diff --git a/.gitignore b/.gitignore
index 967987b..29058df 100644
--- a/.gitignore
+++ b/.gitignore
@@ -27,3 +27,4 @@
 **/.DS_Store
 **/.vscode
 source/test
+.idea
\ No newline at end of file
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 451bc19..1ff7008 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.0.2] - 2023-05-03
+### Changed
+- Enabled Amazon S3 server access logging on logging bucket(s) using bucket policy
+
 ## [1.0.1] - 2021-05-21
 ### Added
 - Updated SNS Topic Display Name ([#7](https://github.com/awslabs/cognito-user-profiles-export-reference-architecture/issues/7))
diff --git a/deployment/cognito-user-profiles-export-reference-architecture.yaml b/deployment/cognito-user-profiles-export-reference-architecture.yaml
index e9a948f..87dcae9 100644
--- a/deployment/cognito-user-profiles-export-reference-architecture.yaml
+++ b/deployment/cognito-user-profiles-export-reference-architecture.yaml
@@ -755,6 +755,7 @@ Resources:
 Action:
 - states:CreateStateMachine
 - states:DeleteStateMachine
+ - states:DescribeStateMachine
 - states:UpdateStateMachine
 - states:TagResource
 - states:ListTagsForResource
@@ -792,6 +793,9 @@ Resources:
 - s3:PutBucketAcl
 - s3:PutBucketLogging
 - s3:PutBucketTagging
+ - s3:GetBucketPolicy
+ - s3:PutBucketPolicy
+ - s3:DeleteBucketPolicy
 Resource:
 - !Sub arn:${AWS::Partition}:s3:::${SolutionConstantsCustomResource.UserImportJobMappingFileBucketPrefix}-${AWS::Region}
 - !Sub arn:${AWS::Partition}:s3:::${SolutionConstantsCustomResource.UserImportJobMappingFileBucketPrefix}-${AWS::Region}-logs
diff --git a/deployment/stack-set-template.yaml b/deployment/stack-set-template.yaml
index 28a0d2b..9970d15 100644
--- a/deployment/stack-set-template.yaml
+++ b/deployment/stack-set-template.yaml
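Review bot: In the `@@ -792,6 +793,9 @@` hunk, `s3:PutBucketPolicy` and `s3:DeleteBucketPolicy` are added to a statement whose Resource list covers both the mapping-file bucket and its `-logs` bucket, while the only bucket policy this release introduces is the server-access-logging policy on the `-logs` bucket. Unless the role also has to manage a policy on the data bucket (the Resource list and the rest of the statement continue outside the hunk, so I cannot confirm), the two policy-write actions are wider than the change needs; a separate statement with `Action: [s3:GetBucketPolicy, s3:PutBucketPolicy, s3:DeleteBucketPolicy]` and `Resource: !Sub arn:${AWS::Partition}:s3:::${SolutionConstantsCustomResource.UserImportJobMappingFileBucketPrefix}-${AWS::Region}-logs` would keep the role at least privilege. `s3:GetBucketPolicy` is read-only and is fine on both ARNs.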
@@ -1388,7 +1388,6 @@ Resources:
 - Key: solution-id-SO0126
 Value: !Sub ${StackSetConstantsCustomResource.ParentStackName}-${PrimaryRegion}
 BucketName: !Sub ${StackSetConstantsCustomResource.UserImportJobMappingFileBucketPrefix}-${AWS::Region}-logs
- AccessControl: LogDeliveryWrite
 PublicAccessBlockConfiguration:
 BlockPublicAcls: True
 BlockPublicPolicy: True
@@ -1399,6 +1398,43 @@ Resources:
 - ServerSideEncryptionByDefault:
 SSEAlgorithm: aws:kms
 
+ S3ServerAccessLogsPolicy:
+ Type: AWS::S3::BucketPolicy
+ Properties:
+ Bucket: !Ref UserImportJobMappingFilesLogsBucket
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Sid: S3ServerAccessLogsPolicy
+ Effect: Allow
+ Principal:
+ Service: logging.s3.amazonaws.com
+ Action:
+ - s3:PutObject
+ Resource:
+ Fn::Join: [
+ '', [
+ 'arn:',
+ !Ref AWS::Partition,
+ ':s3:::',
+ !Ref UserImportJobMappingFilesLogsBucket,
+ '/cupera-userimportjob*',
+ ]
+ ]
+ Condition:
+ ArnLike:
+ aws:SourceArn:
+ - Fn::Join: [
+ '', [
+ 'arn:',
+ !Ref AWS::Partition,
+ ':s3:::',
+ !Ref UserImportJobMappingFiles
+ ]
+ ]
+ StringEquals:
+ aws:SourceAccount: !Ref AWS::AccountId
+
 CheckExecutionsLambda:
 Type: AWS::Lambda::Function
 Metadata:
diff --git a/source/custom-resources/package.json b/source/custom-resources/package.json
index b159237..a7cc6a9 100644
--- a/source/custom-resources/package.json
+++ b/source/custom-resources/package.json
@@ -5,7 +5,7 @@
 "name": "aws-solutions-builder"
 },
 "license": "Apache-2.0",
- "version": "1.0.1",
+ "version": "1.0.2",
 "private": true,
 "dependencies": {
 "axios": "^0.21.1",
diff --git a/source/utils/package.json b/source/utils/package.json
index ee0cc48..14327f5 100644
--- a/source/utils/package.json
+++ b/source/utils/package.json
@@ -1,6 +1,6 @@
 {
 "name": "utils",
- "version": "1.0.1",
+ "version": "1.0.2",
 "description": "Custom Resource Helper functions",
 "scripts": {
 "clean": "rm -rf dist/ node_modules/ coverage/ package-lock.json",
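Review bot: Removing `AccessControl: LogDeliveryWrite` in the `@@ -1388,7 +1388,6 @@` hunk takes away the ACL grant but does not disable ACLs on the bucket, so the new bucket policy becomes one of two possible grant paths rather than the only one. Since the grant now lives in S3ServerAccessLogsPolicy, adding `OwnershipControls:` / `Rules:` / `- ObjectOwnership: BucketOwnerEnforced` to this bucket (presumably UserImportJobMappingFilesLogsBucket, which the new policy references) makes ACL-based grants impossible and gives the bucket owner ownership of every delivered log object. The bucket definition starts before and ends after this hunk, so it may already carry this setting further down; if so, ignore this.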
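Review bot: S3ServerAccessLogsPolicy takes `!Ref UserImportJobMappingFiles` in its `aws:SourceArn` condition, which makes CloudFormation create the source bucket before this policy, yet with the ACL grant gone the logs bucket only accepts deliveries once this policy exists, and S3 validates the target bucket's grant at the time logging is enabled. If logging is enabled out-of-band by a custom resource, that resource needs `DependsOn: S3ServerAccessLogsPolicy`; if it is declared as a LoggingConfiguration on UserImportJobMappingFiles itself, the condition would have to build the source ARN with `!Sub` from the bucket-name expression instead of `!Ref` so the policy is not ordered after the bucket. Also worth confirming that `'/cupera-userimportjob*'` matches the target prefix used when logging is enabled, because a delivery denied by this policy is dropped silently rather than reported. Both resources continue outside this hunk.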
diff --git a/source/workflow-common/package.json b/source/workflow-common/package.json
index c0cc5b6..b0fd7ac 100644
--- a/source/workflow-common/package.json
+++ b/source/workflow-common/package.json
@@ -1,6 +1,6 @@
 {
 "name": "workflow-common",
- "version": "1.0.1",
+ "version": "1.0.2",
 "description": "Common functionality for all Step Functions Workflows",
 "author": {
 "name": "aws-solutions-builder"
diff --git a/source/workflow-export/package.json b/source/workflow-export/package.json
index 1dfbb73..ba8e527 100644
--- a/source/workflow-export/package.json
+++ b/source/workflow-export/package.json
@@ -5,7 +5,7 @@
 "name": "aws-solutions-builder"
 },
 "license": "Apache-2.0",
- "version": "1.0.1",
+ "version": "1.0.2",
 "private": true,
 "dependencies": {
 "uuid": "^8.3.0"
diff --git a/source/workflow-import/package.json b/source/workflow-import/package.json
index ba088d0..e46526e 100644
--- a/source/workflow-import/package.json
+++ b/source/workflow-import/package.json
@@ -1,6 +1,6 @@
 {
 "name": "workflow-import",
- "version": "1.0.1",
+ "version": "1.0.2",
 "description": "Populates a new user pool with user profiles, groups and group memberships from the backup table",
 "scripts": {
 "clean": "rm -rf dist/ node_modules/ coverage/ package-lock.json",