Skip to content

Commit

Permalink
encrypt *LB access logs if KMS key is specified
Browse files Browse the repository at this point in the history
* only S3-SSE is available for *LB log delivery
  • Loading branch information
ab77 committed Feb 12, 2024
1 parent 7052cc3 commit 69b4be5
Showing 1 changed file with 17 additions and 3 deletions.
20 changes: 17 additions & 3 deletions state/s3.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -72,7 +72,7 @@ Parameters:
Description: 'Access policy of the bucket.'
Type: String
Default: Private
AllowedValues: [Private, PublicRead, PublicWrite, PublicReadAndWrite, CloudFrontRead, CloudFrontAccessLogWrite, ElbAccessLogWrite, S3AccessLogWrite, ConfigWrite, CloudTrailWrite, VpcEndpointRead, FlowLogWrite]
AllowedValues: [Private, PublicRead, PublicWrite, PublicReadAndWrite, CloudFrontRead, CloudFrontAccessLogWrite, ElbAccessLogWrite, ElbAccessLogWriteEncrypted, S3AccessLogWrite, ConfigWrite, CloudTrailWrite, VpcEndpointRead, FlowLogWrite]
Versioning:
Description: 'Enable versioning to keep a backup if objects change.'
Type: String
Expand Down Expand Up @@ -138,7 +138,9 @@ Conditions:
HasPublicWriteAccess: !Or [!Equals [!Ref Access, PublicWrite], !Equals [!Ref Access, PublicReadAndWrite]]
HasCloudFrontReadAccess: !Equals [!Ref Access, CloudFrontRead]
HasCloudFrontAccessLogWrite: !Equals [!Ref Access, CloudFrontAccessLogWrite]
HasElbAccessLogWriteAccess: !Equals [!Ref Access, ElbAccessLogWrite]
HasElbAccessLogWriteAccess: !Or [!Equals [!Ref Access, ElbAccessLogWrite], !Equals [!Ref Access, ElbAccessLogWriteEncrypted]]
# The only server-side encryption option that's supported is Amazon S3-managed keys (SSE-S3).
HasElbAccessLogWriteEncrypted: !Equals [!Ref Access, ElbAccessLogWriteEncrypted]
HasS3AccessLogWrite: !Equals [!Ref Access, S3AccessLogWrite]
HasConfigWriteAccess: !Equals [!Ref Access, ConfigWrite]
HasCloudTrailWriteAccess: !Equals [!Ref Access, CloudTrailWrite]
Expand Down Expand Up @@ -214,7 +216,9 @@ Resources:
Resource: !Sub '${Bucket.Arn}/*'
Condition:
StringNotEquals:
's3:x-amz-server-side-encryption': ''
's3:x-amz-server-side-encryption'
- 'AES256'

Check failure on line 220 in state/s3.yaml

View workflow job for this annotation

GitHub Actions / lint

220:17 syntax error: expected <block end>, but found '<block sequence start>' (syntax)

Check failure on line 220 in state/s3.yaml

View workflow job for this annotation

GitHub Actions / lint

220:17 syntax error: expected <block end>, but found '<block sequence start>' (syntax)
- 'aws:kms'
's3:x-amz-server-side-encryption-aws-kms-key-id': {'Fn::ImportValue': !Sub '${ParentKmsKeyStack}-KeyArn'}

Check failure on line 222 in state/s3.yaml

View workflow job for this annotation

GitHub Actions / lint

222:17 [indentation] wrong indentation: expected 18 but found 16

Check failure on line 222 in state/s3.yaml

View workflow job for this annotation

GitHub Actions / lint

222:17 [indentation] wrong indentation: expected 18 but found 16
- !Ref 'AWS::NoValue'
- !If
Expand Down Expand Up @@ -294,6 +298,16 @@ Resources:
Effect: Allow
Resource: !GetAtt 'Bucket.Arn'
- !Ref 'AWS::NoValue'
- !If
- HasElbAccessLogWriteEncrypted
- Principal: '*'
Action: 's3:PutObject*'
Effect: Deny
Resource: !Sub '${Bucket.Arn}/*'
Condition:
StringNotEquals:
's3:x-amz-server-side-encryption': 'AES256' # https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingServerSideEncryption.html
- !Ref 'AWS::NoValue'
- !If
- HasConfigWriteAccess
- Effect: Allow
Expand Down

0 comments on commit 69b4be5

Please sign in to comment.