AWS solutions high security documentation change
Summary
Removed Step 2 deployment instructions, simplified S3 bucket policy examples, and deleted build preparation requirements/prerequisites
Security assessment
The change removes critical Condition blocks from S3 bucket policies that previously enforced aws:PrincipalOrgID and aws:PrincipalArn restrictions. This weakens bucket policy examples by eliminating organization ID validation and IAM role restrictions for PutObject operations, which could lead to insecure bucket configurations if followed.
Diff
diff --git a/solutions/latest/automated-security-response-on-aws/cfctdeployment.md b/solutions/latest/automated-security-response-on-aws/cfctdeployment.md index 5510db36f..0b40373ca 100644 --- a//solutions/latest/automated-security-response-on-aws/cfctdeployment.md +++ b//solutions/latest/automated-security-response-on-aws/cfctdeployment.md @@ -5 +5 @@ -PrerequisitesDeployment overviewStep 1: Build and deploy to S3 bucketStep 2: Stacks deployment to AWS Control Tower +PrerequisitesDeployment overviewStep 1: Build and deploy to S3 bucket @@ -104,2 +104,2 @@ Update the $TEMPLATE_BUCKET_NAME S3 bucket policy to include PutObject permissio - "arn:aws:s3:::<template bucket name>/*", - "arn:aws:s3:::<template bucket name>" + "arn:aws:s3::: name>/*", + "arn:aws:s3::: name>" @@ -109,67 +109 @@ Update the $TEMPLATE_BUCKET_NAME S3 bucket policy to include PutObject permissio - "aws:PrincipalOrgID": "<org id>" - } - } - }, - { - "Effect": "Allow", - "Principal": "*", - "Action": "s3:PutObject", - "Resource": [ - "arn:aws:s3:::<template bucket name>/*", - "arn:aws:s3:::<template bucket name>" - ], - "Condition": { - "ArnLike": { - "aws:PrincipalArn": "arn:aws:iam::<execute_account_id>:role/<iam_role_name>" - } - } - } - ] - } - -Alter the asset S3 bucket policy to include permissions. Assign this permission to an IAM role within the execute account that is authorized to write to the bucket. Repeat this setup for each regional asset bucket (e.g., asr-staging-us-east-1, asr-staging-eu-west-1, etc.), allowing deployments across multiple regions without needing to create the buckets in the Management account. - - - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": "*", - "Action": "s3:GetObject", - "Resource": [ - "arn:aws:s3:::<asset bucket name>-<region>/*", - "arn:aws:s3:::<asset bucket name>-<region>" - ], - "Condition": { - "StringEquals": { - "aws:PrincipalOrgID": "<org id>" - } - } - }, - { - "Effect": "Allow", - "Principal": "*", - "Action": "s3:PutObject", - "Resource": [ - "arn:aws:s3:::<asset bucket name>-<region>/*", - "arn:aws:s3:::<asset bucket name>-<region>" - ], - "Condition": { - "ArnLike": { - "aws:PrincipalArn": "arn:aws:iam::<execute_account_id>:role/<iam_role_name>" - } - } - } - ] - } - -###### 4\. Build Preparation - - * Prerequisites: - - * AWS CLI v2 - - * Python 3.11+ with pip - - * AWS CDK 2.171.1+ + "aws:PrincipalOrgID": " @@ -177,137 +110,0 @@ Alter the asset S3 bucket policy to include permissions. Assign this permission - * Node.js 20+ with npm - - * Poetry v2 with plugin to export - - * Git clone [https://github.com/aws-solutions/automated-security-response-on-aws.git](https://github.com/aws-solutions/automated-security-response-on-aws.git) - - - - -First ensure that you’ve run npm install in the source folder. - -Next from the deployment folder in your cloned repo, run build-s3-dist.sh, passing the root name of your bucket (ex. mybucket) and the version you are building (ex. v1.0.0). We recommend using a semver version based on the version downloaded from GitHub (ex. GitHub: v1.0.0, your build: v1.0.0.mybuild) - - - chmod +x build-s3-dist.sh - export SOLUTION_NAME=automated-security-response-on-aws - export SOLUTION_VERSION=v1.0.0.mybuild - ./build-s3-dist.sh -b $BASE_BUCKET_NAME -v $SOLUTION_VERSION - -**5\. Deploy packages to S3** - - - cd deployment - aws s3 cp global-s3-assets/ s3://$TEMPLATE_BUCKET_NAME/$SOLUTION_NAME/$SOLUTION_VERSION/ --recursive --acl bucket-owner-full-control - aws s3 cp regional-s3-assets/ s3://$ASSET_BUCKET_NAME/$SOLUTION_NAME/$SOLUTION_VERSION/ --recursive --acl bucket-owner-full-control - -## Step 2: Stacks deployment to AWS Control Tower - -###### 1\. Build manifest for ASR components - -After deploying ASR artifacts to the S3 buckets, update the Control Tower [pipeline manifest](https://docs.aws.amazon.com/controltower/latest/userguide/cfcn-byo-customizations.html) to reference the new version, and then trigger the pipeline run, refer to: [controltower deployment](https://docs.aws.amazon.com/controltower/latest/userguide/deployment.html) - -###### Important - -To ensure correct deployment of the ASR solution, refer to the official AWS documentation for detailed information on the CloudFormation templates overview and parameters description. Info links below: [CloudFormation Templates](https://docs.aws.amazon.com/en_us/solutions/latest/automated-security-response-on-aws/aws-cloudformation-template.html) [Parameters overview Guide](https://docs.aws.amazon.com/solutions/latest/automated-security-response-on-aws/deployment.html) - -The manifest for the ASR components looks like this: - - - region: us-east-1 #<HOME_REGION_NAME> - version: 2021-03-15 - - # Control Tower Custom CloudFormation Resources - resources: - - name: <ADMIN STACK NAME> - resource_file: s3://<ADMIN TEMPLATE BUCKET path> - parameters: - - parameter_key: UseCloudWatchMetricsAlarms - parameter_value: "yes" - - parameter_key: TicketGenFunctionName - parameter_value: "" - - parameter_key: LoadSCAdminStack - parameter_value: "yes" - - parameter_key: LoadCIS120AdminStack - parameter_value: "no" - - parameter_key: TargetAccountIDsStrategy - parameter_value: "INCLUDE" - - parameter_key: LoadCIS300AdminStack - parameter_value: "no" - - parameter_key: UseCloudWatchMetrics - parameter_value: "yes" - - parameter_key: LoadNIST80053AdminStack - parameter_value: "no" - - parameter_key: LoadCIS140AdminStack - parameter_value: "no" - - parameter_key: ReuseOrchestratorLogGroup - parameter_value: "yes" - - parameter_key: LoadPCI321AdminStack - parameter_value: "no" - - parameter_key: RemediationFailureAlarmThreshold - parameter_value: "5" - - parameter_key: LoadAFSBPAdminStack - parameter_value: "no" - - parameter_key: TargetAccountIDs - parameter_value: "ALL" - - parameter_key: EnableEnhancedCloudWatchMetrics - parameter_value: "no" - deploy_method: stack_set - deployment_targets: - accounts: # :type: list - - <ACCOUNT_NAME> # and/or - - <ACCOUNT_NUMBER> - regions: - - <REGION_NAME> - - - name: <ROLE MEMBER STACK NAME> - resource_file: s3://<ROLE MEMBER TEMPLATE BUCKET path> - parameters: - - parameter_key: SecHubAdminAccount - parameter_value: <ADMIN_ACCOUNT_NAME> - - parameter_key: Namespace - parameter_value: <NAMESPACE> - deploy_method: stack_set - deployment_targets: - organizational_units: - - <ORG UNIT> - - - name: <MEMBER STACK NAME> - resource_file: s3://<MEMBER TEMPLATE BUCKET path> - parameters: - - parameter_key: SecHubAdminAccount - parameter_value: <ADMIN_ACCOUNT_NAME> - - parameter_key: LoadCIS120MemberStack - parameter_value: "no" - - parameter_key: LoadNIST80053MemberStack - parameter_value: "no" - - parameter_key: Namespace - parameter_value: <NAMESPACE> - - parameter_key: CreateS3BucketForRedshiftAuditLogging - parameter_value: "no" - - parameter_key: LoadAFSBPMemberStack - parameter_value: "no" - - parameter_key: LoadSCMemberStack - parameter_value: "yes" - - parameter_key: LoadPCI321MemberStack - parameter_value: "no" - - parameter_key: LoadCIS140MemberStack - parameter_value: "no"