Policy Packs

guardrails-samples

This section contains recommendations for configuring logging related options.

AWS CIS v3.0.0 - Section 3 - Logging

main

aws_audit_trail

Configure the Turbot CloudTrail stack.&#92;n&#92;nThe Guardrails Audit Trail provides a mechanism for configuring a CloudTrail to&#92;nrecord an audit trail of API calls to your AWS accounts.&#92;n

auditTrail

AWS > Turbot > Audit Trail

aws_cloudtrail_trail_encryption_at_rest

Define the Encryption at Rest settings required for `AWS &gt; CloudTrail &gt; Trail`.&#92;n&#92;nEncryption at Rest refers specifically to the encryption of data when written&#92;nto an underlying storage system. This control determines whether the resource&#92;nis encrypted at rest, and sets encryption to your desired level.&#92;n&#92;nThe [Encryption at Rest](https://turbot.com/guardrails/docs/concepts/guardrails/encryption-at-rest)&#92;ncontrol compares the encryption settings against the encryption policies for the resource&#92;n(`AWS &gt; CloudTrail &gt; Trail &gt; Encryption at Rest  &gt; *`),&#92;nraises an alarm, and takes the defined enforcement action&#92;n

trailEncryptionAtRest

AWS > CloudTrail > Trail > Encryption at Rest

aws_cloudtrail_trail_encryption_at_rest_customer_managed_key

Define the KMS key ID for encryption at rest.&#92;n&#92;nEncryption at Rest refers specifically to the encryption of data when written&#92;nto an underlying storage system. This control determines whether the resource&#92;nis encrypted at rest, and sets encryption to your desired level.&#92;n&#92;nThe [Encryption at Rest](https://turbot.com/guardrails/docs/concepts/guardrails/encryption-at-rest)&#92;ncontrol compares the encryption settings against the encryption policies for the resource&#92;n(`AWS &gt; CloudTrail &gt; Trail &gt; Encryption at Rest  &gt; *`),&#92;nraises an alarm, and takes the defined enforcement action&#92;n&#92;nPlease make sure the key defined in the template has required permissions.&#92;n&#92;n```&#92;nexample:&#92;n  alias/aws/ebs&#92;n  ddc06e04-ce5f-4995-c758-c2b6c510e8fd&#92;n  arn:aws:kms:us-east-1:123456789012:key/ddc06e04-ce5f-4995-c758-c2b6c510e8fd&#92;n  arn:aws:kms:us-east-1:123456789012:alias/aws/ebs&#92;n```&#92;n

trailEncryptionAtRestCustomerManagedKey

AWS > CloudTrail > Trail > Encryption at Rest > Customer Managed Key

aws_cloudtrail_trail_log_file_validation

Configure whether Log File Validation is enabled for the CloudTrail trail.

trailLogFileValidation

AWS > CloudTrail > Trail > Log File Validation

aws_config_configuration_recording

Configure Configuration Recording in AWS Config.&#92;nThe AWS Config **Configuration Recording** features allows you to continually monitor&#92;nand record changes resources. The Configuration Recorder provides a complete change&#92;nhistory for monitored resources. The Configuration Recording stack can be used to make sure recording is enabled and&#92;nconfiguration history is being delivered to S3, and optionally SNS.&#92;n

configurationRecording

AWS > Config > Configuration Recording

aws_kms_key_rotation

Set customer master key policies for automatic key rotation by AWS. Guardrails recommends setting this option to Enforce: Enabled, ensuring that KMS keys are rotated annually.

