skip: update cloudtrail

.github/workflows/auto-test.yml

@@ -25,7 +25,7 @@ env:
   TF_BACKEND_STORAGE_NAME: ${{ secrets.TF_BACKEND_STORAGE_NAME }}
   TF_CLI_ARGS: "-no-color"
   AWS_DEFAULT_REGION: ${{ secrets.AWS_REGION }}
-  default_resource_priority_list: '["account", "cloudtrail", "iam", "kafka", "message", "rds"]' #'["ecr"]' 
+  default_resource_priority_list: '["iam"]' #'["ecr"]' 
   RED: '\033[0;31m'
 
 permissions:
@@ -35,6 +35,7 @@ permissions:
 jobs:
 
   deploy_common_resources:
+    name: Deploy common
     runs-on: ubuntu-22.04
     strategy:
       fail-fast: false
@@ -154,6 +155,7 @@ jobs:
           echo "not_parallel_resources_to_scan=$not_parallel_resources_to_scan" >> "$GITHUB_OUTPUT"
 
   deploy_and_scan_parallel_resources:
+    name: Scan P
     runs-on: ubuntu-22.04
     needs: [ deploy_common_resources, pack_iam_policies_per_resource, create_readonly_role_for_scans, prepare_matrix_resources]
     strategy:
@@ -209,6 +211,7 @@ jobs:
           remote_path: "policy_output/${{ matrix.compliance }}"
 
   deploy_and_scan_not_parallel_resources:
+    name: Scan N/P
     runs-on: ubuntu-22.04
     needs: [ deploy_common_resources, pack_iam_policies_per_resource, create_readonly_role_for_scans, prepare_matrix_resources]
     if: ${{ needs.prepare_matrix_resources.outputs.not_parallel_resources_list != '[]' }}
@@ -294,6 +297,7 @@ jobs:
           fi
 
   destroy_common_resources:
+    name: Destroy common
     runs-on: ubuntu-22.04
     needs: [deploy_common_resources, deploy_and_scan_parallel_resources,deploy_and_scan_not_parallel_resources]
     if: ${{ always() }}

auto_policy_testing/green/iam/user-red.tf

@@ -3,11 +3,10 @@
 # There won't be necessary to wait 4 hour difference to see red user in the report.
 # For policies:
 # ecc-aws-001-ensure_mfa_is_enabled_for_all_iam_users_with_console_password
-# ecc-aws-140-only_one_active_access_key_available_for_any_single_iam_user
 # ecc-aws-514-inactive_iam_access_keys_are_not_deleted
 
 
-# ecc-aws-140-only_one_active_access_key_available_for_any_single_iam_user
+# ecc-aws-001-ensure_mfa_is_enabled_for_all_iam_users_with_console_password
 resource "aws_iam_user" "red1" {
   name          = "autotest_iam_user_red-1"
   path          = "/"

auto_policy_testing/red/cloudtrail/cloudtrail.tf

@@ -1,7 +1,7 @@
 resource "aws_cloudtrail" "this1" {
   provider                      = aws.provider2
   name                          = "${module.naming.resource_prefix.trail}-1"
-  s3_bucket_name                = aws_s3_bucket.this.id
+  s3_bucket_name                = aws_s3_bucket.this1.id
   enable_log_file_validation    = false
   include_global_service_events = false
 
@@ -14,15 +14,19 @@ resource "aws_cloudtrail" "this1" {
       values = ["arn:aws:lambda"]
     }
   }
+
+  depends_on = [ aws_s3_bucket_policy.this1 ]
 }
 
 resource "aws_cloudtrail" "this2" {
   name                          = "${module.naming.resource_prefix.trail}-2"
-  s3_bucket_name                = aws_s3_bucket.this.id
+  s3_bucket_name                = aws_s3_bucket.this2.id
   enable_log_file_validation    = false
   include_global_service_events = false
   event_selector {
     include_management_events = true
     read_write_type           = "All"
   }
+
+  depends_on = [ aws_s3_bucket_policy.this2 ]
 }

auto_policy_testing/red/cloudtrail/data.tf

@@ -1,6 +1,6 @@
 data "aws_caller_identity" "this" {}
 
-data "aws_iam_policy_document" "this" {
+data "aws_iam_policy_document" "this1" {
   statement {
     effect = "Allow"
 
