daniel-cottone / serverless-es-logs

A Serverless plugin to transport logs to ElasticSearch
MIT License
54 stars 32 forks

Feature request: STS AssumeRole to allow posting ES logs to another AWS Account #433

Open jrmuir opened 4 years ago

jrmuir commented 4 years ago

Currently AWS Elasticsearch in a VPC configuration will not allow a remote account to post to it over VPC peering unless the Lambda assumes a role in the remote account that has permissions for ESHttpPost.

🐞 Problem

A simple way to address this would be to provide a methodology to inject credentials other than the current execution role into the Post call. This requires invoking STS AssumeRole to get new credentials against the targeted role ARN and providing those to the Post call. This could be expanded upon to provide alternate posting methodologies to support self-hosted Elasticsearch, but that would also require either a non-AWS post function call with the necessary authorization headers/information, or a rework of the existing post function call to determine which authorization headers/information need to be sent.

🎯 Goal

Good security isolation would indicate leveraging multiple AWS accounts for serverless services. By separating out the accounts, you limit blast radius. However, in doing so you also want to have an account that can handle centralized log aggregation of some kind. Elasticsearch is a good target for that. This change would allow you to use the plugin as is, provide an environment variable for the role ARN to assume, and provide for cross-account ESHttpPost calls.

💡 Possible Solutions

#429 is a possible solution. I have tested and used it in the VPC Elasticsearch configuration with VPC peering in place and assuming a role in the Elasticsearch account, which is separate from the serverless deployment account.

daniel-cottone commented 4 years ago

I think this is a great feature! Could you raise your PR again without the unrelated formatting changes? I'll add prettier/husky config so that this isn't an issue in the future.

jrmuir commented 4 years ago

As I implemented this myself a bit more in depth, I realized that doing this properly requires additional parameter inputs. Been working through that a little. Subnets, security groups to assign, and insertion of the IAM role permissions are needed if you want it fully automated. It's going to be a while before I can come back to this, but if someone really needs it to work, the code provided will function. It just won't set the VPC subnets, security groups, or configure the IAM role permissions automatically.