From 1afdab31f1ea856051588b5e455d927993deefb2 Mon Sep 17 00:00:00 2001
From: kefoster951 <42386206+kefoster951@users.noreply.github.com>
Date: Fri, 1 Sep 2023 10:35:15 -0400
Subject: [PATCH 1/2] Update s3_enable_logging.py

---
 bots/s3_enable_logging.py | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/bots/s3_enable_logging.py b/bots/s3_enable_logging.py
index 562a864..1ce9319 100644
--- a/bots/s3_enable_logging.py
+++ b/bots/s3_enable_logging.py
@@ -31,21 +31,18 @@ def run_action(boto_session,rule,entity,params):
 try:
 if region == "us-east-1":
 result = s3_client.create_bucket(
- Bucket=target_bucket_name,
- ACL='log-delivery-write'
+ Bucket=target_bucket_name
 )
 elif region == "eu-west-1":
 region = "EU"
 result = s3_client.create_bucket(
 Bucket=target_bucket_name,
- CreateBucketConfiguration={'LocationConstraint': region},
- ACL='log-delivery-write'
+ CreateBucketConfiguration={'LocationConstraint': region}
 )
 else:
 result = s3_client.create_bucket(
 Bucket=target_bucket_name,
- CreateBucketConfiguration={'LocationConstraint': region},
- ACL='log-delivery-write'
+ CreateBucketConfiguration={'LocationConstraint': region}
 )
 responseCode = result['ResponseMetadata']['HTTPStatusCode']
@@ -53,7 +50,17 @@ def run_action(boto_session,rule,entity,params):
 text_output = "Unexpected error: %s \n" % str(result)
 else:
 text_output = "Logging bucket created %s \n" % target_bucket_name
-
+ try:
+ result = s3_client.put_bucket_policy(Bucket=target_bucket_name,Policy=bucket_policy)
+ except ClientError as e:
+ text_output = text_output + "Unexpected error: %s \n" % e
+
+ responseCode = result['ResponseMetadata']['HTTPStatusCode']
+ if responseCode >= 400:
+ text_output = text_output + "Unexpected error: %s \n" % str(result)
+ else:
+ text_output = text_output + "bucket policy created %s \n" % target_bucket_name
+
 except ClientError as e:
 text_output = "Unexpected error: %s \n" % e
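Review bot: In the second hunk, a `ClientError` caught by the new inner `try` around `put_bucket_policy` does not stop execution, so the following `responseCode = result['ResponseMetadata']['HTTPStatusCode']` reads the stale `result` of the earlier `create_bucket` call (which already passed the `>= 400` check) and appends "bucket policy created" to an output that has just reported the failure. Move the status check into an `else:` clause of that `try` so it only runs when the call returned: `except ClientError as e:` / `text_output = text_output + "Unexpected error: %s \n" % e` / `else:` with the existing `responseCode` check indented one level under it. The first hunk's removal of `ACL='log-delivery-write'` is consistent with granting the logging service through a bucket policy instead, so nothing is needed there. The policy is only attached on the path where the bucket was just created; if the function also handles an already-existing target bucket (the "Check if the bucket exists" comment suggests so, but that code is outside the hunk), that path would presumably keep whatever policy the bucket has. run_action continues outside both hunks.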
From 57b7796feea0cff9186e4f57e57d74eb43b0721d Mon Sep 17 00:00:00 2001
From: kefoster951 <42386206+kefoster951@users.noreply.github.com>
Date: Wed, 6 Sep 2023 09:12:18 -0400
Subject: [PATCH 2/2] Update s3_enable_logging.py

---
 bots/s3_enable_logging.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/bots/s3_enable_logging.py b/bots/s3_enable_logging.py
index 1ce9319..fbbb37b 100644
--- a/bots/s3_enable_logging.py
+++ b/bots/s3_enable_logging.py
@@ -20,7 +20,10 @@ def run_action(boto_session,rule,entity,params):
 bucket_logging = s3_resource.BucketLogging(bucket_name)
 target_bucket_name = accountNumber + "s3accesslogs" + region
-
+ bucket_policy = '{"Version": "2012-10-17", \
+ "Statement": [ {"Sid": "S3ServerAccessLogsPolicy", \
+ "Effect": "Allow", "Principal": {"Service": "logging.s3.amazonaws.com"},\
+ "Action": "s3:PutObject", "Resource": "arn:aws:s3:::'+target_bucket_name+'/*"}]}'
 #The target bucket needs to be in the same region as the remediation bucket or it'll throw a CrossLocationLoggingProhibitted error.
 try:
 #Check if the bucket exists. If not, create one
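Review bot: The `bucket_policy` added here grants the `logging.s3.amazonaws.com` service principal `s3:PutObject` on the whole target bucket with no `Condition`, so the grant is not tied to this account: the policy AWS documents for server access log delivery scopes it with `"Condition": {"StringEquals": {"aws:SourceAccount": accountNumber}}` (optionally also `aws:SourceArn` of the source bucket), and `accountNumber` is already in scope on the line above. Assembling the JSON from a single-quoted literal with `\` continuations is also fragile — the leading whitespace of each continued line becomes part of the string, and the document breaks if `target_bucket_name` ever contains a quote — so a dict passed through `json.dumps` expresses the same policy more robustly (this assumes `json` is imported at the top of the file, which is outside the hunk). The rest of run_action's body lies outside the hunk.
```python
bucket_policy = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "S3ServerAccessLogsPolicy",
        "Effect": "Allow",
        "Principal": {"Service": "logging.s3.amazonaws.com"},
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::" + target_bucket_name + "/*",
        # Only accept log deliveries that originate from buckets in this account.
        "Condition": {"StringEquals": {"aws:SourceAccount": accountNumber}},
    }],
})
# … unchanged: same-region comment and the bucket existence check that follow …
```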