Tweaked access logs
latifcabinetoffice committed Jul 2, 2024
1 parent 87a0c12 commit 29e0025
Showing 1 changed file with 21 additions and 23 deletions.
44 changes: 21 additions & 23 deletions deploy/template.yaml
Expand Up @@ -878,7 +878,7 @@ Resources:
Action:
- sts:AssumeRole
ManagedPolicyArns:
- "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
- !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
Policies:
- PolicyName: CreateLogGroup
PolicyDocument:
Expand All @@ -902,7 +902,7 @@ Resources:
Action:
- kms:Decrypt
Resource:
- arn:aws:kms:eu-west-2:216552277552:key/*
- !Sub arn:${AWS::Partition}:kms:eu-west-2:216552277552:key/*
PermissionsBoundary: !If
- UsePermissionsBoundary
- !Ref PermissionsBoundary
Expand Down Expand Up @@ -943,7 +943,7 @@ Resources:
Action:
- "sns:Publish"
Resource:
- !Sub "arn:aws:sns:${AWS::Region}:${AWS::AccountId}:UserAccountDeletion"
- !Sub "arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:UserAccountDeletion"
- Effect: Allow
Action:
- "kms:Decrypt"
Expand All @@ -953,28 +953,28 @@ Resources:
Action:
- "sns:Publish"
Resource:
- !Sub "arn:aws:sns:${AWS::Region}:${AWS::AccountId}:SuspiciousActivity"
- !Sub "arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:SuspiciousActivity"
- Effect: Allow
Action:
- "ssm:GetParameters"
Resource:
- !Sub "arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${AWS::StackName}/*"
- !Sub "arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${BackendStackName}/SNS/DeleteTopic/ARN"
- !Sub "arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${StubsStackName}/Stub/AccountManagement/Endpoint"
- !Sub "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${AWS::StackName}/*"
- !Sub "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${BackendStackName}/SNS/DeleteTopic/ARN"
- !Sub "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${StubsStackName}/Stub/AccountManagement/Endpoint"
- Effect: Allow
Action:
- "secretsmanager:GetSecretValue"
Resource:
- !Sub "arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:/${AWS::StackName}/Config/Publishing/API/Key"
- !Sub "arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:/${AWS::StackName}/Config/Session/Secret"
- !Sub "arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:/${BackendStackName}/Config/Session/Secret"
- !Sub "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:/${AWS::StackName}/Config/Publishing/API/Key"
- !Sub "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:/${AWS::StackName}/Config/Session/Secret"
- !Sub "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:/${BackendStackName}/Config/Session/Secret"
- Effect: Allow
Action:
- dynamodb:Query
- dynamodb:GetItem
Resource:
- !Sub "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${ServiceStoreTableName}"
- !Sub "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${ActivityLogTableName}"
- !Sub "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${ServiceStoreTableName}"
- !Sub "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${ActivityLogTableName}"
- Effect: Allow
Action:
- dynamodb:DescribeTable
Expand All @@ -991,17 +991,15 @@ Resources:
Action:
- "kms:Sign"
- "kms:GetPublicKey"
Resource: !Join
- ""
- - !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/"
- !Sub "{{resolve:ssm:/${AWS::StackName}/KMS/JwtSigningKey/Id}}"
Resource:
- !Sub "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/{{resolve:ssm:/${AWS::StackName}/KMS/JwtSigningKey/Id}}"
- Effect: Allow
Action:
- "kms:GenerateDataKey*"
- "kms:Decrypt"
Resource:
- !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/{{resolve:ssm:/${BackendStackName}/KMS/SnsKmsKey/ID}}"
- !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/{{resolve:ssm:/${BackendStackName}/KMS/DatabaseKmsKey/ID}}"
- !Sub "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/{{resolve:ssm:/${BackendStackName}/KMS/SnsKmsKey/ID}}"
- !Sub "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/{{resolve:ssm:/${BackendStackName}/KMS/DatabaseKmsKey/ID}}"
- !GetAtt DynamoDBKmsKey.Arn
- Effect: Allow
Action:
Expand All @@ -1020,13 +1018,13 @@ Resources:
Action:
- "secretsmanager:GetSecretValue"
Resource:
- !Sub "arn:aws:secretsmanager:eu-west-2:216552277552:secret:DynatraceNonProductionVariables"
- !Sub "arn:aws:secretsmanager:eu-west-2:216552277552:secret:DynatraceProductionVariables"
- !Sub "arn:${AWS::Partition}:secretsmanager:eu-west-2:216552277552:secret:DynatraceNonProductionVariables"
- !Sub "arn:${AWS::Partition}:secretsmanager:eu-west-2:216552277552:secret:DynatraceProductionVariables"
- Effect: Allow
Action:
- "kms:Decrypt"
Resource:
- !Sub "arn:aws:kms:eu-west-2:216552277552:key/*"
- !Sub "arn:${AWS::Partition}:kms:eu-west-2:216552277552:key/*"

PermissionsBoundary: !If
- UsePermissionsBoundary
Expand Down Expand Up @@ -1481,7 +1479,7 @@ Resources:
DeletionPolicy: Delete
UpdateReplacePolicy: Delete
Properties:
LogGroupName: !Sub "/aws/vendedlogs/${AWS::StackName}"
LogGroupName: !Sub "/apigateway/${AWS::StackName}/access"
RetentionInDays: 30
KmsKeyId: !GetAtt LoggingKmsKey.Arn
Tags:
Expand Down Expand Up @@ -1553,7 +1551,7 @@ Resources:
Effect: Allow
Principal:
AWS: !Sub
- "arn:aws:iam::${ElbAccountId}:root"
- "arn:{AWS::Partition}:iam::${ElbAccountId}:root"
- ElbAccountId:
!FindInMap [
ElasticLoadBalancerAccountIds,
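Review bot: The new principal line in the last hunk, `- "arn:{AWS::Partition}:iam::${ElbAccountId}:root"`, is missing the `$` before `{AWS::Partition}`, so `!Sub` leaves that text literal and the statement ends up with a principal ARN that is not a valid IAM ARN; it should read `- "arn:${AWS::Partition}:iam::${ElbAccountId}:root"`, as every other hunk in this commit does. Since this statement is what grants the load-balancer log-delivery account access (presumably the access-log bucket policy), the likely outcome is a failed stack update rather than a silently broken policy, but either way it defeats the change the commit title describes. The enclosing policy statement starts and ends outside the hunk. Separately, the second hunk's unquoted `!Sub arn:${AWS::Partition}:kms:eu-west-2:216552277552:key/*` would be easier to read quoted like its twin in the later hunk, and that `key/*` decrypt grant deserves a short comment naming which keys in that account the role actually needs, so a later reviewer can tell whether the wildcard is still required.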