# Central access-log bucket: CloudFront, ALB, VPC flow logs and the S3 Log
# Delivery group all write here. Access logging is intentionally not turned on
# for this bucket itself (it *is* the log bucket), hence the tfsec suppression.
# tfsec:ignore:AWS002
resource "aws_s3_bucket" "logs" {
  bucket = "${local.name}.logs"

  # NOTE(review): force_destroy lets `terraform destroy` remove the bucket
  # together with every retained log object — confirm that is acceptable for
  # the environments this module is applied to.
  force_destroy = true

  # Keep prior versions so an overwritten or deleted log object stays recoverable.
  versioning {
    enabled = true
  }

  # SSE-S3 at rest for every object delivered here.
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }

  # The bucket owner keeps full control of the ACL.
  grant {
    type        = "CanonicalUser"
    id          = data.aws_canonical_user_id.current.id
    permissions = ["FULL_CONTROL"]
  }

  # CloudFront standard logging writes through its log-delivery canonical user;
  # the ID below is the one published in the linked documentation.
  # https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html#AccessLogsBucketAndFileOwnership
  grant {
    type        = "CanonicalUser"
    id          = "c4c1ede66af53448b93c283ce9448c4ba468c9432aa01d700d3878632f77d2d0"
    permissions = ["FULL_CONTROL"]
  }

  # S3 Log Delivery group: WRITE to put objects, READ_ACP to read the bucket ACL.
  grant {
    type        = "Group"
    uri         = "http://acs.amazonaws.com/groups/s3/LogDelivery"
    permissions = ["READ_ACP", "WRITE"]
  }
}
# Attach the rendered policy document to the log bucket.
resource "aws_s3_bucket_policy" "logs" {
  policy = data.aws_iam_policy_document.logs.json
  bucket = aws_s3_bucket.logs.id
}
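# Bucket policy for the log bucket. Each statement follows the bucket-policy
# snippet in the AWS documentation linked above it; the final statement is the
# TLS-only deny recommended by Security Hub control S3.5.
data "aws_iam_policy_document" "logs" {
  # VPC flow logs
  # see: https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-s3.html#flow-logs-s3-permissions
  #
  # delivery.logs.amazonaws.com is a service principal shared by every AWS
  # account, so on its own it would let a flow log configured in *any* account
  # write into this bucket. The aws:SourceAccount condition (recommended in the
  # linked doc) pins delivery to requests originating from this account, matching
  # the AWSLogs/<account_id>/ prefix the resources already enforce.
  statement {
    sid = "AWSLogDeliveryWrite"
    principals {
      type        = "Service"
      identifiers = ["delivery.logs.amazonaws.com"]
    }
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.logs.arn}/AWSLogs/${local.account_id}/*"]
    # Delivered objects must be owned by the bucket owner.
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
    # Confused-deputy guard: only deliveries requested from this account.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [local.account_id]
    }
  }

  # The delivery service checks the bucket ACL before writing; scope that to
  # this account as well.
  statement {
    sid = "AWSLogDeliveryAclCheck"
    principals {
      type        = "Service"
      identifiers = ["delivery.logs.amazonaws.com"]
    }
    actions   = ["s3:GetBucketAcl"]
    resources = [aws_s3_bucket.logs.arn]
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [local.account_id]
    }
  }

  # ALB access logs
  # see: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html#access-logging-bucket-permissions
  #
  # NOTE(review): this grants the regional ELB service account; the linked doc
  # describes a different (service-principal) policy for newer regions — confirm
  # which form applies to the region this is deployed in.
  statement {
    sid = "ALBLogPut"
    principals {
      type        = "AWS"
      identifiers = [data.aws_elb_service_account.main.arn]
    }
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.logs.arn}/AWSLogs/${local.account_id}/*"]
  }

  # Reject any request that does not arrive over TLS.
  # see: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-s3-5
  statement {
    sid    = "AllowSSLRequestsOnly"
    effect = "Deny"
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    actions = ["s3:*"]
    resources = [
      aws_s3_bucket.logs.arn,
      "${aws_s3_bucket.logs.arn}/*",
    ]
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}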