terraform-aws-modules / terraform-aws-datadog-forwarders

Terraform module to create resources on AWS to forward logs/metrics to Datadog 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/datadog-forwarders/aws
Apache License 2.0

Tighten S3 bucket security #9

Closed IrmantasMarozas closed 2 years ago

IrmantasMarozas commented 2 years ago

tfsec reports the following issues:

bryantbiggs commented 2 years ago

hi @IrmantasMarozas - I don't think that's showing the log forwarder bucket (it looks to be named web_bucket) - you can see in the source code that all public blocks are enabled, HTTPS transport is enforced by default, and encryption is enabled by default (S3 AES256) https://github.com/clowdhaus/terraform-aws-datadog-forwarders/blob/main/modules/log_forwarder/main.tf#L33-L50

IrmantasMarozas commented 2 years ago

Hey @bryantbiggs, thanks, regarding control block - yes, after checking again it seems to be fine. web_bucket is just the name of the module where I call this module.

encryption is enabled by default (S3 AES256)

Using the AWS default encryption key is generally discouraged; best practice is to use customer-managed keys, so it would be great if the module allowed specifying a customer-managed key. Ref: https://tfsec.dev/docs/aws/s3/enable-bucket-encryption/
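For readers following the thread, here is an added example (not the module's own code, and not taken from the linked main.tf) of the three controls bryantbiggs points to, with the customer-managed key option IrmantasMarozas asks for layered on top: all four public-access blocks on, a bucket policy that denies non-TLS requests, and default encryption that stays SSE-S3 (AES256) unless a KMS key ARN is supplied. The variable names `bucket_name` and `kms_key_arn` and the resource label `forwarder` are assumptions made for this example.

```hcl
# Added example, not the terraform-aws-datadog-forwarders module's code.
# Variable and resource names below are assumptions for illustration.

variable "bucket_name" {
  type = string
}

# Leave null to keep the S3-managed default (SSE-S3, AES256).
# Set to a KMS key ARN to encrypt with a customer-managed key (SSE-KMS) instead.
variable "kms_key_arn" {
  type    = string
  default = null
}

resource "aws_s3_bucket" "forwarder" {
  bucket = var.bucket_name
}

# Control 1: all four public-access blocks enabled.
resource "aws_s3_bucket_public_access_block" "forwarder" {
  bucket                  = aws_s3_bucket.forwarder.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Control 2: default encryption. SSE-S3 unless a customer-managed key is given,
# in which case the key is selected and SSE-KMS is used.
resource "aws_s3_bucket_server_side_encryption_configuration" "forwarder" {
  bucket = aws_s3_bucket.forwarder.id

  rule {
    # S3 Bucket Keys reduce KMS request volume (and cost) for SSE-KMS.
    bucket_key_enabled = var.kms_key_arn != null

    apply_server_side_encryption_by_default {
      sse_algorithm     = var.kms_key_arn == null ? "AES256" : "aws:kms"
      kms_master_key_id = var.kms_key_arn # ignored (null) for AES256
    }
  }
}

# Control 3: enforce HTTPS by denying any request not made over TLS.
data "aws_iam_policy_document" "forwarder" {
  statement {
    sid     = "DenyInsecureTransport"
    effect  = "Deny"
    actions = ["s3:*"]
    resources = [
      aws_s3_bucket.forwarder.arn,
      "${aws_s3_bucket.forwarder.arn}/*",
    ]

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

resource "aws_s3_bucket_policy" "forwarder" {
  bucket = aws_s3_bucket.forwarder.id
  policy = data.aws_iam_policy_document.forwarder.json
}
```

One caveat when switching to a customer-managed key: every principal that writes to or reads from the bucket (the forwarder's Lambda execution role, S3 itself when it replicates or delivers logs) must be allowed `kms:GenerateDataKey` and `kms:Decrypt` on that key, both in its IAM policy and in the key policy, or puts and gets that worked under SSE-S3 will start failing with access denied.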

github-actions[bot] commented 1 year ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.