From 03caa391492f79169c8a45862f7171d196246ce1 Mon Sep 17 00:00:00 2001 From: Joshua Leaverton Date: Tue, 10 Nov 2020 15:39:03 -0500 Subject: [PATCH] Version 3.1.0 --- .github/ISSUE_TEMPLATE/bug_report.md | 9 +- .gitignore | 2 + CHANGELOG.md | 5 + ...urity-automations-firehose-athena.template | 8 +- ...s-waf-security-automations-webacl.template | 2 +- .../aws-waf-security-automations.template | 124 +++++++++--------- 6 files changed, 79 insertions(+), 71 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md index 7233e10..f7d7da6 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ b/.github/ISSUE_TEMPLATE/bug_report.md @@ -17,16 +17,17 @@ Steps to reproduce the behavior. A clear and concise description of what you expected to happen. **Please complete the following information about the solution:** -- [ ] Version: [e.g. v1.0.0] +- [ ] Version: [e.g. v3.1] -To get the version of the solution, you can look at the description of the created CloudFormation stack. For example, "_(SO0021) - Video On Demand workflow with AWS Step Functions, MediaConvert, MediaPackage, S3, CloudFront and DynamoDB. Version **v5.0.0**_". If the description does not contain the version information, you can look at the mappings section of the template: +To get the version of the solution, you can look at the description of the created CloudFormation stack. For example, "AWS WAF Security Automations v3.1: This AWS CloudFormation template helps you provision the AWS WAF Security Automations stack without worrying about creating and configuring the underlying AWS infrastructure". If the description does not contain the version information, you can look at the mappings section of the template: ```yaml Mappings: SourceCode: General: - S3Bucket: "solutions" - KeyPrefix: "video-on-demand-on-aws/v5.0.0" + TemplateBucket: 'solutions-reference' + SourceBucket: 'solutions' + KeyPrefix: 'waf-security-automation/v3.1' ``` - [ ] Region: [e.g. us-east-1] 
diff --git a/.gitignore b/.gitignore index 6d2e67d..b375019 100644 --- a/.gitignore +++ b/.gitignore @@ -6,3 +6,5 @@ **/package-lock.json **/.pyc /deployment/open-source/ +source/tests/__pycache__/ +source/log_parser/__pycache__/ \ No newline at end of file diff --git a/CHANGELOG.md b/CHANGELOG.md index 7647e85..2149a55 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -25,3 +25,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Changed - Upgraded from WAF classic to WAFV2 API - Eliminated dependency on NodeJS and use Python as the standardized programming language +## [3.1] - 2020-10-22 +### Changed +- Replaced s3 path-style with virtual-hosted style +- Added partition variable to all ARNs +- Updated bug report diff --git a/deployment/aws-waf-security-automations-firehose-athena.template b/deployment/aws-waf-security-automations-firehose-athena.template index f52236d..eb9a8ca 100644 --- a/deployment/aws-waf-security-automations-firehose-athena.template +++ b/deployment/aws-waf-security-automations-firehose-athena.template @@ -110,8 +110,8 @@ Resources: - s3:ListBucketMultipartUploads - s3:PutObject Resource: - - !Sub 'arn:aws:s3:::${WafLogBucket}' - - !Sub 'arn:aws:s3:::${WafLogBucket}/*' + - !Sub 'arn:${AWS::Partition}:s3:::${WafLogBucket}' + - !Sub 'arn:${AWS::Partition}:s3:::${WafLogBucket}/*' - PolicyName: KinesisAccess PolicyDocument: Statement: @@ -121,7 +121,7 @@ Resources: - kinesis:GetShardIterator - kinesis:GetRecords Resource: - - !Sub 'arn:aws:kinesis:${AWS::Region}:${AWS::AccountId}:stream/${DeliveryStreamName}' + - !Sub 'arn:${AWS::Partition}:kinesis:${AWS::Region}:${AWS::AccountId}:stream/${DeliveryStreamName}' - PolicyName: CloudWatchAccess PolicyDocument: Statement: 
@@ -129,7 +129,7 @@ Resources: Action: - 'logs:PutLogEvents' Resource: - - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/kinesisfirehose/${DeliveryStreamName}:*' + - !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/kinesisfirehose/${DeliveryStreamName}:*' Metadata: cfn_nag: rules_to_suppress: diff --git a/deployment/aws-waf-security-automations-webacl.template b/deployment/aws-waf-security-automations-webacl.template index 5228e67..d61cf8a 100644 --- a/deployment/aws-waf-security-automations-webacl.template +++ b/deployment/aws-waf-security-automations-webacl.template @@ -337,7 +337,7 @@ Resources: - 'logs:CreateLogStream' - 'logs:PutLogEvents' Resource: - - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/*CustomTimer*' + - !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/*CustomTimer*' CustomTimer: Type: 'AWS::Lambda::Function' diff --git a/deployment/aws-waf-security-automations.template b/deployment/aws-waf-security-automations.template index 25bf7c0..5200e66 100644 --- a/deployment/aws-waf-security-automations.template +++ b/deployment/aws-waf-security-automations.template @@ -313,7 +313,7 @@ Resources: DependsOn: CheckRequirements Properties: TemplateURL: !Sub - - 'https://s3.amazonaws.com/${S3Bucket}/${KeyPrefix}/aws-waf-security-automations-firehose-athena.template' + - 'https://${S3Bucket}.s3.amazonaws.com/${KeyPrefix}/aws-waf-security-automations-firehose-athena.template' - S3Bucket: !FindInMap ["SourceCode", "General", "TemplateBucket"] KeyPrefix: !FindInMap ["SourceCode", "General", "KeyPrefix"] 
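Review bot: The new TemplateURL on the `+` line of the `@@ -313` hunk still hardcodes the `amazonaws.com` host suffix, so the nested-stack fetch stays tied to the standard partition even though every ARN in this commit is switched to `${AWS::Partition}`; the webacl TemplateURL in the following `@@ -336` hunk has the same gap. CloudFormation exposes the partition-specific DNS suffix as the `AWS::URLSuffix` pseudo parameter, so `- 'https://${S3Bucket}.s3.${AWS::URLSuffix}/${KeyPrefix}/aws-waf-security-automations-firehose-athena.template'` would keep the virtual-hosted form while following the partition the stack is deployed in; whether a region-qualified S3 host is additionally required in those partitions should be confirmed against the S3 endpoint documentation before relying on it. Because virtual-hosted addressing makes the bucket name part of the TLS hostname, the `TemplateBucket` mapping this URL is built from must stay free of dots (the `solutions-reference` value shown in the bug-report hunk is fine). The enclosing nested-stack resource begins outside the hunk.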
@@ -336,7 +336,7 @@ Resources: DependsOn: CheckRequirements Properties: TemplateURL: !Sub - - 'https://s3.amazonaws.com/${S3Bucket}/${KeyPrefix}/aws-waf-security-automations-webacl.template' + - 'https://${S3Bucket}.s3.amazonaws.com/${KeyPrefix}/aws-waf-security-automations-webacl.template' - S3Bucket: !FindInMap ["SourceCode", "General", "TemplateBucket"] KeyPrefix: !FindInMap ["SourceCode", "General", "KeyPrefix"] @@ -382,7 +382,7 @@ Resources: - 's3:GetObject' - 's3:ListBucket' Resource: - - !Sub 'arn:aws:s3:::${AppAccessLogBucket}' + - !Sub 'arn:${AWS::Partition}:s3:::${AppAccessLogBucket}' - PolicyName: WAFAccess PolicyDocument: Statement: @@ -390,8 +390,8 @@ Resources: Action: - 'wafv2:ListWebACLs' Resource: - - !Sub 'arn:aws:wafv2:${AWS::Region}:${AWS::AccountId}:regional/webacl/*' - - !Sub 'arn:aws:wafv2:${AWS::Region}:${AWS::AccountId}:global/webacl/*' + - !Sub 'arn:${AWS::Partition}:wafv2:${AWS::Region}:${AWS::AccountId}:regional/webacl/*' + - !Sub 'arn:${AWS::Partition}:wafv2:${AWS::Region}:${AWS::AccountId}:global/webacl/*' - PolicyName: LogsAccess PolicyDocument: Version: 2012-10-17 @@ -402,7 +402,7 @@ Resources: - 'logs:CreateLogStream' - 'logs:PutLogEvents' Resource: - - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/*Helper*' + - !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/*Helper*' Metadata: cfn_nag: rules_to_suppress: 
@@ -436,14 +436,14 @@ Resources: - 'logs:CreateLogStream' - 'logs:PutLogEvents' Resource: - - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/*BadBotParser*' + - !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/*BadBotParser*' - PolicyName: 'CloudFormationAccess' PolicyDocument: Statement: - Effect: Allow Action: 'cloudformation:DescribeStacks' Resource: - - !Sub 'arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${AWS::StackName}/*' + - !Sub 'arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${AWS::StackName}/*' - PolicyName: WAFGetAndUpdateIPSet PolicyDocument: Statement: @@ -492,7 +492,7 @@ Resources: - 'logs:CreateLogStream' - 'logs:PutLogEvents' Resource: - - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/*ReputationListsParser*' + - !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/*ReputationListsParser*' - PolicyName: WAFGetAndUpdateIPSet PolicyDocument: Statement: @@ -510,7 +510,7 @@ Resources: - Effect: Allow Action: 'cloudformation:DescribeStacks' Resource: - - !Sub 'arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${AWS::StackName}/*' + - !Sub 'arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${AWS::StackName}/*' - PolicyName: CloudWatchAccess PolicyDocument: Statement: 
@@ -552,12 +552,12 @@ Resources: - Effect: Allow Action: 's3:GetObject' Resource: - - !Sub 'arn:aws:s3:::${AppAccessLogBucket}/*' + - !Sub 'arn:${AWS::Partition}:s3:::${AppAccessLogBucket}/*' - Effect: Allow Action: 's3:PutObject' Resource: - - !Sub 'arn:aws:s3:::${AppAccessLogBucket}/${AWS::StackName}-app_log_out.json' - - !Sub 'arn:aws:s3:::${AppAccessLogBucket}/${AWS::StackName}-app_log_conf.json' + - !Sub 'arn:${AWS::Partition}:s3:::${AppAccessLogBucket}/${AWS::StackName}-app_log_out.json' + - !Sub 'arn:${AWS::Partition}:s3:::${AppAccessLogBucket}/${AWS::StackName}-app_log_conf.json' - Effect: Allow Action: - 'wafv2:GetIPSet' @@ -577,7 +577,7 @@ Resources: - 'athena:GetNamedQuery' - 'athena:StartQueryExecution' Resource: - - !Sub 'arn:aws:athena:${AWS::Region}:${AWS::AccountId}:workgroup/WAF*' + - !Sub 'arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:workgroup/WAF*' # S3 Resources - Effect: Allow Action: 
@@ -590,17 +590,17 @@ Resources: - 's3:CreateBucket' - 's3:PutObject' Resource: - - !Sub 'arn:aws:s3:::${AppAccessLogBucket}/athena_results/*' - - !Sub 'arn:aws:s3:::${AppAccessLogBucket}' + - !Sub 'arn:${AWS::Partition}:s3:::${AppAccessLogBucket}/athena_results/*' + - !Sub 'arn:${AWS::Partition}:s3:::${AppAccessLogBucket}' # Glue Resources - Effect: Allow Action: - 'glue:GetTable' - 'glue:GetPartitions' Resource: - - !Sub 'arn:aws:glue:${AWS::Region}:${AWS::AccountId}:catalog' - - !Sub 'arn:aws:glue:${AWS::Region}:${AWS::AccountId}:database/${WebACLStack.Outputs.GlueAccessLogsDatabase}' - - !Sub 'arn:aws:glue:${AWS::Region}:${AWS::AccountId}:table/${WebACLStack.Outputs.GlueAccessLogsDatabase}/${WebACLStack.Outputs.GlueAppAccessLogsTable}' + - !Sub 'arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:catalog' + - !Sub 'arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/${WebACLStack.Outputs.GlueAccessLogsDatabase}' + - !Sub 'arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${WebACLStack.Outputs.GlueAccessLogsDatabase}/${WebACLStack.Outputs.GlueAppAccessLogsTable}' - !Ref 'AWS::NoValue' - !If - HttpFloodProtectionLogParserActivated @@ -611,12 +611,12 @@ Resources: - Effect: Allow Action: 's3:GetObject' Resource: - - !Sub 'arn:aws:s3:::${WafLogBucket}/*' + - !Sub 'arn:${AWS::Partition}:s3:::${WafLogBucket}/*' - Effect: Allow Action: 's3:PutObject' Resource: - - !Sub 'arn:aws:s3:::${WafLogBucket}/${AWS::StackName}-waf_log_out.json' - - !Sub 'arn:aws:s3:::${WafLogBucket}/${AWS::StackName}-waf_log_conf.json' + - !Sub 'arn:${AWS::Partition}:s3:::${WafLogBucket}/${AWS::StackName}-waf_log_out.json' + - !Sub 'arn:${AWS::Partition}:s3:::${WafLogBucket}/${AWS::StackName}-waf_log_conf.json' # AWS WAF Resources - Effect: Allow Action: 
@@ -637,7 +637,7 @@ Resources: - 'athena:GetNamedQuery' - 'athena:StartQueryExecution' Resource: - - !Sub 'arn:aws:athena:${AWS::Region}:${AWS::AccountId}:workgroup/WAF*' + - !Sub 'arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:workgroup/WAF*' # S3 Resources - Effect: Allow Action: @@ -650,17 +650,17 @@ Resources: - 's3:CreateBucket' - 's3:PutObject' Resource: - - !Sub 'arn:aws:s3:::${WafLogBucket}/athena_results/*' - - !Sub 'arn:aws:s3:::${WafLogBucket}' + - !Sub 'arn:${AWS::Partition}:s3:::${WafLogBucket}/athena_results/*' + - !Sub 'arn:${AWS::Partition}:s3:::${WafLogBucket}' # Glue Resources - Effect: Allow Action: - 'glue:GetTable' - 'glue:GetPartitions' Resource: - - !Sub 'arn:aws:glue:${AWS::Region}:${AWS::AccountId}:catalog' - - !Sub 'arn:aws:glue:${AWS::Region}:${AWS::AccountId}:database/${WebACLStack.Outputs.GlueAccessLogsDatabase}' - - !Sub 'arn:aws:glue:${AWS::Region}:${AWS::AccountId}:table/${WebACLStack.Outputs.GlueAccessLogsDatabase}/${WebACLStack.Outputs.GlueWafAccessLogsTable}' + - !Sub 'arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:catalog' + - !Sub 'arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/${WebACLStack.Outputs.GlueAccessLogsDatabase}' + - !Sub 'arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${WebACLStack.Outputs.GlueAccessLogsDatabase}/${WebACLStack.Outputs.GlueWafAccessLogsTable}' - !Ref 'AWS::NoValue' - PolicyName: LogsAccess PolicyDocument: @@ -671,7 +671,7 @@ Resources: - 'logs:CreateLogStream' - 'logs:PutLogEvents' Resource: - - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/*LogParser*' + - !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/*LogParser*' - PolicyName: CloudWatchAccess PolicyDocument: Statement: 
@@ -711,7 +711,7 @@ Resources: - 's3:PutEncryptionConfiguration' - 's3:PutBucketPublicAccessBlock' Resource: - - !Sub 'arn:aws:s3:::${AppAccessLogBucket}' + - !Sub 'arn:${AWS::Partition}:s3:::${AppAccessLogBucket}' - !If - HttpFloodProtectionLogParserActivated - PolicyName: S3AccessGeneralWafLog @@ -723,7 +723,7 @@ Resources: - 's3:GetBucketNotification' - 's3:PutBucketNotification' Resource: - - !Sub 'arn:aws:s3:::${WafLogBucket}' + - !Sub 'arn:${AWS::Partition}:s3:::${WafLogBucket}' - !Ref 'AWS::NoValue' - PolicyName: S3Access PolicyDocument: @@ -734,7 +734,7 @@ Resources: - 's3:GetObject' - 's3:ListBucket' Resource: - - !Sub 'arn:aws:s3:::${AppAccessLogBucket}' + - !Sub 'arn:${AWS::Partition}:s3:::${AppAccessLogBucket}' - !If - ScannersProbesLambdaLogParser - PolicyName: S3AppAccessPut @@ -743,7 +743,7 @@ Resources: - Effect: Allow Action: 's3:PutObject' Resource: - - !Sub 'arn:aws:s3:::${AppAccessLogBucket}/${AWS::StackName}-app_log_conf.json' + - !Sub 'arn:${AWS::Partition}:s3:::${AppAccessLogBucket}/${AWS::StackName}-app_log_conf.json' - !Ref 'AWS::NoValue' - !If - HttpFloodLambdaLogParser @@ -753,7 +753,7 @@ Resources: - Effect: Allow Action: 's3:PutObject' Resource: - - !Sub 'arn:aws:s3:::${WafLogBucket}/${AWS::StackName}-waf_log_conf.json' + - !Sub 'arn:${AWS::Partition}:s3:::${WafLogBucket}/${AWS::StackName}-waf_log_conf.json' - !Ref 'AWS::NoValue' - !If - CustomResourceLambdaAccess @@ -763,7 +763,7 @@ Resources: - Effect: Allow Action: 'lambda:InvokeFunction' Resource: - - !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${AWS::StackName}*' + - !Sub 'arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:${AWS::StackName}*' - !Ref 'AWS::NoValue' - PolicyName: WAFAccess PolicyDocument: 
@@ -783,8 +783,8 @@ Resources: - 'wafv2:GetIPSet' - 'wafv2:DeleteIPSet' Resource: - - !Sub 'arn:aws:wafv2:${AWS::Region}:${AWS::AccountId}:regional/ipset/${AWS::StackName}*' - - !Sub 'arn:aws:wafv2:${AWS::Region}:${AWS::AccountId}:global/ipset/${AWS::StackName}*' + - !Sub 'arn:${AWS::Partition}:wafv2:${AWS::Region}:${AWS::AccountId}:regional/ipset/${AWS::StackName}*' + - !Sub 'arn:${AWS::Partition}:wafv2:${AWS::Region}:${AWS::AccountId}:global/ipset/${AWS::StackName}*' - !If - HttpFloodProtectionLogParserActivated - PolicyName: WAFLogsAccess @@ -798,7 +798,7 @@ Resources: - Effect: Allow Action: 'iam:CreateServiceLinkedRole' Resource: - - 'arn:aws:iam::*:role/aws-service-role/wafv2.amazonaws.com/AWSServiceRoleForWAFV2Logging' + - !Sub 'arn:${AWS::Partition}:iam::*:role/aws-service-role/wafv2.amazonaws.com/AWSServiceRoleForWAFV2Logging' Condition: StringLike: iam:AWSServiceName: 'wafv2.amazonaws.com' @@ -809,7 +809,7 @@ Resources: - Effect: Allow Action: 'cloudformation:DescribeStacks' Resource: - - !Sub 'arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${AWS::StackName}/*' + - !Sub 'arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${AWS::StackName}/*' - PolicyName: LogsAccess PolicyDocument: Statement: @@ -819,7 +819,7 @@ Resources: - 'logs:CreateLogStream' - 'logs:PutLogEvents' Resource: - - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/*CustomResource*' + - !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/*CustomResource*' Metadata: cfn_nag: rules_to_suppress: @@ -866,7 +866,7 @@ Resources: - 's3:DeleteObject' - 's3:PutObject' Resource: - - !Sub 'arn:aws:s3:::${AppAccessLogBucket}/*' + - !Sub 'arn:${AWS::Partition}:s3:::${AppAccessLogBucket}/*' - !Ref 'AWS::NoValue' - PolicyName: LogsAccess PolicyDocument: 
@@ -877,7 +877,7 @@ Resources: - 'logs:CreateLogStream' - 'logs:PutLogEvents' Resource: - - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/*MoveS3LogsForPartition*' + - !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/*MoveS3LogsForPartition*' LambdaRoleAddAthenaPartitions: Type: 'AWS::IAM::Role' @@ -917,15 +917,15 @@ Resources: - 's3:AbortMultipartUpload' - 's3:CreateBucket' Resource: - - !Sub 'arn:aws:s3:::${AppAccessLogBucket}/athena_results/*' - - !Sub 'arn:aws:s3:::${AppAccessLogBucket}' - - !Sub 'arn:aws:s3:::${AppAccessLogBucket}/*' + - !Sub 'arn:${AWS::Partition}:s3:::${AppAccessLogBucket}/athena_results/*' + - !Sub 'arn:${AWS::Partition}:s3:::${AppAccessLogBucket}' + - !Sub 'arn:${AWS::Partition}:s3:::${AppAccessLogBucket}/*' # Athena Resources - Effect: Allow Action: - 'athena:StartQueryExecution' Resource: - - !Sub 'arn:aws:athena:${AWS::Region}:${AWS::AccountId}:workgroup/WAF*' + - !Sub 'arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:workgroup/WAF*' # Glue Resources - Effect: Allow Action: 
@@ -935,10 +935,10 @@ Resources: - 'glue:CreateDatabase' - 'glue:BatchCreatePartition' Resource: - - !Sub 'arn:aws:glue:${AWS::Region}:${AWS::AccountId}:catalog' - - !Sub 'arn:aws:glue:${AWS::Region}:${AWS::AccountId}:database/default' - - !Sub 'arn:aws:glue:${AWS::Region}:${AWS::AccountId}:database/${WebACLStack.Outputs.GlueAccessLogsDatabase}' - - !Sub 'arn:aws:glue:${AWS::Region}:${AWS::AccountId}:table/${WebACLStack.Outputs.GlueAccessLogsDatabase}/${WebACLStack.Outputs.GlueAppAccessLogsTable}' + - !Sub 'arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:catalog' + - !Sub 'arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/default' + - !Sub 'arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/${WebACLStack.Outputs.GlueAccessLogsDatabase}' + - !Sub 'arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${WebACLStack.Outputs.GlueAccessLogsDatabase}/${WebACLStack.Outputs.GlueAppAccessLogsTable}' - !Ref 'AWS::NoValue' - !If - HttpFloodAthenaLogParser @@ -957,15 +957,15 @@ Resources: - 's3:AbortMultipartUpload' - 's3:CreateBucket' Resource: - - !Sub 'arn:aws:s3:::${WafLogBucket}/athena_results/*' - - !Sub 'arn:aws:s3:::${WafLogBucket}' - - !Sub 'arn:aws:s3:::${WafLogBucket}/*' + - !Sub 'arn:${AWS::Partition}:s3:::${WafLogBucket}/athena_results/*' + - !Sub 'arn:${AWS::Partition}:s3:::${WafLogBucket}' + - !Sub 'arn:${AWS::Partition}:s3:::${WafLogBucket}/*' # Athena Resources - Effect: Allow Action: - 'athena:StartQueryExecution' Resource: - - !Sub 'arn:aws:athena:${AWS::Region}:${AWS::AccountId}:workgroup/WAF*' + - !Sub 'arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:workgroup/WAF*' # Glue Resources - Effect: Allow Action: 
@@ -975,10 +975,10 @@ Resources: - 'glue:CreateDatabase' - 'glue:BatchCreatePartition' Resource: - - !Sub 'arn:aws:glue:${AWS::Region}:${AWS::AccountId}:catalog' - - !Sub 'arn:aws:glue:${AWS::Region}:${AWS::AccountId}:database/default' - - !Sub 'arn:aws:glue:${AWS::Region}:${AWS::AccountId}:database/${WebACLStack.Outputs.GlueAccessLogsDatabase}' - - !Sub 'arn:aws:glue:${AWS::Region}:${AWS::AccountId}:table/${WebACLStack.Outputs.GlueAccessLogsDatabase}/${WebACLStack.Outputs.GlueWafAccessLogsTable}' + - !Sub 'arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:catalog' + - !Sub 'arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/default' + - !Sub 'arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/${WebACLStack.Outputs.GlueAccessLogsDatabase}' + - !Sub 'arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${WebACLStack.Outputs.GlueAccessLogsDatabase}/${WebACLStack.Outputs.GlueWafAccessLogsTable}' - !Ref 'AWS::NoValue' - PolicyName: LogsAccess PolicyDocument: @@ -989,7 +989,7 @@ Resources: - 'logs:CreateLogStream' - 'logs:PutLogEvents' Resource: - - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/*AddAthenaPartitions*' + - !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/*AddAthenaPartitions*' Helper: Type: 'AWS::Lambda::Function' @@ -1436,7 +1436,7 @@ Resources: Integration: Type: AWS_PROXY IntegrationHttpMethod: POST - Uri: !Sub "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${BadBotParser.Arn}/invocations" + Uri: !Sub "arn:${AWS::Partition}:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${BadBotParser.Arn}/invocations" Metadata: cfn_nag: rules_to_suppress: 
@@ -1458,7 +1458,7 @@ Resources: Integration: Type: AWS_PROXY IntegrationHttpMethod: POST - Uri: !Sub "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${BadBotParser.Arn}/invocations" + Uri: !Sub "arn:${AWS::Partition}:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${BadBotParser.Arn}/invocations" Metadata: cfn_nag: rules_to_suppress: @@ -1536,7 +1536,7 @@ Resources: - logs:FilterLogEvents Effect: Allow Resource: - - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:*' + - !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:*' ApiGatewayBadBotAccount: Type: AWS::ApiGateway::Account