Bug | Fix *vpc flow logs* S3 bucket policy to allow logs and make it private

[exequielrafaela]

What?

• Fix vpc flow logs bucket policy to allow logs to be written in the corresponding buckets.
• Correct the policies to make the bucket private (consider updating our binbashar/terraform-aws-vpc-flowlogs module if needed)
• If possible consider to upgrade the binbashar/terraform-aws-vpc-flowlogs module, since it lacks customization for some basic things like type of traffic to capture.
  • The resource for which to create the flow log
  • The type of traffic to capture (accepted traffic, rejected traffic, or all traffic)
  • The destinations to which you want to publish the flow log data

Why?

• The vpc flow logs are not being published in the organization accounts S3 buckets.
• The bucket created by the module is not completely private

References

VPC flow logs

VPC flow logs empty bucket

VPC flow logs bucket not fully private

How?

In order to block public access and grant the necessary permissions to let vpc flow logs write the logs (delivery.logs.amazonaws.com) to the corresponding S3 bucket, please consider extending our vpc flow logs module with the code below

module "vpc_flow_logs" {
  source = "github.com/binbashar/terraform-aws-vpc-flowlogs.git?ref=v1.0.9"

  vpc_id             = module.vpc.vpc_id
  bucket_name_prefix = "${var.project}-${var.environment}"
  tags               = local.tags
}

resource "aws_s3_bucket_public_access_block" "default" {

  bucket                  = "${var.project}-${var.environment}-vpc-flowlogs"
  block_public_acls       = true
  ignore_public_acls      = true
  block_public_policy     = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_policy" "vpc-flowlogs" {
  bucket = "${var.project}-${var.environment}-vpc-flowlogs"

  policy = <<POLICY
{
   "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSLogDeliveryWrite",
            "Effect": "Allow",
            "Principal": {"Service": "delivery.logs.amazonaws.com"},
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::${var.project}-${var.environment}-vpc-flowlogs/AWSLogs/*",
            "Condition": {
            "StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}
        },
        {
            "Sid": "AWSLogDeliveryAclCheck",
            "Effect": "Allow",
            "Principal": {"Service": "delivery.logs.amazonaws.com"},
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::${var.project}-${var.environment}-vpc-flowlogs"
        },
        {
            "Sid": "EnforceSSlRequestsOnly",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::${var.project}-${var.environment}-vpc-flowlogs/*",
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}
POLICY
}

[exequielrafaela]

https://github.com/binbashar/terraform-aws-vpc-flowlogs/pull/10