Jeremy Cooper [AFS MBP]
780e3d9967
Updates tfsec/chekov ignores | S3 Enable Logging/Versioning
|
3 lat temu | |
|---|---|---|
| .. | ||
| README.md | 3 lat temu | |
| constants.tf | 3 lat temu | |
| globals.tf | 3 lat temu | |
| iam.tf | 3 lat temu | |
| kms.tf | 3 lat temu | |
| locals.tf | 3 lat temu | |
| outputs.tf | 3 lat temu | |
| s3.tf | 3 lat temu | |
| vars.tf | 3 lat temu | |
README.md
Creates an S3 bucket, KMS key, and a role that can be assumed to access them
Full Bucket and Role Names
The bucket and roles will be prefixed with "xdr-{environment}-". If the splunk_prefix is required, it will need to be passed in as part of the name.
Important Note about Lifecycles
Versioning is enabled in the bucket. The current version and the previous version are always kept. Older versions are expired after 90 days.
All items transition to a intelligent tiering after 30 days.
Testing
For testing, the instance must assume-role first. To do this from the command-line:
aws --region us-gov-east-1 sts assume-role --role-session-name ftd_testing --role-arn [ARN]
# Output will contain AccessKeyId and SecretAcessKeyID
AWS_ACCESS_KEY_ID=[REPLACE] AWS_SECRET_ACCESS_KEY=[REPLACE] AWS_SESSION_TOKEN=[replace] aws --region us-gov-east-1 s3 ls
NOTE: You cannot generate the correct presigned url with older versions of the AWS CLI, such as the one presently (2022-04-19) installed on the portal boxes. You will get the error:
<Error>
<Code>InvalidRequest</Code>
<Message>The authorization mechanism you have provided is not supported. Please use AWS4-HMAC-SHA256.</Message>
<RequestId>VJF9V2CAQR1XZER6</RequestId>
<HostId>bJ/waruDGO4FC2VQoTRRtwGnehzOScUpu8JbXnCQ7L8vVULm9RGLF8EqAXjSAViM+HdXXDI4rqM=</HostId>
</Error>
Newer boto3 requests will use signature version 4, which works correctly.