2118 au 05 audit process migrate logs to s3 buckets (#2213)

* Testing alternate bucket config.
cisagov · Sep 1, 2023 · ca8182e · ca8182e
1 parent 1898f34
commit ca8182e
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 29 deletions.
diff --git a/infrastructure/cloudtrail.tf b/infrastructure/cloudtrail.tf
@@ -42,25 +42,9 @@ resource "aws_cloudwatch_log_group" "cloudtrail" {
   }
 }
 
-resource "aws_s3_bucket_ownership_controls" "cloudtrail_bucket" {
-  bucket = aws_s3_bucket.cloudtrail_bucket.id
-  rule {
-    object_ownership = "ObjectWriter"
-  }
-}
-
 resource "aws_s3_bucket_acl" "cloudtrail_bucket" {
-  depends_on = [aws_s3_bucket_ownership_controls.cloudtrail_bucket]
-  bucket     = aws_s3_bucket.cloudtrail_bucket.id
-  acl        = "private"
-}
-
-resource "aws_s3_bucket_public_access_block" "cloudtrail_bucket" {
-  bucket                  = aws_s3_bucket.cloudtrail_bucket.id
-  block_public_acls       = false
-  block_public_policy     = false
-  ignore_public_acls      = false
-  restrict_public_buckets = false
+  bucket = aws_s3_bucket.cloudtrail_bucket.id
+  acl    = "private"
 }
 
 resource "aws_s3_bucket_server_side_encryption_configuration" "cloudtrail_bucket" {
@@ -103,6 +87,8 @@ data "template_file" "cloudtrail_bucket_policy" {
   template = file("cloudtrail_bucket_policy.tpl")
   vars = {
     bucketName = var.cloudtrail_bucket_name
+    region     = var.aws_region
+    trailName  = aws_cloudtrail.all-events.name
     accountId  = data.aws_caller_identity.current.account_id
   }
 }
diff --git a/infrastructure/cloudtrail_bucket_policy.tpl b/infrastructure/cloudtrail_bucket_policy.tpl
@@ -7,20 +7,26 @@
       "Principal": {
         "Service": "cloudtrail.amazonaws.com"
       },
-      "Action": "s3:GetBucketAcl",
-      "Resource": "arn:aws:s3:::${bucketName}"
+      "Action": ["s3:GetBucketAcl"],
+      "Resource": ["arn:aws:s3:::${bucketName}"],
+      "Condition": {
+        "StringEquals": {
+          "aws:SourceArn": "arn:aws:cloudtrail:${region}:${accountId}:trail/${trailName}"
+        }
+      }
     },
     {
       "Sid": "AWSCloudTrailWrite20150319",
       "Effect": "Allow",
       "Principal": {
         "Service": "cloudtrail.amazonaws.com"
       },
-      "Action": "s3:PutObject",
-      "Resource": "arn:aws:s3:::${bucketName}/AWSLogs/${accountId}/*",
+      "Action": ["s3:PutObject"],
+      "Resource": ["arn:aws:s3:::${bucketName}/AWSLogs/${accountId}/*"],
       "Condition": {
         "StringEquals": {
-          "s3:x-amz-acl": "bucket-owner-full-control"
+          "s3:x-amz-acl": "bucket-owner-full-control",
+          "aws:SourceArn": "arn:aws:cloudtrail:${region}:${accountId}:trail/${trailName}"
         }
       }
     }

diff --git a/infrastructure/stage.tfvars b/infrastructure/stage.tfvars
@@ -42,9 +42,9 @@ worker_ecs_task_definition_family = "crossfeed-staging-worker"
 worker_ecs_log_group_name         = "crossfeed-staging-worker"
 worker_ecs_role_name              = "crossfeed-staging-worker"
 logging_bucket_name               = "cisa-crossfeed-staging-logging"
-cloudtrail_bucket_name            = "cisa-crossfeed-staging-cloudtrail"
-cloudtrail_role_name              = "cisa-crossfeed-staging-cloudtrail"
-cloudtrail_log_group_name         = "cisa-crossfeed-staging-cloudtrail"
+cloudtrail_bucket_name            = "cisa-crossfeed-staging-cloudtrails"
+cloudtrail_role_name              = "cisa-crossfeed-staging-cloudtrails"
+cloudtrail_log_group_name         = "cisa-crossfeed-staging-cloudtrails"
 export_bucket_name                = "cisa-crossfeed-staging-exports"
 reports_bucket_name               = "cisa-crossfeed-staging-reports"
 pe_db_backups_bucket_name         = "cisa-crossfeed-staging-pe-db-backups"

diff --git a/infrastructure/vars.tf b/infrastructure/vars.tf
@@ -265,19 +265,19 @@ variable "logging_bucket_name" {
 variable "cloudtrail_bucket_name" {
   description = "cloudtrail_bucket_name"
   type        = string
-  default     = "cisa-crossfeed-staging-cloudtrail"
+  default     = "cisa-crossfeed-staging-cloudtrails"
 }
 
 variable "cloudtrail_role_name" {
   description = "cloudtrail_role_name"
   type        = string
-  default     = "crossfeed-staging-cloudtrail-role"
+  default     = "crossfeed-staging-cloudtrails-role"
 }
 
 variable "cloudtrail_log_group_name" {
   description = "cloudtrail_log_group_name"
   type        = string
-  default     = "crossfeed-staging-cloudtrail-logs"
+  default     = "crossfeed-staging-cloudtrails-logs"
 }
 
 variable "export_bucket_name" {