From 1a3246f17694ffcee30a9ad4ec99989394c67ebc Mon Sep 17 00:00:00 2001 From: xpk Date: Thu, 28 Jan 2021 09:25:50 +0800 Subject: [PATCH] UPD: adjusted bucket permissions --- .../terraform.tfstate | 554 +++++++++++++++++- .../cloudtrail_cwlogs/ct-s3-bucket.tf | 40 +- 2 files changed, 563 insertions(+), 31 deletions(-) diff --git a/layers/security_identity_compliance/cloudtrail_cloudwatchlogs/terraform.tfstate b/layers/security_identity_compliance/cloudtrail_cloudwatchlogs/terraform.tfstate index fa569dd..dd6e6b5 100644 --- a/layers/security_identity_compliance/cloudtrail_cloudwatchlogs/terraform.tfstate +++ b/layers/security_identity_compliance/cloudtrail_cloudwatchlogs/terraform.tfstate @@ -1,10 +1,28 @@ { "version": 4, "terraform_version": "0.14.5", - "serial": 86, + "serial": 120, "lineage": "26e4bec8-8ad6-a262-52c6-fbcad6b7a499", "outputs": {}, "resources": [ + { + "mode": "data", + "type": "aws_caller_identity", + "name": "this", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "account_id": "573340405480", + "arn": "arn:aws:sts::573340405480:assumed-role/Rackspace/racker-ken2-eade1d93", + "id": "573340405480", + "user_id": "AROAYK7OAJ3UH36WGNMWD:racker-ken2-eade1d93" + }, + "sensitive_attributes": [] + } + ] + }, { "module": "module.cloudtrail-cwl", "mode": "data", @@ -17,7 +35,7 @@ "attributes": { "account_id": "573340405480", "arn": "arn:aws:sts::573340405480:assumed-role/Rackspace/racker-ken2-eade1d93", - "id": "2021-01-26 13:37:52.170204471 +0000 UTC", + "id": "573340405480", "user_id": "AROAYK7OAJ3UH36WGNMWD:racker-ken2-eade1d93" }, "sensitive_attributes": [] 
@@ -34,8 +52,8 @@ { "schema_version": 0, "attributes": { - "id": "995859125", - "json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"AWSCloudTrailAclCheck\",\n \"Effect\": \"Allow\",\n \"Action\": \"s3:GetBucketAcl\",\n \"Resource\": \"arn:aws:s3:::lab-apne1-kf-lime-ctbucket-573340405480\",\n \"Principal\": {\n \"Service\": \"cloudtrail.amazonaws.com\"\n }\n },\n {\n \"Sid\": \"AWSCloudTrailWrite\",\n \"Effect\": \"Allow\",\n \"Action\": \"s3:PutObject\",\n \"Resource\": \"arn:aws:s3:::lab-apne1-kf-lime-ctbucket-573340405480/*\",\n \"Principal\": {\n \"Service\": [\n \"config.amazonaws.com\",\n \"cloudtrail.amazonaws.com\"\n ]\n }\n }\n ]\n}", + "id": "2147598273", + "json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"AWSCloudTrailAclCheck\",\n \"Effect\": \"Allow\",\n \"Action\": \"s3:GetBucketAcl\",\n \"Resource\": \"arn:aws:s3:::lab-apne1-racken-cleanslate-ctbucket-573340405480\",\n \"Principal\": {\n \"Service\": \"cloudtrail.amazonaws.com\"\n }\n },\n {\n \"Sid\": \"AWSCloudTrailWrite\",\n \"Effect\": \"Allow\",\n \"Action\": \"s3:PutObject\",\n \"Resource\": \"arn:aws:s3:::lab-apne1-racken-cleanslate-ctbucket-573340405480/*\",\n \"Principal\": {\n \"Service\": [\n \"config.amazonaws.com\",\n \"cloudtrail.amazonaws.com\"\n ]\n }\n },\n {\n \"Sid\": \"ReadAccessForAccountOwner\",\n \"Effect\": \"Allow\",\n \"Action\": \"s3:Get*\",\n \"Resource\": [\n \"arn:aws:s3:::lab-apne1-racken-cleanslate-ctbucket-573340405480/*\",\n \"arn:aws:s3:::lab-apne1-racken-cleanslate-ctbucket-573340405480\"\n ],\n \"Principal\": {\n \"AWS\": \"573340405480\"\n }\n }\n ]\n}", "override_json": null, "policy_id": null, "source_json": null, @@ -58,7 +76,7 @@ } ], "resources": [ - "arn:aws:s3:::lab-apne1-kf-lime-ctbucket-573340405480" + "arn:aws:s3:::lab-apne1-racken-cleanslate-ctbucket-573340405480" ], "sid": "AWSCloudTrailAclCheck" }, 
@@ -81,9 +99,128 @@ } ], "resources": [ - "arn:aws:s3:::lab-apne1-kf-lime-ctbucket-573340405480/*" + "arn:aws:s3:::lab-apne1-racken-cleanslate-ctbucket-573340405480/*" ], "sid": "AWSCloudTrailWrite" + }, + { + "actions": [ + "s3:Get*" + ], + "condition": [], + "effect": "Allow", + "not_actions": [], + "not_principals": [], + "not_resources": [], + "principals": [ + { + "identifiers": [ + "573340405480" + ], + "type": "AWS" + } + ], + "resources": [ + "arn:aws:s3:::lab-apne1-racken-cleanslate-ctbucket-573340405480", + "arn:aws:s3:::lab-apne1-racken-cleanslate-ctbucket-573340405480/*" + ], + "sid": "ReadAccessForAccountOwner" + } + ], + "version": "2012-10-17" + }, + "sensitive_attributes": [] + } + ] + }, + { + "module": "module.cloudtrail-cwl", + "mode": "data", + "type": "aws_iam_policy_document", + "name": "ct-role-assumerole-policy", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "id": "3361274866", + "json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": \"sts:AssumeRole\",\n \"Principal\": {\n \"Service\": \"cloudtrail.amazonaws.com\"\n }\n }\n ]\n}", + "override_json": null, + "policy_id": null, + "source_json": null, + "statement": [ + { + "actions": [ + "sts:AssumeRole" + ], + "condition": [], + "effect": "Allow", + "not_actions": [], + "not_principals": [], + "not_resources": [], + "principals": [ + { + "identifiers": [ + "cloudtrail.amazonaws.com" + ], + "type": "Service" + } + ], + "resources": [], + "sid": "" + } + ], + "version": "2012-10-17" + }, + "sensitive_attributes": [] + } + ] + }, + { + "module": "module.cloudtrail-cwl", + "mode": "data", + "type": "aws_iam_policy_document", + "name": "ct-role-pdoc", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "id": "1046663528", + "json": "{\n \"Version\": \"2012-10-17\",\n 
\"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": \"logs:CreateLogStream\",\n \"Resource\": \"arn:aws:logs:ap-northeast-1:573340405480:log-group:lab-apne1-racken-cleanslate-cwl-001:log-stream:*\"\n },\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": \"logs:PutLogEvents\",\n \"Resource\": \"arn:aws:logs:ap-northeast-1:573340405480:log-group:lab-apne1-racken-cleanslate-cwl-001:log-stream:*\"\n }\n ]\n}", + "override_json": null, + "policy_id": null, + "source_json": null, + "statement": [ + { + "actions": [ + "logs:CreateLogStream" + ], + "condition": [], + "effect": "Allow", + "not_actions": [], + "not_principals": [], + "not_resources": [], + "principals": [], + "resources": [ + "arn:aws:logs:ap-northeast-1:573340405480:log-group:lab-apne1-racken-cleanslate-cwl-001:log-stream:*" + ], + "sid": "" + }, + { + "actions": [ + "logs:PutLogEvents" + ], + "condition": [], + "effect": "Allow", + "not_actions": [], + "not_principals": [], + "not_resources": [], + "principals": [], + "resources": [ + "arn:aws:logs:ap-northeast-1:573340405480:log-group:lab-apne1-racken-cleanslate-cwl-001:log-stream:*" + ], + "sid": "" } ], "version": "2012-10-17" 
@@ -176,6 +313,291 @@ } ] }, + { + "module": "module.cloudtrail-cwl", + "mode": "managed", + "type": "aws_cloudtrail", + "name": "default", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "arn": "arn:aws:cloudtrail:ap-northeast-1:573340405480:trail/lab-apne1-racken-cleanslate-trail-001", + "cloud_watch_logs_group_arn": "arn:aws:logs:ap-northeast-1:573340405480:log-group:lab-apne1-racken-cleanslate-cwl-001:*", + "cloud_watch_logs_role_arn": "arn:aws:iam::573340405480:role/lab-apne1-racken-cleanslate-cwl-role", + "enable_log_file_validation": true, + "enable_logging": true, + "event_selector": [ + { + "data_resource": [ + { + "type": "AWS::S3::Object", + "values": [ + "arn:aws:s3:::" + ] + }, + { + "type": "AWS::Lambda::Function", + "values": [ + "arn:aws:lambda" + ] + } + ], + "include_management_events": true, + "read_write_type": "All" + } + ], + "home_region": "ap-northeast-1", + "id": "lab-apne1-racken-cleanslate-trail-001", + "include_global_service_events": true, + "insight_selector": [], + "is_multi_region_trail": true, + "is_organization_trail": false, + "kms_key_id": "arn:aws:kms:ap-northeast-1:573340405480:key/1f740a00-6039-4914-91b5-e2f5ba475f5f", + "name": "lab-apne1-racken-cleanslate-trail-001", + "s3_bucket_name": "lab-apne1-racken-cleanslate-ctbucket-573340405480", + "s3_key_prefix": "", + "sns_topic_name": "", + "tags": { + "Application": "infra", + "BuildDate": "20210128", + "CreatedBy": "racker-ken2-eade1d93", + "Environment": "lab", + "Project": "cleanslate", + "ServiceProvider": "RackspaceTechnology", + "TerraformDir": "aws-baseline-infra/layers/security_identity_compliance/cloudtrail_cloudwatchlogs", + "TerraformMode": "managed" + } + }, + "sensitive_attributes": [], + "private": "bnVsbA==", + "dependencies": [ + "data.aws_caller_identity.this", + "module.cloudtrail-cwl.aws_cloudwatch_log_group.ct-cwl", + 
"module.cloudtrail-cwl.aws_iam_role.iam_cloudtrial_cloudwatch_role", + "module.cloudtrail-cwl.aws_kms_key.ctbucket-key", + "module.cloudtrail-cwl.data.aws_caller_identity.this", + "module.cloudtrail-cwl.data.aws_iam_policy_document.ct-role-assumerole-policy", + "module.cloudtrail-cwl.data.aws_iam_policy_document.key-policy" + ] + } + ] + }, + { + "module": "module.cloudtrail-cwl", + "mode": "managed", + "type": "aws_cloudwatch_log_group", + "name": "ct-cwl", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "arn": "arn:aws:logs:ap-northeast-1:573340405480:log-group:lab-apne1-racken-cleanslate-cwl-001", + "id": "lab-apne1-racken-cleanslate-cwl-001", + "kms_key_id": "arn:aws:kms:ap-northeast-1:573340405480:key/1f740a00-6039-4914-91b5-e2f5ba475f5f", + "name": "lab-apne1-racken-cleanslate-cwl-001", + "name_prefix": null, + "retention_in_days": 90, + "tags": { + "Application": "infra", + "BuildDate": "20210128", + "CreatedBy": "racker-ken2-eade1d93", + "Environment": "lab", + "Project": "cleanslate", + "ServiceProvider": "RackspaceTechnology", + "TerraformDir": "aws-baseline-infra/layers/security_identity_compliance/cloudtrail_cloudwatchlogs", + "TerraformMode": "managed" + } + }, + "sensitive_attributes": [], + "private": "bnVsbA==", + "dependencies": [ + "data.aws_caller_identity.this", + "module.cloudtrail-cwl.aws_kms_key.ctbucket-key", + "module.cloudtrail-cwl.data.aws_caller_identity.this", + "module.cloudtrail-cwl.data.aws_iam_policy_document.key-policy" + ] + } + ] + }, + { + "module": "module.cloudtrail-cwl", + "mode": "managed", + "type": "aws_cloudwatch_log_metric_filter", + "name": "cwl-metric-filter-cis11", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "id": "cis11-rootaccess-filter", + "log_group_name": "lab-apne1-racken-cleanslate-cwl-001", + "metric_transformation": [ + { + "default_value": 
"", + "name": "cis11-rootaccess-metric", + "namespace": "LogMetrics", + "value": "1" + } + ], + "name": "cis11-rootaccess-filter", + "pattern": "{$.userIdentity.type=\"Root\" \u0026\u0026 $.userIdentity.invokedBy NOT EXISTS \u0026\u0026 $.eventType !=\"AwsServiceEvent\"}" + }, + "sensitive_attributes": [], + "private": "bnVsbA==", + "dependencies": [ + "data.aws_caller_identity.this", + "module.cloudtrail-cwl.aws_cloudwatch_log_group.ct-cwl", + "module.cloudtrail-cwl.aws_kms_key.ctbucket-key", + "module.cloudtrail-cwl.data.aws_caller_identity.this", + "module.cloudtrail-cwl.data.aws_iam_policy_document.key-policy" + ] + } + ] + }, + { + "module": "module.cloudtrail-cwl", + "mode": "managed", + "type": "aws_cloudwatch_metric_alarm", + "name": "cis11-rootaccess-alarm", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + "instances": [ + { + "schema_version": 1, + "attributes": { + "actions_enabled": true, + "alarm_actions": [], + "alarm_description": "Root access is detected from cloudtrail", + "alarm_name": "cis11-rootaccess-alarm", + "arn": "arn:aws:cloudwatch:ap-northeast-1:573340405480:alarm:cis11-rootaccess-alarm", + "comparison_operator": "GreaterThanOrEqualToThreshold", + "datapoints_to_alarm": 0, + "dimensions": {}, + "evaluate_low_sample_count_percentiles": "", + "evaluation_periods": 1, + "extended_statistic": "", + "id": "cis11-rootaccess-alarm", + "insufficient_data_actions": [], + "metric_name": "cis11-rootaccess-metric", + "metric_query": [], + "namespace": "LogMetrics", + "ok_actions": [], + "period": 300, + "statistic": "Average", + "tags": {}, + "threshold": 1, + "threshold_metric_id": "", + "treat_missing_data": "notBreaching", + "unit": "" + }, + "sensitive_attributes": [], + "private": "eyJzY2hlbWFfdmVyc2lvbiI6IjEifQ==" + } + ] + }, + { + "module": "module.cloudtrail-cwl", + "mode": "managed", + "type": "aws_iam_role", + "name": "iam_cloudtrial_cloudwatch_role", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + 
"instances": [ + { + "schema_version": 0, + "attributes": { + "arn": "arn:aws:iam::573340405480:role/lab-apne1-racken-cleanslate-cwl-role", + "assume_role_policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"cloudtrail.amazonaws.com\"},\"Action\":\"sts:AssumeRole\"}]}", + "create_date": "2021-01-28T01:08:17Z", + "description": "Enables AWS CloudTrail to deliver log to CloudWatch log", + "force_detach_policies": false, + "id": "lab-apne1-racken-cleanslate-cwl-role", + "max_session_duration": 3600, + "name": "lab-apne1-racken-cleanslate-cwl-role", + "name_prefix": null, + "path": "/", + "permissions_boundary": null, + "tags": { + "Application": "infra", + "BuildDate": "20210128", + "CreatedBy": "racker-ken2-eade1d93", + "Environment": "lab", + "Project": "cleanslate", + "ServiceProvider": "RackspaceTechnology", + "TerraformDir": "aws-baseline-infra/layers/security_identity_compliance/cloudtrail_cloudwatchlogs", + "TerraformMode": "managed" + }, + "unique_id": "AROAYK7OAJ3ULYJS5RX3N" + }, + "sensitive_attributes": [], + "private": "bnVsbA==", + "dependencies": [ + "data.aws_caller_identity.this", + "module.cloudtrail-cwl.data.aws_iam_policy_document.ct-role-assumerole-policy" + ] + } + ] + }, + { + "module": "module.cloudtrail-cwl", + "mode": "managed", + "type": "aws_iam_role_policy", + "name": "iam_cloudtrial_cloudwatach_role_policy", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "id": "lab-apne1-racken-cleanslate-cwl-role:lab-apne1-racken-cleanslate-cwl-role-policy", + "name": "lab-apne1-racken-cleanslate-cwl-role-policy", + "name_prefix": null, + "policy": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": \"logs:CreateLogStream\",\n \"Resource\": \"arn:aws:logs:ap-northeast-1:573340405480:log-group:lab-apne1-racken-cleanslate-cwl-001:log-stream:*\"\n },\n 
{\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": \"logs:PutLogEvents\",\n \"Resource\": \"arn:aws:logs:ap-northeast-1:573340405480:log-group:lab-apne1-racken-cleanslate-cwl-001:log-stream:*\"\n }\n ]\n}", + "role": "lab-apne1-racken-cleanslate-cwl-role" + }, + "sensitive_attributes": [], + "private": "bnVsbA==", + "dependencies": [ + "data.aws_caller_identity.this", + "module.cloudtrail-cwl.aws_cloudwatch_log_group.ct-cwl", + "module.cloudtrail-cwl.aws_iam_role.iam_cloudtrial_cloudwatch_role", + "module.cloudtrail-cwl.aws_kms_key.ctbucket-key", + "module.cloudtrail-cwl.data.aws_caller_identity.this", + "module.cloudtrail-cwl.data.aws_iam_policy_document.ct-role-assumerole-policy", + "module.cloudtrail-cwl.data.aws_iam_policy_document.ct-role-pdoc", + "module.cloudtrail-cwl.data.aws_iam_policy_document.key-policy" + ] + } + ] + }, + { + "module": "module.cloudtrail-cwl", + "mode": "managed", + "type": "aws_kms_alias", + "name": "ctbucket-key-aliaas", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "arn": "arn:aws:kms:ap-northeast-1:573340405480:alias/lab-apne1-racken-cleanslate-ctkey-alias", + "id": "alias/lab-apne1-racken-cleanslate-ctkey-alias", + "name": "alias/lab-apne1-racken-cleanslate-ctkey-alias", + "name_prefix": null, + "target_key_arn": "arn:aws:kms:ap-northeast-1:573340405480:key/1f740a00-6039-4914-91b5-e2f5ba475f5f", + "target_key_id": "1f740a00-6039-4914-91b5-e2f5ba475f5f" + }, + "sensitive_attributes": [], + "private": "bnVsbA==", + "dependencies": [ + "data.aws_caller_identity.this", + "module.cloudtrail-cwl.aws_kms_key.ctbucket-key", + "module.cloudtrail-cwl.data.aws_caller_identity.this", + "module.cloudtrail-cwl.data.aws_iam_policy_document.key-policy" + ] + } + ] + }, { "module": "module.cloudtrail-cwl", "mode": "managed", 
@@ -186,27 +608,34 @@ { "schema_version": 0, "attributes": { - "arn": "arn:aws:kms:ap-northeast-1:573340405480:key/ba826c02-4153-4056-ad75-2614912c6274", + "arn": "arn:aws:kms:ap-northeast-1:573340405480:key/1f740a00-6039-4914-91b5-e2f5ba475f5f", "customer_master_key_spec": "SYMMETRIC_DEFAULT", "deletion_window_in_days": 7, "description": "", "enable_key_rotation": false, - "id": "ba826c02-4153-4056-ad75-2614912c6274", + "id": "1f740a00-6039-4914-91b5-e2f5ba475f5f", "is_enabled": true, - "key_id": "ba826c02-4153-4056-ad75-2614912c6274", + "key_id": "1f740a00-6039-4914-91b5-e2f5ba475f5f", "key_usage": "ENCRYPT_DECRYPT", - "policy": "{\"Statement\":[{\"Action\":[\"kms:ReEncrypt*\",\"kms:GenerateDataKey*\",\"kms:Encrypt\",\"kms:DescribeKey\",\"kms:Decrypt\"],\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"eks-nodegroup.amazonaws.com\",\"delivery.logs.amazonaws.com\",\"eks.amazonaws.com\",\"events.amazonaws.com\",\"autoscaling.amazonaws.com\",\"logs.amazonaws.com\",\"sqs.amazonaws.com\",\"backup.amazonaws.com\",\"guardduty.amazonaws.com\",\"cloudtrail.amazonaws.com\",\"lambda.amazonaws.com\",\"cloudwatch.amazonaws.com\",\"sns.amazonaws.com\",\"s3.amazonaws.com\"]},\"Resource\":\"*\",\"Sid\":\"Key usage by aws services\"},{\"Action\":\"kms:*\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::573340405480:root\"},\"Resource\":\"*\",\"Sid\":\"Key administrator\"}],\"Version\":\"2012-10-17\"}", + "policy": 
"{\"Statement\":[{\"Action\":[\"kms:ReEncrypt*\",\"kms:GenerateDataKey*\",\"kms:Encrypt\",\"kms:DescribeKey\",\"kms:Decrypt\"],\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"logs.amazonaws.com\",\"lambda.amazonaws.com\",\"eks.amazonaws.com\",\"cloudtrail.amazonaws.com\",\"s3.amazonaws.com\",\"backup.amazonaws.com\",\"guardduty.amazonaws.com\",\"events.amazonaws.com\",\"autoscaling.amazonaws.com\",\"sqs.amazonaws.com\",\"delivery.logs.amazonaws.com\",\"sns.amazonaws.com\",\"eks-nodegroup.amazonaws.com\",\"cloudwatch.amazonaws.com\"]},\"Resource\":\"*\",\"Sid\":\"Key usage by aws services\"},{\"Action\":\"kms:*\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::573340405480:root\"},\"Resource\":\"*\",\"Sid\":\"Key administrator\"}],\"Version\":\"2012-10-17\"}", "tags": { "Application": "infra", - "BuildDate": "20210126", + "BuildDate": "20210128", + "CreatedBy": "racker-ken2-eade1d93", "Environment": "lab", - "Project": "lime", - "ServiceProvider": "Rackspace", + "Project": "cleanslate", + "ServiceProvider": "RackspaceTechnology", + "TerraformDir": "aws-baseline-infra/layers/security_identity_compliance/cloudtrail_cloudwatchlogs", "TerraformMode": "managed" } }, "sensitive_attributes": [], - "private": "bnVsbA==" + "private": "bnVsbA==", + "dependencies": [ + "data.aws_caller_identity.this", + "module.cloudtrail-cwl.data.aws_caller_identity.this", + "module.cloudtrail-cwl.data.aws_iam_policy_document.key-policy" + ] } ] }, 
@@ -222,20 +651,20 @@ "attributes": { "acceleration_status": "", "acl": "private", - "arn": "arn:aws:s3:::lab-apne1-kf-lime-ctbucket-573340405480", - "bucket": "lab-apne1-kf-lime-ctbucket-573340405480", - "bucket_domain_name": "lab-apne1-kf-lime-ctbucket-573340405480.s3.amazonaws.com", + "arn": "arn:aws:s3:::lab-apne1-racken-cleanslate-ctbucket-573340405480", + "bucket": "lab-apne1-racken-cleanslate-ctbucket-573340405480", + "bucket_domain_name": "lab-apne1-racken-cleanslate-ctbucket-573340405480.s3.amazonaws.com", "bucket_prefix": null, - "bucket_regional_domain_name": "lab-apne1-kf-lime-ctbucket-573340405480.s3.ap-northeast-1.amazonaws.com", + "bucket_regional_domain_name": "lab-apne1-racken-cleanslate-ctbucket-573340405480.s3.ap-northeast-1.amazonaws.com", "cors_rule": [], "force_destroy": false, "grant": [], "hosted_zone_id": "Z2M4EHUR26P7ZW", - "id": "lab-apne1-kf-lime-ctbucket-573340405480", + "id": "lab-apne1-racken-cleanslate-ctbucket-573340405480", "lifecycle_rule": [ { "abort_incomplete_multipart_upload_days": 0, - "enabled": false, + "enabled": true, "expiration": [ { "date": "", @@ -243,7 +672,7 @@ "expired_object_delete_marker": false } ], - "id": "tf-s3-lifecycle-20210126114512193400000001", + "id": "lab-apne1-racken-cleanslate-ctbucket-lifecycle-rule", "noncurrent_version_expiration": [], "noncurrent_version_transition": [], "prefix": "", 
@@ -259,7 +688,7 @@ ], "logging": [], "object_lock_configuration": [], - "policy": "{\"Statement\":[{\"Action\":\"s3:GetBucketAcl\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"cloudtrail.amazonaws.com\"},\"Resource\":\"arn:aws:s3:::lab-apne1-kf-lime-ctbucket-573340405480\",\"Sid\":\"AWSCloudTrailAclCheck\"},{\"Action\":\"s3:PutObject\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"config.amazonaws.com\",\"cloudtrail.amazonaws.com\"]},\"Resource\":\"arn:aws:s3:::lab-apne1-kf-lime-ctbucket-573340405480/*\",\"Sid\":\"AWSCloudTrailWrite\"}],\"Version\":\"2012-10-17\"}", + "policy": "{\"Statement\":[{\"Action\":\"s3:GetBucketAcl\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"cloudtrail.amazonaws.com\"},\"Resource\":\"arn:aws:s3:::lab-apne1-racken-cleanslate-ctbucket-573340405480\",\"Sid\":\"AWSCloudTrailAclCheck\"},{\"Action\":\"s3:PutObject\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cloudtrail.amazonaws.com\",\"config.amazonaws.com\"]},\"Resource\":\"arn:aws:s3:::lab-apne1-racken-cleanslate-ctbucket-573340405480/*\",\"Sid\":\"AWSCloudTrailWrite\"},{\"Action\":\"s3:Get*\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::573340405480:root\"},\"Resource\":[\"arn:aws:s3:::lab-apne1-racken-cleanslate-ctbucket-573340405480/*\",\"arn:aws:s3:::lab-apne1-racken-cleanslate-ctbucket-573340405480\"],\"Sid\":\"ReadAccessForAccountOwner\"}],\"Version\":\"2012-10-17\"}", "region": "ap-northeast-1", "replication_configuration": [], "request_payer": "BucketOwner", @@ -269,7 +698,7 @@ { "apply_server_side_encryption_by_default": [ { - "kms_master_key_id": "arn:aws:kms:ap-northeast-1:573340405480:key/ba826c02-4153-4056-ad75-2614912c6274", + "kms_master_key_id": "arn:aws:kms:ap-northeast-1:573340405480:key/1f740a00-6039-4914-91b5-e2f5ba475f5f", "sse_algorithm": "aws:kms" } ] 
@@ -279,10 +708,12 @@ ], "tags": { "Application": "infra", - "BuildDate": "20210126", + "BuildDate": "20210128", + "CreatedBy": "racker-ken2-eade1d93", "Environment": "lab", - "Project": "lime", - "ServiceProvider": "Rackspace", + "Project": "cleanslate", + "ServiceProvider": "RackspaceTechnology", + "TerraformDir": "aws-baseline-infra/layers/security_identity_compliance/cloudtrail_cloudwatchlogs", "TerraformMode": "managed" }, "versioning": [ 
@@ -295,7 +726,76 @@ "website_domain": null, "website_endpoint": null }, - "sensitive_attributes": [] + "sensitive_attributes": [], + "private": "bnVsbA==", + "dependencies": [ + "data.aws_caller_identity.this", + "module.cloudtrail-cwl.aws_kms_key.ctbucket-key", + "module.cloudtrail-cwl.data.aws_caller_identity.this", + "module.cloudtrail-cwl.data.aws_iam_policy_document.cloudtrail_bucket_policy", + "module.cloudtrail-cwl.data.aws_iam_policy_document.key-policy" + ] + } + ] + }, + { + "module": "module.cloudtrail-cwl", + "mode": "managed", + "type": "aws_s3_bucket_ownership_controls", + "name": "ctbucket-ownership-setting", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "bucket": "lab-apne1-racken-cleanslate-ctbucket-573340405480", + "id": "lab-apne1-racken-cleanslate-ctbucket-573340405480", + "rule": [ + { + "object_ownership": "BucketOwnerPreferred" + } + ] + }, + "sensitive_attributes": [], + "private": "bnVsbA==", + "dependencies": [ + "data.aws_caller_identity.this", + "module.cloudtrail-cwl.aws_kms_key.ctbucket-key", + "module.cloudtrail-cwl.aws_s3_bucket.ct-bucket", + "module.cloudtrail-cwl.data.aws_caller_identity.this", + "module.cloudtrail-cwl.data.aws_iam_policy_document.cloudtrail_bucket_policy", + "module.cloudtrail-cwl.data.aws_iam_policy_document.key-policy" + ] + } + ] + }, + { + "module": "module.cloudtrail-cwl", + "mode": "managed", + "type": "aws_s3_bucket_public_access_block", + "name": "s3-public-access-settings", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "block_public_acls": true, + "block_public_policy": true, + "bucket": "lab-apne1-racken-cleanslate-ctbucket-573340405480", + "id": "lab-apne1-racken-cleanslate-ctbucket-573340405480", + "ignore_public_acls": true, + "restrict_public_buckets": true + }, + "sensitive_attributes": [], + "private": "bnVsbA==", + 
"dependencies": [ + "data.aws_caller_identity.this", + "module.cloudtrail-cwl.aws_kms_key.ctbucket-key", + "module.cloudtrail-cwl.aws_s3_bucket.ct-bucket", + "module.cloudtrail-cwl.data.aws_caller_identity.this", + "module.cloudtrail-cwl.data.aws_iam_policy_document.cloudtrail_bucket_policy", + "module.cloudtrail-cwl.data.aws_iam_policy_document.key-policy" + ] } ] } diff --git a/modules/security_identity_compliance/cloudtrail_cwlogs/ct-s3-bucket.tf b/modules/security_identity_compliance/cloudtrail_cwlogs/ct-s3-bucket.tf index 271ca16..2892258 100644 --- a/modules/security_identity_compliance/cloudtrail_cwlogs/ct-s3-bucket.tf +++ b/modules/security_identity_compliance/cloudtrail_cwlogs/ct-s3-bucket.tf @@ -27,22 +27,43 @@ data "aws_iam_policy_document" "cloudtrail_bucket_policy" { } actions = [ - "s3:PutObject", + "s3:PutObject" ] resources = [ - "arn:aws:s3:::${local.ct-bucket-name}/*", + "arn:aws:s3:::${local.ct-bucket-name}/*" ] } + + statement { + sid = "ReadAccessForAccountOwner" + + principals { + type = "AWS" + identifiers = [data.aws_caller_identity.this.account_id] + } + + actions = [ + "s3:Get*" + ] + + resources = [ + "arn:aws:s3:::${local.ct-bucket-name}", + "arn:aws:s3:::${local.ct-bucket-name}/*" + ] + } + } resource "aws_s3_bucket" "ct-bucket" { bucket = local.ct-bucket-name - policy = join("", data.aws_iam_policy_document.cloudtrail_bucket_policy.*.json) + policy = data.aws_iam_policy_document.cloudtrail_bucket_policy.json + versioning { enabled = false } + server_side_encryption_configuration { rule { apply_server_side_encryption_by_default { @@ -54,11 +75,14 @@ resource "aws_s3_bucket" "ct-bucket" { tags = var.default-tags lifecycle_rule { - enabled = false + id = "${local.resource-prefix}-ctbucket-lifecycle-rule" + enabled = true + transition { days = 30 storage_class = "INTELLIGENT_TIERING" } + expiration { days = var.cloudtrail-retain-days } 
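Review bot: The new `ReadAccessForAccountOwner` statement grants `s3:Get*` on the trail bucket to the bare account ID, which S3 stores as `arn:aws:iam::<account>:root`; as far as I can tell from the policy-evaluation rules that only delegates to the account (every principal there still needs an identity policy), so it neither scopes who may read audit logs nor adds a useful guard, and a log bucket is better served by naming the specific audit/security role ARNs in `identifiers` and narrowing to `actions = ["s3:GetObject", "s3:GetBucketLocation"]` (plus `s3:ListBucket` only if enumeration is needed). The adjacent `AWSCloudTrailWrite` statement, whose `principals` block starts above this hunk, still carries no `condition` block — the rendered policy in the committed state confirms it — so any account that knows the bucket name can point a trail or Config delivery channel at it, and nothing requires the `bucket-owner-full-control` ACL that the new `BucketOwnerPreferred` ownership setting relies on; the two condition blocks below close both gaps (an `aws:SourceArn` pin to the trail ARN is tighter, but referencing `aws_cloudtrail` from the bucket policy would likely create a dependency cycle here, so `aws:SourceAccount` is the practical form). Separately, the `terraform.tfstate` committed in this same patch carries account IDs, role ARNs and KMS key IDs and is normally kept in a remote backend rather than in git.
```hcl
    # … unchanged: AWSCloudTrailWrite principals / actions …
    resources = [
      "arn:aws:s3:::${local.ct-bucket-name}/*"
    ]

    # CloudTrail and Config deliver with this ACL; requiring it guarantees the bucket
    # owner owns every log object instead of relying on BucketOwnerPreferred alone.
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }

    # Confused-deputy guard: only trails/delivery channels in this account may write here.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.this.account_id]
    }
```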
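Review bot: Flipping the lifecycle rule to `enabled = true` turns `expiration { days = var.cloudtrail-retain-days }` into an active deletion of trail logs, and because the bucket keeps `versioning { enabled = false }` (context lines in the preceding hunk) an expired log object is unrecoverable, so the retention variable is now an audit-integrity control rather than a cost setting. I would add a `validation` block on `cloudtrail-retain-days` where the variable is declared (outside this hunk) that rejects values below the organisation's retention floor, e.g. `condition = var.cloudtrail-retain-days >= 365` with an `error_message` explaining the audit requirement, and mark the rule itself with `# expiration is destructive: versioning is off, so objects past retain-days are gone for good`. Versioning with MFA delete, or S3 Object Lock, is the usual complement for a log bucket, but that is a separate change from this one.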
@@ -73,4 +97,12 @@ resource "aws_s3_bucket_public_access_block" "s3-public-access-settings" { block_public_policy = true ignore_public_acls = true restrict_public_buckets = true +} + +resource "aws_s3_bucket_ownership_controls" "ctbucket-ownership-setting" { + bucket = aws_s3_bucket.ct-bucket.id + + rule { + object_ownership = "BucketOwnerPreferred" + } } \ No newline at end of file
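Review bot: `object_ownership = "BucketOwnerPreferred"` only transfers ownership of objects uploaded with the `bucket-owner-full-control` ACL, and nothing in this resource enforces that the writers set it, so its effect depends on CloudTrail's and Config's default behaviour rather than on anything this module guarantees; the rule deserves a comment such as `# Writers must upload with bucket-owner-full-control for this to take effect; pair with an s3:x-amz-acl condition in the bucket policy`. Newer provider releases offer `BucketOwnerEnforced`, which disables ACLs on the bucket entirely and is now the commonly recommended setting for log buckets, but it post-dates the Terraform/provider versions recorded in the state file of this patch, so treat it as a follow-up once the provider is upgraded. The file also loses its trailing newline (`\ No newline at end of file`), which `terraform fmt` would restore.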