| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157 |
- # The centralized bucket for AWS config
- module "xdr_config_logging_bucket" {
- source = "../../thirdparty/terraform-aws-s3logging-bucket"
- bucket_name = "xdr-config-${var.environment}-access-logs"
- lifecycle_rules = list(
- {
- id = "expire-old-logs"
- enabled = true
- prefix = ""
- expiration = 30
- noncurrent_version_expiration = 30
- abort_incomplete_multipart_upload_days = 7
- })
- tags = merge(var.standard_tags, var.tags)
- versioning_enabled = true
- }
- resource "aws_s3_bucket" "xdr_config_bucket" {
- bucket = "xdr-config-${var.environment}"
- acl = "private"
- tags = merge(var.standard_tags, var.tags)
- versioning {
- enabled = true
- }
- logging {
- target_bucket = module.xdr_config_logging_bucket.s3_bucket_name
- target_prefix = "${var.aws_account_id}-${var.aws_region}-awsconfig/"
- }
- server_side_encryption_configuration {
- rule {
- apply_server_side_encryption_by_default {
- sse_algorithm = "aws:kms"
- kms_master_key_id = aws_kms_key.config_encryption.arn
- }
- }
- }
- }
- resource "aws_s3_bucket_public_access_block" "awsconfig_bucket_block_public_access" {
- block_public_acls = true
- block_public_policy = true
- bucket = aws_s3_bucket.xdr_config_bucket.id
- ignore_public_acls = true
- restrict_public_buckets = true
- }
- data "aws_iam_policy_document" "awsconfig_bucket_policy" {
- statement {
- sid = "AWSConfigBucketPermissionsCheck"
- effect = "Allow"
- principals {
- type = "Service"
- identifiers = [ "config.amazonaws.com" ]
- }
- actions = [ "s3:GetBucketAcl" ]
- resources = [ aws_s3_bucket.xdr_config_bucket.arn ]
- }
- statement {
- sid = "AWSConfigBucketExistenceCheck"
- effect = "Allow"
- principals {
- type = "Service"
- identifiers = [ "config.amazonaws.com" ]
- }
- actions = [ "s3:ListBucket" ]
- resources = [ aws_s3_bucket.xdr_config_bucket.arn ]
- }
- statement {
- sid = "AWSConfigBucketDelivery"
- effect = "Allow"
- principals {
- type = "Service"
- identifiers = [ "config.amazonaws.com" ]
- }
- actions = [ "s3:PutObject" ]
- resources = [ "${aws_s3_bucket.xdr_config_bucket.arn}/AWSLogs/*" ]
- condition {
- test = "StringEquals"
- variable = "s3:x-amz-acl"
- values = [ "bucket-owner-full-control" ]
- }
- }
- }
- resource "aws_s3_bucket_policy" "awsconfig_bucket_policy" {
- bucket = aws_s3_bucket.xdr_config_bucket.id
- policy = data.aws_iam_policy_document.awsconfig_bucket_policy.json
- }
- resource "aws_kms_key" "config_encryption" {
- description = "This key is used to encrypt AWS config"
- deletion_window_in_days = 30
- policy = data.aws_iam_policy_document.config_encryption_key_policy.json
- enable_key_rotation = true
- tags = merge(var.standard_tags, var.tags)
- }
- resource "aws_kms_alias" "config_encryption" {
- name = "alias/aws_config"
- target_key_id = aws_kms_key.config_encryption.key_id
- }
- data "aws_iam_policy_document" "config_encryption_key_policy" {
- statement {
- actions = ["kms:*"]
- effect = "Allow"
- resources = ["*"]
- principals {
- type = "AWS"
- identifiers = ["arn:${var.aws_partition}:iam::${var.aws_account_id}:root"]
- }
- }
- statement {
- actions = ["kms:GenerateDataKey*"]
- effect = "Allow"
- resources = ["*"]
- principals {
- type = "Service"
- identifiers = ["config.amazonaws.com"]
- }
- }
- statement {
- actions = [
- "kms:Encrypt*",
- "kms:Decrypt*",
- "kms:ReEncrypt*",
- "kms:GenerateDataKey*",
- "kms:Describe*",
- ]
- effect = "Allow"
- resources = ["*"]
- principals {
- type = "Service"
- identifiers = ["config.amazonaws.com"]
- }
- }
- statement {
- actions = ["kms:Describe*"]
- effect = "Allow"
- resources = ["*"]
- principals {
- type = "Service"
- identifiers = ["config.amazonaws.com"]
- }
- }
- }
|
