Update to version v1.0.2

- Enabled Amazon S3 server access logging on logging bucket(s) using bucket policy
aws-solutions · May 4, 2023 · 8be832c · 8be832c
2 parents 9139b29 + d7b830c
commit 8be832c
Show file tree

Hide file tree

Showing 9 changed files with 51 additions and 6 deletions.
diff --git a/.gitignore b/.gitignore
@@ -27,3 +27,4 @@
 **/.DS_Store
 **/.vscode
 source/test
+.idea
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.0.2] - 2023-05-03
+### Changed
+- Enabled Amazon S3 server access logging on logging bucket(s) using bucket policy
+
 ## [1.0.1] - 2021-05-21
 ### Added
 - Updated SNS Topic Display Name ([#7](https://github.com/awslabs/cognito-user-profiles-export-reference-architecture/issues/7))

diff --git a/deployment/cognito-user-profiles-export-reference-architecture.yaml b/deployment/cognito-user-profiles-export-reference-architecture.yaml
@@ -755,6 +755,7 @@ Resources:
                 Action:
                   - states:CreateStateMachine
                   - states:DeleteStateMachine
+                  - states:DescribeStateMachine
                   - states:UpdateStateMachine
                   - states:TagResource
                   - states:ListTagsForResource
@@ -792,6 +793,9 @@ Resources:
                   - s3:PutBucketAcl
                   - s3:PutBucketLogging
                   - s3:PutBucketTagging
+                  - s3:GetBucketPolicy
+                  - s3:PutBucketPolicy
+                  - s3:DeleteBucketPolicy
                 Resource:
                   - !Sub arn:${AWS::Partition}:s3:::${SolutionConstantsCustomResource.UserImportJobMappingFileBucketPrefix}-${AWS::Region}
                   - !Sub arn:${AWS::Partition}:s3:::${SolutionConstantsCustomResource.UserImportJobMappingFileBucketPrefix}-${AWS::Region}-logs

diff --git a/deployment/stack-set-template.yaml b/deployment/stack-set-template.yaml
@@ -1388,7 +1388,6 @@ Resources:
         - Key: solution-id-SO0126
           Value: !Sub ${StackSetConstantsCustomResource.ParentStackName}-${PrimaryRegion}
       BucketName: !Sub ${StackSetConstantsCustomResource.UserImportJobMappingFileBucketPrefix}-${AWS::Region}-logs
-      AccessControl: LogDeliveryWrite
       PublicAccessBlockConfiguration:
         BlockPublicAcls: True
         BlockPublicPolicy: True
@@ -1399,6 +1398,43 @@ Resources:
           - ServerSideEncryptionByDefault:
               SSEAlgorithm: aws:kms
 
+  S3ServerAccessLogsPolicy:
+    Type: AWS::S3::BucketPolicy
+    Properties:
+      Bucket: !Ref UserImportJobMappingFilesLogsBucket
+      PolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Sid: S3ServerAccessLogsPolicy
+            Effect: Allow
+            Principal:
+              Service: logging.s3.amazonaws.com
+            Action:
+              - s3:PutObject
+            Resource:
+              Fn::Join: [
+                '', [
+                  'arn:',
+                  !Ref AWS::Partition,
+                  ':s3:::',
+                  !Ref UserImportJobMappingFilesLogsBucket,
+                  '/cupera-userimportjob*',
+                ]
+              ]
+            Condition:
+              ArnLike:
+                aws:SourceArn:
+                  - Fn::Join: [
+                    '', [
+                      'arn:',
+                      !Ref AWS::Partition,
+                      ':s3:::',
+                      !Ref UserImportJobMappingFiles
+                    ]
+                  ]
+              StringEquals:
+                aws:SourceAccount: !Ref AWS::AccountId
+
   CheckExecutionsLambda:
     Type: AWS::Lambda::Function
     Metadata:

diff --git a/source/custom-resources/package.json b/source/custom-resources/package.json
@@ -5,7 +5,7 @@
     "name": "aws-solutions-builder"
   },
   "license": "Apache-2.0",
-  "version": "1.0.1",
+  "version": "1.0.2",
   "private": true,
   "dependencies": {
     "axios": "^0.21.1",

diff --git a/source/utils/package.json b/source/utils/package.json
@@ -1,6 +1,6 @@
 {
   "name": "utils",
-  "version": "1.0.1",
+  "version": "1.0.2",
   "description": "Custom Resource Helper functions",
   "scripts": {
     "clean": "rm -rf dist/ node_modules/ coverage/ package-lock.json",

diff --git a/source/workflow-common/package.json b/source/workflow-common/package.json
@@ -1,6 +1,6 @@
 {
     "name": "workflow-common",
-    "version": "1.0.1",
+    "version": "1.0.2",
     "description": "Common functionality for all Step Functions Workflows",
     "author": {
         "name": "aws-solutions-builder"

diff --git a/source/workflow-export/package.json b/source/workflow-export/package.json
@@ -5,7 +5,7 @@
     "name": "aws-solutions-builder"
   },
   "license": "Apache-2.0",
-  "version": "1.0.1",
+  "version": "1.0.2",
   "private": true,
   "dependencies": {
     "uuid": "^8.3.0"

diff --git a/source/workflow-import/package.json b/source/workflow-import/package.json
@@ -1,6 +1,6 @@
 {
   "name": "workflow-import",
-  "version": "1.0.1",
+  "version": "1.0.2",
   "description": "Populates a new user pool with user profiles, groups and group memberships from the backup table",
   "scripts": {
     "clean": "rm -rf dist/ node_modules/ coverage/ package-lock.json",