
feat: s3_key_prefix attribute for cloudtrail #26

Merged: 1 commit into master from feat/s3_key_prefix on Nov 9, 2023


@h1manshu98 (Member) commented Nov 9, 2023

s3_key_prefix attribute.
S3 key prefix that follows the name of the bucket you have designated for log file delivery.

@h1manshu98 h1manshu98 requested a review from a team November 9, 2023 15:25
@h1manshu98 h1manshu98 self-assigned this Nov 9, 2023
@h1manshu98 h1manshu98 added the enhancement New feature or request label Nov 9, 2023
@clouddrove-ci (Member) commented:

Terraform Security Scan Failed

Result #1 HIGH Trail is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:36
────────────────────────────────────────────────────────────────────────────────
   24    resource "aws_cloudtrail" "default" {
   ..  
   36  [   kms_key_id                    = join("", aws_kms_key.cloudtrail[*].arn) # aws_kms_key.cloudtrail[0].arn != null ? aws_kms_key.cloudtrail[0].arn : null ("")
   ..  
   70    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudtrail-enable-at-rest-encryption
      Impact Data can be freely read if compromised
  Resolution Enable encryption at rest

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudtrail/enable-at-rest-encryption/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #2 MEDIUM Trail is not enabled across all regions. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:32
────────────────────────────────────────────────────────────────────────────────
   24    resource "aws_cloudtrail" "default" {
   ..  
   32  [   is_multi_region_trail         = var.is_multi_region_trail (false)
   ..  
   70    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudtrail-enable-all-regions
      Impact Activity could be happening in your account in a different region
  Resolution Enable Cloudtrail in all regions

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudtrail/enable-all-regions/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#is_multi_region_trail
────────────────────────────────────────────────────────────────────────────────


Result #3 LOW Trail does not have CloudWatch logging configured 
────────────────────────────────────────────────────────────────────────────────
  main.tf:24-70
────────────────────────────────────────────────────────────────────────────────
   24  ┌ resource "aws_cloudtrail" "default" {
   25  │   count = var.enabled_cloudtrail == true ? 1 : 0
   26  │ 
   27  │   name                          = module.labels.id
   28  │   enable_logging                = var.enable_logging
   29  │   s3_bucket_name                = var.s3_bucket_name
   30  │   s3_key_prefix                 = var.s3_key_prefix
   31  │   enable_log_file_validation    = var.enable_log_file_validation
   32  └   is_multi_region_trail         = var.is_multi_region_trail
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudtrail-ensure-cloudwatch-integration
      Impact Realtime log analysis is not available without enabling CloudWatch logging
  Resolution Enable logging to CloudWatch

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudtrail/ensure-cloudwatch-integration/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail
────────────────────────────────────────────────────────────────────────────────


Result #4 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:98
────────────────────────────────────────────────────────────────────────────────
   94    resource "aws_cloudwatch_log_group" "cloudtrail" {
   95      count             = var.enable_cloudwatch && var.enabled_cloudtrail ? 1 : 0
   96      name              = var.cloudwatch_log_group_name
   97      retention_in_days = var.log_retention_days
   98  [   kms_key_id        = join("", aws_kms_key.cloudtrail[*].arn) ("")
   99    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             78.427µs
  parsing              59.196206ms
  adaptation           219.369µs
  checks               6.928047ms
  total                66.422049ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     48
  files read           4

  results
  ──────────────────────────────────────────
  passed               4
  ignored              0
  critical             0
  high                 1
  medium               1
  low                  2

  4 passed, 4 potential problem(s) detected.
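The scan flags only default values (`kms_key_id` resolving to `""`, `is_multi_region_trail` defaulting to `false`, no CloudWatch log group wired in), so a caller who leaves the inputs at their defaults ships an unencrypted, single-region trail with no real-time log stream. As an added example, not code from this PR or the clouddrove module, here is a standalone `aws_cloudtrail` configuration that clears all four findings and uses the `s3_key_prefix` attribute this PR introduces. The bucket name, key prefix, KMS key `aws_kms_key.cloudtrail` and IAM role `aws_iam_role.cloudtrail_to_cloudwatch` are assumed to exist and are placeholders.

```hcl
# Added example (not the module's code). Assumed, not taken from the page:
#  - aws_kms_key.cloudtrail: a CMK whose key policy lets cloudtrail.amazonaws.com
#    (GenerateDataKey*, DescribeKey) and the regional CloudWatch Logs service
#    principal use it; without that policy, apply fails.
#  - aws_iam_role.cloudtrail_to_cloudwatch: trusts cloudtrail.amazonaws.com and
#    allows logs:CreateLogStream / logs:PutLogEvents on the log group below.

# Result #4 (aws-cloudwatch-log-group-customer-key): encrypt the log group
# with a customer-managed key instead of leaving kms_key_id empty.
resource "aws_cloudwatch_log_group" "cloudtrail" {
  name              = "cloudtrail-logs"            # constructed value
  retention_in_days = 365
  kms_key_id        = aws_kms_key.cloudtrail.arn   # scan showed this as ""
}

resource "aws_cloudtrail" "default" {
  name                       = "org-trail"                   # constructed value
  s3_bucket_name             = "example-cloudtrail-bucket"   # constructed value
  s3_key_prefix              = "cloudtrail"                  # attribute added by this PR
  enable_logging             = true
  enable_log_file_validation = true   # digest files let you detect tampered log files

  # Result #2 (aws-cloudtrail-enable-all-regions): record activity in every
  # region, not only the provider's region, plus global services such as IAM.
  is_multi_region_trail         = true
  include_global_service_events = true

  # Result #1 (aws-cloudtrail-enable-at-rest-encryption): SSE-KMS on the
  # delivered S3 objects, so reading the bucket alone does not expose logs.
  kms_key_id = aws_kms_key.cloudtrail.arn

  # Result #3 (aws-cloudtrail-ensure-cloudwatch-integration): stream events to
  # CloudWatch Logs for near-real-time alerting. The provider requires the
  # log-stream wildcard suffix ":*" on the group ARN.
  cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.cloudtrail.arn}:*"
  cloud_watch_logs_role_arn  = aws_iam_role.cloudtrail_to_cloudwatch.arn
}
```

When consuming the module instead of writing the resource directly, the equivalent is to set its `is_multi_region_trail` and `enable_cloudwatch` inputs to `true` and enable the module's KMS key so that `aws_kms_key.cloudtrail[*].arn` is no longer empty.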

@13archit (Member) left a comment:

LGTM

@omsharma07 left a comment:

LGTM

@omsharma07 omsharma07 merged commit 4c69281 into master Nov 9, 2023
9 checks passed
@delete-merged-branch delete-merged-branch bot deleted the feat/s3_key_prefix branch November 9, 2023 16:11