terraform-aws-control_tower_account_factory icon indicating copy to clipboard operation
terraform-aws-control_tower_account_factory copied to clipboard

Published 20 hours ago verified publisher icon aws-ia

Shared bucket policy not implementing documented security best practice

Open michael-mcguinness opened this issue 2 years ago • 3 comments

Describe the outcome you'd like

I would like for the policy applied to the central logging bucket at

https://github.com/aws-ia/terraform-aws-control_tower_account_factory/blob/dc3eb7ce8ceb6e71d935431b164805b9facf270d/modules/aft-feature-options/s3/bucket-policies/aft_logging_bucket.tpl#L38

to implement AWS best practise for cross account logging buckets as described here

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-set-bucket-policy-for-multiple-accounts.html

where constraints are applied to ensure that only AFT managed accounts are able to access the bucket.

Is your feature request related to a problem you are currently experiencing? If so, please describe.

We are evaluating AFT for future usage but would be unlikely to adopt if AWS best practise were not implemented or some manual, post account creation action were required.

michael-mcguinness avatar Dec 29 '22 09:12 michael-mcguinness

Hi @michael-mcguinness,

Thanks for reaching out.

The referenced bucket only allows AWS Service Principals to PutObject, so you shouldn't have concerns that non-AWS principals could tamper with AFT logging data.

I've created a backlog item for us to explore additional controls on that bucket, such as the enumerated-accounts style you linked or using the aws:PrincipalOrgID allow-listing used for bucket reads.

https://aws.amazon.com/blogs/security/control-access-to-aws-resources-by-using-the-aws-organization-of-iam-principals/

stumins avatar Jan 06 '23 22:01 stumins

Thanks for getting back to me. We tried aws:PrincipalOrgId (which is what I think you meant) but that didn't work. My understanding from the documentation is that this is the expected behaviour as the CloudTrail service is not part of my organisation.

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html image

michael-mcguinness avatar Jan 12 '23 16:01 michael-mcguinness

Yep, thanks for catching that typo - I've edited my original post.

We haven't yet evaluated this work, but it sounds like you're working ahead - you might look at the https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-principalisawsservice condition for authorizing service principals.

stumins avatar Jan 12 '23 21:01 stumins