feat(logs): support DataProtectionPolicy in LogGroup construct (#23402)

Sensitive data protection for CloudWatch Logs was launched at re:Invent 2022. This feature will enable that property under DataProtectionPolicy as a JSON object in the LogGroup construct. Use case: A data protection policy can help safeguard sensitive data that's ingested by the log group by auditing and masking the sensitive log data. When a user who does not have permission to view masked data views a log event that includes masked data, the sensitive data is replaced by asterisks. closes #23399 ---- ### All Submissions: * [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Construct Runtime Dependencies: * [ ] This PR adds new construct runtime dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-construct-runtime-dependencies) ### New Features * [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws · May 8, 2023 · ed3962a · ed3962a
1 parent 8ef0ba2
commit ed3962a
Show file tree

Hide file tree

Showing 14 changed files with 1,213 additions and 1 deletion.
diff --git a/...test/integ.log-group.js.snapshot/LogGroupIntegDefaultTestDeployAssertA9999A13.assets.json b/...test/integ.log-group.js.snapshot/LogGroupIntegDefaultTestDeployAssertA9999A13.assets.json
@@ -0,0 +1,19 @@
+{
+  "version": "31.0.0",
+  "files": {
+    "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": {
+      "source": {
+        "path": "LogGroupIntegDefaultTestDeployAssertA9999A13.template.json",
+        "packaging": "file"
+      },
+      "destinations": {
+        "current_account-current_region": {
+          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+          "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+        }
+      }
+    }
+  },
+  "dockerImages": {}
+}
diff --git a/...st/integ.log-group.js.snapshot/LogGroupIntegDefaultTestDeployAssertA9999A13.template.json b/...st/integ.log-group.js.snapshot/LogGroupIntegDefaultTestDeployAssertA9999A13.template.json
@@ -0,0 +1,36 @@
+{
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}
diff --git a/...-integ/test/aws-logs/test/integ.log-group.js.snapshot/aws-cdk-log-group-integ.assets.json b/...-integ/test/aws-logs/test/integ.log-group.js.snapshot/aws-cdk-log-group-integ.assets.json
@@ -0,0 +1,19 @@
+{
+  "version": "31.0.0",
+  "files": {
+    "cadd724ef1cce56f77546968b304b105422abec3535dfa2a9c10aca7f84f9811": {
+      "source": {
+        "path": "aws-cdk-log-group-integ.template.json",
+        "packaging": "file"
+      },
+      "destinations": {
+        "current_account-current_region": {
+          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+          "objectKey": "cadd724ef1cce56f77546968b304b105422abec3535dfa2a9c10aca7f84f9811.json",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+        }
+      }
+    }
+  },
+  "dockerImages": {}
+}
diff --git a/...nteg/test/aws-logs/test/integ.log-group.js.snapshot/aws-cdk-log-group-integ.template.json b/...nteg/test/aws-logs/test/integ.log-group.js.snapshot/aws-cdk-log-group-integ.template.json
@@ -0,0 +1,145 @@
+{
+ "Resources": {
+  "LogGroupLambdaAuditF8F47F46": {
+   "Type": "AWS::Logs::LogGroup",
+   "Properties": {
+    "RetentionInDays": 731
+   },
+   "UpdateReplacePolicy": "Retain",
+   "DeletionPolicy": "Retain"
+  },
+  "auditbucketidE6660EBD": {
+   "Type": "AWS::S3::Bucket",
+   "UpdateReplacePolicy": "Retain",
+   "DeletionPolicy": "Retain"
+  },
+  "LogGroupLambdaAC756C5B": {
+   "Type": "AWS::Logs::LogGroup",
+   "Properties": {
+    "DataProtectionPolicy": {
+     "name": "policy-name",
+     "description": "policy description",
+     "version": "2021-06-01",
+     "statement": [
+      {
+       "sid": "audit-statement-cdk",
+       "dataIdentifier": [
+        {
+         "Fn::Join": [
+          "",
+          [
+           "arn:",
+           {
+            "Ref": "AWS::Partition"
+           },
+           ":dataprotection::aws:data-identifier/DriversLicense-US"
+          ]
+         ]
+        },
+        {
+         "Fn::Join": [
+          "",
+          [
+           "arn:",
+           {
+            "Ref": "AWS::Partition"
+           },
+           ":dataprotection::aws:data-identifier/EmailAddress"
+          ]
+         ]
+        }
+       ],
+       "operation": {
+        "audit": {
+         "findingsDestination": {
+          "cloudWatchLogs": {
+           "logGroup": {
+            "Ref": "LogGroupLambdaAuditF8F47F46"
+           }
+          },
+          "s3": {
+           "bucket": {
+            "Ref": "auditbucketidE6660EBD"
+           }
+          }
+         }
+        }
+       }
+      },
+      {
+       "sid": "redact-statement-cdk",
+       "dataIdentifier": [
+        {
+         "Fn::Join": [
+          "",
+          [
+           "arn:",
+           {
+            "Ref": "AWS::Partition"
+           },
+           ":dataprotection::aws:data-identifier/DriversLicense-US"
+          ]
+         ]
+        },
+        {
+         "Fn::Join": [
+          "",
+          [
+           "arn:",
+           {
+            "Ref": "AWS::Partition"
+           },
+           ":dataprotection::aws:data-identifier/EmailAddress"
+          ]
+         ]
+        }
+       ],
+       "operation": {
+        "deidentify": {
+         "maskConfig": {}
+        }
+       }
+      }
