optionally enable s3 server access logging

ievgeniia ieromenko · ievgeniia ieromenko · commit 16602a93acbb · 2025-03-13T11:47:50.000-04:00
diff --git a/aws_sra_examples/solutions/genai/sra_guardduty_malware_protection_for_s3/README.md b/aws_sra_examples/solutions/genai/sra_guardduty_malware_protection_for_s3/README.md
@@ -18,6 +18,7 @@ A key use case for this solution is in the preparation of knowledge bases for Re
 - Creates or uses existing S3 bucket for malware protection
 - Creates a new KMS key for encrypting the S3 bucket (when creating a new bucket)
 - Creates a KMS key alias for easy management
+- Provides an option to enable S3 server access logging during bucket creation
 - Configures GuardDuty Malware Protection Plan
 - Sets up EventBridge rules for scan result notifications
 - Implements SNS notifications for alerts
diff --git a/aws_sra_examples/solutions/genai/sra_guardduty_malware_protection_for_s3/templates/sra-guardduty-malware-protection-for-s3-main.yaml b/aws_sra_examples/solutions/genai/sra_guardduty_malware_protection_for_s3/templates/sra-guardduty-malware-protection-for-s3-main.yaml
@@ -25,6 +25,7 @@ Metadata:
         Parameters:
           - pCreateNewBucket
           - pS3MalwareProtectedBucketNamePrefix
+          - pS3AccessLogsBucket
           - pKmsKeyAlias
       - Label:
           default: EventBridge Properties
@@ -35,81 +36,83 @@ Metadata:
         Parameters:
           - pSRAAlarmEmail
     ParameterLabels:
-      pExistingBucketName:
-        default: Existing S3 Bucket Name
+      pEventRuleRoleName:
+        default: Event Rule Role Name
       pExistingBucketKmsKey:
         default: Existing S3 KMS Key ARN
-      pSRAAlarmEmail:
-        default: (Optional) SRA Alarm Email
-      pSRASolutionName:
-        default: SRA Solution Name
+      pExistingBucketName:
+        default: Existing S3 Bucket Name
       pKmsKeyAlias:
         default: KMS Key Alias
+      pS3AccessLogsBucket:
+        default: S3 Access Logs Bucket Name
       pS3MalwareProtectedBucketNamePrefix:
         default: S3 Malware Protected Bucket Name Prefix
-      pEventRuleRoleName:
-        default: Event Rule Role Name
+      pSRAAlarmEmail:
+        default: (Optional) SRA Alarm Email
+      pSRASolutionName:
+        default: SRA Solution Name
       pUseExistingBucket:
         default: Use Existing S3 Bucket
 
