From d9d6b662be8cd6c2a44e12af55985e562d159c86 Mon Sep 17 00:00:00 2001 From: Stefan Wessels Beljaars Date: Thu, 14 Dec 2023 14:31:15 +0100 Subject: [PATCH 1/4] Bumps MCAF KMS module to v0.3.0 Signed-off-by: Stefan Wessels Beljaars --- kms.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/kms.tf b/kms.tf index 9dd763a8..0a58fb15 100644 --- a/kms.tf +++ b/kms.tf @@ -1,6 +1,6 @@ # Management Account module "kms_key" { - source = "github.com/schubergphilis/terraform-aws-mcaf-kms?ref=v0.2.0" + source = "github.com/schubergphilis/terraform-aws-mcaf-kms?ref=v0.3.0" name = "inception" description = "KMS key used in the master account" enable_key_rotation = true @@ -84,7 +84,7 @@ data "aws_iam_policy_document" "kms_key" { module "kms_key_audit" { providers = { aws = aws.audit } - source = "github.com/schubergphilis/terraform-aws-mcaf-kms?ref=v0.2.0" + source = "github.com/schubergphilis/terraform-aws-mcaf-kms?ref=v0.3.0" name = "audit" description = "KMS key used for encrypting audit-related data" enable_key_rotation = true @@ -203,7 +203,7 @@ data "aws_iam_policy_document" "kms_key_audit" { module "kms_key_logging" { providers = { aws = aws.logging } - source = "github.com/schubergphilis/terraform-aws-mcaf-kms?ref=v0.2.0" + source = "github.com/schubergphilis/terraform-aws-mcaf-kms?ref=v0.3.0" name = "logging" description = "KMS key to use with logging account" enable_key_rotation = true From 6f37e703296487ec70cc66dfb3acd0fc4bdf9591 Mon Sep 17 00:00:00 2001 From: Stefan Wessels Beljaars Date: Wed, 3 Jan 2024 11:58:37 +0100 Subject: [PATCH 2/4] Removes duplicate condition on check for 'null' value in 'policy = var.aws_service_control_policies.allowed_regions' Signed-off-by: Stefan Wessels Beljaars --- organizations_policy.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/organizations_policy.tf b/organizations_policy.tf index eaea5b56..8f9a7cb1 100644 --- a/organizations_policy.tf +++ b/organizations_policy.tf 
@@ -2,7 +2,7 @@ locals { enabled_root_policies = { allowed_regions = { enable = var.aws_service_control_policies.allowed_regions != null ? true : false - policy = var.aws_service_control_policies.allowed_regions != null != null ? templatefile("${path.module}/files/organizations/allowed_regions.json.tpl", { + policy = var.aws_service_control_policies.allowed_regions != null ? templatefile("${path.module}/files/organizations/allowed_regions.json.tpl", { allowed = var.aws_service_control_policies.allowed_regions != null ? var.aws_service_control_policies.allowed_regions : [] exceptions = var.aws_service_control_policies.principal_exceptions != null ? var.aws_service_control_policies.principal_exceptions : [] }) : null From 8c29d65b43b477bd714d00109361aad6a39454d2 Mon Sep 17 00:00:00 2001 From: Stefan Wessels Beljaars Date: Thu, 14 Dec 2023 14:30:46 +0100 Subject: [PATCH 3/4] Enabled AWS Audit Manager * Adds KMS policy to Audit KMS key that allows setting the key via management account * Adds S3 bucket for Audit Manager assessment report Signed-off-by: Stefan Wessels Beljaars --- audit_manager.tf | 37 +++++++++++++++++++++++++++++++++++++ kms.tf | 31 +++++++++++++++++++++++++++++++ variables.tf | 12 ++++++++++++ 3 files changed, 80 insertions(+) create mode 100644 audit_manager.tf diff --git a/audit_manager.tf b/audit_manager.tf new file mode 100644 index 00000000..81ca9f32 --- /dev/null +++ b/audit_manager.tf 
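Review bot: With the duplicated `!= null` removed, the inner guard `allowed = var.aws_service_control_policies.allowed_regions != null ? var.aws_service_control_policies.allowed_regions : []` is dead code — it only executes inside the branch where the same expression was already true — and can be reduced to `allowed = var.aws_service_control_policies.allowed_regions`. Likewise `enable = var.aws_service_control_policies.allowed_regions != null ? true : false` is just `enable = var.aws_service_control_policies.allowed_regions != null`. A one-line comment such as `# null disables the allowed-regions SCP; the template was previously rendered even for null` would record why the guard matters, since the removed line made the condition always true. The enclosing `locals` block opens before this hunk and continues after it.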
@@ -0,0 +1,37 @@ +resource "aws_auditmanager_account_registration" "default" { + count = var.aws_auditmanager.enabled == true ? 1 : 0 + + delegated_admin_account = data.aws_caller_identity.audit.account_id + deregister_on_destroy = true + kms_key = module.kms_key_audit.arn +} + +module "audit_manager_reports" { + count = var.aws_auditmanager.enabled == true ? 1 : 0 + providers = { aws = aws.audit } + + source = "schubergphilis/mcaf-s3/aws" + version = "0.12.1" + name_prefix = var.aws_auditmanager.reports_bucket_prefix + versioning = true + + lifecycle_rule = [ + { + id = "retention" + enabled = true + + abort_incomplete_multipart_upload = { + days_after_initiation = 7 + } + + noncurrent_version_expiration = { + noncurrent_days = 90 + } + + noncurrent_version_transition = { + noncurrent_days = 30 + storage_class = "ONEZONE_IA" + } + } + ] +} diff --git a/kms.tf b/kms.tf index 0a58fb15..451fa185 100644 --- a/kms.tf +++ b/kms.tf @@ -197,6 +197,37 @@ data "aws_iam_policy_document" "kms_key_audit" { ] } } + + dynamic "statement" { + for_each = var.aws_auditmanager.enabled ? ["allow_audit_manager"] : [] + + content { + sid = "Allow Audit Manager from management to describe and grant" + effect = "Allow" + resources = ["arn:aws:kms:${data.aws_region.current.name}:${data.aws_caller_identity.audit.account_id}:key/*"] + + actions = [ + "kms:CreateGrant", + "kms:DescribeKey" + ] + + principals { + type = "AWS" + identifiers = [ + "arn:aws:iam::${data.aws_caller_identity.management.account_id}:root" + ] + } + + condition { + test = "Bool" + variable = "kms:ViaService" + + values = [ + "auditmanager.amazonaws.com" + ] + } + } + } } # Logging Account diff --git a/variables.tf b/variables.tf index ed8dbaad..561c0d7d 100644 --- a/variables.tf +++ b/variables.tf 
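Review bot: The `audit_manager_reports` bucket is created but nothing in this hunk connects it to Audit Manager — no assessment or report-destination resource references `module.audit_manager_reports[0]`, and no bucket policy grants the Audit Manager service write access — so unless that is wired elsewhere in the module the report destination still has to be configured by hand. `noncurrent_version_transition` to `ONEZONE_IA` keeps prior versions of compliance evidence in a single Availability Zone; `STANDARD_IA`, or no transition at all, is the safer default for audit artefacts. `deregister_on_destroy = true` means flipping `enabled` to `false` deregisters the management account from Audit Manager, which deserves a comment on the resource, e.g. `# Disabling the feature deregisters the account; confirm evidence retention before toggling`. Minor style: `count = var.aws_auditmanager.enabled == true ? 1 : 0` can be `count = var.aws_auditmanager.enabled ? 1 : 0`, matching the `for_each = var.aws_auditmanager.enabled ? ...` form used in kms.tf.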
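Review bot: The condition in the new `allow_audit_manager` statement uses `test = "Bool"` on `kms:ViaService`, but `kms:ViaService` is a string condition key whose values have the form `<service>.<region>.amazonaws.com`, so a Bool operator with a hostname value either fails key-policy validation or never matches — in which case the management account's `kms:CreateGrant` via Audit Manager is not actually authorised by this statement. It should be `test = "StringEquals"` with `values = ["auditmanager.${data.aws_region.current.name}.amazonaws.com"]` (assuming Audit Manager sets `kms:ViaService`; confirm against the service documentation). Because the principal is the whole management account root, a second condition on `kms:GrantIsForAWSResource` is the usual guard that limits `CreateGrant` to grants created on behalf of an AWS service, and in a key policy `resources` can simply be `["*"]`. The enclosing `data "aws_iam_policy_document" "kms_key_audit"` opens before the hunk.
```hcl
      # … unchanged: sid, effect, resources, actions, principals …

      condition {
        test     = "StringEquals"
        variable = "kms:ViaService"
        values   = ["auditmanager.${data.aws_region.current.name}.amazonaws.com"]
      }

      condition {
        test     = "Bool"
        variable = "kms:GrantIsForAWSResource"
        values   = ["true"]
      }
```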
@@ -42,6 +42,18 @@ variable "aws_account_password_policy" { description = "AWS account password policy parameters for the audit, logging and master account" } +variable "aws_auditmanager" { + type = object({ + enabled = bool + reports_bucket_prefix = string + }) + default = { + enabled = true + reports_bucket_prefix = "audit-manager-reports" + } + description = "AWS Audit Manager config settings" +} + variable "aws_config" { type = object({ aggregator_account_ids = optional(list(string), []) From eaa72de6010dce850c1807d59210aeeb7f220e5b Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Fri, 5 Jan 2024 10:06:19 +0000 Subject: [PATCH 4/4] docs(readme): update module usage --- README.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 05444e24..25c83264 100644 --- a/README.md +++ b/README.md 
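Review bot: The default `enabled = true` makes Audit Manager opt-out: every existing consumer of this module will register the management account with Audit Manager (a billed service, paired with `deregister_on_destroy = true` on the resource) on their next apply without changing any input. For a newly added integration an opt-in default of `enabled = false`, or at minimum a README/changelog note, is the safer choice. The description `"AWS Audit Manager config settings"` should say what the fields do, e.g. `description = "AWS Audit Manager settings: 'enabled' registers the management account with the audit account as delegated administrator and creates the reports bucket; 'reports_bucket_prefix' is the S3 bucket name prefix used in the audit account"`. Since `reports_bucket_prefix` becomes an S3 `name_prefix`, a `validation` block restricting it to lowercase letters, digits and hyphens would surface a bad value at plan time rather than at bucket creation.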
@@ -440,14 +440,15 @@ module "landing_zone" { | Name | Source | Version | |------|--------|---------| +| [audit\_manager\_reports](#module\_audit\_manager\_reports) | schubergphilis/mcaf-s3/aws | 0.12.1 | | [aws\_config\_s3](#module\_aws\_config\_s3) | github.com/schubergphilis/terraform-aws-mcaf-s3 | v0.8.0 | | [aws\_sso\_permission\_sets](#module\_aws\_sso\_permission\_sets) | ./modules/permission-set | n/a | | [datadog\_audit](#module\_datadog\_audit) | github.com/schubergphilis/terraform-aws-mcaf-datadog | v0.3.12 | | [datadog\_logging](#module\_datadog\_logging) | github.com/schubergphilis/terraform-aws-mcaf-datadog | v0.3.12 | | [datadog\_master](#module\_datadog\_master) | github.com/schubergphilis/terraform-aws-mcaf-datadog | v0.3.12 | -| [kms\_key](#module\_kms\_key) | github.com/schubergphilis/terraform-aws-mcaf-kms | v0.2.0 | -| [kms\_key\_audit](#module\_kms\_key\_audit) | github.com/schubergphilis/terraform-aws-mcaf-kms | v0.2.0 | -| [kms\_key\_logging](#module\_kms\_key\_logging) | github.com/schubergphilis/terraform-aws-mcaf-kms | v0.2.0 | +| [kms\_key](#module\_kms\_key) | github.com/schubergphilis/terraform-aws-mcaf-kms | v0.3.0 | +| [kms\_key\_audit](#module\_kms\_key\_audit) | github.com/schubergphilis/terraform-aws-mcaf-kms | v0.3.0 | +| [kms\_key\_logging](#module\_kms\_key\_logging) | github.com/schubergphilis/terraform-aws-mcaf-kms | v0.3.0 | | [ses-root-accounts-mail-alias](#module\_ses-root-accounts-mail-alias) | github.com/schubergphilis/terraform-aws-mcaf-ses | v0.1.3 | | [ses-root-accounts-mail-forward](#module\_ses-root-accounts-mail-forward) | github.com/schubergphilis/terraform-aws-mcaf-ses-forwarder | v0.2.5 | | [tag\_policy\_assignment](#module\_tag\_policy\_assignment) | ./modules/tag-policy-assignment | n/a | 
@@ -456,6 +457,7 @@ module "landing_zone" { | Name | Type | |------|------| +| [aws_auditmanager_account_registration.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/auditmanager_account_registration) | resource | | [aws_cloudtrail.additional_auditing_trail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail) | resource | | [aws_cloudwatch_event_rule.security_hub_findings](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource | | [aws_cloudwatch_event_target.security_hub_findings](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource | @@ -536,6 +538,7 @@ module "landing_zone" { | [tags](#input\_tags) | Map of tags | `map(string)` | n/a | yes | | [additional\_auditing\_trail](#input\_additional\_auditing\_trail) | CloudTrail configuration for additional auditing trail |
object({
name = string
bucket = string
kms_key_id = string

event_selector = optional(object({
data_resource = optional(object({
type = string
values = list(string)
}))
exclude_management_event_sources = optional(set(string), null)
include_management_events = optional(bool, true)
read_write_type = optional(string, "All")
}))
})
| `null` | no | | [aws\_account\_password\_policy](#input\_aws\_account\_password\_policy) | AWS account password policy parameters for the audit, logging and master account |
object({
allow_users_to_change = bool
max_age = number
minimum_length = number
require_lowercase_characters = bool
require_numbers = bool
require_symbols = bool
require_uppercase_characters = bool
reuse_prevention_history = number
})
|
{
"allow_users_to_change": true,
"max_age": 90,
"minimum_length": 14,
"require_lowercase_characters": true,
"require_numbers": true,
"require_symbols": true,
"require_uppercase_characters": true,
"reuse_prevention_history": 24
}
| no | +| [aws\_auditmanager](#input\_aws\_auditmanager) | AWS Audit Manager config settings |
object({
enabled = bool
reports_bucket_prefix = string
})
|
{
"enabled": true,
"reports_bucket_prefix": "audit-manager-reports"
}
| no | | [aws\_config](#input\_aws\_config) | AWS Config settings |
object({
aggregator_account_ids = optional(list(string), [])
aggregator_regions = optional(list(string), [])
delivery_channel_s3_bucket_name = optional(string, null)
delivery_channel_s3_key_prefix = optional(string, null)
delivery_frequency = optional(string, "TwentyFour_Hours")
rule_identifiers = optional(list(string), [])
})
|
{
"aggregator_account_ids": [],
"aggregator_regions": [],
"delivery_channel_s3_bucket_name": null,
"delivery_channel_s3_key_prefix": null,
"delivery_frequency": "TwentyFour_Hours",
"rule_identifiers": []
}
| no | | [aws\_config\_sns\_subscription](#input\_aws\_config\_sns\_subscription) | Subscription options for the aws-controltower-AggregateSecurityNotifications (AWS Config) SNS topic |
map(object({
endpoint = string
protocol = string
}))
| `{}` | no | | [aws\_ebs\_encryption\_by\_default](#input\_aws\_ebs\_encryption\_by\_default) | Set to true to enable AWS Elastic Block Store encryption by default | `bool` | `true` | no |