include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

For https://aws.amazon.com/s3/[Amazon S3 access requests]:

[source,yaml]
----
AWSTemplateFormatVersion: 2010-09-09
Resources:
  S3Bucket:
    Type: 'AWS::S3::Bucket' # Sensitive
    Properties: 
      BucketName: "mynoncompliantbucket"
----

For https://aws.amazon.com/api-gateway/[Amazon API Gateway] stages:

[source,yaml]
----
AWSTemplateFormatVersion: 2010-09-09
Resources:
  Prod: # Sensitive
    Type: AWS::ApiGateway::Stage
    Properties:
      StageName: Prod
      Description: Prod Stage
      TracingEnabled: false # Sensitive
----

For https://aws.amazon.com/neptune/[Amazon Neptune] clusters:

[source,yaml]
----
AWSTemplateFormatVersion: 2010-09-09
Resources:
  Cluster:
    Type: AWS::Neptune::DBCluster
    Properties:
      EnableCloudwatchLogsExports: []  # Sensitive
----

For https://aws.amazon.com/msk/[Amazon MSK] broker logs:

[source,yaml]
----
AWSTemplateFormatVersion: 2010-09-09
Resources:
  SensitiveCluster:
    Type: 'AWS::MSK::Cluster'
    Properties:
      ClusterName: Sensitive Cluster
      LoggingInfo:
        BrokerLogs: # Sensitive
          CloudWatchLogs:
            Enabled: false
            LogGroup: CWLG
          Firehose:
            DeliveryStream: DS
            Enabled: false
----

For https://aws.amazon.com/documentdb/[Amazon DocDB]:

[source,yaml]
----
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  DocDBOmittingLogs: # Sensitive
    Type: "AWS::DocDB::DBCluster"
    Properties:
      DBClusterIdentifier : "DB Without Logs"
----

For https://aws.amazon.com/amazon-mq/[Amazon MQ]:

[source,yaml]
----
AWSTemplateFormatVersion: 2010-09-09
Resources:
  Broker:
    Type: AWS::AmazonMQ::Broker
    Properties:
      Logs:  # Sensitive
        Audit: false
        General: false
----

For https://aws.amazon.com/redshift/[Amazon Redshift]:

[source,yaml]
----
AWSTemplateFormatVersion: 2010-09-09
Resources:
  ClusterOmittingLogging: # Sensitive
    Type: "AWS::Redshift::Cluster"
    Properties:
      DBName: "Redshift Warehouse Cluster"
----     
      
For https://aws.amazon.com/opensearch-service/[Amazon OpenSearch] service or Amazon Elasticsearch service:

[source,yaml]
----
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  OpenSearchServiceDomain:
    Type: 'AWS::OpenSearchService::Domain'
    Properties:
      LogPublishingOptions: # Sensitive
        ES_APPLICATION_LOGS:
          CloudWatchLogsLogGroupArn: 'arn:aws:logs:us-east-1:1234:log-group:es-application-logs'
          Enabled: true
        INDEX_SLOW_LOGS:
          CloudWatchLogsLogGroupArn: 'arn:aws:logs:us-east-1:1234:log-group:es-index-slow-logs'
          Enabled: true
----

For https://aws.amazon.com/cloudfront/[Amazon CloudFront] distributions:

[source,yaml]
----
AWSTemplateFormatVersion: 2010-09-09
Resources:
  CloudFrontDistribution: # Sensitive
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        DefaultRootObject: "index.html"
----

For https://aws.amazon.com/elasticloadbalancing/[Amazon Elastic Load Balancing]:

[source,yaml]
----
AWSTemplateFormatVersion: 2010-09-09
Resources:
  LoadBalancer:
      Type: AWS::ElasticLoadBalancing::LoadBalancer
      Properties:
        AccessLoggingPolicy:
          Enabled: false # Sensitive
----

For https://aws.amazon.com/elasticloadbalancing/[Amazon Load Balancing (v2)]:

[source,yaml]
----
AWSTemplateFormatVersion: 2010-09-09
Resources:
  ApplicationLoadBalancer:
   Type: AWS::ElasticLoadBalancingV2::LoadBalancer
   Properties:
     Name: CompliantLoadBalancer
     LoadBalancerAttributes:
       - Key: "access_logs.s3.enabled"
         Value: false # Sensitive
----

== Compliant Solution

For https://aws.amazon.com/s3/[Amazon S3 access requests]:

[source,yaml]
----
AWSTemplateFormatVersion: 2010-09-09
Resources:
  S3BucketLogs:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: "mycompliantloggingbucket"
      AccessControl: LogDeliveryWrite

  S3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: "mycompliantbucket"
      LoggingConfiguration:
        DestinationBucketName: !Ref S3BucketLogs
        LogFilePrefix: testing-logs
----

For https://aws.amazon.com/api-gateway/[Amazon API Gateway] stages:

[source,yaml]
----
AWSTemplateFormatVersion: 2010-09-09
Resources:
  Prod:
    Type: AWS::ApiGateway::Stage
    Properties:
      StageName: Prod
      Description: Prod Stage
      TracingEnabled: true
      AccessLogSetting:
        DestinationArn: "arn:aws:logs:eu-west-1:123456789:test"
        Format: "..."
----

For https://aws.amazon.com/neptune/[Amazon Neptune] clusters:

[source,yaml]
----
AWSTemplateFormatVersion: 2010-09-09
Resources:
  Cluster:
    Type: AWS::Neptune::DBCluster
    Properties:
      EnableCloudwatchLogsExports: ["audit"]
----

For https://aws.amazon.com/msk/[Amazon MSK] broker logs:
[source,yaml]
----
AWSTemplateFormatVersion: 2010-09-09
Resources:
  SensitiveCluster:
    Type: 'AWS::MSK::Cluster'
    Properties:
      ClusterName: Sensitive Cluster
      LoggingInfo:
        BrokerLogs:
          Firehose:
            DeliveryStream: DS
            Enabled: true
          S3:
            Bucket: Broker Logs
            Enabled: true
            Prefix: "logs/msk-brokers-"
----

For https://aws.amazon.com/documentdb/[Amazon DocDB]:

[source,yaml]
----
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  DocDBWithLogs:
    Type: "AWS::DocDB::DBCluster"
    Properties:
      DBClusterIdentifier : "DB With Logs"
      EnableCloudwatchLogsExports:
         - audit
----

For https://aws.amazon.com/amazon-mq/[Amazon MQ] enable `Audit` or `General`:

[source,yaml]
----
AWSTemplateFormatVersion: 2010-09-09
Resources:
  Broker:
    Type: AWS::AmazonMQ::Broker
    Properties:
      Logs:
        Audit: true
        General: true
----        
        
For https://aws.amazon.com/redshift/[Amazon Redshift]:


[source,yaml]
----
AWSTemplateFormatVersion: 2010-09-09
Resources:
  CompliantCluster:
    Type: "AWS::Redshift::Cluster"
    Properties:
      DBName: "Redshift Warehouse Cluster"
      LoggingProperties:
        BucketName: "Infra Logs"
        S3KeyPrefix: "log/redshift-"
----

For https://aws.amazon.com/opensearch-service/[Amazon OpenSearch] service, or Amazon Elasticsearch service:

[source,yaml]
----
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  OpenSearchServiceDomain:
    Type: 'AWS::OpenSearchService::Domain'
    Properties:
      LogPublishingOptions:
        AUDIT_LOGS:
          CloudWatchLogsLogGroupArn: 'arn:aws:logs:us-east-1:1234:log-group:es-audit-logs'
          Enabled: true
----

For https://aws.amazon.com/cloudfront/[Amazon CloudFront] distributions:

[source,yaml]
----
AWSTemplateFormatVersion: 2010-09-09
Resources:
  CloudFrontDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        DefaultRootObject: "index.html"
        Logging:
          Bucket: "mycompliantbucket"
          Prefix: "log/cloudfront-"
----

For https://aws.amazon.com/elasticloadbalancing/[Amazon Elastic Load Balancing]:

[source,yaml]
----
AWSTemplateFormatVersion: 2010-09-09
Resources:
  LoadBalancer:
      Type: AWS::ElasticLoadBalancing::LoadBalancer
      Properties:
        AccessLoggingPolicy:
          Enabled: true
          S3BucketName: mycompliantbucket
          S3BucketPrefix: "log/loadbalancer-"
----

For https://aws.amazon.com/elasticloadbalancing/[Amazon Load Balancing (v2)]:

[source,yaml]
----
AWSTemplateFormatVersion: 2010-09-09
Resources:
  ApplicationLoadBalancer:
   Type: AWS::ElasticLoadBalancingV2::LoadBalancer
   Properties:
     Name: CompliantLoadBalancer
     LoadBalancerAttributes:
       - Key: "access_logs.s3.enabled"
         Value: true
       - Key: "access_logs.s3.bucket"
         Value: "mycompliantbucket"
       - Key: "access_logs.s3.prefix"
         Value: "log/elbv2-"
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

endif::env-github,rspecator-view[]