How to apply DataProtectionPolicy to the log group created by a lambda function? #26394
-
I need to apply DataProtectionPolicy to the log group automatically created by a lambda function. I can't find a way to do that because:
Thanks all for your help.
-
@github-actions proposed-answer

CDK has a couple of ways to interact with this automatically created log group: a few of the props in the Lambda Function construct can be used to configure the retention policy of this automatically created log group, and you can also reference the log group by referring to the `logGroup` prop of a Lambda Function. Under the hood, the CDK manages this log group with the help of the LogRetention construct. However, this construct doesn't offer the ability to set DataProtectionPolicy. What it does give us is an easy way to reference the Log Group.

I think the easiest way to achieve what you need will be to take the `Function.logGroup.logGroupArn` and supply it into…

```typescript
import * as cr from 'aws-cdk-lib/custom-resources';
import * as iam from 'aws-cdk-lib/aws-iam';
import * as lambda from 'aws-cdk-lib/aws-lambda';
import * as s3 from 'aws-cdk-lib/aws-s3';

// Everything below runs inside a Stack constructor, so `this` is the scope.

// Bucket that receives the audit findings referenced by the policy's Audit statement.
const s3Destination = new s3.Bucket(this, 'audit-bucket-id');

// The policy is a plain object: it is handed to the API as a JSON string, not as a construct.
const dataProtectionPolicy = {
  Name: "data-protection-policy",
  Description: "test description",
  Version: "2021-06-01",
  Statement: [
    {
      Sid: "audit-policy test",
      DataIdentifier: [
        "arn:aws:dataprotection::aws:data-identifier/EmailAddress",
        "arn:aws:dataprotection::aws:data-identifier/DriversLicense-US"
      ],
      Operation: {
        Audit: {
          FindingsDestination: {
            S3: {
              Bucket: s3Destination.bucketName
            }
          }
        }
      }
    },
    {
      Sid: "redact-policy",
      DataIdentifier: [
        "arn:aws:dataprotection::aws:data-identifier/EmailAddress",
        "arn:aws:dataprotection::aws:data-identifier/DriversLicense-US"
      ],
      Operation: {
        "Deidentify": {
          "MaskConfig": {}
        }
      }
    }
  ]
};

const fn = new lambda.Function(this, 'fn', {
  code: lambda.Code.fromInline('exports.handler = async () => "hello world";'),
  handler: 'index.handler',
  runtime: lambda.Runtime.NODEJS_16_X,
});

// This grants the custom resource's execution role every action on every resource;
// the reply below narrows it to the single log group with fromSdkCalls.
const crPolicy = new iam.PolicyStatement({
  effect: iam.Effect.ALLOW,
  actions: ['*'],
  resources: ['*'],
});

const putDataProtectionPolicyCR = new cr.AwsCustomResource(this, 'PutDataProtectionPolicy', {
  onCreate: {
    service: 'CloudWatchLogs',
    action: 'putDataProtectionPolicy',
    parameters: {
      // logGroupIdentifier accepts either the log group name or its ARN
      logGroupIdentifier: fn.logGroup.logGroupName,
      policyDocument: JSON.stringify(dataProtectionPolicy)
    },
    physicalResourceId: cr.PhysicalResourceId.of('PutDataProtectionPolicyCR'),
  },
  policy: cr.AwsCustomResourcePolicy.fromStatements([crPolicy]),
});
```

If you'd like for there to be an easier way to manage this log group, maybe we could extend the functionality of
-
The improved version for your reference:

```typescript
import { Construct } from 'constructs';
import * as cr from 'aws-cdk-lib/custom-resources';
import * as lambda from 'aws-cdk-lib/aws-lambda';

// `fn` is the Function whose auto-created log group receives the policy (the original
// snippet called this variable `lambda`; it is renamed here so it does not shadow the
// aws-lambda module). Passing `undefined` for `dataProtectionPolicy` removes an
// existing policy instead of setting one.
function updateDataProtectionPolicy(scope: Construct, fn: lambda.Function, dataProtectionPolicy?: object) {
  return new cr.AwsCustomResource(scope, 'UpdateDataProtectionPolicy', {
    // Lambda runtime provides SDK 3.188.0 only at the moment
    // which does not have `PutDataProtectionPolicy` yet
    // With `installLatestAwsSdk` flag set the lambda takes around 1 minute to install latest SDK at deployment time
    installLatestAwsSdk: true,
    resourceType: 'Custom::UpdateDataProtectionPolicy',
    onCreate: {
      service: 'CloudWatchLogs',
      action: dataProtectionPolicy ? 'putDataProtectionPolicy' : 'deleteDataProtectionPolicy',
      parameters: {
        logGroupIdentifier: fn.logGroup.logGroupName,
        policyDocument: dataProtectionPolicy ? JSON.stringify(dataProtectionPolicy) : undefined,
      },
      physicalResourceId: cr.PhysicalResourceId.of('UpdateDataProtectionPolicyCustomResource'),
    },
    // Least privilege: only the logs actions implied by the SDK calls above, scoped to this log group
    policy: cr.AwsCustomResourcePolicy.fromSdkCalls({
      resources: [fn.logGroup.logGroupArn],
    }),
  });
}
```
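Both replies above pass the policy to the custom resource as a JSON.stringify'd object and leave it to the PutDataProtectionPolicy call to reject a malformed document at deploy time, after the stack has already started rolling out. The following is an added example, not code from the discussion or from the CDK project: it builds the two required statements from a single identifier list so the audit and redact halves cannot drift apart, and validates the document's structure before it is serialized, so a mistake fails at synth time instead. The rules it enforces (Version "2021-06-01", an Audit statement followed by a Deidentify statement, both listing the same DataIdentifier set) are assumed from the PutDataProtectionPolicy API reference; confirm them against the current documentation. The type names and the functions buildDataProtectionPolicy, validateDataProtectionPolicy and serializePolicy are introduced here and are not part of any AWS library.

```typescript
// Added example: build and sanity-check a CloudWatch Logs data protection policy
// document before handing its JSON string to a custom resource. Not code from the
// discussion or from the CDK project. The structural rules checked below are
// ASSUMED from the PutDataProtectionPolicy API reference; verify against current docs.

export type FindingsDestination = {
  S3?: { Bucket: string };
  CloudWatchLogs?: { LogGroup: string };
  Firehose?: { DeliveryStream: string };
};

export type AuditOperation = { Audit: { FindingsDestination: FindingsDestination } };
export type DeidentifyOperation = { Deidentify: { MaskConfig: Record<string, never> } };

export interface DataProtectionStatement {
  Sid?: string;
  DataIdentifier: string[];
  Operation: AuditOperation | DeidentifyOperation;
}

export interface DataProtectionPolicy {
  Name: string;
  Description?: string;
  Version: "2021-06-01";
  Statement: DataProtectionStatement[];
}

const IDENTIFIER_ARN_PREFIX = "arn:aws:dataprotection::aws:data-identifier/";

/** Accepts a managed identifier name ("EmailAddress") or a full ARN; returns the ARN form. */
export function dataIdentifierArn(name: string): string {
  return name.startsWith("arn:aws:dataprotection::") ? name : IDENTIFIER_ARN_PREFIX + name;
}

/**
 * Build both statements from ONE identifier list so the audit and redact halves
 * cannot drift apart. Duplicates are dropped and the list is sorted for stable diffs.
 */
export function buildDataProtectionPolicy(
  name: string,
  identifiers: string[],
  destination: FindingsDestination = {},
  description?: string,
): DataProtectionPolicy {
  const ids = Array.from(new Set(identifiers.map(dataIdentifierArn))).sort();
  const policy: DataProtectionPolicy = {
    Name: name,
    Version: "2021-06-01",
    Statement: [
      { Sid: "audit-policy", DataIdentifier: ids, Operation: { Audit: { FindingsDestination: destination } } },
      { Sid: "redact-policy", DataIdentifier: [...ids], Operation: { Deidentify: { MaskConfig: {} } } },
    ],
  };
  if (description !== undefined) policy.Description = description;
  return policy;
}

function hasOperation(s: unknown, key: "Audit" | "Deidentify"): boolean {
  const op = (s as DataProtectionStatement | undefined)?.Operation;
  return typeof op === "object" && op !== null && key in op;
}

/** Returns the list of violations; an empty list means the document passes every check. */
export function validateDataProtectionPolicy(doc: unknown): string[] {
  const errors: string[] = [];
  const p = (doc ?? {}) as Partial<DataProtectionPolicy>;
  if (typeof p.Name !== "string" || p.Name.length === 0) errors.push("Name is required");
  if (p.Version !== "2021-06-01") errors.push(`Version must be "2021-06-01", got ${JSON.stringify(p.Version)}`);
  const stmts: unknown[] = Array.isArray(p.Statement) ? p.Statement : [];
  const audit = stmts.filter((s): s is DataProtectionStatement => hasOperation(s, "Audit"));
  const deid = stmts.filter((s): s is DataProtectionStatement => hasOperation(s, "Deidentify"));
  if (audit.length !== 1) errors.push(`expected exactly one Audit statement, found ${audit.length}`);
  if (deid.length !== 1) errors.push(`expected exactly one Deidentify statement, found ${deid.length}`);
  for (const s of stmts) {
    const ids = (s as Partial<DataProtectionStatement> | undefined)?.DataIdentifier;
    if (!Array.isArray(ids) || ids.length === 0) { errors.push("every statement needs a non-empty DataIdentifier array"); continue; }
    for (const id of ids) if (typeof id !== "string" || !id.startsWith("arn:aws:dataprotection::")) errors.push(`not a data identifier ARN: ${String(id)}`);
  }
  if (audit.length === 1 && deid.length === 1) {
    if (stmts[0] !== audit[0]) errors.push("the Audit statement must come first");
    const a = [...audit[0].DataIdentifier].sort().join(",");
    const d = [...deid[0].DataIdentifier].sort().join(",");
    if (a !== d) errors.push("Audit and Deidentify statements must list the same DataIdentifier set");
  }
  return errors;
}

/** The string to pass as `policyDocument`; throws here rather than letting the API reject it mid-deploy. */
export function serializePolicy(policy: DataProtectionPolicy): string {
  const errors = validateDataProtectionPolicy(policy);
  if (errors.length > 0) throw new Error(`invalid data protection policy: ${errors.join("; ")}`);
  return JSON.stringify(policy);
}
```

In either custom resource above, `serializePolicy(buildDataProtectionPolicy('data-protection-policy', ['EmailAddress', 'DriversLicense-US'], { S3: { Bucket: s3Destination.bucketName } }))` would replace the hand-written `JSON.stringify(dataProtectionPolicy)`; because the bucket name is a CDK token it still resolves at deploy time, while the structural checks run at synth.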
-
Hello! Reopening this discussion to make it searchable.