Chore: [AEA-0000] - review security (#296)

## Summary

- Routine Change

### Details

- setup audit logging bucket
- remove slack commands endpoint
- restrict kms key policy
- remove access to secrets from slackbot
- remove unused bedrock policies
- only add direct lambda policy if needed for regression test
- restrict nag suppressions

Author: anthony-nhs

.github/scripts/fix_cdk_json.sh

@@ -62,3 +62,4 @@ fix_string_key slackBotToken "${SLACK_BOT_TOKEN}"
 fix_string_key slackSigningSecret "${SLACK_SIGNING_SECRET}"
 fix_string_key cfnDriftDetectionGroup "${CFN_DRIFT_DETECTION_GROUP}"
 fix_boolean_number_key isPullRequest "${IS_PULL_REQUEST}"
+fix_boolean_number_key runRegressionTests "${RUN_REGRESSION_TESTS}"

.github/workflows/release_all_stacks.yml

@@ -149,6 +149,7 @@ jobs:
           SLACK_SIGNING_SECRET: "${{ secrets.SLACK_SIGNING_SECRET }}"
           CDK_APP_NAME: ${{ inputs.CDK_APP_NAME }}
           IS_PULL_REQUEST: ${{ inputs.IS_PULL_REQUEST }}
+          RUN_REGRESSION_TESTS: ${{ inputs.RUN_REGRESSION_TESTS }}
 
       - name: Show diff for stack
         run: |

Makefile

@@ -102,7 +102,10 @@ cdk-deploy: guard-STACK_NAME
 		--context logRetentionInDays=$$LOG_RETENTION_IN_DAYS \
 		--context slackBotToken=$$SLACK_BOT_TOKEN \
 		--context slackSigningSecret=$$SLACK_SIGNING_SECRET
-cdk-synth:
+
+cdk-synth: cdk-synth-pr cdk-synth-non-pr
+
+cdk-synth-non-pr:
 	mkdir -p .dependencies/slackBotFunction
 	mkdir -p .dependencies/syncKnowledgeBaseFunction
 	mkdir -p .dependencies/bedrockLoggingConfigFunction
@@ -114,6 +117,25 @@ cdk-synth:
 	SLACK_SIGNING_SECRET=dummy_secret \
 	LOG_RETENTION_IN_DAYS=30 \
 	LOG_LEVEL=debug \
+	RUN_REGRESSION_TESTS=true \
+		 ./.github/scripts/fix_cdk_json.sh .local_config/epsam.config.json
+	CONFIG_FILE_NAME=.local_config/epsam.config.json npx cdk synth \
+		--quiet \
+		--app "npx ts-node --prefer-ts-exts packages/cdk/bin/EpsAssistMeApp.ts"
+
+cdk-synth-pr:
+	mkdir -p .dependencies/slackBotFunction
+	mkdir -p .dependencies/syncKnowledgeBaseFunction
+	mkdir -p .dependencies/bedrockLoggingConfigFunction
+	mkdir -p .local_config
+	STACK_NAME=epsam-pr-123 \
+	COMMIT_ID=undefined \
+	VERSION_NUMBER=undefined \
+	SLACK_BOT_TOKEN=dummy_token \
+	SLACK_SIGNING_SECRET=dummy_secret \
+	LOG_RETENTION_IN_DAYS=30 \
+	LOG_LEVEL=debug \
+	RUN_REGRESSION_TESTS=true \
 		 ./.github/scripts/fix_cdk_json.sh .local_config/epsam.config.json
 	CONFIG_FILE_NAME=.local_config/epsam.config.json npx cdk synth \
 		--quiet \

packages/cdk/constructs/S3Bucket.ts

@@ -6,7 +6,8 @@ import {
   BlockPublicAccess,
   ObjectOwnership,
   CfnBucket,
-  CfnBucketPolicy
+  CfnBucketPolicy,
+  IBucket
 } from "aws-cdk-lib/aws-s3"
 import {CfnKey, Key} from "aws-cdk-lib/aws-kms"
 import {
@@ -21,6 +22,7 @@ export interface S3BucketProps {
   readonly bucketName: string
   readonly versioned: boolean
   readonly deploymentRole: IPrincipal
+  readonly auditLoggingBucket: IBucket
 }
 
