
[cli] Enable logging for the cdktoolkit-stagingbucket


It has been identified during a security audit that the cdktoolkit-stagingbucket that is created by CDK bootstrap does not have logging enabled. The request is to enhance the bootstrap so that it can include deployment of a logging bucket.

Use Case

Security – “Inadequate log information could negatively impact forensics investigations, preventing engineers from appropriately root causing incidents.”

This is particularly important, in my opinion, because the zip files that contain Lambda code are, by default, staged in the CDK staging bucket when using an Asset to deploy – as many of the CDK constructs do. If those assets were modified in the staging bucket by an attacker, then there would be no way to perform an investigation on how/when that happened without S3 access logging.

Proposed Solution

Enable either:

  1. Enable server access logs for the S3 bucket – https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html ; or
  2. Logging S3 API calls for the bucket using CloudTrail – https://docs.aws.amazon.com/AmazonS3/latest/dev/cloudtrail-logging.html

Storing logs is not free, so there should be some consideration for making the logging optional (default: enabled), or providing a lifecycle rule that will expire logs older than some period.

Other

N/A

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change

This is a 🚀 Feature Request

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 5 (4 by maintainers)

Top GitHub Comments

1 reaction
NetaNir commented, Dec 8, 2020

This is not being actively worked on, the current recommended way to achieve this is to customize the bootstrap stack, explained here: https://docs.aws.amazon.com/cdk/latest/guide/bootstrapping.html#bootstrapping-customizing
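Customizing the bootstrap stack as suggested means editing the template that `cdk bootstrap --show-template` exports and redeploying it with `cdk bootstrap --template`. The fragment below is an added example, not from the issue author or the CDK project; it shows the issue's first option (S3 server access logs) together with the lifecycle expiry it asks for, and assumes the staging bucket's logical ID in the exported template is `StagingBucket` (its existing properties are merged in, only the added one is shown).

```yaml
# Added example (not CDK's own template): log bucket + expiry + access logging
# for the bootstrap staging bucket. Assumes logical ID StagingBucket; adjust.
Parameters:
  LogRetentionDays:
    Type: Number
    Default: 90
    Description: Days to keep S3 server access logs for the staging bucket
Resources:
  StagingBucketLogs:
    Type: AWS::S3::Bucket
    Properties:
      # Separate bucket: a bucket must not deliver access logs to itself.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      LifecycleConfiguration:
        Rules:
          - Id: ExpireAccessLogs
            Status: Enabled
            ExpirationInDays: !Ref LogRetentionDays
  StagingBucketLogsPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref StagingBucketLogs
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Only the S3 log delivery service, for this account, may write here.
          - Sid: AllowS3ServerAccessLogDelivery
            Effect: Allow
            Principal:
              Service: logging.s3.amazonaws.com
            Action: s3:PutObject
            Resource: !Sub "${StagingBucketLogs.Arn}/*"
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId
  StagingBucket:
    Type: AWS::S3::Bucket
    Properties:
      # Keep every existing StagingBucket property from the exported template
      # and add this block so object reads/writes are recorded.
      LoggingConfiguration:
        DestinationBucketName: !Ref StagingBucketLogs
        LogFilePrefix: staging-access-logs/
```

Deploy the merged file with `cdk bootstrap --template bootstrap.yaml`; the parameter keeps retention adjustable per environment without editing the template again.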

0 reactions
github-actions[bot] commented, Jun 17, 2022

This issue has not received any attention in 1 year. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.
