in packages/constructs/L3/governance/audit-l3-construct/lib/audit-l3-construct.ts [93:195]
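/**
 * Creates the audit landing zone: a KMS-encrypted bucket that receives CloudTrail
 * logs (and S3 Inventory reports) from each configured source account, plus the
 * Glue database/tables used to query them.
 *
 * Bucket policy composition, in the order statements are added:
 *  1. CloudTrail `s3:GetBucketAcl` — the "AclCheck" CloudTrail performs before it
 *     will deliver to a bucket. It is scoped with `aws:SourceArn` to trails in the
 *     configured source accounts so that a trail in an unrelated account cannot
 *     exercise the statement (confused-deputy mitigation), matching the scoping
 *     already applied to the write statements.
 *  2. Read access for `this.readRoleIds` over the whole bucket (prefix `/`).
 *  3. Per source account: CloudTrail `s3:PutObject` under `AWSLogs/<account>/`,
 *     requiring the `bucket-owner-full-control` ACL and a trail ARN in that
 *     account, followed by the S3 Inventory delivery statement for that account.
 *
 * @param auditKmsKey key used for bucket encryption. `enforceExclusiveKmsKeys` is
 *   deliberately disabled on this bucket because the resulting Deny statements
 *   prevent CloudTrail from creating trails that target it.
 */
private createAuditResources(auditKmsKey: MdaaKmsKey) {
  const auditBucket = new MdaaBucket(this, 'bucket', {
    encryptionKey: auditKmsKey,
    naming: this.props.naming,
    // Cloudtrail cannot currently create trails if the DENY statements resulting
    // from enforceExclusiveKmsKeys are present in the bucket policy.
    enforceExclusiveKmsKeys: false,
  });

  // Trail ARN pattern for a source account: region and trail name are wildcarded,
  // the account id is pinned. Shared by the ACL-check and write statements.
  const trailArnPatternFor = (srcAccount: string): string =>
    `arn:${this.partition}:cloudtrail:*:${srcAccount}:trail/*`;
  const sourceTrailArnPatterns = this.auditSourceAccounts.map(trailArnPatternFor);

  // CloudTrail verifies the bucket ACL before delivering logs. Restrict which
  // trails may perform that check to the same trail ARNs the write statements
  // below accept; without this condition any trail in any account could target
  // the bucket. The condition is only attached when at least one source account
  // is configured, because an empty condition value would render an invalid policy.
  const cloudTrailAclCheckStatement = new PolicyStatement({
    sid: 'AWSCloudTrailAclCheck20150319',
    effect: Effect.ALLOW,
    resources: [auditBucket.bucketArn],
    actions: ['s3:GetBucketAcl'],
    principals: [new ServicePrincipal('cloudtrail.amazonaws.com')],
  });
  if (sourceTrailArnPatterns.length > 0) {
    cloudTrailAclCheckStatement.addCondition('StringLike', { 'aws:SourceArn': sourceTrailArnPatterns });
  }
  auditBucket.addToResourcePolicy(cloudTrailAclCheckStatement);

  // Read roles get access to the entire bucket ('/' prefix).
  const readRolePermissions = new RestrictObjectPrefixToRoles({
    s3Bucket: auditBucket,
    s3Prefix: '/',
    readRoleIds: this.readRoleIds,
  });
  for (const statement of readRolePermissions.statements()) {
    auditBucket.addToResourcePolicy(statement);
  }

  for (const srcAccount of this.auditSourceAccounts) {
    // Delivery is confined to this account's AWSLogs prefix and to trails owned by
    // this account; CloudTrail must hand ownership of each object to the bucket
    // owner via the bucket-owner-full-control ACL.
    const cloudTrailWriteStatement = new PolicyStatement({
      sid: `AWSCloudTrailWrite20150319-${srcAccount}`,
      effect: Effect.ALLOW,
      resources: [`${auditBucket.bucketArn}/AWSLogs/${srcAccount}/*`],
      actions: ['s3:PutObject'],
      principals: [new ServicePrincipal('cloudtrail.amazonaws.com')],
      conditions: {
        StringEquals: {
          's3:x-amz-acl': 'bucket-owner-full-control',
        },
        StringLike: {
          'aws:SourceArn': trailArnPatternFor(srcAccount),
        },
      },
    });
    auditBucket.addToResourcePolicy(cloudTrailWriteStatement);

    // S3 Inventory delivery from the same source account into the inventory prefix.
    const inventoryStatement = InventoryHelper.createInventoryBucketPolicyStatement(
      auditBucket.bucketArn,
      srcAccount,
      undefined,
      this.props.inventoryPrefix,
    );
    auditBucket.addToResourcePolicy(inventoryStatement);
  }

  // Server access logging and replication findings are suppressed: this bucket is
  // itself the log target, and S3 server access logs cannot be delivered to a
  // KMS-encrypted target.
  MdaaNagSuppressions.addCodeResourceSuppressions(
    auditBucket,
    [
      {
        id: 'AwsSolutions-S1',
        reason:
          '1. Audit bucket is target of cloudtrail audit logs. 2. Server access logs do not support KMS on targets.',
      },
      {
        id: 'NIST.800.53.R5-S3BucketLoggingEnabled',
        reason:
          '1. Audit bucket is target for data lake cloudtrail audit logs. 2. Server access logs do not support KMS on targets.',
      },
      { id: 'NIST.800.53.R5-S3BucketReplicationEnabled', reason: 'MDAA Data Lake does not use bucket replication.' },
      {
        id: 'HIPAA.Security-S3BucketLoggingEnabled',
        reason:
          '1. Audit bucket is target for data lake cloudtrail audit logs. 2. Server access logs do not support KMS on targets.',
      },
      {
        id: 'PCI.DSS.321-S3BucketLoggingEnabled',
        reason:
          '1. Audit bucket is target for data lake cloudtrail audit logs. 2. Server access logs do not support KMS on targets.',
      },
      { id: 'HIPAA.Security-S3BucketReplicationEnabled', reason: 'MDAA Data Lake does not use bucket replication.' },
      { id: 'PCI.DSS.321-S3BucketReplicationEnabled', reason: 'MDAA Data Lake does not use bucket replication.' },
    ],
    true,
  );

  // Glue database to contain the audit tables. Glue database names cannot contain
  // hyphens, so they are replaced with underscores.
  const glueUtilDatabase = new Database(this, 'database', {
    databaseName: this.props.naming.resourceName().replace(/-/gi, '_'),
  });
  AuditHelper.createGlueAuditTable(
    this,
    auditBucket,
    glueUtilDatabase,
    this.auditSourceAccounts,
    this.auditSourceRegions,
  );

  // Inventory table is optional and only created when inventories are configured.
  if (this.props.bucketInventories) {
    InventoryHelper.createGlueInvTable(
      this,
      this.account,
      'audit',
      glueUtilDatabase,
      auditBucket.bucketName,
      this.props.bucketInventories,
      this.props.inventoryPrefix,
    );
  }
}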