Skip to content

Add CloudFormation IaC for AWS S3 data connector#14557

Merged
v-atulyadav merged 2 commits into
Azure:masterfrom
KanenasCS:aws-s3-iac-deployment
Jul 1, 2026
Merged

Add CloudFormation IaC for AWS S3 data connector#14557
v-atulyadav merged 2 commits into
Azure:masterfrom
KanenasCS:aws-s3-iac-deployment

Conversation

@KanenasCS

Copy link
Copy Markdown
Contributor

Added CloudFormation Infrastructure-as-Code scripts for the Amazon Web Services S3 data connector.
Added automated deployment support for the required AWS-side resources used by the Microsoft Sentinel Amazon Web Services S3 connector.
Added configuration for the required AWS resources, including S3/SQS-related components and IAM permissions required by the connector.
Added deployment outputs required for the Microsoft Sentinel connector configuration, such as the relevant AWS resource identifiers.
Added/updated documentation to describe prerequisites, deployment steps, parameters, outputs, and validation steps.

Reason for Change(s):

The existing Amazon Web Services S3 data connector provides an automated setup experience using the Microsoft PowerShell script.
This PR adds a CloudFormation-based Infrastructure-as-Code deployment option, allowing customers to deploy the required AWS resources in a controlled, repeatable, and auditable way.
This is useful for enterprise environments where AWS resources must be deployed through approved IaC processes and reviewed before implementation.
The change does not replace the existing PowerShell setup flow. It provides an additional deployment option for the same connector scenario.

Version Updated:

Not applicable.
This PR does not update Detection or Analytic Rule templates.

Testing Completed:

Yes.
Validated that the CloudFormation template can deploy the required AWS-side resources for the Amazon Web Services S3 data connector.
Validated that the required outputs are generated and can be used during the Microsoft Sentinel connector configuration.
Confirmed that no secrets, credentials, customer-specific values, or hardcoded environment-specific identifiers are included.
Reviewed the deployment parameters and documentation for consistency with the existing Amazon Web Services S3 connector setup flow.
Confirmed that the changes are limited to the Amazon Web Services S3 connector CloudFormation/IaC scope.

Checked that the validations are passing and have addressed any issues that are present:

Yes.
Validations were reviewed, and any identified issues were addressed before submitting the PR.

@KanenasCS KanenasCS requested review from a team as code owners June 25, 2026 11:27
@v-maheshbh v-maheshbh added the Connector Connector specialty review needed label Jun 25, 2026
@v-maheshbh v-maheshbh requested a review from Copilot June 25, 2026 12:46

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Adds a CloudFormation IaC deployment path for the Microsoft Sentinel AWS S3 data connector, including AWS-side resource provisioning and step-by-step setup docs.

Changes:

  • Added CloudFormation templates for OIDC setup and per-signal AWS resources (GuardDuty, VPC Flow Logs, CloudTrail, CloudWatch).
  • Added README documentation guiding deployment via AWS Console and required Sentinel/Azure inputs.
  • Added CloudWatch exporter Lambda + EventBridge schedule for CloudWatch-to-S3 export.

Reviewed changes

Copilot reviewed 11 out of 72 changed files in this pull request and generated 13 comments.

Show a summary per file
File Description
DataConnectors/AWS-S3/CloudFormation/OpenID/Template 1_ OpenID connect authentication deployment.json Adds OIDC provider CloudFormation template.
DataConnectors/AWS-S3/CloudFormation/OpenID/README.md Documents OIDC stack creation steps.
DataConnectors/AWS-S3/CloudFormation/GuardDuty/template 2_AWS GuardDuty resources deployment.yaml Provisions GuardDuty integration resources (role, KMS, S3, SQS).
DataConnectors/AWS-S3/CloudFormation/GuardDuty/README.md Documents GuardDuty stack creation and findings export.
DataConnectors/AWS-S3/CloudFormation/Flow Logs/template 2_AWS VPC Flow Logs resources deployment.yaml Provisions VPC Flow Logs integration resources (role, S3, SQS).
DataConnectors/AWS-S3/CloudFormation/Flow Logs/README.md Documents VPC Flow Logs stack creation and manual log enablement.
DataConnectors/AWS-S3/CloudFormation/CloudWatch/template 2_AWS CloudWatch resources deployment.yaml Provisions CloudWatch connector base resources (role, S3, SQS).
DataConnectors/AWS-S3/CloudFormation/CloudWatch/template 3_AWS CloudWatch resources deployment.yaml Adds exporter Lambda and EventBridge schedule.
DataConnectors/AWS-S3/CloudFormation/CloudWatch/README.md Documents CloudWatch stack creation for templates 2 & 3.
DataConnectors/AWS-S3/CloudFormation/CloudTrail/template 2_AWS CloudTrail resources deployment.yaml Provisions CloudTrail integration resources (role, optional S3, SQS).
DataConnectors/AWS-S3/CloudFormation/CloudTrail/README.md Documents CloudTrail stack creation and trail configuration.

Comment thread DataConnectors/AWS-S3/CloudFormation/GuardDuty/README.md Outdated
Comment thread DataConnectors/AWS-S3/CloudFormation/CloudTrail/README.md Outdated
…se to the Copilot/CI feedback, grouped by theme.

**Functional fixes**
- **EventBridge → Lambda invocation (CloudWatch Step 2):** the schedule targeted the Lambda with a `RoleArn`, but EventBridge authorizes Lambda targets via a resource-based permission, not an IAM role — the `RoleArn` was ignored, so the rule would have deployed cleanly but never actually invoked the exporter. Replaced the unused events role with an `AWS::Lambda::Permission` (principal `events.amazonaws.com`, scoped to the rule ARN).
- **OIDC role-name prefix (CloudWatch Step 1):** the `SentinelRoleName` parameter had no pattern; added `AllowedPattern: OIDC_[-_a-zA-Z0-9]+` to match the other templates, since the connector requires the `OIDC_` prefix to fetch its auth token.

**Security hardening**
- **S3 → SQS notifications (all resource templates):** the `SendMessage` grant is now scoped to the `s3.amazonaws.com` service principal (was `*` in CloudTrail/GuardDuty) and conditioned on both `aws:SourceArn` and `aws:SourceAccount`, closing the confused-deputy gap.
- **CloudWatch Step 1:** removed the redundant `CloudWatchReadOnlyAccess` managed policy from the Sentinel role (it reads only from S3/SQS via the resource policies; the CloudWatch API role belongs to the Step 2 Lambda); added SSE-S3 default encryption + `PublicAccessBlockConfiguration` on the bucket and SSE on the queue.
- **CloudWatch Step 2:** scoped the exporter Lambda's execution-role resources (CloudWatch read limited to this account/region's log groups; self-logging pinned to the function's own log group) and removed a hardcoded account ID left in an inline code comment.

**Exporter efficiency (CloudWatch Step 2)**
- Added an optional `LogGroupPrefixes` allowlist plus an early-exit in the stream loop, so the Lambda no longer enumerates every log group/stream on every run (avoids throttling/timeout in large accounts). Empty = previous all-groups behavior.

**VPC Flow Logs**
- Removed environment-specific parameter defaults (the bucket name was a globally-unique value that would collide on deploy) so the bucket/queue names require explicit input; removed the unused `FlowLogsPrefix` parameter and `UseCustomPrefix` condition; cleaned up encoding artifacts in the description/comments.

**OIDC Template 1**
- Corrected the `Description`, which claimed the stack creates an assumed role; it creates only the OIDC web identity provider (the role lives in the resources template, by design — the provider is an account-level singleton meant to be deployed once).

**Documentation (READMEs)**
- Reconciled each README's parameter list against its template: corrected names that had drifted from sibling connectors (e.g. CloudTrail listed GuardDuty's `GuardDutyBucketName` and a non-existent `BucketName` toggle), fixed a `LambdaScheduleMinutes` typo, added the missing required `CloudWatchBucketName` to the CloudWatch doc, and corrected guidance where a template always creates the bucket (no `CreateNewBucket` toggle).

**Template format (YamlFileValidation)**
- Converted the CloudFormation templates from YAML to JSON. The YAML validator parses files with generic js-yaml, which rejects CloudFormation short-form intrinsic tags (`!Ref`, `!Sub`, `!GetAtt`, etc.); JSON is the existing convention for CloudFormation in this folder and is out of scope for that validator. All intrinsics were preserved and every template passes `cfn-lint` with no errors or warnings.
@KanenasCS

Copy link
Copy Markdown
Contributor Author

Hello @v-maheshbh and @v-atulyadav ,

I pushed the updates based on the Copilot and CI feedback. Summary below:

  • Fixed the CloudWatch Step 2 EventBridge to Lambda invocation by replacing the unused RoleArn approach with the required AWS::Lambda::Permission.
  • Added the required OIDC_ prefix validation for SentinelRoleName in CloudWatch Step 1.
  • Hardened S3 to SQS notification permissions by replacing wildcard principals with s3.amazonaws.com and adding aws:SourceArn and aws:SourceAccount conditions.
  • Removed redundant CloudWatch permissions from the Sentinel role and added bucket/queue encryption and public access blocking where needed.
  • Scoped the CloudWatch exporter Lambda permissions more tightly to the relevant account, region, and function log group.
  • Added optional LogGroupPrefixes filtering to reduce unnecessary CloudWatch log group/stream enumeration.
  • Cleaned up the VPC Flow Logs template by removing environment-specific defaults, unused parameters, and encoding artifacts.
  • Corrected the OIDC Template 1 description to clarify that it only creates the OIDC provider, not the IAM role.
  • Updated the README files so the documented parameters match the templates.
  • Converted the CloudFormation templates from YAML to JSON to avoid validation issues with CloudFormation short-form intrinsic functions. All templates pass cfn-lint with no errors or warnings.

Please let me know if anything else needs to be adjusted.

@v-atulyadav

Copy link
Copy Markdown
Collaborator

Hi @KanenasCS,
Could you please share the output or the invocation logs? Thanks

@KanenasCS

Copy link
Copy Markdown
Contributor Author

proofsAWS.zip

Hi @v-atulyadav

I've validated the connector end-to-end and attached the screenshots below:

  1. CloudFormation deployment — the stack created successfully (resources: OIDC role, S3 bucket, SQS queue + policies).
  2. Connector status — the AWS S3 connector page showing the connection established / data received.
  3. Ingestion in Sentinel — query results showing logs landing in the workspace, with recent TimeGenerated timestamps.

So the full path (S3 -> SQS -> Sentinel) is confirmed working. I've redacted the workspace ID, AWS account ID, and bucket/queue names since this is a public repo. Let me know if you'd like any additional evidence (e.g. SQS queue metrics or the per-interval event counts).

@v-atulyadav v-atulyadav merged commit 9774a18 into Azure:master Jul 1, 2026
25 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Connector Connector specialty review needed

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants