CloudTrail Improvements to avoid prowler alerts

[bcarranza]

What does this do?

• Point to managedkube fork cloudtrail s3 bucket

  kubernetes-ops/terraform-modules/aws/cloudposse/aws-cloudtrail-cloudwatch-alarms/main.tf

  Lines 4 to 15 in bdd3682

  	module "cloudtrail_s3_bucket" {
  	source = "github.com/ManagedKube/terraform-aws-cloudtrail-s3-bucket.git//?ref=0.24.0"
  	#version = "master"
  	force_destroy = var.force_destroy
  	versioning_enabled = var.versioning_enabled
  	access_log_bucket_name = var.access_log_bucket_name
  	allow_ssl_requests_only= var.allow_ssl_requests_only
  	acl = var.acl
  	s3_object_ownership = var.s3_object_ownership
  	sse_algorithm = "aws:kms"
  	context = module.this.context
  	}

  • Cloudposse' issue: New input variable s3_object_ownership cloudposse/terraform-aws-cloudtrail-s3-bucket#62
  • Cloudposse' pr: add input var s3_object_ownership cloudposse/terraform-aws-cloudtrail-s3-bucket#63
  • Implements fields that were already in the cloudposse module.
  • The main reason for the fork is the use of the next field:

    kubernetes-ops/terraform-modules/aws/cloudposse/aws-cloudtrail-cloudwatch-alarms/main.tf

    Line 12 in a6c0f77

    s3_object_ownership = var.s3_object_ownership

    .
  • s3_object_ownership helps us to avoid the deprecated use of acl and use bucket policies, this solves the prowler alert: [extra7172] Check if S3 buckets have ACLs enabled | us-west-2: Bucket x2-ops-cloudtrail-cloudwatch-alarms has bucket ACLs disabled!

• Increase retention to 365 days in order to this alerts.: us-west-2: x2-ops-cloudtrail-cloudwatch-alarms Log Group does not have 365 days retention period!.

  • kubernetes-ops/terraform-modules/aws/cloudposse/aws-cloudtrail-cloudwatch-alarms/main.tf

    Line 20 in a6c0f77

    retention_in_days = 365

  • note: This solves a vulnerability in prowler, however when running prowler again despite having 365 days of retention it behaved differently, we have created an issue in prowler: [Bug]: extra7162 error in filter retentionInDays = 365  prowler-cloud/prowler#1229
    they have given us a good follow up and are about to integrate the pr.

• New inputs vars to make secure s3 bucket
  

  kubernetes-ops/terraform-modules/aws/cloudposse/aws-cloudtrail-cloudwatch-alarms/variables.tf

  Lines 30 to 72 in a6c0f77

  	#Buckets input vars
  	variable "versioning_enabled" {
  	type = bool
  	description = "A state of versioning. Versioning is a means of keeping multiple variants of an object in the same bucket"
  	default = false
  	}
  	variable "access_log_bucket_name" {
  	type = string
  	default = ""
  	description = "Name of the S3 bucket where s3 access log will be sent to"
  	}
  	variable "allow_ssl_requests_only" {
  	type = bool
  	default = true
  	description = "Set to `true` to require requests to use Secure Socket Layer (HTTPS/SSL). This will explicitly deny access to HTTP requests"
  	}
  	variable "s3_object_ownership" {
  	type = string
  	default = "BucketOwnerPreferred"
  	description = "Specifies the S3 object ownership control. Valid values are `ObjectWriter`, `BucketOwnerPreferred`, and 'BucketOwnerEnforced'."
  	}
  	variable "acl" {
  	type = string
  	description = "The canned ACL to apply. We recommend log-delivery-write for compatibility with AWS services"
  	default = "log-delivery-write"
  	}
  	variable "is_multi_region_trail" {
  	type = bool
  	default = true
  	description = "Specifies whether the trail is created in the current region or in all regions"
  	}
  	variable "restrict_public_buckets" {
  	type = bool
  	default = true
  	description = "Set to `false` to disable the restricting of making the bucket public"
  	}

[sekka1]

Should this be enabled by default? Doesnt prowler want this as well?

[sekka1]

lgtm