Patch release 2 1 2 (#419)

* fix: adding log stream resource * chore: update changelog doc * fix: doc typo * fix: adding line in Changelog for CW arn fix
awslabs · Apr 1, 2021 · ceb76ba · ceb76ba
1 parent a8c1aae
commit ceb76ba
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 4 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,17 @@
 
 All notable changes to this project will be documented in this file.
 
+## [2.1.2] - 2021-04-01
+
+### Added
+- fix: managing AppDeployer role permission boundary
+- fix: CW log resources corrected in backend CFN template
+- refactor: restrict ApiHandler role permissions
+- refactor: restrict WorkflowLoopRunner role permissions
+- refactor: restrict CrossAcctExec role permissions
+- chore: team email removed from feedback section in readme
+- chore: updates to npm dependencies
+
 ## [2.1.1] - 2021-03-19
 
 ### Added

diff --git a/main/solution/backend/config/infra/cloudformation.yml b/main/solution/backend/config/infra/cloudformation.yml
@@ -429,9 +429,12 @@ Resources:
               - !Sub 'arn:aws:iam::${AWS::AccountId}:role/*-xacc-env-mgmt'
           - Effect: Allow
             Action:
-              - logs:CreateLog*
+              - logs:CreateLogGroup
+              - logs:CreateLogStream
               - logs:PutLogEvents
-            Resource: !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:aws/lambda/${self:custom.settings.awsRegionShortName}-${self:custom.settings.solutionName}-backend-${self:custom.settings.envName}*'
+            Resource:
+              - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${self:custom.settings.awsRegionShortName}-${self:custom.settings.solutionName}-backend-${self:custom.settings.envName}-*:*'
+              - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${self:custom.settings.awsRegionShortName}-${self:custom.settings.solutionName}-backend-${self:custom.settings.envName}-*:log-stream:*'
 
   # IAM Role for the apiHandler Function
   RoleApiHandler:
@@ -577,9 +580,12 @@ Resources:
               - !Sub 'arn:aws:iam::${AWS::AccountId}:role/*-xacc-env-mgmt'
           - Effect: Allow
             Action:
-              - logs:CreateLog*
+              - logs:CreateLogGroup
+              - logs:CreateLogStream
               - logs:PutLogEvents
-            Resource: !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:aws/lambda/${self:custom.settings.awsRegionShortName}-${self:custom.settings.solutionName}-backend-${self:custom.settings.envName}*'
+            Resource:
+              - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${self:custom.settings.awsRegionShortName}-${self:custom.settings.solutionName}-backend-${self:custom.settings.envName}-workflowLoopRunner:*'
+              - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${self:custom.settings.awsRegionShortName}-${self:custom.settings.solutionName}-backend-${self:custom.settings.envName}-workflowLoopRunner:log-stream:*'
 
   # IAM Role for the workflowLoopRunner Function
   RoleWorkflowLoopRunner: