s3-extra-sec.tf
locals {
  # Every S3 bucket created by module.psoxy that the optional hardening resources in this file
  # iterate over with for_each. Keys are "<connector>_input" / "<connector>_sanitized" for each
  # bulk connector instance, plus whatever keys module.psoxy.lookup_output_buckets carries;
  # values are the bucket IDs. Because merge() is last-wins, a lookup-output key would override
  # a connector key of the same name (not expected with these suffixes, but worth knowing).
  buckets_to_secure = merge(
    {
      for name, instance in module.psoxy.bulk_connector_instances :
      "${name}_input" => instance.input_bucket
    },
    {
      for name, instance in module.psoxy.bulk_connector_instances :
      "${name}_sanitized" => instance.sanitized_bucket
    },
    module.psoxy.lookup_output_buckets,
  )
}
## concisely set S3 logging for all buckets
# enabling bucket logging is a recommended best practice for security and compliance; many scanners
# will flag its absence as a security risk.
# TODO: to enable, uncomment the block below and replace 'my-log-bucket' with the ID of the bucket you want the access logs delivered to
#resource "aws_s3_bucket_logging" "all_buckets" {
# for_each = local.buckets_to_secure
#
# bucket = each.value
# target_bucket = "my-log-bucket"
# target_prefix = "${var.environment_name}/${each.key}/"
#}
## concisely set S3 versioning for all buckets
# enabling bucket versioning is a recommended best practice for security and compliance; many
# scanners will flag its absence as a security risk. For the proxy use-case, however, there is little
# need for it: neither the -input nor the -sanitized buckets are the primary store of the data in
# question, nor are they intended for any kind of backup purpose.
# to enable, uncomment the block below
#resource "aws_s3_bucket_versioning" "all_buckets" {
# for_each = local.buckets_to_secure
#
# bucket = each.value
#
# versioning_configuration {
# status = "Enabled"
# }
#}
## concisely set a secure-transport bucket policy (deny requests where aws:SecureTransport is false) for all buckets
# - not done by default to avoid complexity, but uncomment the lines below to enable
# resource "aws_s3_bucket_policy" "deny_s3_nonsecure_transport" {
# for_each = local.buckets_to_secure
#
# bucket = each.value
# policy = jsonencode({
# Version = "2012-10-17"
# Statement = [
# {
# Sid = "DenyNonSecureTransport"
# Effect = "Deny"
# Action = ["s3:*"]
# Principal = "*"
# Resource = [
# "arn:aws:s3:::${each.value}",
# "arn:aws:s3:::${each.value}/*"
# ]
# Condition = {
# Bool = {
# "aws:SecureTransport" = false
# }
# }
# }
# ]
# })
# }