ministryofjustice / staff-device-shared-services-infrastructure

Staff Device AWS Infrastructure for build pipelines
https://ministryofjustice.github.io/cloud-operations/#cloud-operations
MIT License

S3 Bucket Versioning Audit #88

Closed smjmoj closed 1 year ago

smjmoj commented 1 year ago

Created a script to write a simple report.

S3 Bucket Versioning Status for AWS Account ID 683290208331
  at 2023-09-27T14-00-34

cf-templates-skso50gjtnxv-eu-west-2 
codepipeline-eu-west-2-705977068512 
config-bucket-683290208331 
globalprotect-artifacts20200615163910810600000001 
globalprotect-asg-artifacts20210130013841941700000001 
globalprotect-bootstrap-20200702001921878300000002 
globalprotect-bootstrap20200702001921875700000001 
moj-prod-tf-state20200612152454709000000001 {
    "Status": "Enabled",
    "MFADelete": "Disabled"
}
mojo-aws-github-oidc-provider-core-tf-state 
mojo-bootstrap-nac-infrastructure-terraform-remote-state {
    "Status": "Enabled",
    "MFADelete": "Disabled"
}
mojo-ci-staff-external-dynamic-list-core-tf-state 
mojo-pki-aws-infrastructure-terraform-state 
panorama-artifacts20200612171650651000000001 
panorama-policy-as-code-artifacts20200721172455648900000001 
panorama-policyascode-prod-artifacts20220325115722122700000001 
psn-access-artifacts20201123110212494700000001 
pttp-ci-infrastructure-admin-build-artifact-bucket 
pttp-ci-infrastructure-admin-client-core-tf-state 
pttp-ci-infrastructure-build-artifact-bucket 
pttp-ci-infrastructure-client-core-tf-state 
pttp-ci-infrastructure-cloudtrail-bucket 
pttp-ci-infrastructure-dns-dhcp-build-artifact-bucket 
pttp-ci-infrastructure-dns-dhcp-client-core-tf-state 
pttp-ci-infrastructure-dns-server-build-artifact-bucket 
pttp-ci-infrastructure-dns-server-client-core-tf-state 
pttp-ci-infrastructure-kea-server-build-artifact-bucket 
pttp-ci-infrastructure-kea-server-client-core-tf-state 
pttp-ci-infrastructure-log-syslog-build-artifact-bucket 
pttp-ci-infrastructure-log-syslog-client-core-tf-state 
pttp-ci-infrastructure-nac-admin-build-artifact-bucket 
pttp-ci-infrastructure-nac-admin-client-core-tf-state 
pttp-ci-infrastructure-nac-build-artifact-bucket 
pttp-ci-infrastructure-nac-client-core-tf-state 
pttp-ci-infrastructure-nac-server-build-artifact-bucket 
pttp-ci-infrastructure-nac-server-client-core-tf-state 
pttp-ci-infrastructure-net-svcs-build-artifact-bucket 
pttp-ci-infrastructure-net-svcs-client-core-tf-state 
pttp-ci-infrastructure-pvt-dns-client-core-tf-state {
    "Status": "Enabled"
}
pttp-ci-infrastructure-smtp-relay-build-artifact-bucket 
pttp-ci-infrastructure-smtp-relay-client-core-tf-state 
pttp-client-codebuild-logging-pre-prod-tf-state 
pttp-global-bootstrap-pttp-infrastructure-tf-remote-state {
    "Status": "Enabled",
    "MFADelete": "Disabled"
}
sop-oci-access-artifacts20200709123747779600000001 
staff-device-ci-private-dns-zone-core-tf-state 
staff-external-dynamic-list-development 
staff-external-dynamic-list-pre-production 
staff-external-dynamic-list-production 
staff-external-dynamic-list-touhid 
staff-infrastructure-monitoring-cluster-tf-state 
staff-technology-services-github-teams-core-tf-state 
tgw-artifacts20200616120736440900000001 
this-is-a-bad-framwwork-23233254235 

smjmoj commented 1 year ago

Following application of this change (https://github.com/ministryofjustice/staff-device-shared-services-infrastructure/pull/91), 11 buckets have now had versioning enabled.

diff 2023-09-28T10-28-26_id-683290208331_s3_versioning.txt 2023-09-28T10-47-05_id-683290208331_s3_versioning.txt -y --suppress-common-lines
  at 2023-09-28T10-28-26                                      |   at 2023-09-28T10-47-05
pttp-ci-infrastructure-admin-client-core-tf-state             | pttp-ci-infrastructure-admin-client-core-tf-state {
                                                          >     "Status": "Enabled"
                                                       > }
pttp-ci-infrastructure-client-core-tf-state                | pttp-ci-infrastructure-client-core-tf-state {
                                                          >     "Status": "Enabled"
                                                       > }
pttp-ci-infrastructure-dns-dhcp-client-core-tf-state               | pttp-ci-infrastructure-dns-dhcp-client-core-tf-state {
                                                          >     "Status": "Enabled"
                                                       > }
pttp-ci-infrastructure-dns-server-client-core-tf-state             | pttp-ci-infrastructure-dns-server-client-core-tf-state {
                                                          >     "Status": "Enabled"
                                                       > }
pttp-ci-infrastructure-kea-server-client-core-tf-state             | pttp-ci-infrastructure-kea-server-client-core-tf-state {
                                                          >     "Status": "Enabled"
                                                       > }
pttp-ci-infrastructure-log-syslog-client-core-tf-state             | pttp-ci-infrastructure-log-syslog-client-core-tf-state {
                                                          >     "Status": "Enabled"
                                                       > }
pttp-ci-infrastructure-nac-admin-client-core-tf-state              | pttp-ci-infrastructure-nac-admin-client-core-tf-state {
                                                          >     "Status": "Enabled"
                                                       > }
pttp-ci-infrastructure-nac-client-core-tf-state            | pttp-ci-infrastructure-nac-client-core-tf-state {
                                                          >     "Status": "Enabled"
                                                       > }
pttp-ci-infrastructure-nac-server-client-core-tf-state             | pttp-ci-infrastructure-nac-server-client-core-tf-state {
                                                          >     "Status": "Enabled"
                                                       > }
pttp-ci-infrastructure-net-svcs-client-core-tf-state               | pttp-ci-infrastructure-net-svcs-client-core-tf-state {
                                                          >     "Status": "Enabled"
                                                       > }
pttp-ci-infrastructure-smtp-relay-client-core-tf-state             | pttp-ci-infrastructure-smtp-relay-client-core-tf-state {
                                                          >     "Status": "Enabled"
                                                       > }

smjmoj commented 1 year ago

S3 Bucket Versioning Status for AWS Account ID 683290208331
  at 2023-09-28T10-47-05

cf-templates-skso50gjtnxv-eu-west-2 
codepipeline-eu-west-2-705977068512 
config-bucket-683290208331 
globalprotect-artifacts20200615163910810600000001 
globalprotect-asg-artifacts20210130013841941700000001 
globalprotect-bootstrap-20200702001921878300000002 
globalprotect-bootstrap20200702001921875700000001 
moj-prod-tf-state20200612152454709000000001 {
    "Status": "Enabled",
    "MFADelete": "Disabled"
}
mojo-aws-github-oidc-provider-core-tf-state 
mojo-bootstrap-nac-infrastructure-terraform-remote-state {
    "Status": "Enabled",
    "MFADelete": "Disabled"
}
mojo-ci-staff-external-dynamic-list-core-tf-state 
mojo-pki-aws-infrastructure-terraform-state 
panorama-artifacts20200612171650651000000001 
panorama-policy-as-code-artifacts20200721172455648900000001 
panorama-policyascode-prod-artifacts20220325115722122700000001 
psn-access-artifacts20201123110212494700000001 
pttp-ci-infrastructure-admin-build-artifact-bucket 
pttp-ci-infrastructure-admin-client-core-tf-state {
    "Status": "Enabled"
}
pttp-ci-infrastructure-build-artifact-bucket 
pttp-ci-infrastructure-client-core-tf-state {
    "Status": "Enabled"
}
pttp-ci-infrastructure-cloudtrail-bucket 
pttp-ci-infrastructure-dns-dhcp-build-artifact-bucket 
pttp-ci-infrastructure-dns-dhcp-client-core-tf-state {
    "Status": "Enabled"
}
pttp-ci-infrastructure-dns-server-build-artifact-bucket 
pttp-ci-infrastructure-dns-server-client-core-tf-state {
    "Status": "Enabled"
}
pttp-ci-infrastructure-kea-server-build-artifact-bucket 
pttp-ci-infrastructure-kea-server-client-core-tf-state {
    "Status": "Enabled"
}
pttp-ci-infrastructure-log-syslog-build-artifact-bucket 
pttp-ci-infrastructure-log-syslog-client-core-tf-state {
    "Status": "Enabled"
}
pttp-ci-infrastructure-nac-admin-build-artifact-bucket 
pttp-ci-infrastructure-nac-admin-client-core-tf-state {
    "Status": "Enabled"
}
pttp-ci-infrastructure-nac-build-artifact-bucket 
pttp-ci-infrastructure-nac-client-core-tf-state {
    "Status": "Enabled"
}
pttp-ci-infrastructure-nac-server-build-artifact-bucket 
pttp-ci-infrastructure-nac-server-client-core-tf-state {
    "Status": "Enabled"
}
pttp-ci-infrastructure-net-svcs-build-artifact-bucket 
pttp-ci-infrastructure-net-svcs-client-core-tf-state {
    "Status": "Enabled"
}
pttp-ci-infrastructure-pvt-dns-client-core-tf-state {
    "Status": "Enabled"
}
pttp-ci-infrastructure-smtp-relay-build-artifact-bucket 
pttp-ci-infrastructure-smtp-relay-client-core-tf-state {
    "Status": "Enabled"
}
pttp-client-codebuild-logging-pre-prod-tf-state 
pttp-global-bootstrap-pttp-infrastructure-tf-remote-state {
    "Status": "Enabled",
    "MFADelete": "Disabled"
}
sop-oci-access-artifacts20200709123747779600000001 
staff-device-ci-private-dns-zone-core-tf-state 
staff-external-dynamic-list-development 
staff-external-dynamic-list-pre-production 
staff-external-dynamic-list-production 
staff-external-dynamic-list-touhid 
staff-infrastructure-monitoring-cluster-tf-state 
staff-technology-services-github-teams-core-tf-state 
tgw-artifacts20200616120736440900000001 
this-is-a-bad-framwwork-23233254235 

jamesgreen-moj commented 1 year ago

There are still S3 buckets with the name "-tf-state", without versioning applied. These buckets are not managed in the staff-device-shared-services-infrastructure repo.
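
The check described in the comment above can be run directly against a saved report. The following is an added example, not the script used in this issue or code from the repository: it parses the report layout posted in this thread and lists buckets whose name contains "-tf-state" and whose versioning is not enabled. The function names are hypothetical and the sample is a short excerpt of the report above.

```python
import json
import re

# Excerpt in the report layout posted in this thread (bucket names taken from it).
SAMPLE_REPORT = """\
S3 Bucket Versioning Status for AWS Account ID 683290208331
  at 2023-09-28T10-47-05

mojo-pki-aws-infrastructure-terraform-state
moj-prod-tf-state20200612152454709000000001 {
    "Status": "Enabled",
    "MFADelete": "Disabled"
}
pttp-ci-infrastructure-build-artifact-bucket
pttp-ci-infrastructure-pvt-dns-client-core-tf-state {
    "Status": "Enabled"
}
staff-device-ci-private-dns-zone-core-tf-state
"""

# S3 bucket names: 3-63 chars of lowercase letters, digits, dots and hyphens.
BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def parse_report(text):
    """Return {bucket: versioning dict}; {} means no versioning configuration."""
    buckets, lines, i = {}, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if line.endswith("{"):
            # "name {" opens a JSON block that runs to the closing "}".
            name, block = line[:-1].strip(), ["{"]
            while i < len(lines) and block[-1] != "}":
                block.append(lines[i].strip())
                i += 1
            buckets[name] = json.loads("".join(block))
        elif BUCKET_RE.match(line):
            buckets[line] = {}  # a bare name: versioning was never configured
        # anything else (title, timestamp, blank line) is header text
    return buckets


def unversioned(buckets, name_filter="-tf-state"):
    """Matching buckets whose Status is not "Enabled" (absent or "Suspended")."""
    return sorted(name for name, cfg in buckets.items()
                  if name_filter in name and cfg.get("Status") != "Enabled")


if __name__ == "__main__":
    print("\n".join(unversioned(parse_report(SAMPLE_REPORT))))
```

The default filter matches only the "-tf-state" naming quoted in the comment; a state bucket named differently, such as mojo-pki-aws-infrastructure-terraform-state, needs a broader `name_filter`.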

smjmoj commented 1 year ago

With reference to S3 Bucket "staff-device-ci-private-dns-zone-core-tf-state" - the following ticket has been created after inspection.

https://app.zenhub.com/workspaces/nvvs-devops-622a0b371800e400133bb924/issues/gh/ministryofjustice/nvvs-devops/461

jamesgreen-moj commented 1 year ago

New ticket to add versioning to missing buckets: https://app.zenhub.com/workspaces/nvvs-devops-622a0b371800e400133bb924/issues/gh/ministryofjustice/nvvs-devops/462