Skip to content

Add aws.config source indices to kibana_system role permissions #128350

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
May 23, 2025
Merged

Add aws.config source indices to kibana_system role permissions #128350

merged 1 commit into from
May 23, 2025

Conversation

@kcreddy
Copy link
Contributor

@kcreddy kcreddy commented May 23, 2025
edited
Loading

Adding logs-aws.config-* data stream indices to the kibana_system privileges. This is required for the latest transform to work.

Related:

Similar to #124074

@kcreddy kcreddy requested a review from a team as a code owner May 23, 2025 07:37
@kcreddy kcreddy self-assigned this May 23, 2025
@kcreddy kcreddy added Team:Security Meta label for security team external-contributor Pull request authored by a developer outside the Elasticsearch team Team:Cloud Security Meta label for Cloud Security team :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC auto-backport Automatically create backport pull requests when merged labels May 23, 2025
@elasticsearchmachine
Copy link
Collaborator

Pinging @elastic/es-security (Team:Security)

@kcreddy kcreddy requested a review from maxcold May 23, 2025 07:42
@kcreddy kcreddy mentioned this pull request May 23, 2025
Merged
5 tasks
kc13greiner
kc13greiner approved these changes May 23, 2025
View reviewed changes
Copy link
Contributor

@kc13greiner kc13greiner left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Reasoning:

Although we generally would not grant the system user access to data indexes, an exception is made for logs-* (documented here) as it is a known collision pattern.

@kcreddy kcreddy merged commit 169527f into elastic:main May 23, 2025
18 checks passed
@kcreddy
Copy link
Contributor Author

kcreddy commented May 23, 2025
edited
Loading

@kc13greiner, is there anything that should be done to automatically create all the backport PRs?
This PR is very similar to #124074 where many backport PRs got created automatically.

cc: @maxcold

@kc13greiner
Copy link
Contributor

@kcreddy I am not sure how the es repo labels work. The auto-backport w/ versions seemed like it would work to me 🤔

@kcreddy kcreddy added auto-backport Automatically create backport pull requests when merged and removed auto-backport Automatically create backport pull requests when merged labels May 26, 2025
@kcreddy kcreddy deleted the csp-aws-config branch May 26, 2025 07:27
@kcreddy kcreddy restored the csp-aws-config branch May 26, 2025 07:27
@kcreddy
Copy link
Contributor Author

kcreddy commented May 26, 2025

@kcreddy I am not sure how the es repo labels work. The auto-backport w/ versions seemed like it would work to me 🤔

@kc13greiner can you please tag someone to assist with this issue, considering the public release is tomorrow for these branches?
How about creating manual backport PRs, does that work?

@kcreddy
Copy link
Contributor Author

kcreddy commented May 26, 2025
edited
Loading

@slobodanadamovic, this PR is very similar to #124074 which you approved previously. But the backport PRs aren't getting created here even though auto-backport label is added. Could you please assist?

cc: @maxcold

@slobodanadamovic
Copy link
Contributor

@kcreddy The auto-backport label will only take effect if applied before the PR gets merged. Since it was added after, you'll have to backport it manually or use the the backport tool.

@kcreddy
Copy link
Contributor Author

kcreddy commented May 26, 2025

@kcreddy The auto-backport label will only take effect if applied before the PR gets merged. Since it was added after, you'll have to backport it manually or use the the backport tool.

@slobodanadamovic, Actually I added this label right after creating the PR, even before the review: #128350 (comment)

@slobodanadamovic
Copy link
Contributor

@kcreddy The auto-backport label will only take effect if applied before the PR gets merged. Since it was added after, you'll have to backport it manually or use the the backport tool.

@slobodanadamovic, Actually I added this label right after creating the PR, even before the review: #128350 (comment)

I missed that. Sorry!

Not sure why it did not work. The @elastic/es-delivery team might help diagnosing this.

In any case, I think you'll have to use the backport tool locally or backport the PR manually. There is no way to trigger backporting after the PR got merge. Given that this happens from time to time it would be nice to have the ability to manully trigger backport, e.g. via @elasticmachine backport.

@kcreddy
Copy link
Contributor Author

kcreddy commented May 26, 2025

In any case, I think you'll have to use the backport tool locally or backport the PR manually. There is no way to trigger backporting after the PR got merge

Thanks for the quick help ❤️ I will check the backport tool and create PRs.

Given that this happens from time to time it would be nice to have the ability to manully trigger backport, e.g. via @elasticmachine backport.

Strongly agree with this 💯

This was referenced May 26, 2025
Merged
Merged
Merged
@kcreddy
Copy link
Contributor Author

kcreddy commented May 26, 2025
edited by slobodanadamovic
Loading

💔 Some backports could not be created

Status Branch Result
9.0
8.19
8.18
8.17 Could not create pull request:

Manual backport

To create the backport manually run:

backport --pr 128350

Questions ?

Please refer to the Backport tool documentation

kcreddy added a commit to kcreddy/elasticsearch that referenced this pull request May 26, 2025
@kcreddy
Add aws.config source indices to kibana_system role permissions (elas…
134fe3b 
…tic#128350)

Adding `logs-aws.config-*` data stream indices to the `kibana_system` privileges.
This is required for the latest transform to work.

Related:
- elastic/integrations#13830 (comment)

(cherry picked from commit 169527f)
kcreddy added a commit to kcreddy/elasticsearch that referenced this pull request May 26, 2025
@kcreddy
Add aws.config source indices to kibana_system role permissions (elas…
173804a 
…tic#128350)

Adding `logs-aws.config-*` data stream indices to the `kibana_system` privileges.
This is required for the latest transform to work.

