Merge branch 'master' into 2209-footer-cutting-off-export-users-page

cisagov · Sep 29, 2023 · 8f09d7d · 8f09d7d
2 parents 922d47a + f617390
commit 8f09d7d
Show file tree

Hide file tree

Showing 7 changed files with 230 additions and 45 deletions.
diff --git a/backend/serverless.yml b/backend/serverless.yml
@@ -57,6 +57,18 @@ provider:
             - s3:PutObject
             - s3:PutObjectAcl
           Resource: '*'
+        - Effect: Allow
+          Action:
+            - logs:Describe*
+            - logs:Get*
+            - logs:List*
+            - logs:StartQuery
+            - logs:StopQuery
+            - logs:TestMetricFilter
+            - logs:FilterLogEvents
+            - logs:StartLiveTail
+            - logs:StopLiveTail
+          Resource: '*'
 
 functions:
   - ${file(./src/tasks/functions.yml)}

diff --git a/infrastructure/cloudtrail.tf b/infrastructure/cloudtrail.tf
@@ -1,6 +1,6 @@
 
 resource "aws_cloudtrail" "all-events" {
-  name                       = "all-events"
+  name                       = var.cloudtrail_name
   s3_bucket_name             = var.cloudtrail_bucket_name
   kms_key_id                 = aws_kms_key.key.arn
   cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.cloudtrail.arn}:*"
@@ -138,21 +138,4 @@ resource "aws_iam_role_policy" "cloudtrail_cloudwatch_policy" {
       Resource = "arn:aws:logs:*"
     }]
   })
-}
-
-resource "aws_iam_role_policy" "cloudtrail_kms_policy" {
-  name_prefix = "crossfeed-cloudtrail-kms-${var.stage}"
-  role        = aws_iam_role.cloudtrail_role.id
-  policy = jsonencode({
-    Version = "2012-10-17",
-    Statement = [{
-      Action = [
-        "kms:GenerateDataKey*",
-        "kms:Decrypt*",
-        "kms:DescribeKey"
-      ],
-      Effect   = "Allow",
-      Resource = aws_kms_key.key.arn
-    }]
-  })
 }
diff --git a/infrastructure/cloudwatch.tf b/infrastructure/cloudwatch.tf
@@ -15,4 +15,36 @@ resource "aws_cloudwatch_log_group" "cloudwatch_bucket" {
     project = var.project
     stage   = var.stage
   }
+}
+
+resource "aws_s3_bucket_policy" "cloudwatch_bucket" {
+  bucket = aws_s3_bucket.cloudwatch_bucket.id
+  policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Sid" : "Allow Cloudwatch to check bucket permissions",
+        "Effect" : "Allow",
+        "Principal" : {
+          "Service" : "logs.amazonaws.com"
+        },
+        "Action" : "s3:GetBucketAcl",
+        "Resource" : "arn:aws:s3:::${var.cloudwatch_bucket_name}"
+      },
+      {
+        "Sid" : "Allow Cloudwatch to write to bucket",
+        "Effect" : "Allow",
+        "Principal" : {
+          "Service" : "logs.amazonaws.com"
+        },
+        "Action" : "s3:PutObject",
+        "Resource" : "arn:aws:s3:::${var.cloudwatch_bucket_name}/*",
+        "Condition" : {
+          "StringEquals" : {
+            "s3:x-amz-acl" : "bucket-owner-full-control"
+          }
+        }
+      }
+    ]
+  })
 }
diff --git a/infrastructure/kms.tf b/infrastructure/kms.tf
@@ -2,34 +2,184 @@ resource "aws_kms_key" "key" {
   description             = "KMS key"
   deletion_window_in_days = 10
   enable_key_rotation     = true
-  policy                  = <<EOF
-{
-    "Version": "2012-10-17",
-    "Id": "key-default-1",
-    "Statement": [
-        {
-            "Sid": "Enable IAM User Permissions",
