Enabling CloudTrail data-event audits for DynamoDB or S3 data access

Data events were recently enabled for CloudTrail, which can show granular details about modifications to DynamoDB or S3 data. This can greatly help when auditing data access and gathering security insights. The following Terraform script demonstrates how to achieve this:

# Looks up the existing "credential-store" table so its ARN can be used as the
# data-event target of the trail below; the table itself is not managed by
# this configuration.
data "aws_dynamodb_table" "credential-store" {
  name = "credential-store"
}

# Destination log group for the trail's CloudWatch Logs delivery.
# NOTE(review): no retention_in_days or kms_key_id is set, so events are kept
# indefinitely under the account's default encryption — confirm this matches
# the retention and encryption requirements for audit data.
resource "aws_cloudwatch_log_group" "infra-audit-data-access" {
  name = "infra-audit-data-access"
}

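# Trail that records DynamoDB data-plane events for the credential-store table
# and delivers them to the audit S3 bucket and, through the IAM role declared
# below, to the CloudWatch log group declared above.
resource "aws_cloudtrail" "infra-audit-data-access" {
  name = "infra-audit-data-access"

  # Log files go to the bucket declared in this file. Log file validation
  # makes CloudTrail publish signed digest files so that modification or
  # deletion of delivered logs can be detected.
  s3_bucket_name             = aws_s3_bucket.infra-audit-data-access.id
  enable_log_file_validation = true

  # CloudWatch Logs delivery: CloudTrail assumes the role and writes to the
  # group; the trailing ":*" is the form this argument expects and matches
  # the resource scope used in the role policy below.
  cloud_watch_logs_role_arn  = aws_iam_role.infra-audit-data-access.arn
  cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.infra-audit-data-access.arn}:*"

  depends_on = [aws_cloudwatch_log_group.infra-audit-data-access]

  # NOTE(review): is_multi_region_trail and kms_key_id are left at their
  # defaults, so only the provider's configured region is covered and log
  # files use CloudTrail's default encryption; set both if the audit scope
  # or data-protection policy requires it.

  event_selector {
    # Record both reads and writes, and also management (control-plane)
    # events alongside the data events.
    read_write_type           = "All"
    include_management_events = true

    # Data events are limited to the single table resolved by the data
    # source above; add further table ARNs here to widen the audit.
    data_resource {
      type   = "AWS::DynamoDB::Table"
      # Direct reference instead of the legacy "${...}" interpolation-only
      # string, which Terraform 0.12+ flags as deprecated.
      values = [data.aws_dynamodb_table.credential-store.arn]
    }
  }
}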

# Bucket that receives the trail's log files. The inline policy grants the
# CloudTrail service principal exactly the two actions it needs: reading the
# bucket ACL and writing objects that grant the bucket owner full control.
resource "aws_s3_bucket" "infra-audit-data-access" {
  bucket        = "infra-audit-data-access"
  # NOTE(review): force_destroy = true lets `terraform destroy` remove the
  # bucket together with every audit log in it; for a production audit trail
  # this is normally false so the evidence cannot be deleted that way.
  force_destroy = true

  # Keeps previous object versions, which helps detect and recover from
  # overwritten log files.
  versioning {
    enabled = true
  }

  # The bucket name is repeated literally in the Resource ARNs below because
  # the policy cannot reference the bucket it is attached to.
  # NOTE(review): neither statement carries an aws:SourceArn / aws:SourceAccount
  # condition, so the CloudTrail service acting for a trail in another account
  # could also be pointed at this bucket (confused deputy). Consider adding
  # "aws:SourceArn": "arn:aws:cloudtrail:<REGION>:<ACCOUNT_ID>:trail/infra-audit-data-access"
  # (placeholder values) to both statements, and a public-access block on the
  # bucket. Inline `versioning` and `policy` are deprecated from AWS provider
  # v4 in favour of aws_s3_bucket_versioning / aws_s3_bucket_policy — check
  # the provider version in use.
  policy = <<POLICY
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSCloudTrailAclCheck",
            "Effect": "Allow",
            "Principal": {
              "Service": "cloudtrail.amazonaws.com"
            },
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::infra-audit-data-access"
        },
        {
            "Sid": "AWSCloudTrailWrite",
            "Effect": "Allow",
            "Principal": {
              "Service": "cloudtrail.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::infra-audit-data-access/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            }
        }
    ]
}
POLICY
}

# Role that CloudTrail assumes to deliver events to CloudWatch Logs. The trust
# policy allows only the CloudTrail service principal to assume it; the
# permissions themselves are attached by the aws_iam_role_policy below.
# NOTE(review): as with the bucket policy, an aws:SourceArn condition naming
# the trail (placeholder: arn:aws:cloudtrail:<REGION>:<ACCOUNT_ID>:trail/infra-audit-data-access)
# would stop the service from assuming this role on behalf of other trails.
resource "aws_iam_role" "infra-audit-data-access" {
  name = "infra-audit-data-access"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Permissions for the delivery role above, limited to creating log streams and
# putting events into the one log group declared in this file — no other
# logs:* actions and no wildcard resource, so the role cannot write anywhere
# else. The ":*" suffix matches the stream-level scope used by the trail's
# cloud_watch_logs_group_arn.
resource "aws_iam_role_policy" "infra-audit-data-access" {
  name = "infra-audit-data-access"
  role = aws_iam_role.infra-audit-data-access.id

  policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSCloudTrailCreateLogStream2014110",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream"
            ],
            "Resource": [
                "${aws_cloudwatch_log_group.infra-audit-data-access.arn}:*"
            ]
        },
        {
            "Sid": "AWSCloudTrailPutLogEvents20141101",
            "Effect": "Allow",
            "Action": [
                "logs:PutLogEvents"
            ],
            "Resource": [
                "${aws_cloudwatch_log_group.infra-audit-data-access.arn}:*"
            ]
        }
    ]
}
EOF
}