@hulumi/baseline: Audit log S3 bucket immutability bypass in AccountFoundation
What changed
AccountFoundation's S3 bucket for CloudTrail and AWS Config audit logs had three vulnerabilities: (1) Object Lock was disabled on the startup-hardened tier, (2) forceDestroy could be set to true, allowing the bucket to be deleted together with its logs, and (3) the sandbox tier skipped all immutability protections. Fixed in 1.4.0 by enforcing invariants in SecureBucket: it refuses forceDestroy on the startup-hardened tier, always emits a CloudTrail Lake EventDataStore, and attaches a bucket policy that denies s3:DeleteObject* on the audit log prefixes.
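As an added illustration (this is not code from @hulumi/baseline, and it uses no cloud SDK), the invariants the fix describes can be written down and checked in plain TypeScript: a validator that rejects forceDestroy on the startup-hardened tier and requires Object Lock on every tier, a builder for the deny-s3:DeleteObject* bucket policy, and a checker that confirms a given policy actually covers an audit prefix. The tier names come from the advisory; the prefixes cloudtrail/ and config/, the function names and the policy Sid are assumptions made here.

```typescript
// Added example, not @hulumi/baseline's implementation. Tier names follow the
// advisory; prefixes, function names and the Sid are illustrative assumptions.

type Tier = "sandbox" | "startup-hardened";

interface AuditBucketConfig {
  bucketName: string;
  tier: Tier;
  forceDestroy: boolean;
  objectLockEnabled: boolean;
  retentionMode?: "GOVERNANCE" | "COMPLIANCE";
  retentionDays?: number;
}

interface PolicyStatement {
  Sid: string;
  Effect: "Allow" | "Deny";
  Principal: "*";
  Action: string[];
  Resource: string[];
}

interface PolicyDocument {
  Version: "2012-10-17";
  Statement: PolicyStatement[];
}

// Assumed layout: CloudTrail and AWS Config each deliver under their own prefix.
export const AUDIT_PREFIXES = ["cloudtrail/", "config/"];

// Returns a list of invariant violations; an empty list means the config is acceptable.
export function validateAuditBucket(cfg: AuditBucketConfig): string[] {
  const violations: string[] = [];
  // Invariant 1: an audit bucket on the hardened tier must never be force-destroyable.
  if (cfg.tier === "startup-hardened" && cfg.forceDestroy) {
    violations.push("forceDestroy=true is not allowed on the startup-hardened tier");
  }
  // Invariant 2: Object Lock is required on every tier, sandbox included.
  if (!cfg.objectLockEnabled) {
    violations.push("Object Lock must be enabled for audit log buckets");
  } else if ((cfg.retentionDays ?? 0) <= 0) {
    // Object Lock without a default retention period does not protect anything.
    violations.push("Object Lock requires a default retention period (retentionDays > 0)");
  }
  return violations;
}

// Builds a bucket policy that denies every s3:DeleteObject* action on the audit
// prefixes for all principals (the resource-level scope keeps other keys unaffected).
export function buildDenyDeletePolicy(bucketName: string, prefixes: string[]): PolicyDocument {
  return {
    Version: "2012-10-17",
    Statement: [
      {
        Sid: "DenyAuditLogDeletion",
        Effect: "Deny",
        Principal: "*",
        Action: ["s3:DeleteObject*"],
        Resource: prefixes.map((p) => `arn:aws:s3:::${bucketName}/${p}*`),
      },
    ],
  };
}

function escapeRegExp(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Minimal IAM-style wildcard match: "*" matches any run of characters.
function globMatch(pattern: string, value: string): boolean {
  const re = "^" + pattern.split("*").map(escapeRegExp).join(".*") + "$";
  return new RegExp(re).test(value);
}

// True when some Deny statement for all principals blocks s3:DeleteObject on a
// probe key under the given prefix of the given bucket.
export function policyDeniesDelete(policy: PolicyDocument, bucketName: string, prefix: string): boolean {
  const probeArn = `arn:aws:s3:::${bucketName}/${prefix}probe-object`;
  return policy.Statement.some(
    (st) =>
      st.Effect === "Deny" &&
      st.Principal === "*" &&
      st.Action.some((a) => globMatch(a, "s3:DeleteObject")) &&
      st.Resource.some((r) => globMatch(r, probeArn)),
  );
}
```

The bucket policy is defence in depth only: a Deny in a bucket policy constrains principals, can be removed by anyone allowed to write the bucket policy, and does not govern S3's own lifecycle expiration. The Object Lock retention that the validator insists on (and the separate CloudTrail Lake store) is what actually keeps the logs immutable.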
Who it affects
All users of @hulumi/baseline < 1.4.0 using AccountFoundation, especially those relying on startup-hardened or sandbox tiers for audit log immutability.
What to do today
Upgrade to @hulumi/baseline@1.4.0 immediately.