CloudTrail Log Files S3 Bucket with Logging Disabled
- Query id: ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4
- Query name: CloudTrail Log Files S3 Bucket with Logging Disabled
- Platform: Terraform
- Severity: High
- Category: Observability
- URL: Github
Description¶
CloudTrail Log Files S3 Bucket should have 'logging' enabled
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
provider "aws" {
region = "us-east-1"
}
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 3.0"
}
}
}
data "aws_caller_identity" "current" {}
resource "aws_cloudtrail" "foobar" {
name = "tf-trail-foobar"
s3_bucket_name = aws_s3_bucket.foo.id
s3_key_prefix = "prefix"
include_global_service_events = false
}
resource "aws_s3_bucket" "foo" {
bucket = "tf-test-trail"
force_destroy = true
policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSCloudTrailAclCheck",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::tf-test-trail"
},
{
"Sid": "AWSCloudTrailWrite",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::tf-test-trail/prefix/AWSLogs/${data.aws_caller_identity.current.account_id}/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
}
]
}
POLICY
}
Positive test num. 2 - tf file
module "foo" {
source = "terraform-aws-modules/s3-bucket/aws"
version = "0.0.1"
acl = "private"
bucket = "foo"
force_destroy = true
policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSCloudTrailAclCheck",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::tf-test-trail"
},
{
"Sid": "AWSCloudTrailWrite",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::tf-test-trail/prefix/AWSLogs/${data.aws_caller_identity.current.account_id}/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
}
]
}
POLICY
versioning_inputs = [
{
enabled = true
mfa_delete = null
},
]
}
resource "aws_cloudtrail" "foobar" {
name = "tf-trail-foobar"
s3_bucket_name = aws_s3_bucket.foo.id
s3_key_prefix = "prefix"
include_global_service_events = false
}
Positive test num. 3 - tf file
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "4.2.0"
}
}
}
provider "aws" {
# Configuration options
}
resource "aws_cloudtrail" "foobar2" {
name = "tf-trail-foobar"
s3_bucket_name = aws_s3_bucket.bb.id
s3_key_prefix = "prefix"
include_global_service_events = false
}
resource "aws_s3_bucket" "bb" {
bucket = "my-tf-example-bucket"
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
provider "aws" {
region = "us-east-1"
}
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 3.0"
}
}
}
data "aws_caller_identity" "current2" {}
resource "aws_cloudtrail" "foobar2" {
name = "tf-trail-foobar"
s3_bucket_name = aws_s3_bucket.foo2.id
s3_key_prefix = "prefix"
include_global_service_events = false
}
resource "aws_s3_bucket" "log_bucket" {
bucket = "my-tf-log-bucket"
acl = "log-delivery-write"
}
resource "aws_s3_bucket" "foo2" {
bucket = "my-tf-test-bucket"
acl = "private"
logging {
target_bucket = aws_s3_bucket.log_bucket.id
target_prefix = "log/"
}
}
Negative test num. 2 - tf file
module "s3_bucket" {
source = "terraform-aws-modules/s3-bucket/aws"
version = "0.0.1"
bucket = "s3-tf-example-versioning"
acl = "private"
logging {
target_bucket = aws_s3_bucket.log_bucket.id
target_prefix = "log/"
}
versioning_inputs = [
{
enabled = true
mfa_delete = null
},
]
}
Negative test num. 3 - tf file
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "4.2.0"
}
}
}
provider "aws" {
# Configuration options
}
resource "aws_cloudtrail" "foobar2" {
name = "tf-trail-foobar"
s3_bucket_name = aws_s3_bucket.bbb.id
s3_key_prefix = "prefix"
include_global_service_events = false
}
resource "aws_s3_bucket" "bbb" {
bucket = "my-tf-example-bucket"
}
resource "aws_s3_bucket_logging" "example" {
bucket = aws_s3_bucket.bbb.id
target_bucket = aws_s3_bucket.log_bucket.id
target_prefix = "log/"
}