pulumi / pulumi-policy-aws

A policy pack of rules to enforce AWS best practices for security, reliability, cost, and more!
https://www.pulumi.com
Apache License 2.0

s3-bucket-logging-enabled rule can't easily be satisfied #36

Open justinvp opened 4 years ago

justinvp commented 4 years ago

The s3-bucket-logging-enabled rule checks all buckets to see if they have loggings specified.

So the following would be in violation of the policy:

import * as aws from "@pulumi/aws";

const bucket = new aws.s3.Bucket("b");

To address this, I'd ensure my bucket has logging enabled by adding a log bucket:

import * as aws from "@pulumi/aws";

// Dedicated bucket that receives the access logs; S3 log delivery needs the
// log-delivery-write canned ACL on the target bucket.
const logBucket = new aws.s3.Bucket("logBucket", {
    acl: "log-delivery-write",
});

// Data bucket that ships its access logs to logBucket.
const bucket = new aws.s3.Bucket("b", {
    loggings: [{
        targetBucket: logBucket.id,
        targetPrefix: "log/",
    }],
});

However, now the log bucket doesn't have loggings specified, which means I'm still in violation of the policy.

The workaround would be to provision the log bucket outside of the Pulumi program, but I do not want to do that.

I think we need to modify this policy to ensure all buckets have loggings unless the id is being used as the targetBucket of another bucket's loggings. This necessitates modifying this policy to be a stack policy rather than a resource policy.

chrsmith commented 4 years ago

Having a StackPolicy to check the relationship between a "bucket" and its "logs bucket" is probably the best call here.

But as a potential workaround, you can have a bucket write its logs into itself. That satisfies the rule, but perhaps not the spirit of the policy:

import * as aws from "@pulumi/aws";

// Assumed value: testBucketName is not defined in the original snippet.
const testBucketName = "access-logs-example";

const accessLogsBucket = new aws.s3.Bucket("accessLogs", {
    bucket: testBucketName,
    loggings: [{
        targetBucket: testBucketName,  // Write access logs into itself.
    }],
});
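The two points raised above, a stack-level check that exempts a bucket when it is another bucket's logging target and a way to spot the "log into itself" workaround, can both be written as plain functions over the resource list a stack policy receives. The following is an added example, not code from pulumi-policy-aws or from either commenter; it assumes resources are shaped like @pulumi/policy's PolicyResource (a `type`, a logical `name`, and resolved `props` that carry the S3 `bucket` name and the `loggings` array) and has no Pulumi dependency so it runs stand-alone.

```typescript
// Shape of one entry in aws.s3.Bucket's `loggings` array.
interface BucketLogging {
    targetBucket?: string;
    targetPrefix?: string;
}

// Assumed stand-in for @pulumi/policy's PolicyResource: only the fields the
// check needs. In a real StackValidationPolicy these come from args.resources.
interface ResourceLike {
    type: string;
    name: string;
    props: { bucket?: string; loggings?: BucketLogging[] };
}

const BUCKET_TYPE = "aws:s3/bucket:Bucket";

function loggingsOf(r: ResourceLike): BucketLogging[] {
    return r.props.loggings || [];
}

// Names of buckets that have no logging target AND are not themselves the
// logging target of some other bucket in the same stack. This is the
// relaxation proposed in the issue, expressed as a stack-wide check.
function bucketsMissingLogging(resources: ResourceLike[]): string[] {
    const buckets = resources.filter(r => r.type === BUCKET_TYPE);

    // Every bucket name referenced as a logging target anywhere in the stack.
    const logTargets = new Set<string>();
    for (const b of buckets) {
        for (const l of loggingsOf(b)) {
            if (l.targetBucket) {
                logTargets.add(l.targetBucket);
            }
        }
    }

    const violations: string[] = [];
    for (const b of buckets) {
        const hasLogging = loggingsOf(b).some(l => !!l.targetBucket);
        const isLogTarget = b.props.bucket !== undefined && logTargets.has(b.props.bucket);
        if (!hasLogging && !isLogTarget) {
            violations.push(b.name);
        }
    }
    return violations;
}

// Names of buckets whose only logging target is themselves. Such a bucket
// passes the rule above, so a policy that wants the spirit of the rule
// (logs land somewhere other than the bucket being logged) can flag these.
function selfLoggingBuckets(resources: ResourceLike[]): string[] {
    return resources
        .filter(r => r.type === BUCKET_TYPE)
        .filter(b => {
            const targets = loggingsOf(b).map(l => l.targetBucket).filter(t => !!t);
            return targets.length > 0 && targets.every(t => t === b.props.bucket);
        })
        .map(b => b.name);
}

// Constructed sample stack mirroring the issue: a log bucket with no loggings,
// a data bucket that logs into it, a bucket with no logging at all, a bucket
// that logs into itself, and a non-bucket resource that must be ignored.
const sampleStack: ResourceLike[] = [
    { type: BUCKET_TYPE, name: "logBucket", props: { bucket: "logbucket-abc123" } },
    { type: BUCKET_TYPE, name: "b", props: {
        bucket: "b-def456",
        loggings: [{ targetBucket: "logbucket-abc123", targetPrefix: "log/" }],
    } },
    { type: BUCKET_TYPE, name: "orphan", props: { bucket: "orphan-789" } },
    { type: BUCKET_TYPE, name: "accessLogs", props: {
        bucket: "access-logs-example",
        loggings: [{ targetBucket: "access-logs-example" }],
    } },
    { type: "aws:s3/bucketObject:BucketObject", name: "obj", props: {} },
];

console.log(bucketsMissingLogging(sampleStack)); // prints ["orphan"]
console.log(selfLoggingBuckets(sampleStack));    // prints ["accessLogs"]
```

Wiring this into a pack would mean a StackValidationPolicy whose validateStack passes args.resources to bucketsMissingLogging and reports one violation per returned name; the self-logging check can be a second, lower-severity policy so the workaround is visible without breaking a deployment. Note that the comparison is on the resolved bucket name, which is only available at stack validation time, not in a per-resource policy.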

justinvp commented 4 years ago

I haven't looked in detail yet, but this may be blocked on https://github.com/pulumi/pulumi-policy/issues/153