

feat(aws-s3-stepfunctions): added logS3AccessLogs and S3BucketInterfa…
…ce (#500)

* added logS3AccessLogs and S3BucketInterface to s3-stepfunctions

* added logS3AccessLogs and s3BucketInterface to s3-step-function
mickychetta committed Nov 16, 2021
1 parent 674b50b commit d7d10f6
Showing 17 changed files with 115 additions and 1,763 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -63,6 +63,7 @@ _Parameters_
|createCloudWatchAlarms|`boolean`|Whether to create recommended CloudWatch alarms|
|logGroupProps?|[`logs.LogGroupProps`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-logs.LogGroupProps.html)|User provided props to override the default props for for the CloudWatchLogs LogGroup.|
|loggingBucketProps?|[`s3.BucketProps`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-s3.BucketProps.html)|Optional user provided props to override the default props for the S3 Logging Bucket.|
|logS3AccessLogs?| boolean|Whether to turn on Access Logging for the S3 bucket. Creates an S3 bucket with associated storage costs for the logs. Enabling Access Logging is a best practice. default - true|

## Pattern Properties

Expand All @@ -76,7 +77,7 @@ _Parameters_
|cloudtrail|[`cloudtrail.Trail`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-cloudtrail.Trail.html)|Returns an instance of the cloudtrail.Trail created by the construct|
|cloudtrailBucket|[`s3.Bucket`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-s3.Bucket.html)|Returns an instance of the s3.Bucket created by the construct for CloudTrail|
|cloudtrailLoggingBucket|[`s3.Bucket`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-s3.Bucket.html)|Returns an instance of s3.Bucket created by the construct as the logging bucket for the primary CloudTrail bucket.|

|s3BucketInterface|[`s3.IBucket`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-s3.IBucket.html)|Returns an instance of s3.IBucket created by the construct.|
## Default settings

Out of the box implementation of the Construct without any override will set the following defaults:
Original file line number Diff line number Diff line change
Expand Up @@ -48,7 +48,7 @@ export interface S3ToStepFunctionProps {
*
* @default - None
*/
readonly eventRuleProps?: events.RuleProps;
readonly eventRuleProps?: events.RuleProps,
/**
* Whether to deploy a Trail in AWS CloudTrail to log API events in Amazon S3
*
Expand All @@ -66,13 +66,20 @@ export interface S3ToStepFunctionProps {
*
* @default - Default props are used
*/
readonly logGroupProps?: logs.LogGroupProps
readonly logGroupProps?: logs.LogGroupProps,
/**
* Optional user provided props to override the default props for the S3 Logging Bucket.
*
* @default - Default props are used
*/
readonly loggingBucketProps?: s3.BucketProps
readonly loggingBucketProps?: s3.BucketProps,
/**
* Whether to turn on Access Logs for the S3 bucket with the associated storage costs.
* Enabling Access Logging is a best practice.
*
* @default - true
*/
readonly logS3AccessLogs?: boolean;
}

export class S3ToStepFunction extends Construct {
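Review bot: The new member `readonly logS3AccessLogs?: boolean;` ends in a semicolon while the same hunk rewrites the neighbouring members `logGroupProps` and `loggingBucketProps` (and `eventRuleProps` in the hunk above) to trailing commas, leaving `S3ToStepFunctionProps` with mixed separators. Either keep `;` on every member, which is the usual convention for interface members, or switch all of them to `,`; mixing the two in one interface is the only thing a reader notices here. The doc comment on `logS3AccessLogs` could also state the concrete consequence the README in this commit spells out, e.g. `* When true (the default) an additional S3 bucket is created to receive the access logs.`; where the flag is consumed is not visible in this hunk, so confirm the wording against the wrapped construct before adding it.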
Expand All @@ -84,6 +91,7 @@ export class S3ToStepFunction extends Construct {
public readonly cloudtrail?: cloudtrail.Trail;
public readonly cloudtrailBucket?: s3.Bucket;
public readonly cloudtrailLoggingBucket?: s3.Bucket;
public readonly s3BucketInterface: s3.IBucket;

/**
* @summary Constructs a new instance of the S3ToStepFunction class.
Expand All @@ -110,5 +118,6 @@ export class S3ToStepFunction extends Construct {
this.cloudtrail = wrappedConstruct.cloudtrail;
this.cloudtrailBucket = wrappedConstruct.cloudtrailBucket;
this.cloudtrailLoggingBucket = wrappedConstruct.cloudtrailLoggingBucket;
this.s3BucketInterface = wrappedConstruct.s3BucketInterface;
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -176,273 +176,13 @@
}
}
},
"tests3stepfunctiontests3stepfunctionWCloudTrailS3LoggingBucket449D5AB7": {
"Type": "AWS::S3::Bucket",
"Properties": {
"AccessControl": "LogDeliveryWrite",
"BucketEncryption": {
"ServerSideEncryptionConfiguration": [
{
"ServerSideEncryptionByDefault": {
"SSEAlgorithm": "AES256"
}
}
]
},
"PublicAccessBlockConfiguration": {
"BlockPublicAcls": true,
"BlockPublicPolicy": true,
"IgnorePublicAcls": true,
"RestrictPublicBuckets": true
},
"VersioningConfiguration": {
"Status": "Enabled"
}
},
"UpdateReplacePolicy": "Retain",
"DeletionPolicy": "Retain",
"Metadata": {
"cfn_nag": {
"rules_to_suppress": [
{
"id": "W35",
"reason": "This S3 bucket is used as the access logging bucket for another bucket"
}
]
}
}
},
"tests3stepfunctiontests3stepfunctionWCloudTrailS3LoggingBucketPolicy7547A73F": {
"Type": "AWS::S3::BucketPolicy",
"Properties": {
"Bucket": {
"Ref": "tests3stepfunctiontests3stepfunctionWCloudTrailS3LoggingBucket449D5AB7"
},
"PolicyDocument": {
"Statement": [
{
"Action": "*",
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
},
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Resource": [
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"tests3stepfunctiontests3stepfunctionWCloudTrailS3LoggingBucket449D5AB7",
"Arn"
]
},
"/*"
]
]
},
{
"Fn::GetAtt": [
"tests3stepfunctiontests3stepfunctionWCloudTrailS3LoggingBucket449D5AB7",
"Arn"
]
}
],
"Sid": "HttpsOnly"
}
],
"Version": "2012-10-17"
}
}
},
"tests3stepfunctiontests3stepfunctionWCloudTrailS3Bucket24C50489": {
"Type": "AWS::S3::Bucket",
"Properties": {
"BucketEncryption": {
"ServerSideEncryptionConfiguration": [
{
"ServerSideEncryptionByDefault": {
"SSEAlgorithm": "AES256"
}
}
]
},
"LifecycleConfiguration": {
"Rules": [
{
"NoncurrentVersionTransitions": [
{
"StorageClass": "GLACIER",
"TransitionInDays": 90
}
],
"Status": "Enabled"
}
]
},
"LoggingConfiguration": {
"DestinationBucketName": {
"Ref": "tests3stepfunctiontests3stepfunctionWCloudTrailS3LoggingBucket449D5AB7"
}
},
"PublicAccessBlockConfiguration": {
"BlockPublicAcls": true,
"BlockPublicPolicy": true,
"IgnorePublicAcls": true,
"RestrictPublicBuckets": true
},
"VersioningConfiguration": {
"Status": "Enabled"
}
},
"UpdateReplacePolicy": "Retain",
"DeletionPolicy": "Retain"
},
"tests3stepfunctiontests3stepfunctionWCloudTrailS3BucketPolicy9ACF9ADC": {
"Type": "AWS::S3::BucketPolicy",
"Properties": {
"Bucket": {
"Ref": "tests3stepfunctiontests3stepfunctionWCloudTrailS3Bucket24C50489"
},
"PolicyDocument": {
"Statement": [
{
"Action": "*",
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
},
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Resource": [
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"tests3stepfunctiontests3stepfunctionWCloudTrailS3Bucket24C50489",
"Arn"
]
},
"/*"
]
]
},
{
"Fn::GetAtt": [
"tests3stepfunctiontests3stepfunctionWCloudTrailS3Bucket24C50489",
"Arn"
]
}
],
"Sid": "HttpsOnly"
},
{
"Action": "s3:GetBucketAcl",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Resource": {
"Fn::GetAtt": [
"tests3stepfunctiontests3stepfunctionWCloudTrailS3Bucket24C50489",
"Arn"
]
}
},
{
"Action": "s3:PutObject",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
},
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Resource": {
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"tests3stepfunctiontests3stepfunctionWCloudTrailS3Bucket24C50489",
"Arn"
]
},
"/AWSLogs/",
{
"Ref": "AWS::AccountId"
},
"/*"
]
]
}
}
],
"Version": "2012-10-17"
}
}
},
"tests3stepfunctiontests3stepfunctionWS3EventsTrailA0FDE626": {
"Type": "AWS::CloudTrail::Trail",
"Properties": {
"IsLogging": true,
"S3BucketName": {
"Ref": "tests3stepfunctiontests3stepfunctionWCloudTrailS3Bucket24C50489"
},
"EnableLogFileValidation": true,
"EventSelectors": [
{
"DataResources": [
{
"Type": "AWS::S3::Object",
"Values": [
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"tests3stepfunctiontests3stepfunctionWS3Bucket9BE64924",
"Arn"
]
},
"/"
]
]
}
]
}
],
"IncludeManagementEvents": false,
"ReadWriteType": "All"
}
],
"IncludeGlobalServiceEvents": true,
"IsMultiRegionTrail": true
},
"DependsOn": [
"tests3stepfunctiontests3stepfunctionWCloudTrailS3BucketPolicy9ACF9ADC"
]
},
"tests3stepfunctiontests3stepfunctionWtests3stepfunctionWeventrulestepfunctionconstructStateMachineLogGroupE83EECDD": {
"Type": "AWS::Logs::LogGroup",
"Properties": {
"LogGroupName": "/aws/vendedlogs/states/customloggingbuckettests3stepfunctionweventrulestepfunctionconstructstatemachinelog0a1bbb9b57e8"
},
"UpdateReplacePolicy": "Retain",
"DeletionPolicy": "Retain",
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete",
"Metadata": {
"cfn_nag": {
"rules_to_suppress": [
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,10 @@ new S3ToStepFunction(stack, 'test-s3-step-function', {
bucketName: 'custom-logging-bucket',
encryption: BucketEncryption.S3_MANAGED,
versioned: true
}
},
logGroupProps: {
removalPolicy: RemovalPolicy.DESTROY
},
deployCloudTrail: false
});
app.synth();
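Review bot: The integration test still does not exercise the `logS3AccessLogs` prop this commit introduces: the props passed in this stack cover `loggingBucketProps`, `logGroupProps` and `deployCloudTrail` only, so the opt-out path is never synthesized and the expected template only captures the default. Consider adding `logS3AccessLogs: false,` next to `deployCloudTrail: false` here, or a second integ stack, so that both settings produce a snapshot and a regression in either would be caught. The `RemovalPolicy` identifier on the added `removalPolicy: RemovalPolicy.DESTROY` line is assumed to be imported above the hunk; the `new S3ToStepFunction(...)` call starts outside it.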
