Closed TheShahin closed 1 year ago
I think this could easily be fixed by adding the following to main.tf:

```hcl
data "aws_iam_policy_document" "cloudtrail_log_policy" {
  version = "2012-10-17"

  # Deny every S3 action on the bucket and on its objects, for any principal,
  # whenever the request did not arrive over TLS (aws:SecureTransport is false).
  statement {
    sid     = "ForceSSLOnlyAccess"
    actions = ["s3:*"]
    effect  = "Deny"
    resources = [
      "arn:aws:s3:::${local.log_bucket_name}",
      "arn:aws:s3:::${local.log_bucket_name}/*",
    ]

    principals {
      type        = "AWS"
      identifiers = ["*"]
    }

    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

# A bucket has exactly one policy, so this resource replaces whatever policy the
# bucket had: any Allow statements other consumers of the bucket rely on (for
# example CloudTrail log delivery) must be part of this same document.
resource "aws_s3_bucket_policy" "cloudtrail_log_bucket_policy" {
  count  = (var.use_existing_cloudtrail || var.use_existing_access_log_bucket) ? 0 : (var.bucket_logs_enabled ? 1 : 0)
  bucket = aws_s3_bucket.cloudtrail_log_bucket[0].id
  policy = data.aws_iam_policy_document.cloudtrail_log_policy.json
}
```
Hey @TheShahin I've created a task for the team to take a look at this. Internal Jira link: https://lacework.atlassian.net/browse/GROW-1523
Feature Request

Describe the Feature Request
Bucket policy for the CloudTrail log bucket should deny HTTP requests by default.

Is your feature request related to a problem? Please describe
The ISO 27001 report that's generated by Lacework complains about Lacework's own access logs bucket allowing HTTP requests, flagging it as a vulnerability of medium severity.

Describe Preferred Solution
Add a policy to the access logs bucket, denying HTTP requests.

Additional Context
N/A
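The following is an added example, not code from this issue or from the Lacework module: a check of the kind the compliance report applies, which the Terraform policy proposed above is meant to satisfy. It reads a bucket policy as JSON (the shape `aws s3api get-bucket-policy` or the rendered `aws_iam_policy_document` produces) and passes the bucket only if some statement denies all S3 actions, for every principal, on both the bucket ARN and its objects, conditioned solely on `aws:SecureTransport` being false. The sample policies and the bucket name `example-cloudtrail-logs` are constructed for the example; the second sample shows the bucket as the report found it, and the third shows a Deny that covers objects only, which still leaves `ListBucket` reachable over plain HTTP.

```python
import json

# Hypothetical bucket name used by the constructed sample policies below.
BUCKET = "example-cloudtrail-logs"

# Constructed sample: the Deny statement the issue proposes, as the Terraform
# data source would render it, next to a typical CloudTrail delivery Allow.
TLS_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::{BUCKET}/AWSLogs/*"},
        {"Sid": "ForceSSLOnlyAccess", "Effect": "Deny",
         "Principal": {"AWS": "*"}, "Action": "s3:*",
         "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

# Constructed sample: the same bucket without any Deny (what the report flags).
NO_DENY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::{BUCKET}/AWSLogs/*"},
    ],
})

# Constructed sample: a Deny that covers objects but not the bucket itself.
OBJECTS_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyInsecureObjectAccess", "Effect": "Deny",
         "Principal": "*", "Action": "s3:*",
         "Resource": f"arn:aws:s3:::{BUCKET}/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})


def _as_list(value):
    """IAM allows a single string wherever a list is accepted; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    """Principal "*" or {"AWS": "*"} matches anonymous and authenticated callers."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _denies_all_s3_actions(actions):
    acts = _as_list(actions)
    return "*" in acts or "s3:*" in acts


def _covers_bucket_and_objects(resources, bucket):
    """Both the bucket ARN (ListBucket etc.) and the object ARNs must be covered."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    res = set(_as_list(resources))
    return "*" in res or {bucket_arn, bucket_arn + "/*"} <= res


def _requires_insecure_transport(condition):
    """True only when the sole condition is aws:SecureTransport == false.

    Any additional condition key narrows the Deny, so some plain-HTTP
    requests would still be allowed; treat that as non-compliant.
    """
    if not isinstance(condition, dict) or set(condition) != {"Bool"}:
        return False
    bool_cond = condition["Bool"]
    if not isinstance(bool_cond, dict) or set(bool_cond) != {"aws:SecureTransport"}:
        return False
    values = [str(v).lower() for v in _as_list(bool_cond["aws:SecureTransport"])]
    return values == ["false"]


def enforces_tls(policy_json, bucket):
    """Return True if the policy denies all non-TLS access to bucket and objects."""
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement")):
        # Negated forms are ignored (conservative): they need separate reasoning.
        if any(k in stmt for k in ("NotPrincipal", "NotAction", "NotResource")):
            continue
        if (stmt.get("Effect") == "Deny"
                and _principal_is_everyone(stmt.get("Principal"))
                and _denies_all_s3_actions(stmt.get("Action"))
                and _covers_bucket_and_objects(stmt.get("Resource"), bucket)
                and _requires_insecure_transport(stmt.get("Condition"))):
            return True
    return False


if __name__ == "__main__":
    for name, doc in (("tls-only", TLS_ONLY_POLICY), ("no-deny", NO_DENY_POLICY),
                      ("objects-only", OBJECTS_ONLY_POLICY)):
        print(f"{name}: {'PASS' if enforces_tls(doc, BUCKET) else 'FAIL'}")
```

The check is deliberately strict: a Deny that names only some actions, only object ARNs, or carries an extra condition key is reported as failing, because each of those leaves a path for an HTTP request to succeed. To apply it to a live bucket, feed it the `Policy` field returned by `aws s3api get-bucket-policy --bucket <name>`.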