From 06a130e62b7ac40ad4057e43944dace03b83ffbf Mon Sep 17 00:00:00 2001 From: Eesa Mahmood <73350153+eesa456@users.noreply.github.com> Date: Mon, 7 Aug 2023 10:37:40 +0100 Subject: [PATCH] spinecli 906 905 kms key rotation and s3bucket deny non https (#5) ## Description Pen Test Security Fixes: Enable KMS Key Rotation and S3 Deny on non-HTTPS traffic ## Context Pen Test Security Issues Resolved by this ## Type of changes - [x] Refactoring (non-breaking change) - [ ] New feature (non-breaking change which adds functionality) - [ ] Breaking change (fix or feature that would change existing functionality) - [ ] Bug fix (non-breaking change which fixes an issue) ## Checklist - [x] I am familiar with the [contributing guidelines](../docs/CONTRIBUTING.md) - [x] I have followed the code style of the project - [x] I have added tests to cover my changes - [x] I have updated the documentation accordingly - [ ] This PR is a result of pair or mob programming --- ## Sensitive Information Declaration To ensure the utmost confidentiality and protect your and others privacy, we kindly ask you to NOT including [PII (Personal Identifiable Information) / PID (Personal Identifiable Data)](https://digital.nhs.uk/data-and-information/keeping-data-safe-and-benefitting-the-public) or any other sensitive data in this PR (Pull Request) and the codebase changes. We will remove any PR that do contain any sensitive information. We really appreciate your cooperation in this matter. - [x] I confirm that neither PII/PID nor sensitive data are included in this PR and the codebase changes. --- modules/cloudfront-logs/kms.tf | 1 + modules/opennext-assets/s3.tf | 16 ++++++++++++++++ modules/opennext-revalidation-queue/kms.tf | 1 + 3 files changed, 18 insertions(+) diff --git a/modules/cloudfront-logs/kms.tf b/modules/cloudfront-logs/kms.tf index d4e1534..25c59b0 100644 --- a/modules/cloudfront-logs/kms.tf +++ b/modules/cloudfront-logs/kms.tf @@ -4,6 +4,7 @@ resource "aws_kms_key" "cloudwatch_logs_key" { description = "KMS Key for ${var.log_group_name} log group" deletion_window_in_days = 10 policy = data.aws_iam_policy_document.cloudwatch_logs_key_policy[0].json + enable_key_rotation = true } data "aws_iam_policy_document" "cloudwatch_logs_key_policy" { diff --git a/modules/opennext-assets/s3.tf b/modules/opennext-assets/s3.tf index e9cf56f..7c0668d 100644 --- a/modules/opennext-assets/s3.tf +++ b/modules/opennext-assets/s3.tf @@ -165,6 +165,22 @@ data "aws_iam_policy_document" "read_assets_bucket" { identifiers = [var.server_function_role_arn] } } + statement { + effect = "Deny" + actions = ["s3:*"] + resources = [aws_s3_bucket.assets.arn, "${aws_s3_bucket.assets.arn}/*"] + + condition { + test = "Bool" + values = ["false"] + variable = "aws:SecureTransport" + } + + principals { + type = "*" + identifiers = ["*"] + } + } } # Static Assets diff --git a/modules/opennext-revalidation-queue/kms.tf b/modules/opennext-revalidation-queue/kms.tf index fc566ad..8d6e247 100644 --- a/modules/opennext-revalidation-queue/kms.tf +++ b/modules/opennext-revalidation-queue/kms.tf @@ -10,6 +10,7 @@ resource "aws_kms_key" "revalidation_queue_key" { deletion_window_in_days = 10 policy = data.aws_iam_policy_document.revalidation_queue_key_policy[0].json + enable_key_rotation = true } data "aws_iam_policy_document" "revalidation_queue_key_policy" {