Merge pull request #62 from lvthillo/feat-cloudtrail

Feature: Add parameter to choose between read-write events or only write events in CloudTrail Event Data Store

amplify/backend/custom/cloudtrailLake/cloudtrailLake-cloudformation-template.json

@@ -1,50 +1,131 @@
 {
-    "AWSTemplateFormatVersion": "2010-09-09",
-    "Parameters": {
-      "env": {
-        "Type": "String"
-      }
+  "AWSTemplateFormatVersion":"2010-09-09",
+  "Parameters":{
+    "env":{
+      "Type":"String"
     },
-    "Conditions": {
-        "IsOrganizationsSupported": {
-            "Fn::Not": [
-                {
-                    "Fn::Equals": [
-                        {
-                            "Ref": "AWS::Partition"
-                        },
-                        "aws-cn"
-                    ]
-                }
-            ]
+    "CloudTrailAuditLogs":{
+      "Type":"String",
+      "AllowedValues":[
+        "read_write",
+        "read",
+        "write",
+        "none"
+      ]
+    }
+  },
+  "Conditions":{
+    "IsOrganizationsSupported":{
+      "Fn::Not":[
+        {
+          "Fn::Equals":[
+            {
+              "Ref":"AWS::Partition"
+            },
+            "aws-cn"
+          ]
         }
+      ]
     },
-    "Resources": {
-        "myEventDataStore": {
-            "Type": "AWS::CloudTrail::EventDataStore",
-            "Properties": {
-                "Name": { "Ref" : "AWS::StackName" },
-                "MultiRegionEnabled": true,
-                "RetentionPeriod": 365,
-                "OrganizationEnabled": {
-                    "Fn::If": [
-                        "IsOrganizationsSupported",
-                        true,
-                        {
-                            "Ref": "AWS::NoValue"
-                        }
-                    ]
-                },
-                "TerminationProtectionEnabled": false
-            }
-        }
+    "IsReadAndWriteEnabled":{
+      "Fn::Equals":[
+        {
+          "Ref":"CloudTrailAuditLogs"
+        },
+        "read_write"
+      ]
     },
-    "Outputs": {
-        "EventDataStoreOutput": {
-            "Description": "The event data store ID",
-            "Value": {
-                "Ref":"myEventDataStore"
+    "IsReadOnlyEnabled":{
+      "Fn::Equals":[
+        {
+          "Ref":"CloudTrailAuditLogs"
+        },
+        "read"
+      ]
+    },
+    "IsAuditLogsDisabled":{
+      "Fn::Equals":[
+        {
+          "Ref":"CloudTrailAuditLogs"
+        },
+        "none"
+      ]
+    }
+  },
+  "Resources":{
+    "myEventDataStore":{
+      "Type":"AWS::CloudTrail::EventDataStore",
+      "Properties":{
+        "Name":{
+          "Ref":"AWS::StackName"
+        },
+        "MultiRegionEnabled":true,
+        "IngestionEnabled":{
+          "Fn::If":[
+            "IsAuditLogsDisabled",
+            false,
+            true
+          ]
+        },
+        "RetentionPeriod":7,
+        "OrganizationEnabled":{
+          "Fn::If":[
+            "IsOrganizationsSupported",
+            true,
+            {
+              "Ref":"AWS::NoValue"
             }
-        }
+          ]
+        },
+        "TerminationProtectionEnabled":false,
+        "AdvancedEventSelectors":[
+          {
+            "Fn::If":[
+              "IsReadAndWriteEnabled",
+              {
+                "FieldSelectors":[
+                  {
+                    "Field":"eventCategory",
+                    "Equals":[
+                      "Management"
+                    ]
+                  }
+                ]
+              },
+              {
+                "FieldSelectors":[
+                  {
+                    "Field":"readOnly",
+                    "Equals":[
+                      {
+                        "Fn::If":[
+                          "IsReadOnlyEnabled",
+                          true,
+                          false
+                        ]
+                      }
+                    ]
+                  },
+                  {
+                    "Field":"eventCategory",
+                    "Equals":[
+                      "Management"
+                    ]
+                  }
+                ]
+              }
+            ]
+          }
+        ]
+      }
+    }
+  },
+  "Outputs":{
+    "EventDataStoreOutput":{
+      "Description":"The event data store ID",
+      "Value":{
+        "Ref":"myEventDataStore"
+      }
     }
+  }
 }

amplify/backend/custom/cloudtrailLake/parameters.json

@@ -0,0 +1,3 @@
+{
+    "CloudTrailAuditLogs": "read_write"
+}

deployment/deploy.sh

@@ -21,7 +21,7 @@ export AWS_PROFILE=$TEAM_ACCOUNT_PROFILE
 
 cd ..
 
