@jtaylortech jtaylortech commented Oct 14, 2025

Issues: #907 & #891

This PR ensures global tags and LZA accelerator tags are consistently applied to AWS Config Rules and CloudWatch Log Groups created by custom resources.

Problem:
Two related tagging issues were identified:

  1. AWS Config Rules do not receive global tags or the LZA Accelerator tag, creating a security gap where rules can be modified/deleted without proper SCP controls
  2. CloudWatch Log Groups created by custom resources (e.g., SecurityHub events) do not receive global tags

Solution:
This PR implements consistent tagging across both resource types:

Config Rules (#907):

  • Modified setupConfigServicesTagging() in security-resources-stack.ts to include:
    • Global tags from globalConfig.tags
    • LZA Accelerator tag (Accelerator: <prefix>)
    • Rule-specific tags (which can override global tags)
  • Ensures all Config Rules have proper tags for SCP-based access controls

CloudWatch Log Groups (#891):

  • Updated SecurityHubEventsLog construct to pass tags to custom resource
  • Enhanced security-hub-event-log lambda handler to accept and apply tags
  • Enhanced create-log-groups lambda handler to accept and apply tags
  • Modified securityHubEventForwardToLogs() to prepare and pass global + accelerator tags

Files Changed:

  • security-resources-stack.ts: Config Rules tagging + SecurityHub log group tags
  • security-hub-events-log.ts: Added tags property to interface and passed through
  • security-hub-event-log/index.ts: Lambda handler accepts and applies tags
  • create-log-groups/index.ts: Lambda handler accepts and applies tags

Testing:

  • Code compiles without TypeScript errors
  • Maintains backward compatibility (tags are optional)
  • Existing behavior preserved when tags are not provided

Benefits:

  • Closes security gap for Config Rules SCP controls
  • Consistent tagging across all LZA-created resources
  • Improved compliance and governance

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

Ensures global tags and LZA accelerator tags are consistently applied to:
- AWS Config Rules created in security-resources-stack
- CloudWatch Log Groups created by custom resources

This closes a security gap where Config Rules lacked LZA tags, making
them vulnerable to unauthorized modification via SCP controls.

Changes:
- Modified setupConfigServicesTagging to include global tags and Accelerator tag
- Updated SecurityHubEventsLog to pass tags through to log group creation
- Enhanced create-log-groups lambda to accept and apply tags parameter
- Enhanced security-hub-event-log lambda to accept and apply tags parameter

Fixes awslabs#907
Fixes awslabs#891
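The tag precedence the PR describes (global tags, then the `Accelerator: <prefix>` tag, then rule-specific tags that may override), shown as an added TypeScript example that is not LZA project code. The type and function names (`Tag`, `TagMap`, `buildConfigRuleTags`, `findUntaggedRules`) are assumed, and the sample tags are constructed; the second function is the check an operator would run to confirm no Config Rule is left outside the SCP condition.

```typescript
// Added example, not code from the LZA repository. Names below are assumed.
interface Tag { Key: string; Value: string }
type TagMap = Record<string, string>;

/**
 * Build the tag list for one AWS Config Rule.
 * Precedence (later source wins), following the order in the PR description:
 *   1. global tags from globalConfig.tags
 *   2. the accelerator tag  Accelerator: <prefix>
 *   3. rule-specific tags, which may override global tags
 * Output is sorted by key so the result is deterministic for diffs and tests.
 */
function buildConfigRuleTags(
  globalTags: TagMap,
  acceleratorPrefix: string,
  ruleTags: TagMap = {},
): Tag[] {
  const merged: TagMap = { ...globalTags, Accelerator: acceleratorPrefix, ...ruleTags };
  const keys = Object.keys(merged);
  // AWS allows at most 50 tags per resource; fail loudly instead of silently
  // dropping a tag that an SCP condition may depend on.
  if (keys.length > 50) {
    throw new Error(`too many tags (${keys.length}); AWS allows at most 50`);
  }
  return keys.sort().map((k) => ({ Key: k, Value: merged[k] }));
}

/**
 * Defender-side check: given Config Rules and the tags each carries, return the
 * names of rules that lack the accelerator tag and so fall outside an SCP that
 * keys on it (the gap the PR closes).
 */
function findUntaggedRules(
  rules: Array<{ name: string; tags: Tag[] }>,
  acceleratorPrefix: string,
): string[] {
  return rules
    .filter((r) => !r.tags.some((t) => t.Key === 'Accelerator' && t.Value === acceleratorPrefix))
    .map((r) => r.name);
}

// Constructed sample input: a global tag set and one rule overriding Owner.
const sampleGlobalTags: TagMap = { Environment: 'prod', Owner: 'platform' };
const sampleRuleTags = buildConfigRuleTags(sampleGlobalTags, 'AWSAccelerator', { Owner: 'security' });
console.log(sampleRuleTags);
console.log(findUntaggedRules([{ name: 'tagged-rule', tags: sampleRuleTags },
  { name: 'legacy-rule', tags: [{ Key: 'Environment', Value: 'prod' }] }], 'AWSAccelerator'));
```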