GSA / grace-logging


Make object level logging an option #34

Open rjlupinek opened 4 years ago

rjlupinek commented 4 years ago

We are failing some non-CIS checks when running Prowler against a dev environment where object level logging is not enabled in CloudTrail.

Warning: There is some complexity (a chicken-vs-egg type scenario) around this issue, as it needs to be either enabled for all buckets or specified individually within the aws_cloudtrail resource. The complexity comes from the fact that the buckets need the access log bucket, part of this module, to exist, as it is part of their configuration.

One option would be to use a dynamic block for the event_selector and treat that section as conditional by setting the value of a new variable enable_object_logging to an empty list or a list containing a single value, based on that same variable's string value. Kind of like the old count conditional, but within a section of the resource vs the entire thing.

variables.tf append

# Terraform 0.12+ (which the dynamic block below requires) needs the variable label quoted
variable "enable_object_logging" {
  description = "Enable object level logging on all buckets logging to CloudTrail. Set to true to enable or false to disable"
  default     = "true"
}

cloudtrail.tf edit

# Setup CloudTrail
resource "aws_cloudtrail" "cloudtrail" {
  name                          = var.cloudtrail_name
  s3_bucket_name                = aws_s3_bucket.logging.bucket
  s3_key_prefix                 = var.cloudtrail_bucket_prefix
  include_global_service_events = var.cloudtrail_include_global_service_events
  is_multi_region_trail         = var.cloudtrail_multi_region
  enable_log_file_validation    = var.cloudtrail_enable_log_validation
  kms_key_id                    = aws_kms_key.cloudtrail.arn
  cloud_watch_logs_group_arn    = aws_cloudwatch_log_group.cloudtrail.arn
  cloud_watch_logs_role_arn     = aws_iam_role.cloudtrail.arn

  dynamic "event_selector" {
    for_each = var.enable_object_logging == "true" ? ["true"] : []
    content {
      read_write_type           = "All"
      include_management_events = true
      data_resource {
        type   = "AWS::S3::Object"
        values = ["arn:aws:s3:::"]
      }
    }
  }

  depends_on = [aws_s3_bucket_policy.logging]
}

Note:

The only section of the code above that was tested was the dynamic block for the event selector, in a separate test module. The logic works, but needs to be run through dev.

My apologies for the wordy / needy issue.

briankfitzwater commented 4 years ago

Wouldn't this create a feedback loop in the logs, since they are being sent to an S3 bucket?

rjlupinek commented 4 years ago

You are right! I don't know where my wires were crossed.

From what I read, CloudTrail drops a single tar file onto the S3 bucket in that 5 minute (give or take) interval. If you guys are ok with that I can of course help test. It would be an additional entry every 5 minutes-ish.

NOTE: I edited the original issue. I had specified that other buckets downstream from this module need the CloudTrail S3 bucket when they need the access log bucket. My bad.
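Added example, not code from this issue or from the grace-logging module: one way to keep object-level logging on while avoiding the feedback loop raised in the thread is to use advanced_event_selector, whose resources.ARN field supports a not_starts_with match, so every S3 object in the account is logged except objects in the trail's own delivery bucket. It assumes an aws provider version that supports advanced_event_selector (added in the 3.x series) and reuses the variable and resource names from the issue.

```hcl
# Setup CloudTrail with S3 object-level logging that excludes the trail's own log bucket
resource "aws_cloudtrail" "cloudtrail" {
  name                       = var.cloudtrail_name
  s3_bucket_name             = aws_s3_bucket.logging.bucket
  s3_key_prefix              = var.cloudtrail_bucket_prefix
  is_multi_region_trail      = var.cloudtrail_multi_region
  enable_log_file_validation = var.cloudtrail_enable_log_validation
  kms_key_id                 = aws_kms_key.cloudtrail.arn
  cloud_watch_logs_group_arn = aws_cloudwatch_log_group.cloudtrail.arn
  cloud_watch_logs_role_arn  = aws_iam_role.cloudtrail.arn

  # advanced_event_selector replaces event_selector (the two cannot be combined),
  # so management events need their own selector to keep being recorded.
  advanced_event_selector {
    name = "Log all management events"
    field_selector {
      field  = "eventCategory"
      equals = ["Management"]
    }
  }

  # Data events for every S3 object in the account, except objects under the
  # bucket CloudTrail delivers to, so each log delivery is not itself logged.
  # Same string-valued toggle as the issue's enable_object_logging variable.
  dynamic "advanced_event_selector" {
    for_each = var.enable_object_logging == "true" ? ["true"] : []
    content {
      name = "Log S3 object events, excluding the CloudTrail log bucket"
      field_selector {
        field  = "eventCategory"
        equals = ["Data"]
      }
      field_selector {
        field  = "resources.type"
        equals = ["AWS::S3::Object"]
      }
      field_selector {
        field           = "resources.ARN"
        not_starts_with = ["arn:aws:s3:::${aws_s3_bucket.logging.bucket}/"]
      }
    }
  }

  depends_on = [aws_s3_bucket_policy.logging]
}
```

Management events still flow through the first selector when the toggle is off, and S3 data events are billed per event, so the exclusion also removes the recurring cost of logging the trail's own deliveries.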