aws-samples / amazon-cloudfront-waf-secretsmanager
Enhance Amazon CloudFront Origin Security with AWS WAF and AWS Secrets Manager
License: MIT No Attribution
Hello,
I came across an issue with the IAM policy used for the lambda function when it attempted to update the managed rule set on the managed rule set.
This is the error I received:
Error: An error occurred (AccessDeniedException) when calling the UpdateWebACL operation: User: arn:aws:sts::xxxxxxxxxxx:assumed-role/xxxxxxxxxxx/xxxxxxxxxxx is not authorized to perform: wafv2:UpdateWebACL on resource: arn:aws:wafv2:ap-southeast-2:xxxxxxxxxxx:regional/managedruleset/
To overcome this issue, I applied the following to the CFN template.
Is my workaround the best approach and is this expected behaviour?
AMI needs to be updated to python3.9 in CloudFormation Template
AMIInfoFunction | CREATE_FAILED | Resource handler returned message: "The runtime parameter of python3.6 is no longer supported for creating or updating AWS Lambda functions. We recommend you use the new runtime (python3.9) while creating or updating functions. (Service: Lambda, Status Code: 400, Request ID: bc6fd4aa-0dd1-4ea2-9242-76d4f0fb323e)" (RequestToken: 123cf4a1-1802-2814-db2d-a7d59a5ba8d1, HandlerErrorCode: InvalidRequest)
Hi,
I was testing the SM only deployment of this solution and found that the IAM policy in the template wasn't able to create the CloudWatch log group for the lambda function.
After reviewing I found that the IAM policy is limited to the resource that it is trying to create but can't do so because of the restricted access.
To get around this issue, I modified the IAM policy to the following:
- Effect: Allow
  Action:
    - logs:CreateLogGroup
  Resource: '*'
- Effect: Allow
  Action:
    - logs:CreateLogStream
    - logs:PutLogEvents
    - logs:DescribeLogStreams
  Resource: !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/OriginSecretRotateFunction'
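As an added illustration (not code from the repository or from either issue reporter), a small Python checker that applies IAM-style wildcard matching to the statements above and reports which of the rotation function's runtime calls they do not cover. The region, account ID and log-stream name are constructed placeholders, and explicit Deny is modelled but conditions are not.

```python
import re

def iam_match(pattern: str, value: str) -> bool:
    """IAM-style wildcard match: '*' is any run of characters (':' and '/' included), '?' is one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def is_allowed(statements, action: str, resource: str) -> bool:
    """One call against a list of statements: an explicit Deny wins, otherwise any matching Allow grants.
    Actions compare case-insensitively and resource ARNs case-sensitively, as IAM does."""
    as_list = lambda v: v if isinstance(v, list) else [v]
    allowed = False
    for stmt in statements:
        act_hit = any(iam_match(a.lower(), action.lower()) for a in as_list(stmt["Action"]))
        res_hit = any(iam_match(r, resource) for r in as_list(stmt["Resource"]))
        if act_hit and res_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def missing_permissions(statements, required):
    """Return the (action, resource) pairs the statements do not grant."""
    return [(a, r) for a, r in required if not is_allowed(statements, a, r)]

# Constructed placeholders standing in for ${AWS::Region} / ${AWS::AccountId} in the !Sub above.
REGION, ACCOUNT = "ap-southeast-2", "111111111111"
LOG_GROUP = f"arn:aws:logs:{REGION}:{ACCOUNT}:log-group:/aws/lambda/OriginSecretRotateFunction"
LOG_STREAM = LOG_GROUP + ":log-stream:2024/01/01/[$LATEST]0123456789abcdef"  # constructed stream name

# The reporter's modified statements from the issue, with the !Sub rendered.
ISSUE_POLICY = [
    {"Effect": "Allow", "Action": ["logs:CreateLogGroup"], "Resource": "*"},
    {"Effect": "Allow", "Resource": LOG_GROUP,
     "Action": ["logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogStreams"]},
]

# Calls the rotation function makes at runtime, each with the ARN IAM authorizes it against.
# CreateLogGroup/CreateLogStream/DescribeLogStreams target the log-group ARN; PutLogEvents targets
# the log-stream ARN, which an exact log-group ARN does not match (a ':*' suffix on it would).
REQUIRED = [
    ("logs:CreateLogGroup", LOG_GROUP),
    ("logs:CreateLogStream", LOG_GROUP),
    ("logs:PutLogEvents", LOG_STREAM),
    ("wafv2:UpdateWebACL", f"arn:aws:wafv2:{REGION}:{ACCOUNT}:regional/managedruleset/"),  # from the first issue
]
if __name__ == "__main__":
    for action, arn in missing_permissions(ISSUE_POLICY, REQUIRED):
        print(f"NOT GRANTED: {action} on {arn}")
```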