-aws codecommit create-repository --repository-name team-idc-app --repository-description "Temporary Elevated Access Management (TEAM) Application"
+aws codecommit create-repository --region $REGION --repository-name team-idc-app --repository-description "Temporary Elevated Access Management (TEAM) Application"
 git remote remove origin
 git remote add origin codecommit::$REGION://team-idc-app
 git push origin main
@@ -34,6 +34,7 @@ then
   --parameter-overrides \
     Source=$EMAIL_SOURCE \
     Login=$IDC_LOGIN_URL \
+    CloudTrailAuditLogs=$CLOUDTRAIL_AUDIT_LOGS \
     teamAdminGroup="$TEAM_ADMIN_GROUP" \
     teamAuditGroup="$TEAM_AUDITOR_GROUP" \
     tags="$TAGS" \
@@ -45,6 +46,7 @@ else
   --parameter-overrides \
     Source=$EMAIL_SOURCE \
     Login=$IDC_LOGIN_URL \
+    CloudTrailAuditLogs=$CLOUDTRAIL_AUDIT_LOGS \
     teamAdminGroup="$TEAM_ADMIN_GROUP" \
     teamAuditGroup="$TEAM_AUDITOR_GROUP" \
     tags="$TAGS" \

deployment/parameters-template.sh

@@ -21,3 +21,4 @@ TEAM_ACCOUNT_PROFILE=team_account_profile
 TEAM_ADMIN_GROUP="team_admin_group_name"
 TEAM_AUDITOR_GROUP="team_auditor_group_name"
 TAGS="project=iam-identity-center-team environment=prod"
+CLOUDTRAIL_AUDIT_LOGS=read_write

deployment/template.yml

@@ -7,6 +7,14 @@ Parameters:
   Login:
     Type: String
     Description: IAM IDC Login URL
+  CloudTrailAuditLogs:
+    Type: "String"
+    AllowedValues:
+      - read_write
+      - read
+      - write
+      - none
+    Description: "Read and Write CloudTrail logs"
   teamAdminGroup:
     Type: String
     Description: TEAM application Admin group
@@ -18,6 +26,9 @@ Parameters:
     Description: TEAM application tags
     Default: ""
 
+Conditions:
+  IsEmptyCloudTrailAuditLogs: !Equals [!Ref CloudTrailAuditLogs, ""]
+
 Resources:
   TriggerAmplifyBuild:
     Type: Custom::TriggerAmplifyBuild
@@ -113,6 +124,11 @@ Resources:
           Value: !Ref Source
         - Name: SSO_LOGIN
           Value: !Ref Login
+        - Name: CLOUDTRAIL_AUDIT_LOGS
+          Value: !If
+            - IsEmptyCloudTrailAuditLogs
+            - "read_write"
+            - !Ref CloudTrailAuditLogs
         - Name: TEAM_ADMIN_GROUP
           Value: !Ref teamAdminGroup
         - Name: TEAM_AUDITOR_GROUP

deployment/update.sh

@@ -31,6 +31,7 @@ then
   --parameter-overrides \
     Source=$EMAIL_SOURCE \
     Login=$IDC_LOGIN_URL \
+    CloudTrailAuditLogs=$CLOUDTRAIL_AUDIT_LOGS \
     teamAdminGroup="$TEAM_ADMIN_GROUP" \
     teamAuditGroup="$TEAM_AUDITOR_GROUP" \
     tags="$TAGS" \
@@ -42,6 +43,7 @@ else
   --parameter-overrides \
     Source=$EMAIL_SOURCE \
     Login=$IDC_LOGIN_URL \
+    CloudTrailAuditLogs=$CLOUDTRAIL_AUDIT_LOGS \
     teamAdminGroup="$TEAM_ADMIN_GROUP" \
     teamAuditGroup="$TEAM_AUDITOR_GROUP" \
     tags="$TAGS" \

docs/docs/deployment/deployment_process.md

@@ -36,6 +36,7 @@ Create a new file named **parameters.sh** in the **deployment** directory. Copy
 
 **Parameters**
 
+Required:
 - **EMAIL_SOURCE** - Verified Email address for originating TEAM notifications
 - **IDC_LOGIN_URL** - AWS IAM Identity Center Login URL
 - **REGION** - AWS region where the application will be deployed.
@@ -46,7 +47,14 @@ Create a new file named **parameters.sh** in the **deployment** directory. Copy
 - **TEAM_ACCOUNT_PROFILE** - Named profile for TEAM Application deployment Account
 - **TEAM_ADMIN_GROUP** - Name of IAM Identity Center group for TEAM administrators
 - **TEAM_AUDITOR_GROUP** - Name of IAM Identity Center group for TEAM auditors
+
+Optional:
 - **TAGS** - Tags that should be propagated to nested stacks and underlying resources
+- **CLOUDTRAIL_AUDIT_LOGS** - CloudTrail Event Data Store logging configuration. Options:
+  - `read_write` - record read and write events
+  - `read` - record only read events
+  - `write` - record only write events
+  - `none` - disable event logging
 
 For example:
 
@@ -60,6 +68,7 @@ TEAM_ACCOUNT_PROFILE=TeamAccountProfileName
 TEAM_ADMIN_GROUP=team_admin_group_name
 TEAM_AUDITOR_GROUP=team_auditor_group_name
 TAGS="tag1=value1 tag2=value2"
+CLOUDTRAIL_AUDIT_LOGS=read_write
 ```
 
 ---

docs/docs/overview/cost.md

@@ -18,3 +18,9 @@ The TEAM solution consists of numerous AWS serverless services. As cost is accru
 - [Amazon Cognito](https://aws.amazon.com/es/cognito/pricing)
 - [AWS CloudTrail Lake](https://aws.amazon.com/cloudtrail/pricing/)
 - [AWS IAM Identity Center](https://aws.amazon.com/iam/identity-center/) (free)
+
+## Managing CloudTrail Lake cost 
+
+TEAM uses [AWS CloudTrail Lake](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake.html) for querying, auditing and logging API activities and actions performed by a user during the period of elevated access. For CloudTrail Lake, you pay for ingestion and storage together, where the billing is based on the amount of uncompressed data ingested during the month. When you run queries in Lake, you pay based upon the amount of data scanned. 
+
+TEAM CloudTrail lake event datastore records all [management events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-events-with-cloudtrail.html) and no [data events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html) by default. Depending on your organization's auditing and compliance requirement, you can chose to either log all events or specific events (read-only, write, read-write, management, data events). Recording only specific events can help to reduce the overall cost of running the TEAM solution. For more information about managing CloudTrail lake costs, see [Managing CloudTrail Lake costs](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-manage-costs.html).

docs/docs/overview/security.md

@@ -47,6 +47,10 @@ In the case of TEAM, you can enforce the required TLS versions and cipher suites
 
 Furthermore, the TEAM solution does not enable WAF on the AppSync api endpoint by default. You can use AWS WAF to protect your AppSync API from common web exploits, such as SQL injection and cross-site scripting (XSS) attacks. Be aware that this could affect API availability and performance, compromise security, or consume excessive resources. For example, you can use rate-based rules to specify the number of web requests that are allowed by each client IP in a trailing, continuously updated, 5-minute period.  [ For further details, see Using AWS WAF to protect your APIs.](https://docs.aws.amazon.com/appsync/latest/devguide/WAF-Integration.html)
 
+## Audit logs
+TEAM uses [AWS CloudTrail Lake](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake.html) for querying, auditing and logging API activities and actions performed by a user during the period of elevated access.
+TEAM CloudTrail lake event datastore records all [management events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-events-with-cloudtrail.html) and no [data events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html) by default. Depending on your organization's auditing and compliance requirement, consider updating the TEAM CloudTrail lake event data store configuration to either log all events or specific events (read-only, write, read-write, management, data events).
+
 ## Amplify S3 bucket access logging
 AWS Amplify creates an s3 bucket for storing artifacts for deploying the TEAM application. 
 > It is recommended to enable **Server access logging** for the bucket. However, each organization has its own directives on how this must be achieved. E.g. some organizations mandate that the server access logs be sent to a bucket in a central log archive account which entails additional cross-account permissions. Please refer to [Enabling Amazon S3 server access logging](https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html) for an explanation on how this can be achieved.

parameters.js

@@ -6,7 +6,7 @@
 const fs = require("fs");
 const path = require("path");
 
-const { AWS_APP_ID, AWS_BRANCH, EMAIL_SOURCE, SSO_LOGIN, TEAM_ADMIN_GROUP, TEAM_AUDITOR_GROUP, TAGS } = process.env;
+const { AWS_APP_ID, AWS_BRANCH, EMAIL_SOURCE, SSO_LOGIN, TEAM_ADMIN_GROUP, TEAM_AUDITOR_GROUP, TAGS, CLOUDTRAIL_AUDIT_LOGS } = process.env;
 
 async function update_auth_parameters() {
   console.log(`updating amplify config for branch "${AWS_BRANCH}"...`);
@@ -105,10 +105,28 @@ async function update_tag_parameters() {
   fs.writeFileSync(tagsParametersJsonPath, JSON.stringify(tagsArray, null, 2));
 }
 
+async function update_cloudtrail_parameters() {
+  console.log(`updating amplify/backend/custom/cloudtrailLake/parameters.json"...`);
+
+  const cloudtrailParametersJsonPath = path.resolve(
+    `./amplify/backend/custom/cloudtrailLake/parameters.json`
+  );
+
+  const cloudtrailParametersJson = require(cloudtrailParametersJsonPath);
+
+  cloudtrailParametersJson.CloudTrailAuditLogs = CLOUDTRAIL_AUDIT_LOGS;
+
+  fs.writeFileSync(
+    cloudtrailParametersJsonPath,
+    JSON.stringify(cloudtrailParametersJson, null, 4)
+  );
+}
+
 
 
 update_custom_parameters();
 update_auth_parameters();
 update_react_parameters();
 update_groups_parameters();
-update_tag_parameters();
+update_tag_parameters();
+update_cloudtrail_parameters();