Skip to content

Fixed the vulnerability reported by the MSRC team in the AWSSEServerAccessAndConfig cloud formation template file related to the SQS and Bucket hardcoded default name. #13580

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
v-ezequielbi wants to merge 3 commits into
base: master
Choose a base branch
from
+77 −29
Open

Fixed the vulnerability reported by the MSRC team in the AWSSEServerAccessAndConfig cloud formation template file related to the SQS and Bucket hardcoded default name. #13580

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
50259f9
Fixed the vulnerability reported by the MSRC team in the AWSSEServerA…
v-ezequielbi Feb 5, 2026
a7b44ec
Update ReleaseNotes with version 3.0.2 changes
v-ezequielbi Feb 5, 2026
c53fbc5
Fix release date in ReleaseNotes
v-maheshbh Feb 6, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
99 changes: 73 additions & 26 deletions Solutions/AWS_AccessLogs/CloudFormationTemplates/AWSS3ServerAccessAndConfig.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,14 +10,18 @@
},
"BucketName": {
"Type": "String",
"MinLength": "3",
"MaxLength": "63",
"AllowedPattern": "^[a-z0-9][a-z0-9-.]{1,61}[a-z0-9]$",
"Description": "Enter the name of the S3 bucket for storing server access logs.",
"Default": "microsoft-sentinel-s3-server-logs"
"ConstraintDescription": "S3 bucket name is required. Must be 3-63 characters, lowercase letters, numbers, dots, and hyphens only. Must start and end with letter or number.",
"Description": "Enter a unique S3 bucket name for storing server access logs. Bucket name must be globally unique."
},
"SentinelSQSQueueName": {
"Default": "MicrosoftSentinelS3ServerAccessLogsQueue",
"Type": "String",
"Description": "Enter the name for the SQS Queue."
"MinLength": "1",
"MaxLength": "80",
"ConstraintDescription": "SQS queue name is required. Must be 1-80 characters.",
"Description": "Enter a unique SQS queue name."
},
"SentinelWorkspaceId": {
"Type": "String",
Expand Down Expand Up @@ -87,11 +91,11 @@
"DeletionPolicy": "Retain",
"Properties": {
"BucketName": {
"Fn::Sub": "${BucketName}"
"Ref": "BucketName"
},
"LoggingConfiguration": {
"DestinationBucketName": {
"Fn::Sub": "${BucketName}"
"Ref": "BucketName"
},
"LogFilePrefix": "server-logs/"
},
Expand Down Expand Up @@ -137,12 +141,26 @@
},
"Action": "s3:PutObject",
"Resource": {
"Fn::Sub": "arn:aws:s3:::${BucketName}/*"
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"S3Bucket",
"Arn"
]
},
"/*"
]
]
},
"Condition": {
"ArnLike": {
"aws:SourceArn": {
"Fn::Sub": "arn:aws:s3:::${BucketName}"
"Fn::GetAtt": [
"S3Bucket",
"Arn"
]
}
}
}
Expand All @@ -157,7 +175,18 @@
},
"Action": "s3:GetObject",
"Resource": {
"Fn::Sub": "arn:aws:s3:::${BucketName}/*"
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"S3Bucket",
"Arn"
]
},
"/*"
]
]
}
}
]
Expand All @@ -168,7 +197,7 @@
"Type": "AWS::SQS::Queue",
"Properties": {
"QueueName": {
"Fn::Sub": "${SentinelSQSQueueName}"
"Ref": "SentinelSQSQueueName"
}
}
},
Expand All @@ -179,42 +208,53 @@
"Version": "2008-10-17",
"Statement": [
{
"Sid": "StmtAllowReceiveDeleteChangeVisibility",
"Sid": "AllowS3ToSendToQueue",
"Effect": "Allow",
"Principal": {
"Service": "s3.amazonaws.com"
},
"Action": [
"SQS:ReceiveMessage",
"SQS:DeleteMessage",
"SQS:ChangeMessageVisibility"
],
"Action": "SQS:SendMessage",
"Resource": {
"Fn::GetAtt": [
"SentinelSQSQueue",
"Arn"
]
},
"Condition": {
"StringEquals": {
"aws:SourceAccount": {
"Ref": "AWS::AccountId"
}
},
"ArnLike": {
"aws:SourceArn": {
"Fn::Sub": "arn:aws:s3:::*"
}
}
}
},
{
"Sid": "AllowS3ToSendToQueue",
"Sid": "AllowSentinelRoleToReadFromQueue",
"Effect": "Allow",
"Principal": {
"Service": "s3.amazonaws.com"
"AWS": {
"Fn::GetAtt": [
"SentinelWebIdentityBasedRole",
"Arn"
]
}
},
"Action": "SQS:SendMessage",
"Action": [
"SQS:ReceiveMessage",
"SQS:DeleteMessage",
"SQS:ChangeMessageVisibility",
"SQS:GetQueueUrl"
],
"Resource": {
"Fn::GetAtt": [
"SentinelSQSQueue",
"Arn"
]
},
"Condition": {
"ArnLike": {
"aws:SourceArn": {
"Fn::Sub": "arn:aws:s3:::${BucketName}"
}
}
}
}
]
Expand All @@ -237,6 +277,13 @@
},
"Description": "Role ARN for Sentinel Role that is inserted into Amazon Web Service S3 Connector in the Sentinel Data Connectors portal."
},
"S3BucketName": {
"Value": {
"Ref": "S3Bucket"
},
"Description": "S3 Bucket name where server access logs are stored.",
"Condition": "CreateNewBucketCondition"
},
"SentinelSQSQueueURL": {
"Description": "AWS SQS Queue URL that is inserted into Amazon Web Service S3 Connector in the Sentinel Data Connectors portal.",
"Value": {
Expand Down
Binary file added Solutions/AWS_AccessLogs/Package/3.0.2.zip
View file
Open in desktop
Binary file not shown.
4 changes: 2 additions & 2 deletions Solutions/AWS_AccessLogs/Package/mainTemplate.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,7 +47,7 @@
"email": "support@microsoft.com",
"_email": "[variables('email')]",
"_solutionName": "AWS_AccessLogs",
"_solutionVersion": "3.0.1",
"_solutionVersion": "3.0.2",
"solutionId": "azuresentinel.azure-sentinel-solution-awsaccesslogs",
"_solutionId": "[variables('solutionId')]",
"workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
Expand Down Expand Up @@ -682,7 +682,7 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
"version": "3.0.1",
"version": "3.0.2",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "AWS_AccessLogs",
Expand Down
3 changes: 2 additions & 1 deletion Solutions/AWS_AccessLogs/ReleaseNotes.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
**Version** | **Date Modified (DD-MM-YYYY)**| **ChangeHistory** |
|------------|-------------------------------|-------------------------------------------------------------------------------------------|
| 3.0.2 | 05-02-2026 | Resolved vulnerability reported in AWS Access log in CloudFoundation template file. |
| 3.0.1 | 10-06-2025 | AWS S3 Server Access Log CCF **Data Connector** Moving to GA. |
| 3.0.0 | 08-08-2025 | Initial Solution Release. <br/>New CCF **Data Connector** for AWS_AccessLogs. |
| 3.0.0 | 08-08-2025 | Initial Solution Release. <br/>New CCF **Data Connector** for AWS_AccessLogs. |
Loading