType);
if (
deliverySourceArn === distributionArn &&
logType === 'ACCESS_LOGS'
) {
deliverySourceName = Stack.of(child).resolve(child.name);
}
}
Comment on lines +37 to +50
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This doesn't take into account if the stack has multiple delivery sources defined that reference the distribution. If multiple are found then it will always pick the last one

}

for (const child of Stack.of(node).node.findAll()) {
if (child instanceof CfnDelivery) {
if (
deliverySourceName ===
Stack.of(child).resolve(child.deliverySourceName)
) {
return NagRuleCompliance.COMPLIANT;
}
}
}
Comment on lines +53 to +62
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be a nested for loop. We don't need this to execute if a matching delivery source has not been found


return NagRuleCompliance.NON_COMPLIANT;
}
return NagRuleCompliance.COMPLIANT;
Expand Down
124 changes: 124 additions & 0 deletions test/rules/CloudFront.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,12 @@ import {
S3Origin,
S3BucketOrigin,
} from 'aws-cdk-lib/aws-cloudfront-origins';
import {
CfnDelivery,
CfnDeliveryDestination,
CfnDeliverySource,
LogGroup,
} from 'aws-cdk-lib/aws-logs';
import { Bucket } from 'aws-cdk-lib/aws-s3';
import { CfnWebACL } from 'aws-cdk-lib/aws-wafv2';
import { Aspects, Stack } from 'aws-cdk-lib/core';
Expand Down Expand Up @@ -76,6 +82,49 @@ describe('Amazon CloudFront', () => {
});
validateStack(stack, ruleId, TestType.NON_COMPLIANCE);
});
test('Noncompliance 3', () => {
const distribution1 = new Distribution(stack, 'Distribution1', {
defaultBehavior: {
origin: new S3Origin(new Bucket(stack, 'OriginBucket1')),
},
});
new Distribution(stack, 'Distribution2', {
defaultBehavior: {
origin: new S3Origin(new Bucket(stack, 'OriginBucket2')),
},
});
const distributionDeliverySource = new CfnDeliverySource(
stack,
'DistributionDeliverySource',
{
name: 'distribution-logs-source',
logType: 'ACCESS_LOGS',
resourceArn: Stack.of(stack).formatArn({
service: 'cloudfront',
region: '',
resource: 'distribution',
resourceName: distribution1.distributionId,
}),
}
);

const distributionDeliveryDestination = new CfnDeliveryDestination(
stack,
'DistributionDeliveryDestination',
{
name: 'distribution-logs-destination',
destinationResourceArn: new LogGroup(stack, 'DistributionLogGroup')
.logGroupArn,
outputFormat: 'json',
}
);

new CfnDelivery(stack, 'DistributionDelivery', {
deliverySourceName: distributionDeliverySource.name,
deliveryDestinationArn: distributionDeliveryDestination.attrArn,
}).node.addDependency(distributionDeliverySource);
validateStack(stack, ruleId, TestType.NON_COMPLIANCE);
});
test('Compliance', () => {
const logsBucket = new Bucket(stack, 'LoggingBucket');
new Distribution(stack, 'Distribution', {
Expand Down Expand Up @@ -108,6 +157,81 @@ describe('Amazon CloudFront', () => {
});
validateStack(stack, ruleId, TestType.COMPLIANCE);
});
test('Compliance 2', () => {
const distribution = new Distribution(stack, 'Distribution', {
defaultBehavior: {
origin: new S3Origin(new Bucket(stack, 'OriginBucket')),
},
});

const distributionDeliverySource = new CfnDeliverySource(
stack,
'DistributionDeliverySource',
{
name: 'distribution-logs-source',
logType: 'ACCESS_LOGS',
resourceArn: Stack.of(stack).formatArn({
service: 'cloudfront',
region: '',
resource: 'distribution',
resourceName: distribution.distributionId,
}),
}
);

const distributionDeliveryDestination = new CfnDeliveryDestination(
stack,
'DistributionDeliveryDestination',
{
name: 'distribution-logs-destination',
destinationResourceArn: new LogGroup(stack, 'DistributionLogGroup')
.logGroupArn,
outputFormat: 'json',
}
);

new CfnDelivery(stack, 'DistributionDelivery', {
deliverySourceName: distributionDeliverySource.name,
deliveryDestinationArn: distributionDeliveryDestination.attrArn,
}).node.addDependency(distributionDeliverySource);
validateStack(stack, ruleId, TestType.COMPLIANCE);
});
test('Compliance 2', () => {
const distribution = new Distribution(stack, 'Distribution', {
defaultBehavior: {
origin: new S3Origin(new Bucket(stack, 'OriginBucket')),
},
});

const distributionDeliveryDestination = new CfnDeliveryDestination(
stack,
'DistributionDeliveryDestination',
{
name: 'distribution-logs-destination',
destinationResourceArn: new LogGroup(stack, 'DistributionLogGroup')
.logGroupArn,
outputFormat: 'json',
}
);

new CfnDelivery(stack, 'DistributionDelivery', {
deliverySourceName: 'distribution-logs-source',
deliveryDestinationArn: distributionDeliveryDestination.attrArn,
});

new CfnDeliverySource(stack, 'DistributionDeliverySource', {
name: 'distribution-logs-source',
logType: 'ACCESS_LOGS',
resourceArn: Stack.of(stack).formatArn({
service: 'cloudfront',
region: '',
resource: 'distribution',
resourceName: distribution.distributionId,
}),
});

validateStack(stack, ruleId, TestType.COMPLIANCE);
});
});

describe('CloudFrontDistributionGeoRestrictions: CloudFront distributions may require Geo restrictions', () => {
Expand Down
50 changes: 25 additions & 25 deletions yarn.lock
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading