aws-samples / amazon-cloudfront-waf-secretsmanager Goto Github PK

AMI needs to be updated to python3.9 in CloudFormation Template

AMIInfoFunction	CREATE_FAILED	Resource handler returned message: "The runtime parameter of python3.6 is no longer supported for creating or updating AWS Lambda functions. We recommend you use the new runtime (python3.9) while creating or updating functions. (Service: Lambda, Status Code: 400, Request ID: bc6fd4aa-0dd1-4ea2-9242-76d4f0fb323e)" (RequestToken: 123cf4a1-1802-2814-db2d-a7d59a5ba8d1, HandlerErrorCode: InvalidRequest)

Hello,

I can across an issue with the IAM policy used for the lamba function when it attempted to update the managed rule set on the managed rule set.

This is the error I received:
Error: An error occurred (AccessDeniedException) when calling the UpdateWebACL operation: User: arn:aws:sts::xxxxxxxxxxx:assumed-role/xxxxxxxxxxx/xxxxxxxxxxx is not authorized to perform: wafv2:UpdateWebACL on resource: arn:aws:wafv2:ap-southeast-2:xxxxxxxxxxx:regional/managedruleset/

To overcome this issue, I applied the following to the CFN template.

• Effect: Allow
  Action:
  • wafv2:UpdateWebACL
    Resource: !Sub 'arn:aws:wafv2:${AWS::Region}:${AWS::AccountId}:regional/managedruleset/*'

Is my workaround the best approach and is this expected behaviour?

Hi,

I was testing the SM only deployment of this solution and found that the IAM policy in the template wasn't able to create the CloudWatch log group for the lambda function.

After reviewing I found that the IAM policy is limited to the resource that it is trying to create but can't do so because of the restricted access.

To get around this issue, I modified the IAM policy to the following:
- Effect: Allow
Action:
- logs:CreateLogGroup
Resource: '*'
- Effect: Allow
Action:
- logs:CreateLogStream
- logs:PutLogEvents
- logs:DescribeLogStreams
Resource: !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/OriginSecretRotateFunction'