W58 requires excessive logs:CreateLogGroup permission #603

Open
Veetaha opened this issue Jul 19, 2022 · 0 comments
Veetaha commented Jul 19, 2022

We create log groups for lambda functions as separate resources to be able to configure their log retention period. To prohibit the lambda principal from creating the log group on its own, we disallow logs:CreateLogGroup for it:

```ts
// CDK v1 imports (assumed from the `cdk.Construct` signature used below).
import * as cdk from '@aws-cdk/core';
import * as iam from '@aws-cdk/aws-iam';
import * as lambda from '@aws-cdk/aws-lambda';
import * as logs from '@aws-cdk/aws-logs';

/** Return type: the function together with the log group created for it. */
export interface LambdaFunction {
    base: lambda.Function;
    logGroup: logs.LogGroup;
}

/**
 * Creates a lambda function with execution role and an appropriate log group.
 */
export function createLambdaFunction(
    scope: cdk.Construct, id: string, props: lambda.FunctionProps, executionRoleStatements: iam.PolicyStatementProps[] = [],
): LambdaFunction {
    const role = new iam.Role(scope, `${id}LambdaExecutionRole`, {
        assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
    });

    role.addToPolicy(new iam.PolicyStatement({
        effect: iam.Effect.ALLOW,
        actions: [
            // logs:CreateLogGroup is not allowed, because we create the log group on our own via the CFN stack
            "logs:CreateLogStream",
            "logs:PutLogEvents",
        ],
        resources: [
            `arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*`,
            `arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*`,
        ],
    }));
    // Any extra statements the caller needs are appended to the same role.
    executionRoleStatements.forEach(st => role.addToPolicy(new iam.PolicyStatement(st)));

    const createdLambda = new lambda.Function(scope, id, {
        ...props,
        role,
    });

    return {
        base: createdLambda,
        // The log group is declared explicitly so its retention can be set.
        logGroup: new logs.LogGroup(
            scope,
            `${id}LogGroup`,
            {
                logGroupName: `/aws/lambda/${createdLambda.functionName}`,
                retention: logs.RetentionDays.ONE_WEEK,
            }
        )
    };
}
```

However, the W58 rule requires that this permission is enabled. I understand that people often don't care about log retention (but I could be wrong about that, because having an infinite retention period for logs by default will kill your budget), so I am not sure if this issue will be accepted.

Rule code that performs the permissions validation:

```ruby
statement.allows_action?('logs:CreateLogGroup') && \
statement.allows_action?('logs:CreateLogStream') && \
statement.allows_action?('logs:PutLogEvents')
```

@Veetaha Veetaha changed the title W58 requires excessive logs:logs:CreateLogGroup permission W58 requires excessive logs:CreateLogGroup permission Jul 19, 2022
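As an added illustration (not part of the issue and not cfn_nag's own code), the three-action check quoted above modelled in Ruby next to the relaxation the issue asks for. The `allows_action?` here is an assumed stand-in for the cfn_nag helper of the same name (IAM-style wildcard matching on `Action`, `Allow` statements only), and the sample statement is constructed from the policy in the issue:

```ruby
# Actions the quoted W58 logic expects a single statement to allow.
IAM_LOG_ACTIONS = %w[logs:CreateLogGroup logs:CreateLogStream logs:PutLogEvents].freeze

# True if an Action pattern such as "logs:*" or "logs:Create*" covers action.
# IAM action matching is case-insensitive; "*" and "?" are the only wildcards.
def action_matches?(pattern, action)
  body = Regexp.escape(pattern).gsub('\*', '.*').gsub('\?', '.')
  Regexp.new("\\A#{body}\\z", Regexp::IGNORECASE).match?(action)
end

# Assumed stand-in for cfn_nag's statement.allows_action?: only Allow
# statements count, and Action may be a string or an array of patterns.
def allows_action?(statement, action)
  return false unless statement['Effect'] == 'Allow'
  Array(statement['Action']).any? { |pattern| action_matches?(pattern, action) }
end

# Current W58 logic as quoted in the issue: one statement must allow all three.
def w58_satisfied?(statements)
  statements.any? { |st| IAM_LOG_ACTIONS.all? { |a| allows_action?(st, a) } }
end

# Relaxed variant the issue argues for: logs:CreateLogGroup may be omitted
# when the template itself declares the function's log group (and thereby
# controls its retention); otherwise the original three-action check applies.
def w58_relaxed_satisfied?(statements, log_group_declared:)
  required = log_group_declared ? IAM_LOG_ACTIONS - ['logs:CreateLogGroup'] : IAM_LOG_ACTIONS
  statements.any? { |st| required.all? { |a| allows_action?(st, a) } }
end

# Constructed sample: the execution-role statement from the issue's CDK code.
ISSUE_STATEMENT = {
  'Effect' => 'Allow',
  'Action' => ['logs:CreateLogStream', 'logs:PutLogEvents'],
  'Resource' => ['arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*']
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts "W58 as written:   #{w58_satisfied?([ISSUE_STATEMENT])}"
  puts "W58 with log group declared: #{w58_relaxed_satisfied?([ISSUE_STATEMENT], log_group_declared: true)}"
end
```

The relaxed check still fails a role that lacks logs:PutLogEvents entirely, so it narrows the exemption to the CreateLogGroup case the issue describes rather than dropping the rule.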