S3 changes

[jluevan13]

No description provided.

[prisma-cloud-devsecops]

Prisma Cloud has found errors in this PR ⬇️

[prisma-cloud-devsecops]

  Weibeler - Public S3 Buckets
    Resource: aws_s3_bucket.data | Bridgecrew ID: 1043237819080398848_AWS_1668813444422

[prisma-cloud-devsecops]

  Weib Test S3
    Resource: aws_s3_bucket.data | Bridgecrew ID: 1043237819080398848_AWS_1673630255979

Description

Remove public access

[prisma-cloud-devsecops]

Suggested change

	# bucket is not encrypted
	resource "aws_s3_bucket" "data" {
	# bucket is public
	# bucket is not encrypted
	# bucket does not have access logs
	# bucket does not have versioning
	# test
	bucket = "${local.resource_prefix.value}-data"
	force_destroy = true
	tags = merge({
	Name = "${local.resource_prefix.value}-data"
	Environment = local.resource_prefix.value
	}, {
	git_commit = "4d57f83ca4d3a78a44fb36d1dcf0d23983fa44f5"
	git_file = "terraform/aws/s3.tf"
	git_last_modified_at = "2022-05-18 07:08:06"
	git_last_modified_by = "nimrod@bridgecrew.io"
	git_modifiers = "34870196+LironElbaz/nimrod/nimrodkor"
	git_org = "bridgecrewio"
	git_repo = "terragoat"
	yor_trace = "0874007d-903a-4b4c-945f-c9c233e13243"
	})
	}
	resource "aws_s3_bucket_versioning" "data" {
	bucket = aws_s3_bucket.data.id
	versioning_configuration {
	status = "Enabled"
	}
	}

  AWS S3 Object Versioning is disabled
    Resource: aws_s3_bucket.data | Bridgecrew ID: BC_AWS_S3_16 | Checkov ID: CKV_AWS_21

How to Fix

resource "aws_s3_bucket" "state_bucket" {
  bucket        = "${data.aws_caller_identity.current.account_id}-terraform-state"
  acl           = var.acl
  force_destroy = var.force_destroy

+  versioning {
+    enabled    = true
+  }

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = var.sse_algorithm
      }
    }
  }

  tags = var.common_tags
}

Description

S3 versioning is a managed data backup and recovery service provided by AWS. When enabled it allows users to retrieve and restore previous versions of their buckets.

S3 versioning can be used for data protection and retention scenarios such as recovering objects that have been accidentally/intentionally deleted or overwritten.

Benchmarks

• PCI-DSS V3.2.1 10.5.3
• FEDRAMP (MODERATE) CP-10, SI-12

🪄 Smart Fix -

Fix based on 100% past actions in this repository

[prisma-cloud-devsecops]

Suggested change

	# bucket is not encrypted
	resource "aws_s3_bucket" "data" {
	# bucket is public
	# bucket is not encrypted
	# bucket does not have access logs
	# bucket does not have versioning
	# test
	bucket = "${local.resource_prefix.value}-data"
	force_destroy = true
	tags = merge({
	Name = "${local.resource_prefix.value}-data"
	Environment = local.resource_prefix.value
	}, {
	git_commit = "4d57f83ca4d3a78a44fb36d1dcf0d23983fa44f5"
	git_file = "terraform/aws/s3.tf"
	git_last_modified_at = "2022-05-18 07:08:06"
	git_last_modified_by = "nimrod@bridgecrew.io"
	git_modifiers = "34870196+LironElbaz/nimrod/nimrodkor"
	git_org = "bridgecrewio"
	git_repo = "terragoat"
	yor_trace = "0874007d-903a-4b4c-945f-c9c233e13243"
	})
	}
	resource "aws_s3_bucket" "data_log_bucket" {
	bucket = "data-log-bucket"
	}
	resource "aws_s3_bucket_logging" "data" {
	bucket = aws_s3_bucket.data.id
	target_bucket = aws_s3_bucket.data_log_bucket.id
	target_prefix = "log/"
	}

  AWS Access logging not enabled on S3 buckets
    Resource: aws_s3_bucket.data | Bridgecrew ID: BC_AWS_S3_13 | Checkov ID: CKV_AWS_18

How to Fix

resource "aws_s3_bucket" "bucket" {
  acl    = var.s3_bucket_acl
  bucket = var.s3_bucket_name
  policy = var.s3_bucket_policy

  force_destroy = var.s3_bucket_force_destroy
  versioning {
    enabled    = var.versioning
    mfa_delete = var.mfa_delete
  }

+  dynamic "logging" {
+    for_each = var.logging
+    content {
+      target_bucket = logging.value["target_bucket"]
+      target_prefix = "log/${var.s3_bucket_name}"
+    }
+  }
}

Description

Access logging provides detailed audit logging for all objects and folders in an S3 bucket.

Benchmarks

• HIPAA 164.312(B) Audit controls

🪄 Smart Fix -

Fix based on 100% past actions in this repository