Related:
- elastic/integrations#13830 (comment)

(cherry picked from commit 169527f)
kcreddy added a commit to kcreddy/elasticsearch that referenced this pull request May 26, 2025
@kcreddy
Add aws.config source indices to kibana_system role permissions (elas…
fe10b2b 
…tic#128350)

Adding `logs-aws.config-*` data stream indices to the `kibana_system` privileges.
This is required for the latest transform to work.

Related:
- elastic/integrations#13830 (comment)

(cherry picked from commit 169527f)
@kcreddy
Copy link
Contributor Author

kcreddy commented May 26, 2025
edited
Loading

In any case, I think you'll have to use the backport tool locally or backport the PR manually. There is no way to trigger backporting after the PR got merge

Thanks for the quick help ❤️ I will check the backport tool and create PRs.

Given that this happens from time to time it would be nice to have the ability to manully trigger backport, e.g. via @elasticmachine backport.

Strongly agree with this 💯

@slobodanadamovic, I created backport PRs using the backport tool.
But the PRs #128446 and #128443 got created with next patch version than what we would like to target.
We want: 8.18.2 , the PR created has 8.18.3 label.
We want: 9.0.2 , the PR created has 9.0.3 label.

Also there is an error for 8.17.x which isn't quite intuitive.

kcreddy added a commit to kcreddy/elasticsearch that referenced this pull request May 26, 2025
@kcreddy
Add aws.config source indices to kibana_system role permissions (elas…
cda18e9 
…tic#128350)

Adding `logs-aws.config-*` data stream indices to the `kibana_system` privileges.
This is required for the latest transform to work.

Related:
- elastic/integrations#13830 (comment)

(cherry picked from commit 169527f)
@kcreddy kcreddy mentioned this pull request May 26, 2025
Merged
@kcreddy
Copy link
Contributor Author

kcreddy commented May 26, 2025

💚 All backports created successfully

Status Branch Result
8.17

Questions ?

Please refer to the Backport tool documentation

elasticsearchmachine pushed a commit that referenced this pull request May 27, 2025
@kcreddy
Add aws.config source indices to kibana_system role permissions (#128350
9fca3d2 
) (#128443)

Adding `logs-aws.config-*` data stream indices to the `kibana_system` privileges.
This is required for the latest transform to work.

Related:
- elastic/integrations#13830 (comment)

(cherry picked from commit 169527f)
elasticsearchmachine pushed a commit that referenced this pull request May 27, 2025
@kcreddy
Add aws.config source indices to kibana_system role permissions (#128350
0de462a 
) (#128446)

Adding `logs-aws.config-*` data stream indices to the `kibana_system` privileges.
This is required for the latest transform to work.

Related:
- elastic/integrations#13830 (comment)

(cherry picked from commit 169527f)
elasticsearchmachine pushed a commit that referenced this pull request May 27, 2025
@kcreddy
Add aws.config source indices to kibana_system role permissions (#128350
8e59a38 
) (#128444)

Adding `logs-aws.config-*` data stream indices to the `kibana_system` privileges.
This is required for the latest transform to work.

Related:
- elastic/integrations#13830 (comment)

(cherry picked from commit 169527f)
elasticsearchmachine pushed a commit that referenced this pull request May 27, 2025
@kcreddy
Add aws.config source indices to kibana_system role permissions (#128350
49d28fc 
) (#128460)

Adding `logs-aws.config-*` data stream indices to the `kibana_system` privileges.
This is required for the latest transform to work.

Related:
- elastic/integrations#13830 (comment)

(cherry picked from commit 169527f)
@kcreddy kcreddy mentioned this pull request May 30, 2025
Merged
@kcreddy kcreddy mentioned this pull request Aug 5, 2025
Merged
kcreddy added a commit to elastic/integrations that referenced this pull request Sep 22, 2025
@kcreddy
aws: Add Config and Inspector transforms for extended protections (CD…
285494a 
…R) workflow (#15230)

aws: Add transforms to Config and Inspector data streams for extended protections (CDR) workflow.

- Add latest transform to Config and Inspector data streams
to help with Cloud Native Vulnerability Management (CNVM)[1] 
and Cloud Security Posture Management (CSPM)[2] workflows.
- Add ILM policy to AWS Config as it does full sync every interval.
- Update minimum kibana version to "^8.19.0 || ^9.1.0"  to ensure 
necessary permissions for transform[3].
- Re-add 3.14.2 changelog entry as it is overwritten in VPC Flow PR[4].
- Skip system tests for securityhub* data streams to avoid fleet health 
degradation due to empty template values by httpjson. This is fixed in 
8.19.4 and 9.1.4 by beats#45810[5] and beats#46332[6]. This skip can 
be removed when the stack version is upgraded to ones containing the fix. 

[1] https://www.elastic.co/guide/en/security/current/vuln-management-overview.html
[2] https://www.elastic.co/docs/solutions/security/cloud/cloud-security-posture-management
[3] elastic/elasticsearch#128350
[4] #15077
[5] elastic/beats#45810
[6] elastic/beats#46332
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@maxcold maxcold maxcold approved these changes

@kc13greiner kc13greiner kc13greiner approved these changes

Assignees

@kcreddy kcreddy

Labels

auto-backport Automatically create backport pull requests when merged external-contributor Pull request authored by a developer outside the Elasticsearch team >non-issue :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC Team:Cloud Security Meta label for Cloud Security team Team:Security Meta label for security team v8.17.7 v8.18.2 v8.19.0 v9.0.2 v9.1.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@kcreddy @elasticsearchmachine @kc13greiner @slobodanadamovic @maxcold