Enabled AWS Audit Manager

* Adds KMS policy to Audit KMS key that allows setting the key via management account * Adds S3 bucket for Audit Manager assessment report Signed-off-by: Stefan Wessels Beljaars <[email protected]>
schubergphilis · Jan 5, 2024 · 8c29d65 · 8c29d65
1 parent 6f37e70
commit 8c29d65
Show file tree

Hide file tree

Showing 3 changed files with 80 additions and 0 deletions.
diff --git a/audit_manager.tf b/audit_manager.tf
@@ -0,0 +1,37 @@
+resource "aws_auditmanager_account_registration" "default" {
+  count = var.aws_auditmanager.enabled == true ? 1 : 0
+
+  delegated_admin_account = data.aws_caller_identity.audit.account_id
+  deregister_on_destroy   = true
+  kms_key                 = module.kms_key_audit.arn
+}
+
+module "audit_manager_reports" {
+  count     = var.aws_auditmanager.enabled == true ? 1 : 0
+  providers = { aws = aws.audit }
+
+  source      = "schubergphilis/mcaf-s3/aws"
+  version     = "0.12.1"
+  name_prefix = var.aws_auditmanager.reports_bucket_prefix
+  versioning  = true
+
+  lifecycle_rule = [
+    {
+      id      = "retention"
+      enabled = true
+
+      abort_incomplete_multipart_upload = {
+        days_after_initiation = 7
+      }
+
+      noncurrent_version_expiration = {
+        noncurrent_days = 90
+      }
+
+      noncurrent_version_transition = {
+        noncurrent_days = 30
+        storage_class   = "ONEZONE_IA"
+      }
+    }
+  ]
+}
diff --git a/kms.tf b/kms.tf
@@ -197,6 +197,37 @@ data "aws_iam_policy_document" "kms_key_audit" {
       ]
     }
   }
+
+  dynamic "statement" {
+    for_each = var.aws_auditmanager.enabled ? ["allow_audit_manager"] : []
+
+    content {
+      sid       = "Allow Audit Manager from management to describe and grant"
+      effect    = "Allow"
+      resources = ["arn:aws:kms:${data.aws_region.current.name}:${data.aws_caller_identity.audit.account_id}:key/*"]
+
+      actions = [
+        "kms:CreateGrant",
+        "kms:DescribeKey"
+      ]
+
+      principals {
+        type = "AWS"
+        identifiers = [
+          "arn:aws:iam::${data.aws_caller_identity.management.account_id}:root"
+        ]
+      }
+
+      condition {
+        test     = "Bool"
+        variable = "kms:ViaService"
+
+        values = [
+          "auditmanager.amazonaws.com"
+        ]
+      }
+    }
+  }
 }
 
 # Logging Account

diff --git a/variables.tf b/variables.tf
@@ -42,6 +42,18 @@ variable "aws_account_password_policy" {
   description = "AWS account password policy parameters for the audit, logging and master account"
 }
 
+variable "aws_auditmanager" {
+  type = object({
+    enabled               = bool
+    reports_bucket_prefix = string
+  })
+  default = {
+    enabled               = true
+    reports_bucket_prefix = "audit-manager-reports"
+  }
+  description = "AWS Audit Manager config settings"
+}
+
 variable "aws_config" {
   type = object({
     aggregator_account_ids          = optional(list(string), [])