@@ -10,7 +10,9 @@ data "aws_iam_policy_document" "this" {
     }
 
     actions   = ["s3:GetBucketAcl"]
-    resources = [aws_s3_bucket.this.arn]
+    resources = [
+      aws_s3_bucket.this1.arn
+    ]
   }
 
   statement {
@@ -22,7 +24,48 @@ data "aws_iam_policy_document" "this" {
     }
 
     actions   = ["s3:PutObject"]
-    resources = ["${aws_s3_bucket.this.arn}/AWSLogs/${data.aws_caller_identity.this.account_id}/*"]
+    resources = [
+      "${aws_s3_bucket.this1.arn}/AWSLogs/${data.aws_caller_identity.this.account_id}/*"
+      ]
+
+    condition {
+      test     = "StringEquals"
+      variable = "s3:x-amz-acl"
+
+      values = [
+        "bucket-owner-full-control"
+      ]
+    }
+  }
+}
+
+data "aws_iam_policy_document" "this2" {
+  statement {
+    effect = "Allow"
+
+    principals {
+      type        = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
+    }
+
+    actions   = ["s3:GetBucketAcl"]
+    resources = [
+      aws_s3_bucket.this2.arn
+    ]
+  }
+
+  statement {
+    effect = "Allow"
+
+    principals {
+      type        = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
+    }
+
+    actions   = ["s3:PutObject"]
+    resources = [
+      "${aws_s3_bucket.this2.arn}/AWSLogs/${data.aws_caller_identity.this.account_id}/*"
+      ]
 
     condition {
       test     = "StringEquals"
@@ -47,7 +90,7 @@ data "aws_iam_policy_document" "deny" {
     }
 
     actions   = ["s3:GetBucketAcl"]
-    resources = [aws_s3_bucket.this.arn]
+    resources = [aws_s3_bucket.this2.arn]
   }
 
   statement {
@@ -60,6 +103,6 @@ data "aws_iam_policy_document" "deny" {
     }
 
     actions   = ["s3:PutObject"]
-    resources = ["${aws_s3_bucket.this.arn}/AWSLogs/${data.aws_caller_identity.this.account_id}/*"]
+    resources = ["${aws_s3_bucket.this2.arn}/AWSLogs/${data.aws_caller_identity.this.account_id}/*"]
   }
 }

auto_policy_testing/red/cloudtrail/main.tf

@@ -4,12 +4,12 @@ module "naming" {
   status        = title(basename(dirname(abspath(path.module))))
 }
 
-data "terraform_remote_state" "common" {
-  backend = "s3"
+# data "terraform_remote_state" "common" {
+#   backend = "s3"
 
-  config = {
-    bucket = var.remote_state_bucket
-    key = var.remote_state_key
-    region = var.remote_state_region
-  }
-}
+#   config = {
+#     bucket = var.remote_state_bucket
+#     key = var.remote_state_key
+#     region = var.remote_state_region
+#   }
+# }

auto_policy_testing/red/cloudtrail/s3.tf

@@ -1,5 +1,5 @@
-resource "aws_s3_bucket" "this" {
-  bucket        = "${module.naming.resource_prefix.s3_bucket}-${random_integer.this.result}"
+resource "aws_s3_bucket" "this1" {
+  bucket        = "${module.naming.resource_prefix.s3_bucket}-${random_integer.this.result}-1"
   force_destroy = true
 }
 
