terraform.aws-baseline-infra/modules/security_identity_compliance/cloudtrail_cwlogs/ct-s3-bucket.tf



data "aws_iam_policy_document" "cloudtrail_bucket_policy" {
  statement {
    sid = "AWSCloudTrailAclCheck"

    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }

    actions = [
      "s3:GetBucketAcl",
    ]

    resources = [
      "arn:aws:s3:::${local.ct-bucket-name}",
    ]
  }

  statement {
    sid = "AWSCloudTrailWrite"

    principals {
      type        = "Service"
      identifiers = ["config.amazonaws.com", "cloudtrail.amazonaws.com"]
    }

    actions = [
      "s3:PutObject"
    ]

    resources = [
      "arn:aws:s3:::${local.ct-bucket-name}/*"
    ]
  }

  statement {
    sid = "ReadAccessForAccountOwner"

    principals {
      type        = "AWS"
      identifiers = [data.aws_caller_identity.this.account_id]
    }

    actions = [
      "s3:Get*"
    ]

    resources = [
      "arn:aws:s3:::${local.ct-bucket-name}",
      "arn:aws:s3:::${local.ct-bucket-name}/*"
    ]
  }

}


resource "aws_s3_bucket" "ct-bucket" {
  bucket = local.ct-bucket-name
  policy = data.aws_iam_policy_document.cloudtrail_bucket_policy.json

  versioning {
    enabled = false
  }

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = aws_kms_key.ctbucket-key.arn
        sse_algorithm = "aws:kms"
      }
    }
  }
  tags                 = var.default-tags

  lifecycle_rule {
    id = "${local.resource-prefix}-ctbucket-lifecycle-rule"
    enabled = true

    transition {
      days = 30
      storage_class = "INTELLIGENT_TIERING"
    }

    expiration {
      days = var.cloudtrail-retain-days
    }
  }
}


resource "aws_s3_bucket_public_access_block" "s3-public-access-settings" {
  bucket = aws_s3_bucket.ct-bucket.id

  block_public_acls   = true
  block_public_policy = true
  ignore_public_acls =  true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_ownership_controls" "ctbucket-ownership-setting" {
  bucket = aws_s3_bucket.ct-bucket.id

  rule {
    object_ownership = "BucketOwnerPreferred"
  }
}
NEW: cloudtrail and cwl 2021-01-26 21:40:02 +08:00

			`data "aws_iam_policy_document" "cloudtrail_bucket_policy" {`
			`statement {`
			`sid = "AWSCloudTrailAclCheck"`

			`principals {`
			`type = "Service"`
			`identifiers = ["cloudtrail.amazonaws.com"]`
			`}`

			`actions = [`
			`"s3:GetBucketAcl",`
			`]`

			`resources = [`
			`"arn:aws:s3:::${local.ct-bucket-name}",`
			`]`
			`}`

			`statement {`
			`sid = "AWSCloudTrailWrite"`

			`principals {`
			`type = "Service"`
			`identifiers = ["config.amazonaws.com", "cloudtrail.amazonaws.com"]`
			`}`

			`actions = [`
UPD: adjusted bucket permissions 2021-01-28 09:25:50 +08:00			`"s3:PutObject"`
NEW: cloudtrail and cwl 2021-01-26 21:40:02 +08:00			`]`

			`resources = [`
UPD: adjusted bucket permissions 2021-01-28 09:25:50 +08:00			`"arn:aws:s3:::${local.ct-bucket-name}/*"`
NEW: cloudtrail and cwl 2021-01-26 21:40:02 +08:00			`]`
			`}`
UPD: adjusted bucket permissions 2021-01-28 09:25:50 +08:00
			`statement {`
			`sid = "ReadAccessForAccountOwner"`

			`principals {`
			`type = "AWS"`
			`identifiers = [data.aws_caller_identity.this.account_id]`
			`}`

			`actions = [`
			`"s3:Get*"`
			`]`

			`resources = [`
			`"arn:aws:s3:::${local.ct-bucket-name}",`
			`"arn:aws:s3:::${local.ct-bucket-name}/*"`
			`]`
			`}`

NEW: cloudtrail and cwl 2021-01-26 21:40:02 +08:00			`}`


			`resource "aws_s3_bucket" "ct-bucket" {`
			`bucket = local.ct-bucket-name`
UPD: adjusted bucket permissions 2021-01-28 09:25:50 +08:00			`policy = data.aws_iam_policy_document.cloudtrail_bucket_policy.json`

NEW: cloudtrail and cwl 2021-01-26 21:40:02 +08:00			`versioning {`
			`enabled = false`
			`}`
UPD: adjusted bucket permissions 2021-01-28 09:25:50 +08:00
NEW: cloudtrail and cwl 2021-01-26 21:40:02 +08:00			`server_side_encryption_configuration {`
			`rule {`
			`apply_server_side_encryption_by_default {`
			`kms_master_key_id = aws_kms_key.ctbucket-key.arn`
			`sse_algorithm = "aws:kms"`
			`}`
			`}`
			`}`
			`tags = var.default-tags`

			`lifecycle_rule {`
UPD: adjusted bucket permissions 2021-01-28 09:25:50 +08:00			`id = "${local.resource-prefix}-ctbucket-lifecycle-rule"`
			`enabled = true`

NEW: cloudtrail and cwl 2021-01-26 21:40:02 +08:00			`transition {`
			`days = 30`
			`storage_class = "INTELLIGENT_TIERING"`
			`}`
UPD: adjusted bucket permissions 2021-01-28 09:25:50 +08:00
NEW: cloudtrail and cwl 2021-01-26 21:40:02 +08:00			`expiration {`
NEW: iam roles 2021-01-27 09:42:51 +08:00			`days = var.cloudtrail-retain-days`
NEW: cloudtrail and cwl 2021-01-26 21:40:02 +08:00			`}`
			`}`
			`}`


			`resource "aws_s3_bucket_public_access_block" "s3-public-access-settings" {`
			`bucket = aws_s3_bucket.ct-bucket.id`

			`block_public_acls = true`
			`block_public_policy = true`
			`ignore_public_acls = true`
			`restrict_public_buckets = true`
UPD: adjusted bucket permissions 2021-01-28 09:25:50 +08:00			`}`

			`resource "aws_s3_bucket_ownership_controls" "ctbucket-ownership-setting" {`
			`bucket = aws_s3_bucket.ct-bucket.id`

			`rule {`
			`object_ownership = "BucketOwnerPreferred"`
			`}`
NEW: cloudtrail and cwl 2021-01-26 21:40:02 +08:00			`}`