 Parameters:
   pCreateNewBucket:
     AllowedValues: ['true', 'false']
     Default: 'true'
-    Description: Create a new S3 bucket for malware protection
+    Description: Create a new S3 bucket
     Type: String
-  pUseExistingBucket:
-    AllowedValues: ['true', 'false']
-    Default: 'false'
-    Description: Use an existing S3 bucket for malware protection
+  pEventRuleRoleName:
+    AllowedPattern: ^[\w+=,.@-]{1,64}$
+    ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -].
+    Default: sra-guardduty-malware-protection-for-s3-events
+    Description: Event rule role name
+    Type: String
+  pExistingBucketKmsKey:
+    AllowedPattern: ^$|^arn:(aws[a-zA-Z-]*){1}:kms:[a-z0-9-]+:\d{12}:key\/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$
+    ConstraintDescription: "Key ARN example:  arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
+    Default: ''
+    Description: (Optional) Existing S3 KMS key ARN for existing S3 bucket
     Type: String
   pExistingBucketName:
     AllowedPattern: ^$|^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$
-    ConstraintDescription: Bucket name can include numbers, lowercase letters,
-      uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-).
+    ConstraintDescription: Bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-).
     Default: ''
-    Description: (Optional) Existing S3 bucket name for malware protection
+    Description: (Optional) Existing S3 bucket name for malware protection.
     Type: String
-  pExistingBucketKmsKey:
-    AllowedPattern: ^$|^arn:(aws[a-zA-Z-]*){1}:kms:[a-z0-9-]+:\d{12}:key\/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$
-    ConstraintDescription: "Key ARN example:  arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
+  pKmsKeyAlias:
+    AllowedPattern: ^[a-zA-Z0-9/_-]+$
+    ConstraintDescription: The alias must be string of 1-256 characters. It can contain only alphanumeric characters, forward slashes (/), underscores (_), and dashes (-).
+    Default: sra-guardduty-malware-protection-for-s3-key
+    Description: KMS Key Alias
+    Type: String
+  pS3AccessLogsBucket:
+    AllowedPattern: ^$|^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$
+    ConstraintDescription: Bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-).
     Default: ''
-    Description: (Optional) Existing S3 KMS key ARN for malware protection
+    Description: (Optional) S3 bucket name for the S3 Server Access Logs
+    Type: String
+  pS3MalwareProtectedBucketNamePrefix:
+    AllowedPattern: ^$|^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$
+    ConstraintDescription: S3 bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-).
+    Default: sra-protected-bucket
+    Description: S3 Malware Protected Bucket Name Prefix
     Type: String
   pSRAAlarmEmail:
     AllowedPattern: ^$|^([a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+)$
     ConstraintDescription: Must be a valid email address.
     Default: ''
-    Description: (Optional) Email address for receiving SRA alarms
+    Description: Email address for receiving SRA alarms
     Type: String
   pSRASolutionName:
     AllowedValues:
       - sra-guardduty-malware-protection-for-s3
     Default: sra-guardduty-malware-protection-for-s3
     Description: The SRA solution name. The default value is the folder name of the solution
     Type: String
-  pKmsKeyAlias:
-    AllowedPattern: ^[a-zA-Z0-9/_-]+$
-    ConstraintDescription: The alias must be string of 1-256 characters. It can
-      contain only alphanumeric characters, forward slashes (/), underscores
-      (_), and dashes (-).
-    Default: sra-guardduty-malware-protection-for-s3-key
-    Description: Organization CloudTrail KMS Key Alias
-    Type: String
-  pS3MalwareProtectedBucketNamePrefix:
-    AllowedPattern: ^$|^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$
-    ConstraintDescription: S3 bucket name can include numbers, lowercase letters,
-      uppercase letters, and hyphens (-). It cannot start or end with a hyphen
-      (-).
-    Default: sra-protected-bucket
-    Description: S3 Malware Protected Bucket Name Prefix
-    Type: String
-  pEventRuleRoleName:
-    AllowedPattern: ^[\w+=,.@-]{1,64}$
-    ConstraintDescription: Max 64 alphanumeric characters. Also special characters
-      supported [+, =, ., @, -].
-    Default: sra-guardduty-malware-protection-for-s3-events
-    Description: Event rule role name for putting events on the home region event bus
+  pUseExistingBucket:
+    AllowedValues: ['true', 'false']
+    Default: 'false'
+    Description: Use an existing S3 bucket for malware protection
     Type: String
 
 Rules:
@@ -140,12 +143,13 @@ Conditions:
     - 'true'
   cExistingBucket: !Not [!Equals [!Ref pExistingBucketName, '']]
   cExistingKmsKey: !Not [!Equals [!Ref pExistingBucketKmsKey, '']]
+  cEnableAccessLogging: !Not [!Equals [!Ref pS3AccessLogsBucket, '']]
 
 Resources:
   rKMSKeyForBucket:
     Type: AWS::KMS::Key
     Condition: cCreateNewBucket
-    DeletionPolicy: Delete # todo: retain
+    DeletionPolicy: Delete
     UpdateReplacePolicy: Retain
     Properties:
       EnableKeyRotation: true
@@ -169,7 +173,7 @@ Resources:
       AliasName: !Sub alias/${pKmsKeyAlias}-${AWS::AccountId}-${AWS::Region}
       TargetKeyId: !Ref rKMSKeyForBucket
 