@@ -8,33 +8,41 @@ resource "random_integer" "this" {
   max = 10000000
 }
 
-resource "aws_s3_bucket_policy" "this" {
-  bucket = aws_s3_bucket.this.id
-  policy = data.aws_iam_policy_document.this.json
+resource "aws_s3_bucket_policy" "this1" {
+  bucket = aws_s3_bucket.this1.id
+  policy = data.aws_iam_policy_document.this1.json
+}
+
+
+
+resource "aws_s3_bucket" "this2" {
+  bucket        = "${module.naming.resource_prefix.s3_bucket}-${random_integer.this.result}-2"
+  force_destroy = true
+}
+
+resource "aws_s3_bucket_policy" "this2" {
+  bucket = aws_s3_bucket.this2.id
+  policy = data.aws_iam_policy_document.this2.json
 }
 
 resource "aws_s3_bucket_policy" "deny" {
-  bucket = aws_s3_bucket.this.id
+  bucket = aws_s3_bucket.this2.id
   policy = data.aws_iam_policy_document.deny.json
 
   depends_on = [
-    aws_s3_bucket_policy.this,
-    aws_s3_bucket.this,
-    aws_cloudtrail.this1,
+    aws_s3_bucket_policy.this2,
+    aws_s3_bucket.this2,
     aws_cloudtrail.this2
   ]
 }
 
 resource "null_resource" "this" {
   depends_on = [
-    aws_s3_bucket_policy.this,
     aws_s3_bucket_policy.deny,
-    aws_s3_bucket.this,
-    aws_cloudtrail.this1,
     aws_cloudtrail.this2
   ]
   triggers = {
-    s3_name = aws_s3_bucket.this.id
+    s3_name = aws_s3_bucket.this2.id
   }
   provisioner "local-exec" {
     interpreter = ["/bin/bash", "-c"]

auto_policy_testing/red/iam/user-red.tf

@@ -1,4 +1,3 @@
-# ecc-aws-140-only_one_active_access_key_available_for_any_single_iam_user
 resource "aws_iam_user" "red1" {
   provider      = aws.provider2
   name          = "autotest_iam_user_red-1"

auto_policy_testing/scripts/exception_rules.py

@@ -21,9 +21,9 @@
     ],
     "red": [
         "ecc-aws-002-ensure_access_keys_are_rotated_every_90_days",
-        "ecc-aws-017-credentials_unused_for_45_days",
+        "ecc-aws-016-ensure_hardware_mfa_is_enabled_for_root_account",  
+        "ecc-aws-017-credentials_unused_for_45_days",      
         "ecc-aws-022-ebs_volumes_too_old_snapshots",
-        "ecc-aws-016-ensure_hardware_mfa_is_enabled_for_root_account",
         "ecc-aws-046-ensure_no_root_account_access_key_exists",
         "ecc-aws-059-config_enabled_all_regions",
         "ecc-aws-115-expired_certificates_are_removed_from_acm",
@@ -63,9 +63,11 @@
         "iam",
         "cloudtrail"
     ],
-    "sleep_before_scan": [
+    "sleep_before_scan_3min": [
         "account",
-        "ecr",
+        "ecr"
+    ],
+    "sleep_before_scan_5min": [
         "iam"
     ]
 }

auto_policy_testing/scripts/scan.py

@@ -64,8 +64,10 @@ def custodian_run(policy_execution_outputs: dict,
         print('Please use --regions param or setup the AWS_DEFAULT_REGION environment variable')
         sys.exit(1)
     regions = REGIONS.split(';')
-    if resource in getattr(exception_rules, cloud).get("sleep_before_scan", []):
+    if resource in getattr(exception_rules, cloud).get("sleep_before_scan_3min", []):
         time.sleep(180)
+    elif resource in getattr(exception_rules, cloud).get("sleep_before_scan_5min", []):
+        time.sleep(300)
     for region in regions:
         region_param = '--region=' + region if region != "default" else ""
         for policy in policies: