Add policy to require SSL for CloudWatch and CloudTrail buckets; add …

…permission for CloudWatch to write logs to the root directory of it's S3 bucket; use more descriptive Sids for CloudTrail policies.
cisagov · Sep 30, 2023 · c614a35 · c614a35
1 parent f617390
commit c614a35
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 4 deletions.
diff --git a/infrastructure/cloudtrail_bucket_policy.tpl b/infrastructure/cloudtrail_bucket_policy.tpl
@@ -2,7 +2,7 @@
   "Version": "2012-10-17",
   "Statement": [
     {
-      "Sid": "AWSCloudTrailAclCheck20150319",
+      "Sid": "Get CloudTrail Bucket ACL",
       "Effect": "Allow",
       "Principal": {
         "Service": "cloudtrail.amazonaws.com"
@@ -11,18 +11,34 @@
       "Resource": ["arn:aws:s3:::${bucketName}"]
     },
     {
-      "Sid": "AWSCloudTrailWrite20150319",
+      "Sid": "Grant CloudTrail Permission to Write Logs",
       "Effect": "Allow",
       "Principal": {
         "Service": "cloudtrail.amazonaws.com"
       },
       "Action": ["s3:PutObject"],
-      "Resource": ["arn:aws:s3:::${bucketName}/AWSLogs/${accountId}/*"],
+      "Resource": [
+        "arn:aws:s3:::${bucketName}/AWSLogs/${accountId}",
+        "arn:aws:s3:::${bucketName}/AWSLogs/${accountId}/*"
+      ],
       "Condition": {
         "StringEquals": {
           "s3:x-amz-acl": "bucket-owner-full-control"
         }
       }
+    },
+    {
+      "Sid": "Require SSL for Requests",
+      "Effect": "Deny",
+      "Resource": [
+        "arn:aws:s3:::${bucketName}",
+        "arn:aws:s3:::${bucketName}/*"
+      ],
+      "Condition": {
+        "Bool": {
+          "aws:SecureTransport": "false"
+        }
+      }
     }
   ]
 }
diff --git a/infrastructure/cloudwatch.tf b/infrastructure/cloudwatch.tf
@@ -38,12 +38,28 @@ resource "aws_s3_bucket_policy" "cloudwatch_bucket" {
           "Service" : "logs.amazonaws.com"
         },
         "Action" : "s3:PutObject",
-        "Resource" : "arn:aws:s3:::${var.cloudwatch_bucket_name}/*",
+        "Resource" : [
+          "arn:aws:s3:::${var.cloudwatch_bucket_name}",
+          "arn:aws:s3:::${var.cloudwatch_bucket_name}/*"
+        ],
         "Condition" : {
           "StringEquals" : {
             "s3:x-amz-acl" : "bucket-owner-full-control"
           }
         }
+      },
+      {
+        "Sid" : "Require SSL for requests",
+        "Effect" : "Deny",
+        "Resource" : [
+          "arn:aws:s3:::${var.cloudwatch_bucket_name}",
+          "arn:aws:s3:::${var.cloudwatch_bucket_name}/*"
+        ],
+        "Condition" : {
+          "Bool" : {
+            "aws:SecureTransport" : "false"
+          }
+        },
       }
     ]
   })