lacework / terraform-aws-cloudtrail

Terraform module for configuring an integration with Lacework and AWS for CloudTrail analysis

feat: CloudTrail log bucket denies HTTP requests #114

Status: closed. Opened by TheShahin; closed 1 year ago.

TheShahin commented 1 year ago

Feature Request

Describe the Feature Request: The bucket policy for the CloudTrail log bucket should deny HTTP requests by default.

Is your feature request related to a problem? Please describe: The ISO 27001 report that's generated by Lacework complains about Lacework's own access logs bucket allowing HTTP requests, flagging it as a vulnerability of medium severity.

Describe Preferred Solution: Add a policy to the access logs bucket, denying HTTP requests.

Additional Context: N/A

TheShahin commented 1 year ago

I think this could easily be fixed by adding the following to main.tf:

# Policy document for the CloudTrail log bucket: a single Deny statement that
# rejects every S3 call made over plain HTTP (aws:SecureTransport = false),
# whoever the caller is. An explicit Deny wins over any Allow in the policy.
data "aws_iam_policy_document" "cloudtrail_log_policy" {
  version = "2012-10-17"

  statement {
    sid     = "ForceSSLOnlyAccess"
    actions = ["s3:*"]
    effect  = "Deny"

    # Both the bucket ARN (bucket-level calls such as ListBucket) and the
    # object ARN pattern (GetObject/PutObject) must be listed, otherwise
    # one class of request stays reachable over HTTP.
    resources = [
      "arn:aws:s3:::${local.log_bucket_name}",
      "arn:aws:s3:::${local.log_bucket_name}/*",
    ]

    # Applies to every principal, including the bucket owner's own account.
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }

    # Matches only requests that arrived without TLS.
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

# Attach the policy only when this module creates the log bucket itself and
# bucket logging is enabled; an existing trail or an existing access-log
# bucket keeps whatever policy it already has.
resource "aws_s3_bucket_policy" "cloudtrail_log_bucket_policy" {
  count  = (var.use_existing_cloudtrail || var.use_existing_access_log_bucket) ? 0 : (var.bucket_logs_enabled ? 1 : 0)
  bucket = aws_s3_bucket.cloudtrail_log_bucket[0].id
  policy = data.aws_iam_policy_document.cloudtrail_log_policy.json
}

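The check that a compliance report performs on a rendered bucket policy, as an added example in Python (not code from the issue, the reporter, or the lacework/terraform-aws-cloudtrail module). It takes the JSON form of a bucket policy, which is what the aws_iam_policy_document data source above renders and what s3:GetBucketPolicy returns, and decides whether it contains a Deny that rejects non-TLS requests for the whole bucket: every principal, all S3 actions, both the bucket ARN and the object ARN pattern, conditioned on aws:SecureTransport being false. The bucket name and the three sample policies (CloudTrail's write statements alone, the same plus the ForceSSLOnlyAccess statement, and a near miss that only covers objects) are constructed for the example.

```python
"""Offline check: does an S3 bucket policy deny requests made without TLS?

Added example, not part of the lacework/terraform-aws-cloudtrail module.
The bucket name and sample policies below are constructed for illustration.
"""
import json

BUCKET = "example-cloudtrail-logs"  # constructed bucket name


def _as_list(value):
    """IAM policy JSON allows a scalar or a list in most positions; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def ssl_only_statement(bucket_name):
    """JSON equivalent of the ForceSSLOnlyAccess statement proposed in the issue."""
    return {
        "Sid": "ForceSSLOnlyAccess",
        "Effect": "Deny",
        "Principal": {"AWS": "*"},
        "Action": "s3:*",
        "Resource": [
            f"arn:aws:s3:::{bucket_name}",
            f"arn:aws:s3:::{bucket_name}/*",
        ],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }


def _principal_is_anyone(stmt):
    # S3 accepts both the short form "*" and {"AWS": "*"}.
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _covers_bucket_and_objects(stmt, bucket_name):
    # A Deny on the object pattern alone leaves bucket-level calls such as
    # ListBucket reachable over HTTP, so both ARNs (or a wildcard) are required.
    resources = set(_as_list(stmt.get("Resource")))
    if "*" in resources:
        return True
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    return bucket_arn in resources and f"{bucket_arn}/*" in resources


def _requires_tls(stmt):
    # Condition key names are case-insensitive in IAM; values may be a scalar
    # or a one-element list. Only an exact "false" counts.
    bool_cond = {k.lower(): v for k, v in stmt.get("Condition", {}).get("Bool", {}).items()}
    values = [str(v).lower() for v in _as_list(bool_cond.get("aws:securetransport"))]
    return values == ["false"]


def denies_insecure_transport(policy, bucket_name):
    """True if some statement denies all S3 actions, for everyone, on the bucket
    and its objects, whenever the request was not made over TLS."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"s3:*", "*"}:
            continue  # a Deny on a subset of actions is not credited
        if (_principal_is_anyone(stmt)
                and _covers_bucket_and_objects(stmt, bucket_name)
                and _requires_tls(stmt)):
            return True
    return False


# Constructed: only the two statements CloudTrail needs to write to the bucket.
# This is the shape that gets flagged for allowing HTTP.
CLOUDTRAIL_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSCloudTrailAclCheck",
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "s3:GetBucketAcl",
            "Resource": f"arn:aws:s3:::{BUCKET}",
        },
        {
            "Sid": "AWSCloudTrailWrite",
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/AWSLogs/*",
            "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
        },
    ],
}

# Constructed: the same policy with the ForceSSLOnlyAccess statement merged in.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": CLOUDTRAIL_ONLY_POLICY["Statement"] + [ssl_only_statement(BUCKET)],
}
HARDENED_POLICY_JSON = json.dumps(HARDENED_POLICY)

# Constructed near miss: the Deny lists only the object pattern.
OBJECTS_ONLY_DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        }
    ],
}

if __name__ == "__main__":
    for name, policy in [("cloudtrail-only", CLOUDTRAIL_ONLY_POLICY),
                         ("hardened", HARDENED_POLICY),
                         ("objects-only-deny", OBJECTS_ONLY_DENY_POLICY)]:
        print(f"{name}: denies HTTP = {denies_insecure_transport(policy, BUCKET)}")
```

Two caveats when carrying this over to Terraform. A bucket carries exactly one bucket policy, so the Deny statement has to live in the same policy document as the statements CloudTrail needs to write its logs; a second aws_s3_bucket_policy resource pointed at the same bucket would overwrite the first on every apply. And the checker deliberately does not credit a Deny that covers only the object pattern, or only some actions, because such a policy still leaves part of the bucket reachable over HTTP.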
dmurray-lacework commented 1 year ago

Hey @TheShahin I've created a task for the team to take a look at this. Internal Jira link: https://lacework.atlassian.net/browse/GROW-1523

afiune commented 1 year ago

Closed by https://github.com/lacework/terraform-aws-cloudtrail/pull/120