How to apply DataProtectionPolicy to the log group created by a lambda function?

[ericxinzhang]

I need to apply DataProtectionPolicy to the log group automatically created by a lambda function.

I can't find a way to do that because:

• Lambda Function construct always creates its log group automatically, does not accept a passed-in log group.
• LogGroup construct accepts data protection policy as a construct property and does not provide a method to apply a data protection policy into an existing log group instance.

Thanks all for your help.

[peterwoodworth]

@github-actions proposed-answer CDK has a couple ways to interact with this automatically created log group: a few of the props in the Lambda Function construct can be used to configure the retention policy of this automatically created log group, and you can also reference the log group by referring to the logGroup prop of a Lambda Function.

Under the hood, the CDK manages this log group with the help of the LogRetention construct. However, this construct doesn't offer the ability to set DataProtectionPolicy. What it does give us is an easy way to reference the Log Group.

I think the easiest way to achieve what you need will be to take the Function.logGroup.logGroupArn and supply it into an AwsCustomResource which makes the CloudwatchLogs.PutDataProtectionPolicy API call. The following deployed successfully for me with the data policy attached:

    const s3Destination = new s3.Bucket(this, 'audit-bucket-id');
    const dataProtectionPolicy = {
      Name: "data-protection-policy",
      Description: "test description",
      Version: "2021-06-01",
      Statement: [
        {
          Sid: "audit-policy test",
          DataIdentifier: [
            "arn:aws:dataprotection::aws:data-identifier/EmailAddress",
            "arn:aws:dataprotection::aws:data-identifier/DriversLicense-US"
          ],
          Operation: {
            Audit: {
              FindingsDestination: {
                S3: {
                  Bucket: s3Destination.bucketName
                }
              }
            }
          }
        },
        {
          Sid: "redact-policy",
          DataIdentifier: [
            "arn:aws:dataprotection::aws:data-identifier/EmailAddress",
            "arn:aws:dataprotection::aws:data-identifier/DriversLicense-US"
          ],
          Operation: {
            "Deidentify": {
              "MaskConfig": {}
            }
          }
        }
      ]
    }
    const fn = new lambda.Function(this, 'fn', {
      code: lambda.Code.fromInline('exports.handler = async () => "hello world";'),
      handler: 'index.handler',
      runtime: lambda.Runtime.NODEJS_16_X,
    });

    const crPolicy = new iam.PolicyStatement({
      effect: iam.Effect.ALLOW,
      actions: ['*'],
      resources: ['*'],
    });

    const putDataProtectionPolicyCR = new cr.AwsCustomResource(this, 'PutDataProtectionPolicy', {
      onCreate: {
        service: 'CloudWatchLogs',
        action: 'putDataProtectionPolicy',
        parameters: {
          logGroupIdentifier: fn.logGroup.logGroupName,
          policyDocument: JSON.stringify(dataProtectionPolicy)
        },
        physicalResourceId: cr.PhysicalResourceId.of('PutDataProtectionPolicyCR'),
      },
      policy: cr.AwsCustomResourcePolicy.fromStatements([crPolicy]),
    });

If you'd like for there to be an easier way to manage this log group, maybe we could extend the functionality of LogRetention, or add other constructs similar to LogRetention. In that case, please open a feature request so we can track support for that

[github-actions]

Hello! A team member has marked the above comment as the likely answer to this discussion thread.

• If you agree, please upvote that comment, or click on Mark as answer. I will automatically mark the comment as the answer next time I check.

• If this answer does not help you, please downvote the answer instead and let us know why it was not helpful. I will add a label to this discussion to gain attention from the team.

[ericxinzhang]

Thanks @peterwoodworth. I knew a custom resource would be the last resort, and your example will save me lots of time.

[sanjaysaini23]

@peterwoodworth I want to apply data protection policy of all log groups that created by lambda function using cloudformation template.

[ericxinzhang]

The improved version for your reference:

      new cr.AwsCustomResource(this, 'UpdateDataProtectionPolicy', {
        // Lambda runtime provides SDK 3.188.0 only at the moment
        // which does not have `PutDataProtectionPolicy` yet
        // With `installLatestAwsSdk` flag set the lambda takes around 1 minute to install latest SDK at deployment time
        installLatestAwsSdk: true,
        resourceType: 'Custom::UpdateDataProtectionPolicy',
        onCreate: {
          service: 'CloudWatchLogs',
          action: dataProtectionPolicy ? 'putDataProtectionPolicy': 'deleteDataProtectionPolicy',
          parameters: {
            logGroupIdentifier: lambda.logGroup.logGroupName,
            policyDocument: dataProtectionPolicy ? JSON.stringify(dataProtectionPolicy) : undefined,
          },
          physicalResourceId: cr.PhysicalResourceId.of('UpdateDataProtectionPolicyCustomResource'),
        },
        // Least privilege
        policy: cr.AwsCustomResourcePolicy.fromSdkCalls({
          resources: [lambda.logGroup.logGroupArn],
        }),
      });

[github-actions[bot]]

Hello! Reopening this discussion to make it searchable.