From 9b384d1a9fc1ae6172162cfb801eff26f10080b9 Mon Sep 17 00:00:00 2001 From: badra001 Date: Tue, 1 Nov 2022 07:57:53 -0400 Subject: [PATCH] change encryption to sse-s3 --- s3-flow-logs/README.md | 1 + s3-flow-logs/kms.tf.off | 19 +++++++++++++++++++ s3-flow-logs/main.tf | 14 +++++++++----- s3-flow-logs/policy_data.tf | 24 +++++++++++++++++++++++- s3-flow-logs/variables.tf | 6 ++++++ 5 files changed, 58 insertions(+), 6 deletions(-) create mode 100644 s3-flow-logs/kms.tf.off diff --git a/s3-flow-logs/README.md b/s3-flow-logs/README.md index f30f5c7..e5be2eb 100644 --- a/s3-flow-logs/README.md +++ b/s3-flow-logs/README.md @@ -81,6 +81,7 @@ No modules. | [component\_tags](#input\_component\_tags) | Additional tags for Components (s3, kms, ddb) | `map(map(string))` |
{
"ddb": {},
"kms": {},
"s3": {}
}
| no | | [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no | | [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no | +| [versioning\_configuration](#input\_versioning\_configuration) | S3 Versioning Configuration (Enabled, Disabled, Suspended). To disable, use Suspended if existing bucket and Disabled if new | `string` | `"Disabled"` | no | ## Outputs diff --git a/s3-flow-logs/kms.tf.off b/s3-flow-logs/kms.tf.off new file mode 100644 index 0000000..90bbbd3 --- /dev/null +++ b/s3-flow-logs/kms.tf.off @@ -0,0 +1,19 @@ +resource "aws_kms_key" "key" { + description = "KMS CMK for flowlogs" + enable_key_rotation = true + policy = data.aws_iam_policy_document.key_policy_combined.json + + tags = merge( + local.base_tags, + var.tags, + { + "boc:aws:region" = local.region + Name = local.name + }, + ) +} + +resource "aws_kms_alias" "key" { + name = "alias/${local.kms_key_name}" + target_key_id = aws_kms_key.key.key_id +} diff --git a/s3-flow-logs/main.tf b/s3-flow-logs/main.tf index 6d13251..214a19e 100644 --- a/s3-flow-logs/main.tf +++ b/s3-flow-logs/main.tf 
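Review bot: kms.tf.off is dead configuration from Terraform's point of view, since only `*.tf` files are loaded, yet it still references `data.aws_iam_policy_document.key_policy_combined` and `local.kms_key_name`, neither of which appears anywhere in this patch, so renaming it back to `.tf` may not plan cleanly without them. If the intent is to keep a CMK path available for a later return from SSE-S3, say so at the top of the file, e.g. `# Disabled (.off): kept for a possible return to SSE-KMS; key_policy_combined and local.kms_key_name must exist before re-enabling`. Otherwise dropping the file is cleaner, as git history already preserves it.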
@@ -42,10 +42,11 @@ locals { account_id = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id - flowlogs_region = data.aws_region.current.name + regions = [for r in tolist(data.aws_regions.current.names) : r if startswith(r, "us-")] + region = data.aws_region.current.name account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew" - bucket_name = var.bucket_name != "" ? var.bucket_name : format("%v-%v-%v", var.bucket_name_prefix, local.account_id, local.flowlogs_region) + bucket_name = var.bucket_name != "" ? var.bucket_name : format("%v-%v-%v", var.bucket_name_prefix, local.account_id, local.region) base_tags = { "Organization" = "census:aditcio:csvd" @@ -112,7 +113,7 @@ resource "null_resource" "policy_delay" { resource "aws_s3_bucket_ownership_controls" "flowlogs" { bucket = aws_s3_bucket.flowlogs.id rule { - object_ownership = "BucketOwnerEnforced" + object_ownership = "BucketOwnerPreferred" } } @@ -127,19 +128,22 @@ resource "aws_s3_bucket_acl" "flowlogs" { ## target_prefix = format("%s/%s/", var.access_log_bucket_prefix, local.bucket_name) ## } +# see docs: https://aws.amazon.com/premiumsupport/knowledge-center/s3-server-access-log-not-delivered/ resource "aws_s3_bucket_server_side_encryption_configuration" "flowlogs" { bucket = aws_s3_bucket.flowlogs.id rule { apply_server_side_encryption_by_default { - sse_algorithm = "aws:kms" + # sse_algorithm = "aws:kms" + sse_algorithm = "AES256" } + bucket_key_enabled = true } } resource "aws_s3_bucket_versioning" "flowlogs" { bucket = aws_s3_bucket.flowlogs.id versioning_configuration { - status = "Disabled" + status = var.versioning_configuration } } diff --git a/s3-flow-logs/policy_data.tf b/s3-flow-logs/policy_data.tf index c28561d..ff34faf 100644 --- a/s3-flow-logs/policy_data.tf +++ b/s3-flow-logs/policy_data.tf 
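Review bot: `local.regions` is introduced in the locals block, but its only other uses in this patch are the commented-out `values = [for r in local.regions : …]` lines in policy_data.tf, so it is an unused value that still costs a `data.aws_regions` lookup (that data source is not declared in this patch and must exist elsewhere for this to plan). `startswith()` is also a Terraform 1.3 built-in, so the module's `required_version` should reflect that if it does not already. Either wire the list into the SourceArn conditions or drop it together with the commented references; if it stays, a note such as `# regions: candidate SourceArn list for multi-region delivery, not yet enabled` would explain why it exists.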
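Review bot: Relaxing `object_ownership` from `BucketOwnerEnforced` to `BucketOwnerPreferred` re-enables ACLs on the flow-log bucket, a posture change unrelated to the subject line (encryption) that nothing in the hunk explains. Presumably it is needed for the `aws_s3_bucket_acl` resource visible in the next hunk's header, since ACL writes are rejected while ACLs are disabled, but that should be stated in place: `# BucketOwnerPreferred: ACLs stay enabled for aws_s3_bucket_acl.flowlogs; delivery objects are still taken over by the bucket owner via the bucket-owner-full-control condition`. If the ACL resource is no longer required, reverting to `BucketOwnerEnforced` is the tighter setting.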
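Review bot: `bucket_key_enabled = true` is added alongside the switch to `AES256`, but S3 Bucket Keys apply only to SSE-KMS, so with SSE-S3 the setting has no effect and reads as if KMS were still in use; drop it, or move it next to the commented `aws:kms` line. The commented `# sse_algorithm = "aws:kms"` is currently the only trace of why the CMK was dropped, and the linked page concerns server access log delivery while the access-logging block just above remains commented out, so the motivation is only implied. A short comment stating the actual reason, e.g. `# SSE-S3 instead of the CMK because <reason>; reads are now gated by bucket policy and IAM only, not by a key policy`, would make the trade-off explicit for the next reader.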
@@ -7,12 +7,23 @@ data "aws_iam_policy_document" "flowlogs_s3" { type = "Service" identifiers = ["delivery.logs.amazonaws.com"] } - resources = ["${aws_s3_bucket.flowlogs.arn}/*"] + resources = [format("%v/*", aws_s3_bucket.flowlogs.arn)] condition { test = "StringEquals" variable = "s3:x-amz-acl" values = ["bucket-owner-full-control"] } + condition { + test = "StringEquals" + variable = "aws:SourceAccount" + values = [local.account_id] + } + condition { + test = "ArnLike" + variable = "aws:SourceArn" + # values = [for r in local.regions : format("arn:%v:logs:%v:%v:*", data.aws_arn.current.partition, r, local.account_id)] + values = [format("arn:%v:logs:%v:%v:*", data.aws_arn.current.partition, local.region, local.account_id)] + } } statement { sid = "AWSLogDeliveryAclCheck" @@ -23,5 +34,16 @@ data "aws_iam_policy_document" "flowlogs_s3" { identifiers = ["delivery.logs.amazonaws.com"] } resources = [aws_s3_bucket.flowlogs.arn] + condition { + test = "StringEquals" + variable = "aws:SourceAccount" + values = [local.account_id] + } + condition { + test = "ArnLike" + variable = "aws:SourceArn" + # values = [for r in local.regions : format("arn:%v:logs:%v:%v:*", data.aws_arn.current.partition, r, local.account_id)] + values = [format("arn:%v:logs:%v:%v:*", data.aws_arn.current.partition, local.region, local.account_id)] + } } } diff --git a/s3-flow-logs/variables.tf b/s3-flow-logs/variables.tf index e27308d..c694051 100644 --- a/s3-flow-logs/variables.tf +++ b/s3-flow-logs/variables.tf @@ -18,3 +18,9 @@ variable "component_tags" { type = map(map(string)) default = { "s3" = {}, "kms" = {}, "ddb" = {} } } + +variable "versioning_configuration" { + description = "S3 Versioning Configuration (Enabled, Disabled, Suspended). To disable, use Suspended if existing bucket and Disabled if new" + type = string + default = "Disabled" +}
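Review bot: The new `aws:SourceArn` condition pins delivery to `local.region` only, so flow logs from any other region pointed at this bucket will no longer match this statement or the AclCheck statement in the second hunk of this file, which carries the same condition. The commented `for r in local.regions` alternative suggests multi-region delivery was considered; if it is required, use that list in both places, otherwise delete the commented line in both so the single-region restriction reads as deliberate. The two condition blocks are identical across the statements, and a one-line comment above each, `# Confused-deputy guard: only this account's log-delivery service in this region may write`, would document the intent.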
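Review bot: `versioning_configuration` flows straight into the `status` argument of `aws_s3_bucket_versioning`, but the variable accepts any string, so a typo such as `enabled` is only caught once the provider validates the resource rather than at the variable boundary with a message naming the input. Since the description already enumerates the three allowed values, a validation block makes that contract enforceable at plan time.
```hcl
variable "versioning_configuration" {
  # … unchanged: description, type, default …
  validation {
    condition     = contains(["Enabled", "Disabled", "Suspended"], var.versioning_configuration)
    error_message = "versioning_configuration must be one of Enabled, Disabled or Suspended."
  }
}
```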