Closed stmag closed 3 years ago
@stemcg1: knowing that a Lambda is triggered on s3:putobject events to share the content of the zipped log to CloudWatch, we already have a protection against deletion by "mirroring" the objects stored in this S3 bucket.
=> If we protect this Lambda, we should meet your requirement.
Thoughts?
@neisije I see your point, but I don't see this as a protection; it's moving the problem elsewhere in the stack.
Having said that though, it could work, but we would need the CloudWatch log groups to be protected from deletion/modification first (I requested this under issue 89), restricted to trusted entities (i.e. the broker).
I guess it's down to whatever is easier for you guys to support via the LZ?
Hello @stemcg1, as https://github.com/digitc1/AWSLandingZone/issues/89 is implemented, I propose to close this ticket. OK for you?
Hi guys, that's fine, thank you.
From: Jean-Christophe Neisius. Sent: Friday, June 25, 2021 3:52 PM. Subject: Re: [digitc1/AWSLandingZone] LZ SecLog - Prevent S3 Bucket (and zipped log files inside it) from being deleted (#90)
On Landing Zone Seclog accounts, it is possible to delete the cloudtrail-logs-033261678000-do-not-delete bucket and the zipped log files inside it.
Deletion of these files and buckets (either maliciously or inadvertently) could result in valuable security logs not being seen in Splunk and thus not being investigated by the SOC team.
We require that this is protected from deletion in all LZ Seclog accounts. We cannot think of a good reason why a tenant would want to do this, as doing so, I guess, invalidates the use of the Landing Zone solution.
A protected, centralised IAM admin role would presumably be needed should a tenant (or the Splunk team) require to change this (an agreement is needed on which team would own this and what break-glass/change management controls should be around it), along with some form of MFA delete as well, as an additional control.
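As an added illustration (not the project's own code), a small audit that checks the controls this ticket asks for on a seclog bucket: a bucket policy that denies the delete actions to everyone except one trusted role, plus versioning with MFA Delete. The bucket name, account id and broker role ARN below are constructed placeholders; the `versioning` argument uses the shape of a boto3 `get_bucket_versioning` response so the check can be run offline or against a real account.

```python
from typing import Any

# Constructed placeholders, not the landing zone's real names.
SECLOG_BUCKET = "cloudtrail-logs-EXAMPLE-do-not-delete"
BROKER_ROLE = "arn:aws:iam::111111111111:role/ExampleBrokerRole"  # hypothetical
DELETE_ACTIONS = {"s3:DeleteBucket", "s3:DeleteBucketPolicy",
                  "s3:DeleteObject", "s3:DeleteObjectVersion"}

# Sample bucket policy: deny every delete action to all principals
# except the broker role (exempted via aws:PrincipalArn).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyDeleteExceptBroker",
        "Effect": "Deny",
        "Principal": "*",
        "Action": sorted(DELETE_ACTIONS),
        "Resource": [f"arn:aws:s3:::{SECLOG_BUCKET}", f"arn:aws:s3:::{SECLOG_BUCKET}/*"],
        "Condition": {"ArnNotEquals": {"aws:PrincipalArn": BROKER_ROLE}},
    }],
}

def _as_list(v: Any) -> list:
    return v if isinstance(v, list) else [v]

def uncovered_delete_actions(policy: dict) -> set:
    """Delete actions not covered by any Deny statement aimed at all principals."""
    covered = set()
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Deny" or st.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        for act in _as_list(st.get("Action", [])):
            if act == "s3:*":
                covered |= DELETE_ACTIONS
            elif act.endswith("*"):  # wildcard such as s3:DeleteObject*
                covered |= {a for a in DELETE_ACTIONS if a.startswith(act[:-1])}
            else:
                covered.add(act)
    return DELETE_ACTIONS - covered

def audit_seclog_bucket(policy: dict, versioning: dict) -> list:
    """Return findings; an empty list means the bucket meets the ticket's asks."""
    findings = []
    missing = uncovered_delete_actions(policy)
    if missing:
        findings.append("no Deny for: " + ", ".join(sorted(missing)))
    if versioning.get("Status") != "Enabled":
        findings.append("versioning not enabled (deleted objects are unrecoverable)")
    if versioning.get("MFADelete") != "Enabled":
        findings.append("MFA Delete not enabled")
    return findings
```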