keyRotation

AWS > KMS > Key > Rotation

aws_logging_bucket

Configure the Guardrails Logging Bucket stack.&#92;n&#92;nThis stack configures an AWS S3 Bucket for use as a destination&#92;nfor logs from other AWS services.&#92;n

loggingBucket

AWS > Turbot > Logging > Bucket

aws_logging_bucket_encryption_in_transit

Configure Encryption in Transit on the AWS S3 Bucket.&#92;n&#92;nThis stack configures an AWS S3 Bucket for use as a destination for logs from other AWS services.&#92;nIf Encryption in Transit is set to `Enabled`, the below statement will be applied to the S3 Bucket.&#92;n```&#92;n{&#92;n  Sid: &quot;MustBeEncryptedInTransit&quot;,&#92;n  Effect: &quot;Deny&quot;,&#92;n  Principal: &quot;*&quot;,&#92;n  Action: &quot;s3:*&quot;,&#92;n  Resource: [&#39;arn:${partition}:s3:::${bucketName}&#39;, &#39;arn:${partition}:s3:::${bucketName}/*&#39;],&#92;n  Condition: {&#92;n    Bool: {&#92;n      &quot;aws:SecureTransport&quot;: &quot;false&quot;&#92;n    }&#92;n  }&#92;n}&#92;n```&#92;n

loggingBucketEncryptionInTransit

AWS > Turbot > Logging > Bucket > Encryption in Transit

aws_s3_bucket_access_logging

Define the Access Logging settings required for `AWS &gt; S3 &gt; Bucket`.&#92;n&#92;n`AWS &gt; S3 &gt; Bucket` provides access logs that capture detailed information&#92;nabout requests sent to your bucket. Each log contains information such as&#92;nthe time the request was received, the client&#39;s IP address, latencies,&#92;nrequest paths, and server responses. You can use these access logs to&#92;nanalyze traffic patterns and troubleshoot issues.&#92;n

bucketAccessLogging

AWS > S3 > Bucket > Access Logging

aws_s3_bucket_access_logging_bucket

The name of an S3 Bucket to which the Bucket&#92;naccess logs will be delivered.&#92;n&#92;nThe S3 Bucket must already exist and the S3 service must be allowed write access.&#92;nThe bucket should reside in same account and same region as of the Bucket.&#92;n&#92;nexample:&#92;n```&#92;n  testbucket&#92;n  turbotbucket&#92;n```&#92;n

bucketAccessLoggingBucket

AWS > S3 > Bucket > Access Logging > Bucket

aws_trail_bucket

The name of an S3 bucket to which the Guardrails Trail will be delivered.&#92;n&#92;nCloudTrail must write to S3, thus this policy is required.  The S3 bucket&#92;nmust already exist (the stack will not create it) and the CloudTrail&#92;nservice must be allowed write access. The bucket can reside in any&#92;nregion of any account.&#92;n

trailBucket

AWS > Turbot > Audit Trail > CloudTrail > Trail > S3 Bucket

aws_trail_encryption_key

The KMS key ID that encrypts the logs delivered by CloudTrail. The value is a&#92;nfully specified ARN to a KMS key in the format:&#92;n    `arn:aws:kms:us-east-2:123456789012:key/12345678-1234-1234-1234-123456789012`&#92;n&#92;nIf a key is specified in this policy, SSE-KMS encryption will be enabled with this key.  If the `Encryption Key` policy is blank, the default (SSE-S3) encryption will be used.&#92;n&#92;nThe key will not be created in this stack - it must already exist and CloudTrail&#92;nmust have the correct permissions to use the key. Guardrails will not modify the key policy.&#92;n

trailEncryptionKey

AWS > Turbot > Audit Trail > CloudTrail > Trail > Encryption Key

aws_trail_event_selectors

An event selector that specifies which events to log in the Guardrails Trail.  If&#92;nno event selector is specified, the trail will log all read and write&#92;nmanagement events, and no data events&#92;n&#92;nThe `Event Selectors` policy allows you to specify up to 5 CloudTrail [event selectors](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_EventSelector.html)&#92;nto further specify the management and S3 and/or lambda data event settings for the trail.&#92;n&#92;nBy default, trails created without specific event selectors will be configured to log&#92;nall read and write management events, and no data events&#92;n&#92;nThe format of this policy is the native terraform hcl for [event selectors](https://www.terraform.io/docs/providers/aws/r/cloudtrail.html#event_selector)&#92;n

trailEventSelectors

AWS > Turbot > Audit Trail > CloudTrail > Trail > Event Selectors

aws_trail_global_region

The region in that will host the Guardrails Trail when configured to use a&#92;nmulti-region trail.&#92;n&#92;nThe Guardrails Audit Trail provides a mechanism for configuring a CloudTrail to&#92;nrecord an audit trail of API calls to your AWS accounts.&#92;n

trailGlobalRegion

AWS > Turbot > Audit Trail > CloudTrail > Trail > Global Region

aws_trail_type

The type of CloudTrail deployment to use with Guardrails Audit Trail.&#92;n&#92;nCloudTrail has options for multi-region or single region trails, as well as a new option for&#92;nOrganization trails (for customers that leverage AWS Organizations). This provides&#92;nflexibility in implementation (as well as backwards compatibility - neither multi-region nor&#92;norganization trails were options when the service launched).&#92;n&#92;nNote that Guardrails must manage your Organization Master account in order to use an Organization&#92;ntrail - this can only be configured from the Organization master account.&#92;n

trailType

AWS > Turbot > Audit Trail > CloudTrail > Trail > Type

aws_vpc_core_vpc_flow_logging

Configure VPC Flow logging for the VPC.&#92;n&#92;nVPC Flow Logs is a feature that enables you to capture information about&#92;nthe IP traffic going to and from network interfaces in your VPC. Flow log&#92;ndata can be published to Amazon CloudWatch Logs and Amazon S3.&#92;n

vpcFlowLogging

AWS > VPC > VPC > Flow Logging

The name of an S3 bucket to which the CloudTrail will deliver the logs. To be used for controls 3.1 and 3.4.

logging_bucket

The alias of the KMS key that encrypts the logs delivered by CloudTrail. To be used for control 3.1.

Policy	Setting	Note
AWS > CloudTrail > Trail > Encryption at Rest	Check: Encryption at Rest > Customer Managed Key	AWS CIS v3.0.0 - Controls: 3.5
AWS > CloudTrail > Trail > Encryption at Rest > Customer Managed Key	alias/turbot/default	AWS CIS v3.0.0 - Controls: 3.5
AWS > CloudTrail > Trail > Log File Validation	Check: Enabled	AWS CIS v3.0.0 - Controls: 3.2
AWS > Config > Configuration Recording	Check: Configured	AWS CIS v3.0.0 - Controls: 3.3
AWS > KMS > Key > Rotation	Check: Enabled	AWS CIS v3.0.0 - Controls: 3.6
AWS > S3 > Bucket > Access Logging	Check: Enabled to Access Logging > Bucket	AWS CIS v3.0.0 - Controls: 3.4
AWS > S3 > Bucket > Access Logging > Bucket	Calculated	AWS CIS v3.0.0 - Controls: 3.4
AWS > Turbot > Audit Trail	Check: Configured	AWS CIS v3.0.0 - Controls: 3.1
AWS > Turbot > Audit Trail > CloudTrail > Trail > Encryption Key	Calculated	AWS CIS v3.0.0 - Controls: 3.1
AWS > Turbot > Audit Trail > CloudTrail > Trail > Event Selectors	event_selector { read_write_type = "All" include_management_events = true data_resource { type = "AWS::S3::Object" values = ["arn:aws:s3"] } }	AWS CIS v3.0.0 - Controls: 3.1 & 3.8 & 3.9
AWS > Turbot > Audit Trail > CloudTrail > Trail > Global Region	us-east-1	AWS CIS v3.0.0 - Controls: 3.1
AWS > Turbot > Audit Trail > CloudTrail > Trail > S3 Bucket	Calculated	AWS CIS v3.0.0 - Controls: 3.1
AWS > Turbot > Audit Trail > CloudTrail > Trail > Type	A multi-region trail in the `Trail > Global Region` in each account	AWS CIS v3.0.0 - Controls: 3.1
AWS > Turbot > Logging > Bucket	Check: Configured	AWS CIS v3.0.0 - Controls: 3.1
AWS > Turbot > Logging > Bucket > Encryption in Transit	Enabled	AWS CIS v3.0.0 - Controls: 3.1
AWS > VPC > VPC > Flow Logging	Check: Configured per `Flow Logging > *`	AWS CIS v3.0.0 - Controls: 3.7

Policy Settings