From 57131567c1a666d27d0fd4f72a7b1c5d4587a388 Mon Sep 17 00:00:00 2001
From: Daniel Sotirhos
Date: Mon, 22 May 2023 13:05:52 -0700
Subject: [PATCH] [u] Fix: S3 server access logs are inherently incomplete (#5043)

---
 UPGRADING.rst | 10 ++++++++++
 terraform/shared/shared.tf.json.template.py | 10 +++++++++-
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/UPGRADING.rst b/UPGRADING.rst
index e0ec5587e1..0c68dc8c35 100644
--- a/UPGRADING.rst
+++ b/UPGRADING.rst
@@ -42,6 +42,16 @@ a deployment just before pushing the merge commit to the GitLab instance in that
 deployment.
 
 
+#5043 S3 server access logs are inherently incomplete
+=====================================================
+
+Operator
+~~~~~~~~
+
+Manually deploy the ``shared`` component of any main deployment just before
+pushing the merge commit to the GitLab instance in that deployment.
+
+
 #5133 Trigger an alarm on absence of logs
 =========================================
 
diff --git a/terraform/shared/shared.tf.json.template.py b/terraform/shared/shared.tf.json.template.py
index 6ff7371ac0..4536d2f0a8 100644
--- a/terraform/shared/shared.tf.json.template.py
+++ b/terraform/shared/shared.tf.json.template.py
@@ -350,7 +350,15 @@ def conformance_pack(name: str) -> str:
 'enable_log_file_validation': True,
 'is_multi_region_trail': True,
 'cloud_watch_logs_group_arn': '${aws_cloudwatch_log_group.trail.arn}:*',
- 'cloud_watch_logs_role_arn': '${aws_iam_role.trail.arn}'
+ 'cloud_watch_logs_role_arn': '${aws_iam_role.trail.arn}',
+ 'event_selector': {
+ 'read_write_type': 'All',
+ 'include_management_events': True,
+ 'data_resource': {
+ 'type': 'AWS::S3::Object',
+ 'values': ['arn:aws:s3']
+ }
+ }
 }
 },
 'aws_cloudwatch_log_group': {
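Review bot: The new `event_selector` enables S3 object-level data-event logging for every bucket in the account (`'arn:aws:s3'` is the all-buckets prefix), but nothing in the hunk records that intent, so a later reader may take the value for a malformed bucket ARN. A comment above `'event_selector'` such as `# Log S3 data events for all buckets, current and future; S3 server access logs are best-effort and not a complete record (#5043)` would capture it. Because the trail also streams to the CloudWatch log group named on the line above, the volume and cost of account-wide data events are worth a sentence in the commit too, as is whether the trail's own delivery bucket is meant to be included — a basic `event_selector` cannot exclude a bucket, which would need `advanced_event_selector`. The enclosing resource dict starts and ends outside the hunk.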