terraform-aws-cloudfront-s3-cdn
Unable to set a Block SSL Policy on the logs bucket
Describe the Bug
Amazon states that S3 buckets should require requests to use Secure Socket Layer: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#s3-5-remediation
Even though the original bucket has the right policy, the log bucket created with the module has no policy attached to it. There seems to be no variable giving the log bucket ID and ARN in outputs.tf.
So, I tried adding the bucket policy myself but I was unable to.
Here's an example showing that it is not possible to use the module's output.
resource "aws_s3_bucket_policy" "logs-policy" {
  # logs doesn't offer access to the s3 bucket here
  bucket = module.cdn.logs.s3_bucket
  # logs doesn't offer access to the s3 bucket arn in the Resource block
  policy = jsonencode({
    Version = "2012-10-17"
    Id      = "BUCKET-POLICY"
    Statement = [
      # Two separate Deny statements: operators inside a single Condition block
      # are ANDed, so one statement combining aws:SecureTransport and
      # s3:TlsVersion would never match a plain-HTTP request (which carries no
      # TLS version key) and would deny nothing.
      {
        Sid       = "EnforceTls"
        Effect    = "Deny"
        Principal = "*"
        Action    = "s3:*"
        Resource = [
          module.cdn.logs.s3_bucket_arn,
          "${module.cdn.logs.s3_bucket_arn}/*",
        ]
        Condition = {
          Bool = {
            "aws:SecureTransport" = "false"
          }
        }
      },
      {
        Sid       = "EnforceTls12"
        Effect    = "Deny"
        Principal = "*"
        Action    = "s3:*"
        Resource = [
          module.cdn.logs.s3_bucket_arn,
          "${module.cdn.logs.s3_bucket_arn}/*",
        ]
        Condition = {
          NumericLessThan = {
            "s3:TlsVersion" = 1.2
          }
        }
      },
    ]
  })
}
Expected Behavior
The log bucket should either follow the same policy the S3 content bucket has or at least provide a way to set it.
Steps to Reproduce
Steps to reproduce the behavior:
- Go to https://github.com/cloudposse/terraform-aws-cloudfront-s3-cdn
- Copy the "cloudposse/cloudfront-s3-cdn/aws" example
- Run terraform apply
- You'll see the log policy is empty.
Screenshots
The content bucket policy is OK:
The log bucket policy is empty:
Environment (please complete the following information):
Anything that will help us triage the bug will help. Here are some ideas:
- OS: macOS Big Sur
- Version 11.6.1
Additional Context
N/A
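The Security Hub S3.5 control referenced in the report is satisfied by a bucket policy that denies requests with aws:SecureTransport false. The following is an added example, not code from this issue or from the cloudposse module: an offline audit that simulates a plaintext request, a TLS 1.0 request and a TLS 1.2 request against a bucket policy document, using IAM's evaluation rules for Deny statements (all operators in one Condition block are ANDed; a Bool or NumericLessThan operator on a key missing from the request evaluates to false). The bucket ARN, the three policy documents and the request contexts are constructed for illustration; it is assumed that a plaintext request carries no s3:TlsVersion key, and only the Bool and NumericLessThan operators and the "*" principal are modelled.

```python
"""Offline audit of an S3 bucket policy: does it deny non-TLS requests (Security Hub
S3.5), does it deny TLS below 1.2, and does it still allow TLS 1.2?

Added example; not the issue's or the module's code. Policies and ARN are constructed."""
import re

BUCKET_ARN = "arn:aws:s3:::example-cdn-logs"  # placeholder, not a real bucket

# What the issue reports for the log bucket: no policy at all.
EMPTY_POLICY = {"Version": "2012-10-17", "Statement": []}

# Both checks in ONE Condition block. IAM ANDs the operators, and a non-IfExists
# operator on a key absent from the request evaluates to false.
COMBINED_CONDITION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "EnforceTls", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
        "Condition": {
            "Bool": {"aws:SecureTransport": "false"},
            "NumericLessThan": {"s3:TlsVersion": 1.2},
        },
    }],
}

# One Deny statement per check, so each fires on its own.
SPLIT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyPlaintext", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "DenyOldTls", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
         "Condition": {"NumericLessThan": {"s3:TlsVersion": 1.2}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, value):
    """IAM-style '*' wildcard match for Action and Resource strings."""
    return re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), value) is not None


def _condition_matches(condition, ctx):
    """Every operator/key pair must match (AND); a key missing from ctx is a non-match."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in ctx:
                return False
            actual = ctx[key]
            if operator == "Bool":
                if str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "NumericLessThan":
                if not float(actual) < float(expected):
                    return False
            else:
                raise ValueError(f"operator {operator} is not modelled here")
    return True


def request_denied(policy, ctx, action, resource):
    """True if a Deny statement for principal '*' covers this action, resource and context."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny" or stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        if not any(_glob(a, action) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_glob(r, resource) for r in _as_list(stmt.get("Resource", []))):
            continue
        if _condition_matches(stmt.get("Condition", {}), ctx):
            return True
    return False


def audit(policy, bucket_arn):
    """Simulate three requests. Assumption: a plaintext request has no s3:TlsVersion key."""
    obj = bucket_arn + "/AWSLogs/example.gz"  # constructed object key
    plaintext = {"aws:SecureTransport": "false"}
    tls10 = {"aws:SecureTransport": "true", "s3:TlsVersion": 1.0}
    tls12 = {"aws:SecureTransport": "true", "s3:TlsVersion": 1.2}
    return {
        "denies_plaintext": request_denied(policy, plaintext, "s3:GetObject", obj)
        and request_denied(policy, plaintext, "s3:ListBucket", bucket_arn),
        "denies_tls_1_0": request_denied(policy, tls10, "s3:GetObject", obj),
        "allows_tls_1_2": not request_denied(policy, tls12, "s3:PutObject", obj),
    }


if __name__ == "__main__":
    for name, policy in [("empty", EMPTY_POLICY),
                         ("combined condition", COMBINED_CONDITION_POLICY),
                         ("split statements", SPLIT_POLICY)]:
        print(f"{name:20s} {audit(policy, BUCKET_ARN)}")
```

Run against a real bucket by feeding the JSON from get-bucket-policy into audit(); the empty policy fails the S3.5 check, the single-statement combination fails it too because the plaintext request never satisfies the NumericLessThan half of the ANDed condition, and only the two-statement form denies both plaintext and TLS 1.0 while still allowing TLS 1.2.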