-            "Effect": "Allow",
-            "Principal": {
-                "AWS": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
-            },
-            "Action": ["kms:BypassPolicyLockoutSafetyCheck","kms:CallerAccount","kms:CancelKeyDeletion","kms:ConnectCustomKeyStore","kms:CreateAlias","kms:CreateCustomKeyStore","kms:CreateGrant","kms:CreateKey","kms:DataKeyPairSpec","kms:Decrypt","kms:DeleteAlias","kms:DeleteCustomKeyStore","kms:DeleteImportedKeyMaterial","kms:DescribeCustomKeyStores","kms:DescribeKey","kms:DisableKey","kms:DisableKeyRotation","kms:DisconnectCustomKeyStore","kms:EnableKey","kms:EnableKeyRotation","kms:Encrypt","kms:EncryptionAlgorithm","kms:EncryptionContextKeys","kms:ExpirationModel","kms:GenerateDataKey","kms:GenerateDataKeyPair","kms:GenerateDataKeyPairWithoutPlaintext","kms:GenerateDataKeyWithoutPlaintext","kms:GenerateMac","kms:GenerateRandom","kms:GetKeyPolicy","kms:GetKeyRotationStatus","kms:GetParametersForImport","kms:GetPublicKey","kms:GrantConstraintType","kms:GrantIsForAWSResource","kms:GrantOperations","kms:GranteePrincipal","kms:ImportKeyMaterial","kms:KeyOrigin","kms:KeySpec","kms:KeyUsage","kms:ListAliases","kms:ListGrants","kms:ListKeyPolicies","kms:ListKeys","kms:ListResourceTags","kms:ListRetirableGrants","kms:MacAlgorithm","kms:MessageType","kms:MultiRegion","kms:MultiRegionKeyType","kms:PrimaryRegion","kms:PutKeyPolicy","kms:ReEncryptFrom","kms:ReEncryptOnSameKey","kms:ReEncryptTo","kms:ReplicaRegion","kms:ReplicateKey","kms:RequestAlias","kms:ResourceAliases","kms:RetireGrant","kms:RetiringPrincipal","kms:RevokeGrant","kms:ScheduleKeyDeletion","kms:Sign","kms:SigningAlgorithm","kms:TagResource","kms:UntagResource","kms:UpdateAlias","kms:UpdateCustomKeyStore","kms:UpdateKeyDescription","kms:UpdatePrimaryRegion","kms:ValidTo","kms:Verify","kms:VerifyMac","kms:ViaService","kms:WrappingAlgorithm","kms:WrappingKeySpec"],
-            "Resource": "*"
+  policy = jsonencode({
+    Version : "2012-10-17",
+
+    Id : "key-default-1",
+
+    Statement : [
+      {
+        Sid : "Enable IAM User Permissions",
+
+        Effect : "Allow",
+
+        Principal : {
+          AWS : "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
         },
-        {
-            "Effect": "Allow",
-            "Principal": {
-                "Service": "logs.${data.aws_region.current.name}.amazonaws.com"
-            },
-            "Action": ["kms:Decrypt","kms:DescribeCustomKeyStores","kms:DescribeKey","kms:Encrypt","kms:EncryptionAlgorithm","kms:EncryptionContextKeys","kms:GenerateDataKey","kms:GenerateDataKeyPair","kms:GenerateDataKeyPairWithoutPlaintext","kms:GenerateDataKeyWithoutPlaintext","kms:ReEncryptFrom","kms:ReEncryptOnSameKey","kms:ReEncryptTo"],
-            "Resource": "*",
-            "Condition": {
-                "ArnLike": {
-                    "kms:EncryptionContext:aws:logs:arn": "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:*"
-                }
-            }
-        } 
+
+        Action : [
+          "kms:BypassPolicyLockoutSafetyCheck",
+          "kms:CallerAccount",
+          "kms:CancelKeyDeletion",
+          "kms:ConnectCustomKeyStore",
+          "kms:CreateAlias",
+          "kms:CreateCustomKeyStore",
+          "kms:CreateGrant",
+          "kms:CreateKey",
+          "kms:DataKeyPairSpec",
+          "kms:Decrypt",
+          "kms:DeleteAlias",
+          "kms:DeleteCustomKeyStore",
+          "kms:DeleteImportedKeyMaterial",
+          "kms:DescribeCustomKeyStores",
+          "kms:DescribeKey",
+          "kms:DisableKey",
+          "kms:DisableKeyRotation",
+          "kms:DisconnectCustomKeyStore",
+          "kms:EnableKey",
+          "kms:EnableKeyRotation",
+          "kms:Encrypt",
+          "kms:EncryptionAlgorithm",
+          "kms:EncryptionContextKeys",
+          "kms:ExpirationModel",
+          "kms:GenerateDataKey",
+          "kms:GenerateDataKeyPair",
+          "kms:GenerateDataKeyPairWithoutPlaintext",
+          "kms:GenerateDataKeyWithoutPlaintext",
+          "kms:GenerateMac",
+          "kms:GenerateRandom",
+          "kms:GetKeyPolicy",
+          "kms:GetKeyRotationStatus",
+          "kms:GetParametersForImport",
+          "kms:GetPublicKey",
+          "kms:GrantConstraintType",
+          "kms:GrantIsForAWSResource",
+          "kms:GrantOperations",
+          "kms:GranteePrincipal",
+          "kms:ImportKeyMaterial",
+          "kms:KeyOrigin",
+          "kms:KeySpec",
+          "kms:KeyUsage",
+          "kms:ListAliases",
+          "kms:ListGrants",
+          "kms:ListKeyPolicies",
+          "kms:ListKeys",
+          "kms:ListResourceTags",
+          "kms:ListRetirableGrants",
+          "kms:MacAlgorithm",
+          "kms:MessageType",
+          "kms:MultiRegion",
+          "kms:MultiRegionKeyType",
+          "kms:PrimaryRegion",
+          "kms:PutKeyPolicy",
+          "kms:ReEncryptFrom",
+          "kms:ReEncryptOnSameKey",
+          "kms:ReEncryptTo",
+          "kms:ReplicaRegion",
+          "kms:ReplicateKey",
+          "kms:RequestAlias",
+          "kms:ResourceAliases",
+          "kms:RetireGrant",
+          "kms:RetiringPrincipal",
+          "kms:RevokeGrant",
+          "kms:ScheduleKeyDeletion",
+          "kms:Sign",
+          "kms:SigningAlgorithm",
+          "kms:TagResource",
+          "kms:UntagResource",
+          "kms:UpdateAlias",
+          "kms:UpdateCustomKeyStore",
+          "kms:UpdateKeyDescription",
+          "kms:UpdatePrimaryRegion",
+          "kms:ValidTo",
+          "kms:Verify",
+          "kms:VerifyMac",
+          "kms:ViaService",
+          "kms:WrappingAlgorithm",
+          "kms:WrappingKeySpec"
+        ],
+        Resource : "*"
+      },
+
+      {
+        Effect : "Allow",
+
+        Principal : {
+          Service : "logs.${data.aws_region.current.name}.amazonaws.com"
+        },
+
+        Action : [
+          "kms:Decrypt",
+          "kms:DescribeCustomKeyStores",
+          "kms:DescribeKey",
+          "kms:Encrypt",
+          "kms:EncryptionAlgorithm",
+          "kms:EncryptionContextKeys",
+          "kms:GenerateDataKey",
+          "kms:GenerateDataKeyPair",
+          "kms:GenerateDataKeyPairWithoutPlaintext",
+          "kms:GenerateDataKeyWithoutPlaintext",
+          "kms:ReEncryptFrom",
+          "kms:ReEncryptOnSameKey",
+          "kms:ReEncryptTo"
+        ],
+        Resource : "*",
+
+        Condition : {
+          ArnLike : {
+            "kms:EncryptionContext:aws:logs:arn" : "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:*"
+          }
+        }
+      },
+      {
+        Sid : "Allow CloudTrail to encrypt logs",
+        Effect : "Allow",
+        Principal : {
+          Service : "cloudtrail.amazonaws.com"
+        },
+        Action : "kms:GenerateDataKey*",
+        Resource : "*",
+        Condition : {
+          StringEquals : {
+            "aws:SourceArn" : "arn:aws:cloudtrail:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:trail/${var.cloudtrail_name}"
+          },
+          StringLike : {
+            "kms:EncryptionContext:aws:cloudtrail:arn" : "arn:aws:cloudtrail:*:${data.aws_caller_identity.current.account_id}:trail/*"
+          }
+        }
+      },
+      {
+        "Sid" : "Allow CloudTrail to decrypt a trail",
+        "Effect" : "Allow",
+        "Principal" : {
+          "Service" : "cloudtrail.amazonaws.com"
+        },
+        "Action" : "kms:Decrypt",
+        "Resource" : "*"
+      },
+      {
+        Sid : "Allow CloudTrail access",
+        Effect : "Allow",
+        Principal : {
+          Service : "cloudtrail.amazonaws.com"
+        },
+        Action : "kms:DescribeKey",
+        Resource : "arn:aws:kms:region:${data.aws_caller_identity.current.account_id}:key/*}",
+        Condition : {
+          StringEquals : {
+            "aws:SourceArn" : "arn:aws:cloudtrail:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:trail/${var.cloudtrail_name}"
+          }
+        }
+      }
     ]
+  })
+  tags = {
+    project = var.project
+    stage   = var.stage
+  }
 }
-  EOF
+
+resource "aws_kms_alias" "key" {
+  target_key_id = aws_kms_key.key.id
+  name          = "alias/${var.stage}-key"
 }
diff --git a/infrastructure/prod.tfvars b/infrastructure/prod.tfvars
@@ -42,6 +42,7 @@ worker_ecs_task_definition_family = "crossfeed-prod-worker"
 worker_ecs_log_group_name         = "crossfeed-prod-worker"
 worker_ecs_role_name              = "crossfeed-prod-worker"
 logging_bucket_name               = "cisa-crossfeed-prod-logging"
+cloudtrail_name                   = "crossfeed-prod-all-events"
 cloudtrail_bucket_name            = "cisa-crossfeed-prod-cloudtrail"
 cloudtrail_role_name              = "cisa-crossfeed-prod-cloudtrail"
 cloudtrail_log_group_name         = "cisa-crossfeed-prod-cloudtrail"

diff --git a/infrastructure/stage.tfvars b/infrastructure/stage.tfvars
@@ -42,6 +42,7 @@ worker_ecs_task_definition_family = "crossfeed-staging-worker"
 worker_ecs_log_group_name         = "crossfeed-staging-worker"
 worker_ecs_role_name              = "crossfeed-staging-worker"
 logging_bucket_name               = "cisa-crossfeed-staging-logging"
+cloudtrail_name                   = "crossfeed-staging-all-events"
 cloudtrail_bucket_name            = "cisa-crossfeed-staging-cloudtrail"
 cloudtrail_role_name              = "cisa-crossfeed-staging-cloudtrail"
 cloudtrail_log_group_name         = "cisa-crossfeed-staging-cloudtrail"

diff --git a/infrastructure/vars.tf b/infrastructure/vars.tf
@@ -262,6 +262,12 @@ variable "logging_bucket_name" {
   default     = "cisa-crossfeed-staging-logging"
 }
 
+variable "cloudtrail_name" {
+  description = "cloudtrail_name"
+  type        = string
+  default     = "crossfeed-staging-all-events"
+}
+
 variable "cloudtrail_bucket_name" {
   description = "cloudtrail_bucket_name"
   type        = string