Security Related Updates:

woznij · woznij · commit a0f1fe0db2ab · 2023-06-28T13:08:30.000+02:00
- Adding CMK for DynamoDB table
- Adding CMK for Cloudwatch Logs
- Add ability to disable Catch-All functionality
- Updated README files
diff --git a/README.md b/README.md
@@ -20,6 +20,8 @@ In this solution there are two flows:
 > In the above diagram, this flow begins typically with an automated account vending solution or automation or invoked manually.  In this request, Lambda is invoked with a payload (examples in [src/events](src/events)) containing metadata, the solution uses this information to generate a unique account name and email address, stores it in a database and returns the values to the caller.  These values can then be used to create a new AWS account (typically using AWS Organizations)
 2. Forward email
 > When an AWS account is created using the account email generated from the flow mentioned above, AWS will send various emails to that email address, like account registration confirmation and periodic notifications.  As part of the solution, you configure your AWS account with SES to receive emails for the entire domain.  This solution configures forward rules that allow AWS Lambda to process all incoming emails, check to see if the TO address is in the table and forwards the message on to the account owner's email address instead.  This allows account owners to have multiple accounts associated with one email address.
+3. Read / Update / Delete Email Configuration (not pictured)
+> Because this is an example of one way this functionality could be created, this solution does not yet implement a read, update, or delete flow that could be used to read the configuration, make modifications or remove mappings.  However, an administrator could create more Lambda functions to do this or use the AWS console directly to interact with the Account Table.  A recommended pattern is to implement [Amazon API Gateway](https://aws.amazon.com/api-gateway/) to provide an API for other applications to consume this functionality.
 
 ## Prerequisites
 - Administrative access to an AWS account  
@@ -57,6 +59,7 @@ variables.
 - ADDRESS_ADMIN: This is the email address you wish to use if the solution is unable to find or forward an email to a valid account owner.  Emails will be SENT to this email address.  Typically customers set this to a shared mailbox that the IT team monitors.
 - MAIL_HEADER_VALUE: This is the value of the X-Processed-By header that is added to every email forwarded through this system
 - COUNTER_LENGTH: This is the length of the number appended to account names (including leading zeros). e.g. this-is-my-account-name-001
+- DISABLE_CATCH_ALL: This setting is not present in cdk.json by default. By adding this setting with any value, it will disable the catch-all behavior and the solution will no longer forward messages where the account owner email is not found.  To help prevent a denial of service attack, the catch-all functionality should be disabled.  To enable catch-all, ensure this setting is NOT present in cdk.json.
 
 ## Deployment
 
@@ -139,8 +142,9 @@ Alternatively, you can delete the CloudFormation stack "AwsMailFwdStack" through
  * `cdk diff`        compare deployed stack with current state
  * `cdk docs`        open CDK documentation
 
-
-
+## Improvement Ideas
+- Implement Read/Update/Delete flows for email address configurations
+- Implement a Dead Letter Queue (DLQ) where undeliverable messages can go for archive or reprocessing
 
 ## Security
 
diff --git a/aws_mail_fwd/aws_mail_fwd_stack.py b/aws_mail_fwd/aws_mail_fwd_stack.py
@@ -34,9 +34,18 @@ def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
         mail_key = kms.Key(
             self, "KmsKey", enable_key_rotation=True, alias="alias/email-processing"
         )
+        # KMS key for SNS
         sns_key = kms.Key(
             self, "KmsKeySns", enable_key_rotation=True, alias="alias/sns-mail-receipt"
         )
+        # KMS Key for DynamoDb Table
+        ddb_key: kms.Key = kms.Key(
+            self, "KmsDdb", enable_key_rotation=True, alias="alias/acct-factory-email-ddb"
+        )
+        # KMS key for CloudWatch Logs Group
+        logs_key = kms.Key(
+            self, "KmsLogs", enable_key_rotation=True, alias="alias/acct-factory-email-cw-logs"
+        )
         mail_key.grant_decrypt(iam.ServicePrincipal("ses.amazonaws.com"))
         sns_key.grant_encrypt_decrypt(iam.ServicePrincipal("ses.amazonaws.com"))
         # Allow SES to decrypt messages as per requirement
@@ -79,7 +88,8 @@ def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
                 name="AccountEmail", type=dynamodb.AttributeType.STRING
             ),
             table_name=self.node.try_get_context("ACCOUNT_TABLE_NAME"),
-            encryption=dynamodb.TableEncryption.AWS_MANAGED,
+            encryption=dynamodb.TableEncryption.CUSTOMER_MANAGED,
+            encryption_key=ddb_key,
             billing_mode=dynamodb.BillingMode.PAY_PER_REQUEST,
             point_in_time_recovery=True,
         )
@@ -104,6 +114,7 @@ def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
             "VendEmailLogGroup",
             removal_policy=RemovalPolicy.DESTROY,
             retention=aws_logs.RetentionDays.ONE_MONTH,
+            encryption_key=logs_key,
         )
 
         # Create Vend Email Lambda IAM Role
@@ -114,6 +125,9 @@ def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
             description="AwsMailFwd Vend Email Lambda Function role",
         )
         vend_email_log_group.grant_write(vend_email_role)
+        ddb_key.grant_encrypt_decrypt(vend_email_role)
+        logs_key.grant_encrypt_decrypt(vend_email_role)
+        logs_key.grant_encrypt_decrypt(iam.ServicePrincipal("logs.amazonaws.com"))
 
