xpk/terraform.aws-baseline-infra
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

UPD: adjusted bucket permissions

Browse Source
This commit is contained in:
xpk 2021-01-28 09:25:50 +08:00
parent 3ddc62ab64
commit 1a3246f176
Signed by: xpk
GPG Key ID: CD4FF6793F09AB86
2 changed files with 563 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

554
layers/security_identity_compliance/cloudtrail_cloudwatchlogs/terraform.tfstate
View File

@ -1,10 +1,28 @@
{ {
"version": 4, "version": 4,
"terraform_version": "0.14.5", "terraform_version": "0.14.5",
"serial": 86, "serial": 120,
"lineage": "26e4bec8-8ad6-a262-52c6-fbcad6b7a499", "lineage": "26e4bec8-8ad6-a262-52c6-fbcad6b7a499",
"outputs": {}, "outputs": {},
"resources": [ "resources": [
{
"mode": "data",
"type": "aws_caller_identity",
"name": "this",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"account_id": "573340405480",
"arn": "arn:aws:sts::573340405480:assumed-role/Rackspace/racker-ken2-eade1d93",
"id": "573340405480",
"user_id": "AROAYK7OAJ3UH36WGNMWD:racker-ken2-eade1d93"
},
"sensitive_attributes": []
}
]
},
{ {
"module": "module.cloudtrail-cwl", "module": "module.cloudtrail-cwl",
"mode": "data", "mode": "data",
@ -17,7 +35,7 @@
"attributes": { "attributes": {
"account_id": "573340405480", "account_id": "573340405480",
"arn": "arn:aws:sts::573340405480:assumed-role/Rackspace/racker-ken2-eade1d93", "arn": "arn:aws:sts::573340405480:assumed-role/Rackspace/racker-ken2-eade1d93",
"id": "2021-01-26 13:37:52.170204471 +0000 UTC", "id": "573340405480",
"user_id": "AROAYK7OAJ3UH36WGNMWD:racker-ken2-eade1d93" "user_id": "AROAYK7OAJ3UH36WGNMWD:racker-ken2-eade1d93"
}, },
"sensitive_attributes": [] "sensitive_attributes": []
@ -34,8 +52,8 @@
{ {
"schema_version": 0, "schema_version": 0,
"attributes": { "attributes": {
"id": "995859125", "id": "2147598273",
"json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"AWSCloudTrailAclCheck\",\n \"Effect\": \"Allow\",\n \"Action\": \"s3:GetBucketAcl\",\n \"Resource\": \"arn:aws:s3:::lab-apne1-kf-lime-ctbucket-573340405480\",\n \"Principal\": {\n \"Service\": \"cloudtrail.amazonaws.com\"\n }\n },\n {\n \"Sid\": \"AWSCloudTrailWrite\",\n \"Effect\": \"Allow\",\n \"Action\": \"s3:PutObject\",\n \"Resource\": \"arn:aws:s3:::lab-apne1-kf-lime-ctbucket-573340405480/*\",\n \"Principal\": {\n \"Service\": [\n \"config.amazonaws.com\",\n \"cloudtrail.amazonaws.com\"\n ]\n }\n }\n ]\n}", "json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"AWSCloudTrailAclCheck\",\n \"Effect\": \"Allow\",\n \"Action\": \"s3:GetBucketAcl\",\n \"Resource\": \"arn:aws:s3:::lab-apne1-racken-cleanslate-ctbucket-573340405480\",\n \"Principal\": {\n \"Service\": \"cloudtrail.amazonaws.com\"\n }\n },\n {\n \"Sid\": \"AWSCloudTrailWrite\",\n \"Effect\": \"Allow\",\n \"Action\": \"s3:PutObject\",\n \"Resource\": \"arn:aws:s3:::lab-apne1-racken-cleanslate-ctbucket-573340405480/*\",\n \"Principal\": {\n \"Service\": [\n \"config.amazonaws.com\",\n \"cloudtrail.amazonaws.com\"\n ]\n }\n },\n {\n \"Sid\": \"ReadAccessForAccountOwner\",\n \"Effect\": \"Allow\",\n \"Action\": \"s3:Get*\",\n \"Resource\": [\n \"arn:aws:s3:::lab-apne1-racken-cleanslate-ctbucket-573340405480/*\",\n \"arn:aws:s3:::lab-apne1-racken-cleanslate-ctbucket-573340405480\"\n ],\n \"Principal\": {\n \"AWS\": \"573340405480\"\n }\n }\n ]\n}",
"override_json": null, "override_json": null,
"policy_id": null, "policy_id": null,
"source_json": null, "source_json": null,
@ -58,7 +76,7 @@
} }
], ],
"resources": [ "resources": [
"arn:aws:s3:::lab-apne1-kf-lime-ctbucket-573340405480" "arn:aws:s3:::lab-apne1-racken-cleanslate-ctbucket-573340405480"
], ],
"sid": "AWSCloudTrailAclCheck" "sid": "AWSCloudTrailAclCheck"
}, },
@ -81,9 +99,128 @@
} }
], ],
"resources": [ "resources": [
"arn:aws:s3:::lab-apne1-kf-lime-ctbucket-573340405480/*" "arn:aws:s3:::lab-apne1-racken-cleanslate-ctbucket-573340405480/*"
], ],
"sid": "AWSCloudTrailWrite" "sid": "AWSCloudTrailWrite"
},
{
"actions": [
"s3:Get*"
],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [
{
"identifiers": [
"573340405480"
],
"type": "AWS"
}
],
"resources": [
"arn:aws:s3:::lab-apne1-racken-cleanslate-ctbucket-573340405480",
"arn:aws:s3:::lab-apne1-racken-cleanslate-ctbucket-573340405480/*"
],
"sid": "ReadAccessForAccountOwner"
}
],
"version": "2012-10-17"
},
"sensitive_attributes": []
}
]
},
{
"module": "module.cloudtrail-cwl",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "ct-role-assumerole-policy",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"id": "3361274866",
"json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": \"sts:AssumeRole\",\n \"Principal\": {\n \"Service\": \"cloudtrail.amazonaws.com\"\n }\n }\n ]\n}",
"override_json": null,
"policy_id": null,
"source_json": null,
"statement": [
{
"actions": [
"sts:AssumeRole"
],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [
{
"identifiers": [
"cloudtrail.amazonaws.com"
],
"type": "Service"
}
],
"resources": [],
"sid": ""
}
],
"version": "2012-10-17"
},
"sensitive_attributes": []
}
]
},
{
"module": "module.cloudtrail-cwl",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "ct-role-pdoc",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"id": "1046663528",
"json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": \"logs:CreateLogStream\",\n \"Resource\": \"arn:aws:logs:ap-northeast-1:573340405480:log-group:lab-apne1-racken-cleanslate-cwl-001:log-stream:*\"\n },\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": \"logs:PutLogEvents\",\n \"Resource\": \"arn:aws:logs:ap-northeast-1:573340405480:log-group:lab-apne1-racken-cleanslate-cwl-001:log-stream:*\"\n }\n ]\n}",
"override_json": null,
"policy_id": null,
"source_json": null,
"statement": [
{
"actions": [
"logs:CreateLogStream"
],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": [
"arn:aws:logs:ap-northeast-1:573340405480:log-group:lab-apne1-racken-cleanslate-cwl-001:log-stream:*"
],
"sid": ""
},
{
"actions": [
"logs:PutLogEvents"
],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": [
"arn:aws:logs:ap-northeast-1:573340405480:log-group:lab-apne1-racken-cleanslate-cwl-001:log-stream:*"
],
"sid": ""
} }
], ],
"version": "2012-10-17" "version": "2012-10-17"
@ -176,6 +313,291 @@
} }
] ]
}, },
{
"module": "module.cloudtrail-cwl",
"mode": "managed",
"type": "aws_cloudtrail",
"name": "default",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"arn": "arn:aws:cloudtrail:ap-northeast-1:573340405480:trail/lab-apne1-racken-cleanslate-trail-001",
"cloud_watch_logs_group_arn": "arn:aws:logs:ap-northeast-1:573340405480:log-group:lab-apne1-racken-cleanslate-cwl-001:*",
"cloud_watch_logs_role_arn": "arn:aws:iam::573340405480:role/lab-apne1-racken-cleanslate-cwl-role",
"enable_log_file_validation": true,
"enable_logging": true,
"event_selector": [
{
"data_resource": [
{
"type": "AWS::S3::Object",
"values": [
"arn:aws:s3:::"
]
},
{
"type": "AWS::Lambda::Function",
"values": [
"arn:aws:lambda"
]
}
],
"include_management_events": true,
"read_write_type": "All"
}
],
"home_region": "ap-northeast-1",
"id": "lab-apne1-racken-cleanslate-trail-001",
"include_global_service_events": true,
"insight_selector": [],
"is_multi_region_trail": true,
"is_organization_trail": false,
"kms_key_id": "arn:aws:kms:ap-northeast-1:573340405480:key/1f740a00-6039-4914-91b5-e2f5ba475f5f",
"name": "lab-apne1-racken-cleanslate-trail-001",
"s3_bucket_name": "lab-apne1-racken-cleanslate-ctbucket-573340405480",
"s3_key_prefix": "",
"sns_topic_name": "",
"tags": {
"Application": "infra",
"BuildDate": "20210128",
"CreatedBy": "racker-ken2-eade1d93",
"Environment": "lab",
"Project": "cleanslate",
"ServiceProvider": "RackspaceTechnology",
"TerraformDir": "aws-baseline-infra/layers/security_identity_compliance/cloudtrail_cloudwatchlogs",
"TerraformMode": "managed"
}
},
"sensitive_attributes": [],
"private": "bnVsbA==",
"dependencies": [
"data.aws_caller_identity.this",
"module.cloudtrail-cwl.aws_cloudwatch_log_group.ct-cwl",
"module.cloudtrail-cwl.aws_iam_role.iam_cloudtrial_cloudwatch_role",
"module.cloudtrail-cwl.aws_kms_key.ctbucket-key",
"module.cloudtrail-cwl.data.aws_caller_identity.this",
"module.cloudtrail-cwl.data.aws_iam_policy_document.ct-role-assumerole-policy",
"module.cloudtrail-cwl.data.aws_iam_policy_document.key-policy"
]
}
]
},
{
"module": "module.cloudtrail-cwl",
"mode": "managed",
"type": "aws_cloudwatch_log_group",
"name": "ct-cwl",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"arn": "arn:aws:logs:ap-northeast-1:573340405480:log-group:lab-apne1-racken-cleanslate-cwl-001",
"id": "lab-apne1-racken-cleanslate-cwl-001",
"kms_key_id": "arn:aws:kms:ap-northeast-1:573340405480:key/1f740a00-6039-4914-91b5-e2f5ba475f5f",
"name": "lab-apne1-racken-cleanslate-cwl-001",
"name_prefix": null,
"retention_in_days": 90,
"tags": {
"Application": "infra",
"BuildDate": "20210128",
"CreatedBy": "racker-ken2-eade1d93",
"Environment": "lab",
"Project": "cleanslate",
"ServiceProvider": "RackspaceTechnology",
"TerraformDir": "aws-baseline-infra/layers/security_identity_compliance/cloudtrail_cloudwatchlogs",
"TerraformMode": "managed"
}
},
"sensitive_attributes": [],
"private": "bnVsbA==",
"dependencies": [
"data.aws_caller_identity.this",
"module.cloudtrail-cwl.aws_kms_key.ctbucket-key",
"module.cloudtrail-cwl.data.aws_caller_identity.this",
"module.cloudtrail-cwl.data.aws_iam_policy_document.key-policy"
]
}
]
},
{
"module": "module.cloudtrail-cwl",
"mode": "managed",
"type": "aws_cloudwatch_log_metric_filter",
"name": "cwl-metric-filter-cis11",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"id": "cis11-rootaccess-filter",
"log_group_name": "lab-apne1-racken-cleanslate-cwl-001",
"metric_transformation": [
{
"default_value": "",
"name": "cis11-rootaccess-metric",
"namespace": "LogMetrics",
"value": "1"
}
],
"name": "cis11-rootaccess-filter",
"pattern": "{$.userIdentity.type=\"Root\" \u0026\u0026 $.userIdentity.invokedBy NOT EXISTS \u0026\u0026 $.eventType !=\"AwsServiceEvent\"}"
},
"sensitive_attributes": [],
"private": "bnVsbA==",
"dependencies": [
"data.aws_caller_identity.this",
"module.cloudtrail-cwl.aws_cloudwatch_log_group.ct-cwl",
"module.cloudtrail-cwl.aws_kms_key.ctbucket-key",
"module.cloudtrail-cwl.data.aws_caller_identity.this",
"module.cloudtrail-cwl.data.aws_iam_policy_document.key-policy"
]
}
]
},
{
"module": "module.cloudtrail-cwl",
"mode": "managed",
"type": "aws_cloudwatch_metric_alarm",
"name": "cis11-rootaccess-alarm",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 1,
"attributes": {
"actions_enabled": true,
"alarm_actions": [],
"alarm_description": "Root access is detected from cloudtrail",
"alarm_name": "cis11-rootaccess-alarm",
"arn": "arn:aws:cloudwatch:ap-northeast-1:573340405480:alarm:cis11-rootaccess-alarm",
"comparison_operator": "GreaterThanOrEqualToThreshold",
"datapoints_to_alarm": 0,
"dimensions": {},
"evaluate_low_sample_count_percentiles": "",
"evaluation_periods": 1,
"extended_statistic": "",
"id": "cis11-rootaccess-alarm",
"insufficient_data_actions": [],
"metric_name": "cis11-rootaccess-metric",
"metric_query": [],
"namespace": "LogMetrics",
"ok_actions": [],
"period": 300,
"statistic": "Average",
"tags": {},
"threshold": 1,
"threshold_metric_id": "",
"treat_missing_data": "notBreaching",
"unit": ""
},
"sensitive_attributes": [],
"private": "eyJzY2hlbWFfdmVyc2lvbiI6IjEifQ=="
}
]
},
{
"module": "module.cloudtrail-cwl",
"mode": "managed",
"type": "aws_iam_role",
"name": "iam_cloudtrial_cloudwatch_role",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"arn": "arn:aws:iam::573340405480:role/lab-apne1-racken-cleanslate-cwl-role",
"assume_role_policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"cloudtrail.amazonaws.com\"},\"Action\":\"sts:AssumeRole\"}]}",
"create_date": "2021-01-28T01:08:17Z",
"description": "Enables AWS CloudTrail to deliver log to CloudWatch log",
"force_detach_policies": false,
"id": "lab-apne1-racken-cleanslate-cwl-role",
"max_session_duration": 3600,
"name": "lab-apne1-racken-cleanslate-cwl-role",
"name_prefix": null,
"path": "/",
"permissions_boundary": null,
"tags": {
"Application": "infra",
"BuildDate": "20210128",
"CreatedBy": "racker-ken2-eade1d93",
"Environment": "lab",
"Project": "cleanslate",
"ServiceProvider": "RackspaceTechnology",
"TerraformDir": "aws-baseline-infra/layers/security_identity_compliance/cloudtrail_cloudwatchlogs",
"TerraformMode": "managed"
},
"unique_id": "AROAYK7OAJ3ULYJS5RX3N"
},
"sensitive_attributes": [],
"private": "bnVsbA==",
"dependencies": [
"data.aws_caller_identity.this",
"module.cloudtrail-cwl.data.aws_iam_policy_document.ct-role-assumerole-policy"
]
}
]
},
{
"module": "module.cloudtrail-cwl",
"mode": "managed",
"type": "aws_iam_role_policy",
"name": "iam_cloudtrial_cloudwatach_role_policy",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"id": "lab-apne1-racken-cleanslate-cwl-role:lab-apne1-racken-cleanslate-cwl-role-policy",
"name": "lab-apne1-racken-cleanslate-cwl-role-policy",
"name_prefix": null,
"policy": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": \"logs:CreateLogStream\",\n \"Resource\": \"arn:aws:logs:ap-northeast-1:573340405480:log-group:lab-apne1-racken-cleanslate-cwl-001:log-stream:*\"\n },\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": \"logs:PutLogEvents\",\n \"Resource\": \"arn:aws:logs:ap-northeast-1:573340405480:log-group:lab-apne1-racken-cleanslate-cwl-001:log-stream:*\"\n }\n ]\n}",