 export class S3Bucket extends Construct {
@@ -40,12 +42,14 @@ export class S3Bucket extends Construct {
     const bucket = new Bucket(this, props.bucketName, {
       blockPublicAccess: BlockPublicAccess.BLOCK_ALL,
       encryption: BucketEncryption.KMS,
-      encryptionKey: this.kmsKey,
+      encryptionKey: kmsKey,
       removalPolicy: RemovalPolicy.DESTROY,
       autoDeleteObjects: true,
       enforceSSL: true,
       versioned: props.versioned ?? false,
-      objectOwnership: ObjectOwnership.BUCKET_OWNER_ENFORCED
+      objectOwnership: ObjectOwnership.BUCKET_OWNER_ENFORCED,
+      serverAccessLogsBucket: props.auditLoggingBucket,
+      serverAccessLogsPrefix: "epsam-kb"
     })
 
     // Adding full deployment roles to this bucket
@@ -83,7 +87,7 @@ export class S3Bucket extends Construct {
           principals: [props.deploymentRole],
           actions: [
             "kms:Encrypt",
-            "kms:GenerateDataKey*"
+            "kms:GenerateDataKey"
           ],
           resources:["*"]
         })

packages/cdk/nagSuppressions.ts

@@ -3,8 +3,7 @@
 import {Stack} from "aws-cdk-lib"
 import {NagPackSuppression, NagSuppressions} from "cdk-nag"
 
-export const nagSuppressions = (stack: Stack) => {
-  const stackName = stack.node.tryGetContext("stackName") || "epsam"
+export const nagSuppressions = (stack: Stack, account: string) => {
   // Suppress granular wildcard on log stream for SlackBot Lambda
   safeAddNagSuppression(
     stack,
@@ -57,22 +56,6 @@ export const nagSuppressions = (stack: Stack) => {
     ]
   )
 
-  // Suppress unauthenticated API route warnings
-  safeAddNagSuppression(
-    stack,
-    "/EpsAssistMeStack/Apis/EpsAssistApiGateway/ApiGateway/Default/slack/commands/POST/Resource",
-    [
-      {
-        id: "AwsSolutions-APIG4",
-        reason: "Slack command endpoint is intentionally unauthenticated."
-      },
-      {
-        id: "AwsSolutions-COG4",
-        reason: "Cognito not required for this public endpoint."
-      }
-    ]
-  )
-
   // Suppress missing WAF on API stage for Apis construct
   safeAddNagSuppression(
     stack,
@@ -92,31 +75,49 @@ export const nagSuppressions = (stack: Stack) => {
     [
       {
         id: "AwsSolutions-IAM5",
-        reason: "Bedrock Knowledge Base requires these permissions to access S3 documents and OpenSearch collection."
+        reason: "Bedrock Knowledge Base requires these permissions to access S3 documents and OpenSearch collection.",
+        appliesTo: [
+          "Action::bedrock:Delete*",
+          "Resource::arn:aws:bedrock:eu-west-2:<AWS::AccountId>:knowledge-base/*",
+          "Resource::arn:aws:aoss:eu-west-2:<AWS::AccountId>:collection/*",
+          "Resource::arn:aws:logs:eu-west-2:<AWS::AccountId>:delivery-destination:*",
+          "Resource::arn:aws:logs:eu-west-2:<AWS::AccountId>:delivery-source:*",
+          "Resource::arn:aws:logs:eu-west-2:<AWS::AccountId>:delivery:*",
+          `Resource::arn:aws:bedrock:eu-west-2:${account}:knowledge-base/*`,
+          `Resource::arn:aws:aoss:eu-west-2:${account}:collection/*`,
+          `Resource::arn:aws:logs:eu-west-2:${account}:delivery-destination:*`,
+          `Resource::arn:aws:logs:eu-west-2:${account}:delivery-source:*`,
+          `Resource::arn:aws:logs:eu-west-2:${account}:delivery:*`
+        ]
       }
     ]
   )
-
-  // Suppress wildcard permissions for SlackBot policy
   safeAddNagSuppression(
     stack,
-    "/EpsAssistMeStack/RuntimePolicies/SlackBotPolicy/Resource",
+    "/EpsAssistMeStack/BedrockExecutionRole/WildcardPolicy/Resource",
     [
       {
         id: "AwsSolutions-IAM5",
-        reason: "SlackBot Lambda needs wildcard permissions for guardrails, knowledge bases, and function invocation."
+        reason: "Bedrock Knowledge Base requires these wildcard permissions to access S3 documents and OpenSearch collection."
       }
     ]
   )
 
