commit d8b939092833dadaef4879d41768bb014120e44f
Author: xpk
Date: Tue Jan 26 21:40:02 2021 +0800
NEW: cloudtrail and cwl
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..9fc8ee3
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,5 @@
+*.tfstate.backup
+*.tfstate.lock
+.terraform/
+.DS_Store
+*.iml
diff --git a/.idea/.gitignore b/.idea/.gitignore
new file mode 100644
index 0000000..26d3352
--- /dev/null
+++ b/.idea/.gitignore
@@ -0,0 +1,3 @@
+# Default ignored files
+/shelf/
+/workspace.xml
diff --git a/layers/security_identity_compliance/cloudtrail_cloudwatchlogs/main.tf b/layers/security_identity_compliance/cloudtrail_cloudwatchlogs/main.tf
new file mode 100644
index 0000000..e8c6004
--- /dev/null
+++ b/layers/security_identity_compliance/cloudtrail_cloudwatchlogs/main.tf
@@ -0,0 +1,11 @@
+data aws_caller_identity this {}
+
+module cloudtrail-cwl {
+ source = "../../../modules/security_identity_compliance/cloudtrail_cwlogs"
+ application = var.application
+ environment = var.environment
+ customer-name = var.customer-name
+ project = var.project
+ aws-region-short = var.aws-region-short
+ default-tags = local.default-tags
+}
\ No newline at end of file
diff --git a/layers/security_identity_compliance/cloudtrail_cloudwatchlogs/provider.tf b/layers/security_identity_compliance/cloudtrail_cloudwatchlogs/provider.tf
new file mode 100644
index 0000000..3907b85
--- /dev/null
+++ b/layers/security_identity_compliance/cloudtrail_cloudwatchlogs/provider.tf
@@ -0,0 +1,12 @@
+provider "aws" {
+ region = var.aws-region
+}
+
+terraform {
+ required_version = "> 0.12, < 0.13"
+ required_providers {
+ aws = "~> 3.6.0"
+ }
+}
+
+data "aws_availability_zones" "current" {}
\ No newline at end of file
diff --git a/layers/security_identity_compliance/cloudtrail_cloudwatchlogs/terraform.tfstate b/layers/security_identity_compliance/cloudtrail_cloudwatchlogs/terraform.tfstate
new file mode 100644
index 0000000..66a98ff
--- /dev/null
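Review bot: `*.tfstate` itself is not in the list — only `*.tfstate.backup` and `*.tfstate.lock` are — and this same commit adds `layers/security_identity_compliance/cloudtrail_cloudwatchlogs/terraform.tfstate` to the repository. State files hold every attribute Terraform reads, so they routinely contain material that does not belong in version control; the committed one already exposes the account ID, the assumed-role ARN and caller `user_id`, and the KMS key ID, and state from a module that handles secrets would expose those too. Add `*.tfstate` and `*.tfstate.*` to the list, remove the committed state from the tree, and keep state in a remote backend with locking rather than in the working copy.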
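Review bot: The block labels are unquoted (`data aws_caller_identity this {}`, `module cloudtrail-cwl {`) while every block in provider.tf in this same commit quotes its labels; Terraform documentation writes labels as quoted strings, and one layer should use one form. Change the two headers to `data "aws_caller_identity" "this" {}` and `module "cloudtrail-cwl" {`.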
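Review bot: The `terraform` block declares no `backend`, so state for this layer is local — which is exactly how `terraform.tfstate` came to be added in the same commit. Add a remote backend (an S3 bucket with a DynamoDB lock table is the usual choice for an AWS layer) so state is never a checked-in file. `data "aws_availability_zones" "current" {}` is not referenced by any other file in this layer within the diff and looks like a leftover; drop it unless a file outside this commit uses it.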
+++ b/layers/security_identity_compliance/cloudtrail_cloudwatchlogs/terraform.tfstate 
@@ -0,0 +1,298 @@ +{ + "version": 4, + "terraform_version": "0.12.29", + "serial": 85, + "lineage": "26e4bec8-8ad6-a262-52c6-fbcad6b7a499", + "outputs": {}, + "resources": [ + { + "module": "module.cloudtrail-cwl", + "mode": "data", + "type": "aws_caller_identity", + "name": "this", + "provider": "provider.aws", + "instances": [ + { + "schema_version": 0, + "attributes": { + "account_id": "573340405480", + "arn": "arn:aws:sts::573340405480:assumed-role/Rackspace/racker-ken2-eade1d93", + "id": "2021-01-26 13:37:52.170204471 +0000 UTC", + "user_id": "AROAYK7OAJ3UH36WGNMWD:racker-ken2-eade1d93" + } + } + ] + }, + { + "module": "module.cloudtrail-cwl", + "mode": "data", + "type": "aws_iam_policy_document", + "name": "cloudtrail_bucket_policy", + "provider": "provider.aws", + "instances": [ + { + "schema_version": 0, + "attributes": { + "id": "995859125", + "json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"AWSCloudTrailAclCheck\",\n \"Effect\": \"Allow\",\n \"Action\": \"s3:GetBucketAcl\",\n \"Resource\": \"arn:aws:s3:::lab-apne1-kf-lime-ctbucket-573340405480\",\n \"Principal\": {\n \"Service\": \"cloudtrail.amazonaws.com\"\n }\n },\n {\n \"Sid\": \"AWSCloudTrailWrite\",\n \"Effect\": \"Allow\",\n \"Action\": \"s3:PutObject\",\n \"Resource\": \"arn:aws:s3:::lab-apne1-kf-lime-ctbucket-573340405480/*\",\n \"Principal\": {\n \"Service\": [\n \"config.amazonaws.com\",\n \"cloudtrail.amazonaws.com\"\n ]\n }\n }\n ]\n}", + "override_json": null, + "policy_id": null, + "source_json": null, + "statement": [ + { + "actions": [ + "s3:GetBucketAcl" + ], + "condition": [], + "effect": "Allow", + "not_actions": [], + "not_principals": [], + "not_resources": [], + "principals": [ + { + "identifiers": [ + "cloudtrail.amazonaws.com" + ], + "type": "Service" + } + ], + "resources": [ + "arn:aws:s3:::lab-apne1-kf-lime-ctbucket-573340405480" + ], + "sid": "AWSCloudTrailAclCheck" + }, + { + "actions": [ + "s3:PutObject" + ], + "condition": [], + "effect": 
"Allow", + "not_actions": [], + "not_principals": [], + "not_resources": [], + "principals": [ + { + "identifiers": [ + "cloudtrail.amazonaws.com", + "config.amazonaws.com" + ], + "type": "Service" + } + ], + "resources": [ + "arn:aws:s3:::lab-apne1-kf-lime-ctbucket-573340405480/*" + ], + "sid": "AWSCloudTrailWrite" + } + ], + "version": "2012-10-17" + } + } + ] + }, + { + "module": "module.cloudtrail-cwl", + "mode": "data", + "type": "aws_iam_policy_document", + "name": "key-policy", + "provider": "provider.aws", + "instances": [ + { + "schema_version": 0, + "attributes": { + "id": "3662241047", + "json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"Key usage by aws services\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"kms:ReEncrypt*\",\n \"kms:GenerateDataKey*\",\n \"kms:Encrypt\",\n \"kms:DescribeKey\",\n \"kms:Decrypt\"\n ],\n \"Resource\": \"*\",\n \"Principal\": {\n \"Service\": [\n \"sqs.amazonaws.com\",\n \"sns.amazonaws.com\",\n \"s3.amazonaws.com\",\n \"logs.amazonaws.com\",\n \"lambda.amazonaws.com\",\n \"guardduty.amazonaws.com\",\n \"events.amazonaws.com\",\n \"eks.amazonaws.com\",\n \"eks-nodegroup.amazonaws.com\",\n \"delivery.logs.amazonaws.com\",\n \"cloudwatch.amazonaws.com\",\n \"cloudtrail.amazonaws.com\",\n \"backup.amazonaws.com\",\n \"autoscaling.amazonaws.com\"\n ]\n }\n },\n {\n \"Sid\": \"Key administrator\",\n \"Effect\": \"Allow\",\n \"Action\": \"kms:*\",\n \"Resource\": \"*\",\n \"Principal\": {\n \"AWS\": \"573340405480\"\n }\n }\n ]\n}", + "override_json": null, + "policy_id": null, + "source_json": null, + "statement": [ + { + "actions": [ + "kms:Decrypt", + "kms:DescribeKey", + "kms:Encrypt", + "kms:GenerateDataKey*", + "kms:ReEncrypt*" + ], + "condition": [], + "effect": "Allow", + "not_actions": [], + "not_principals": [], + "not_resources": [], + "principals": [ + { + "identifiers": [ + "autoscaling.amazonaws.com", + "backup.amazonaws.com", + "cloudtrail.amazonaws.com", + "cloudwatch.amazonaws.com", + 
"delivery.logs.amazonaws.com", + "eks-nodegroup.amazonaws.com", + "eks.amazonaws.com", + "events.amazonaws.com", + "guardduty.amazonaws.com", + "lambda.amazonaws.com", + "logs.amazonaws.com", + "s3.amazonaws.com", + "sns.amazonaws.com", + "sqs.amazonaws.com" + ], + "type": "Service" + } + ], + "resources": [ + "*" + ], + "sid": "Key usage by aws services" + }, + { + "actions": [ + "kms:*" + ], + "condition": [], + "effect": "Allow", + "not_actions": [], + "not_principals": [], + "not_resources": [], + "principals": [ + { + "identifiers": [ + "573340405480" + ], + "type": "AWS" + } + ], + "resources": [ + "*" + ], + "sid": "Key administrator" + } + ], + "version": "2012-10-17" + } + } + ] + }, + { + "module": "module.cloudtrail-cwl", + "mode": "managed", + "type": "aws_kms_key", + "name": "ctbucket-key", + "provider": "provider.aws", + "instances": [ + { + "schema_version": 0, + "attributes": { + "arn": "arn:aws:kms:ap-northeast-1:573340405480:key/ba826c02-4153-4056-ad75-2614912c6274", + "customer_master_key_spec": "SYMMETRIC_DEFAULT", + "deletion_window_in_days": 7, + "description": "", + "enable_key_rotation": false, + "id": "ba826c02-4153-4056-ad75-2614912c6274", + "is_enabled": true, + "key_id": "ba826c02-4153-4056-ad75-2614912c6274", + "key_usage": "ENCRYPT_DECRYPT", + "policy": "{\"Statement\":[{\"Action\":[\"kms:ReEncrypt*\",\"kms:GenerateDataKey*\",\"kms:Encrypt\",\"kms:DescribeKey\",\"kms:Decrypt\"],\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"eks-nodegroup.amazonaws.com\",\"delivery.logs.amazonaws.com\",\"eks.amazonaws.com\",\"events.amazonaws.com\",\"autoscaling.amazonaws.com\",\"logs.amazonaws.com\",\"sqs.amazonaws.com\",\"backup.amazonaws.com\",\"guardduty.amazonaws.com\",\"cloudtrail.amazonaws.com\",\"lambda.amazonaws.com\",\"cloudwatch.amazonaws.com\",\"sns.amazonaws.com\",\"s3.amazonaws.com\"]},\"Resource\":\"*\",\"Sid\":\"Key usage by aws 
services\"},{\"Action\":\"kms:*\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::573340405480:root\"},\"Resource\":\"*\",\"Sid\":\"Key administrator\"}],\"Version\":\"2012-10-17\"}", + "tags": { + "Application": "infra", + "BuildDate": "20210126", + "Environment": "lab", + "Project": "lime", + "ServiceProvider": "Rackspace", + "TerraformMode": "managed" + } + }, + "private": "bnVsbA==" + } + ] + }, + { + "module": "module.cloudtrail-cwl", + "mode": "managed", + "type": "aws_s3_bucket", + "name": "ct-bucket", + "provider": "provider.aws", + "instances": [ + { + "schema_version": 0, + "attributes": { + "acceleration_status": "", + "acl": "private", + "arn": "arn:aws:s3:::lab-apne1-kf-lime-ctbucket-573340405480", + "bucket": "lab-apne1-kf-lime-ctbucket-573340405480", + "bucket_domain_name": "lab-apne1-kf-lime-ctbucket-573340405480.s3.amazonaws.com", + "bucket_prefix": null, + "bucket_regional_domain_name": "lab-apne1-kf-lime-ctbucket-573340405480.s3.ap-northeast-1.amazonaws.com", + "cors_rule": [], + "force_destroy": false, + "grant": [], + "hosted_zone_id": "Z2M4EHUR26P7ZW", + "id": "lab-apne1-kf-lime-ctbucket-573340405480", + "lifecycle_rule": [ + { + "abort_incomplete_multipart_upload_days": 0, + "enabled": false, + "expiration": [ + { + "date": "", + "days": 90, + "expired_object_delete_marker": false + } + ], + "id": "tf-s3-lifecycle-20210126114512193400000001", + "noncurrent_version_expiration": [], + "noncurrent_version_transition": [], + "prefix": "", + "tags": {}, + "transition": [ + { + "date": "", + "days": 30, + "storage_class": "INTELLIGENT_TIERING" + } + ] + } + ], + "logging": [], + "object_lock_configuration": [], + "policy": 
"{\"Statement\":[{\"Action\":\"s3:GetBucketAcl\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"cloudtrail.amazonaws.com\"},\"Resource\":\"arn:aws:s3:::lab-apne1-kf-lime-ctbucket-573340405480\",\"Sid\":\"AWSCloudTrailAclCheck\"},{\"Action\":\"s3:PutObject\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"config.amazonaws.com\",\"cloudtrail.amazonaws.com\"]},\"Resource\":\"arn:aws:s3:::lab-apne1-kf-lime-ctbucket-573340405480/*\",\"Sid\":\"AWSCloudTrailWrite\"}],\"Version\":\"2012-10-17\"}", + "region": "ap-northeast-1", + "replication_configuration": [], + "request_payer": "BucketOwner", + "server_side_encryption_configuration": [ + { + "rule": [ + { + "apply_server_side_encryption_by_default": [ + { + "kms_master_key_id": "arn:aws:kms:ap-northeast-1:573340405480:key/ba826c02-4153-4056-ad75-2614912c6274", + "sse_algorithm": "aws:kms" + } + ] + } + ] + } + ], + "tags": { + "Application": "infra", + "BuildDate": "20210126", + "Environment": "lab", + "Project": "lime", + "ServiceProvider": "Rackspace", + "TerraformMode": "managed" + }, + "versioning": [ + { + "enabled": false, + "mfa_delete": false + } + ], + "website": [], + "website_domain": null, + "website_endpoint": null + } + } + ] + } + ] +} diff --git a/layers/security_identity_compliance/cloudtrail_cloudwatchlogs/terraform.tfvars b/layers/security_identity_compliance/cloudtrail_cloudwatchlogs/terraform.tfvars new file mode 100644 index 0000000..4335dc9 --- /dev/null +++ b/layers/security_identity_compliance/cloudtrail_cloudwatchlogs/terraform.tfvars @@ -0,0 +1,6 @@ +aws-region = "ap-northeast-1" +aws-region-short = "apne1" +customer-name = "kf" +environment = "lab" +project = "lime" +application = "infra" \ No newline at end of file diff --git a/layers/security_identity_compliance/cloudtrail_cloudwatchlogs/variables.tf b/layers/security_identity_compliance/cloudtrail_cloudwatchlogs/variables.tf new file mode 100644 index 0000000..a521e9f --- /dev/null 
+++ b/layers/security_identity_compliance/cloudtrail_cloudwatchlogs/variables.tf
@@ -0,0 +1,20 @@
+variable "aws-region" {}
+variable "aws-region-short" {}
+variable "customer-name" {}
+variable "environment" {}
+variable "project" {}
+variable "application" {}
+
+locals {
+ default-tags = {
+ ServiceProvider = "Rackspace"
+ Environment = var.environment
+ Project = var.project
+ Application = var.application
+ TerraformMode = "managed"
+ BuildDate = formatdate("YYYYMMDD", timestamp())
+ }
+ ct-bucket-name = "${var.environment}-${var.aws-region-short}-${var.customer-name}-${var.project}-ctbucket-${data.aws_caller_identity.this.account_id}"
+ resource-prefix = "${var.environment}-${var.aws-region-short}-${var.customer-name}-${var.project}"
+}
+
diff --git a/modules/global-variables/README.md b/modules/global-variables/README.md
new file mode 100644
index 0000000..5b36d91
--- /dev/null
+++ b/modules/global-variables/README.md
@@ -0,0 +1,27 @@
+# global-variables module
+This module provides global variables that can be used in all layers
+
+
+## Basic Usage
+Variables are stored in a map in outputs.tf
+
+```hcl
+module "global-variables" {
+ source = "../../../../../../../../../terraform_modules_shared/global-variables"
+}
+
+// then retrieve global variable from the module. for example:
+sys-sec-account = module.global-variables.vars.prod.sys-sec-acc
+```
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| vars | map of variables |
+
diff --git a/modules/global-variables/outputs.tf b/modules/global-variables/outputs.tf
new file mode 100644
index 0000000..053f9f5
--- /dev/null
+++ b/modules/global-variables/outputs.tf
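Review bot: `BuildDate = formatdate("YYYYMMDD", timestamp())` is re-evaluated on every plan, so `default-tags` changes each day and every tagged resource in the module (trail, bucket, KMS key, log group, IAM role) shows a perpetual in-place tag update; the committed state already pins `"BuildDate": "20210126"`. Take the value from a variable the pipeline sets, or drop the tag, or have the module's resources ignore it with `lifecycle { ignore_changes = [tags] }`. The six `variable` blocks have no `type` or `description`; add `type = string` and a one-line `description` to each so the layer documents its inputs. `ct-bucket-name` and `resource-prefix` are declared here but never passed to the `cloudtrail-cwl` module call in main.tf, which receives only the six inputs and `default-tags`; unless another file in this layer reads them they are dead code duplicating what the module derives for itself.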
@@ -0,0 +1,18 @@
+output vars {
+ value = {
+ "prod" = {
+ sys-log-acc = "174677273835"
+ sys-ss-acc = "827262612707"
+ stm-acc = "205233139210"
+ sys-sec-acc = "033205333431"
+ mp-acc = "616302076454"
+ }
+ "plike" = {
+ sys-log-acc = "870377016556"
+ sys-ss-acc = "022321612404"
+ stm-acc = "313794563353"
+ sys-sec-acc = "240016403383"
+ mp-acc = "684740086263"
+ }
+ }
+}
\ No newline at end of file
diff --git a/modules/security_identity_compliance/cloudtrail_cwlogs/cloudtrail.tf b/modules/security_identity_compliance/cloudtrail_cwlogs/cloudtrail.tf
new file mode 100644
index 0000000..049ef54
--- /dev/null
+++ b/modules/security_identity_compliance/cloudtrail_cwlogs/cloudtrail.tf
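Review bot: The `vars` output has no `description`, and its map mixes quoted keys (`"prod"`, `"plike"`) with bare ones (`sys-log-acc`); use one form throughout. Keeping the account IDs as strings is required — `"033205333431"` would lose its leading zero as a number — so a one-line comment guards against a later clean-up: `# account IDs stay strings so leading zeros (033205333431) survive`.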
@@ -0,0 +1,80 @@
+resource "aws_iam_role" "iam_cloudtrial_cloudwatch_role" {
+ name = "${local.resource-prefix}-cwl-role"
+ assume_role_policy = data.aws_iam_policy_document.ct-role-assumerole-policy.json
+ description = "Enables AWS CloudTrail to deliver log to CloudWatch log"
+ tags = var.default-tags
+}
+
+resource "aws_iam_role_policy" "iam_cloudtrial_cloudwatach_role_policy" {
+ name = "${local.resource-prefix}-cwl-role-policy"
+ role = aws_iam_role.iam_cloudtrial_cloudwatch_role.id
+ policy = data.aws_iam_policy_document.ct-role-pdoc.json
+}
+
+data "aws_iam_policy_document" "ct-role-assumerole-policy" {
+ statement {
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+
+ principals {
+ type = "Service"
+ identifiers = ["cloudtrail.amazonaws.com"]
+ }
+ }
+}
+
+data "aws_iam_policy_document" "ct-role-pdoc" {
+ statement {
+ effect = "Allow"
+ actions = ["logs:CreateLogStream"]
+
+ resources = [
+ "${aws_cloudwatch_log_group.ct-cwl.arn}:log-stream:*",
+ ]
+ }
+
+ statement {
+ effect = "Allow"
+ actions = ["logs:PutLogEvents"]
+
+ resources = [
+ "${aws_cloudwatch_log_group.ct-cwl.arn}:log-stream:*",
+ ]
+ }
+}
+
+
+
+resource "aws_cloudtrail" "default" {
+ name = "${local.resource-prefix}-trail-001"
+ enable_logging = true
+ s3_bucket_name = local.ct-bucket-name
+ enable_log_file_validation = true
+ is_multi_region_trail = true
+ include_global_service_events = true
+ cloud_watch_logs_role_arn = aws_iam_role.iam_cloudtrial_cloudwatch_role.arn
+ cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.ct-cwl.arn}:*"
+ tags = var.default-tags
+ kms_key_id = aws_kms_key.ctbucket-key.arn
+ is_organization_trail = false
+
+ event_selector {
+ read_write_type = "All"
+ include_management_events = true
+
+ data_resource {
+ type = "AWS::S3::Object"
+ values = ["arn:aws:s3:::"]
+ }
+
+ data_resource {
+ type = "AWS::Lambda::Function"
+ values = ["arn:aws:lambda"]
+ }
+ }
+
+ #insight_selector {
+ # insight_type = "ApiCallRateInsight"
+ #}
+}
+
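Review bot: The `event_selector` enables data events for every S3 object (`arn:aws:s3:::`) and every Lambda function (`arn:aws:lambda`) with `read_write_type = "All"` on a multi-region trail, which is the most voluminous and costly trail configuration, and via `cloud_watch_logs_group_arn` all of it lands in the CloudWatch log group as well. If that is deliberate, record it with `# deliberately logs all S3 object and Lambda data events in every region`; otherwise narrow `values` to the buckets and functions that need it or drop the `data_resource` blocks. The trust policy in `ct-role-assumerole-policy` lets `cloudtrail.amazonaws.com` assume the role with no `aws:SourceArn`/`aws:SourceAccount` condition; consider a `condition` block restricting it to this account's trail ARN. Also, `iam_cloudtrial_cloudwatch_role` and `iam_cloudtrial_cloudwatach_role_policy` are misspelled (`cloudtrial`, `cloudwatach`), and renaming a resource later means a destroy/create or `terraform state mv`, so fix it before this is applied anywhere else.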
diff --git a/modules/security_identity_compliance/cloudtrail_cwlogs/ct-key.tf b/modules/security_identity_compliance/cloudtrail_cwlogs/ct-key.tf
new file mode 100644
index 0000000..305eb40
--- /dev/null
+++ b/modules/security_identity_compliance/cloudtrail_cwlogs/ct-key.tf
@@ -0,0 +1,68 @@
+resource "aws_kms_key" "ctbucket-key" {
+ deletion_window_in_days = 7
+ tags = var.default-tags
+ policy = data.aws_iam_policy_document.key-policy.json
+}
+
+resource "aws_kms_alias" ctbucket-key-aliaas {
+ name = "alias/${local.resource-prefix}-ctkey-alias"
+ target_key_id = aws_kms_key.ctbucket-key.key_id
+}
+
+# https://gist.github.com/shortjared/4c1e3fe52bdfa47522cfe5b41e5d6f22
+data "aws_iam_policy_document" "key-policy" {
+ statement {
+ sid = "Key usage by aws services"
+ principals {
+ identifiers = [
+ "autoscaling.amazonaws.com",
+ "cloudtrail.amazonaws.com",
+ "eks.amazonaws.com",
+ "eks-nodegroup.amazonaws.com",
+ "guardduty.amazonaws.com",
+ "delivery.logs.amazonaws.com",
+ "sns.amazonaws.com",
+ "sqs.amazonaws.com",
+ "lambda.amazonaws.com",
+ "backup.amazonaws.com",
+ "events.amazonaws.com",
+ "cloudwatch.amazonaws.com",
+ "s3.amazonaws.com",
+ "logs.amazonaws.com"
+ ]
+ type = "Service"
+ }
+
+ actions = [
+ "kms:Encrypt",
+ "kms:Decrypt",
+ "kms:ReEncrypt*",
+ "kms:GenerateDataKey*",
+ "kms:DescribeKey"
+ ]
+
+ resources = [
+ "*"
+ ]
+
+ effect = "Allow"
+ }
+
+ statement {
+ sid = "Key administrator"
+ actions = [
+ "kms:*"
+ ]
+
+ resources = [
+ "*"
+ ]
+
+ principals {
+ type = "AWS"
+ identifiers = [data.aws_caller_identity.this.account_id]
+ }
+
+ effect = "Allow"
+ }
+}
diff --git a/modules/security_identity_compliance/cloudtrail_cwlogs/ct-s3-bucket.tf b/modules/security_identity_compliance/cloudtrail_cwlogs/ct-s3-bucket.tf
new file mode 100644
index 0000000..41820ff
--- /dev/null
+++ b/modules/security_identity_compliance/cloudtrail_cwlogs/ct-s3-bucket.tf
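Review bot: `aws_kms_key.ctbucket-key` sets no `enable_key_rotation`, so it defaults to off — the committed state confirms `"enable_key_rotation": false` — and the key has no `description` either; the CIS Foundations benchmark expects rotation on customer-managed keys. The "Key usage by aws services" statement then grants encrypt/decrypt on `*` to fourteen service principals (SQS, SNS, EKS, GuardDuty, Backup, Lambda, …) with no `condition`, although this module only needs CloudTrail and CloudWatch Logs to use the key, so any of those services in the account can encrypt and decrypt with it. Split the statement so `cloudtrail.amazonaws.com` is limited by `kms:EncryptionContext:aws:cloudtrail:arn` and `logs.amazonaws.com` by `kms:EncryptionContext:aws:logs:arn`, as in the AWS key-policy examples for the two services, and add the rotation flag as below; any other writer that really relies on this key (Config, if it delivers to the bucket) gets its own scoped statement. `ctbucket-key-aliaas` is a typo (`aliaas`) and is unquoted where the other labels are quoted.
```hcl
resource "aws_kms_key" "ctbucket-key" {
  description             = "CloudTrail trail, log group and bucket encryption key"
  deletion_window_in_days = 7
  enable_key_rotation     = true
  tags                    = var.default-tags
  policy                  = data.aws_iam_policy_document.key-policy.json
}

# … unchanged: aws_kms_alias …

data "aws_iam_policy_document" "key-policy" {
  statement {
    sid    = "Allow CloudTrail to encrypt logs"
    effect = "Allow"
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
    actions   = ["kms:GenerateDataKey*", "kms:DescribeKey"]
    resources = ["*"]
    condition {
      test     = "StringLike"
      variable = "kms:EncryptionContext:aws:cloudtrail:arn"
      values   = ["arn:aws:cloudtrail:*:${data.aws_caller_identity.this.account_id}:trail/*"]
    }
  }

  statement {
    sid    = "Allow CloudWatch Logs to use the key"
    effect = "Allow"
    principals {
      type        = "Service"
      identifiers = ["logs.amazonaws.com"]
    }
    actions   = ["kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Describe*"]
    resources = ["*"]
    condition {
      test     = "ArnLike"
      variable = "kms:EncryptionContext:aws:logs:arn"
      values   = ["arn:aws:logs:*:${data.aws_caller_identity.this.account_id}:*"]
    }
  }

  # … unchanged: "Key administrator" statement …
}
```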
@@ -0,0 +1,76 @@
+
+
+data "aws_iam_policy_document" "cloudtrail_bucket_policy" {
+ statement {
+ sid = "AWSCloudTrailAclCheck"
+
+ principals {
+ type = "Service"
+ identifiers = ["cloudtrail.amazonaws.com"]
+ }
+
+ actions = [
+ "s3:GetBucketAcl",
+ ]
+
+ resources = [
+ "arn:aws:s3:::${local.ct-bucket-name}",
+ ]
+ }
+
+ statement {
+ sid = "AWSCloudTrailWrite"
+
+ principals {
+ type = "Service"
+ identifiers = ["config.amazonaws.com", "cloudtrail.amazonaws.com"]
+ }
+
+ actions = [
+ "s3:PutObject",
+ ]
+
+ resources = [
+ "arn:aws:s3:::${local.ct-bucket-name}/*",
+ ]
+ }
+}
+
+
+resource "aws_s3_bucket" "ct-bucket" {
+ bucket = local.ct-bucket-name
+ policy = join("", data.aws_iam_policy_document.cloudtrail_bucket_policy.*.json)
+ versioning {
+ enabled = false
+ }
+ server_side_encryption_configuration {
+ rule {
+ apply_server_side_encryption_by_default {
+ kms_master_key_id = aws_kms_key.ctbucket-key.arn
+ sse_algorithm = "aws:kms"
+ }
+ }
+ }
+ tags = var.default-tags
+
+ lifecycle_rule {
+ enabled = false
+ transition {
+ days = 30
+ storage_class = "INTELLIGENT_TIERING"
+ }
+ expiration {
+ days = 90
+ }
+ }
+}
+
+
+resource "aws_s3_bucket_public_access_block" "s3-public-access-settings" {
+ bucket = aws_s3_bucket.ct-bucket.id
+
+ block_public_acls = true
+ block_public_policy = true
+ ignore_public_acls = true
+ restrict_public_buckets = true
+}
\ No newline at end of file
diff --git a/modules/security_identity_compliance/cloudtrail_cwlogs/cw-loggroup.tf b/modules/security_identity_compliance/cloudtrail_cwlogs/cw-loggroup.tf
new file mode 100644
index 0000000..f8a6764
--- /dev/null
+++ b/modules/security_identity_compliance/cloudtrail_cwlogs/cw-loggroup.tf
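Review bot: `lifecycle_rule { enabled = false … }` makes the 30-day transition and 90-day expiration inert (the committed state shows `"enabled": false` on the rule), so either enable it or remove it rather than leaving a rule that reads like a retention policy but does nothing. For a CloudTrail bucket, `versioning { enabled = false }` and the absence of a `logging` block are the larger gaps: log-file validation is on, but nothing stops a principal with `s3:DeleteObject` from removing evidence, and the CIS Foundations benchmark expects access logging on the trail bucket. The `AWSCloudTrailWrite` statement grants `config.amazonaws.com` as well as CloudTrail `s3:PutObject` on the whole bucket with no `condition`; AWS's recommended CloudTrail bucket policy constrains the write to `s3:x-amz-acl = bucket-owner-full-control` and to the trail's ARN via `aws:SourceArn`, and Config only belongs here if a delivery channel really targets this bucket. `join("", data.aws_iam_policy_document.cloudtrail_bucket_policy.*.json)` is a splat over a single data source; `data.aws_iam_policy_document.cloudtrail_bucket_policy.json` says the same thing.
```hcl
  statement {
    sid = "AWSCloudTrailWrite"

    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }

    actions   = ["s3:PutObject"]
    resources = ["arn:aws:s3:::${local.ct-bucket-name}/*"]

    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }

    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = ["arn:aws:cloudtrail:*:${data.aws_caller_identity.this.account_id}:trail/*"]
    }
  }

# … unchanged: AWSCloudTrailAclCheck statement, aws_s3_bucket attributes other than versioning/lifecycle, public access block …

  versioning {
    enabled = true
  }
```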
@@ -0,0 +1,35 @@
+resource "aws_cloudwatch_log_group" "ct-cwl" {
+ name = "${local.resource-prefix}-cwl-001"
+ retention_in_days = 90
+ kms_key_id = aws_kms_key.ctbucket-key.arn
+ tags = var.default-tags
+}
+
+resource "aws_cloudwatch_log_metric_filter" "cwl-metric-filter-cis11" {
+ name = "cis11-rootaccess-filter"
+ pattern = <