"role": "lab-apne1-racken-cleanslate-cwl-role"
},
"sensitive_attributes": [],
"private": "bnVsbA==",
"dependencies": [
"data.aws_caller_identity.this",
"module.cloudtrail-cwl.aws_cloudwatch_log_group.ct-cwl",
"module.cloudtrail-cwl.aws_iam_role.iam_cloudtrial_cloudwatch_role",
"module.cloudtrail-cwl.aws_kms_key.ctbucket-key",
"module.cloudtrail-cwl.data.aws_caller_identity.this",
"module.cloudtrail-cwl.data.aws_iam_policy_document.ct-role-assumerole-policy",
"module.cloudtrail-cwl.data.aws_iam_policy_document.ct-role-pdoc",
"module.cloudtrail-cwl.data.aws_iam_policy_document.key-policy"
]
}
]
},
{
"module": "module.cloudtrail-cwl",
"mode": "managed",
"type": "aws_kms_alias",
"name": "ctbucket-key-aliaas",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"arn": "arn:aws:kms:ap-northeast-1:573340405480:alias/lab-apne1-racken-cleanslate-ctkey-alias",
"id": "alias/lab-apne1-racken-cleanslate-ctkey-alias",
"name": "alias/lab-apne1-racken-cleanslate-ctkey-alias",
"name_prefix": null,
"target_key_arn": "arn:aws:kms:ap-northeast-1:573340405480:key/1f740a00-6039-4914-91b5-e2f5ba475f5f",
"target_key_id": "1f740a00-6039-4914-91b5-e2f5ba475f5f"
},
"sensitive_attributes": [],
"private": "bnVsbA==",
"dependencies": [
"data.aws_caller_identity.this",
"module.cloudtrail-cwl.aws_kms_key.ctbucket-key",
"module.cloudtrail-cwl.data.aws_caller_identity.this",
"module.cloudtrail-cwl.data.aws_iam_policy_document.key-policy"
]
}
]
},
{ {
"module": "module.cloudtrail-cwl", "module": "module.cloudtrail-cwl",
"mode": "managed", "mode": "managed",
@ -186,27 +608,34 @@
{ {
"schema_version": 0, "schema_version": 0,
"attributes": { "attributes": {
"arn": "arn:aws:kms:ap-northeast-1:573340405480:key/ba826c02-4153-4056-ad75-2614912c6274", "arn": "arn:aws:kms:ap-northeast-1:573340405480:key/1f740a00-6039-4914-91b5-e2f5ba475f5f",
"customer_master_key_spec": "SYMMETRIC_DEFAULT", "customer_master_key_spec": "SYMMETRIC_DEFAULT",
"deletion_window_in_days": 7, "deletion_window_in_days": 7,
"description": "", "description": "",
"enable_key_rotation": false, "enable_key_rotation": false,
"id": "ba826c02-4153-4056-ad75-2614912c6274", "id": "1f740a00-6039-4914-91b5-e2f5ba475f5f",
"is_enabled": true, "is_enabled": true,
"key_id": "ba826c02-4153-4056-ad75-2614912c6274", "key_id": "1f740a00-6039-4914-91b5-e2f5ba475f5f",
"key_usage": "ENCRYPT_DECRYPT", "key_usage": "ENCRYPT_DECRYPT",
"policy": "{\"Statement\":[{\"Action\":[\"kms:ReEncrypt*\",\"kms:GenerateDataKey*\",\"kms:Encrypt\",\"kms:DescribeKey\",\"kms:Decrypt\"],\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"eks-nodegroup.amazonaws.com\",\"delivery.logs.amazonaws.com\",\"eks.amazonaws.com\",\"events.amazonaws.com\",\"autoscaling.amazonaws.com\",\"logs.amazonaws.com\",\"sqs.amazonaws.com\",\"backup.amazonaws.com\",\"guardduty.amazonaws.com\",\"cloudtrail.amazonaws.com\",\"lambda.amazonaws.com\",\"cloudwatch.amazonaws.com\",\"sns.amazonaws.com\",\"s3.amazonaws.com\"]},\"Resource\":\"*\",\"Sid\":\"Key usage by aws services\"},{\"Action\":\"kms:*\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::573340405480:root\"},\"Resource\":\"*\",\"Sid\":\"Key administrator\"}],\"Version\":\"2012-10-17\"}", "policy": "{\"Statement\":[{\"Action\":[\"kms:ReEncrypt*\",\"kms:GenerateDataKey*\",\"kms:Encrypt\",\"kms:DescribeKey\",\"kms:Decrypt\"],\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"logs.amazonaws.com\",\"lambda.amazonaws.com\",\"eks.amazonaws.com\",\"cloudtrail.amazonaws.com\",\"s3.amazonaws.com\",\"backup.amazonaws.com\",\"guardduty.amazonaws.com\",\"events.amazonaws.com\",\"autoscaling.amazonaws.com\",\"sqs.amazonaws.com\",\"delivery.logs.amazonaws.com\",\"sns.amazonaws.com\",\"eks-nodegroup.amazonaws.com\",\"cloudwatch.amazonaws.com\"]},\"Resource\":\"*\",\"Sid\":\"Key usage by aws services\"},{\"Action\":\"kms:*\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::573340405480:root\"},\"Resource\":\"*\",\"Sid\":\"Key administrator\"}],\"Version\":\"2012-10-17\"}",
"tags": { "tags": {
"Application": "infra", "Application": "infra",
"BuildDate": "20210126", "BuildDate": "20210128",
"CreatedBy": "racker-ken2-eade1d93",
"Environment": "lab", "Environment": "lab",
"Project": "lime", "Project": "cleanslate",
"ServiceProvider": "Rackspace", "ServiceProvider": "RackspaceTechnology",
"TerraformDir": "aws-baseline-infra/layers/security_identity_compliance/cloudtrail_cloudwatchlogs",
"TerraformMode": "managed" "TerraformMode": "managed"
} }
}, },
"sensitive_attributes": [], "sensitive_attributes": [],
"private": "bnVsbA==" "private": "bnVsbA==",
"dependencies": [
"data.aws_caller_identity.this",
"module.cloudtrail-cwl.data.aws_caller_identity.this",
"module.cloudtrail-cwl.data.aws_iam_policy_document.key-policy"
]
} }
] ]
}, },
@ -222,20 +651,20 @@
"attributes": { "attributes": {
"acceleration_status": "", "acceleration_status": "",
"acl": "private", "acl": "private",
"arn": "arn:aws:s3:::lab-apne1-kf-lime-ctbucket-573340405480", "arn": "arn:aws:s3:::lab-apne1-racken-cleanslate-ctbucket-573340405480",
"bucket": "lab-apne1-kf-lime-ctbucket-573340405480", "bucket": "lab-apne1-racken-cleanslate-ctbucket-573340405480",
"bucket_domain_name": "lab-apne1-kf-lime-ctbucket-573340405480.s3.amazonaws.com", "bucket_domain_name": "lab-apne1-racken-cleanslate-ctbucket-573340405480.s3.amazonaws.com",
"bucket_prefix": null, "bucket_prefix": null,
"bucket_regional_domain_name": "lab-apne1-kf-lime-ctbucket-573340405480.s3.ap-northeast-1.amazonaws.com", "bucket_regional_domain_name": "lab-apne1-racken-cleanslate-ctbucket-573340405480.s3.ap-northeast-1.amazonaws.com",
"cors_rule": [], "cors_rule": [],
"force_destroy": false, "force_destroy": false,
"grant": [], "grant": [],
"hosted_zone_id": "Z2M4EHUR26P7ZW", "hosted_zone_id": "Z2M4EHUR26P7ZW",
"id": "lab-apne1-kf-lime-ctbucket-573340405480", "id": "lab-apne1-racken-cleanslate-ctbucket-573340405480",
"lifecycle_rule": [ "lifecycle_rule": [
{ {
"abort_incomplete_multipart_upload_days": 0, "abort_incomplete_multipart_upload_days": 0,
"enabled": false, "enabled": true,
"expiration": [ "expiration": [
{ {
"date": "", "date": "",
@ -243,7 +672,7 @@
"expired_object_delete_marker": false "expired_object_delete_marker": false
} }
], ],
"id": "tf-s3-lifecycle-20210126114512193400000001", "id": "lab-apne1-racken-cleanslate-ctbucket-lifecycle-rule",
"noncurrent_version_expiration": [], "noncurrent_version_expiration": [],
"noncurrent_version_transition": [], "noncurrent_version_transition": [],
"prefix": "", "prefix": "",
@ -259,7 +688,7 @@
], ],
"logging": [], "logging": [],
