Merge pull request #170 from SumoLogic/sec-review

Security review | CVE fix

Author: himsharma01

awsautoenableS3Logging/packaged.yaml

@@ -24,10 +24,10 @@ Metadata:
     - s3logging
     - flowlogs
     Name: sumologic-s3-logging-auto-enable
-    SemanticVersion: 1.0.4
+    SemanticVersion: 1.0.5
     SourceCodeUrl: https://github.com/SumoLogic/sumologic-aws-lambda/tree/master/awsautoenableS3Logging
-    LicenseUrl: s3://appdevstore/AutoEnableS3Logs/v1.0.3/978602b5b9ec16f8bab0e38fd6b3998f
-    ReadmeUrl: s3://appdevstore/AutoEnableS3Logs/v1.0.3/d05d411471e0bb4db3389f2523f515f0
+    LicenseUrl: s3://appdevstore/AutoEnableS3Logs/v1.0.5/978602b5b9ec16f8bab0e38fd6b3998f
+    ReadmeUrl: s3://appdevstore/AutoEnableS3Logs/v1.0.5/d05d411471e0bb4db3389f2523f515f0
     SpdxLicenseId: Apache-2.0
 Mappings:
   Region2ELBAccountId:
@@ -193,8 +193,6 @@ Resources:
             Action:
             - elasticloadbalancing:DescribeLoadBalancerAttributes
             - elasticloadbalancing:DescribeLoadBalancers
-            - elasticloadbalancing:AddTags
-            - elasticloadbalancing:RemoveTags
             - elasticloadbalancing:ModifyLoadBalancerAttributes
             - logs:CreateLogGroup
             - logs:CreateLogStream
@@ -217,11 +215,13 @@ Resources:
             - s3:GetBucketLogging
             - s3:PutBucketLogging
             Resource: '*'
+    Metadata:
+      SamResourceId: SumoLambdaRole
   EnableNewAWSResourcesLambda:
     Type: AWS::Serverless::Function
     Condition: auto_enable_new
     Properties:
-      CodeUri: s3://appdevstore/sumo_app_utils/v2.0.8/sumo_app_utils.zip
+      CodeUri: s3://appdevstore/sumo_app_utils/v2.0.10/sumo_app_utils.zip
       Handler: awsresource.enable_s3_logs
       Runtime: python3.7
       Role:
@@ -246,6 +246,8 @@ Resources:
             - Region2ELBAccountId
             - Ref: AWS::Region
             - AccountId
+    Metadata:
+      SamResourceId: EnableNewAWSResourcesLambda
   AutoEnableS3LogEventsInvokePermission:
     Type: AWS::Lambda::Permission
     Condition: enable_s3_buckets_logging
@@ -258,6 +260,8 @@ Resources:
         Fn::GetAtt:
         - AutoEnableS3LogEventsRuleTrigger
         - Arn
+    Metadata:
+      SamResourceId: AutoEnableS3LogEventsInvokePermission
   AutoEnableS3LogEventsRuleTrigger:
     Type: AWS::Events::Rule
     Condition: enable_s3_buckets_logging
@@ -293,6 +297,8 @@ Resources:
           - EnableNewAWSResourcesLambda
           - Arn
         Id: Main
+    Metadata:
+      SamResourceId: AutoEnableS3LogEventsRuleTrigger
   AutoEnableVPCEventsInvokePermission:
     Type: AWS::Lambda::Permission
     Condition: enable_vpc_flow_logs_logging
@@ -305,6 +311,8 @@ Resources:
         Fn::GetAtt:
         - AutoEnableVPCEventsRuleTrigger
         - Arn
+    Metadata:
+      SamResourceId: AutoEnableVPCEventsInvokePermission
   AutoEnableVPCEventsRuleTrigger:
     Type: AWS::Events::Rule
     Condition: enable_vpc_flow_logs_logging
@@ -340,6 +348,8 @@ Resources:
           - EnableNewAWSResourcesLambda
           - Arn
         Id: Main
+    Metadata:
+      SamResourceId: AutoEnableVPCEventsRuleTrigger
   AutoEnableAlbLogEventsInvokePermission:
     Type: AWS::Lambda::Permission
     Condition: enable_alb_logging
@@ -352,6 +362,8 @@ Resources:
         Fn::GetAtt:
         - AutoEnableAlbLogEventsRuleTrigger
         - Arn
+    Metadata:
+      SamResourceId: AutoEnableAlbLogEventsInvokePermission
   AutoEnableAlbLogEventsRuleTrigger:
     Type: AWS::Events::Rule
     Condition: enable_alb_logging
@@ -387,6 +399,8 @@ Resources:
           - EnableNewAWSResourcesLambda
           - Arn
         Id: Main
+    Metadata:
+      SamResourceId: AutoEnableAlbLogEventsRuleTrigger
   AutoEnableElbLogEventsInvokePermission:
     Type: AWS::Lambda::Permission
     Condition: enable_elb_logging
@@ -399,6 +413,8 @@ Resources:
         Fn::GetAtt:
         - AutoEnableElbLogEventsRuleTrigger
         - Arn
+    Metadata:
+      SamResourceId: AutoEnableElbLogEventsInvokePermission
   AutoEnableElbLogEventsRuleTrigger:
     Type: AWS::Events::Rule
     Condition: enable_elb_logging
@@ -435,19 +451,23 @@ Resources:
           - EnableNewAWSResourcesLambda
           - Arn
         Id: Main
+    Metadata:
+      SamResourceId: AutoEnableElbLogEventsRuleTrigger
   EnableExisitngAWSResourcesLambda:
     Type: AWS::Serverless::Function
     Condition: auto_enable_existing
     Properties:
       Handler: main.handler
       Runtime: python3.7
-      CodeUri: s3://appdevstore/sumo_app_utils/v2.0.8/sumo_app_utils.zip
+      CodeUri: s3://appdevstore/sumo_app_utils/v2.0.10/sumo_app_utils.zip
       MemorySize: 128
       Timeout: 900
       Role:
         Fn::GetAtt:
         - SumoLambdaRole
         - Arn
+    Metadata:
+      SamResourceId: EnableExisitngAWSResourcesLambda
   ExistingAWSResources:
     Type: Custom::EnableS3LogsResources
     Condition: auto_enable_existing
@@ -482,6 +502,8 @@ Resources:
         - AccountId
       RemoveOnDeleteStack:
         Ref: RemoveOnDeleteStack
+    Metadata:
+      SamResourceId: ExistingAWSResources
 Outputs:
   EnableNewAWSResourcesLambda:
     Description: Lambda Function ARN for New AWS Resources

awsautoenableS3Logging/sumologic-s3-logging-auto-enable.yaml

@@ -24,7 +24,7 @@ Metadata:
       - s3logging
       - flowlogs
     Name: sumologic-s3-logging-auto-enable
-    SemanticVersion: 1.0.4
+    SemanticVersion: 1.0.5
     SourceCodeUrl: https://github.com/SumoLogic/sumologic-aws-lambda/tree/master/awsautoenableS3Logging
     LicenseUrl: ./LICENSE
     ReadmeUrl: ./README.md
@@ -177,8 +177,6 @@ Resources:
                 Action:
                   - elasticloadbalancing:DescribeLoadBalancerAttributes
                   - elasticloadbalancing:DescribeLoadBalancers
-                  - elasticloadbalancing:AddTags
-                  - elasticloadbalancing:RemoveTags
                   - elasticloadbalancing:ModifyLoadBalancerAttributes
                   - logs:CreateLogGroup
                   - logs:CreateLogStream
@@ -206,7 +204,7 @@ Resources:
     Type: 'AWS::Serverless::Function'
     Condition: auto_enable_new
     Properties:
-      CodeUri: s3://appdevstore/sumo_app_utils/v2.0.8/sumo_app_utils.zip
+      CodeUri: s3://appdevstore/sumo_app_utils/v2.0.10/sumo_app_utils.zip
       Handler: "awsresource.enable_s3_logs"
       Runtime: python3.7
       Role: !GetAtt SumoLambdaRole.Arn
@@ -383,7 +381,7 @@ Resources:
     Properties:
       Handler: main.handler
       Runtime: python3.7
-      CodeUri: s3://appdevstore/sumo_app_utils/v2.0.8/sumo_app_utils.zip
+      CodeUri: s3://appdevstore/sumo_app_utils/v2.0.10/sumo_app_utils.zip
       MemorySize: 128
       Timeout: 900
       Role:

loggroup-lambda-connector/sam/packaged.yaml

@@ -21,10 +21,10 @@ Metadata:
     - serverless
     - loggroups
     - cloudwatch
-    LicenseUrl: s3://appdevstore/LoggroupConnector/v1.0.6/6092dd6c323e33634657102f570628e0
+    LicenseUrl: s3://appdevstore/LoggroupConnector/v1.0.7/6092dd6c323e33634657102f570628e0
     Name: sumologic-loggroup-connector
-    ReadmeUrl: s3://appdevstore/LoggroupConnector/v1.0.6/5a9a6e956be7449cbd5f8653e4475071
-    SemanticVersion: 1.0.6
+    ReadmeUrl: s3://appdevstore/LoggroupConnector/v1.0.7/5a9a6e956be7449cbd5f8653e4475071
+    SemanticVersion: 1.0.7
     SourceCodeUrl: https://github.com/SumoLogic/sumologic-aws-lambda/loggroup-lambda-connector
     SpdxLicenseId: Apache-2.0
 Parameters:
@@ -107,7 +107,7 @@ Resources:
   SumoLogGroupLambdaConnector:
     Type: AWS::Serverless::Function
     Properties:
-      CodeUri: s3://appdevstore/LoggroupConnector/v1.0.6/d8e8545bf4f818fdb41a52d27024bbcd
+      CodeUri: s3://appdevstore/LoggroupConnector/v1.0.7/d8e8545bf4f818fdb41a52d27024bbcd
       Handler: loggroup-lambda-connector.handler
       Runtime: nodejs16.x
       Environment:
@@ -137,7 +137,7 @@ Resources:
           Action:
           - lambda:InvokeFunction
           Resource:
-          - Fn::Sub: arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:*
+          - Fn::Sub: arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:*SumoLogGroupLambdaConnector*
       Events:
         LambdaTrigger:
           Type: CloudWatchEvent

loggroup-lambda-connector/sam/sam_package.sh

@@ -9,9 +9,9 @@ else
     AWS_REGION="us-east-2"
 fi
 
-version="1.0.6"
+version="1.0.7"
 
-sam package --template-file template.yaml --s3-bucket $SAM_S3_BUCKET  --output-template-file packaged.yaml --s3-prefix "LoggroupConnector/v$version"
+sam package --template-file template.yaml --s3-bucket $SAM_S3_BUCKET  --output-template-file packaged.yaml --s3-prefix "LoggroupConnector/v$version" --region $AWS_REGION
 
 # sam deploy --template-file packaged.yaml --stack-name testingloggrpconnector --capabilities CAPABILITY_IAM --region $AWS_REGION  --parameter-overrides LambdaARN="arn:aws:lambda:us-east-1:956882708938:function:SumoCWLogsLambda" LogGroupTags="env=prod,name=apiassembly" LogGroupPattern="test"
 

loggroup-lambda-connector/sam/template.yaml

@@ -24,7 +24,7 @@ Metadata:
     LicenseUrl: ../LICENSE
     Name: sumologic-loggroup-connector
     ReadmeUrl: ../Readme.md
-    SemanticVersion: 1.0.6
+    SemanticVersion: 1.0.7
     SourceCodeUrl: https://github.com/SumoLogic/sumologic-aws-lambda/loggroup-lambda-connector
     SpdxLicenseId: Apache-2.0
 
@@ -121,7 +121,7 @@ Resources:
               Action:
                 - lambda:InvokeFunction
               Resource:
-                - !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:*'
+                - !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:*SumoLogGroupLambdaConnector*'
       Events:
         LambdaTrigger:
           Type: CloudWatchEvent

sumologic-app-utils/packaged_sumo_app_utils.yaml

@@ -20,17 +20,17 @@ Metadata:
     - sumologic
     - serverless
     Name: sumologic-app-utils
-    SemanticVersion: 2.0.9
+    SemanticVersion: 2.0.10
     SourceCodeUrl: https://github.com/SumoLogic/sumologic-aws-lambda/tree/master/sumologic-app-utils
     SpdxLicenseId: Apache-2.0
-    ReadmeUrl: s3://appdevstore/sumo_app_utils/v2.0.9/4d5a92c06a7fa9d956a900e51a1f6be4
+    ReadmeUrl: s3://appdevstore/sumo_app_utils/v2.0.10/4d5a92c06a7fa9d956a900e51a1f6be4
 Resources:
   SumoAppUtilsFunction:
     Type: AWS::Serverless::Function
     Properties:
       Handler: main.handler
       Runtime: python3.7
-      CodeUri: s3://appdevstore/sumo_app_utils/v2.0.9/sumo_app_utils.zip
+      CodeUri: s3://appdevstore/sumo_app_utils/v2.0.10/sumo_app_utils.zip
       MemorySize: 128
       Timeout: 300
       Policies:
@@ -43,6 +43,8 @@ Resources:
           Effect: Allow
           Resource: arn:aws:cloudtrail:*:*:*
           Sid: CreateCloudTrailPolicy
+    Metadata:
+      SamResourceId: SumoAppUtilsFunction
 Outputs:
   SumoAppUtilsFunction:
     Description: SumoAppUtils Function ARN

sumologic-app-utils/sumo_app_utils.yaml

@@ -17,7 +17,7 @@ Metadata:
       - sumologic
       - serverless
     Name: sumologic-app-utils
-    SemanticVersion: 2.0.9
+    SemanticVersion: 2.0.10
     SourceCodeUrl: https://github.com/SumoLogic/sumologic-aws-lambda/tree/master/sumologic-app-utils
     SpdxLicenseId: Apache-2.0
     ReadmeUrl: ./README.md
@@ -29,7 +29,7 @@ Resources:
     Properties:
       Handler: main.handler
       Runtime: python3.7
-      CodeUri: s3://appdevstore/sumo_app_utils/v2.0.9/sumo_app_utils.zip
+      CodeUri: s3://appdevstore/sumo_app_utils/v2.0.10/sumo_app_utils.zip
       MemorySize: 128
       Timeout: 300
       Policies: