2118 au 05 audit process migrate logs to s3 buckets (#2225)

* Remove ACL resource from cloudtrail bucket; remove sourceArn condtitions from cloudtrail bucket policy. * Remove depends_on statement from cloudtrail resource. * Remove unused variables from template_file.
cisagov · Sep 7, 2023 · 9570393 · 9570393
1 parent dab8e93
commit 9570393
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 16 deletions.
diff --git a/infrastructure/cloudtrail.tf b/infrastructure/cloudtrail.tf
@@ -25,7 +25,8 @@ resource "aws_cloudtrail" "all-events" {
 }
 
 resource "aws_s3_bucket" "cloudtrail_bucket" {
-  bucket = var.cloudtrail_bucket_name
+  bucket        = var.cloudtrail_bucket_name
+  force_destroy = true
   tags = {
     Project = var.project
     Stage   = var.stage
@@ -42,11 +43,6 @@ resource "aws_cloudwatch_log_group" "cloudtrail" {
   }
 }
 
-resource "aws_s3_bucket_acl" "cloudtrail_bucket" {
-  bucket = aws_s3_bucket.cloudtrail_bucket.id
-  acl    = "private"
-}
-
 resource "aws_s3_bucket_server_side_encryption_configuration" "cloudtrail_bucket" {
   bucket = aws_s3_bucket.cloudtrail_bucket.id
   rule {
@@ -87,8 +83,6 @@ data "template_file" "cloudtrail_bucket_policy" {
   template = file("cloudtrail_bucket_policy.tpl")
   vars = {
     bucketName = var.cloudtrail_bucket_name
-    region     = var.aws_region
-    trailName  = aws_cloudtrail.all-events.name
     accountId  = data.aws_caller_identity.current.account_id
   }
 }
diff --git a/infrastructure/cloudtrail_bucket_policy.tpl b/infrastructure/cloudtrail_bucket_policy.tpl
@@ -8,12 +8,7 @@
         "Service": "cloudtrail.amazonaws.com"
       },
       "Action": ["s3:GetBucketAcl"],
-      "Resource": ["arn:aws:s3:::${bucketName}"],
-      "Condition": {
-        "StringEquals": {
-          "aws:SourceArn": "arn:aws:cloudtrail:${region}:${accountId}:trail/${trailName}"
-        }
-      }
+      "Resource": ["arn:aws:s3:::${bucketName}"]
     },
     {
       "Sid": "AWSCloudTrailWrite20150319",
@@ -25,8 +20,7 @@
       "Resource": ["arn:aws:s3:::${bucketName}/AWSLogs/${accountId}/*"],
       "Condition": {
         "StringEquals": {
-          "s3:x-amz-acl": "bucket-owner-full-control",
-          "aws:SourceArn": "arn:aws:cloudtrail:${region}:${accountId}:trail/${trailName}"
+          "s3:x-amz-acl": "bucket-owner-full-control"
         }
       }
     }