diff --git a/Solutions/AWS_AccessLogs/CloudFormationTemplates/AWSS3ServerAccessAndConfig.json b/Solutions/AWS_AccessLogs/CloudFormationTemplates/AWSS3ServerAccessAndConfig.json
index 7256fed0b66..82f2056cb49 100644
--- a/Solutions/AWS_AccessLogs/CloudFormationTemplates/AWSS3ServerAccessAndConfig.json
+++ b/Solutions/AWS_AccessLogs/CloudFormationTemplates/AWSS3ServerAccessAndConfig.json
@@ -10,14 +10,18 @@
},
"BucketName": {
"Type": "String",
+ "MinLength": "3",
+ "MaxLength": "63",
"AllowedPattern": "^[a-z0-9][a-z0-9-.]{1,61}[a-z0-9]$",
- "Description": "Enter the name of the S3 bucket for storing server access logs.",
- "Default": "microsoft-sentinel-s3-server-logs"
+ "ConstraintDescription": "S3 bucket name is required. Must be 3-63 characters, lowercase letters, numbers, dots, and hyphens only. Must start and end with letter or number.",
+ "Description": "Enter a unique S3 bucket name for storing server access logs. Bucket name must be globally unique."
},
"SentinelSQSQueueName": {
- "Default": "MicrosoftSentinelS3ServerAccessLogsQueue",
"Type": "String",
- "Description": "Enter the name for the SQS Queue."
+ "MinLength": "1",
+ "MaxLength": "80",
+ "ConstraintDescription": "SQS queue name is required. Must be 1-80 characters.",
+ "Description": "Enter a unique SQS queue name."
},
"SentinelWorkspaceId": {
"Type": "String",
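Review bot: The `SentinelSQSQueueName` parameter gains `MinLength`/`MaxLength` but no `AllowedPattern`, so a value with characters SQS does not accept (spaces, dots on a standard queue) passes parameter validation and only fails later at `AWS::SQS::Queue` creation, after the bucket and role have been created. Adding `"AllowedPattern": "^[a-zA-Z0-9_-]{1,80}$"` next to `MaxLength` rejects it up front, and the `ConstraintDescription` should then name the allowed characters the way the `BucketName` one does. The `BucketName` change is consistent: dropping `Default` makes the parameter required, which matches its new `ConstraintDescription`.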
@@ -87,11 +91,11 @@
"DeletionPolicy": "Retain",
"Properties": {
"BucketName": {
- "Fn::Sub": "${BucketName}"
+ "Ref": "BucketName"
},
"LoggingConfiguration": {
"DestinationBucketName": {
- "Fn::Sub": "${BucketName}"
+ "Ref": "BucketName"
},
"LogFilePrefix": "server-logs/"
},
@@ -137,12 +141,26 @@
},
"Action": "s3:PutObject",
"Resource": {
- "Fn::Sub": "arn:aws:s3:::${BucketName}/*"
+ "Fn::Join": [
+ "",
+ [
+ {
+ "Fn::GetAtt": [
+ "S3Bucket",
+ "Arn"
+ ]
+ },
+ "/*"
+ ]
+ ]
},
"Condition": {
"ArnLike": {
"aws:SourceArn": {
- "Fn::Sub": "arn:aws:s3:::${BucketName}"
+ "Fn::GetAtt": [
+ "S3Bucket",
+ "Arn"
+ ]
}
}
}
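Review bot: The new `Condition` on the `s3:PutObject` statement checks only `aws:SourceArn` against the bucket ARN, while the queue policy later in this commit also pins `aws:SourceAccount`; AWS's guidance for the server-access-logging service principal is to set both. Adding `"StringEquals": { "aws:SourceAccount": { "Ref": "AWS::AccountId" } }` alongside the existing `ArnLike` block makes the two policies consistent. The statement's `Principal` is above the hunk, so I am assuming this is the logging service principal.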
@@ -157,7 +175,18 @@
},
"Action": "s3:GetObject",
"Resource": {
- "Fn::Sub": "arn:aws:s3:::${BucketName}/*"
+ "Fn::Join": [
+ "",
+ [
+ {
+ "Fn::GetAtt": [
+ "S3Bucket",
+ "Arn"
+ ]
+ },
+ "/*"
+ ]
+ ]
}
}
]
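Review bot: The `Resource` value is a twelve-line `Fn::Join` around `Fn::GetAtt` that `Fn::Sub` expresses in one line: `"Resource": { "Fn::Sub": "${S3Bucket.Arn}/*" }`. The same construction appears in the `s3:PutObject` statement in the previous hunk. Both forms resolve to the identical ARN string, so this is a readability point only.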
@@ -168,7 +197,7 @@
"Type": "AWS::SQS::Queue",
"Properties": {
"QueueName": {
- "Fn::Sub": "${SentinelSQSQueueName}"
+ "Ref": "SentinelSQSQueueName"
}
}
},
@@ -179,42 +208,53 @@
"Version": "2008-10-17",
"Statement": [
{
- "Sid": "StmtAllowReceiveDeleteChangeVisibility",
+ "Sid": "AllowS3ToSendToQueue",
"Effect": "Allow",
"Principal": {
"Service": "s3.amazonaws.com"
},
- "Action": [
- "SQS:ReceiveMessage",
- "SQS:DeleteMessage",
- "SQS:ChangeMessageVisibility"
- ],
+ "Action": "SQS:SendMessage",
"Resource": {
"Fn::GetAtt": [
"SentinelSQSQueue",
"Arn"
]
+ },
+ "Condition": {
+ "StringEquals": {
+ "aws:SourceAccount": {
+ "Ref": "AWS::AccountId"
+ }
+ },
+ "ArnLike": {
+ "aws:SourceArn": {
+ "Fn::Sub": "arn:aws:s3:::*"
+ }
+ }
}
},
{
- "Sid": "AllowS3ToSendToQueue",
+ "Sid": "AllowSentinelRoleToReadFromQueue",
"Effect": "Allow",
"Principal": {
- "Service": "s3.amazonaws.com"
+ "AWS": {
+ "Fn::GetAtt": [
+ "SentinelWebIdentityBasedRole",
+ "Arn"
+ ]
+ }
},
- "Action": "SQS:SendMessage",
+ "Action": [
+ "SQS:ReceiveMessage",
+ "SQS:DeleteMessage",
+ "SQS:ChangeMessageVisibility",
+ "SQS:GetQueueUrl"
+ ],
"Resource": {
"Fn::GetAtt": [
"SentinelSQSQueue",
"Arn"
]
- },
- "Condition": {
- "ArnLike": {
- "aws:SourceArn": {
- "Fn::Sub": "arn:aws:s3:::${BucketName}"
- }
- }
}
}
]
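Review bot: The `aws:SourceArn` condition on `AllowS3ToSendToQueue` is now `arn:aws:s3:::*`, so `aws:SourceAccount` is the only effective bound and any bucket in the account can be pointed at this queue through an event notification, where the removed statement pinned it to `${BucketName}`. Keeping `"Fn::Sub": "arn:aws:s3:::${BucketName}"` narrows the source to the bucket this template creates while still not referencing the `S3Bucket` resource, so it does not introduce a circular dependency through the bucket's notification configuration if that is why the wildcard was chosen. As written the `Fn::Sub` wraps a string with no `${}` references, so whichever value is kept it can be a plain string.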
@@ -237,6 +277,13 @@
},
"Description": "Role ARN for Sentinel Role that is inserted into Amazon Web Service S3 Connector in the Sentinel Data Connectors portal."
},
+ "S3BucketName": {
+ "Value": {
+ "Ref": "S3Bucket"
+ },
+ "Description": "S3 Bucket name where server access logs are stored.",
+ "Condition": "CreateNewBucketCondition"
+ },
"SentinelSQSQueueURL": {
"Description": "AWS SQS Queue URL that is inserted into Amazon Web Service S3 Connector in the Sentinel Data Connectors portal.",
"Value": {
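Review bot: The new `S3BucketName` output is gated on `CreateNewBucketCondition`, which is neither defined nor referenced anywhere else in this diff; an undeclared condition name fails template validation, so confirm it exists under `Conditions`. If the `S3Bucket` resource it `Ref`s is unconditional (its `Condition` key is not visible in the earlier hunk), the gate on the output is unnecessary and could be dropped; if the resource is conditional, the two should use the same condition name.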
diff --git a/Solutions/AWS_AccessLogs/Package/3.0.2.zip b/Solutions/AWS_AccessLogs/Package/3.0.2.zip
new file mode 100644
index 00000000000..8615fed7625
Binary files /dev/null and b/Solutions/AWS_AccessLogs/Package/3.0.2.zip differ
diff --git a/Solutions/AWS_AccessLogs/Package/mainTemplate.json b/Solutions/AWS_AccessLogs/Package/mainTemplate.json
index 0fcf84cf70b..048b5ef2d2c 100644
--- a/Solutions/AWS_AccessLogs/Package/mainTemplate.json
+++ b/Solutions/AWS_AccessLogs/Package/mainTemplate.json
@@ -47,7 +47,7 @@
"email": "support@microsoft.com",
"_email": "[variables('email')]",
"_solutionName": "AWS_AccessLogs",
- "_solutionVersion": "3.0.1",
+ "_solutionVersion": "3.0.2",
"solutionId": "azuresentinel.azure-sentinel-solution-awsaccesslogs",
"_solutionId": "[variables('solutionId')]",
"workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
@@ -682,7 +682,7 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "3.0.1",
+ "version": "3.0.2",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "AWS_AccessLogs",
diff --git a/Solutions/AWS_AccessLogs/ReleaseNotes.md b/Solutions/AWS_AccessLogs/ReleaseNotes.md
index 2c12ea8fd37..b7b0f96c0a2 100644
--- a/Solutions/AWS_AccessLogs/ReleaseNotes.md
+++ b/Solutions/AWS_AccessLogs/ReleaseNotes.md
@@ -1,4 +1,5 @@
**Version** | **Date Modified (DD-MM-YYYY)**| **ChangeHistory** |
|------------|-------------------------------|-------------------------------------------------------------------------------------------|
+| 3.0.2 | 05-02-2026 | Resolved vulnerability reported in AWS Access log in CloudFoundation template file. |
| 3.0.1 | 10-06-2025 | AWS S3 Server Access Log CCF **Data Connector** Moving to GA. |
-| 3.0.0 | 08-08-2025 | Initial Solution Release.
New CCF **Data Connector** for AWS_AccessLogs. |
\ No newline at end of file
+| 3.0.0 | 08-08-2025 | Initial Solution Release.
New CCF **Data Connector** for AWS_AccessLogs. |