fix(cloudformation): use AWS::Partition for CSPM SecurityAudit ARN#6726
Open
gsarantid wants to merge 1 commit into
Conversation
Replace hardcoded `arn:aws:` partition with the `${AWS::Partition}`
pseudo-parameter in the four CSPM agent-based CloudFormation templates so
they deploy successfully in both commercial AWS and AWS GovCloud
(`aws-us-gov`) regions without requiring separate templates.
Affected templates:
- elastic-agent-ec2-cspm.yml
- elastic-agent-ec2-cspm-organization.yml
- elastic-agent-direct-access-key-cspm.yml
- elastic-agent-direct-access-key-cspm-organization.yml
Resolves elastic/security-team#17710
Co-authored-by: Cursor <cursoragent@cursor.com>
This pull request does not have a backport label. Could you fix it @gsarantid? 🙏
Summary of your changes

Replace hardcoded `arn:aws:` partition with the `${AWS::Partition}` pseudo-parameter in the four CSPM agent-based CloudFormation templates so they deploy successfully in both commercial AWS and AWS GovCloud (`aws-us-gov`) regions without requiring separate templates. Each occurrence is swapped from:

to:

CloudFormation resolves `${AWS::Partition}` to `aws`, `aws-us-gov`, or `aws-cn` automatically based on the deployment region, so commercial deployments are unaffected.

Affected templates (6 line swaps total):
- deploy/cloudformation/elastic-agent-ec2-cspm.yml
- deploy/cloudformation/elastic-agent-ec2-cspm-organization.yml
- deploy/cloudformation/elastic-agent-direct-access-key-cspm.yml
- deploy/cloudformation/elastic-agent-direct-access-key-cspm-organization.yml

Out of scope (deliberately not touched):
- `cloud-connectors-*.yml` — agentless / identity-federation flow, excluded per the linked issue.
- `deploy/asset-inventory-cloudformation/*` — not CSPM.
- console.aws.amazon.com. GovCloud customers will need to manually open console.amazonaws-us-gov.com and paste the S3 template URL. The template fix unblocks them, but a one-click GovCloud UX is a separate follow-up.

Static verification already performed
- `pre-commit run --files <the 4 templates>` — `cfn-python-lint` and `rain fmt` both pass; `rain fmt` made no formatting changes (the `!Sub '...'` form is already canonical).
- `aws cloudformation validate-template --template-body file://<path>` for each of the 4 files — all return valid Parameters/Capabilities, no errors.
- `git diff --stat` confirms exactly 6 insertions / 6 deletions, no collateral changes.

Deployment verification

Commercial AWS (regression) — completed for `elastic-agent-ec2-cspm.yml`:
- Account: `elastic-security-cloud-security-dev` (704479110758), region `us-east-1`, branch HEAD.
- Stack created via `aws cloudformation create-stack --template-body file://deploy/cloudformation/elastic-agent-ec2-cspm.yml ...` with parameters mirroring those Kibana's "Launch CloudFormation" deep-link pre-populates (fleet URL, enrollment token, agent version 9.4.2, default AMI / m6g.xlarge).
- Stack reaches `CREATE_COMPLETE`.
- `ElasticAgentRole` resource created; `${AWS::Partition}` resolves to `aws` in `us-east-1`.
- `SecurityAudit` managed policy attaches with the resolved ARN, verified via `aws iam list-attached-role-policies`:

  Byte-for-byte identical to the previous hardcoded form — zero regression in the standard partition.
- EC2 launches, agent installs and enrolls into Fleet, and `cfn-signal --exit-code 0` fires within the `PT10M` `CreationPolicy.ResourceSignal` window.

The other three modified templates (`elastic-agent-ec2-cspm-organization.yml`, `elastic-agent-direct-access-key-cspm.yml`, `elastic-agent-direct-access-key-cspm-organization.yml`) carry the identical single-line `!Sub 'arn:${AWS::Partition}:iam::aws:policy/SecurityAudit'` substitution with no other differences vs. their prior `arn:aws:...` form. Because the substitution is identical and CloudFormation's pseudo-parameter resolution is deterministic per region, the regression risk is bounded to the substitution itself.

Still pending:
- `aws-us-gov` deployment — blocked on GovCloud account access. This is the fix-verification half and is what actually exercises `${AWS::Partition}` producing a different value (`arn:aws-us-gov:...`). Will follow up once creds are available.

Related Issues

Checklist

The "tests" box reflects the static checks above (`cfn-lint` + `aws cloudformation validate-template`); no new automated test was added because the change is a one-line per-file partition substitution with no runtime branching to cover. README is unchanged because the integration manifest and S3 keys are unchanged.
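An added example, not code from this PR or from the cloudbeat repository: a small Python check for the class of defect the PR fixes. The PR adds no automated test because the change is a single substitution, so this is the pre-commit-style check a reviewer might want alongside cfn-lint: find ARN literals that pin a partition, rewrite the bare `- arn:aws:...` sequence item into the `!Sub 'arn:${AWS::Partition}:...'` form the PR uses, and mimic CloudFormation's per-region resolution so the `us-east-1` result can be compared with `us-gov-west-1`. The two template snippets, the function names, and the region-prefix rule (`us-gov-*` resolves to `aws-us-gov`, `cn-*` to `aws-cn`, everything else to `aws`) are this example's own assumptions, not the project's.

```python
"""Hardcoded-partition check for CloudFormation templates.

Added example for this PR page; it is not code from the cloudbeat project.
It finds ARN literals that pin a partition (``arn:aws:`` and friends),
rewrites the plain-scalar form the CSPM templates use into the
``!Sub 'arn:${AWS::Partition}:...'`` form, and mimics CloudFormation's
per-region resolution so the commercial and GovCloud results can be
compared. The sample template below is constructed for the example.
"""
import re
import sys

# Any ARN literal that pins a partition. ``arn:aws:`` is the defect this PR
# fixes; a template that pins ``aws-us-gov`` or ``aws-cn`` is just as
# non-portable, so all three are flagged.
HARDCODED_PARTITION = re.compile(r"\barn:(?:aws|aws-us-gov|aws-cn):")

# A YAML sequence item that is a bare ARN scalar, e.g.
#   - arn:aws:iam::aws:policy/SecurityAudit
PINNED_ARN_ITEM = re.compile(
    r"^(?P<indent>\s*-\s+)(?P<arn>arn:(?:aws|aws-us-gov|aws-cn):\S+)\s*$"
)

# Constructed "before" template (not the real cloudbeat file): the shape of
# an IAM role whose managed policy ARN is pinned to the commercial partition.
BEFORE = """\
Resources:
  ElasticAgentRole:
    Type: AWS::IAM::Role
    Properties:
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/SecurityAudit
"""


def partition_for_region(region: str) -> str:
    """Partition that ${AWS::Partition} resolves to in ``region``.

    Assumed rule: GovCloud regions start with ``us-gov-``, China regions
    with ``cn-``; every other region is the commercial ``aws`` partition.
    """
    if region.startswith("us-gov-"):
        return "aws-us-gov"
    if region.startswith("cn-"):
        return "aws-cn"
    return "aws"


def find_hardcoded_partitions(template_text: str) -> list[tuple[int, str]]:
    """(line number, stripped line) for every line that pins a partition."""
    return [
        (lineno, line.strip())
        for lineno, line in enumerate(template_text.splitlines(), start=1)
        if HARDCODED_PARTITION.search(line)
    ]


def make_partition_neutral(template_text: str) -> str:
    """Rewrite bare ``- arn:<partition>:...`` items to the !Sub form.

    Only the plain-scalar sequence item is handled (the form the CSPM
    templates use). ARNs embedded in Fn::Join or inside quoted strings are
    still reported by find_hardcoded_partitions() but left for a human.
    """
    out = []
    for line in template_text.splitlines():
        match = PINNED_ARN_ITEM.match(line)
        if match:
            # Drop "arn:<partition>:" and re-emit with the pseudo-parameter.
            rest = match.group("arn").split(":", 2)[2]
            line = f"{match.group('indent')}!Sub 'arn:${{AWS::Partition}}:{rest}'"
        out.append(line)
    return "\n".join(out) + "\n"


def resolve_sub(value: str, region: str) -> str:
    """Mimic what CloudFormation does to a !Sub string at deploy time."""
    return value.replace("${AWS::Partition}", partition_for_region(region))


if __name__ == "__main__":
    # Lint the template paths given on the command line, or the sample.
    paths = sys.argv[1:]
    texts = {p: open(p, encoding="utf-8").read() for p in paths} or {"<sample>": BEFORE}
    status = 0
    for path, text in texts.items():
        for lineno, line in find_hardcoded_partitions(text):
            print(f"{path}:{lineno}: hardcoded partition: {line}")
            status = 1
    # Show the rewritten sample and what the !Sub resolves to per region.
    print(make_partition_neutral(BEFORE))
    neutral = "arn:${AWS::Partition}:iam::aws:policy/SecurityAudit"
    for region in ("us-east-1", "us-gov-west-1", "cn-north-1"):
        print(f"{region}: {resolve_sub(neutral, region)}")
    sys.exit(status)
```

Run it with the four template paths to lint them, or with no arguments to see the constructed sample rewritten and resolved; the non-zero exit on a hit is what makes it usable as a pre-commit hook next to cfn-lint, which is the regression guard this PR otherwise leaves to reviewers.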