"object_lock_configuration": [], "object_lock_configuration": [],
"policy": "{\"Statement\":[{\"Action\":\"s3:GetBucketAcl\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"cloudtrail.amazonaws.com\"},\"Resource\":\"arn:aws:s3:::lab-apne1-kf-lime-ctbucket-573340405480\",\"Sid\":\"AWSCloudTrailAclCheck\"},{\"Action\":\"s3:PutObject\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"config.amazonaws.com\",\"cloudtrail.amazonaws.com\"]},\"Resource\":\"arn:aws:s3:::lab-apne1-kf-lime-ctbucket-573340405480/*\",\"Sid\":\"AWSCloudTrailWrite\"}],\"Version\":\"2012-10-17\"}", "policy": "{\"Statement\":[{\"Action\":\"s3:GetBucketAcl\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"cloudtrail.amazonaws.com\"},\"Resource\":\"arn:aws:s3:::lab-apne1-racken-cleanslate-ctbucket-573340405480\",\"Sid\":\"AWSCloudTrailAclCheck\"},{\"Action\":\"s3:PutObject\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cloudtrail.amazonaws.com\",\"config.amazonaws.com\"]},\"Resource\":\"arn:aws:s3:::lab-apne1-racken-cleanslate-ctbucket-573340405480/*\",\"Sid\":\"AWSCloudTrailWrite\"},{\"Action\":\"s3:Get*\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::573340405480:root\"},\"Resource\":[\"arn:aws:s3:::lab-apne1-racken-cleanslate-ctbucket-573340405480/*\",\"arn:aws:s3:::lab-apne1-racken-cleanslate-ctbucket-573340405480\"],\"Sid\":\"ReadAccessForAccountOwner\"}],\"Version\":\"2012-10-17\"}",
"region": "ap-northeast-1", "region": "ap-northeast-1",
"replication_configuration": [], "replication_configuration": [],
"request_payer": "BucketOwner", "request_payer": "BucketOwner",
@ -269,7 +698,7 @@
{ {
"apply_server_side_encryption_by_default": [ "apply_server_side_encryption_by_default": [
{ {
"kms_master_key_id": "arn:aws:kms:ap-northeast-1:573340405480:key/ba826c02-4153-4056-ad75-2614912c6274", "kms_master_key_id": "arn:aws:kms:ap-northeast-1:573340405480:key/1f740a00-6039-4914-91b5-e2f5ba475f5f",
"sse_algorithm": "aws:kms" "sse_algorithm": "aws:kms"
} }
] ]
@ -279,10 +708,12 @@
], ],
"tags": { "tags": {
"Application": "infra", "Application": "infra",
"BuildDate": "20210126", "BuildDate": "20210128",
"CreatedBy": "racker-ken2-eade1d93",
"Environment": "lab", "Environment": "lab",
"Project": "lime", "Project": "cleanslate",
"ServiceProvider": "Rackspace", "ServiceProvider": "RackspaceTechnology",
"TerraformDir": "aws-baseline-infra/layers/security_identity_compliance/cloudtrail_cloudwatchlogs",
"TerraformMode": "managed" "TerraformMode": "managed"
}, },
"versioning": [ "versioning": [
@ -295,7 +726,76 @@
"website_domain": null, "website_domain": null,
"website_endpoint": null "website_endpoint": null
}, },
"sensitive_attributes": [] "sensitive_attributes": [],
"private": "bnVsbA==",
"dependencies": [
"data.aws_caller_identity.this",
"module.cloudtrail-cwl.aws_kms_key.ctbucket-key",
"module.cloudtrail-cwl.data.aws_caller_identity.this",
"module.cloudtrail-cwl.data.aws_iam_policy_document.cloudtrail_bucket_policy",
"module.cloudtrail-cwl.data.aws_iam_policy_document.key-policy"
]
}
]
},
{
"module": "module.cloudtrail-cwl",
"mode": "managed",
"type": "aws_s3_bucket_ownership_controls",
"name": "ctbucket-ownership-setting",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"bucket": "lab-apne1-racken-cleanslate-ctbucket-573340405480",
"id": "lab-apne1-racken-cleanslate-ctbucket-573340405480",
"rule": [
{
"object_ownership": "BucketOwnerPreferred"
}
]
},
"sensitive_attributes": [],
"private": "bnVsbA==",
"dependencies": [
"data.aws_caller_identity.this",
"module.cloudtrail-cwl.aws_kms_key.ctbucket-key",
"module.cloudtrail-cwl.aws_s3_bucket.ct-bucket",
"module.cloudtrail-cwl.data.aws_caller_identity.this",
"module.cloudtrail-cwl.data.aws_iam_policy_document.cloudtrail_bucket_policy",
"module.cloudtrail-cwl.data.aws_iam_policy_document.key-policy"
]
}
]
},
{
"module": "module.cloudtrail-cwl",
"mode": "managed",
"type": "aws_s3_bucket_public_access_block",
"name": "s3-public-access-settings",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"block_public_acls": true,
"block_public_policy": true,
"bucket": "lab-apne1-racken-cleanslate-ctbucket-573340405480",
"id": "lab-apne1-racken-cleanslate-ctbucket-573340405480",
"ignore_public_acls": true,
"restrict_public_buckets": true
},
"sensitive_attributes": [],
"private": "bnVsbA==",
"dependencies": [
"data.aws_caller_identity.this",
"module.cloudtrail-cwl.aws_kms_key.ctbucket-key",
"module.cloudtrail-cwl.aws_s3_bucket.ct-bucket",
"module.cloudtrail-cwl.data.aws_caller_identity.this",
"module.cloudtrail-cwl.data.aws_iam_policy_document.cloudtrail_bucket_policy",
"module.cloudtrail-cwl.data.aws_iam_policy_document.key-policy"
]
} }
] ]
} }

40
modules/security_identity_compliance/cloudtrail_cwlogs/ct-s3-bucket.tf
View File

@ -27,22 +27,43 @@ data "aws_iam_policy_document" "cloudtrail_bucket_policy" {
} }
actions = [ actions = [
"s3:PutObject", "s3:PutObject"
] ]
resources = [ resources = [
"arn:aws:s3:::${local.ct-bucket-name}/*", "arn:aws:s3:::${local.ct-bucket-name}/*"
] ]
} }
statement {
sid = "ReadAccessForAccountOwner"
principals {
type = "AWS"
identifiers = [data.aws_caller_identity.this.account_id]
}
actions = [
"s3:Get*"
]
resources = [
"arn:aws:s3:::${local.ct-bucket-name}",
"arn:aws:s3:::${local.ct-bucket-name}/*"
]
}
} }
resource "aws_s3_bucket" "ct-bucket" { resource "aws_s3_bucket" "ct-bucket" {
bucket = local.ct-bucket-name bucket = local.ct-bucket-name
policy = join("", data.aws_iam_policy_document.cloudtrail_bucket_policy.*.json) policy = data.aws_iam_policy_document.cloudtrail_bucket_policy.json
versioning { versioning {
enabled = false enabled = false
} }
server_side_encryption_configuration { server_side_encryption_configuration {
rule { rule {
apply_server_side_encryption_by_default { apply_server_side_encryption_by_default {
@ -54,11 +75,14 @@ resource "aws_s3_bucket" "ct-bucket" {
tags = var.default-tags tags = var.default-tags
lifecycle_rule { lifecycle_rule {
enabled = false id = "${local.resource-prefix}-ctbucket-lifecycle-rule"
enabled = true
transition { transition {
days = 30 days = 30
storage_class = "INTELLIGENT_TIERING" storage_class = "INTELLIGENT_TIERING"
} }
expiration { expiration {
days = var.cloudtrail-retain-days days = var.cloudtrail-retain-days
} }
@ -73,4 +97,12 @@ resource "aws_s3_bucket_public_access_block" "s3-public-access-settings" {
block_public_policy = true block_public_policy = true
ignore_public_acls = true ignore_public_acls = true
restrict_public_buckets = true restrict_public_buckets = true
}
resource "aws_s3_bucket_ownership_controls" "ctbucket-ownership-setting" {
bucket = aws_s3_bucket.ct-bucket.id
rule {
object_ownership = "BucketOwnerPreferred"
}
} }