         # Create lambda function for vending emails
         vend_email_function = aws_lambda.Function(
@@ -145,6 +159,7 @@ def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
             "SesMailForwardLogGroup",
             removal_policy=RemovalPolicy.DESTROY,
             retention=aws_logs.RetentionDays.ONE_MONTH,
+            encryption_key=logs_key,
         )
         ses_fwd_function_role = iam.Role(
             self,
@@ -210,6 +225,10 @@ def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
         ses_fwd_function.add_environment(
             "TABLE_NAME", account_table.table_name
         )
+        disable_catch_all = self.node.try_get_context("DISABLE_CATCH_ALL")
+        if disable_catch_all:
+            ses_fwd_function.add_environment("DISABLE_CATCH_ALL", str(disable_catch_all))
+        
         vend_email_function.add_environment(
             "SES_DOMAIN_NAME", self.node.try_get_context("SES_DOMAIN_NAME")
         )
@@ -269,6 +288,10 @@ def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
         mail_bucket.grant_read(ses_fwd_function_role)
         mail_key.grant_decrypt(ses_fwd_function_role)
         sns_key.grant_encrypt_decrypt(ses_fwd_function_role)
+        ddb_key.grant_decrypt(ses_fwd_function_role)
+        ddb_key.grant_encrypt_decrypt(iam.ServicePrincipal("dynamodb.amazonaws.com"))
+        logs_key.grant_encrypt_decrypt(ses_fwd_function_role)
+        logs_key.grant_encrypt_decrypt(iam.ServicePrincipal("logs.amazonaws.com"))
 
         # Grant permissions to Lambda to perform SES actions
         ses_fwd_function_role.add_to_policy(
@@ -457,6 +480,20 @@ def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
             ],
             True
         )
+        NagSuppressions.add_resource_suppressions(
+            vend_email_role,
+            [
+                {
+                    "id": "AwsSolutions-IAM5",
+                    "reason": "All the KMS actions are needed for the role to encrypt and decrypt DynamoDb items",
+                    "appliesTo": [
+                        "Action::kms:GenerateDataKey*",
+                        "Action::kms:ReEncrypt*"
+                    ],
+                }
+            ],
+            True
+        )
         NagSuppressions.add_resource_suppressions(
             vend_email_role,
             [
diff --git a/src/README.md b/src/README.md
@@ -37,6 +37,7 @@ This function delivers incoming message to the proper recipient.  The process is
 |ADDRESS_FROM | cdk.json context.ADDRESS_FROM
 |ADDRESS_ADMIN | cdk.json context.ADDRESS_ADMIN
 |TABLE_NAME | cdk.json context.ACCOUNT_TABLE_NAME
+|DISABLE_CATCH_ALL | cdk.json context.DISABLE_CATCH_ALL
 
 # /events
 The /events folder contains several sample events that are used to debug or build further functionality in the future.
diff --git a/src/fwdEmail/app.py b/src/fwdEmail/app.py
@@ -9,11 +9,23 @@
 
 ADDRESS_FROM = os.getenv("ADDRESS_FROM")
 ADDRESS_ADMIN = os.getenv("ADDRESS_ADMIN")
+DISABLE_CATCH_ALL = os.getenv("DISABLE_CATCH_ALL", False)
 LOG_LEVEL = os.getenv("LOG_LEVEL", "INFO")
 logger = logging.getLogger("FWD-EMAIL")
 logging.getLogger().setLevel(getattr(logging, LOG_LEVEL.upper(), logging.INFO))
 
 
+def get_recipient(source_mail_to: str, account_owner: str) -> str:
+    """Returns the proper recipient or None"""
+    if source_mail_to == ADDRESS_FROM:
+        # Forward emails for the solution's FROM address to the admin
+        return ADDRESS_ADMIN
+    if DISABLE_CATCH_ALL and not account_owner:
+        # IF catch-all is disabled, do not forward to ADDRESS_ADMIN
+        return None
+    return account_owner if account_owner else ADDRESS_ADMIN
+
+
 def lambda_handler(event, context):
     # Get the unique ID of the message. This corresponds to the name of the file
     # in S3.
@@ -37,13 +49,14 @@ def lambda_handler(event, context):
                 # Retrieve the file from the S3 bucket.
                 file_dict = ses.get_message_from_s3(mail_bucket, object_path)
 
-                # Determine who to send the email to
-                if mail_to == ADDRESS_FROM:
-                    # Forward emails for the solution's FROM address to the admin
-                    send_to = ADDRESS_ADMIN
-                else:
-                    account_owner = ddb.get_account_owner_address(mail_to)
-                    send_to = account_owner if account_owner else ADDRESS_ADMIN
+                # Get the account owner
+                account_owner = ddb.get_account_owner_address(mail_to)
+
+                # Determine the recipient
+                send_to = get_recipient(mail_to, account_owner)
+                if not send_to:
+                    logger.info(f"Unable to determine the proper recipient for {mail_to}")
+                    return
 
                 # Create the message.
                 message = ses.create_message(ADDRESS_FROM, send_to, file_dict)