-  // Suppress S3 server access logs for knowledge base documents bucket
+  // Suppress wildcard permissions for SlackBot policy
   safeAddNagSuppression(
     stack,
-    `/EpsAssistMeStack/Storage/DocsBucket/${stackName}-Docs/Resource`,
+    "/EpsAssistMeStack/RuntimePolicies/SlackBotPolicy/Resource",
     [
       {
-        id: "AwsSolutions-S1",
-        reason: "Server access logging not required for knowledge base documents bucket."
+        id: "AwsSolutions-IAM5",
+        reason: "SlackBot Lambda needs wildcard permissions for guardrails, knowledge bases, and function invocation.",
+        appliesTo: [
+          "Resource::arn:aws:lambda:eu-west-2:<AWS::AccountId>:function:epsam*",
+          "Resource::arn:aws:cloudformation:eu-west-2:<AWS::AccountId>:stack/epsam-pr-*",
+          `Resource::arn:aws:lambda:eu-west-2:${account}:function:epsam*`,
+          `Resource::arn:aws:cloudformation:eu-west-2:${account}:stack/epsam-pr-*`,
+          "Resource::arn:aws:bedrock:*"
+        ]
       }
     ]
   )
@@ -136,17 +137,6 @@ export const nagSuppressions = (stack: Stack) => {
     ]
   )
 
-  safeAddNagSuppression(
-    stack,
-    "/EpsAssistMeStack/Secrets/SlackBotSigning/Secret/Resource",
-    [
-      {
-        id: "AwsSolutions-SMG4",
-        reason: "Slack signing secret rotation is handled manually as part of the Slack app configuration process."
-      }
-    ]
-  )
-
   // Suppress AWS managed policy usage in BucketNotificationsHandler (wildcard for any hash)
   const bucketNotificationHandlers = stack.node.findAll().filter(node =>
     node.node.id.startsWith("BucketNotificationsHandler")
@@ -159,47 +149,8 @@ export const nagSuppressions = (stack: Stack) => {
       [
         {
           id: "AwsSolutions-IAM4",
-          reason: "Auto-generated CDK role uses AWS managed policy for basic Lambda execution."
-        }
-      ]
-    )
-
-    safeAddNagSuppression(
-      stack,
-      `${handler.node.path}/Role/DefaultPolicy/Resource`,
-      [
-        {
-          id: "AwsSolutions-IAM5",
-          reason: "Auto-generated CDK role requires wildcard permissions for S3 bucket notifications."
-        }
-      ]
-    )
-  })
-
-  const logRetentionHandlers = stack.node.findAll().filter(node =>
-    node.node.id.startsWith("LogRetention") &&
-    !node.node.path.includes("DelayProvider")
-  )
-
-  logRetentionHandlers.forEach(handler => {
-    safeAddNagSuppression(
-      stack,
-      `${handler.node.path}/ServiceRole/Resource`,
-      [
-        {
-          id: "AwsSolutions-IAM4",
-          reason: "Auto-generated CDK log retention role uses AWS managed policy for basic Lambda execution."
-        }
-      ]
-    )
-
-    safeAddNagSuppression(
-      stack,
-      `${handler.node.path}/ServiceRole/DefaultPolicy/Resource`,
-      [
-        {
-          id: "AwsSolutions-IAM5",
-          reason: "Auto-generated CDK log retention role requires wildcard permissions for log management."
+          reason: "Auto-generated CDK role uses AWS managed policy for basic Lambda execution.",
+          appliesTo: ["Policy::arn:<AWS::Partition>:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"]
         }
       ]
     )
@@ -212,7 +163,8 @@ export const nagSuppressions = (stack: Stack) => {
     [
       {
         id: "AwsSolutions-IAM4",
-        reason: "DelayResource Lambda uses AWS managed policy for basic Lambda execution role."
+        reason: "DelayResource Lambda uses AWS managed policy for basic Lambda execution role.",
+        appliesTo: ["Policy::arn:<AWS::Partition>:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"]
       }
     ]
   )
@@ -223,7 +175,8 @@ export const nagSuppressions = (stack: Stack) => {
     [
       {
         id: "AwsSolutions-IAM4",
-        reason: "DelayResource Lambda uses AWS managed policy for basic Lambda execution role."
+        reason: "DelayResource Lambda uses AWS managed policy for basic Lambda execution role.",
+        appliesTo: ["Policy::arn:<AWS::Partition>:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"]
       }
     ]
   )
@@ -235,7 +188,8 @@ export const nagSuppressions = (stack: Stack) => {
     [
       {
         id: "AwsSolutions-IAM4",
-        reason: "Auto-generated CDK Provider role uses AWS managed policy for Lambda execution."
+        reason: "Auto-generated CDK Provider role uses AWS managed policy for Lambda execution.",
+        appliesTo: ["Policy::arn:<AWS::Partition>:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"]
       }
     ]
   )
@@ -246,7 +200,8 @@ export const nagSuppressions = (stack: Stack) => {
     [
       {
         id: "AwsSolutions-IAM5",
-        reason: "Auto-generated CDK Provider role requires wildcard permissions for Lambda invocation."
+        reason: "Auto-generated CDK Provider role requires wildcard permissions for Lambda invocation.",
+        appliesTo: ["Resource::<VectorIndexPolicySyncWaitDelayFunctionBDE3D308.Arn>:*"]
       }
     ]
   )
@@ -257,7 +212,8 @@ export const nagSuppressions = (stack: Stack) => {
     [
       {
         id: "AwsSolutions-IAM4",
-        reason: "Auto-generated CDK Provider role uses AWS managed policy for Lambda execution."
+        reason: "Auto-generated CDK Provider role uses AWS managed policy for Lambda execution.",
+        appliesTo: ["Policy::arn:<AWS::Partition>:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"]
       }
     ]
   )
@@ -268,7 +224,8 @@ export const nagSuppressions = (stack: Stack) => {
     [
       {
         id: "AwsSolutions-IAM5",
-        reason: "Auto-generated CDK Provider role requires wildcard permissions for Lambda invocation."
+        reason: "Auto-generated CDK Provider role requires wildcard permissions for Lambda invocation.",
+        appliesTo: ["Resource::<VectorIndexIndexReadyWaitDelayFunction56EB971B.Arn>:*"]
       }
     ]
   )
@@ -302,7 +259,11 @@ export const nagSuppressions = (stack: Stack) => {
     [
       {
         id: "AwsSolutions-IAM5",
-        reason: "Auto-generated CDK Provider role requires wildcard permissions for cloudformation stack listing."
+        reason: "Auto-generated CDK Provider role requires wildcard permissions for cloudformation stack listing.",
+        appliesTo: [
+          "Resource::arn:aws:cloudformation:eu-west-2:<AWS::AccountId>:stack/epsam*",
+          `Resource::arn:aws:cloudformation:eu-west-2:${account}:stack/epsam*`
+        ]
       }
     ]
   )
@@ -338,7 +299,12 @@ export const nagSuppressions = (stack: Stack) => {
     [
       {
         id: "AwsSolutions-IAM5",
-        reason: "KMS wildcard permissions (GenerateDataKey*, ReEncrypt*) are required for CloudWatch Logs encryption operations."
+        reason: "KMS wildcard permissions (GenerateDataKey*, ReEncrypt*) are required for CloudWatch Logs encryption operations.",
+        appliesTo: [
+          "Action::kms:GenerateDataKey*",
+          "Action::kms:ReEncrypt*",
+          "Resource::<BedrockLoggingModelInvocationLogGroupC58FAE2D.Arn>:*"
+        ]
       }
     ]
   )
@@ -374,7 +340,10 @@ export const nagSuppressions = (stack: Stack) => {
     [
       {
         id: "AwsSolutions-IAM4",
-        reason: "Auto-generated CDK Provider role uses AWS managed policy for Lambda execution."
+        reason: "Auto-generated CDK Provider role uses AWS managed policy for Lambda execution.",
+        appliesTo: [
+          "Policy::arn:<AWS::Partition>:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+        ]
       }
     ]
   )

packages/cdk/resources/Apis.ts

@@ -37,17 +37,6 @@ export class Apis extends Construct {
       lambdaFunction: props.functions.slackBot
     })
 
-    // Create the '/slack/commands' POST endpoint for Slack Events API
-    // This endpoint will handle slash commands, such as /test
-    // eslint-disable-next-line @typescript-eslint/no-unused-vars
-    const slackCommandsEndpoint = new LambdaEndpoint(this, "SlackCommandsEndpoint", {
-      parentResource: slackResource,
-      resourceName: "commands",
-      method: HttpMethod.POST,
-      restApiGatewayRole: apiGateway.role,
-      lambdaFunction: props.functions.slackBot
-    })
-
     this.apis = {
       api: apiGateway
     }