
Initial #1

Merged
merged 2 commits into from
Jun 19, 2020
10 changes: 5 additions & 5 deletions README.md
Expand Up @@ -4,20 +4,20 @@ Module for creating Title 26 Compliant S3 Buckets

# Requirements

1. Encryption enforcement on the Bucket Policy 
1. Only Cloud Administrators have bucket delete permissions
1. Permissions tightly controlled with Bucket Policy and IAM role/policy for users, instances, and other services
1. Dedicated KMS CMK key 
1. Encryption enforcement on the Bucket Policy 
1. Dedicated KMS Customer Master Key (CMK) created per S3 bucket
1. MFA enforced API calls – required for all data migrations (Cloud and Data Admins)
1. Object Level Logging enabled with 7 year retention on CloudWatch Log Group
1. Backup logs to BCC (How often?)
* Backup logs to BCC (How often?)
1. Server Access Logging enabled with 7 year retention on CloudWatch Log Group
1. Backup logs to BCC (How often?)
* Backup logs to BCC (How often?)
1. Versioning enabled
1. Monthly Security Audit reviews
* By customer?
* By CSvD Security?
1. IP Address Restriction policy enforced
1. Not publically accessible
1. Customer signature for key deletion(s) during decommissioning(s) and maximum wait period
1. Delete CMK key for Data Sanitization.
1. Delete CMK for Data Sanitization
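Review bot: "Encryption enforcement on the Bucket Policy" appears at two positions in this hunk (the first item and again just before the CMK line), so please confirm the final list keeps exactly one copy rather than a moved line plus a leftover. The items that still carry open questions ("Backup logs to BCC (How often?)", "By customer?", "By CSvD Security?") have no owner or cadence; either answer them here or move them to a tracking issue so the README reads as a requirement set and not a draft. Rewording "Dedicated KMS CMK key" to "Dedicated KMS Customer Master Key (CMK) created per S3 bucket" matches the one-key-per-bucket intent of `kms_key_id` in variables.tf, which is good.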
44 changes: 44 additions & 0 deletions main.tf
@@ -0,0 +1,44 @@
#---
# s3 bucket
#---
resource "aws_s3_bucket" "this" {
bucket = var.bucket_name
acl = "private"

server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
kms_master_key_id = var.kms_key_id
sse_algorithm = "aws:kms"
}
}
}

versioning {
enabled = true
}

lifecycle {
prevent_destroy = true
}

tags = merge(
var.tags,
local.enforced_tags,
map( "Name", var.bucket_name)
)

provisioner "local-exec" {
when = create
command = "sleep 120"
}
}

resource "aws_s3_bucket_object" "this_objects" {
bucket = aws_s3_bucket.this.id
count = length(var.bucket_folders)
key = format("%s/",element(var.bucket_folders,count.index))
source = "/dev/null"

depends_on [aws_s3_bucket.this]
}
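Review bot: `depends_on [aws_s3_bucket.this]` in `aws_s3_bucket_object.this_objects` is not valid HCL (the meta-argument needs an `=`, i.e. `depends_on = [aws_s3_bucket.this]`), so `terraform validate` will reject this file; the line can simply be dropped, because `bucket = aws_s3_bucket.this.id` already gives Terraform the ordering. Measured against the README requirement list in this same PR, the resource covers default SSE-KMS, versioning and `prevent_destroy` but nothing else: there is no `aws_s3_bucket_public_access_block`, no bucket policy denying unencrypted uploads or restricting source IPs, and no `logging {}` block for server access logs, so either add those resources here or state in the PR that they follow separately. Smaller points: `map("Name", var.bucket_name)` is deprecated in favour of the object literal `{ "Name" = var.bucket_name }` in `merge(...)`; `when = create` is the provisioner default and the `sleep 120` workaround deserves a comment saying what it is waiting for, since a bare two-minute sleep on every apply will puzzle the next maintainer.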
16 changes: 16 additions & 0 deletions variables.tf
@@ -0,0 +1,16 @@
variable "bucket_name" {
description = "AWS Bucket Name"
type = string
}

variable "bucket_folders" {
description = "List of folders (keys) to create after creation of bucket"
type = list(string)
default = [ ]
}

variable "kms_key_id" {
description = "AWS KMS Key ID (one per bucket)"
type = string
default = ""
}
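Review bot: `kms_key_id` has `default = ""`, so callers can omit the key entirely; with `sse_algorithm = "aws:kms"` in main.tf that leaves the bucket without the dedicated CMK the README requires ("Dedicated KMS Customer Master Key (CMK) created per S3 bucket"), because S3 falls back to the AWS-managed `aws/s3` key when no key id is supplied. Remove the default so the variable is required, or add a `validation` block that rejects an empty string. The description "(one per bucket)" is the right intent; the variable just needs to enforce it.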