# s3_bucket_2023 module

This module creates an S3 bucket following the new Terraform standards. If the lifecycle policy is enabled, provide the expiration days. Transition days are hard-coded with the Intelligent-Tiering storage class to simplify administration.

## Example

```hcl
module "bucket1" {
  source             = "../../../../whk1-bea-sys-ss-prd-codecommit-sharedmodules/Storage/s3_bucket_2023"
  bucket_name        = var.bucket_name1
  bucket_policy_json = jsonencode(
    {
      "Version" : "2012-10-17",
      "Id" : "",
      "Statement" : [
        {
          "Sid" : "Set permissions for objects",
          "Effect" : "Allow",
          "Principal" : { "AWS" : "851239346925" },
          "Action" : ["s3:ReplicateObject", "s3:ReplicateDelete"],
          "Resource" : "arn:aws:s3:::${var.bucket_name1}/*"
        }
      ]
    }
  )
  enable_encryption                  = true
  encryption_key_arn                 = var.encryption_key_arn
  enable_versioning                  = false
  enable_bucket_logging              = false
  enable_bucket_lifecycle            = true
  current_version_expiration_days    = 731
  noncurrent_version_expiration_days = 731
}
```

## Note on bucket replication

To securely replicate a bucket to a bucket in another AWS account, a KMS key is required. Note that S3 replication requires versioning to be enabled on both the source and the destination bucket, so the `enable_versioning = false` setting in the example above must be changed if that bucket takes part in replication. The steps to set up replication are:

1. Create a replication IAM role in the source account, with an assume-role (trust) policy that trusts the S3 service:

```json
{
  "Effect": "Allow",
  "Principal": {
    "Service": "s3.amazonaws.com"
  },
  "Action": "sts:AssumeRole"
}
```

The role also needs the permissions granted in the role's IAM policy.
For example:

```json
{
  "Statement": [
    {
      "Action": [
        "s3:ListBucket",
        "s3:GetReplicationConfiguration"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::whk1-bea-icc-mbk-prd-vpc01-flowlog-s3-accept",
      "Sid": ""
    },
    {
      "Action": [
        "s3:GetObjectVersionTagging",
        "s3:GetObjectVersionForReplication",
        "s3:GetObjectVersionAcl"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::whk1-bea-icc-mbk-prd-vpc01-flowlog-s3-accept/*",
      "Sid": ""
    },
    {
      "Action": [
        "s3:ReplicateTags",
        "s3:ReplicateObject",
        "s3:ReplicateDelete",
        "s3:ObjectOwnerOverrideToBucketOwner"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::whk1-bea-icc-log-mbk-prd-vpc01-flowlog-s3-accept/*",
      "Sid": ""
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": [
        "arn:aws:kms:ap-east-1:851239346925:key/708b6ece-05f5-40ed-a91c-dbcf2af46407"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:GenerateDataKey",
        "kms:Encrypt"
      ],
      "Resource": [
        "arn:aws:kms:ap-east-1:894849410890:key/b555d9d6-d451-4ec8-8ca2-cb6849cadee4"
      ]
    }
  ],
  "Version": "2012-10-17"
}
```

If an S3 Bucket Key is used, the following additional permissions also need to be granted. The bucket name, account ID and key ID left blank in the ARNs below must be filled in; the `kms:ViaService` and `kms:EncryptionContext:aws:s3:arn` conditions restrict the grant to key use by S3 on that bucket.

```json
{
  "Action": [
    "kms:Decrypt"
  ],
  "Effect": "Allow",
  "Condition": {
    "StringLike": {
      "kms:ViaService": "s3.ap-east-1.amazonaws.com",
      "kms:EncryptionContext:aws:s3:arn": [
        "arn:aws:s3:::/*"
      ]
    }
  },
  "Resource": [
    "arn:aws:kms:ap-east-1::key/"
  ]
},
{
  "Action": [
    "kms:Encrypt"
  ],
  "Effect": "Allow",
  "Condition": {
    "StringLike": {
      "kms:ViaService": "s3.ap-east-1.amazonaws.com",
      "kms:EncryptionContext:aws:s3:arn": [
        "arn:aws:s3:::/*"
      ]
    }
  },
  "Resource": [
    "arn:aws:kms:ap-east-1::key/"
  ]
}
```

2. In the destination account, grant access in the KMS key policy. The blank `arn:aws:iam:::root` principals below must be completed with the relevant account IDs:

```json
{
  "Version": "2012-10-17",
  "Id": "key-consolepolicy-3",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam:::root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam:::root",
          "arn:aws:iam:::root"
        ]
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam:::root",
          "arn:aws:iam:::root"
        ]
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    },
    {
      "Sid": "Allow AWS Service to use the key",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "s3.amazonaws.com",
          "delivery.logs.amazonaws.com",
          "cloudtrail.amazonaws.com"
        ]
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    }
  ]
}
```

3. Edit the destination bucket policy. Fill in the blank principal ARNs with the account that owns the replication role and the blank resource ARNs with the destination bucket name:

```json
{
  "Version": "2012-10-17",
  "Id": "",
  "Statement": [
    {
      "Sid": "Set permissions for objects",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam:::root"
      },
      "Action": [
        "s3:ReplicateDelete",
        "s3:ReplicateObject",
        "s3:ReplicateTags",
        "s3:ObjectOwnerOverrideToBucketOwner"
      ],
      "Resource": "arn:aws:s3:::/*"
    },
    {
      "Sid": "Set permissions on bucket",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam:::root"
      },
      "Action": [
        "s3:List*",
        "s3:GetBucketVersioning",
        "s3:PutBucketVersioning"
      ],
      "Resource": "arn:aws:s3:::"
    }
  ]
}
```