diff --git a/modules/scp/README.md b/modules/scp/README.md
index 2f4261c..c2b55f7 100644
--- a/modules/scp/README.md
+++ b/modules/scp/README.md
@@ -35,6 +35,7 @@ No modules.
 | [aws_organizations_policy.deny_guardduty_modify](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy) | resource |
 | [aws_organizations_policy.deny_member_leaving](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy) | resource |
 | [aws_organizations_policy.deny_s3_public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy) | resource |
+| [aws_organizations_policy.deny_s3_unsecure_requests](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy) | resource |
 | [aws_organizations_policy.deny_securityhub_disable](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy) | resource |
 | [aws_organizations_policy.require_s3_encryption](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy) | resource |
diff --git a/modules/scp/REFERENCES.txt b/modules/scp/REFERENCES.txt
new file mode 100644
index 0000000..c485931
--- /dev/null
+++ b/modules/scp/REFERENCES.txt
@@ -0,0 +1,3 @@
+
https://aws-samples.github.io/aws-iam-permissions-guardrails/guardrails/scp-guardrails.html
https://github.com/ScaleSec/terraform_aws_scp
diff --git a/modules/scp/files/deny-cloudtrail-tamper.json b/modules/scp/files/deny-cloudtrail-tamper.json
index 8823881..a690a5c 100644
--- a/modules/scp/files/deny-cloudtrail-tamper.json
+++ b/modules/scp/files/deny-cloudtrail-tamper.json
@@ -6,8 +6,8 @@
 "Effect": "Deny",
 "Action": [
 "cloudtrail:DeleteTrail",
- "cloudtrail:StopLogging",
 "cloudtrail:PutEventSelectors",
+ "cloudtrail:StopLogging",
 "cloudtrail:UpdateTrail"
 ],
 "Resource": [
diff --git a/modules/scp/files/deny-config-modify.json b/modules/scp/files/deny-config-modify.json
index 5569b97..a3c6746 100644
--- a/modules/scp/files/deny-config-modify.json
+++ b/modules/scp/files/deny-config-modify.json
@@ -6,8 +6,11 @@
 "Effect": "Deny",
 "Action": [
 "config:DeleteConfigRule",
+ "config:DeleteConfigurationAggregator",
 "config:DeleteConfigurationRecorder",
 "config:DeleteDeliveryChannel",
+ "config:DeleteEvaluationResults",
+ "config:DeleteRetentionConfiguration",
 "config:StopConfigurationRecorder"
 ],
 "Resource": "*"
diff --git a/modules/scp/files/deny-s3-unsecure-requests.json b/modules/scp/files/deny-s3-unsecure-requests.json
new file mode 100644
index 0000000..65f4fea
--- /dev/null
+++ b/modules/scp/files/deny-s3-unsecure-requests.json
@@ -0,0 +1,18 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "DenyS3UnsecureRequests",
+ "Effect": "Deny",
+ "Action": [
+ "s3:*"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "Bool": {
+ "aws:SecureTransport": "false"
+ }
+ }
+ }
+ ]
+}
diff --git a/modules/scp/files/require-s3-encryption.json b/modules/scp/files/require-s3-encryption.json
index c0f885d..c1eb597 100644
--- a/modules/scp/files/require-s3-encryption.json
+++ b/modules/scp/files/require-s3-encryption.json
@@ -8,7 +8,7 @@
 "Resource": "*",
 "Condition": {
 "StringNotEquals": {
- "s3:x-amz-server-side-encryption": "AES256"
+ "s3:x-amz-server-side-encryption": ["AES256", "aws:kms"]
 }
 }
 },
diff --git a/modules/scp/main.tf b/modules/scp/main.tf
index cde1e77..26f0cab 100644
--- a/modules/scp/main.tf
+++ b/modules/scp/main.tf
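Review bot: The deny list still leaves the recorder and delivery channel modifiable: `config:PutConfigurationRecorder` can narrow the set of recorded resource types and `config:PutDeliveryChannel` can repoint the delivery bucket, and neither is covered by the three Delete actions this hunk adds. If AWS Config is provisioned centrally from the management account (which SCPs do not restrict), add `"config:PutConfigurationRecorder",` and `"config:PutDeliveryChannel",` to the `Action` array in alphabetical position; if member accounts must self-provision Config, the exclusion should instead be documented next to the policy in the module README. The statement's `Sid` and the rest of the document lie outside the hunk.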
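Review bot: The `Bool` condition on `aws:SecureTransport` rejects plaintext requests but sets no floor on the TLS version, so requests negotiated at TLS 1.0 or 1.1 still pass this SCP. If a minimum version is in scope, add a second Deny statement with `"NumericLessThan": { "s3:TlsVersion": 1.2 }` rather than folding it into this one, since conditions within a single statement are ANDed and the combined statement would only deny requests that are both plaintext and below 1.2. The one-element `"Action"` array matches the style of the other policy files in this module, so no change there.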
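Review bot: The widened `StringNotEquals` list admits SSE-S3 and SSE-KMS but still denies uploads that declare `aws:kms:dsse` (dual-layer SSE-KMS), the third value S3 accepts for this header; if DSSE-KMS objects are meant to be allowed the line should read `"s3:x-amz-server-side-encryption": ["AES256", "aws:kms", "aws:kms:dsse"]`. It is also worth confirming how this statement treats uploads that omit the header entirely — negated operators typically evaluate true on a missing key, which would deny requests relying on bucket default encryption — and recording the intended behaviour in the module README. The inline array differs from the multi-line array style used in the other policy files; formatting it one value per line would keep the files consistent. The enclosing statement opens before the hunk and another statement follows the closing `},`.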
@@ -113,6 +113,14 @@ resource "aws_organizations_policy" "deny_s3_public" {
 type = "SERVICE_CONTROL_POLICY"
 content = file("${path.module}/files/deny-s3-public.json")
 }
+resource "aws_organizations_policy" "deny_s3_unsecure_requests" {
+ count = local.enable && var.enable_s3 ? 1 : 0
+ name = "deny_s3_unsecure_requests"
+ description = "Prevent S3 unsecured requests"
+ tags = var.tags
+ type = "SERVICE_CONTROL_POLICY"
+ content = file("${path.module}/files/deny-s3-unsecure-requests.json")
+}
 resource "aws_organizations_policy" "require_s3_encryption" {
 count = local.enable && var.enable_s3 ? 1 : 0
 name = "require_s3_encryption"
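Review bot: The `description` value `"Prevent S3 unsecured requests"` is what operators see in the Organizations console and says less than the policy enforces; `description = "Deny all S3 API calls made without TLS (aws:SecureTransport = false)"` tells them what will break when it is attached. The new resource mirrors its siblings (`count`, `tags`, `type`, `content`), but if the module binds each policy through a separate `aws_organizations_policy_attachment`, this diff adds none for `deny_s3_unsecure_requests` and the policy would be created unattached — worth checking the attachment block, which is outside this hunk. The `deny_s3_public` resource opens before the hunk and `require_s3_encryption` continues past it.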