search

cds-snc / cloud-based-sensor

Infrastructure configuration to manage CCCS's Cloud Based Sensor in AWS accounts
https://cyber.gc.ca/en/host-based-sensors
MIT License
0 stars 0 forks source link

Add threat modelling tool AWS account to cloud based sensor #300

Closed sylviamclaughlin closed 9 months ago

sylviamclaughlin commented 9 months ago

Summary | Résumé

Add threat modelling tool AWS account to cloud based sensor.

github-actions[bot] commented 9 months ago

Central account

✅   Terraform Init: success ✅   Terraform Validate: success ✅   Terraform Format: success ✅   Terraform Plan: success ✅   Conftest: success 

Plan: 0 to add, 4 to change, 0 to destroy
Show summary | CHANGE | NAME | |--------|---------------------------------------------| | update | `aws_iam_policy.log_archive_read` | | | `aws_kms_key.log_archive_encrypt` | | | `aws_s3_bucket_policy.log_archive_bucket` | | | `module.gh_oidc_roles.aws_iam_role.this[0]` |
Show plan ```terraform Resource actions are indicated with the following symbols: ~ update in-place <= read (data resources) Terraform will perform the following actions: # data.aws_iam_policy_document.log_archive_read will be read during apply # (config refers to values not yet known) <= data "aws_iam_policy_document" "log_archive_read" { ~ id = "3221625606" -> (known after apply) ~ json = jsonencode( { - Statement = [ - { - Action = [ - "s3:ListBucket", - "s3:GetObject", ] - Effect = "Allow" - Resource = [ - "arn:aws:s3:::cbs-log-archive-871282759583/*", - "arn:aws:s3:::cbs-log-archive-871282759583", ] }, - { - Action = "kms:Decrypt" - Effect = "Allow" - Resource = "arn:aws:kms:ca-central-1:871282759583:key/c4591f87-9445-4840-acb6-a5569e703c93" }, ] - Version = "2012-10-17" } ) -> (known after apply) - version = "2012-10-17" -> null ~ statement { - not_actions = [] -> null - not_resources = [] -> null # (3 unchanged attributes hidden) } ~ statement { - not_actions = [] -> null - not_resources = [] -> null # (3 unchanged attributes hidden) } } # aws_iam_policy.log_archive_read will be updated in-place ~ resource "aws_iam_policy" "log_archive_read" { id = "arn:aws:iam::871282759583:policy/CbsASEAReaderRole" name = "CbsASEAReaderRole" ~ policy = jsonencode( { - Statement = [ - { - Action = [ - "s3:ListBucket", - "s3:GetObject", ] - Effect = "Allow" - Resource = [ - "arn:aws:s3:::cbs-log-archive-871282759583/*", - "arn:aws:s3:::cbs-log-archive-871282759583", ] - Sid = "" }, - { - Action = "kms:Decrypt" - Effect = "Allow" - Resource = "arn:aws:kms:ca-central-1:871282759583:key/c4591f87-9445-4840-acb6-a5569e703c93" - Sid = "" }, ] - Version = "2012-10-17" } ) -> (known after apply) tags = {} # (4 unchanged attributes hidden) } # aws_kms_key.log_archive_encrypt will be updated in-place ~ resource "aws_kms_key" "log_archive_encrypt" { id = "c4591f87-9445-4840-acb6-a5569e703c93" ~ policy = (sensitive) tags = {} # (12 unchanged attributes hidden) } # aws_s3_bucket_policy.log_archive_bucket will be updated in-place ~ resource "aws_s3_bucket_policy" "log_archive_bucket" { id = "cbs-log-archive-871282759583" ~ policy = jsonencode( ~ { ~ Statement = [ ~ { ~ Principal = { ~ AWS = [ + "arn:aws:iam::975050085632:role/CbsSatelliteReplicateToLogArchive", "arn:aws:iam::957818836222:role/CbsSatelliteReplicateToLogArchive", # (20 unchanged elements hidden) ] } # (3 unchanged elements hidden) }, ~ { ~ Principal = { ~ AWS = [ + "arn:aws:iam::975050085632:role/CbsSatelliteReplicateToLogArchive", "arn:aws:iam::957818836222:role/CbsSatelliteReplicateToLogArchive", # (20 unchanged elements hidden) ] } # (3 unchanged elements hidden) }, ] # (1 unchanged element hidden) } ) # (1 unchanged attribute hidden) } # module.gh_oidc_roles.aws_iam_role.this[0] will be updated in-place ~ resource "aws_iam_role" "this" { ~ assume_role_policy = jsonencode( ~ { ~ Statement = [ { Action = "sts:AssumeRoleWithWebIdentity" Condition = { StringLike = { token.actions.githubusercontent.com:sub = "repo:cds-snc/cloud-based-sensor:*" } } Effect = "Allow" Principal = { Federated = "arn:aws:iam::871282759583:oidc-provider/token.actions.githubusercontent.com" } }, ~ { ~ Principal = { ~ AWS = [ + "arn:aws:iam::975050085632:role/ConfigTerraformAdminExecutionRole", "arn:aws:iam::957818836222:role/ConfigTerraformAdminExecutionRole", # (19 unchanged elements hidden) ] } # (2 unchanged elements hidden) }, ] # (1 unchanged element hidden) } ) id = "ConfigTerraformAdministratorRole" name = "ConfigTerraformAdministratorRole" tags = { "CostCentre" = "cbs-871282759583" "Terraform" = "true" } # (8 unchanged attributes hidden) # (1 unchanged block hidden) } Plan: 0 to add, 4 to change, 0 to destroy. Warning: Argument is deprecated with module.log_archive_access_bucket.aws_s3_bucket.this, on .terraform/modules/log_archive_access_bucket/S3_log_bucket/main.tf line 8, in resource "aws_s3_bucket" "this": 8: resource "aws_s3_bucket" "this" { Use the aws_s3_bucket_server_side_encryption_configuration resource instead (and 7 more similar warnings elsewhere) ───────────────────────────────────────────────────────────────────────────── Saved the plan to: plan.tfplan To perform exactly these actions, run the following command to apply: terraform apply "plan.tfplan" Releasing state lock. This may take a few moments... ```
Show Conftest results ```sh WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.log_archive_read"] WARN - plan.json - main - Missing Common Tags: ["aws_iam_role.log_archive_read"] WARN - plan.json - main - Missing Common Tags: ["aws_kms_key.log_archive_encrypt"] WARN - plan.json - main - Missing Common Tags: ["aws_sns_topic.log_archive"] 23 tests, 19 passed, 4 warnings, 0 failures, 0 exceptions ```
github-actions[bot] commented 9 months ago

975050085632: Satellite bucket

✅   Terraform Init: success ✅   Terraform Validate: success ✅   Terraform Format: success ✅   Terraform Plan: success ✅   Conftest: success 

Plan: 12 to add, 0 to change, 0 to destroy
Show summary | CHANGE | NAME | |--------|-------------------------------------------------------------------------| | add | `aws_iam_policy.s3_replicate` | | | `aws_iam_role_policy_attachment.s3_replicate` | | | `aws_s3_bucket_ownership_controls.satellite_bucket` | | | `aws_s3_bucket_policy.satellite_bucket` | | | `module.satellite_access_bucket.aws_s3_bucket.this` | | | `module.satellite_access_bucket.aws_s3_bucket_acl.this` | | | `module.satellite_access_bucket.aws_s3_bucket_ownership_controls.this` | | | `module.satellite_access_bucket.aws_s3_bucket_policy.this` | | | `module.satellite_access_bucket.aws_s3_bucket_public_access_block.this` | | | `module.satellite_access_bucket.aws_s3_bucket_versioning.this` | | | `module.satellite_bucket.aws_s3_bucket.this` | | | `module.satellite_bucket.aws_s3_bucket_public_access_block.this` |
Show plan ```terraform Resource actions are indicated with the following symbols: + create <= read (data resources) Terraform will perform the following actions: # data.aws_iam_policy_document.cloudtrail_write_logs will be read during apply # (config refers to values not yet known) <= data "aws_iam_policy_document" "cloudtrail_write_logs" { + id = (known after apply) + json = (known after apply) + statement { + actions = [ + "s3:GetBucketAcl", ] + effect = "Allow" + resources = [ + (known after apply), ] + sid = "CloudTrailGetAcl" + principals { + identifiers = [ + "cloudtrail.amazonaws.com", ] + type = "Service" } } + statement { + actions = [ + "s3:PutObject", ] + effect = "Allow" + resources = [ + (known after apply), ] + sid = "CloudTrailPutObject" + condition { + test = "StringEquals" + values = [ + "arn:aws:cloudtrail:ca-central-1:975050085632:trail/CbsSatelliteTrail", ] + variable = "aws:SourceArn" } + condition { + test = "StringEquals" + values = [ + "bucket-owner-full-control", ] + variable = "s3:x-amz-acl" } + principals { + identifiers = [ + "cloudtrail.amazonaws.com", ] + type = "Service" } } } # data.aws_iam_policy_document.combined will be read during apply # (config refers to values not yet known) <= data "aws_iam_policy_document" "combined" { + id = (known after apply) + json = (known after apply) + source_policy_documents = [ + (known after apply), + (known after apply), + (known after apply), + (known after apply), ] } # data.aws_iam_policy_document.deny_insecure_transport will be read during apply # (config refers to values not yet known) <= data "aws_iam_policy_document" "deny_insecure_transport" { + id = (known after apply) + json = (known after apply) + statement { + actions = [ + "s3:*", ] + effect = "Deny" + resources = [ + (known after apply), + (known after apply), ] + sid = "denyInsecureTransport" + condition { + test = "Bool" + values = [ + "false", ] + variable = "aws:SecureTransport" } + principals { + identifiers = [ + "*", ] + type = "*" } } } # data.aws_iam_policy_document.load_balancer_write_logs will be read during apply # (config refers to values not yet known) <= data "aws_iam_policy_document" "load_balancer_write_logs" { + id = (known after apply) + json = (known after apply) + statement { + actions = [ + "s3:PutObject", ] + effect = "Allow" + resources = [ + (known after apply), ] + sid = "ELBLogDeliveryPutObject" + principals { + identifiers = [ + "arn:aws:iam::985666609251:root", ] + type = "AWS" } } } # data.aws_iam_policy_document.log_delivery_write_logs will be read during apply # (config refers to values not yet known) <= data "aws_iam_policy_document" "log_delivery_write_logs" { + id = (known after apply) + json = (known after apply) + statement { + actions = [ + "s3:GetBucketAcl", ] + effect = "Allow" + resources = [ + (known after apply), ] + sid = "LogDeliveryGetAcl" + condition { + test = "ArnLike" + values = [ + "arn:aws:logs:ca-central-1:975050085632:*", ] + variable = "aws:SourceArn" } + condition { + test = "StringEquals" + values = [ + "975050085632", ] + variable = "aws:SourceAccount" } + principals { + identifiers = [ + "delivery.logs.amazonaws.com", ] + type = "Service" } } + statement { + actions = [ + "s3:PutObject", ] + effect = "Allow" + resources = [ + (known after apply), ] + sid = "LogDeliveryPutObject" + condition { + test = "ArnLike" + values = [ + "arn:aws:logs:ca-central-1:975050085632:*", ] + variable = "aws:SourceArn" } + condition { + test = "StringEquals" + values = [ + "975050085632", ] + variable = "aws:SourceAccount" } + condition { + test = "StringEquals" + values = [ + "bucket-owner-full-control", ] + variable = "s3:x-amz-acl" } + principals { + identifiers = [ + "delivery.logs.amazonaws.com", ] + type = "Service" } } } # data.aws_iam_policy_document.s3_replicate will be read during apply # (config refers to values not yet known) <= data "aws_iam_policy_document" "s3_replicate" { + id = (known after apply) + json = (known after apply) + statement { + actions = [ + "s3:GetReplicationConfiguration", + "s3:ListBucket", ] + effect = "Allow" + resources = [ + (known after apply), ] } + statement { + actions = [ + "s3:GetObjectVersion", + "s3:GetObjectVersionAcl", ] + effect = "Allow" + resources = [ + (known after apply), ] } + statement { + actions = [ + "s3:ObjectOwnerOverrideToBucketOwner", + "s3:ReplicateDelete", + "s3:ReplicateObject", ] + effect = "Allow" + resources = [ + "arn:aws:s3:::cbs-log-archive-871282759583/*", ] } } # aws_iam_policy.s3_replicate will be created + resource "aws_iam_policy" "s3_replicate" { + arn = (known after apply) + id = (known after apply) + name = "CbsSatelliteReplicateToLogArchive" + name_prefix = (known after apply) + path = "/" + policy = (known after apply) + policy_id = (known after apply) + tags_all = (known after apply) } # aws_iam_role_policy_attachment.s3_replicate will be created + resource "aws_iam_role_policy_attachment" "s3_replicate" { + id = (known after apply) + policy_arn = (known after apply) + role = "CbsSatelliteReplicateToLogArchive" } # aws_s3_bucket_ownership_controls.satellite_bucket will be created + resource "aws_s3_bucket_ownership_controls" "satellite_bucket" { + bucket = (known after apply) + id = (known after apply) + rule { + object_ownership = "ObjectWriter" } } # aws_s3_bucket_policy.satellite_bucket will be created + resource "aws_s3_bucket_policy" "satellite_bucket" { + bucket = (known after apply) + id = (known after apply) + policy = (known after apply) } # module.satellite_access_bucket.data.aws_iam_policy_document.combined will be read during apply # (config refers to values not yet known) <= data "aws_iam_policy_document" "combined" { + id = (known after apply) + json = (known after apply) + source_policy_documents = (known after apply) } # module.satellite_access_bucket.data.aws_iam_policy_document.deny_insecure_transport will be read during apply # (config refers to values not yet known) <= data "aws_iam_policy_document" "deny_insecure_transport" { + id = (known after apply) + json = (known after apply) + statement { + actions = [ + "s3:*", ] + effect = "Deny" + resources = [ + (known after apply), + (known after apply), ] + sid = "denyInsecureTransport" + condition { + test = "Bool" + values = [ + "false", ] + variable = "aws:SecureTransport" } + principals { + identifiers = [ + "*", ] + type = "*" } } } # module.satellite_access_bucket.aws_s3_bucket.this will be created + resource "aws_s3_bucket" "this" { + acceleration_status = (known after apply) + acl = (known after apply) + arn = (known after apply) + bucket = "cbs-satellite-975050085632-access" + bucket_domain_name = (known after apply) + bucket_prefix = (known after apply) + bucket_regional_domain_name = (known after apply) + force_destroy = true + hosted_zone_id = (known after apply) + id = (known after apply) + object_lock_enabled = (known after apply) + policy = (known after apply) + region = (known after apply) + request_payer = (known after apply) + tags = { + "CostCentre" = "cbs-975050085632" + "Critical" = "true" + "Terraform" = "true" } + tags_all = { + "CostCentre" = "cbs-975050085632" + "Critical" = "true" + "Terraform" = "true" } + website_domain = (known after apply) + website_endpoint = (known after apply) + cors_rule { + allowed_headers = (known after apply) + allowed_methods = (known after apply) + allowed_origins = (known after apply) + expose_headers = (known after apply) + max_age_seconds = (known after apply) } + grant { + id = (known after apply) + permissions = (known after apply) + type = (known after apply) + uri = (known after apply) } + lifecycle_rule { + enabled = true + id = "delete-old-objects" + expiration { + days = 90 } } + logging { + target_bucket = (known after apply) + target_prefix = (known after apply) } + object_lock_configuration { + object_lock_enabled = (known after apply) + rule { + default_retention { + days = (known after apply) + mode = (known after apply) + years = (known after apply) } } } + replication_configuration { + role = (known after apply) + rules { + delete_marker_replication_status = (known after apply) + id = (known after apply) + prefix = (known after apply) + priority = (known after apply) + status = (known after apply) + destination { + account_id = (known after apply) + bucket = (known after apply) + replica_kms_key_id = (known after apply) + storage_class = (known after apply) + access_control_translation { + owner = (known after apply) } + metrics { + minutes = (known after apply) + status = (known after apply) } + replication_time { + minutes = (known after apply) + status = (known after apply) } } + filter { + prefix = (known after apply) + tags = (known after apply) } + source_selection_criteria { + sse_kms_encrypted_objects { + enabled = (known after apply) } } } } + server_side_encryption_configuration { + rule { + apply_server_side_encryption_by_default { + sse_algorithm = "AES256" } } } + versioning { + enabled = (known after apply) + mfa_delete = (known after apply) } + website { + error_document = (known after apply) + index_document = (known after apply) + redirect_all_requests_to = (known after apply) + routing_rules = (known after apply) } } # module.satellite_access_bucket.aws_s3_bucket_acl.this will be created + resource "aws_s3_bucket_acl" "this" { + acl = "log-delivery-write" + bucket = (known after apply) + id = (known after apply) + access_control_policy { + grant { + permission = (known after apply) + grantee { + display_name = (known after apply) + email_address = (known after apply) + id = (known after apply) + type = (known after apply) + uri = (known after apply) } } + owner { + display_name = (known after apply) + id = (known after apply) } } } # module.satellite_access_bucket.aws_s3_bucket_ownership_controls.this will be created + resource "aws_s3_bucket_ownership_controls" "this" { + bucket = (known after apply) + id = (known after apply) + rule { + object_ownership = "BucketOwnerPreferred" } } # module.satellite_access_bucket.aws_s3_bucket_policy.this will be created + resource "aws_s3_bucket_policy" "this" { + bucket = (known after apply) + id = (known after apply) + policy = (known after apply) } # module.satellite_access_bucket.aws_s3_bucket_public_access_block.this will be created + resource "aws_s3_bucket_public_access_block" "this" { + block_public_acls = true + block_public_policy = true + bucket = (known after apply) + id = (known after apply) + ignore_public_acls = true + restrict_public_buckets = true } # module.satellite_access_bucket.aws_s3_bucket_versioning.this will be created + resource "aws_s3_bucket_versioning" "this" { + bucket = (known after apply) + id = (known after apply) + versioning_configuration { + mfa_delete = (known after apply) + status = "Disabled" } } # module.satellite_bucket.aws_s3_bucket.this will be created + resource "aws_s3_bucket" "this" { + acceleration_status = (known after apply) + acl = "private" + arn = (known after apply) + bucket = "cbs-satellite-975050085632" + bucket_domain_name = (known after apply) + bucket_prefix = (known after apply) + bucket_regional_domain_name = (known after apply) + force_destroy = false + hosted_zone_id = (known after apply) + id = (known after apply) + object_lock_enabled = (known after apply) + policy = (known after apply) + region = (known after apply) + request_payer = (known after apply) + tags = { + "CostCentre" = "cbs-975050085632" + "Critical" = "false" + "Terraform" = "true" } + tags_all = { + "CostCentre" = "cbs-975050085632" + "Critical" = "false" + "Terraform" = "true" } + website_domain = (known after apply) + website_endpoint = (known after apply) + cors_rule { + allowed_headers = (known after apply) + allowed_methods = (known after apply) + allowed_origins = (known after apply) + expose_headers = (known after apply) + max_age_seconds = (known after apply) } + grant { + id = (known after apply) + permissions = (known after apply) + type = (known after apply) + uri = (known after apply) } + lifecycle_rule { + enabled = true + id = "delete-old-objects" + expiration { + days = 14 } } + logging { + target_bucket = (known after apply) } + object_lock_configuration { + object_lock_enabled = (known after apply) + rule { + default_retention { + days = (known after apply) + mode = (known after apply) + years = (known after apply) } } } + replication_configuration { + role = "arn:aws:iam::975050085632:role/CbsSatelliteReplicateToLogArchive" + rules { + id = "cbs-log-archive" + priority = 100 + status = "Enabled" + destination { + account_id = "871282759583" + bucket = "arn:aws:s3:::cbs-log-archive-871282759583" + replica_kms_key_id = "arn:aws:kms:ca-central-1:871282759583:key/c4591f87-9445-4840-acb6-a5569e703c93" + access_control_translation { + owner = "Destination" } } + filter {} + source_selection_criteria { + sse_kms_encrypted_objects { + enabled = true } } } } + server_side_encryption_configuration { + rule { + bucket_key_enabled = false + apply_server_side_encryption_by_default { + sse_algorithm = "AES256" } } } + versioning { + enabled = true + mfa_delete = false } + website { + error_document = (known after apply) + index_document = (known after apply) + redirect_all_requests_to = (known after apply) + routing_rules = (known after apply) } } # module.satellite_bucket.aws_s3_bucket_public_access_block.this will be created + resource "aws_s3_bucket_public_access_block" "this" { + block_public_acls = true + block_public_policy = true + bucket = (known after apply) + id = (known after apply) + ignore_public_acls = true + restrict_public_buckets = true } Plan: 12 to add, 0 to change, 0 to destroy. Warning: Argument is deprecated with module.satellite_access_bucket.aws_s3_bucket.this, on .terraform/modules/satellite_access_bucket/S3_log_bucket/main.tf line 8, in resource "aws_s3_bucket" "this": 8: resource "aws_s3_bucket" "this" { Use the aws_s3_bucket_server_side_encryption_configuration resource instead (and 8 more similar warnings elsewhere) ───────────────────────────────────────────────────────────────────────────── Saved the plan to: plan.tfplan To perform exactly these actions, run the following command to apply: terraform apply "plan.tfplan" Releasing state lock. This may take a few moments... ```
Show Conftest results ```sh WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.s3_replicate"] 20 tests, 19 passed, 1 warning, 0 failures, 0 exceptions ```