add s3_key_prefix variable #48
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
/test all |
|
This pull request is now in conflict. Could you fix it @niraj8? 🙏 |
|
Hello, I'm interested in having this option in the official module, any chances of merging this? cc @Gowiem |
# Conflicts: # README.md # docs/terraform.md
| @@ -12,7 +12,7 @@ resource "aws_cloudtrail" "default" { | |||
| tags = module.this.tags | |||
| kms_key_id = var.kms_key_arn | |||
| is_organization_trail = var.is_organization_trail | |||
|
|
|||
| s3_key_prefix = var.s3_key_prefix | |||
There was a problem hiding this comment.
Ensure CloudTrail trail is integrated with CloudWatch Log
Resource: aws_cloudtrail.default | ID: BC_AWS_LOGGING_27
How to Fix
resource "aws_cloudtrail" "aws_cloudtrail_ok" {
name = "tf-trail-foobar"
cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.example.arn}:*"
}Description
AWS CloudTrail is a web service that records AWS API calls made in a given AWS account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, realtime analysis can be performed by configuring CloudTrail to send logs to CloudWatch logs. For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch logs log group. It is recommended that CloudTrail logs be sent to CloudWatch logs.| @@ -12,7 +12,7 @@ resource "aws_cloudtrail" "default" { | |||
| tags = module.this.tags | |||
| kms_key_id = var.kms_key_arn | |||
| is_organization_trail = var.is_organization_trail | |||
|
|
|||
| s3_key_prefix = var.s3_key_prefix | |||
There was a problem hiding this comment.
Ensure AWS CloudTrail logs are encrypted using CMKs
Resource: aws_cloudtrail.default | ID: BC_AWS_LOGGING_7
Error in referred variable: variable "kms_key_arn"
How to Fix
Resources:
myTrail:
Type: AWS::CloudTrail::Trail
Properties:
...
+ KMSKeyId: alias/MyAliasNameDescription
AWS CloudTrail is a web service that records AWS API calls for an account, and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data. It uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server-side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs.We recommend that CloudTrail logs are configured to use SSE-KMS, providing additional confidentiality controls on log data. A given user must have S3 read permission on the corresponding log bucket and must be granted decrypt permission by the CMK policy.
Benchmarks
- SOC2 CC6.3.3
- PCI-DSS V3.2 3, 10
- HIPAA 164.312(D) Person or entity authentication
- NIST-800-53 AC-17
- ISO27001 A.12.4.2
- CIS AWS V1.2 2.7
- PCI-DSS V3.2.1 10.5.1
- FEDRAMP (MODERATE) AU-9, SC-28
- CIS AWS V1.3 3.7
There was a problem hiding this comment.
Change details
-
Error ID Change Path Resource BC_AWS_LOGGING_7 Added /main.tf aws_cloudtrail.default BC_AWS_LOGGING_27 Added /main.tf aws_cloudtrail.default
| @@ -12,7 +12,7 @@ resource "aws_cloudtrail" "default" { | |||
| tags = module.this.tags | |||
| kms_key_id = var.kms_key_arn | |||
| is_organization_trail = var.is_organization_trail | |||
|
|
|||
| s3_key_prefix = var.s3_key_prefix | |||
There was a problem hiding this comment.
Ensure AWS CloudTrail logs are encrypted using CMKs
Resource: aws_cloudtrail.default | ID: BC_AWS_LOGGING_7
Error in referred variable: variable "kms_key_arn"
How to Fix
Resources:
myTrail:
Type: AWS::CloudTrail::Trail
Properties:
...
+ KMSKeyId: alias/MyAliasNameDescription
AWS CloudTrail is a web service that records AWS API calls for an account, and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data. It uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server-side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs.We recommend that CloudTrail logs are configured to use SSE-KMS, providing additional confidentiality controls on log data. A given user must have S3 read permission on the corresponding log bucket and must be granted decrypt permission by the CMK policy.
Benchmarks
- SOC2 CC6.3.3
- PCI-DSS V3.2 3, 10
- HIPAA 164.312(D) Person or entity authentication
- NIST-800-53 AC-17
- ISO27001 A.12.4.2
- CIS AWS V1.2 2.7
- PCI-DSS V3.2.1 10.5.1
- FEDRAMP (MODERATE) AU-9, SC-28
- CIS AWS V1.3 3.7
| @@ -12,7 +12,7 @@ resource "aws_cloudtrail" "default" { | |||
| tags = module.this.tags | |||
| kms_key_id = var.kms_key_arn | |||
| is_organization_trail = var.is_organization_trail | |||
|
|
|||
| s3_key_prefix = var.s3_key_prefix | |||
There was a problem hiding this comment.
Ensure CloudTrail trail is integrated with CloudWatch Log
Resource: aws_cloudtrail.default | ID: BC_AWS_LOGGING_27
How to Fix
resource "aws_cloudtrail" "aws_cloudtrail_ok" {
name = "tf-trail-foobar"
cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.example.arn}:*"
}Description
AWS CloudTrail is a web service that records AWS API calls made in a given AWS account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, realtime analysis can be performed by configuring CloudTrail to send logs to CloudWatch logs. For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch logs log group. It is recommended that CloudTrail logs be sent to CloudWatch logs.There was a problem hiding this comment.
Change details
-
Error ID Change Path Resource BC_AWS_LOGGING_7 Added /main.tf aws_cloudtrail.default BC_AWS_LOGGING_27 Added /main.tf aws_cloudtrail.default
|
@Gowiem Let me know if these need to be fixed. |
|
/test all |
Gowiem
approved these changes
Nov 29, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
what
s3_key_prefixvariablewhy