Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add s3 bucket #633

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

add s3 bucket #633

Changes from 1 commit
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
5c7db36
add s3 bucket
tsmithv11 Jul 6, 2022
c4435fa
Update terraform/aws/s3v2.tf
tsmithv11 Jul 6, 2022
ca65d5d
Bridgecrew bot fix for terraform/aws/s3v2.tf
bridgecrew[bot] Sep 20, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions terraform/aws/s3v2.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
resource "aws_s3_bucket" "cargo_bay" {
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LOW   Ensure S3 Bucket has public access blocks
    Resource: aws_s3_bucket.cargo_bay | ID: BC_AWS_NETWORKING_52

How to Fix

resource "aws_s3_bucket" "bucket_good_1" {
  bucket = "bucket_good"
}

resource "aws_s3_bucket_public_access_block" "access_good_1" {
  bucket = aws_s3_bucket.bucket_good_1.id

  block_public_acls   = true
  block_public_policy = true
}

Description

When you create an S3 bucket, it is good practice to set the additional resource **aws_s3_bucket_public_access_block** to ensure the bucket is never accidentally public.

We recommend you ensure S3 bucket has public access blocks. If the public access block is not attached it defaults to False.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CRITICAL   Check that all resources are tagged with the key - env
    Resource: aws_s3_bucket.cargo_bay | ID: acme_AWS_1614172162021

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CRITICAL   Ensure retention period for supported resources is higher than 0
    Resource: aws_s3_bucket.cargo_bay | ID: acme_aws_1647782267175

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

HIGH   PCI check tag exists
    Resource: aws_s3_bucket.cargo_bay | ID: acme_aws_1629787200891

bucket = "cargo-bay-bridgecrew-class-7321"
tags = {
Name = "cargo-bay-bridgecrew-class-7321"
}
}
tsmithv11 marked this conversation as resolved.
Show resolved Hide resolved
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
}
}
resource "aws_s3_bucket_versioning" "cargo_bay" {
bucket = aws_s3_bucket.cargo_bay.id
versioning_configuration {
status = "Enabled"
}
}
resource "aws_s3_bucket" "destination" {
bucket = aws_s3_bucket.cargo_bay.id
versioning_configuration {
status = "Enabled"
}
}
resource "aws_iam_role" "replication" {
name = "aws-iam-role"
assume_role_policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "s3.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
POLICY
}
resource "aws_s3_bucket_replication_configuration" "cargo_bay" {
depends_on = [aws_s3_bucket_versioning.cargo_bay]
role = aws_iam_role.cargo_bay.arn
bucket = aws_s3_bucket.cargo_bay.id
rule {
id = "foobar"
status = "Enabled"
destination {
bucket = aws_s3_bucket.destination.arn
storage_class = "STANDARD"
}
}
}
LOW   Ensure S3 bucket has cross-region replication enabled
    Resource: aws_s3_bucket.cargo_bay | ID: BC_AWS_GENERAL_72

Description

Cross-region replication enables automatic, asynchronous copying of objects across S3 buckets. By default, replication supports copying new S3 objects after it is enabled. It is also possible to use replication to copy existing objects and clone them to a different bucket, but in order to do so, you must contact AWS Support.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
}
}
resource "aws_s3_bucket_server_side_encryption_configuration" "cargo_bay" {
bucket = aws_s3_bucket.cargo_bay.bucket
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "aws:kms"
}
}
}
LOW   Ensure S3 buckets are encrypted with KMS by default
    Resource: aws_s3_bucket.cargo_bay | ID: BC_AWS_GENERAL_56

Description

TBA

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
}
}
resource "aws_s3_bucket_server_side_encryption_configuration" "cargo_bay" {
bucket = aws_s3_bucket.cargo_bay.bucket
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "AES256"
}
}
}
HIGH   Ensure data stored in the S3 bucket is securely encrypted at rest
    Resource: aws_s3_bucket.cargo_bay | ID: BC_AWS_S3_14

Description

SSE helps prevent unauthorized access to S3 buckets. Encrypting and decrypting data at the S3 bucket level is transparent to users when accessing data.

Benchmarks

  • PCI-DSS V3.2 3
  • NIST-800-53 AC-17, SC-2
  • PCI-DSS V3.2.1 3.4
  • FEDRAMP (MODERATE) SC-28
  • CIS AWS V1.3 2.1.1

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
}
}
resource "aws_s3_bucket" "cargo_bay_log_bucket" {
bucket = "cargo_bay-log-bucket"
}
resource "aws_s3_bucket_logging" "cargo_bay" {
bucket = aws_s3_bucket.cargo_bay.id
target_bucket = aws_s3_bucket.cargo_bay_log_bucket.id
target_prefix = "log/"
}
LOW   Ensure AWS access logging is enabled on S3 buckets
    Resource: aws_s3_bucket.cargo_bay | ID: BC_AWS_S3_13

Description

Access logging provides detailed audit logging for all objects and folders in an S3 bucket.

Benchmarks

  • HIPAA 164.312(B) Audit controls