Data events were recently enabled for CloudTrail, which can show granular details about modifications on DynamoDB or S3. This can greatly help when auditing data access and for security insights. The following Terraform script demonstrates how to achieve this:
# Look up the existing DynamoDB table whose data-plane activity the trail will
# record. The table itself is not created here; only its ARN is used below.
data "aws_dynamodb_table" "credential-store" {
  name = "credential-store"
}
# CloudWatch Logs destination that the trail delivers events to.
# NOTE(review): retention_in_days is not set (provider default 0 = never expire)
# and kms_key_id is not set (CloudWatch Logs default encryption) — confirm both
# against the audit retention and encryption requirements.
resource "aws_cloudwatch_log_group" "infra-audit-data-access" {
  name = "infra-audit-data-access"
}
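# Trail that records management events plus DynamoDB data events (reads and
# writes) for the credential-store table, delivering to S3 and CloudWatch Logs.
# NOTE(review): kms_key_id is not set, so delivered log files use the bucket's
# default S3 encryption; is_multi_region_trail is not set, so management events
# are only captured for the provider's region — confirm both are intended.
resource "aws_cloudtrail" "infra-audit-data-access" {
  name           = "infra-audit-data-access"
  s3_bucket_name = aws_s3_bucket.infra-audit-data-access.id

  # Digest files let an auditor detect tampering with delivered log files.
  enable_log_file_validation = true

  cloud_watch_logs_role_arn  = aws_iam_role.infra-audit-data-access.arn
  cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.infra-audit-data-access.arn}:*"

  # CloudTrail checks at creation time that the role can write to the log group.
  # The role's permissions live in a separate aws_iam_role_policy that nothing
  # above references, so without an explicit dependency the trail can be created
  # before that policy exists and fail the check. The log group dependency is
  # already implied by cloud_watch_logs_group_arn but is kept for clarity.
  depends_on = [
    aws_cloudwatch_log_group.infra-audit-data-access,
    aws_iam_role_policy.infra-audit-data-access,
  ]

  event_selector {
    read_write_type           = "All"
    include_management_events = true

    # Data events are only recorded for the listed table ARN.
    data_resource {
      type   = "AWS::DynamoDB::Table"
      values = [data.aws_dynamodb_table.credential-store.arn]
    }
  }
}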
# Delivery bucket for the trail's log files. The bucket policy grants the
# CloudTrail service principal only the two actions it needs: an ACL check on
# the bucket and object writes below the bucket root.
# NOTE(review): force_destroy = true lets a `terraform destroy` delete the bucket
# together with the audit logs it holds; reconsider once the trail is in use.
# NOTE(review): the bucket name is repeated as a literal inside the policy
# because a bucket cannot reference its own attributes — keep the three
# occurrences in sync. An aws:SourceArn condition on the PutObject statement
# (as AWS recommends) cannot be added here without a reference cycle with the
# trail; a separate aws_s3_bucket_policy resource would allow it.
resource "aws_s3_bucket" "infra-audit-data-access" {
  bucket        = "infra-audit-data-access"
  force_destroy = true

  # Prior object versions are retained, so an overwritten or deleted log file
  # can still be recovered.
  versioning {
    enabled = true
  }

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "AWSCloudTrailAclCheck"
        Effect    = "Allow"
        Principal = { Service = "cloudtrail.amazonaws.com" }
        Action    = "s3:GetBucketAcl"
        Resource  = "arn:aws:s3:::infra-audit-data-access"
      },
      {
        Sid       = "AWSCloudTrailWrite"
        Effect    = "Allow"
        Principal = { Service = "cloudtrail.amazonaws.com" }
        Action    = "s3:PutObject"
        Resource  = "arn:aws:s3:::infra-audit-data-access/*"
        # Writes are only accepted when the bucket owner is granted full control
        # of each delivered object.
        Condition = {
          StringEquals = { "s3:x-amz-acl" = "bucket-owner-full-control" }
        }
      },
    ]
  })
}
# Role that CloudTrail assumes to deliver events to the CloudWatch log group.
# The trust policy allows only the CloudTrail service principal to assume it.
resource "aws_iam_role" "infra-audit-data-access" {
  name = "infra-audit-data-access"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect    = "Allow"
        Principal = { Service = "cloudtrail.amazonaws.com" }
        Action    = "sts:AssumeRole"
      },
    ]
  })
}
# Inline permissions for the delivery role, scoped to this one log group and its
# streams rather than to all log groups. The Sid values appear to be the ones
# from the AWS documentation for CloudTrail-to-CloudWatch Logs delivery.
resource "aws_iam_role_policy" "infra-audit-data-access" {
  name = "infra-audit-data-access"
  role = aws_iam_role.infra-audit-data-access.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid      = "AWSCloudTrailCreateLogStream2014110"
        Effect   = "Allow"
        Action   = ["logs:CreateLogStream"]
        Resource = ["${aws_cloudwatch_log_group.infra-audit-data-access.arn}:*"]
      },
      {
        Sid      = "AWSCloudTrailPutLogEvents20141101"
        Effect   = "Allow"
        Action   = ["logs:PutLogEvents"]
        Resource = ["${aws_cloudwatch_log_group.infra-audit-data-access.arn}:*"]
      },
    ]
  })
}