-  rS3MalwareProtectedBucket:
+  rGuardDutyMalwareProtectedBucket:
     Type: AWS::S3::Bucket
     Condition: cCreateNewBucket
     DeletionPolicy: Retain
@@ -185,10 +189,12 @@ Resources:
             comment: S3 access logging is not enabled.
     Properties:
       BucketName: !Sub ${pS3MalwareProtectedBucketNamePrefix}-${AWS::AccountId}-${AWS::Region}
-      # LoggingConfiguration: !If 
-      #   # - cEnableAccessLogging
-      #   - DestinationBucketName: !Ref pAccessLogsBucket
-      #   - LogFilePrefix: !Sub ${pSRASolutionName}-logs/
+      LoggingConfiguration:
+        !If 
+          - cEnableAccessLogging
+          - DestinationBucketName: !Ref pS3AccessLogsBucket
+            LogFilePrefix: !Sub ${pSRASolutionName}-logs/
+          - !Ref AWS::NoValue
       VersioningConfiguration:
         Status: Enabled
       BucketEncryption:
@@ -236,15 +242,15 @@ Resources:
             Statement:
               - Effect: Allow
                 Action: sns:Publish
-                Resource: !GetAtt rS3MalwareProtectionPlanAlarmTopic.TopicArn
+                Resource: !GetAtt rGuardDutyMalwareProtectionForS3AlarmTopic.TopicArn
               - Effect: Allow
                 Action: sqs:SendMessage
-                Resource: !GetAtt rGuardDutyS3ProtectionRuleDLQ.Arn
+                Resource: !GetAtt rGuardDutyMalwareProtectionForS3RuleDLQ.Arn
       Tags:
         - Key: sra-solution
           Value: !Ref pSRASolutionName
 
-  rGuardDutyS3ProtectionRuleDLQ:
+  rGuardDutyMalwareProtectionForS3RuleDLQ:
     Type: AWS::SQS::Queue
     Properties:
       KmsMasterKeyId: alias/aws/sqs
@@ -256,25 +262,25 @@ Resources:
     DeletionPolicy: Delete
     UpdateReplacePolicy: Delete
 
-  rGuardDutyS3ProtectionRuleDLQPolicy:
+  rGuardDutyMalwareProtectionForS3RuleDLQPolicy:
     Type: AWS::SQS::QueuePolicy
     Properties:
       Queues:
-        - !Ref rGuardDutyS3ProtectionRuleDLQ
+        - !Ref rGuardDutyMalwareProtectionForS3RuleDLQ
       PolicyDocument:
         Statement:
           - Action: SQS:SendMessage
             Condition:
               ArnEquals:
                 aws:SourceArn:
-                  - !GetAtt rGuardDutyS3MalwareProtectionEventRule.Arn
+                  - !GetAtt rGuardDutyMalwareProtectionForS3EventRule.Arn
             Effect: Allow
             Principal:
               Service: events.amazonaws.com
             Resource:
-              - !GetAtt rGuardDutyS3MalwareProtectionEventRule.Arn
+              - !GetAtt rGuardDutyMalwareProtectionForS3EventRule.Arn
 
-  rGuardDutyS3MalwareProtectionEventRule:
+  rGuardDutyMalwareProtectionForS3EventRule:
     Type: AWS::Events::Rule
     Properties:
       Description: GuardDuty Copy S3 Object Rule for source bucket
@@ -303,16 +309,16 @@ Resources:
               - ACCESS_DENIED
       State: ENABLED
       Targets:
-        - Arn: !GetAtt rS3MalwareProtectionPlanAlarmTopic.TopicArn
-          Id: !GetAtt rS3MalwareProtectionPlanAlarmTopic.DisplayName
+        - Arn: !GetAtt rGuardDutyMalwareProtectionForS3AlarmTopic.TopicArn
+          Id: !GetAtt rGuardDutyMalwareProtectionForS3AlarmTopic.DisplayName
           DeadLetterConfig:
-            Arn: !GetAtt rGuardDutyS3ProtectionRuleDLQ.Arn
+            Arn: !GetAtt rGuardDutyMalwareProtectionForS3RuleDLQ.Arn
           RetryPolicy:
             MaximumEventAgeInSeconds: 86400 # 24 hours
             MaximumRetryAttempts: 185
           RoleArn: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${pEventRuleRoleName}-${AWS::Region}
 
