sst / sst

Build modern full-stack applications on AWS

Home Page:https://sst.dev

SST adds unwanted CloudWatch Subscription Filter

bram-l opened this issue · comments

We have noticed that CloudWatch Log Groups for Lambda functions deployed with SST (V2) have a Subscription Filter that seems to forward logs to an external account:

$ aws logs describe-subscription-filters --log-group-name "/aws/lambda/***"

{
    "subscriptionFilters": [
        {
            "filterName": "sst#***#***#***#***",
            "logGroupName": "/aws/lambda/***",
            "filterPattern": "?\"Invoke Error\" ?\"Error: Runtime exited\" ?\"Task timed out after\" ?\"\tERROR\t\" ?\"[ERROR]\"",
            "destinationArn": "arn:aws:logs:eu-west-1:226609089145:destination:sst#***#***#***#***",
            "distribution": "ByLogStream",
            "creationTime": 1710931935292
        }
    ]
}

This has raised security concerns as the 226609089145 account is not ours. I see it referenced in other places in the SST repos, so I'd assume it's owned by the team maintaining SST. Even though a very specific filter pattern is being used, it does include application error logs which might contain sensitive information.

Could you please share what this is used for, and more importantly, how can we disable this behaviour?
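A defender-side check for the situation described in this report, added here as an example (it is not code from the issue or from SST): it parses the JSON that `aws logs describe-subscription-filters` prints, extracts the account ID from each `destinationArn`, and flags any filter whose destination belongs to an account that is not in your own allowlist. The sample output is constructed; the 226609089145 account is the one quoted above, 111111111111 stands in for your own account, and the log group and filter names are placeholders.

```python
import json

# Constructed sample in the shape printed by `aws logs describe-subscription-filters`
# (trimmed to the fields this check reads). 226609089145 is the account quoted in the
# issue; 111111111111 stands in for "our own" account; names are placeholders.
SAMPLE_OUTPUT = r"""
{
    "subscriptionFilters": [
        {
            "filterName": "sst#app#stage#stack#fn",
            "logGroupName": "/aws/lambda/example-fn",
            "destinationArn": "arn:aws:logs:eu-west-1:226609089145:destination:sst#app#stage#stack#fn"
        },
        {
            "filterName": "central-logging",
            "logGroupName": "/aws/lambda/example-fn",
            "destinationArn": "arn:aws:logs:eu-west-1:111111111111:destination:central"
        }
    ]
}
"""

def arn_account(arn: str) -> str:
    """Return the account field of an ARN (arn:partition:service:region:account:resource)."""
    parts = arn.split(":", 5)
    if len(parts) < 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return parts[4]

def find_external_filters(describe_output: str, own_accounts: set) -> list:
    """Return the filters whose destination is owned by an account outside own_accounts.
    Each finding also notes whether the filter name has the "sst#" prefix seen in the issue."""
    findings = []
    for f in json.loads(describe_output).get("subscriptionFilters", []):
        account = arn_account(f["destinationArn"])
        if account in own_accounts:
            continue
        findings.append({
            "logGroup": f["logGroupName"],
            "filterName": f["filterName"],
            "destinationAccount": account,
            "sstManaged": f["filterName"].startswith("sst#"),
        })
    return findings

if __name__ == "__main__":
    for hit in find_external_filters(SAMPLE_OUTPUT, {"111111111111"}):
        print(hit)
```

In practice, feed it the real CLI output for each log group returned by `aws logs describe-log-groups`, and treat any finding as a cross-account log export to review.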

commented

Did you enable the SST Console? https://docs.sst.dev/console#how-it-works

Thanks @jayair! I wasn't aware, but indeed somebody had signed up for SST Console, granting this permission.