+     ]
+    },
+    "RetentionInDays": 731
+   },
+   "UpdateReplacePolicy": "Retain",
+   "DeletionPolicy": "Retain"
+  }
+ },
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}
diff --git a/...s/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.js.snapshot/cdk.out b/...s/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.js.snapshot/cdk.out
@@ -0,0 +1 @@
+{"version":"31.0.0"}
diff --git a/...aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.js.snapshot/integ.json b/...aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.js.snapshot/integ.json
@@ -0,0 +1,12 @@
+{
+  "version": "31.0.0",
+  "testCases": {
+    "LogGroupInteg/DefaultTest": {
+      "stacks": [
+        "aws-cdk-log-group-integ"
+      ],
+      "assertionStack": "LogGroupInteg/DefaultTest/DeployAssert",
+      "assertionStackName": "LogGroupIntegDefaultTestDeployAssertA9999A13"
+    }
+  }
+}
diff --git a/...-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.js.snapshot/manifest.json b/...-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.js.snapshot/manifest.json
@@ -0,0 +1,123 @@
+{
+  "version": "31.0.0",
+  "artifacts": {
+    "aws-cdk-log-group-integ.assets": {
+      "type": "cdk:asset-manifest",
+      "properties": {
+        "file": "aws-cdk-log-group-integ.assets.json",
+        "requiresBootstrapStackVersion": 6,
+        "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version"
+      }
+    },
+    "aws-cdk-log-group-integ": {
+      "type": "aws:cloudformation:stack",
+      "environment": "aws://unknown-account/unknown-region",
+      "properties": {
+        "templateFile": "aws-cdk-log-group-integ.template.json",
+        "validateOnSynth": false,
+        "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
+        "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
+        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/cadd724ef1cce56f77546968b304b105422abec3535dfa2a9c10aca7f84f9811.json",
+        "requiresBootstrapStackVersion": 6,
+        "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
+        "additionalDependencies": [
+          "aws-cdk-log-group-integ.assets"
+        ],
+        "lookupRole": {
+          "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}",
+          "requiresBootstrapStackVersion": 8,
+          "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version"
+        }
+      },
+      "dependencies": [
+        "aws-cdk-log-group-integ.assets"
+      ],
+      "metadata": {
+        "/aws-cdk-log-group-integ/LogGroupLambdaAudit/Resource": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "LogGroupLambdaAuditF8F47F46"
+          }
+        ],
+        "/aws-cdk-log-group-integ/audit-bucket-id/Resource": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "auditbucketidE6660EBD"
+          }
+        ],
+        "/aws-cdk-log-group-integ/LogGroupLambda/Resource": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "LogGroupLambdaAC756C5B"
+          }
+        ],
+        "/aws-cdk-log-group-integ/BootstrapVersion": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "BootstrapVersion"
+          }
+        ],
+        "/aws-cdk-log-group-integ/CheckBootstrapVersion": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "CheckBootstrapVersion"
+          }
+        ]
+      },
+      "displayName": "aws-cdk-log-group-integ"
+    },
+    "LogGroupIntegDefaultTestDeployAssertA9999A13.assets": {
+      "type": "cdk:asset-manifest",
+      "properties": {
+        "file": "LogGroupIntegDefaultTestDeployAssertA9999A13.assets.json",
+        "requiresBootstrapStackVersion": 6,
+        "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version"
+      }
+    },
+    "LogGroupIntegDefaultTestDeployAssertA9999A13": {
+      "type": "aws:cloudformation:stack",
+      "environment": "aws://unknown-account/unknown-region",
+      "properties": {
+        "templateFile": "LogGroupIntegDefaultTestDeployAssertA9999A13.template.json",
+        "validateOnSynth": false,
+        "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
+        "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
+        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json",
+        "requiresBootstrapStackVersion": 6,
+        "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
+        "additionalDependencies": [
+          "LogGroupIntegDefaultTestDeployAssertA9999A13.assets"
+        ],
+        "lookupRole": {
+          "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}",
+          "requiresBootstrapStackVersion": 8,
+          "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version"
+        }
+      },
+      "dependencies": [
+        "LogGroupIntegDefaultTestDeployAssertA9999A13.assets"
+      ],
+      "metadata": {
+        "/LogGroupInteg/DefaultTest/DeployAssert/BootstrapVersion": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "BootstrapVersion"
+          }
+        ],
+        "/LogGroupInteg/DefaultTest/DeployAssert/CheckBootstrapVersion": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "CheckBootstrapVersion"
+          }
+        ]
+      },
+      "displayName": "LogGroupInteg/DefaultTest/DeployAssert"
+    },
+    "Tree": {
+      "type": "cdk:tree",
+      "properties": {
+        "file": "tree.json"
+      }
+    }
+  }
+}