diff --git a/packages/aws/_dev/build/docs/config.md b/packages/aws/_dev/build/docs/config.md index de51f241d52..456468a88ba 100644 --- a/packages/aws/_dev/build/docs/config.md +++ b/packages/aws/_dev/build/docs/config.md @@ -58,9 +58,20 @@ Use this integration if you only need to collect data from the AWS Config servic 5. Add all the required integration configuration parameters, including the aws_region to enable data collection. 6. Select "Save and continue" to save the integration. +::::{important} +The AWS Config data stream uses the CEL input with manual AWS SigV4 request signing +rather than the AWS SDK. This means it **only** supports static credentials +(`Access Key ID` + `Secret Access Key`, and optionally `Session Token` for temporary +credentials). + +**Role ARN, IAM instance profiles, shared credential files, and environment-based +credentials are not supported.** If you attempt to use this data stream without +providing static credentials, you will see an error indicating that `access_key_id` +and `secret_access_key` are required. +:::: + **Note** -1. For the current integration package, it is compulsory to add Secret Access Key and Access Key ID. -2. The AWS Config integration performs a full ingestion of all findings during each interval. +1. The AWS Config integration performs a full ingestion of all findings during each interval. ## Troubleshooting diff --git a/packages/aws/changelog.yml b/packages/aws/changelog.yml index 0f1d379f4b5..3ddbd7856bf 100644 --- a/packages/aws/changelog.yml +++ b/packages/aws/changelog.yml 
@@ -1,4 +1,11 @@ # newer versions go on top +- version: "6.5.1" + changes: + - description: | + Add credential validation to AWS Config CEL program to emit a clear error when access_key_id or secret_access_key are missing. + Document that the AWS Config data stream requires static credentials and does not support Role ARN or other SDK-based credential methods. + type: bugfix + link: https://github.com/elastic/integrations/pull/18333 - version: "6.5.0" changes: - description: Add timestamp range filter and storage tier exclusion to latest transform source queries to reduce scan scope and improve performance. diff --git a/packages/aws/data_stream/config/_dev/test/scripts/env.txt b/packages/aws/data_stream/config/_dev/test/scripts/env.txt new file mode 100644 index 00000000000..542bf98a9b3 --- /dev/null +++ b/packages/aws/data_stream/config/_dev/test/scripts/env.txt @@ -0,0 +1,10 @@ +[!exec:echo] skip 'Skipping test requiring absent echo command' + +exec echo ${PACKAGE_NAME} +stdout '^aws$' + +exec echo ${DATA_STREAM} +stdout '^config$' + +exec echo ${CURRENT_VERSION} +stdout '^[0-9]+\.[0-9]+\.[0-9]+$' diff --git a/packages/aws/data_stream/config/_dev/test/scripts/missing_credentials.txt b/packages/aws/data_stream/config/_dev/test/scripts/missing_credentials.txt new file mode 100644 index 00000000000..49867017720 --- /dev/null +++ b/packages/aws/data_stream/config/_dev/test/scripts/missing_credentials.txt 
@@ -0,0 +1,40 @@ +# Test that the AWS Config data stream emits a clear error event when +# access_key_id and secret_access_key are not provided. + +[!external_stack] skip 'Skipping external stack test.' +[!exec:jq] skip 'Skipping test requiring absent jq command' + +use_stack -profile ${CONFIG_PROFILES}/${PROFILE} +install_agent -profile ${CONFIG_PROFILES}/${PROFILE} -network_name NETWORK_NAME + +add_package -profile ${CONFIG_PROFILES}/${PROFILE} +add_package_policy -profile ${CONFIG_PROFILES}/${PROFILE} test_config.yaml DATA_STREAM_NAME + +# The credential check fires before any HTTP request, so exactly one error +# event should be indexed per evaluation cycle. Wait for at least 1. +get_docs -profile ${CONFIG_PROFILES}/${PROFILE} -want 1 -timeout 5m ${DATA_STREAM_NAME} +cp stdout got_docs.json + +# Verify the error message names the missing credentials. +exec jq -r '[.hits.hits[]._source.error.message // empty] | flatten | .[]' got_docs.json +stdout 'access_key_id and secret_access_key' + +# Verify no data events were produced — only error events. +exec jq '[.hits.hits[]._source | select(.aws.config != null)] | length' got_docs.json +stdout '^0$' + +# Clean up. +remove_package_policy -profile ${CONFIG_PROFILES}/${PROFILE} ${DATA_STREAM_NAME} +uninstall_agent -profile ${CONFIG_PROFILES}/${PROFILE} -timeout 1m + +-- test_config.yaml -- +input: cel +vars: + access_key_id: "" + secret_access_key: "" +data_stream: + vars: + aws_region: us-east-1 + interval: 10s + batch_size: 2 + preserve_original_event: true diff --git a/packages/aws/data_stream/config/agent/stream/cel.yml.hbs b/packages/aws/data_stream/config/agent/stream/cel.yml.hbs index 6f58ad81dbd..75ab7e4ab90 100644 --- a/packages/aws/data_stream/config/agent/stream/cel.yml.hbs +++ b/packages/aws/data_stream/config/agent/stream/cel.yml.hbs 
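Review bot: The test only exercises the explicit empty-string case — `test_config.yaml` sets `access_key_id: ""` and `secret_access_key: ""` — so the absent-key path that the `state.?secret_key` / `orValue("")` guard in the CEL program exists for is never run; if the stream template omits the key when the var is unset, that branch stays untested. Consider a second variant that leaves both credential vars out of `vars:` entirely, or dropping them here if the package-policy API accepts that. The assertion `stdout 'access_key_id and secret_access_key'` matches a substring of the human-readable message, which works, but also asserting on `error.code == "configuration_error"` (via jq on `.hits.hits[]._source.error.code`) would keep the test stable if the wording is later edited.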
@@ -44,6 +44,21 @@ redact: - session_token program: | ( + // Credential validation: access_key_id and secret_access_key are required + // for hand-rolled SigV4 signing. Role ARN, IAM instance profiles, and + // other SDK-based credential methods are not supported. + state.?secret_key.orValue("") == "" || state.?access_key.orValue("") == "" ? + { + "events": { + "error": { + "code": "configuration_error", + "id": "missing_credentials", + "message": "AWS Config requires access_key_id and secret_access_key. Role ARN, IAM instance profiles, and other credential methods are not supported for this data stream.", + }, + }, + "want_more": false, + } + : // Stage 1: Check if we have existing config rules to process // If we have worklist with ConfigRules, we already fetched rules and now need to get compliance details has(state.?worklist.ConfigRules) && size(state.worklist.ConfigRules) > 0 ? diff --git a/packages/aws/data_stream/config/manifest.yml b/packages/aws/data_stream/config/manifest.yml index 77c8559a80e..ed6b7929406 100644 --- a/packages/aws/data_stream/config/manifest.yml +++ b/packages/aws/data_stream/config/manifest.yml @@ -4,7 +4,7 @@ ilm_policy: logs-aws.config-default_policy streams: - input: cel title: Collect AWS Config Findings from AWS - description: Collect AWS Config Findings from AWS via API. + description: Collect AWS Config Findings from AWS via API. Requires Access Key ID and Secret Access Key — Role ARN and other credential methods are not supported. template_path: cel.yml.hbs enabled: false vars: diff --git a/packages/aws/docs/config.md b/packages/aws/docs/config.md index e763e57f00c..38c40b83124 100644 --- a/packages/aws/docs/config.md +++ b/packages/aws/docs/config.md 
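Review bot: The new guard only catches a missing or empty-string `access_key` / `secret_key`; a value that is present but whitespace-only (or null, if the template can render one) passes `orValue("") == ""` and falls through to the signing path, where it fails later as an opaque SigV4 error rather than as this clear configuration error — consider `state.?secret_key.orValue("").trim() == "" || state.?access_key.orValue("").trim() == "" ?` if the CEL strings extension's `trim()` is enabled for this input (confirm). Because the branch returns `want_more: false` and no cursor, the same error document is indexed on every interval until the policy is fixed, which the new test relies on; that is worth stating in the comment above the check, e.g. `// Fires on every evaluation until credentials are supplied, emitting one error event per interval.` A related caveat for the same comment: a `session_token` is used as-is by hand-rolled signing and cannot be refreshed, so expired temporary credentials are not caught here and surface later as request failures. The enclosing `program:` CEL expression continues past the end of the hunk.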
@@ -58,9 +58,20 @@ Use this integration if you only need to collect data from the AWS Config servic 5. Add all the required integration configuration parameters, including the aws_region to enable data collection. 6. Select "Save and continue" to save the integration. +::::{important} +The AWS Config data stream uses the CEL input with manual AWS SigV4 request signing +rather than the AWS SDK. This means it **only** supports static credentials +(`Access Key ID` + `Secret Access Key`, and optionally `Session Token` for temporary +credentials). + +**Role ARN, IAM instance profiles, shared credential files, and environment-based +credentials are not supported.** If you attempt to use this data stream without +providing static credentials, you will see an error indicating that `access_key_id` +and `secret_access_key` are required. +:::: + **Note** -1. For the current integration package, it is compulsory to add Secret Access Key and Access Key ID. -2. The AWS Config integration performs a full ingestion of all findings during each interval. +1. The AWS Config integration performs a full ingestion of all findings during each interval. ## Troubleshooting diff --git a/packages/aws/manifest.yml b/packages/aws/manifest.yml index d6a81f0515f..085a1e40a99 100644 --- a/packages/aws/manifest.yml +++ b/packages/aws/manifest.yml @@ -1,7 +1,7 @@ format_version: 3.4.0 name: aws title: AWS -version: 6.5.0 +version: 6.5.1 description: Collect logs and metrics from Amazon Web Services (AWS) with Elastic Agent. type: integration categories: