[cli] Enable logging for the cdktoolkit-stagingbucket
It has been identified during a security audit that the cdktoolkit-stagingbucket that is created by CDK bootstrap does not have logging enabled. The request is to enhance the bootstrap so that it can include deployment of a logging bucket.
Use Case
Security – “Inadequate log information could negatively impact forensics investigations, preventing engineers from appropriately root causing incidents.”
This is particularly important, in my opinion, because the zip files that contain Lambda code are, by default, staged in the CDK staging bucket when using an Asset to deploy – as many of the CDK constructs do. If those assets were modified in the staging bucket by an attacker, then there would be no way to perform an investigation on how/when that happened without S3 access logging.
Proposed Solution
Enable either:
- Server access logs for the S3 bucket – https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html ; or
- Logging S3 API calls for the bucket using CloudTrail – https://docs.aws.amazon.com/AmazonS3/latest/dev/cloudtrail-logging.html
Storing logs is not free, so there should be some consideration for making the logging optional (default: enabled), or providing a lifecycle rule that will expire logs older than some period.
Other
N/A
- 👋 I may be able to implement this feature request
- ⚠️ This feature might incur a breaking change
This is a 🚀 Feature Request
Issue Analytics
- Created 3 years ago
- Comments: 5 (4 by maintainers)
Top GitHub Comments
This is not being actively worked on, the current recommended way to achieve this is to customize the bootstrap stack, explained here: https://docs.aws.amazon.com/cdk/latest/guide/bootstrapping.html#bootstrapping-customizing
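One way to apply the customization the maintainer points to, as an added example that is not the CDK project's own bootstrap template: export the template with `cdk bootstrap --show-template`, merge in the fragment below, and redeploy with `cdk bootstrap --template <file>`. It adds a dedicated access-log bucket with an expiry rule (the optional retention the issue asks for), grants the S3 log-delivery service write access to it, and switches on server access logging for the staging bucket. The resource name `StagingBucket`, the `staging-bucket/` prefix and the 365-day default are assumptions, not values from the page.

```yaml
# Added example fragment for a customized CDK bootstrap template (assumed resource
# name StagingBucket; check your own --show-template output and merge accordingly).
Parameters:
  LogRetentionDays:
    Type: Number
    Default: 365
Resources:
  StagingBucketLogs:
    Type: AWS::S3::Bucket
    DeletionPolicy: Retain
    Properties:
      OwnershipControls:
        Rules:
          - ObjectOwnership: BucketOwnerEnforced
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      LifecycleConfiguration:
        Rules:
          - Id: ExpireAccessLogs
            Status: Enabled
            ExpirationInDays: !Ref LogRetentionDays
  StagingBucketLogsPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref StagingBucketLogs
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: AllowS3ServerAccessLogDelivery
            Effect: Allow
            Principal:
              Service: logging.s3.amazonaws.com
            Action: s3:PutObject
            Resource: !Sub "${StagingBucketLogs.Arn}/staging-bucket/*"
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId
  StagingBucket:   # existing resource: add only the LoggingConfiguration property
    Type: AWS::S3::Bucket
    Properties:
      LoggingConfiguration:
        DestinationBucketName: !Ref StagingBucketLogs
        LogFilePrefix: staging-bucket/
```

`DeletionPolicy: Retain` keeps the log bucket (and its evidence) if the bootstrap stack is ever deleted, and the `aws:SourceAccount` condition stops other accounts from writing into it.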
This issue has not received any attention in 1 year. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.