-  rIAMS3MalwareBucketPolicy:
+  rGuardDutyMalwareProtectionForS3IamPolicy:
     Type: AWS::IAM::ManagedPolicy
     DeletionPolicy: Delete
     Properties:
@@ -410,9 +416,10 @@ Resources:
                   kms:ViaService: s3.*.amazonaws.com
             - !Ref AWS::NoValue
 
-  rIAMS3MalwareBucketRole:
+  rGuardDutyMalwareProtectionForS3IamRole:
     Type: AWS::IAM::Role
     Properties:
+      RoleName: !Sub ${pSRASolutionName}-${AWS::Region}
       AssumeRolePolicyDocument:
         Statement:
           - Action: sts:AssumeRole
@@ -421,12 +428,12 @@ Resources:
               Service: malware-protection-plan.guardduty.amazonaws.com
         Version: '2012-10-17'
       ManagedPolicyArns:
-        - !Sub ${rIAMS3MalwareBucketPolicy.PolicyArn}
+        - !Sub ${rGuardDutyMalwareProtectionForS3IamPolicy.PolicyArn}
       Tags:
         - Key: sra-solution
           Value: !Ref pSRASolutionName
 
-  rGuardDutyS3MalwareProtectionPlan:
+  rGuardDutyMalwareProtectionForS3:
     Type: AWS::GuardDuty::MalwareProtectionPlan
     Properties:
       Actions:
@@ -438,12 +445,12 @@ Resources:
             - cExistingBucket
             - !Ref pExistingBucketName
             - !Sub ${pS3MalwareProtectedBucketNamePrefix}-${AWS::AccountId}-${AWS::Region}
-      Role: !GetAtt rIAMS3MalwareBucketRole.Arn
+      Role: !GetAtt rGuardDutyMalwareProtectionForS3IamRole.Arn
       Tags:
         - Key: sra-solution
           Value: !Ref pSRASolutionName
 
-  rS3MalwareProtectionPlanAlarmTopic:
+  rGuardDutyMalwareProtectionForS3AlarmTopic:
     Type: AWS::SNS::Topic
     Properties:
       DisplayName: !Sub ${pSRASolutionName}-alarm
@@ -459,17 +466,17 @@ Resources:
 Outputs:
   GuardDutyS3MalwareProtectionPlanArn:
     Description: Amazon Resource Name (ARN) associated with this Malware Protection plan
-    Value: !GetAtt rGuardDutyS3MalwareProtectionPlan.Arn
+    Value: !GetAtt rGuardDutyMalwareProtectionForS3.Arn
 
   GuardDutyS3MalwareProtectionPlanId:
     Description: A unique identifier associated with Malware Protection plan
-    Value: !GetAtt rGuardDutyS3MalwareProtectionPlan.MalwareProtectionPlanId
+    Value: !GetAtt rGuardDutyMalwareProtectionForS3.MalwareProtectionPlanId
 
   S3MalwareProtectionRole:
     Description: IAM role created for S3 Malware Protection
-    Value: !Ref rIAMS3MalwareBucketRole
+    Value: !Ref rGuardDutyMalwareProtectionForS3IamRole
 
   SourceBucketArn:
     Condition: cCreateNewBucket
     Description: The bucket arn which has been created and enabled for S3 Malware protection
-    Value: !GetAtt rS3MalwareProtectedBucket.Arn
+    Value: !GetAtt rGuardDutyMalwareProtectedBucket.Arn
