From 50259f9ccddd95d7504815dac524ec5dca4cbd9c Mon Sep 17 00:00:00 2001
From: "Ezequiel Bibbins Alvarado (TATA CONSULTANCY SERVICES LTD)"
Date: Thu, 5 Feb 2026 13:44:37 -0600
Subject: [PATCH 1/3] Fixed the vulnerability reported by the MSRC team in the AWSSEServerAccessAndConfig file related to the SQS and Bucket hardcoded default name.
---
 .../AWSS3ServerAccessAndConfig.json | 99 +++++++++++++-----
 Solutions/AWS_AccessLogs/Package/3.0.2.zip | Bin 0 -> 6815 bytes
 .../AWS_AccessLogs/Package/mainTemplate.json | 4 +-
 3 files changed, 75 insertions(+), 28 deletions(-)
 create mode 100644 Solutions/AWS_AccessLogs/Package/3.0.2.zip
diff --git a/Solutions/AWS_AccessLogs/CloudFormationTemplates/AWSS3ServerAccessAndConfig.json b/Solutions/AWS_AccessLogs/CloudFormationTemplates/AWSS3ServerAccessAndConfig.json
index 7256fed0b66..82f2056cb49 100644
--- a/Solutions/AWS_AccessLogs/CloudFormationTemplates/AWSS3ServerAccessAndConfig.json
+++ b/Solutions/AWS_AccessLogs/CloudFormationTemplates/AWSS3ServerAccessAndConfig.json
@@ -10,14 +10,18 @@
 },
 "BucketName": {
 "Type": "String",
+ "MinLength": "3",
+ "MaxLength": "63",
 "AllowedPattern": "^[a-z0-9][a-z0-9-.]{1,61}[a-z0-9]$",
- "Description": "Enter the name of the S3 bucket for storing server access logs.",
- "Default": "microsoft-sentinel-s3-server-logs"
+ "ConstraintDescription": "S3 bucket name is required. Must be 3-63 characters, lowercase letters, numbers, dots, and hyphens only. Must start and end with letter or number.",
+ "Description": "Enter a unique S3 bucket name for storing server access logs. Bucket name must be globally unique."
 },
 "SentinelSQSQueueName": {
- "Default": "MicrosoftSentinelS3ServerAccessLogsQueue",
 "Type": "String",
- "Description": "Enter the name for the SQS Queue."
+ "MinLength": "1",
+ "MaxLength": "80",
+ "ConstraintDescription": "SQS queue name is required. Must be 1-80 characters.",
+ "Description": "Enter a unique SQS queue name."
 },
 "SentinelWorkspaceId": {
 "Type": "String",
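Review bot: `SentinelSQSQueueName` is now constrained only by length, so a value containing characters SQS does not accept, or ending in `.fifo` (the queue resource in this patch sets only `QueueName`), passes parameter validation and fails later at resource creation. Add `"AllowedPattern": "^[A-Za-z0-9_-]{1,80}$"` next to the new `MinLength`/`MaxLength`, as `BucketName` already has a pattern. Because the defaults were removed so that deployments stop sharing one well-known name, the two `Description` strings could say that directly, for example `"Enter a unique SQS queue name; do not reuse a name published in documentation."`. The `Parameters` object starts and ends outside the hunk.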
@@ -87,11 +91,11 @@
 "DeletionPolicy": "Retain",
 "Properties": {
 "BucketName": {
- "Fn::Sub": "${BucketName}"
+ "Ref": "BucketName"
 },
 "LoggingConfiguration": {
 "DestinationBucketName": {
- "Fn::Sub": "${BucketName}"
+ "Ref": "BucketName"
 },
 "LogFilePrefix": "server-logs/"
 },
@@ -137,12 +141,26 @@
 },
 "Action": "s3:PutObject",
 "Resource": {
- "Fn::Sub": "arn:aws:s3:::${BucketName}/*"
+ "Fn::Join": [
+ "",
+ [
+ {
+ "Fn::GetAtt": [
+ "S3Bucket",
+ "Arn"
+ ]
+ },
+ "/*"
+ ]
+ ]
 },
 "Condition": {
 "ArnLike": {
 "aws:SourceArn": {
- "Fn::Sub": "arn:aws:s3:::${BucketName}"
+ "Fn::GetAtt": [
+ "S3Bucket",
+ "Arn"
+ ]
 }
 }
 }
@@ -157,7 +175,18 @@
 },
 "Action": "s3:GetObject",
 "Resource": {
- "Fn::Sub": "arn:aws:s3:::${BucketName}/*"
+ "Fn::Join": [
+ "",
+ [
+ {
+ "Fn::GetAtt": [
+ "S3Bucket",
+ "Arn"
+ ]
+ },
+ "/*"
+ ]
+ ]
 }
 }
 ]
@@ -168,7 +197,7 @@
 "Type": "AWS::SQS::Queue",
 "Properties": {
 "QueueName": {
- "Fn::Sub": "${SentinelSQSQueueName}"
+ "Ref": "SentinelSQSQueueName"
 }
 }
 },
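Review bot: The `s3:PutObject` statement in the hunk at -137 still identifies the log source only by `aws:SourceArn`, while the SQS statement later in this patch adds `aws:SourceAccount`; add `"StringEquals": { "aws:SourceAccount": { "Ref": "AWS::AccountId" } }` to this `Condition` as well (the statement's principal is outside the hunk). Both this hunk and the one at -157 now resolve `"Fn::GetAtt": ["S3Bucket", "Arn"]`, and the new `S3BucketName` output is gated on `CreateNewBucketCondition`, which suggests `S3Bucket` is conditional; if the policy resource does not carry the same condition, the reference cannot resolve when no bucket is created, so confirm against the resource header, which is not in the hunk. The `Fn::Join` form could be shortened to `"Fn::Sub": "${S3Bucket.Arn}/*"`.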
@@ -179,42 +208,53 @@
 "Version": "2008-10-17",
 "Statement": [
 {
- "Sid": "StmtAllowReceiveDeleteChangeVisibility",
+ "Sid": "AllowS3ToSendToQueue",
 "Effect": "Allow",
 "Principal": {
 "Service": "s3.amazonaws.com"
 },
- "Action": [
- "SQS:ReceiveMessage",
- "SQS:DeleteMessage",
- "SQS:ChangeMessageVisibility"
- ],
+ "Action": "SQS:SendMessage",
 "Resource": {
 "Fn::GetAtt": [
 "SentinelSQSQueue",
 "Arn"
 ]
+ },
+ "Condition": {
+ "StringEquals": {
+ "aws:SourceAccount": {
+ "Ref": "AWS::AccountId"
+ }
+ },
+ "ArnLike": {
+ "aws:SourceArn": {
+ "Fn::Sub": "arn:aws:s3:::*"
+ }
+ }
 }
 },
 {
- "Sid": "AllowS3ToSendToQueue",
+ "Sid": "AllowSentinelRoleToReadFromQueue",
 "Effect": "Allow",
 "Principal": {
- "Service": "s3.amazonaws.com"
+ "AWS": {
+ "Fn::GetAtt": [
+ "SentinelWebIdentityBasedRole",
+ "Arn"
+ ]
+ }
 },
- "Action": "SQS:SendMessage",
+ "Action": [
+ "SQS:ReceiveMessage",
+ "SQS:DeleteMessage",
+ "SQS:ChangeMessageVisibility",
+ "SQS:GetQueueUrl"
+ ],
 "Resource": {
 "Fn::GetAtt": [
 "SentinelSQSQueue",
 "Arn"
 ]
- },
- "Condition": {
- "ArnLike": {
- "aws:SourceArn": {
- "Fn::Sub": "arn:aws:s3:::${BucketName}"
- }
- }
 }
 }
 ]
@@ -237,6 +277,13 @@
 },
 "Description": "Role ARN for Sentinel Role that is inserted into Amazon Web Service S3 Connector in the Sentinel Data Connectors portal."
 },
+ "S3BucketName": {
+ "Value": {
+ "Ref": "S3Bucket"
+ },
+ "Description": "S3 Bucket name where server access logs are stored.",
+ "Condition": "CreateNewBucketCondition"
+ },
 "SentinelSQSQueueURL": {
 "Description": "AWS SQS Queue URL that is inserted into Amazon Web Service S3 Connector in the Sentinel Data Connectors portal.",
 "Value": {
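Review bot: The `aws:SourceArn` condition on `AllowS3ToSendToQueue` is widened from `arn:aws:s3:::${BucketName}` to `arn:aws:s3:::*`, so any bucket in the account can publish events into the queue that Sentinel ingests from; the new `aws:SourceAccount` check bounds the account but not the bucket. Unless the wildcard serves a case not visible in this hunk, keep the bucket scoping alongside the account check with `"Fn::Sub": "arn:aws:s3:::${BucketName}"`, which is a parameter reference and adds no resource dependency on `S3Bucket`. As written, the `Fn::Sub` has no variables to substitute and would be clearer as a plain string. The policy document's enclosing resource starts and ends outside the hunk.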
diff --git a/Solutions/AWS_AccessLogs/Package/3.0.2.zip b/Solutions/AWS_AccessLogs/Package/3.0.2.zip new file mode 100644 index 0000000000000000000000000000000000000000..8615fed76256dbf8a53d0d2c84d72f70982e2a36 GIT binary patch literal 6815 zcmZ{pMN}LBv!#*X5P}mN0s$JA4(?9VxVyVcaQ8qX!5VjW2o_u#55e6vSa7$O_ck;0 zpLtb_I`=N__B-d6G6?YTaiMxe{jiiO8 zjiZgbjgup*t(%i$la_-dNiyxTDJBp6ci}VuBv5*Cbtq*Bk zN@P=tPFf9uUQ%CvynNp(BLdYYd63`2>V|hZFWL^`D0772&xLth;*hT5ddI3+eqETW z)=DBJG4~@BLl&Rp&G0J=mbjAo|1kJ`VFlLk*3g%dq{DKJvQ0+mTJ%T$c+fEi>PdEg zq!YOkw_>v5#3>t@x1+GLP`52CpIMukM6FdOt)WH3js>pJ%~XlTEPD-|2dBbyXpbaY ztsue0XWG5y91aLXB%_6zv@{w=40X;pa){yC87>cA@^lRM{JA$@w~%S{NOsB8iW$v| zOZkyZJqn2_dL=h1_@Q3_#UIz6O>#?N}Mc{iWKTzTwZ zjtw-IM*tb9p;6x+k#n?9ILQ%v&~}ivTy(t#iE44a1nZ9_IB6{t<3fOyOrsZ?!si}Z zyv#e)D$SA$gYZET+~qR)q&6u6wy6wML!Duj?J-+S^BAK?#Qk*BzoaNV!(5S36ps=t4jNByX~NvK+l zK13&O0i0xs$8s+x_FC|aF3TqE`mm^aiCEJ@^r%`{v3jvFw;H48$ecECuc_rPb-J;y zROtnJBnk6Jz$`QCOT-gR5m*ge*)qt2KnTS6#Ci(IKh5ay7Tn~XnB5@iPY4#4Zh;AsB2f%| zRDzg}$N&<{Wt8vwD#zD`U9BWEGfe5fvSHdIP@Qh0tbh*}v}89GTV@!4^fWJBW*(Jt z$b|*SC)rc^|mUP1<0KM@l7Ueoau*`xCP z={4*+!;gXyA(EAx`TH&V;z4=7TB_GnQxahhX$kC_T&&egM!e7tivscG8%rdn7m|bk z1BzE`ZMZ@z-9#@`h&~+s?{XH^D`1z#fi2|cQj8aF*ksKq%;-bdrdv$-j2frIq?0oD zBYUlz@Lk-&I>S3$w^DK9U!Bf>`IK(Y)*&IrQ76bN`eqGdI4`jdjOA>zaHk~}*k<+5 zGM7}Er_#ucl;AtvGf``5?GUY1ekY0)$*sqE#nN`AKTkpeBzhf90x$c$kF9-rPua>B zt_M-BQr(D6y5vjN@EfWY0)cJ4uwPtv5mk|q9Dy)KN;GucBV5Fd8Mh#G`lwAJ4YBbe zJB>FfwbPGjH;YYH=f~*45F1++5$>=^e8bVkZ4(YDE z8YrIS2)Fq@?m8*|KUnBhDKPEEgM(9zg@eQShXn@{8%K2u2WR_#aQGh}oEjWElD2(+ z73t|f%x9)rnS_0v$bxZj_CE5a4-gL}X-~YvSQ%DcvxpvAGshlD-8M(avRaZ^q1VBG zT0d$pinYQ+LA3|g!b~;l@BNRIHUed2&qR`eC~3EGvQ9NkrE!Bhn@NcvzU*KO{rEpJ zMt#G$j`s=>>^tmNj@7pn=Qm^f(1R#nW>2)517)njK*nCm8{`s1kTaJ48@eh-Z+&j) zl<+G?ZhKxi7#O#S7a%Gd|LDU?OXv?{W=w9KGnY+1^AUuWnwF zx63jFkNkbqD!N?U26&xPkC4IRvt>o(jWCMDd07#wbpim0Dx-~0Dkn@+RC*@VLy?>s z`@3Mmg)lZ3KKIc3EQ*Yla>W_sFY_i(zA@YWJui%n#fv)p?DQnAz|e8pp<0&K9;EZ# zdkgAwAdY7gEJUSdg!kS!6#RpVLgSnA;rphpPbA5oyR*ZyG3nj51a8mu|7?kv+<%u} 
z!Tqw>4MFur33Dk9US0%DxlwhqgmG#L|PUGX$zaoH(CX}-ud!)30@Z)I#-4bj#Z z7sZI=h8iJ=;Z5r~G^G1oh1j#yFoB$7j6mR1WOx{=}a2o-YvY`F_nJ22z|CGL^Y zCYZ;AgX{)-d-pW*{A=9-AA!Q9tnPZSl+z$Yhi-xb&0)+;G|Lr#$I;vpy)#ahNI++y zVB}%8yPZJ$CrfPEK>OLEQ|1{K97|8A$>=UinYsIs=<;?jC>`%w-NI&LXs>2l^Xub& ze*kCo`jfR$_|eqZ(ng9aBld;Y4-x)YkR+0#gP)~eBKiS|SBc5>0Xu-d2qXnIQZz9V zQ#-t%SDH?WYB`ZAGc|$9?kJvS2hbE72__6;Djy^>eaW-~#_{AIVaqO?4}eQk@*{1X zX?RgU7~Zaz{AXX1%FRK@inp_IBHqX?v0P;1!8os~UmySatmV+QnfbV@s? zJ*O+zm_DfompqYT1Zx9rZPv}vH^ihpo%(Lb#;#yc$0;=+;)>X6+`a4i8ymZZAS2;8 za`|9=I0-DXz$^A4BF1xgHvf4d%v%drFjBW}CifPF_P%x!A)NY;9i#om^cLZJy8J_O zb4@x2RAiBp9nM=6|Gn#9Y_!_HM9&3GNQ>vda||R{BxTH?Z#fa4;XJ4@S;a{yhL}1( zxe|rb3V(P;7q;G9RNEH& zI=xQ>uWZmVXT9S~tT|VSa5+jpF$?u5h^28- z*l2$3GTN-lqI9&aGytmX#WHJ6H03s8bKw~O)d{wU4&cOH+Lb;d!{4;Fk6PHUJC8VariFiOWB)$x(Yx3$J zSn;ix|D-!JwzUjjOXW`BAL=Z)oFD`>KBu{r$aY|c@yBTcT-p4_!R*5Qv*5Nx;)R0E za~_&BH)YZD#ZZXdC~v)(+I|q2R$F{|v_XXjkaAonK*^D=_ z?N49HxWR%IK-n7PfrxUE%&ku)$=CpEveruu!cPEh#sS=#1NKoC;uPj#1y!flL6i|u zgKcE_hs>()Jl4i@lF}mKDVjxSYPD6AsIRb`)(Kasp{@gd;FHPi7G2?ggbA<)B z$$*~x4Ku`CVS>@^s{>x#;n%SAuoER*W^;bk*&8x#3Hi3?A&g0L(`88mh1_F|qgO+L zemliiD&m)<&=;(6LjRt<&IN~(L<|WDA`U!lBAbrNMXNaV!)=+sfvFQ42TqvTA9c82QXDb2`mOm`6g zZ&%}RlxBRzWy57Y7tKIrWjMw7$b-0wEK%=>fdP<)wYvS2 zLN<*tHcVj(}0iO4H_SdF3qe6QX`vB%0YQLLe*xKA>p>t-2}Y$-Fj%+KE@39@XchrDzLdTbS}dTyLYT3J$$ z5}~G1JPL8x;}oin*k_wvw9Yl_W=##xu8&UFwM)p>%G~SlSfhh_aGszva^>f|MYFs+ zuE@4;lleZ!l3V?5UB;@;>iwg@5hTqw7QgLB`6NDrccXqx=j>{g1ou~>5UGh{2qGLfRha2<{oF4GsJ78nu1@#sRLN}p+|^>5fZ$ztNA2oS@a*E~r zCrev}P3&RwqvAOB(bjWWq&Le*ovUMpOJTlIqs+py)2GX%dh?P7`tak!o?FT6?0yvT zYtshgpn|MOHCky@h4U%kn~7wc6Gt142$uMusN!vqb3O;MwyT<{)0sH0XdK&w1mEc? 
zcwIrf@cwpte0cx&%nshx+K$V4tYYs{5vM?jn1YRDrHiv zo`v4SkhrA^5JmafVhu5K)AIu-2MWnlzv`S@f7rX&oKFK}3j0v&NXa+96tvA=A^ef9 z_F3Sz$Y>1PX%|G!qiYfQ6x$MS0qL{QjaCdv#Hd_Sm}^)cz@I%ks&=29dj&`83<$Rb zkN~9%C(PS=UevJWhFV*%x!lOWtof7`FwT}*%4@q(lO1U$>)QtBe&Amow=pP>Op`{6 z$gg#kn&tlcZ#B*Ji{Z_bGFOc@?FK0d6AfX%J={?itm%OwC(R`4>~+p_95_4#lo_$5 zO{oMdVEZ|euTT=eky(tbie^bT(tA7BvVQv=20bumibEyXpo!DJ`rDjuXm>~kt>aG2 z;mFzIp5CD!@SCbp+4L#Uy0CGD+1I`C^@U1eq1knz+)%~g7kyuu_y}xFo~;f0QozYh zxf)e6>tfOS-d4ug6D#W2*p8|O8a4&5u&0tvMg8VJVD*vAAsY#R+1UaQZvg)@#T2;n zJ?6&vy9rY-LQ26V=XE^iJBJZ?x+PC30>oiIojF-doNpbQdCI#kc<=X0M{(wYH_+RJ z;So`XR-M_Y^UEHrhocj6P`}8m4Fi_s+vGEV{m*={8y3c0Vw6jE%O#E2bz40bA(iUy z=1KC>Aof8w&F->V<+gm&yTiQM%9>_O_BVXY2K1HZVpA% z3c+lKzcHX3A_wFSV(GZzg8+@=lCoRxF^0T_>=tR$?FWLkNJrjb`Xz&X1G&KNj6o1dw{N;4mXSal$ zTZ|ZAj1ySQ<+Mj?v=@A?!GEQ0d(T)|??f*w&qE>4^C~x=XhpBr&!v;?fMPh}G7Y%j-r7B&VrC@@_$d65b^>d*LY0Y293f8Yb5L2e8)% zkLSpr=6bIkMldG^)x8M6h;ICNYPJG&dgXW|otwZLWr%5tEwX~Wd-kiw<$GbCG0Xs) zt-u`|zdgYa$R7*DDsQg6RaUklfn`PctFh=Xe3(RPEI{>To2@=)C zSktvc!`(Bb#bLG3_p1dq=D7o_jfruBL^^>C9m9N`qC7WB{HuGDS{ASEw&w*l=XgTY z&VrPj!a=pu+pN6Tn)g@yePSRg7Z98ak)JoH!`WBR+t5k_yLTMlg4SBJ$+{WboodWVD8$)u|)s@nG?y6_L9>s&z2G zUAzz)ow`{luvH+inP2HV`H@?T<8RyhvsJQ#ti!5z3#-V#SJ8*`BaIv(dK2R%=%xC> zN`_!*C%E_yZ!%YbXBS4-x_J~oh*1ZH{L2bajmQ9-KHD;`(NWAi=yqA_5^}7QG@bb{ z9(TzrRaUeL3ajB|Ho6~QXZ&G#F&3r#($^BR>#&H98}61c;^AJXl6(>j#v0Lu*k9Hr z0mxS@yVW|p?ki!OPCk|CYnNgp%gyEwTAc?nYO*g3VcR?G=W@y5K0&wVDvF2r@ieuC z8{prjp5{Hhq%Op;;?Z5w7kySLju#^BpNiZnip3+GDf>pv`C=}vc_YK4TxglZx{tpr zJmq#RC(ot8=px0O;?W#aqBmV<6+vJVKNmAZlm8@g+Du3MwR2u$9sjBahKC~J0 zZw&tqM1Syxv1kdjpo8?yzco(Tg(BK-IQw!2Z`p0}qM~4K=VgJTcdkm<2z&%rMV>j? 
z2$lgrUgLM2p*9038G?UJZ^tAaSlO^gKYWsx8`RKhiW=tWL>Z2mE31dCxq6&r6`V_R zL$hlbg8MZO41<^^{U;&qOJ)(YF>yz~G z1YW})N$kmXYaJa>Kz=?zD*5Eb?Na4Si=KR!TWUKuQ3r#!&R3VkRR?NKw*jQHvx&<@ zw_PaB2Qvp~W{F3~Yz>-Qu9s3S0}E2FkPs0`Tuy9%_plvGnfQ+#mVyeYxLb~JJz8Aq zgec_1TzJDsS3V!k+Z@9y`t_N&m%FzFj7HmZgk3Z`H?$TJ!=c{u*uypv;L^TX{};|T z?7{~~(>vmJ{B+ok?5k~7%Gy1`c$o{pc6WK9vviAo!0*~zA=fhEtIaT!wUb_rfmjU{ z7QY@s0Wn;2so#Zvxc_-K`%K`PSdT(mLxnObi-a_UA1y6NwO*mWrr{E|ZDJUKAG;k^ zr4j1ztA3CSR~P??tu!K{EcO> zDITCXbj7zfGz!Kf1#Ap$5e~8$EAQ+S_c@ug{!OH7ym=lvUJrcT^#7;$@{Xh40+v7Q zsr>!S)z)aKAs_TnLy_vqLyJzc(|f&?Htq=-w)h?&Q3B!HgQ$MjmDNM$IH4#cVxztl ziCy}Rsum`;ohnysgi=4!$o|o}HSj)EZsl31{j4B}jjg%w3?zqMBo;0dV+)Nww_|9q zv&85)VC6NxDHtdCh^)?y>z|PBLjBI75*lw>6mlpCbyvDyzVbMKJwNMydVcYILs167 zBjCgR?{A=gmEZq0|I1V8KSTbrH2gmaM9BZ23Q-w^^v{NaL-@C0|1J{Af2;oj#)#~X literal 0 HcmV?d00001 diff --git a/Solutions/AWS_AccessLogs/Package/mainTemplate.json b/Solutions/AWS_AccessLogs/Package/mainTemplate.json index 0fcf84cf70b..048b5ef2d2c 100644 --- a/Solutions/AWS_AccessLogs/Package/mainTemplate.json +++ b/Solutions/AWS_AccessLogs/Package/mainTemplate.json @@ -47,7 +47,7 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "AWS_AccessLogs", - "_solutionVersion": "3.0.1", + "_solutionVersion": "3.0.2", "solutionId": "azuresentinel.azure-sentinel-solution-awsaccesslogs", "_solutionId": "[variables('solutionId')]", "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", @@ -682,7 +682,7 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.1", + "version": "3.0.2", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "AWS_AccessLogs", From a7b44ecf8e6525967d57cd7ab5e3a61e7466c8c0 Mon Sep 17 00:00:00 2001 
From: v-ezequielbi
Date: Thu, 5 Feb 2026 14:32:36 -0600
Subject: [PATCH 2/3] Update ReleaseNotes with version 3.0.2 changes
---
 Solutions/AWS_AccessLogs/ReleaseNotes.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Solutions/AWS_AccessLogs/ReleaseNotes.md b/Solutions/AWS_AccessLogs/ReleaseNotes.md
index 2c12ea8fd37..13a4825b65c 100644
--- a/Solutions/AWS_AccessLogs/ReleaseNotes.md
+++ b/Solutions/AWS_AccessLogs/ReleaseNotes.md
@@ -1,4 +1,5 @@
 **Version** | **Date Modified (DD-MM-YYYY)**| **ChangeHistory** |
 |------------|-------------------------------|-------------------------------------------------------------------------------------------|
+| 3.0.2 | 02-05-2026 | Resolved vulnerability reported in AWS Access log in CloudFoundation template file. |
 | 3.0.1 | 10-06-2025 | AWS S3 Server Access Log CCF **Data Connector** Moving to GA. |
-| 3.0.0 | 08-08-2025 | Initial Solution Release.
New CCF **Data Connector** for AWS_AccessLogs. |
\ No newline at end of file
+| 3.0.0 | 08-08-2025 | Initial Solution Release.
New CCF **Data Connector** for AWS_AccessLogs. |
From c53fbc519f5af6835d9647dd52238f8212de3f8f Mon Sep 17 00:00:00 2001
From: maheshji001
Date: Fri, 6 Feb 2026 11:40:27 +0530
Subject: [PATCH 3/3] Fix release date in ReleaseNotes Correct the modification date for version 3.0.2 in Solutions/AWS_AccessLogs/ReleaseNotes.md, changing '02-05-2026' to '05-02-2026' to reflect the accurate date. No other content changes.
---
 Solutions/AWS_AccessLogs/ReleaseNotes.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Solutions/AWS_AccessLogs/ReleaseNotes.md b/Solutions/AWS_AccessLogs/ReleaseNotes.md
index 13a4825b65c..b7b0f96c0a2 100644
--- a/Solutions/AWS_AccessLogs/ReleaseNotes.md
+++ b/Solutions/AWS_AccessLogs/ReleaseNotes.md
@@ -1,5 +1,5 @@
 **Version** | **Date Modified (DD-MM-YYYY)**| **ChangeHistory** |
 |------------|-------------------------------|-------------------------------------------------------------------------------------------|
-| 3.0.2 | 02-05-2026 | Resolved vulnerability reported in AWS Access log in CloudFoundation template file. |
+| 3.0.2 | 05-02-2026 | Resolved vulnerability reported in AWS Access log in CloudFoundation template file. |
 | 3.0.1 | 10-06-2025 | AWS S3 Server Access Log CCF **Data Connector** Moving to GA. |
 | 3.0.0 | 08-08-2025 | Initial Solution Release.
New CCF **Data Connector** for AWS_AccessLogs. |