Merge pull request #55 from mdr-engineering/feature/ftd_MSOCI-1314_log_the_logging

Enabled Logging on S3 Logging Bucket

thirdparty/terraform-aws-s3logging-bucket/main.tf

@@ -14,8 +14,6 @@ locals {
   region = data.aws_region.current.name
 }
 
-# Ignore logging requirement - access logging for a logging bucket is a little meta
-#tfsec:ignore:AWS002
 resource "aws_s3_bucket" "this" {
   bucket = local.bucket_name
   acl    = "log-delivery-write"
@@ -56,6 +54,18 @@ resource "aws_s3_bucket" "this" {
   lifecycle {
     ignore_changes = [versioning[0].mfa_delete]
   }
+
+  # Conformance Pack for CIS requires access logs on all S3 buckets and is a best
+  # practice.
+  #
+  # Logging to the bucket itself is allowed, but if we ingest into splunk, make 
+  # sure we don't set up a feedback loop (splunk accesses s3 bucket to get a log
+  # which creates a log which leads to splunk accessing the s3 bucket)
+  logging {
+    target_bucket = local.bucket_name
+    target_prefix = "{data.aws_caller_identity.current.account_id}-${data.aws_region.current.name}-${local.bucket_name}"
+  }
+
 }
 
 resource "aws_s3_bucket_public_access_block" "this" {