@hulumi/baseline: AccountFoundation audit-delivery S3 bucket could be silently weakened
🔗 CVE IDs covered (1)
📋 Description
Affected: @hulumi/baseline < 1.4.0 — Fixed in: 1.4.0 — Severity: High — CWE-1059 (Insufficient Technical Documentation / Behavioral Inconsistency)
Summary
The S3 bucket that AccountFoundation creates to receive CloudTrail and AWS Config audit logs is meant to be tamper-resistant — if someone with delete access can erase from it, the forensic trail is gone. There were three independent ways the protection could be silently weakened:
- No Write-Once-Read-Many on the startup-hardened audit bucket. The startup-hardened tier hard-coded
objectLock: falseon the audit bucket. (The reason was real — bucket-wide Object Lock blocks an AWS Config write-then-delete probe — but the fix was a sledgehammer that disabled WORM for all objects, not just the probe key.) forceDestroywas forwarded to the audit bucket. Nothing prevented a downstream stack from settinglogBucketForceDestroy: true, which madepulumi destroypurge every audit-log object on teardown.- Sandbox tier dropped everything. Sandbox-tier
AccountFoundationcreated its audit bucket withtier: "sandbox", which skipped Object Lock, server access logging, AND the CloudTrail-LakeEventDataStore(the independent immutable mirror) — leaving sandbox accounts with no audit immutability at all.
Impact
Consumers using AccountFoundation could ship an AWS account whose CloudTrail / Config audit logs were deletable by any S3-delete-capable principal — while believing the startup-hardened tier guaranteed tamper-resistance. Sandbox-tier deployments had no audit immutability at all (defects 1 and 3 compounded).
Patches
Upgrade to @hulumi/[email protected]. A single invariant in SecureBucket now fires whenever the bucket actually backs CloudTrail/Config delivery (i.e. awsServiceLogDelivery.cloudTrail === true || .config === true):
- refuses
forceDestroy: trueon the startup-hardened tier; - emits the CloudTrail-Lake
EventDataStoreregardless of parent tier (so sandbox accounts regain immutable audit capture); - adds a deny-
s3:DeleteObject*bucket-policy statement scoped to the CloudTrail and Config history/snapshot prefixes (a retention floor on the audit objects). The deny excludes the AWS ConfigConfigWritabilityCheckFileprobe key so Config's write-then-delete still works, which is why bucket-wide Object Lock is intentionally NOT re-enabled.
Workarounds
Replicating audit logs out-of-account to an Object-Locked archive bucket partially mitigates while you upgrade.
Resources
- PR #178 (Cluster C); see CHANGELOG
### Migrationfor theforceDestroybehaviour change.
🎯 Affected products1
- npm/@hulumi/baseline:< 1.4.0