|
@@ -48,10 +48,9 @@ resource "aws_kinesis_firehose_delivery_stream" "kinesis_firehose" {
|
|
|
}
|
|
|
|
|
|
#S3 Bucket for Kinesis Firehose s3_backup_mode
|
|
|
-#tfsec:ignore:aws-s3-enable-bucket-logging tfsec:ignore:aws-s3-enable-versioning tfsec:ignore:aws-s3-block-public-acls
|
|
|
-#tfsec:ignore:aws-s3-block-public-policy tfsec:ignore:aws-s3-ignore-public-acls tfsec:ignore:aws-s3-no-public-buckets
|
|
|
#Certificate CRLs need to be publicly accessible
|
|
|
-resource "aws_s3_bucket" "kinesis_firehose_s3_bucket" {
|
|
|
+#tfsec:ignore:aws-s3-enable-versioning tfsec:ignore:aws-s3-no-public-buckets tfsec:ignore:aws-s3-enable-bucket-logging tfsec:ignore:aws-s3-block-public-acls
|
|
|
+resource "aws_s3_bucket" "kinesis_firehose_s3_bucket" { #tfsec:ignore:aws-s3-block-public-policy tfsec:ignore:aws-s3-ignore-public-acls tfsec:ignore:aws-s3-specify-public-access-block
|
|
|
bucket = var.s3_bucket_name
|
|
|
|
|
|
tags = var.tags
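Review bot: The rewritten ignore list on L33 and L37 adds `aws-s3-specify-public-access-block`, which the removed comments on L17/L21 did not suppress, while the only justification kept (`#Certificate CRLs need to be publicly accessible`) describes a CRL bucket rather than the Firehose `s3_backup_mode` bucket this resource declares. If this bucket only receives Firehose backup records, the three public-access ignores look carried over from another module and the bucket should get an `aws_s3_bucket_public_access_block` instead of a suppression; if it really does serve CRLs, the comment should say which objects are public and why the access block is skipped. Splitting the suppressions between a standalone comment line and a trailing comment on the `resource` line also makes the list hard to audit, so keep them on one line above the resource. The resource body continues past the hunk.

```hcl
resource "aws_s3_bucket_public_access_block" "kinesis_firehose_s3_bucket" {
  bucket = aws_s3_bucket.kinesis_firehose_s3_bucket.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```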
|
|
@@ -231,7 +230,7 @@ data "aws_iam_policy_document" "lambda_policy_doc" {
|
|
|
"kms:Decrypt"
|
|
|
]
|
|
|
|
|
|
- resources = [
|
|
|
+ resources = [ #tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
|
|
|
"*",
|
|
|
]
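Review bot: The trailing comment added on L70 suppresses `aws-iam-no-policy-wildcards` for `resources = ["*"]` with no owner or date, so the "lockdown after baselining" intent has nothing to enforce it; the same pattern is repeated at L103 (`kinesis_firehose_policy_document`) and L136 (`cloudwatch_to_fh_access_policy`). tfsec ignore comments accept an expiry (`#tfsec:ignore:aws-iam-no-policy-wildcards:exp:<YYYY-MM-DD placeholder>`), after which the finding resurfaces instead of staying silently ignored. For the `kms:Decrypt` action visible in each statement the resource can usually be scoped to the specific key ARN (e.g. `aws_kms_key.<name>.arn`) rather than `*`; the rest of each action list begins outside the hunk, so I cannot tell whether another action genuinely needs a wildcard. Each `data` block starts outside its hunk.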
|
|
|
|
|
@@ -348,7 +347,7 @@ data "aws_iam_policy_document" "kinesis_firehose_policy_document" {
|
|
|
"kms:Decrypt"
|
|
|
]
|
|
|
|
|
|
- resources = [
|
|
|
+ resources = [ #tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
|
|
|
"*",
|
|
|
]
|
|
|
|
|
@@ -421,7 +420,7 @@ data "aws_iam_policy_document" "cloudwatch_to_fh_access_policy" {
|
|
|
"kms:Decrypt"
|
|
|
]
|
|
|
|
|
|
- resources = [
|
|
|
+ resources = [ #tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
|
|
|
"*",
|
|
|
]
|
|
|
|