Open rjlupinek opened 4 years ago
Wouldn't this create a feedback loop in the logs, since they are being sent to an S3 bucket?
You are right! I don't know where my wires were crossed.
From what I read, CloudTrail drops a single tar file onto the S3 bucket in that 5 minute (give or take) interval. If you guys are ok with that I can of course help test. It would be an additional entry every 5 minutes-ish.
NOTE: I edited the original issue. I had specified that other buckets downstream from this module need the CloudTrail S3 bucket when they need the access log bucket. My bad.
We are failing some non-CIS checks when running Prowler against a dev environment where object-level logging is not enabled in CloudTrail.
Warning: There is some complexity (a chicken-vs-egg type scenario) around this issue, as it needs to be either enabled for all buckets or specified individually within the aws_cloudtrail resource. The complexity comes from the fact that the buckets need the access log bucket, part of this module, to exist, as it is part of their configuration.
One option would be to use a dynamic block for the event_selector and treat that section as conditional by setting the value of a new variable enable_object_logging to an empty list or a list containing a single value based on that same variable's string value. Kinda like the old count conditional but within a section of the resource vs the entire thing.
variables.tf append
cloudtrail.tf edit
Note: The only section of code tested above was the dynamic block for the event selector in a separate test module. The logic works, but needs to be run through dev.
My apologies for the wordy / needy issue.
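A sketch of the dynamic event_selector approach described in the issue, as an added example rather than the module's own variables.tf or cloudtrail.tf. The bool variable type, the variable object_logging_bucket_arns, the trail name and the aws_s3_bucket.cloudtrail reference are assumptions.

```hcl
# Assumed: a bool toggle instead of the string value mentioned in the issue.
variable "enable_object_logging" {
  description = "When true, add an event_selector that records S3 object-level (data) events."
  type        = bool
  default     = false
}

# Assumed helper variable. ["arn:aws:s3"] means every bucket in the account,
# which (as the thread notes) includes the trail's own bucket and so produces
# one extra data event per CloudTrail delivery, roughly every 5 minutes.
variable "object_logging_bucket_arns" {
  description = "Bucket ARNs whose object-level events are logged."
  type        = list(string)
  default     = ["arn:aws:s3"]
}

resource "aws_cloudtrail" "this" {
  name           = "example-trail"                 # assumed name
  s3_bucket_name = aws_s3_bucket.cloudtrail.id     # assumed bucket resource

  # for_each over a one-element list emits the block once; over an empty list
  # it is omitted entirely, the dynamic-block equivalent of the old count trick.
  dynamic "event_selector" {
    for_each = var.enable_object_logging ? [1] : []
    content {
      read_write_type           = "All"
      include_management_events = true

      data_resource {
        type   = "AWS::S3::Object"
        values = var.object_logging_bucket_arns
      }
    }
  }
}
```

With enable_object_logging = false the trail keeps management events only, which is the state that fails the Prowler object-level logging check; flipping it to true adds the S3 data-event selector without touching the rest of the resource.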