
🔒 Update Grafana API key rotator's CloudWatch log publishing #57

Open · jacobwoffenden opened this issue Apr 9, 2024 · 0 comments
Labels: story (Observability Platform Story)


User Story

As an Observability Platform product engineer
I want my AWS Lambda functions to follow prescribed best practice from static analysis providers
So that we have a healthy and secure codebase

Value / Purpose

Grafana API key rotator's IAM role (via Terraform module) has wildcard permissions to logs:CreateLogGroup

Useful Contacts

@jacobwoffenden

User Types

Observability Platform Product Engineering

Hypothesis

If we create a KMS CMK encrypted CloudWatch Log group, and provide scoped access to the Lambda's role
Then we can resolve static analysis alerts

Proposal

  1. Create KMS CMK
  2. Create CloudWatch log group
  3. Set logging_log_group to output of 2
  4. Update Lambda IAM policy to access KMS and publish to CloudWatch Logs
  5. Set attach_cloudwatch_logs_policy to false
  6. Set attach_create_log_group_permission to false
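
A Terraform sketch of the six proposal steps above, added here as an example rather than code from this repository; the function name, handler, runtime and source path are assumed placeholders, and use_existing_cloudwatch_log_group is set so the module does not also create a group with the same name.

```hcl
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

locals {
  function_name = "grafana-api-key-rotator" # assumed placeholder name
  log_group_arn = "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/${local.function_name}"
}

# 1. CMK; the key policy lets the CloudWatch Logs service encrypt only this log group
resource "aws_kms_key" "logs" {
  enable_key_rotation = true
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      { Sid = "Admin", Effect = "Allow", Action = "kms:*", Resource = "*",
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" } },
      { Sid = "Logs", Effect = "Allow", Resource = "*",
        Principal = { Service = "logs.${data.aws_region.current.name}.amazonaws.com" },
        Action    = ["kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Describe*"],
        Condition = { ArnEquals = { "kms:EncryptionContext:aws:logs:arn" = local.log_group_arn } } }
    ]
  })
}

# 2. Log group created up front and encrypted with the CMK
resource "aws_cloudwatch_log_group" "lambda" {
  name              = "/aws/lambda/${local.function_name}"
  retention_in_days = 30
  kms_key_id        = aws_kms_key.logs.arn
}

module "grafana_api_key_rotator" {
  source  = "terraform-aws-modules/lambda/aws"
  version = "~> 7.0"
  function_name = local.function_name
  handler       = "main.handler" # assumed
  runtime       = "python3.12"   # assumed
  source_path   = "./src"        # assumed
  # 3, 5, 6: point at the existing group and drop the module's wildcard logs policies
  use_existing_cloudwatch_log_group  = true
  logging_log_group                  = aws_cloudwatch_log_group.lambda.name
  attach_cloudwatch_logs_policy      = false
  attach_create_log_group_permission = false
  # 4: scoped replacement: write only to this group's streams, use only this key
  attach_policy_statements = true
  policy_statements = {
    logs = { effect = "Allow", actions = ["logs:CreateLogStream", "logs:PutLogEvents"], resources = ["${aws_cloudwatch_log_group.lambda.arn}:*"] }
    kms  = { effect = "Allow", actions = ["kms:GenerateDataKey", "kms:Decrypt"], resources = [aws_kms_key.logs.arn] }
  }
}
```

With `attach_cloudwatch_logs_policy` and `attach_create_log_group_permission` both false, the only logs permissions the role keeps are the resource-scoped statements above, so `logs:CreateLogGroup` on `*` disappears from the generated policy.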

Additional Information

https://registry.terraform.io/modules/terraform-aws-modules/lambda/aws/latest?tab=inputs

Definition of Done

  • KMS CMK created
  • CloudWatch log group created
  • Lambda permissions updated
  • Lambda configuration updated
  • Another team member has reviewed
  • Tests are green