diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..b4d9b66
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,144 @@ +# Byte-compiled / optimized / DLL files +__pycache__/ +*.py[cod] +*$py.class + +# C extensions +*.so + +# Distribution / packaging +.Python +build/ +dist/ +eggs/ +.eggs/ +lib/ +lib64/ +parts/ +sdist/ +var/ +wheels/ +pip-wheel-metadata/ +share/python-wheels/ +*.egg-info/ +.installed.cfg +*.egg +MANIFEST + +# PyInstaller +# Usually these files are written by a python script from a template +# before PyInstaller builds the exe, so as to inject date/other infos into it. +*.manifest +*.spec + +# Installer logs +pip-log.txt +pip-delete-this-directory.txt + +# Unit test / coverage reports +htmlcov/ +.tox/ +.nox/ +.coverage +.coverage.* +.cache +nosetests.xml +coverage.xml +*.cover +*.py,cover +.hypothesis/ +.pytest_cache/ + +# Translations +*.mo +*.pot + +# Django stuff: +*.log +local_settings.py +db.sqlite3 +db.sqlite3-journal + +# Flask stuff: +instance/ +.webassets-cache + +# Scrapy stuff: +.scrapy + +# Sphinx documentation +docs/_build/ + +# PyBuilder +target/ + +# Jupyter Notebook +.ipynb_checkpoints + +# IPython +profile_default/ +ipython_config.py + +# pyenv +.python-version + +# pipenv +# According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. +# However, in case of collaboration, if having platform-specific dependencies or dependencies +# having no cross-platform support, pipenv may install dependencies that don't work, or not +# install all needed dependencies. +#Pipfile.lock + +# PEP 582; used by e.g. 
github.com/David-OConnor/pyflow +__pypackages__/ + +# Celery stuff +celerybeat-schedule +celerybeat.pid + +# SageMath parsed files +*.sage.py + +# Environments +.env +.venv +env/ +venv/ +ENV/ +env.bak/ +venv.bak/ + +# Spyder project settings +.spyderproject +.spyproject + +# Rope project settings +.ropeproject + +# mkdocs documentation +/site + +# mypy +.mypy_cache/ +.dmypy.json +dmypy.json + +# Pyre type checker +.pyre/ + +# Terraform +terraform +.terraform +terraform.tfstate +terraform.tfstate.backup +.terraform.lock.hcl +.test-data +pkg/ + + +# OS stuff +.DS_Store + + +# pycharm +.idea \ No newline at end of file diff --git a/cloudtrailbenchmark/packaged.yaml b/cloudtrailbenchmark/packaged.yaml index c1931c1..9462ae1 100644 --- a/cloudtrailbenchmark/packaged.yaml +++ b/cloudtrailbenchmark/packaged.yaml @@ -43,9 +43,9 @@ Metadata: - benchmark - cloudtrail Name: sumologic-aws-cloudtrail-benchmark - LicenseUrl: s3://appdevstore/cloudtrailbenchmark/v1.0.22/cac1a6df52c685e0f6ebe4ae72078c80 - ReadmeUrl: s3://appdevstore/cloudtrailbenchmark/v1.0.22/8a901bb4fbbe82f128fc502dd3077508 - SemanticVersion: 1.0.22 + LicenseUrl: s3://appdevstore/cloudtrailbenchmark/v1.0.23/cac1a6df52c685e0f6ebe4ae72078c80 + ReadmeUrl: s3://appdevstore/cloudtrailbenchmark/v1.0.23/8a901bb4fbbe82f128fc502dd3077508 + SemanticVersion: 1.0.23 SourceCodeUrl: https://github.com/SumoLogic/sumologic-aws-lambda/tree/main/cloudtrailbenchmark Parameters: CollectorName: @@ -70,12 +70,13 @@ Parameters: - ch - de - eu + - esc - fed - jp - kr - us1 - us2 - Description: Enter au, ca, ch, de, eu, fed, jp, kr, us1 or us2 + Description: Enter au, ca, ch, de, eu, esc, fed, jp, kr, us1 or us2 RemoveSumoResourcesOnDeleteStack: AllowedValues: - true @@ -141,7 +142,8 @@ Resources: Statement: - Effect: Allow Principal: - AWS: arn:aws:iam::926226587429:root + AWS: + Fn::Sub: arn:${AWS::Partition}:iam::926226587429:root Action: sts:AssumeRole Condition: StringEquals: 
@@ -161,11 +163,11 @@ Resources: - s3:ListBucket Resource: - Fn::Sub: - - arn:aws:s3:::${CloudTrailTargetS3BucketName} + - arn:${AWS::Partition}:s3:::${CloudTrailTargetS3BucketName} - S3bucketName: Ref: CloudTrailTargetS3BucketName - Fn::Sub: - - arn:aws:s3:::${CloudTrailTargetS3BucketName}/* + - arn:${AWS::Partition}:s3:::${CloudTrailTargetS3BucketName}/* - S3bucketName: Ref: CloudTrailTargetS3BucketName Metadata: @@ -184,14 +186,14 @@ Resources: Service: cloudtrail.amazonaws.com Action: s3:GetBucketAcl Resource: - - Fn::Sub: arn:aws:s3:::${CloudTrailTargetS3BucketName} + - Fn::Sub: arn:${AWS::Partition}:s3:::${CloudTrailTargetS3BucketName} - Sid: AWSCloudTrailWrite Effect: Allow Principal: Service: cloudtrail.amazonaws.com Action: s3:PutObject Resource: - - Fn::Sub: arn:aws:s3:::${CloudTrailTargetS3BucketName}/* + - Fn::Sub: arn:${AWS::Partition}:s3:::${CloudTrailTargetS3BucketName}/* Condition: StringEquals: s3:x-amz-acl: bucket-owner-full-control @@ -201,7 +203,7 @@ Resources: Service: cloudtrail.amazonaws.com Action: s3:ListBucket Resource: - - Fn::Sub: arn:aws:s3:::${CloudTrailTargetS3BucketName} + - Fn::Sub: arn:${AWS::Partition}:s3:::${CloudTrailTargetS3BucketName} DependsOn: - TargetS3Bucket Metadata: @@ -285,7 +287,7 @@ Resources: Ref: AWS::AccountId ArnLike: aws:SourceArn: - Fn::Sub: arn:aws:s3:::${CloudTrailTargetS3BucketName} + Fn::Sub: arn:${AWS::Partition}:s3:::${CloudTrailTargetS3BucketName} Effect: Allow Principal: AWS: '*' diff --git a/cloudtrailbenchmark/template.yaml b/cloudtrailbenchmark/template.yaml index 5fa79d8..c40f0ee 100644 --- a/cloudtrailbenchmark/template.yaml +++ b/cloudtrailbenchmark/template.yaml @@ -49,7 +49,7 @@ Metadata: Name: sumologic-aws-cloudtrail-benchmark LicenseUrl: ./LICENSE ReadmeUrl: ./README.md - SemanticVersion: 1.0.22 + SemanticVersion: 1.0.23 SourceCodeUrl: https://github.com/SumoLogic/sumologic-aws-lambda/tree/main/cloudtrailbenchmark 
@@ -76,12 +76,13 @@ Parameters: - ch - de - eu + - esc - fed - jp - kr - us1 - us2 - Description: "Enter au, ca, ch, de, eu, fed, jp, kr, us1 or us2" + Description: "Enter au, ca, ch, de, eu, esc, fed, jp, kr, us1 or us2" RemoveSumoResourcesOnDeleteStack: AllowedValues: - true @@ -137,7 +138,7 @@ Resources: Statement: - Effect: Allow Principal: - AWS: arn:aws:iam::926226587429:root + AWS: !Sub "arn:${AWS::Partition}:iam::926226587429:root" Action: sts:AssumeRole Condition: StringEquals: @@ -157,10 +158,10 @@ Resources: - s3:ListBucket Resource: - !Sub - - arn:aws:s3:::${CloudTrailTargetS3BucketName} + - arn:${AWS::Partition}:s3:::${CloudTrailTargetS3BucketName} - { S3bucketName: !Ref CloudTrailTargetS3BucketName } - !Sub - - arn:aws:s3:::${CloudTrailTargetS3BucketName}/* + - arn:${AWS::Partition}:s3:::${CloudTrailTargetS3BucketName}/* - { S3bucketName: !Ref CloudTrailTargetS3BucketName } SumoCloudTrailExportPolicy: @@ -176,14 +177,14 @@ Resources: Service: cloudtrail.amazonaws.com Action: s3:GetBucketAcl Resource: - - !Sub "arn:aws:s3:::${CloudTrailTargetS3BucketName}" + - !Sub "arn:${AWS::Partition}:s3:::${CloudTrailTargetS3BucketName}" - Sid: AWSCloudTrailWrite Effect: Allow Principal: Service: cloudtrail.amazonaws.com Action: s3:PutObject Resource: - - !Sub "arn:aws:s3:::${CloudTrailTargetS3BucketName}/*" + - !Sub "arn:${AWS::Partition}:s3:::${CloudTrailTargetS3BucketName}/*" Condition: StringEquals: s3:x-amz-acl: bucket-owner-full-control @@ -193,7 +194,7 @@ Resources: Service: cloudtrail.amazonaws.com Action: s3:ListBucket Resource: - - !Sub "arn:aws:s3:::${CloudTrailTargetS3BucketName}" + - !Sub "arn:${AWS::Partition}:s3:::${CloudTrailTargetS3BucketName}" DependsOn: - TargetS3Bucket @@ -262,7 +263,7 @@ Resources: StringEquals: aws:SourceAccount: !Ref AWS::AccountId ArnLike: - aws:SourceArn: !Sub "arn:aws:s3:::${CloudTrailTargetS3BucketName}" + aws:SourceArn: !Sub "arn:${AWS::Partition}:s3:::${CloudTrailTargetS3BucketName}" Effect: Allow Principal: AWS: "*" 
diff --git a/cloudtrailbenchmark/test/custom/app.yaml b/cloudtrailbenchmark/test/custom/app.yaml index b5665e5..543a964 100644 --- a/cloudtrailbenchmark/test/custom/app.yaml +++ b/cloudtrailbenchmark/test/custom/app.yaml @@ -35,12 +35,13 @@ Parameters: - ch - de - eu + - esc - fed - jp - kr - us1 - us2 - Description: "Enter au, ca, ch, de, eu, fed, jp, kr, us1 or us2" + Description: "Enter au, ca, ch, de, eu, esc, fed, jp, kr, us1 or us2" RemoveSumoResourcesOnDeleteStack: AllowedValues: - true diff --git a/cloudtrailbenchmark/testdeploy.sh b/cloudtrailbenchmark/testdeploy.sh index e13ea42..e43d0f4 100755 --- a/cloudtrailbenchmark/testdeploy.sh +++ b/cloudtrailbenchmark/testdeploy.sh @@ -12,7 +12,7 @@ else fi uid=$(cat /dev/random | LC_CTYPE=C tr -dc "[:lower:]" | head -c 6) -version="1.0.22" +version="1.0.23" sam package --template-file template.yaml --s3-bucket $SAM_S3_BUCKET --output-template-file packaged.yaml --s3-prefix "cloudtrailbenchmark/v$version" --region $AWS_REGION --profile $AWS_PROFILE diff --git a/cloudwatchevents/guardduty/cloudwatchevents.json b/cloudwatchevents/guardduty/cloudwatchevents.json index 1207e61..d8d78b3 100644 --- a/cloudwatchevents/guardduty/cloudwatchevents.json +++ b/cloudwatchevents/guardduty/cloudwatchevents.json @@ -108,7 +108,9 @@ "Type": "AWS::IAM::Role", "Properties": { "ManagedPolicyArns": [ - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + { + "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + } ], "AssumeRolePolicyDocument": { "Version": "2012-10-17", diff --git a/cloudwatchevents/guarddutybenchmark/deploy.sh b/cloudwatchevents/guarddutybenchmark/deploy.sh index 2387126..519eb98 100755 --- a/cloudwatchevents/guarddutybenchmark/deploy.sh +++ b/cloudwatchevents/guarddutybenchmark/deploy.sh 
@@ -11,7 +11,7 @@ else AWS_REGION="us-east-2" fi -version="1.0.19" +version="1.0.20" echo "Creating package.yaml" sam package --template-file template_v2.yaml --s3-bucket $SAM_S3_BUCKET --output-template-file packaged.yaml --s3-prefix "guarddutybenchmark/v"$version --region $AWS_REGION --profile $AWS_PROFILE diff --git a/cloudwatchevents/guarddutybenchmark/packaged.yaml b/cloudwatchevents/guarddutybenchmark/packaged.yaml index 9774401..61d9b12 100644 --- a/cloudwatchevents/guarddutybenchmark/packaged.yaml +++ b/cloudwatchevents/guarddutybenchmark/packaged.yaml @@ -53,8 +53,8 @@ Metadata: - benchmark - guardduty Name: sumologic-guardduty-benchmark - LicenseUrl: s3://appdevstore/guarddutybenchmark/v1.0.19/6092dd6c323e33634657102f570628e0 - ReadmeUrl: s3://appdevstore/guarddutybenchmark/v1.0.19/cab012d7fb7887671b751e6f5c0d2062 + LicenseUrl: s3://appdevstore/guarddutybenchmark/v1.0.20/6092dd6c323e33634657102f570628e0 + ReadmeUrl: s3://appdevstore/guarddutybenchmark/v1.0.20/cab012d7fb7887671b751e6f5c0d2062 SemanticVersion: 1.0.19 SourceCodeUrl: https://github.com/SumoLogic/sumologic-aws-lambda/tree/main/cloudwatchevents/guarddutybenchmark SpdxLicenseId: Apache-2.0 @@ -81,12 +81,13 @@ Parameters: - ch - de - eu + - esc - fed - jp - kr - us1 - us2 - Description: Enter au, ca, ch, de, eu, fed, jp, kr, us1 or us2 + Description: Enter au, ca, ch, de, eu, esc, fed, jp, kr, us1 or us2 RemoveSumoResourcesOnDeleteStack: AllowedValues: - true @@ -98,7 +99,7 @@ Parameters: Resources: CloudWatchEventFunction: Properties: - CodeUri: s3://appdevstore/guarddutybenchmark/v1.0.19/22b7b226ca9ec3b9dbb28b94c0e5f824 + CodeUri: s3://appdevstore/guarddutybenchmark/v1.0.20/22b7b226ca9ec3b9dbb28b94c0e5f824 Environment: Variables: SUMO_ENDPOINT: diff --git a/cloudwatchevents/guarddutybenchmark/template_v2.yaml b/cloudwatchevents/guarddutybenchmark/template_v2.yaml index c33edb0..dcc2554 100644 --- a/cloudwatchevents/guarddutybenchmark/template_v2.yaml 
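Review bot: In the cloudwatchevents/guarddutybenchmark/packaged.yaml Metadata hunk, `SemanticVersion: 1.0.19` is left as a context line while LicenseUrl, ReadmeUrl and CodeUri all move to the `v1.0.20` prefix and deploy.sh now sets `version="1.0.20"`, so the published application metadata no longer matches the artifacts it points at. Every other app in this commit (cloudtrailbenchmark, securityhub-collector, securityhub-forwarder, loggroup-lambda-connector) bumps SemanticVersion together with the URIs; this one should read `SemanticVersion: 1.0.20`. Since packaged.yaml is produced by `sam package --template-file template_v2.yaml` (visible in the deploy.sh hunk), the version presumably also needs bumping in template_v2.yaml's Metadata, which this diff does not touch — confirm.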
+++ b/cloudwatchevents/guarddutybenchmark/template_v2.yaml @@ -83,12 +83,13 @@ Parameters: - ch - de - eu + - esc - fed - jp - kr - us1 - us2 - Description: "Enter au, ca, ch, de, eu, fed, jp, kr, us1 or us2" + Description: "Enter au, ca, ch, de, eu, esc, fed, jp, kr, us1 or us2" RemoveSumoResourcesOnDeleteStack: AllowedValues: - true diff --git a/cloudwatchevents/guarddutyeventprocessor.yaml b/cloudwatchevents/guarddutyeventprocessor.yaml index 2b7c62a..2a5455f 100644 --- a/cloudwatchevents/guarddutyeventprocessor.yaml +++ b/cloudwatchevents/guarddutyeventprocessor.yaml @@ -178,7 +178,7 @@ Resources: Service: - lambda.amazonaws.com ManagedPolicyArns: - - 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole' + - !Sub 'arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole' Tags: - Key: 'lambda:createdBy' Value: SAM diff --git a/cloudwatchlogs-with-dlq/DLQLambdaCloudFormation.json b/cloudwatchlogs-with-dlq/DLQLambdaCloudFormation.json index 34fa427..a935406 100644 --- a/cloudwatchlogs-with-dlq/DLQLambdaCloudFormation.json +++ b/cloudwatchlogs-with-dlq/DLQLambdaCloudFormation.json @@ -177,7 +177,7 @@ "logs:DescribeLogStreams" ], "Resource": [ - { "Fn::Join": [ ":", ["arn", "aws", "logs", { "Ref" : "AWS::Region" }, { "Ref" : "AWS::AccountId" },"log-group","*" ] ] } + { "Fn::Join": [ ":", [ "arn", { "Ref" : "AWS::Partition" }, "logs", { "Ref" : "AWS::Region" }, { "Ref" : "AWS::AccountId" },"log-group","*" ] ] } ] }] } 
@@ -192,7 +192,7 @@ "lambda:InvokeFunction" ], "Resource": [ - { "Fn::Join": [ ":", ["arn", "aws", "lambda", { "Ref" : "AWS::Region" }, { "Ref" : "AWS::AccountId" }, "function", { "Fn::Join": [ "-", [ "SumoCWProcessDLQLambda", { "Fn::Select" : [ "2", {"Fn::Split" : [ "/" , { "Ref": "AWS::StackId" } ]}] } ] ] } ] ] } + { "Fn::Join": [ ":", [ "arn", { "Ref" : "AWS::Partition" }, "lambda", { "Ref" : "AWS::Region" }, { "Ref" : "AWS::AccountId" }, "function", { "Fn::Join": [ "-", [ "SumoCWProcessDLQLambda", { "Fn::Select" : [ "2", {"Fn::Split" : [ "/" , { "Ref": "AWS::StackId" } ]}] } ] ] } ] ] } ] }] } diff --git a/cloudwatchlogs-with-dlq/DLQLambdaCloudFormationWithSecuredEndpoint.json b/cloudwatchlogs-with-dlq/DLQLambdaCloudFormationWithSecuredEndpoint.json index 9d81037..4200d9b 100644 --- a/cloudwatchlogs-with-dlq/DLQLambdaCloudFormationWithSecuredEndpoint.json +++ b/cloudwatchlogs-with-dlq/DLQLambdaCloudFormationWithSecuredEndpoint.json @@ -177,7 +177,7 @@ "logs:DescribeLogStreams" ], "Resource": [ - { "Fn::Join": [ ":", ["arn", "aws", "logs", { "Ref" : "AWS::Region" }, { "Ref" : "AWS::AccountId" },"log-group","*" ] ] } + { "Fn::Join": [ ":", ["arn", { "Ref" : "AWS::Partition" }, "logs", { "Ref" : "AWS::Region" }, { "Ref" : "AWS::AccountId" },"log-group","*" ] ] } ] }] } @@ -192,7 +192,7 @@ "lambda:InvokeFunction" ], "Resource": [ - { "Fn::Join": [ ":", ["arn", "aws", "lambda", { "Ref" : "AWS::Region" }, { "Ref" : "AWS::AccountId" }, "function", { "Fn::Join": [ "-", [ "SumoCWProcessDLQLambda", { "Fn::Select" : [ "2", {"Fn::Split" : [ "/" , { "Ref": "AWS::StackId" } ]}] } ] ] } ] ] } + { "Fn::Join": [ ":", [ "arn", { "Ref" : "AWS::Partition" }, "lambda", { "Ref" : "AWS::Region" }, { "Ref" : "AWS::AccountId" }, "function", { "Fn::Join": [ "-", [ "SumoCWProcessDLQLambda", { "Fn::Select" : [ "2", {"Fn::Split" : [ "/" , { "Ref": "AWS::StackId" } ]}] } ] ] } ] ] } ] }] } 
@@ -208,14 +208,7 @@ "ssm:GetParameter" ], "Resource": { - "Fn::Join": [ - ":", - [ - "arn:aws:ssm", - { "Ref" : "AWS::Region" }, - { "Ref" : "AWS::AccountId" }, - "parameter/SUMO_ENDPOINT" - ] + "Fn::Join": [ ":", [ "arn", { "Ref" : "AWS::Partition" }, "ssm", { "Ref" : "AWS::Region" }, { "Ref" : "AWS::AccountId" }, "parameter/SUMO_ENDPOINT"] ] } }, @@ -225,14 +218,7 @@ "kms:Decrypt" ], "Resource": { - "Fn::Join": [ - ":", - [ - "arn:aws:kms", - { "Ref" : "AWS::Region" }, - { "Ref" : "AWS::AccountId" }, - { "Fn::Sub": [ "key/${KeyID}", { "KeyID": {"Ref" : "SumoURLDecryptKeyID" }} ]} - ] + "Fn::Join": [ ":", [ "arn", { "Ref" : "AWS::Partition" }, "kms", { "Ref" : "AWS::Region" }, { "Ref" : "AWS::AccountId" }, { "Fn::Sub": [ "key/${KeyID}", { "KeyID": {"Ref" : "SumoURLDecryptKeyID" }} ]}] ] } } diff --git a/kinesis-firehose-cloudwatch-collection/logs/KinesisFirehoseCWLogs.template.yaml b/kinesis-firehose-cloudwatch-collection/logs/KinesisFirehoseCWLogs.template.yaml index 336a2ea..dcf296b 100644 --- a/kinesis-firehose-cloudwatch-collection/logs/KinesisFirehoseCWLogs.template.yaml +++ b/kinesis-firehose-cloudwatch-collection/logs/KinesisFirehoseCWLogs.template.yaml 
@@ -67,59 +67,6 @@ Parameters: Conditions: create_bucket: !Equals [ !Ref Section2aCreateS3Bucket, 'Yes' ] -Mappings: - ArnValue: - us-east-1: - ArnValue: "aws" - us-east-2: - ArnValue: "aws" - us-west-1: - ArnValue: "aws" - us-west-2: - ArnValue: "aws" - af-south-1: - ArnValue: "aws" - ca-central-1: - ArnValue: "aws" - eu-central-1: - ArnValue: "aws" - eu-west-1: - ArnValue: "aws" - eu-west-2: - ArnValue: "aws" - eu-south-1: - ArnValue: "aws" - eu-west-3: - ArnValue: "aws" - eu-north-1: - ArnValue: "aws" - ap-east-1: - ArnValue: "aws" - ap-northeast-1: - ArnValue: "aws" - ap-northeast-2: - ArnValue: "aws" - ap-northeast-3: - ArnValue: "aws" - ap-southeast-1: - ArnValue: "aws" - ap-southeast-2: - ArnValue: "aws" - ap-south-1: - ArnValue: "aws" - me-south-1: - ArnValue: "aws" - sa-east-1: - ArnValue: "aws" - us-gov-west-1: - ArnValue: "aws-us-gov" - us-gov-east-1: - ArnValue: "aws-us-gov" - cn-north-1: - ArnValue: "aws-cn" - cn-northwest-1: - ArnValue: "aws-cn" - Resources: # Common Resources including creating bucket, create logs role and attach bucket policy. FailedDataBucket: @@ -175,13 +122,11 @@ Resources: - s3:PutObject Resource: - !Sub - - "arn:${arn}:s3:::${S3Bucket}/*" - - arn: !FindInMap [ArnValue, !Ref "AWS::Region", ArnValue] - S3Bucket: !Ref Section2bFailedDataS3Bucket + - "arn:${AWS::Partition}:s3:::${S3Bucket}/*" + - S3Bucket: !Ref Section2bFailedDataS3Bucket - !Sub - - "arn:${arn}:s3:::${S3Bucket}" - - arn: !FindInMap [ArnValue, !Ref "AWS::Region", ArnValue] - S3Bucket: !Ref Section2bFailedDataS3Bucket + - "arn:${AWS::Partition}:s3:::${S3Bucket}" + - S3Bucket: !Ref Section2bFailedDataS3Bucket Roles: - Ref: FirehoseLogsRole 
@@ -238,17 +183,15 @@ Resources: - kinesis:PutRecord - kinesis:PutRecordBatch Resource: !Sub - - "arn:${arn}:firehose:${Region}:${AccountId}:*" - - arn: !FindInMap [ArnValue, !Ref "AWS::Region", ArnValue] - Region: !Ref "AWS::Region" + - "arn:${AWS::Partition}:firehose:${Region}:${AccountId}:*" + - Region: !Ref "AWS::Region" AccountId: !Ref "AWS::AccountId" - Effect: Allow Action: - iam:PassRole Resource: !Sub - - "arn:${arn}:iam::${AccountId}:role/${KinesisLogsRole}" - - arn: !FindInMap [ArnValue, !Ref "AWS::Region", ArnValue] - AccountId: !Ref "AWS::AccountId" + - "arn:${AWS::Partition}:iam::${AccountId}:role/${KinesisLogsRole}" + - AccountId: !Ref "AWS::AccountId" KinesisLogsRole: !Ref KinesisLogsRole Roles: - Ref: KinesisLogsRole @@ -288,9 +231,8 @@ Resources: - create_bucket - !GetAtt FailedDataBucket.Arn - !Sub - - "arn:${arn}:s3:::${S3Bucket}" - - arn: !FindInMap [ArnValue, !Ref "AWS::Region", ArnValue] - S3Bucket: !Ref Section2bFailedDataS3Bucket + - "arn:${AWS::Partition}:s3:::${S3Bucket}" + - S3Bucket: !Ref Section2bFailedDataS3Bucket CompressionFormat: UNCOMPRESSED ErrorOutputPrefix: "SumoLogic-Kinesis-Failed-Logs/" RoleARN: !GetAtt FirehoseLogsRole.Arn diff --git a/kinesis-firehose-cloudwatch-collection/metrics/KinesisFirehoseCWMetrics.template.yaml b/kinesis-firehose-cloudwatch-collection/metrics/KinesisFirehoseCWMetrics.template.yaml index df1c0f8..14957fc 100644 --- a/kinesis-firehose-cloudwatch-collection/metrics/KinesisFirehoseCWMetrics.template.yaml +++ b/kinesis-firehose-cloudwatch-collection/metrics/KinesisFirehoseCWMetrics.template.yaml 
@@ -74,59 +74,6 @@ Parameters: Conditions: create_bucket: !Equals [ !Ref Section2aCreateS3Bucket, 'Yes' ] -Mappings: - ArnValue: - us-east-1: - ArnValue: "aws" - us-east-2: - ArnValue: "aws" - us-west-1: - ArnValue: "aws" - us-west-2: - ArnValue: "aws" - af-south-1: - ArnValue: "aws" - ca-central-1: - ArnValue: "aws" - eu-central-1: - ArnValue: "aws" - eu-west-1: - ArnValue: "aws" - eu-west-2: - ArnValue: "aws" - eu-south-1: - ArnValue: "aws" - eu-west-3: - ArnValue: "aws" - eu-north-1: - ArnValue: "aws" - ap-east-1: - ArnValue: "aws" - ap-northeast-1: - ArnValue: "aws" - ap-northeast-2: - ArnValue: "aws" - ap-northeast-3: - ArnValue: "aws" - ap-southeast-1: - ArnValue: "aws" - ap-southeast-2: - ArnValue: "aws" - ap-south-1: - ArnValue: "aws" - me-south-1: - ArnValue: "aws" - sa-east-1: - ArnValue: "aws" - us-gov-west-1: - ArnValue: "aws-us-gov" - us-gov-east-1: - ArnValue: "aws-us-gov" - cn-north-1: - ArnValue: "aws-cn" - cn-northwest-1: - ArnValue: "aws-cn" - Resources: # Common Resources including creating bucket, create logs role and attach bucket policy. FailedDataBucket: @@ -182,13 +129,11 @@ Resources: - s3:PutObject Resource: - !Sub - - "arn:${arn}:s3:::${S3Bucket}/*" - - arn: !FindInMap [ ArnValue, !Ref "AWS::Region", ArnValue ] - S3Bucket: !Ref Section2bFailedDataS3Bucket + - "arn:${AWS::Partition}:s3:::${S3Bucket}/*" + - S3Bucket: !Ref Section2bFailedDataS3Bucket - !Sub - - "arn:${arn}:s3:::${S3Bucket}" - - arn: !FindInMap [ ArnValue, !Ref "AWS::Region", ArnValue ] - S3Bucket: !Ref Section2bFailedDataS3Bucket + - "arn:${AWS::Partition}:s3:::${S3Bucket}" + - S3Bucket: !Ref Section2bFailedDataS3Bucket Roles: - Ref: FirehoseLogsRole 
@@ -243,17 +188,15 @@ Resources: - firehose:PutRecord - firehose:PutRecordBatch Resource: !Sub - - "arn:${arn}:firehose:${Region}:${AccountId}:*" - - arn: !FindInMap [ ArnValue, !Ref "AWS::Region", ArnValue ] - Region: !Ref "AWS::Region" + - "arn:${AWS::Partition}:firehose:${Region}:${AccountId}:*" + - Region: !Ref "AWS::Region" AccountId: !Ref "AWS::AccountId" - Effect: Allow Action: - iam:PassRole Resource: !Sub - - "arn:${arn}:iam::${AccountId}:role/${KinesisMetricsRole}" - - arn: !FindInMap [ ArnValue, !Ref "AWS::Region", ArnValue ] - AccountId: !Ref "AWS::AccountId" + - "arn:${AWS::Partition}:iam::${AccountId}:role/${KinesisMetricsRole}" + - AccountId: !Ref "AWS::AccountId" KinesisMetricsRole: !Ref KinesisMetricsRole Roles: - Ref: KinesisMetricsRole @@ -293,9 +236,8 @@ Resources: - create_bucket - !GetAtt FailedDataBucket.Arn - !Sub - - "arn:${arn}:s3:::${S3Bucket}" - - arn: !FindInMap [ ArnValue, !Ref "AWS::Region", ArnValue ] - S3Bucket: !Ref Section2bFailedDataS3Bucket + - "arn:${AWS::Partition}:s3:::${S3Bucket}" + - S3Bucket: !Ref Section2bFailedDataS3Bucket CompressionFormat: UNCOMPRESSED ErrorOutputPrefix: "SumoLogic-Kinesis-Failed-Metrics/" RoleARN: !GetAtt FirehoseLogsRole.Arn 
@@ -350,20 +292,18 @@ Resources: - cloudwatch:PutMetricStream - cloudwatch:DeleteMetricStream Resource: !Sub - - "arn:${arn}:cloudwatch:${Region}:${AccountId}:metric-stream/*" - - arn: !FindInMap [ ArnValue, !Ref "AWS::Region", ArnValue ] - Region: !Ref "AWS::Region" + - "arn:${AWS::Partition}:cloudwatch:${Region}:${AccountId}:metric-stream/*" + - Region: !Ref "AWS::Region" AccountId: !Ref "AWS::AccountId" - Effect: Allow Action: - iam:PassRole Resource: !Sub - - "arn:${arn}:iam::${AccountId}:role/${KinesisMetricsRole}" - - arn: !FindInMap [ ArnValue, !Ref "AWS::Region", ArnValue ] - AccountId: !Ref "AWS::AccountId" + - "arn:${AWS::Partition}:iam::${AccountId}:role/${KinesisMetricsRole}" + - AccountId: !Ref "AWS::AccountId" KinesisMetricsRole: !Ref KinesisMetricsRole ManagedPolicyArns: - - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole + - !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" KinesisMetricsCloudWatchMetricsStreamLambda: Type: AWS::Lambda::Function diff --git a/kinesisfirehose-processor/kinesisfirehose-lambda-cft.json b/kinesisfirehose-processor/kinesisfirehose-lambda-cft.json index 4cd0462..4e5bdb6 100644 --- a/kinesisfirehose-processor/kinesisfirehose-lambda-cft.json +++ b/kinesisfirehose-processor/kinesisfirehose-lambda-cft.json @@ -30,7 +30,7 @@ "logs:DescribeSubscriptionFilters" ], "Resource": [ - { "Fn::Join": [ ":", ["arn", "aws", "logs", { "Ref" : "AWS::Region" }, { "Ref" : "AWS::AccountId" },"log-group","*" ] ] } + { "Fn::Join": [ ":", ["arn", { "Ref" : "AWS::Partition" }, "logs", { "Ref" : "AWS::Region" }, { "Ref" : "AWS::AccountId" },"log-group","*" ] ] } ] }] } @@ -57,7 +57,7 @@ "FunctionName": { "Fn::Join": [ "-", [ "SumoKFLambdaProcessor", { "Fn::Select" : [ "2", {"Fn::Split" : [ "/" , { "Ref": "AWS::StackId" } ]}] } ] ] }, "Timeout": 300, "Handler": "kinesisfirehose-processor.handler", - "Runtime": "nodejs10.x", + "Runtime": "nodejs22.x", "MemorySize": 128 } } 
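Review bot: The kinesisfirehose-processor/kinesisfirehose-lambda-cft.json hunk moves `"Runtime"` from `nodejs10.x` straight to `nodejs22.x` with no change to the handler code in this diff. Lambda's Node.js 18.x and later runtimes no longer bundle the v2 `aws-sdk` module, so if `kinesisfirehose-processor.handler` still does `require('aws-sdk')` without shipping it in the package, the function will fail at load time rather than at deploy time — this cannot be confirmed from the diff, so please verify against the source file or add a deploy smoke test. A one-line comment next to the runtime, e.g. `"Runtime": "nodejs22.x",  /* handler verified against SDK v3 / bundled deps */`, would record that the check was done.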
diff --git a/kinesisfirehose-processor/test-kinesisfirehose-lambda-cft.json b/kinesisfirehose-processor/test-kinesisfirehose-lambda-cft.json index 2659aa4..06859d1 100644 --- a/kinesisfirehose-processor/test-kinesisfirehose-lambda-cft.json +++ b/kinesisfirehose-processor/test-kinesisfirehose-lambda-cft.json @@ -7,7 +7,9 @@ "DeliveryStreamName": { "Fn::Join": [ "-", [ "SumoKFDeliveryStream", { "Fn::Select" : [ "2", {"Fn::Split" : [ "/" , { "Ref": "AWS::StackId" } ]}] } ] ] }, "DeliveryStreamType" : "DirectPut", "ExtendedS3DestinationConfiguration": { - "BucketARN": {"Fn::Join": ["", ["arn:aws:s3:::", {"Ref":"SumoKFS3bucket"}]]}, + "BucketARN": { + "Fn::Sub": "arn:${AWS::Partition}:s3:::${SumoKFS3bucket}" + }, "BufferingHints": { "IntervalInSeconds": "300", "SizeInMBs": "5" @@ -96,8 +98,8 @@ "s3:PutObject" ], "Resource": [ - {"Fn::Join": ["", ["arn:aws:s3:::", {"Ref":"SumoKFS3bucket"}]]}, - {"Fn::Join": ["", ["arn:aws:s3:::", {"Ref":"SumoKFS3bucket"}, "*"]]} + {"Fn::Sub": "arn:${AWS::Partition}:s3:::${SumoKFS3bucket}"}, + {"Fn::Sub": "arn:${AWS::Partition}:s3:::${SumoKFS3bucket}/*"} ] }, { diff --git a/loggroup-lambda-connector/sam/packaged.yaml b/loggroup-lambda-connector/sam/packaged.yaml index 0bda684..a29bd55 100644 --- a/loggroup-lambda-connector/sam/packaged.yaml +++ b/loggroup-lambda-connector/sam/packaged.yaml 
@@ -21,10 +21,10 @@ Metadata: - serverless - loggroups - cloudwatch - LicenseUrl: s3://appdevstore/LoggroupConnector/v1.0.15/6092dd6c323e33634657102f570628e0 + LicenseUrl: s3://appdevstore-test/test-log-group-lambda-connector/6092dd6c323e33634657102f570628e0 Name: sumologic-loggroup-connector - ReadmeUrl: s3://appdevstore/LoggroupConnector/v1.0.15/15e6b49afe3116d3ff8861099b34b973 - SemanticVersion: 1.0.15 + ReadmeUrl: s3://appdevstore-test/test-log-group-lambda-connector/15e6b49afe3116d3ff8861099b34b973 + SemanticVersion: 1.0.16 SourceCodeUrl: https://github.com/SumoLogic/sumologic-aws-lambda/tree/main/loggroup-lambda-connector SpdxLicenseId: Apache-2.0 Parameters: @@ -107,7 +107,7 @@ Resources: SumoLogGroupLambdaConnector: Type: AWS::Serverless::Function Properties: - CodeUri: s3://appdevstore/LoggroupConnector/v1.0.15/5a44aebff6ae18483b1b5d082d112e85 + CodeUri: s3://appdevstore-test/test-log-group-lambda-connector/b6a9ea7d6405624ba487e5dbfc302468 Handler: loggroup-lambda-connector.handler Runtime: nodejs22.x Environment: @@ -132,13 +132,13 @@ Resources: - logs:PutSubscriptionFilter - logs:ListTagsLogGroup Resource: - - Fn::Sub: arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:* + - Fn::Sub: arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:* - Sid: InvokePolicy Effect: Allow Action: - lambda:InvokeFunction Resource: - - Fn::Sub: arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:*SumoLogGroupLambda* + - Fn::Sub: arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:*SumoLogGroupLambda* Events: LambdaTrigger: Type: CloudWatchEvent @@ -182,7 +182,7 @@ Resources: SourceAccount: Ref: AWS::AccountId SourceArn: - Fn::Sub: arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:*:* + Fn::Sub: arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:*:* Metadata: SamResourceId: SumoCWLambdaInvokePermission SumoLogGroupExistingLambdaConnector: 
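Review bot: The loggroup-lambda-connector/sam/packaged.yaml hunks point LicenseUrl, ReadmeUrl and CodeUri at `s3://appdevstore-test/test-log-group-lambda-connector/...`, while the sibling sam_package.sh hunk packages under `"LoggroupConnector/v$version"` in `$SAM_S3_BUCKET` and every other packaged.yaml in this commit references `s3://appdevstore/<app>/v<version>/`. This looks like a test-run artifact committed in place of the release package; anyone deploying this template would fetch the Lambda code from the test bucket, whose contents are presumably not release-controlled, and the CodeUri object (`b6a9ea7d...`) also differs from a versioned release path. The file should be regenerated with sam_package.sh so the three URIs read `s3://appdevstore/LoggroupConnector/v1.0.16/<object>` (object hashes to come from the actual package run), matching the new `SemanticVersion: 1.0.16`.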
@@ -214,7 +214,7 @@ Resources: Action: - lambda:InvokeFunction Resource: - - Fn::Sub: arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${SumoLogGroupLambdaConnector} + - Fn::Sub: arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:${SumoLogGroupLambdaConnector} Metadata: SamResourceId: SumoLogGroupExistingLambdaConnector InvokeLambdaConnector: diff --git a/loggroup-lambda-connector/sam/sam_package.sh b/loggroup-lambda-connector/sam/sam_package.sh index 465d9d3..663a693 100755 --- a/loggroup-lambda-connector/sam/sam_package.sh +++ b/loggroup-lambda-connector/sam/sam_package.sh @@ -10,7 +10,7 @@ else AWS_REGION="us-east-2" fi -version="1.0.15" +version="1.0.16" sam package --template-file template.yaml --s3-bucket $SAM_S3_BUCKET --output-template-file packaged.yaml --s3-prefix "LoggroupConnector/v$version" --region $AWS_REGION diff --git a/loggroup-lambda-connector/sam/template.yaml b/loggroup-lambda-connector/sam/template.yaml index 30a3fd8..732406a 100644 --- a/loggroup-lambda-connector/sam/template.yaml +++ b/loggroup-lambda-connector/sam/template.yaml @@ -24,7 +24,7 @@ Metadata: LicenseUrl: ../LICENSE Name: sumologic-loggroup-connector ReadmeUrl: ../Readme.md - SemanticVersion: 1.0.15 + SemanticVersion: 1.0.16 SourceCodeUrl: https://github.com/SumoLogic/sumologic-aws-lambda/tree/main/loggroup-lambda-connector SpdxLicenseId: Apache-2.0 @@ -116,13 +116,13 @@ Resources: - logs:PutSubscriptionFilter - logs:ListTagsLogGroup Resource: - - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:*' + - !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:*' - Sid: InvokePolicy Effect: Allow Action: - lambda:InvokeFunction Resource: - - !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:*SumoLogGroupLambda*' + - !Sub 'arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:*SumoLogGroupLambda*' Events: LambdaTrigger: Type: CloudWatchEvent 
@@ -159,7 +159,7 @@ Resources: FunctionName: !Ref "DestinationArnValue" Principal: !Sub 'logs.${AWS::Region}.amazonaws.com' SourceAccount: !Ref AWS::AccountId - SourceArn: !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:*:*' + SourceArn: !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:*:*' SumoLogGroupExistingLambdaConnector: Type: AWS::Serverless::Function @@ -204,7 +204,7 @@ Resources: Action: - lambda:InvokeFunction Resource: - - !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${SumoLogGroupLambdaConnector}' + - !Sub 'arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:${SumoLogGroupLambdaConnector}' InvokeLambdaConnector: Type: AWS::CloudFormation::CustomResource diff --git a/loggroup-lambda-connector/src/loggroup-lambda-connector.js b/loggroup-lambda-connector/src/loggroup-lambda-connector.js index d5020fe..85912d0 100644 --- a/loggroup-lambda-connector/src/loggroup-lambda-connector.js +++ b/loggroup-lambda-connector/src/loggroup-lambda-connector.js @@ -78,8 +78,9 @@ function filterNewLogGroups(event, logGroupRegex) { } async function createSubscriptionFilter(lambdaLogGroupName, destinationArn, roleArn, additionalArgs) { + const partition = additionalArgs.partition ?? "aws"; var params={}; - if (destinationArn.startsWith("arn:aws:lambda")) { + if (destinationArn.startsWith(`arn:${partition}:lambda`)) { params = { destinationArn: destinationArn, filterName: 'SumoLGLBDFilter', @@ -218,10 +219,12 @@ async function processEvents(env, event, additionalArgs, errorHandler, retryCoun } exports.handler = async function (event, context, callback) { + const partition = context.invokedFunctionArn?.split(":")?.[1] ?? "aws"; let additionalArgs = { recordCount: 0, subscribeCount: 0, - invokeCount: 0 + invokeCount: 0, + partition: partition }; if (event.additionalArgs) { additionalArgs = event.additionalArgs 
diff --git a/loggroup-lambda-connector/test/test-template.yaml b/loggroup-lambda-connector/test/test-template.yaml index a875235..b21b3d3 100644 --- a/loggroup-lambda-connector/test/test-template.yaml +++ b/loggroup-lambda-connector/test/test-template.yaml @@ -116,8 +116,8 @@ Resources: - s3:ListBucketMultipartUploads - s3:PutObject Resource: - - !Sub "arn:aws:s3:::${BucketName}" - - !Sub "arn:aws:s3:::${BucketName}/*" + - !Sub "arn:${AWS::Partition}:s3:::${BucketName}" + - !Sub "arn:${AWS::Partition}:s3:::${BucketName}/*" Roles: - Ref: FirehoseLogsRole @@ -148,11 +148,11 @@ Resources: - firehose:PutRecordBatch - kinesis:PutRecord - kinesis:PutRecordBatch - Resource: !Sub "arn:aws:firehose:${AWS::Region}:${AWS::AccountId}:*" + Resource: !Sub "arn:${AWS::Partition}:firehose:${AWS::Region}:${AWS::AccountId}:*" - Effect: Allow Action: - iam:PassRole - Resource: !Sub "arn:aws:iam::${AWS::AccountId}:role/${KinesisLogsRole}" + Resource: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${KinesisLogsRole}" Roles: - Ref: KinesisLogsRole @@ -186,7 +186,7 @@ Resources: DurationInSeconds: 60 S3BackupMode: FailedDataOnly S3Configuration: - BucketARN: !Sub "arn:aws:s3:::${BucketName}" + BucketARN: !Sub "arn:${AWS::Partition}:s3:::${BucketName}" CompressionFormat: UNCOMPRESSED ErrorOutputPrefix: "SumoLogic-Kinesis-Failed-Logs/" RoleARN: !GetAtt FirehoseLogsRole.Arn diff --git a/securityhub-collector/sam/packaged.yaml b/securityhub-collector/sam/packaged.yaml index 8f34a55..924864d 100755 --- a/securityhub-collector/sam/packaged.yaml +++ b/securityhub-collector/sam/packaged.yaml 
@@ -22,9 +22,9 @@ Metadata: - cloudwatchevents - securityhub Name: sumologic-securityhub-collector - LicenseUrl: s3://appdevstore/SecurityHubCollector/v1.0.10/6092dd6c323e33634657102f570628e0 - ReadmeUrl: s3://appdevstore/SecurityHubCollector/v1.0.10/3edeb049c0e4202e9588e43b957090ed - SemanticVersion: 1.0.10 + LicenseUrl: s3://appdevstore/SecurityHubCollector/v1.0.11/6092dd6c323e33634657102f570628e0 + ReadmeUrl: s3://appdevstore/SecurityHubCollector/v1.0.11/3edeb049c0e4202e9588e43b957090ed + SemanticVersion: 1.0.11 SourceCodeUrl: https://github.com/SumoLogic/sumologic-aws-lambda/tree/master/securityhub-collector SpdxLicenseId: Apache-2.0 Parameters: @@ -36,7 +36,7 @@ Resources: Properties: Handler: securityhub_collector.lambda_handler Runtime: python3.13 - CodeUri: s3://appdevstore/SecurityHubCollector/v1.0.10/3c2bc2da7576810682419519fdc578bb + CodeUri: s3://appdevstore/SecurityHubCollector/v1.0.11/3c2bc2da7576810682419519fdc578bb MemorySize: 128 Timeout: 300 Policies: @@ -46,8 +46,8 @@ Resources: Action: - s3:PutObject Resource: - - Fn::Sub: arn:aws:s3:::${S3SourceBucketName} - - Fn::Sub: arn:aws:s3:::${S3SourceBucketName}/* + - Fn::Sub: arn:${AWS::Partition}:s3:::${S3SourceBucketName} + - Fn::Sub: arn:${AWS::Partition}:s3:::${S3SourceBucketName}/* Environment: Variables: S3_LOG_BUCKET: diff --git a/securityhub-collector/sam/sam_package.sh b/securityhub-collector/sam/sam_package.sh index 1ebab25..f8bdfdf 100755 --- a/securityhub-collector/sam/sam_package.sh +++ b/securityhub-collector/sam/sam_package.sh @@ -10,7 +10,7 @@ else AWS_REGION="us-east-2" fi -version="1.0.10" +version="1.0.11" echo "Creating package.yaml" sam package --template-file template.yaml --s3-bucket $SAM_S3_BUCKET --output-template-file packaged.yaml --s3-prefix "SecurityHubCollector/v"$version --region $AWS_REGION --profile $AWS_PROFILE diff --git a/securityhub-collector/sam/template.yaml b/securityhub-collector/sam/template.yaml index 16a2205..6ad2173 100755 
--- a/securityhub-collector/sam/template.yaml +++ b/securityhub-collector/sam/template.yaml @@ -21,7 +21,7 @@ Metadata: Name: sumologic-securityhub-collector LicenseUrl: ../LICENSE ReadmeUrl: ../README.md - SemanticVersion: 1.0.10 + SemanticVersion: 1.0.11 SourceCodeUrl: https://github.com/SumoLogic/sumologic-aws-lambda/tree/master/securityhub-collector SpdxLicenseId: Apache-2.0 @@ -46,8 +46,8 @@ Resources: Action: - "s3:PutObject" Resource: - - !Sub 'arn:aws:s3:::${S3SourceBucketName}' - - !Sub 'arn:aws:s3:::${S3SourceBucketName}/*' + - !Sub 'arn:${AWS::Partition}:s3:::${S3SourceBucketName}' + - !Sub 'arn:${AWS::Partition}:s3:::${S3SourceBucketName}/*' Environment: Variables: diff --git a/securityhub-forwarder/sam/packaged.yaml b/securityhub-forwarder/sam/packaged.yaml index 515687a..8920ed3 100755 --- a/securityhub-forwarder/sam/packaged.yaml +++ b/securityhub-forwarder/sam/packaged.yaml @@ -19,9 +19,9 @@ Metadata: - cloudwatchevents - securityhub Name: sumologic-securityhub-forwarder - LicenseUrl: s3://appdevstore/SecurityHubForwarder/v1.0.11/6092dd6c323e33634657102f570628e0 - ReadmeUrl: s3://appdevstore/SecurityHubForwarder/v1.0.11/56f774fe371f787c17ec137a47c93138 - SemanticVersion: 1.0.11 + LicenseUrl: s3://appdevstore/SecurityHubForwarder/v1.0.12/6092dd6c323e33634657102f570628e0 + ReadmeUrl: s3://appdevstore/SecurityHubForwarder/v1.0.12/56f774fe371f787c17ec137a47c93138 + SemanticVersion: 1.0.12 SourceCodeUrl: https://github.com/SumoLogic/sumologic-aws-lambda/tree/master/securityhub-forwarder SpdxLicenseId: Apache-2.0 Resources: @@ -56,7 +56,7 @@ Resources: x-amazon-apigateway-integration: type: aws_proxy uri: - Fn::Sub: arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${SecurityHubForwarderFunction.Arn}/invocations + Fn::Sub: arn:${AWS::Partition}:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${SecurityHubForwarderFunction.Arn}/invocations passthroughBehavior: when_no_match httpMethod: POST requestParameters: 
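Review bot: `s3:PutObject` is an object-level action, so the first entry `!Sub 'arn:${AWS::Partition}:s3:::${S3SourceBucketName}'` (the bucket ARN without `/*`) grants nothing and only suggests a broader scope than the statement actually has; keeping just the `/*` object ARN states the intended permission exactly. The same pair is emitted into `securityhub-collector/sam/packaged.yaml` at `@@ -46`, which `sam_package.sh` regenerates from this template, so the change belongs in `template.yaml` only.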
@@ -68,7 +68,7 @@ Resources: Properties: Handler: securityhub_forwarder.lambda_handler Runtime: python3.13 - CodeUri: s3://appdevstore/SecurityHubForwarder/v1.0.11/3589bbeb5907b695780f650d5374a74d + CodeUri: s3://appdevstore/SecurityHubForwarder/v1.0.12/c344c0895451a1baae2f6a64ff9aa774 MemorySize: 128 Timeout: 300 Policies: @@ -77,7 +77,8 @@ Resources: Effect: Allow Action: - securityhub:BatchImportFindings - Resource: arn:aws:securityhub:*:*:* + Resource: + Fn::Sub: arn:${AWS::Partition}:securityhub:*:*:* Events: Api1: Type: Api diff --git a/securityhub-forwarder/sam/sam_package.sh b/securityhub-forwarder/sam/sam_package.sh index 397e2e0..c2b402b 100755 --- a/securityhub-forwarder/sam/sam_package.sh +++ b/securityhub-forwarder/sam/sam_package.sh @@ -10,7 +10,7 @@ else SAM_S3_BUCKET="cf-templates-5d0x5unchag-us-east-2" AWS_REGION="us-east-2" fi -version="1.0.11" +version="1.0.12" echo "Creating package.yaml" sam package --template-file template.yaml --s3-bucket $SAM_S3_BUCKET --output-template-file packaged.yaml --s3-prefix "SecurityHubForwarder/v"$version --region $AWS_REGION --profile $AWS_PROFILE diff --git a/securityhub-forwarder/sam/template.yaml b/securityhub-forwarder/sam/template.yaml index 3fee78e..f47173d 100755 --- a/securityhub-forwarder/sam/template.yaml +++ b/securityhub-forwarder/sam/template.yaml @@ -16,7 +16,7 @@ Metadata: Name: sumologic-securityhub-forwarder LicenseUrl: ../LICENSE ReadmeUrl: ../README.md - SemanticVersion: 1.0.11 + SemanticVersion: 1.0.12 SourceCodeUrl: https://github.com/SumoLogic/sumologic-aws-lambda/tree/master/securityhub-forwarder SpdxLicenseId: Apache-2.0 
@@ -52,7 +52,7 @@ Resources: x-amazon-apigateway-integration: type: "aws_proxy" uri: - Fn::Sub: arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${SecurityHubForwarderFunction.Arn}/invocations + Fn::Sub: arn:${AWS::Partition}:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${SecurityHubForwarderFunction.Arn}/invocations passthroughBehavior: "when_no_match" httpMethod: "POST" requestParameters: @@ -72,7 +72,7 @@ Resources: Effect: Allow Action: - securityhub:BatchImportFindings - Resource: 'arn:aws:securityhub:*:*:*' + Resource: !Sub 'arn:${AWS::Partition}:securityhub:*:*:*' Events: Api1: Type: Api diff --git a/securityhub-forwarder/src/securityhub_forwarder.py b/securityhub-forwarder/src/securityhub_forwarder.py index 2b28c44..ec07d43 100644 --- a/securityhub-forwarder/src/securityhub_forwarder.py +++ b/securityhub-forwarder/src/securityhub_forwarder.py @@ -10,11 +10,16 @@ from botocore.exceptions import ClientError from utils import retry +def get_partition(region_value): + # Get partition from boto3 session + session = boto3.Session(region_name=region_value) + partition = session.get_partition_for_region(region_value) + return partition def get_product_arn(securityhub_region): - PROVIDER_ACCOUNT_ID = "956882708938" - return "arn:aws:securityhub:%s:%s:product/sumologicinc/sumologic-mda" % (securityhub_region, PROVIDER_ACCOUNT_ID) - + provider_account_id = "956882708938" + partition = get_partition(securityhub_region) + return f"arn:{partition}:securityhub:{securityhub_region}:{provider_account_id}:product/sumologicinc/sumologic-mda" def get_logger(): logger = logging.getLogger() diff --git a/sumologic-app-utils/Test/SampleTemplate.yaml b/sumologic-app-utils/Test/SampleTemplate.yaml index 5c685fa..cb70182 100644 --- a/sumologic-app-utils/Test/SampleTemplate.yaml +++ b/sumologic-app-utils/Test/SampleTemplate.yaml @@ -8,6 +8,7 @@ Parameters: AllowedValues: - au - ca + - ch - de - eu - jp 
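Review bot: The new `Resource: !Sub 'arn:${AWS::Partition}:securityhub:*:*:*'` keeps `securityhub:BatchImportFindings` open to every Security Hub resource in every account, although the function only ever imports findings for one product ARN (`product/sumologicinc/sumologic-mda` under provider account `956882708938`, per the `get_product_arn` change in `securityhub_forwarder.py` in this commit). If `BatchImportFindings` honours resource-level scoping to the product ARN — worth confirming against the IAM service authorization reference before relying on it — the statement can be narrowed to `!Sub 'arn:${AWS::Partition}:securityhub:*:956882708938:product/sumologicinc/sumologic-mda'`. The same wildcard appears in `securityhub-forwarder/sam/packaged.yaml` at `@@ -77`, which `sam_package.sh` regenerates from this template.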
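Review bot: `get_partition` constructs a fresh `boto3.Session` on every call and `get_product_arn` now calls it each time it runs, so the partition lookup — whose answer for a given region never changes within a process — is repeated for every finding batch; with `functools` imported, `@functools.lru_cache(maxsize=None)` on `get_partition` removes the repeated session construction. `get_partition_for_region` is expected to raise for a region string botocore does not know (presumably `botocore.exceptions.UnknownRegionError` — confirm), where the old hard-coded `arn:aws:` prefix never failed, so decide whether that should propagate or fall back to `"aws"` and say so in a comment. Both new functions lack docstrings and the PEP 8 two-blank-line separation between top-level defs (`get_partition` sits one line under the import and `get_product_arn` runs straight into `def get_logger`); a suitable docstring is `"""Return the AWS partition (e.g. aws, aws-cn, aws-us-gov) that *region_value* belongs to."""`.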
@@ -15,7 +16,7 @@ Parameters: - us1 - in - fed - Description: "Enter au, ca, de, eu, jp, us2, in, fed or us1." + Description: "Enter au, ca, ch, de, eu, jp, us2, in, fed or us1." Section1bSumoAccessID: Type: String Description: "Sumo Logic Access ID. Used for Sumo Logic API calls." @@ -48,7 +49,7 @@ Resources: Properties: Location: ApplicationId: arn:aws:serverlessrepo:us-east-1:956882708938:applications/sumologic-app-utils - SemanticVersion: 2.0.21 + SemanticVersion: 2.0.22 SumoLogicHelperPolicy: Type: AWS::IAM::Policy @@ -118,7 +119,7 @@ Resources: DependsOn: SumoLogicHelperPolicy Type: AWS::S3::BucketPolicy Properties: - Bucket: "cf-templates-1xa70np4sllja-us-east-1" + Bucket: !Sub "cf-templates-1xa70np4sllja-${AWS::Region}" PolicyDocument: Statement: - Sid: AWSCloudTrailAclCheck @@ -127,14 +128,14 @@ Resources: Service: cloudtrail.amazonaws.com Action: s3:GetBucketAcl Resource: - - "arn:aws:s3:::cf-templates-1xa70np4sllja-us-east-1" + - !Sub "arn:${AWS::Partition}:s3:::cf-templates-1xa70np4sllja-${AWS::Region}" - Sid: AWSCloudTrailWrite Effect: Allow Principal: Service: cloudtrail.amazonaws.com Action: s3:PutObject Resource: - - "arn:aws:s3:::cf-templates-1xa70np4sllja-us-east-1/*" + - !Sub "arn:${AWS::Partition}:s3:::cf-templates-1xa70np4sllja-${AWS::Region}/*" Condition: StringEquals: s3:x-amz-acl: bucket-owner-full-control @@ -144,7 +145,7 @@ Resources: Service: cloudtrail.amazonaws.com Action: s3:ListBucket Resource: - - "arn:aws:s3:::cf-templates-1xa70np4sllja-us-east-1" + - !Sub "arn:${AWS::Partition}:s3:::cf-templates-1xa70np4sllja-${AWS::Region}" SumoCloudTrail: Type: Custom::AWSTrail @@ -153,7 +154,7 @@ Resources: ServiceToken: !GetAtt SumoAppUtils.Outputs.SumoAppUtilsFunction IsLogging: true IsMultiRegionTrail: false - S3BucketName: "cf-templates-1xa70np4sllja-us-east-1" + S3BucketName: !Sub "cf-templates-1xa70np4sllja-${AWS::Region}" TrailName: "Aws-Observability-onemoreupdae" RemoveOnDeleteStack: !Ref Section1eRemoveSumoResourcesOnDeleteStack 
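Review bot: `SemanticVersion: 2.0.22` for the `sumologic-app-utils` application does not match the version this same commit publishes — `deploy.sh`, `packaged_sumo_app_utils.yaml` and `sumo_app_utils.yaml` all move from `2.0.21` to `2.0.23` — so the sample stack would pin an intermediate release rather than the one being shipped; unless 2.0.22 is deliberately targeted, the line should read `SemanticVersion: 2.0.23`. The `ApplicationId` on the line above still hard-codes `arn:aws:serverlessrepo:...` while every other ARN in this file gains `${AWS::Partition}`; if the application is only published in the `aws` partition that is correct, but a comment saying so would stop the next partition sweep from "fixing" it. The sample's `AllowedValues` and `Description` gain `ch` in this commit but not `esc`, which `api_endpoint` in `sumoresource.py` now accepts.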
@@ -224,7 +225,7 @@ Resources: Statement: - Effect: Allow Principal: - AWS: arn:aws:iam::926226587429:root + AWS: !Sub "arn:${AWS::Partition}:iam::926226587429:root" Action: sts:AssumeRole Condition: StringEquals: @@ -260,7 +261,7 @@ Resources: SumoAccessID: !Ref Section1bSumoAccessID SumoAccessKey: !Ref Section1cSumoAccessKey SumoDeployment: !Ref Section1aSumoDeployment - TargetBucketName: "cf-templates-1xa70np4sllja-us-east-1" + TargetBucketName: !Sub "cf-templates-1xa70np4sllja-${AWS::Region}" PathExpression: "asdasd" DateFormat: "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'" DateLocatorRegex: '.*"updatedAt":"(.*)".*' @@ -402,7 +403,7 @@ Resources: Properties: ServiceToken: !GetAtt SumoAppUtils.Outputs.SumoAppUtilsFunction AWSResource: "vpc" - BucketName: "cf-templates-1xa70np4sllja-us-east-1" + BucketName: !Sub "cf-templates-1xa70np4sllja-${AWS::Region}" Filter: ".*" BucketPrefix: "vpc/logs" AccountID: !Ref "AWS::AccountId" diff --git a/sumologic-app-utils/deploy.sh b/sumologic-app-utils/deploy.sh index da8f3ba..b689f28 100755 --- a/sumologic-app-utils/deploy.sh +++ b/sumologic-app-utils/deploy.sh @@ -31,7 +31,7 @@ rm sumo_app_utils.zip ./build.sh -version="2.0.21" +version="2.0.23" aws s3 cp sumo_app_utils.zip s3://$SAM_S3_BUCKET/sumo_app_utils/v"$version"/sumo_app_utils.zip --region $AWS_REGION --acl public-read diff --git a/sumologic-app-utils/packaged_sumo_app_utils.yaml b/sumologic-app-utils/packaged_sumo_app_utils.yaml index bb0bff0..f263ab5 100644 --- a/sumologic-app-utils/packaged_sumo_app_utils.yaml +++ b/sumologic-app-utils/packaged_sumo_app_utils.yaml 
@@ -20,17 +20,17 @@ Metadata: - sumologic - serverless Name: sumologic-app-utils - SemanticVersion: 2.0.21 + SemanticVersion: 2.0.23 SourceCodeUrl: https://github.com/SumoLogic/sumologic-aws-lambda/tree/main/sumologic-app-utils SpdxLicenseId: Apache-2.0 - ReadmeUrl: s3://appdevstore/sumo_app_utils/v2.0.21/4d5a92c06a7fa9d956a900e51a1f6be4 + ReadmeUrl: s3://appdevstore/sumo_app_utils/v2.0.23/4d5a92c06a7fa9d956a900e51a1f6be4 Resources: SumoAppUtilsFunction: Type: AWS::Serverless::Function Properties: Handler: main.handler Runtime: python3.13 - CodeUri: s3://appdevstore/sumo_app_utils/v2.0.21/sumo_app_utils.zip + CodeUri: s3://appdevstore/sumo_app_utils/v2.0.23/sumo_app_utils.zip MemorySize: 128 Timeout: 300 Policies: @@ -41,7 +41,8 @@ Resources: - cloudtrail:UpdateTrail - cloudtrail:StartLogging Effect: Allow - Resource: arn:aws:cloudtrail:*:*:* + Resource: + Fn::Sub: arn:${AWS::Partition}:cloudtrail:*:*:* Sid: CreateCloudTrailPolicy Metadata: SamResourceId: SumoAppUtilsFunction diff --git a/sumologic-app-utils/src/awsresource.py b/sumologic-app-utils/src/awsresource.py index b04b82f..cf50b37 100644 --- a/sumologic-app-utils/src/awsresource.py +++ b/sumologic-app-utils/src/awsresource.py @@ -443,11 +443,17 @@ class AWSResourcesAbstract(object): } def __init__(self, aws_resource, region_value, account_id): + self.region_value = region_value + self.account_id = account_id + + # Get partition from boto3 session + session = boto3.Session(region_name=region_value) + self.partition = session.get_partition_for_region(region_value) + + # Initialize clients self.tagging_client = boto3.client('resourcegroupstaggingapi', region_name=region_value) self.client = boto3.client(self.event_resource_map[aws_resource] if aws_resource in self.event_resource_map else aws_resource, region_name=region_value) - self.region_value = region_value - self.account_id = account_id @abstractmethod def fetch_resources(self): 
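Review bot: `__init__` now builds a throw-away `boto3.Session` solely to resolve the partition, immediately before creating two clients for the same region; botocore clients already expose the resolved partition as `client.meta.partition`, so `self.partition = self.tagging_client.meta.partition` placed after the tagging client is created yields the same value without the extra session and its credential/config resolution. If `region_value` is not a region botocore knows, `get_partition_for_region` is expected to raise rather than return a default (presumably `UnknownRegionError` — confirm), which turns what was previously a working `arn:aws:` default into a constructor failure for such regions; a comment stating that this is intended, or an explicit fallback to `"aws"`, would make the choice visible. The `get_arn_list` methods of the subclasses later in this file depend on `self.partition` being set, so whichever form is kept must stay ahead of any statement that can fail. The rest of the class body lies outside the hunk.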
@@ -522,7 +528,8 @@ def get_arn_list(self, resources): if resources: for resource in resources: arns.append( - "arn:aws:ec2:" + self.region_value + ":" + self.account_id + ":instance/" + resource['InstanceId']) + f"arn:{self.partition}:ec2:{self.region_value}:{self.account_id}:instance/{resource['InstanceId']}" + ) return arns @@ -585,10 +592,11 @@ def get_arn_list(self, resources): if resources: for resource in resources: if "stageName" in resource: - arns.append("arn:aws:apigateway:" + self.region_value + "::/restapis/" + resource["restApiId"] - + "/stages/" + resource["stageName"]) + arns.append( + f"arn:{self.partition}:apigateway:{self.region_value}::/restapis/{resource['restApiId']}/stages/{resource['stageName']}" + ) else: - arns.append("arn:aws:apigateway:" + self.region_value + "::/restapis/" + resource["id"]) + arns.append(f"arn:{self.partition}:apigateway:{self.region_value}::/restapis/{resource['id']}") return arns @@ -604,12 +612,15 @@ def get_arn_list_cloud_trail_event(self, event_detail): if response_elements and "self" in response_elements: details = response_elements.get("self") if event_name == "CreateStage": - arns.append("arn:aws:apigateway:" + self.region_value + "::/restapis/" - + details.get("restApiId") + "/stages/" - + details.get("stageName")) + arns.append( + f"arn:{self.partition}:apigateway:{self.region_value}::/restapis/{details.get('restApiId')}" + f"/stages/{details.get('stageName')}" + ) + elif event_name == "CreateRestApi": - arns.append("arn:aws:apigateway:" + self.region_value + "::/restapis/" - + details.get("restApiId")) + arns.append( + f"arn:{self.partition}:apigateway:{self.region_value}::/restapis/{details.get('restApiId')}" + ) if "requestParameters" in event_detail: request_parameters = event_detail.get("requestParameters") 
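Review bot: Switching from `+` concatenation to f-strings changes failure behaviour when a CloudTrail event lacks a field: `details.get('restApiId')` returning `None` used to raise `TypeError` at the concatenation, whereas `f"...::/restapis/{details.get('restApiId')}/stages/{details.get('stageName')}"` now silently yields an ARN containing the literal `None`, which is then passed downstream as if valid. The same applies to the `CreateRestApi` branch in this hunk and to the `CreateDeployment` branch in hunk `@@ -617` below. Either make the branch conditional on the values being present — `rest_api_id = details.get('restApiId')`, `stage_name = details.get('stageName')`, `if rest_api_id and stage_name: arns.append(...)` — or index with `details['restApiId']` so a malformed event still fails loudly. Stylistically, the added blank `+` line between the `if event_name == "CreateStage":` body and its `elif` splits one conditional chain and should be dropped. `get_arn_list_cloud_trail_event` begins before this hunk.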
@@ -617,9 +628,11 @@ def get_arn_list_cloud_trail_event(self, event_detail): and "createDeploymentInput" in request_parameters: details = request_parameters.get("createDeploymentInput") if event_name == "CreateDeployment": - arns.append("arn:aws:apigateway:" + self.region_value + "::/restapis/" - + request_parameters.get("restApiId") + "/stages/" - + details.get("stageName")) + arns.append( + f"arn:{self.partition}:apigateway:{self.region_value}::/restapis/" + f"{request_parameters.get('restApiId')}/stages/{details.get('stageName')}" + ) + return arns @retry(retry_on_exception=lambda exc: isinstance(exc, ClientError), stop_max_attempt_number=10, @@ -654,8 +667,9 @@ def get_arn_list(self, resources): arns = [] if resources: for resource in resources: - arns.append("arn:aws:dynamodb:" + self.region_value + ":" + self.account_id + ":table/" + resource) - + arns.append( + f"arn:{self.partition}:dynamodb:{self.region_value}:{self.account_id}:table/{resource}" + ) return arns def process_tags(self, tags): @@ -922,14 +936,15 @@ def add_bucket_policy(self, bucket_name, elb_region_account_id): else: raise e - bucket_policy = [{ - 'Sid': 'AwsAlbLogs', - 'Effect': 'Allow', - 'Principal': { - "AWS": "arn:aws:iam::" + elb_region_account_id + ":root" + bucket_policy = [ + { + "Sid": "AwsAlbLogs", + "Effect": "Allow", + "Principal": { + "AWS": f"arn:{self.partition}:iam::{elb_region_account_id}:root" }, - 'Action': ['s3:PutObject'], - 'Resource': f'arn:aws:s3:::{bucket_name}/*' + "Action": ["s3:PutObject"], + "Resource": f"arn:{self.partition}:s3:::{bucket_name}/*" }, { "Sid": "AWSLogDeliveryAclCheck", @@ -938,7 +953,7 @@ def add_bucket_policy(self, bucket_name, elb_region_account_id): "Service": "delivery.logs.amazonaws.com" }, "Action": "s3:GetBucketAcl", - "Resource": "arn:aws:s3:::" + bucket_name + "Resource": f"arn:{self.partition}:s3:::{bucket_name}" }, { "Sid": "AWSLogDeliveryWrite", 
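Review bot: `Principal.AWS` in the `AwsAlbLogs` statement now carries `self.partition`, but `elb_region_account_id` — the per-region load-balancer log-delivery account this policy trusts with `s3:PutObject` on `{bucket_name}/*` — is still supplied by the caller, and that account table differs by partition (the `aws-cn` and `aws-us-gov` regions publish their own IDs, and newer regions use the `logdelivery.elasticloadbalancing.amazonaws.com` service principal instead of an account), so a partition-aware ARN prefix only helps if the mapping feeding it is partition-aware too; where `elb_region_account_id` is derived is outside this hunk and worth checking. The three statements assembled here are identical to those in the classic-ELB `add_bucket_policy` at `@@ -1255` apart from the `Sid` (`AwsAlbLogs` vs `AwsElbLogs`); a shared helper taking the Sid would keep the two copies from drifting, as they already had in quote style before this commit. `add_bucket_policy` begins before this hunk and its tail is in `@@ -947` on the next line.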
@@ -947,13 +962,14 @@ def add_bucket_policy(self, bucket_name, elb_region_account_id): "Service": "delivery.logs.amazonaws.com" }, "Action": "s3:PutObject", - "Resource": "arn:aws:s3:::" + bucket_name + "/*", + "Resource": f"arn:{self.partition}:s3:::{bucket_name}/*", "Condition": { "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" } } - }] + } + ] existing_policy["Statement"].extend(bucket_policy) s3.put_bucket_policy(Bucket=bucket_name, Policy=json.dumps(existing_policy)) @@ -1097,7 +1113,7 @@ def enable_s3_logs(self, arns, s3_bucket, s3_prefix, region_account_id): ResourceType='VPC', TrafficType='ALL', LogDestinationType='s3', - LogDestination='arn:aws:s3:::' + s3_bucket + '/' + s3_prefix + LogDestination=f"arn:{self.partition}:s3:::{s3_bucket}/{s3_prefix}" ) print(response) if "*Access Denied for LogDestination*" in str(response): @@ -1108,7 +1124,7 @@ def enable_s3_logs(self, arns, s3_bucket, s3_prefix, region_account_id): ResourceType='VPC', TrafficType='ALL', LogDestinationType='s3', - LogDestination='arn:aws:s3:::' + s3_bucket + '/' + s3_prefix + LogDestination=f"arn:{self.partition}:s3:::{s3_bucket}/{s3_prefix}" ) def add_bucket_policy(self, bucket_name, prefix): @@ -1135,7 +1151,7 @@ def add_bucket_policy(self, bucket_name, prefix): "Service": "delivery.logs.amazonaws.com" }, "Action": "s3:GetBucketAcl", - "Resource": "arn:aws:s3:::" + bucket_name + "Resource": f"arn:{self.partition}:s3:::{bucket_name}" }, { "Sid": "AWSLogDeliveryWrite", @@ -1144,7 +1160,7 @@ def add_bucket_policy(self, bucket_name, prefix): "Service": "delivery.logs.amazonaws.com" }, "Action": "s3:PutObject", - "Resource": "arn:aws:s3:::" + bucket_name + "/" + prefix + "/AWSLogs/" + self.account_id + "/*", + "Resource": f"arn:{self.partition}:s3:::{bucket_name}/{prefix}/AWSLogs/{self.account_id}/*", "Condition": { "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" 
@@ -1189,7 +1205,7 @@ def fetch_resources(self): return resources #there are no arn's associated with Classic elb def get_arn_list(self, resources): - + names = [] if resources: for resource in resources: @@ -1255,14 +1271,15 @@ def add_bucket_policy(self, bucket_name, elb_region_account_id): else: raise e - bucket_policy = [{ - 'Sid': 'AwsElbLogs', - 'Effect': 'Allow', - 'Principal': { - "AWS": "arn:aws:iam::" + elb_region_account_id + ":root" + bucket_policy = [ + { + "Sid": "AwsElbLogs", + "Effect": "Allow", + "Principal": { + "AWS": f"arn:{self.partition}:iam::{elb_region_account_id}:root" }, - 'Action': ['s3:PutObject'], - 'Resource': f'arn:aws:s3:::{bucket_name}/*' + "Action": ["s3:PutObject"], + "Resource": f"arn:{self.partition}:s3:::{bucket_name}/*" }, { "Sid": "AWSLogDeliveryAclCheck", @@ -1271,7 +1288,7 @@ def add_bucket_policy(self, bucket_name, elb_region_account_id): "Service": "delivery.logs.amazonaws.com" }, "Action": "s3:GetBucketAcl", - "Resource": "arn:aws:s3:::" + bucket_name + "Resource": f"arn:{self.partition}:s3:::{bucket_name}" }, { "Sid": "AWSLogDeliveryWrite", @@ -1280,13 +1297,14 @@ def add_bucket_policy(self, bucket_name, elb_region_account_id): "Service": "delivery.logs.amazonaws.com" }, "Action": "s3:PutObject", - "Resource": "arn:aws:s3:::" + bucket_name + "/*", + "Resource": f"arn:{self.partition}:s3:::{bucket_name}/*", "Condition": { "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" } } - }] + } + ] existing_policy["Statement"].extend(bucket_policy) s3.put_bucket_policy(Bucket=bucket_name, Policy=json.dumps(existing_policy)) diff --git a/sumologic-app-utils/src/sumoresource.py b/sumologic-app-utils/src/sumoresource.py index 059c7fa..f887f36 100644 --- a/sumologic-app-utils/src/sumoresource.py +++ b/sumologic-app-utils/src/sumoresource.py 
@@ -44,7 +44,7 @@ def extract_params(self, event): def api_endpoint(self): if self.deployment == "us1": return "https://api.sumologic.com/api" - elif self.deployment in ["ca", "au", "de", "eu", "jp", "us2", "fed", "kr", "ch"]: + elif self.deployment in ["ca", "au", "de", "eu", "esc", "jp", "us2", "fed", "kr", "ch"]: return "https://api.%s.sumologic.com/api" % self.deployment else: return 'https://%s-api.sumologic.net/api' % self.deployment diff --git a/sumologic-app-utils/sumo_app_utils.yaml b/sumologic-app-utils/sumo_app_utils.yaml index 0224415..6f1398e 100644 --- a/sumologic-app-utils/sumo_app_utils.yaml +++ b/sumologic-app-utils/sumo_app_utils.yaml @@ -17,7 +17,7 @@ Metadata: - sumologic - serverless Name: sumologic-app-utils - SemanticVersion: 2.0.21 + SemanticVersion: 2.0.23 SourceCodeUrl: https://github.com/SumoLogic/sumologic-aws-lambda/tree/main/sumologic-app-utils SpdxLicenseId: Apache-2.0 ReadmeUrl: ./README.md @@ -29,7 +29,7 @@ Resources: Properties: Handler: main.handler Runtime: python3.13 - CodeUri: s3://appdevstore/sumo_app_utils/v2.0.21/sumo_app_utils.zip + CodeUri: s3://appdevstore/sumo_app_utils/v2.0.23/sumo_app_utils.zip MemorySize: 128 Timeout: 300 Policies: @@ -40,7 +40,7 @@ Resources: - cloudtrail:UpdateTrail - cloudtrail:StartLogging Effect: Allow - Resource: arn:aws:cloudtrail:*:*:* + Resource: !Sub "arn:${AWS::Partition}:cloudtrail:*:*:*" Sid: CreateCloudTrailPolicy Outputs: diff --git a/sumologic-app-utils/sumo_app_utils.zip b/sumologic-app-utils/sumo_app_utils.zip index ee6fd5b..898ed6e 100644 Binary files a/sumologic-app-utils/sumo_app_utils.zip and b/sumologic-app-utils/sumo_app_utils.zip differ
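Review bot: The deployment list in `api_endpoint` is maintained by hand and is mirrored, in differing states, by the templates' `AllowedValues` (the sample template in this commit adds `ch` but still lists no `esc`), so adding `esc` here does not by itself let such a stack select it; lifting the list to a module-level constant, e.g. `SUBDOMAIN_DEPLOYMENTS = ("ca", "au", "de", "eu", "esc", "jp", "us2", "fed", "kr", "ch")` with a comment naming the templates it must stay in sync with, would make the next addition a one-place change. The `else` branch still builds `https://%s-api.sumologic.net/api` from any value not in the list, so a misspelt deployment is routed to an unintended hostname rather than rejected — consider raising `ValueError` for unknown deployments, unless the `.sumologic.net` form is a deliberate fallback for deployments the list does not cover. `api_endpoint` is a method of a class whose definition lies outside the hunk.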