diff --git a/iam/All-permissions.json b/iam/All-permissions.json
index fcf35dd1e..a9622fae7 100644
--- a/iam/All-permissions.json
+++ b/iam/All-permissions.json
@@ -12,6 +12,9 @@
 "apigateway:GET",
 "appflow:DescribeFlow",
 "appflow:ListFlows",
+ "appsync:ListGraphqlApis",
+ "appsync:GetGraphqlApi",
+ "appsync:GetApiCache",
 "autoscaling:DescribeAutoScalingGroups",
 "autoscaling:DescribeLaunchConfigurations",
 "backup:GetBackupPlan",
@@ -105,6 +108,7 @@
 "elasticloadbalancing:DescribeTargetHealth",
 "elasticmapreduce:DescribeCluster",
 "elasticmapreduce:ListClusters",
+ "elasticmapreduce:DescribeSecurityConfiguration",
 "es:DescribeDomains",
 "es:DescribeElasticsearchDomain",
 "es:DescribeElasticsearchDomainConfig",
@@ -144,6 +148,7 @@
 "kafka:ListClusters",
 "kinesis:DescribeStream",
 "kinesis:ListStreams",
+ "kinesisvideo:ListStreams",
 "kms:DescribeKey",
 "kms:GetKeyRotationStatus",
 "kms:ListAliases",
@@ -162,8 +167,10 @@
 "rds:DescribeDBClusters",
 "rds:DescribeDBInstances",
 "rds:DescribeDBParameters",
+ "rds:DescribeOptionGroups",
 "rds:DescribeDBSnapshotAttributes",
 "rds:DescribeDBSnapshots",
+ "rds:DescribeDBClusterParameters",
 "redshift:DescribeClusterParameters",
 "redshift:DescribeClusters",
 "redshift:DescribeLoggingStatus",
@@ -184,6 +191,9 @@
 "s3:GetLifecycleConfiguration",
 "s3:GetReplicationConfiguration",
 "s3:ListAllMyBuckets",
+ "s3:GetBucketLifecycle",
+ "s3:GetEncryptionConfiguration",
+ "s3:GetBucketPublicAccessBlock",
 "sagemaker:DescribeEndpointConfig",
 "sagemaker:DescribeModel",
 "sagemaker:DescribeNotebookInstance",
diff --git a/policies/ecc-aws-080-bucket_policy_allows_https_requests.yml b/policies/ecc-aws-080-bucket_policy_allows_https_requests.yml
new file mode 100644
index 000000000..28e13c6f3
--- /dev/null
+++ b/policies/ecc-aws-080-bucket_policy_allows_https_requests.yml
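Review bot: In the last hunk, `s3:GetBucketLifecycle` looks redundant next to `s3:GetLifecycleConfiguration` three lines above it — to my knowledge the IAM action that gates the GetBucketLifecycle(Configuration) call is `s3:GetLifecycleConfiguration`, so the new line adds no grant and can be dropped. In the `rds` hunk the two additions break the alphabetical order the rest of the list keeps; `rds:DescribeDBClusterParameters` belongs before `rds:DescribeDBClusters` and `rds:DescribeOptionGroups` after `rds:DescribeDBSnapshots`. Several policies in this commit use filters whose read calls are not added by any of these hunks (`ownership` in ecc-aws-900 needs `s3:GetBucketOwnershipControls`, `wafv2-enabled` in ecc-aws-651 needs the wafv2 list/get-for-resource actions, and tag lookup for kinesis-video needs more than `kinesisvideo:ListStreams`); if those are not already present elsewhere in this file, the scan will fail with AccessDenied on those rules.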
@@ -0,0 +1,36 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+ - name: ecc-aws-080-bucket_policy_allows_https_requests
+ resource: aws.s3
+ description: |
+ S3 Bucket Policy allows HTTP requests
+ filters:
+ - not:
+ - or:
+ - type: has-statement
+ statements:
+ - Effect: Deny
+ Action: 's3:*'
+ Condition:
+ Bool:
+ "aws:SecureTransport": "false"
+ - type: has-statement
+ statements:
+ - Effect: Deny
+ Action: '*'
+ Condition:
+ Bool:
+ "aws:SecureTransport": "false"
+ - type: has-statement
+ statements:
+ - Effect: Deny
+ Action: 's3:GetObject'
+ Condition:
+ Bool:
+ "aws:SecureTransport": "false"
\ No newline at end of file
diff --git a/policies/ecc-aws-141-s3_encrypted_using_kms.yml b/policies/ecc-aws-141-s3_encrypted_using_kms.yml
new file mode 100644
index 000000000..7ec8ea104
--- /dev/null
+++ b/policies/ecc-aws-141-s3_encrypted_using_kms.yml
@@ -0,0 +1,16 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+ - name: ecc-aws-141-s3_encrypted_using_kms
+ description: |
+ S3 is not using a KMS key for encryption
+ resource: s3
+ filters:
+ - type: bucket-encryption
+ state: false
+ crypto: aws:kms
diff --git a/policies/ecc-aws-162-s3_bucket_lifecycle.yml b/policies/ecc-aws-162-s3_bucket_lifecycle.yml
new file mode 100644
index 000000000..427168edc
--- /dev/null
+++ b/policies/ecc-aws-162-s3_bucket_lifecycle.yml
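Review bot: The three `has-statement` alternatives match only on Effect, Action and the SecureTransport condition, so a Deny that is scoped to one principal or to a narrow Resource passes as compliant, while a Deny whose Action is a list such as `['s3:GetObject', 's3:PutObject']` is reported as non-compliant. Adding `Principal: '*'` to each statement block (if the Custodian release in use accepts it under `statements`) and matching Resource against both the bucket ARN and its `/*` form would bring the check in line with the CIS "require SSL" control. Accepting a Deny limited to `s3:GetObject` as compliant also leaves HTTP writes unflagged; either drop that branch or state in the description that only reads are enforced.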
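Review bot: `resource: s3` here, while ecc-aws-080 in the previous hunk and ecc-aws-280, 900 and 901 use `aws.s3`; the AppSync rules likewise mix `aws.graphql-api` (646, 649, 650) with `graphql-api` (651). Both spellings resolve to the same provider resource, but one convention across `policies/` keeps grep, linting and future provider-qualified lookups predictable — I'd use the `aws.`-prefixed form throughout (same in 162, 163, 216, 246, 290, 614, 689).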
@@ -0,0 +1,16 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+ - name: ecc-aws-162-s3_bucket_lifecycle
+ description: |
+ S3 Bucket life cycle is not configured
+ resource: s3
+ filters:
+ - type: value
+ key: Lifecycle
+ value: null
diff --git a/policies/ecc-aws-163-s3_buckets_without_tags.yml b/policies/ecc-aws-163-s3_buckets_without_tags.yml
new file mode 100644
index 000000000..60311c395
--- /dev/null
+++ b/policies/ecc-aws-163-s3_buckets_without_tags.yml
@@ -0,0 +1,17 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+ - name: ecc-aws-163-s3_buckets_without_tags
+ description: |
+ S3 Buckets without tags
+ resource: s3
+ filters:
+ - not:
+ - type: value
+ key: Tags[0]
+ value: present
diff --git a/policies/ecc-aws-216-s3_bucket_cross_region_replication_enabled.yml b/policies/ecc-aws-216-s3_bucket_cross_region_replication_enabled.yml
new file mode 100644
index 000000000..3c16522df
--- /dev/null
+++ b/policies/ecc-aws-216-s3_bucket_cross_region_replication_enabled.yml
@@ -0,0 +1,16 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+ - name: ecc-aws-216-s3_bucket_cross_region_replication_enabled
+ description: |
+ S3 bucket cross-region replication is disabled
+ resource: s3
+ filters:
+ - type: value
+ key: Replication
+ value: null
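Review bot: In the ecc-aws-216 hunk a non-null `Replication` only proves that some replication configuration exists; same-region replication rules satisfy it too, so SRR-only buckets are reported as compliant with "cross-region replication". The replication configuration does not carry the destination region directly, so if cross-region really is the requirement, either narrow the description to `S3 bucket replication is not configured` or extend the check to compare the destination bucket's region with the source's. The ecc-aws-163 hunk tests `Tags[0]` with `present` while ecc-aws-614 tests `Tags` with `empty`; both work, but one idiom for "untagged" across the rule set is easier to review.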
diff --git a/policies/ecc-aws-246-s3_bucket_versioning_mfa_delete_enabled.yml b/policies/ecc-aws-246-s3_bucket_versioning_mfa_delete_enabled.yml
new file mode 100644
index 000000000..dd80cb546
--- /dev/null
+++ b/policies/ecc-aws-246-s3_bucket_versioning_mfa_delete_enabled.yml
@@ -0,0 +1,20 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+ - name: ecc-aws-246-s3_bucket_versioning_mfa_delete_enabled
+ description: |
+ S3 bucket versioning MFA delete is disabled
+ resource: s3
+ filters:
+ - or:
+ - type: value
+ key: Versioning.MFADelete
+ value: Disabled
+ - type: value
+ key: Versioning.MFADelete
+ value: absent
\ No newline at end of file
diff --git a/policies/ecc-aws-280-s3_buckets_configured_with_block_public_access.yml b/policies/ecc-aws-280-s3_buckets_configured_with_block_public_access.yml
new file mode 100644
index 000000000..314ae93b7
--- /dev/null
+++ b/policies/ecc-aws-280-s3_buckets_configured_with_block_public_access.yml
@@ -0,0 +1,14 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+ - name: ecc-aws-280-s3_buckets_configured_with_block_public_access
+ resource: aws.s3
+ description: |
+ S3 Buckets are not configured with 'Block public access' bucket settings
+ filters:
+ - type: check-public-block
\ No newline at end of file
diff --git a/policies/ecc-aws-290-logging_for_s3_enabled.yml b/policies/ecc-aws-290-logging_for_s3_enabled.yml
new file mode 100644
index 000000000..67506e238
--- /dev/null
+++ b/policies/ecc-aws-290-logging_for_s3_enabled.yml
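Review bot: `check-public-block` with no keys reports a bucket as soon as any one of the four bucket-level settings is unset or false, and it only reads the bucket-level configuration; the account-level Public Access Block is not consulted, so buckets that are effectively protected at account scope still come back as findings. That is a reasonable "defence in depth" position, but it should be stated, e.g. description `S3 bucket does not have all four 'Block public access' settings enabled at bucket level (account-level block is not considered)`. The ecc-aws-246 hunk above is fine as written: an unversioned bucket has no `Versioning.MFADelete`, so the `absent` branch correctly reports it.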
@@ -0,0 +1,15 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+ - name: ecc-aws-290-logging_for_s3_enabled
+ description: |
+ Logging for S3 bucket is disabled
+ resource: s3
+ filters:
+ - type: bucket-logging
+ op: disabled
\ No newline at end of file
diff --git a/policies/ecc-aws-352-rds_mariadb_logging_enabled.yml b/policies/ecc-aws-352-rds_mariadb_logging_enabled.yml
new file mode 100644
index 000000000..31e4b323e
--- /dev/null
+++ b/policies/ecc-aws-352-rds_mariadb_logging_enabled.yml
@@ -0,0 +1,56 @@ +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-352-rds_mariadb_logging_enabled + resource: aws.rds + description: | + MariaDB database logging is disabled + filters: + - and: + - type: value + key: Engine + value: mariadb + - or: + - not: + - type: db-option-groups + key: length(Options[].OptionSettings[?Name == 'SERVER_AUDIT_EVENTS' && Value == `CONNECT,QUERY,TABLE,QUERY_DDL,QUERY_DML,QUERY_DCL`].Value[]) + op: eq + value: 1 + - not: + - type: value + key: EnabledCloudwatchLogsExports + op: in + value_type: swap + value: audit + - type: value + key: EnabledCloudwatchLogsExports + op: in + value_type: swap + value: error + - type: value + key: EnabledCloudwatchLogsExports + op: in + value_type: swap + value: general + - type: value + key: EnabledCloudwatchLogsExports + op: in + value_type: swap + value: slowquery + - type: db-parameter + key: general_log + op: eq + value: 1 + - type: db-parameter + key: slow_query_log + op: eq + value: 1 + - type: db-parameter + key: log_output + op: eq + value: FILE \ No newline at end of file diff --git a/policies/ecc-aws-421-documentdb_logging_enabled.yml b/policies/ecc-aws-421-documentdb_logging_enabled.yml new file mode 100644 index 000000000..e82911e32 --- /dev/null +++ b/policies/ecc-aws-421-documentdb_logging_enabled.yml 
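Review bot: The `db-option-groups` key compares the SERVER_AUDIT_EVENTS value against a backtick literal holding a bare, unquoted string; in JMESPath backticks are meant to hold JSON, and the bare-string form is only accepted through a deprecated fallback (it warns today and will stop parsing once that fallback is removed), so write it as a raw string literal, `'CONNECT,QUERY,TABLE,QUERY_DDL,QUERY_DML,QUERY_DCL'`. The comparison is also order- and spelling-sensitive: an option group listing the same events in a different order, or a superset, is counted as "no audit", so testing each required event name with `contains()` would avoid those false positives. The top-level `and:` is redundant because entries under `filters` are already ANDed; the same applies to ecc-aws-421, 423 and 424.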
@@ -0,0 +1,35 @@ +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-421-documentdb_logging_enabled + resource: aws.rds-cluster + description: | + DocumentDB logging is not enabled + filters: + - and: + - type: value + key: Engine + value: 'docdb' + - not: + - and: + - type: value + key: EnabledCloudwatchLogsExports + op: in + value_type: swap + value: audit + - type: value + key: EnabledCloudwatchLogsExports + op: in + value_type: swap + value: profiler + - type: db-cluster-parameter + key: audit_logs + value: enabled + - type: db-cluster-parameter + key: profiler + value: enabled \ No newline at end of file diff --git a/policies/ecc-aws-423-rds_aurora_mysql_cluster_logging_enabled.yml b/policies/ecc-aws-423-rds_aurora_mysql_cluster_logging_enabled.yml new file mode 100644 index 000000000..f9b2f793f --- /dev/null +++ b/policies/ecc-aws-423-rds_aurora_mysql_cluster_logging_enabled.yml 
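Review bot: `db-cluster-parameter` with `key: audit_logs` and `value: enabled` only accepts that literal; if I recall DocumentDB's allowed values correctly the parameter also takes `ddl`, `dml_read`, `dml_write` and `all`, so a cluster auditing everything with `all` is reported as "logging not enabled". Prefer `op: ne` with `value: disabled` (plus the `absent` case, since an unset parameter means the engine default), or `op: in` over the accepted "on" values.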
@@ -0,0 +1,48 @@ +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-423-rds_aurora_mysql_cluster_logging_enabled + resource: aws.rds-cluster + description: | + Aurora-MySQL cluster logging is disabled + filters: + - and: + - type: value + key: Engine + value: aurora-mysql + - not: + - and: + - type: value + key: EnabledCloudwatchLogsExports + op: in + value_type: swap + value: audit + - type: value + key: EnabledCloudwatchLogsExports + op: in + value_type: swap + value: error + - type: value + key: EnabledCloudwatchLogsExports + op: in + value_type: swap + value: general + - type: value + key: EnabledCloudwatchLogsExports + op: in + value_type: swap + value: slowquery + - type: db-cluster-parameter + key: general_log + value: 1 + - type: db-cluster-parameter + key: slow_query_log + value: 1 + - type: db-cluster-parameter + key: log_output + value: FILE \ No newline at end of file diff --git a/policies/ecc-aws-424-rds_aurora_postgresql_cluster_logging_enabled.yml b/policies/ecc-aws-424-rds_aurora_postgresql_cluster_logging_enabled.yml new file mode 100644 index 000000000..d407d456b --- /dev/null +++ b/policies/ecc-aws-424-rds_aurora_postgresql_cluster_logging_enabled.yml 
@@ -0,0 +1,33 @@ +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-424-rds_aurora_postgresql_cluster_logging_enabled + resource: aws.rds-cluster + description: | + Aurora-PostgreSQL cluster logging is disabled + filters: + - and: + - type: value + key: Engine + value: aurora-postgresql + - or: + - type: db-cluster-parameter + key: log_min_duration_statement + value: absent + - type: db-cluster-parameter + key: log_min_duration_statement + value: -1 + - not: + - type: value + key: EnabledCloudwatchLogsExports + op: in + value_type: swap + value: postgresql + - type: db-cluster-parameter + key: log_statement + value: all \ No newline at end of file diff --git a/policies/ecc-aws-614-kinesis_video_stream_without_tag_information.yml b/policies/ecc-aws-614-kinesis_video_stream_without_tag_information.yml new file mode 100644 index 000000000..5e295d75e --- /dev/null +++ b/policies/ecc-aws-614-kinesis_video_stream_without_tag_information.yml @@ -0,0 +1,16 @@ +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-614-kinesis_video_stream_without_tag_information + description: | + Amazon Kinesis video stream without tag information + resource: kinesis-video + filters: + - type: value + key: Tags + value: empty \ No newline at end of file diff --git a/policies/ecc-aws-646-appsync_logging_enabled.yml b/policies/ecc-aws-646-appsync_logging_enabled.yml new file mode 100644 index 000000000..ad3900c31 --- /dev/null +++ b/policies/ecc-aws-646-appsync_logging_enabled.yml 
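Review bot: Whether the final `db-cluster-parameter log_statement value: all` filter is a fourth branch of the `or:` or sits inside the preceding `not:` cannot be read from the collapsed hunk; as a direct `or` branch it makes clusters with `log_statement = all` — the most verbose setting — count as "logging disabled", which inverts the intent. If that is the layout, move it under the `not:` alongside the CloudWatch-exports check, or test it with `op: ne`. Also, `log_min_duration_statement` set to `0` (log every statement) is treated as compliant here while `-1` is not, which matches PostgreSQL semantics but deserves a line in the description.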
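Review bot: In the ecc-aws-614 hunk, `value: empty` on `Tags` matches `[]`, `{}`, `''` and a missing key alike, so if the `kinesis-video` resource does not augment each stream with its tags, every stream will be reported; the only permission this commit adds for the service is `kinesisvideo:ListStreams`, with no `ListTagsForStream` or `DescribeStream`, which makes that worth confirming with a tagged stream before the rule ships.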
@@ -0,0 +1,16 @@ +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-646-appsync_logging_enabled + description: | + Appsync logging disabled + resource: aws.graphql-api + filters: + - type: value + key: logConfig + value: absent diff --git a/policies/ecc-aws-649-appsync_cache_encrypted_at_rest.yml b/policies/ecc-aws-649-appsync_cache_encrypted_at_rest.yml new file mode 100644 index 000000000..0706da186 --- /dev/null +++ b/policies/ecc-aws-649-appsync_cache_encrypted_at_rest.yml @@ -0,0 +1,16 @@ +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-649-appsync_cache_encrypted_at_rest + description: | + Appsync cache is not encrypted at rest + resource: aws.graphql-api + filters: + - type: api-cache + key: 'atRestEncryptionEnabled' + value: false \ No newline at end of file diff --git a/policies/ecc-aws-650-appsync_cache_encrypted_in_transit.yml b/policies/ecc-aws-650-appsync_cache_encrypted_in_transit.yml new file mode 100644 index 000000000..799881243 --- /dev/null +++ b/policies/ecc-aws-650-appsync_cache_encrypted_in_transit.yml 
@@ -0,0 +1,16 @@ +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-650-appsync_cache_encrypted_in_transit + description: | + Appsync cache is not encrypted in transit + resource: aws.graphql-api + filters: + - type: api-cache + key: 'transitEncryptionEnabled' + value: false \ No newline at end of file diff --git a/policies/ecc-aws-651-appsync_protected_by_waf.yml b/policies/ecc-aws-651-appsync_protected_by_waf.yml new file mode 100644 index 000000000..d79b0187d --- /dev/null +++ b/policies/ecc-aws-651-appsync_protected_by_waf.yml @@ -0,0 +1,15 @@ +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-651-appsync_protected_by_waf + description: | + Appsync is not protected by WAF + resource: graphql-api + filters: + - type: wafv2-enabled + state: false \ No newline at end of file diff --git a/policies/ecc-aws-670-emr_imdsv1_disabled.yml b/policies/ecc-aws-670-emr_imdsv1_disabled.yml new file mode 100644 index 000000000..e6aedff35 --- /dev/null +++ b/policies/ecc-aws-670-emr_imdsv1_disabled.yml 
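Review bot: The `wafv2-enabled` filter in the ecc-aws-651 hunk has to resolve the web ACL attached to each API (the wafv2 list/get-for-resource calls), and none of the `All-permissions.json` hunks in this commit add a `wafv2:` action; if those are not already present earlier in that file the rule will fail at scan time with AccessDenied rather than produce findings. `state: false` also reports APIs with no ACL and APIs whose ACL lookup failed the same way, so a note in the description that "not protected" includes "could not be determined" would help triage.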
@@ -0,0 +1,22 @@ +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-670-emr_imdsv1_disabled + description: | + EMR clusters imdsv1 enabled + resource: aws.emr + filters: + - type: value + key: Status.State + op: in + value: [RUNNING, WAITING] + - not: + - type: security-configuration + key: InstanceMetadataServiceConfiguration.MinimumInstanceMetadataServiceVersion + op: eq + value: 2 diff --git a/policies/ecc-aws-689-bucket_not_dns_compliant.yml b/policies/ecc-aws-689-bucket_not_dns_compliant.yml new file mode 100644 index 000000000..ecbbf6f37 --- /dev/null +++ b/policies/ecc-aws-689-bucket_not_dns_compliant.yml @@ -0,0 +1,18 @@ +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-689-bucket_not_dns_compliant + description: | + S3 bucket is not DNS compliant + resource: s3 + filters: + - not: + - type: value + key: Name + op: regex + value: '^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$' diff --git a/policies/ecc-aws-900-s3_bucket_acl_prohibited.yml b/policies/ecc-aws-900-s3_bucket_acl_prohibited.yml new file mode 100644 index 000000000..defc60f9c --- /dev/null +++ b/policies/ecc-aws-900-s3_bucket_acl_prohibited.yml 
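Review bot: A cluster with no security configuration attached runs with IMDSv1 allowed and should be a finding; whether the `security-configuration` filter evaluates such clusters (key absent, so `eq 2` is false and the `not` matches) or skips them entirely I cannot tell from here — please confirm with an unconfigured cluster in the red fixture. The description `EMR clusters imdsv1 enabled` reads as a statement rather than a finding; `EMR cluster allows IMDSv1` would be clearer.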
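Review bot: In the ecc-aws-689 hunk the pattern `^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$` rejects every name containing a dot, but S3's naming rules allow dots (only adjacent dots, dot-hyphen sequences and IP-address-shaped names are forbidden), so dotted-but-valid names are reported as "not DNS compliant". If the intent is the stricter recommendation of no dots (so virtual-hosted-style requests work over TLS), say so in the description; otherwise extend the pattern, for example `^(?!.*\.\.)(?!.*\.-)(?!.*-\.)(?!\d+\.\d+\.\d+\.\d+$)[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$` (constructed, untested).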
@@ -0,0 +1,16 @@ +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-900-s3_bucket_acl_prohibited + description: | + S3 access control lists (ACLs) are used to manage user access to buckets + resource: aws.s3 + filters: + - not: + - type: ownership + value: BucketOwnerEnforced diff --git a/policies/ecc-aws-901-s3_version_lifecycle_policy_check.yml b/policies/ecc-aws-901-s3_version_lifecycle_policy_check.yml new file mode 100644 index 000000000..eeec8ad84 --- /dev/null +++ b/policies/ecc-aws-901-s3_version_lifecycle_policy_check.yml @@ -0,0 +1,19 @@ +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-901-s3_version_lifecycle_policy_check + description: | + S3 buckets with versioning enabled do not have lifecycle policies configured + resource: aws.s3 + filters: + - type: value + key: Versioning.Status + value: Enabled + - type: value + key: Lifecycle + value: null diff --git a/terraform/ecc-aws-080-bucket_policy_allows_https_requests/green/provider.tf b/terraform/ecc-aws-080-bucket_policy_allows_https_requests/green/provider.tf new file mode 100644 index 000000000..f28924692 --- /dev/null +++ b/terraform/ecc-aws-080-bucket_policy_allows_https_requests/green/provider.tf 
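Review bot: The `ownership` filter reads each bucket's ownership controls, which to my knowledge is gated by `s3:GetBucketOwnershipControls`; that action is not added in any `All-permissions.json` hunk of this commit, so unless it is already present elsewhere in that file this rule will fail with AccessDenied. Buckets with no ownership-controls configuration at all are also in the `ObjectWriter` state and should be reported; a line in the description saying that "no configuration" counts as a finding would make the expected result explicit.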
@@ -0,0 +1,20 @@ +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 4" + } + } +} + +provider "aws" { + profile = var.profile + region = var.default-region + + default_tags { + tags = { + CustodianRule = "ecc-aws-080-bucket_policy_allows_https_requests" + ComplianceStatus = "Green" + } + } +} \ No newline at end of file diff --git a/terraform/ecc-aws-080-bucket_policy_allows_https_requests/green/s3.tf b/terraform/ecc-aws-080-bucket_policy_allows_https_requests/green/s3.tf new file mode 100644 index 000000000..841eba4a4 --- /dev/null +++ b/terraform/ecc-aws-080-bucket_policy_allows_https_requests/green/s3.tf @@ -0,0 +1,32 @@ +resource "aws_s3_bucket" "this" { + bucket = "080-bucket-green" + force_destroy = true + +} + +resource "aws_s3_bucket_policy" "this" { + bucket = aws_s3_bucket.this.id + policy = data.aws_iam_policy_document.this.json +} + +data "aws_iam_policy_document" "this" { + statement { + effect = "Deny" + + principals { + type = "*" + identifiers = ["*"] + } + + actions = ["s3:*"] + resources = ["arn:aws:s3:::080-bucket-green/*"] + condition { + test = "Bool" + variable = "aws:SecureTransport" + + values = [ + "false" + ] + } + } +} \ No newline at end of file diff --git a/terraform/ecc-aws-080-bucket_policy_allows_https_requests/green/terraform.tfvars b/terraform/ecc-aws-080-bucket_policy_allows_https_requests/green/terraform.tfvars new file mode 100644 index 000000000..368bc468f --- /dev/null +++ b/terraform/ecc-aws-080-bucket_policy_allows_https_requests/green/terraform.tfvars @@ -0,0 +1,2 @@ +profile = "c7n" +default-region = "us-east-1" \ No newline at end of file diff --git a/terraform/ecc-aws-080-bucket_policy_allows_https_requests/green/variables.tf b/terraform/ecc-aws-080-bucket_policy_allows_https_requests/green/variables.tf new file mode 100644 index 000000000..948c49afd --- /dev/null +++ b/terraform/ecc-aws-080-bucket_policy_allows_https_requests/green/variables.tf 
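Review bot: In the green `s3.tf` the Deny statement's `resources` names only the object ARN `arn:aws:s3:::080-bucket-green/*`, so bucket-level operations (ListBucket and friends) are still allowed over HTTP; the CIS "require SSL" control expects both the bucket ARN and its `/*` form. Hard-coding the name also drifts if the bucket is renamed — `resources = [aws_s3_bucket.this.arn, "${aws_s3_bucket.this.arn}/*"]` keeps the two in sync. The policy filter in ecc-aws-080 does not inspect Resource, so the fixture still scans green either way, but the fixture should model the recommended configuration.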
@@ -0,0 +1,9 @@ +variable "default-region" { + type = string + description = "Default region for resources will be created" +} + +variable "profile" { + type = string + description = "Profile name configured before running apply" +} \ No newline at end of file diff --git a/terraform/ecc-aws-080-bucket_policy_allows_https_requests/iam/080-policy.json b/terraform/ecc-aws-080-bucket_policy_allows_https_requests/iam/080-policy.json new file mode 100644 index 000000000..8a94428b5 --- /dev/null +++ b/terraform/ecc-aws-080-bucket_policy_allows_https_requests/iam/080-policy.json @@ -0,0 +1,23 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "s3:ListAllMyBuckets", + "s3:GetBucketAcl", + "s3:GetBucketLocation", + "s3:GetBucketLogging", + "s3:GetBucketTagging", + "s3:GetBucketWebsite", + "s3:GetBucketNotification", + "s3:GetBucketVersioning", + "s3:GetBucketLifecycle", + "s3:GetLifecycleConfiguration", + "s3:GetReplicationConfiguration", + "s3:GetBucketPolicy" + ], + "Resource": "*" + } + ] +} \ No newline at end of file diff --git a/terraform/ecc-aws-080-bucket_policy_allows_https_requests/red/provider.tf b/terraform/ecc-aws-080-bucket_policy_allows_https_requests/red/provider.tf new file mode 100644 index 000000000..7fdc48149 --- /dev/null +++ b/terraform/ecc-aws-080-bucket_policy_allows_https_requests/red/provider.tf @@ -0,0 +1,20 @@ +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 4" + } + } +} + +provider "aws"{ + profile = var.profile + region = var.default-region + + default_tags { + tags = { + CustodianRule = "ecc-aws-080-bucket_policy_allows_https_requests" + ComplianceStatus = "Red" + } + } +} \ No newline at end of file diff --git a/terraform/ecc-aws-080-bucket_policy_allows_https_requests/red/s3.tf b/terraform/ecc-aws-080-bucket_policy_allows_https_requests/red/s3.tf new file mode 100644 index 000000000..60320e8eb --- /dev/null 
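Review bot: The `variables.tf` description `Default region for resources will be created` is ungrammatical; `Region in which the resources will be created` reads correctly, and the same text is copied into the variables.tf hunks for the other rules in this commit (080 red, 141 green/red, 162 green/red). The red `provider.tf` in this line declares `provider "aws"{` without the space that `terraform fmt` inserts (the green file has it); running fmt on the terraform/ tree before merge would normalise this across the 141 and 162 fixtures too.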
+++ b/terraform/ecc-aws-080-bucket_policy_allows_https_requests/red/s3.tf @@ -0,0 +1,4 @@ +resource "aws_s3_bucket" "this" { + bucket = "080-bucket-red" + force_destroy = true +} \ No newline at end of file diff --git a/terraform/ecc-aws-080-bucket_policy_allows_https_requests/red/terraform.tfvars b/terraform/ecc-aws-080-bucket_policy_allows_https_requests/red/terraform.tfvars new file mode 100644 index 000000000..368bc468f --- /dev/null +++ b/terraform/ecc-aws-080-bucket_policy_allows_https_requests/red/terraform.tfvars @@ -0,0 +1,2 @@ +profile = "c7n" +default-region = "us-east-1" \ No newline at end of file diff --git a/terraform/ecc-aws-080-bucket_policy_allows_https_requests/red/variables.tf b/terraform/ecc-aws-080-bucket_policy_allows_https_requests/red/variables.tf new file mode 100644 index 000000000..948c49afd --- /dev/null +++ b/terraform/ecc-aws-080-bucket_policy_allows_https_requests/red/variables.tf @@ -0,0 +1,9 @@ +variable "default-region" { + type = string + description = "Default region for resources will be created" +} + +variable "profile" { + type = string + description = "Profile name configured before running apply" +} \ No newline at end of file diff --git a/terraform/ecc-aws-141-s3_encrypted_using_kms/green/encryption.tf b/terraform/ecc-aws-141-s3_encrypted_using_kms/green/encryption.tf new file mode 100644 index 000000000..0014738bc --- /dev/null +++ b/terraform/ecc-aws-141-s3_encrypted_using_kms/green/encryption.tf 
@@ -0,0 +1,24 @@ +resource "aws_kms_key" "this" { + description = "Key to encrypt and decrypt secret parameters" + key_usage = "ENCRYPT_DECRYPT" + policy = data.aws_iam_policy_document.this.json + deletion_window_in_days = 7 + is_enabled = true + enable_key_rotation = true +} + +resource "aws_kms_alias" "this" { + name = "alias/k-141" + target_key_id = "${aws_kms_key.this.key_id}" +} + +resource "aws_s3_bucket_server_side_encryption_configuration" "this" { + bucket = aws_s3_bucket.this.bucket + + rule { + apply_server_side_encryption_by_default { + kms_master_key_id = "${aws_kms_key.this.arn}" + sse_algorithm = "aws:kms" + } + } +} \ No newline at end of file diff --git a/terraform/ecc-aws-141-s3_encrypted_using_kms/green/provider.tf b/terraform/ecc-aws-141-s3_encrypted_using_kms/green/provider.tf new file mode 100644 index 000000000..8e373c5a5 --- /dev/null +++ b/terraform/ecc-aws-141-s3_encrypted_using_kms/green/provider.tf @@ -0,0 +1,20 @@ +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 4" + } + } +} + +provider "aws"{ + profile = var.profile + region = var.default-region + + default_tags { + tags = { + CustodianRule = "ecc-aws-141-s3_encrypted_using_kms" + ComplianceStatus = "Green" + } + } +} \ No newline at end of file diff --git a/terraform/ecc-aws-141-s3_encrypted_using_kms/green/s3.tf b/terraform/ecc-aws-141-s3_encrypted_using_kms/green/s3.tf new file mode 100644 index 000000000..48f67314a --- /dev/null +++ b/terraform/ecc-aws-141-s3_encrypted_using_kms/green/s3.tf 
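Review bot: `target_key_id = "${aws_kms_key.this.key_id}"` and `kms_master_key_id = "${aws_kms_key.this.arn}"` use the legacy interpolation-only string form; with the `~> 4` provider and current Terraform these should be bare references, `aws_kms_key.this.key_id` and `aws_kms_key.this.arn` (terraform fmt flags them). The key policy this resource references grants `kms:*` to the account root only, which is fine for a throwaway fixture but worth a comment so nobody copies it into a production module.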
@@ -0,0 +1,33 @@ +resource "aws_s3_bucket" "this" { + bucket = "141-bucket-green" +} + +resource "aws_s3_bucket_ownership_controls" "this" { + bucket = aws_s3_bucket.this.id + rule { + object_ownership = "BucketOwnerPreferred" + } +} + +resource "aws_s3_bucket_acl" "this" { + depends_on = [aws_s3_bucket_ownership_controls.this] + + bucket = aws_s3_bucket.this.id + acl = "private" +} + +data "aws_caller_identity" "this" {} + +data "aws_iam_policy_document" "this" { + statement { + effect = "Allow" + + principals { + type = "AWS" + identifiers = ["arn:aws:iam::${data.aws_caller_identity.this.account_id}:root"] + } + + actions = ["kms:*"] + resources = ["*"] + } +} diff --git a/terraform/ecc-aws-141-s3_encrypted_using_kms/green/terraform.tfvars b/terraform/ecc-aws-141-s3_encrypted_using_kms/green/terraform.tfvars new file mode 100644 index 000000000..368bc468f --- /dev/null +++ b/terraform/ecc-aws-141-s3_encrypted_using_kms/green/terraform.tfvars @@ -0,0 +1,2 @@ +profile = "c7n" +default-region = "us-east-1" \ No newline at end of file diff --git a/terraform/ecc-aws-141-s3_encrypted_using_kms/green/variables.tf b/terraform/ecc-aws-141-s3_encrypted_using_kms/green/variables.tf new file mode 100644 index 000000000..948c49afd --- /dev/null +++ b/terraform/ecc-aws-141-s3_encrypted_using_kms/green/variables.tf @@ -0,0 +1,9 @@ +variable "default-region" { + type = string + description = "Default region for resources will be created" +} + +variable "profile" { + type = string + description = "Profile name configured before running apply" +} \ No newline at end of file diff --git a/terraform/ecc-aws-141-s3_encrypted_using_kms/iam/141-policy.json b/terraform/ecc-aws-141-s3_encrypted_using_kms/iam/141-policy.json new file mode 100644 index 000000000..53a7390fd --- /dev/null +++ b/terraform/ecc-aws-141-s3_encrypted_using_kms/iam/141-policy.json 
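Review bot: The green `s3.tf` for ecc-aws-141 attaches a private ACL with `BucketOwnerPreferred` ownership, which is exactly the shape ecc-aws-900 (added in this same commit) reports as a finding; the fixture is green for 141 but red for 900, which is fine only if each rule is scanned against its own fixture — worth a comment on the `aws_s3_bucket_acl` block. Unlike the 080 fixture this bucket has no `force_destroy = true`, so `terraform destroy` will fail if any object is ever written to it during a test run.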
@@ -0,0 +1,24 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "s3:ListAllMyBuckets", + "s3:GetBucketAcl", + "s3:GetBucketLocation", + "s3:GetBucketLogging", + "s3:GetBucketTagging", + "s3:GetBucketWebsite", + "s3:GetBucketNotification", + "s3:GetBucketVersioning", + "s3:GetBucketLifecycle", + "s3:GetLifecycleConfiguration", + "s3:GetReplicationConfiguration", + "s3:GetBucketPolicy", + "s3:GetEncryptionConfiguration" + ], + "Resource": "*" + } + ] +} \ No newline at end of file diff --git a/terraform/ecc-aws-141-s3_encrypted_using_kms/red/provider.tf b/terraform/ecc-aws-141-s3_encrypted_using_kms/red/provider.tf new file mode 100644 index 000000000..a0bea1be6 --- /dev/null +++ b/terraform/ecc-aws-141-s3_encrypted_using_kms/red/provider.tf @@ -0,0 +1,20 @@ +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 4" + } + } +} + +provider "aws"{ + profile = var.profile + region = var.default-region + + default_tags { + tags = { + CustodianRule = "ecc-aws-141-s3_encrypted_using_kms" + ComplianceStatus = "Red" + } + } +} \ No newline at end of file diff --git a/terraform/ecc-aws-141-s3_encrypted_using_kms/red/s3.tf b/terraform/ecc-aws-141-s3_encrypted_using_kms/red/s3.tf new file mode 100644 index 000000000..48b483f91 --- /dev/null +++ b/terraform/ecc-aws-141-s3_encrypted_using_kms/red/s3.tf @@ -0,0 +1,17 @@ +resource "aws_s3_bucket" "this" { + bucket = "141-bucket-red" +} + +resource "aws_s3_bucket_ownership_controls" "this" { + bucket = aws_s3_bucket.this.id + rule { + object_ownership = "BucketOwnerPreferred" + } +} + +resource "aws_s3_bucket_acl" "this" { + depends_on = [aws_s3_bucket_ownership_controls.this] + + bucket = aws_s3_bucket.this.id + acl = "private" +} \ No newline at end of file diff --git a/terraform/ecc-aws-141-s3_encrypted_using_kms/red/terraform.tfvars b/terraform/ecc-aws-141-s3_encrypted_using_kms/red/terraform.tfvars new file mode 100644 index 000000000..368bc468f 
--- /dev/null +++ b/terraform/ecc-aws-141-s3_encrypted_using_kms/red/terraform.tfvars @@ -0,0 +1,2 @@ +profile = "c7n" +default-region = "us-east-1" \ No newline at end of file diff --git a/terraform/ecc-aws-141-s3_encrypted_using_kms/red/variables.tf b/terraform/ecc-aws-141-s3_encrypted_using_kms/red/variables.tf new file mode 100644 index 000000000..948c49afd --- /dev/null +++ b/terraform/ecc-aws-141-s3_encrypted_using_kms/red/variables.tf @@ -0,0 +1,9 @@ +variable "default-region" { + type = string + description = "Default region for resources will be created" +} + +variable "profile" { + type = string + description = "Profile name configured before running apply" +} \ No newline at end of file diff --git a/terraform/ecc-aws-162-s3_bucket_lifecycle/green/provider.tf b/terraform/ecc-aws-162-s3_bucket_lifecycle/green/provider.tf new file mode 100644 index 000000000..a897628cc --- /dev/null +++ b/terraform/ecc-aws-162-s3_bucket_lifecycle/green/provider.tf @@ -0,0 +1,20 @@ +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 4" + } + } +} + +provider "aws"{ + profile = var.profile + region = var.default-region + + default_tags { + tags = { + CustodianRule = "ecc-aws-162-s3_bucket_lifecycle" + ComplianceStatus = "Green" + } + } +} \ No newline at end of file diff --git a/terraform/ecc-aws-162-s3_bucket_lifecycle/green/s3.tf b/terraform/ecc-aws-162-s3_bucket_lifecycle/green/s3.tf new file mode 100644 index 000000000..31ae037de --- /dev/null +++ b/terraform/ecc-aws-162-s3_bucket_lifecycle/green/s3.tf 
@@ -0,0 +1,48 @@
+resource "aws_s3_bucket" "this" {
+ bucket = "162-bucket-green"
+ force_destroy = "true"
+}
+
+resource "aws_s3_bucket_ownership_controls" "this" {
+ bucket = aws_s3_bucket.this.id
+ rule {
+ object_ownership = "BucketOwnerPreferred"
+ }
+}
+
+resource "aws_s3_bucket_acl" "this" {
+ depends_on = [aws_s3_bucket_ownership_controls.this]
+
+ bucket = aws_s3_bucket.this.id
+ acl = "private"
+}
+
+resource "aws_s3_bucket_lifecycle_configuration" "this" {
+ bucket = aws_s3_bucket.this.bucket
+
+ rule {
+ id = "log"
+
+ expiration {
+ days = 90
+ }
+
+ filter {
+ and {
+ prefix = "log/"
+
+ tags = {
+ CustodianRule = "ecc-aws-162-s3_bucket_lifecycle"
+ ComplianceStatus = "Green"
+ }
+ }
+ }
+
+ status = "Enabled"
+
+ transition {
+ days = 60
+ storage_class = "GLACIER"
+ }
+ }
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-162-s3_bucket_lifecycle/green/terraform.tfvars b/terraform/ecc-aws-162-s3_bucket_lifecycle/green/terraform.tfvars
new file mode 100644
index 000000000..368bc468f
--- /dev/null
+++ b/terraform/ecc-aws-162-s3_bucket_lifecycle/green/terraform.tfvars
@@ -0,0 +1,2 @@
+profile = "c7n"
+default-region = "us-east-1"
\ No newline at end of file
diff --git a/terraform/ecc-aws-162-s3_bucket_lifecycle/green/variables.tf b/terraform/ecc-aws-162-s3_bucket_lifecycle/green/variables.tf
new file mode 100644
index 000000000..948c49afd
--- /dev/null
+++ b/terraform/ecc-aws-162-s3_bucket_lifecycle/green/variables.tf
@@ -0,0 +1,9 @@
+variable "default-region" {
+ type = string
+ description = "Default region for resources will be created"
+}
+
+variable "profile" {
+ type = string
+ description = "Profile name configured before running apply"
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-162-s3_bucket_lifecycle/iam/162-policy.json b/terraform/ecc-aws-162-s3_bucket_lifecycle/iam/162-policy.json
new file mode 100644
index 000000000..53a7390fd
--- /dev/null
+++ b/terraform/ecc-aws-162-s3_bucket_lifecycle/iam/162-policy.json
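Review bot: `force_destroy = "true"` passes a string to a boolean argument; Terraform converts it, but `force_destroy = true` (as the 216 fixture later in this diff writes it) is the idiomatic form, and the same string appears in `terraform/ecc-aws-162-s3_bucket_lifecycle/red/s3.tf`. In the lifecycle rule, `filter { and { prefix = "log/" tags = {...} } }` means expiration and transition only ever apply to objects under `log/` that carry both tags, so the fixture satisfies "has an enabled lifecycle rule" while governing almost no objects; if the intent is simply any enabled rule, a bare `filter {}` (or the prefix alone) makes the green case easier to read and less dependent on the tag values. `bucket = aws_s3_bucket.this.bucket` also differs from the `.id` the other resources in this file use; both are the bucket name here, so this is consistency only.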
@@ -0,0 +1,24 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "s3:ListAllMyBuckets",
+ "s3:GetBucketAcl",
+ "s3:GetBucketLocation",
+ "s3:GetBucketLogging",
+ "s3:GetBucketTagging",
+ "s3:GetBucketWebsite",
+ "s3:GetBucketNotification",
+ "s3:GetBucketVersioning",
+ "s3:GetBucketLifecycle",
+ "s3:GetLifecycleConfiguration",
+ "s3:GetReplicationConfiguration",
+ "s3:GetBucketPolicy",
+ "s3:GetEncryptionConfiguration"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-162-s3_bucket_lifecycle/red/provider.tf b/terraform/ecc-aws-162-s3_bucket_lifecycle/red/provider.tf
new file mode 100644
index 000000000..20cfdb5ee
--- /dev/null
+++ b/terraform/ecc-aws-162-s3_bucket_lifecycle/red/provider.tf
@@ -0,0 +1,20 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4"
+ }
+ }
+}
+
+provider "aws"{
+ profile = var.profile
+ region = var.default-region
+
+ default_tags {
+ tags = {
+ CustodianRule = "ecc-aws-162-s3_bucket_lifecycle"
+ ComplianceStatus = "Red"
+ }
+ }
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-162-s3_bucket_lifecycle/red/s3.tf b/terraform/ecc-aws-162-s3_bucket_lifecycle/red/s3.tf
new file mode 100644
index 000000000..edb5135ca
--- /dev/null
+++ b/terraform/ecc-aws-162-s3_bucket_lifecycle/red/s3.tf
@@ -0,0 +1,18 @@
+resource "aws_s3_bucket" "this" {
+ bucket = "162-bucket-red"
+ force_destroy = "true"
+}
+
+resource "aws_s3_bucket_ownership_controls" "this" {
+ bucket = aws_s3_bucket.this.id
+ rule {
+ object_ownership = "BucketOwnerPreferred"
+ }
+}
+
+resource "aws_s3_bucket_acl" "this" {
+ depends_on = [aws_s3_bucket_ownership_controls.this]
+
+ bucket = aws_s3_bucket.this.id
+ acl = "private"
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-162-s3_bucket_lifecycle/red/terraform.tfvars b/terraform/ecc-aws-162-s3_bucket_lifecycle/red/terraform.tfvars
new file mode 100644
index 000000000..368bc468f
--- /dev/null
+++ b/terraform/ecc-aws-162-s3_bucket_lifecycle/red/terraform.tfvars
@@ -0,0 +1,2 @@
+profile = "c7n"
+default-region = "us-east-1"
\ No newline at end of file
diff --git a/terraform/ecc-aws-162-s3_bucket_lifecycle/red/variables.tf b/terraform/ecc-aws-162-s3_bucket_lifecycle/red/variables.tf
new file mode 100644
index 000000000..948c49afd
--- /dev/null
+++ b/terraform/ecc-aws-162-s3_bucket_lifecycle/red/variables.tf
@@ -0,0 +1,9 @@
+variable "default-region" {
+ type = string
+ description = "Default region for resources will be created"
+}
+
+variable "profile" {
+ type = string
+ description = "Profile name configured before running apply"
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-163-s3_buckets_without_tags/green/provider.tf b/terraform/ecc-aws-163-s3_buckets_without_tags/green/provider.tf
new file mode 100644
index 000000000..66b7fc433
--- /dev/null
+++ b/terraform/ecc-aws-163-s3_buckets_without_tags/green/provider.tf
@@ -0,0 +1,20 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4"
+ }
+ }
+}
+
+provider "aws"{
+ profile = var.profile
+ region = var.default-region
+
+ default_tags {
+ tags = {
+ CustodianRule = "ecc-aws-163-s3_buckets_without_tags"
+ ComplianceStatus = "Green"
+ }
+ }
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-163-s3_buckets_without_tags/green/s3.tf b/terraform/ecc-aws-163-s3_buckets_without_tags/green/s3.tf
new file mode 100644
index 000000000..466fe39eb
--- /dev/null
+++ b/terraform/ecc-aws-163-s3_buckets_without_tags/green/s3.tf
@@ -0,0 +1,17 @@
+resource "aws_s3_bucket" "this" {
+ bucket = "163-bucket-green"
+}
+
+resource "aws_s3_bucket_ownership_controls" "this" {
+ bucket = aws_s3_bucket.this.id
+ rule {
+ object_ownership = "BucketOwnerPreferred"
+ }
+}
+
+resource "aws_s3_bucket_acl" "this" {
+ depends_on = [aws_s3_bucket_ownership_controls.this]
+
+ bucket = aws_s3_bucket.this.id
+ acl = "private"
+}
\ No newline at end of file
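Review bot: The only thing that makes this bucket "green" for a rule named `s3_buckets_without_tags` is the `default_tags` block in the sibling provider.tf; the `aws_s3_bucket` resource itself sets no `tags`, and the red fixture's s3.tf further down this diff is identical apart from the bucket name. A one-line comment on the resource keeps a later cleanup from removing that dependency silently, e.g. `# tags are inherited from provider default_tags; that is what distinguishes this green fixture from red`. Alternatively, an explicit `tags = { ... }` on the bucket makes the fixture self-contained and independent of provider configuration.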
diff --git a/terraform/ecc-aws-163-s3_buckets_without_tags/green/terraform.tfvars b/terraform/ecc-aws-163-s3_buckets_without_tags/green/terraform.tfvars
new file mode 100644
index 000000000..368bc468f
--- /dev/null
+++ b/terraform/ecc-aws-163-s3_buckets_without_tags/green/terraform.tfvars
@@ -0,0 +1,2 @@
+profile = "c7n"
+default-region = "us-east-1"
\ No newline at end of file
diff --git a/terraform/ecc-aws-163-s3_buckets_without_tags/green/variables.tf b/terraform/ecc-aws-163-s3_buckets_without_tags/green/variables.tf
new file mode 100644
index 000000000..948c49afd
--- /dev/null
+++ b/terraform/ecc-aws-163-s3_buckets_without_tags/green/variables.tf
@@ -0,0 +1,9 @@
+variable "default-region" {
+ type = string
+ description = "Default region for resources will be created"
+}
+
+variable "profile" {
+ type = string
+ description = "Profile name configured before running apply"
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-163-s3_buckets_without_tags/iam/163-policy.json b/terraform/ecc-aws-163-s3_buckets_without_tags/iam/163-policy.json
new file mode 100644
index 000000000..53a7390fd
--- /dev/null
+++ b/terraform/ecc-aws-163-s3_buckets_without_tags/iam/163-policy.json
@@ -0,0 +1,24 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "s3:ListAllMyBuckets",
+ "s3:GetBucketAcl",
+ "s3:GetBucketLocation",
+ "s3:GetBucketLogging",
+ "s3:GetBucketTagging",
+ "s3:GetBucketWebsite",
+ "s3:GetBucketNotification",
+ "s3:GetBucketVersioning",
+ "s3:GetBucketLifecycle",
+ "s3:GetLifecycleConfiguration",
+ "s3:GetReplicationConfiguration",
+ "s3:GetBucketPolicy",
+ "s3:GetEncryptionConfiguration"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-163-s3_buckets_without_tags/red/provider.tf b/terraform/ecc-aws-163-s3_buckets_without_tags/red/provider.tf
new file mode 100644
index 000000000..b48e90293
--- /dev/null
+++ b/terraform/ecc-aws-163-s3_buckets_without_tags/red/provider.tf
@@ -0,0 +1,13 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4"
+ }
+ }
+}
+
+provider "aws"{
+ profile = var.profile
+ region = var.default-region
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-163-s3_buckets_without_tags/red/s3.tf b/terraform/ecc-aws-163-s3_buckets_without_tags/red/s3.tf
new file mode 100644
index 000000000..171ef2534
--- /dev/null
+++ b/terraform/ecc-aws-163-s3_buckets_without_tags/red/s3.tf
@@ -0,0 +1,17 @@
+resource "aws_s3_bucket" "this" {
+ bucket = "163-bucket-red"
+}
+
+resource "aws_s3_bucket_ownership_controls" "this" {
+ bucket = aws_s3_bucket.this.id
+ rule {
+ object_ownership = "BucketOwnerPreferred"
+ }
+}
+
+resource "aws_s3_bucket_acl" "this" {
+ depends_on = [aws_s3_bucket_ownership_controls.this]
+
+ bucket = aws_s3_bucket.this.id
+ acl = "private"
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-163-s3_buckets_without_tags/red/terraform.tfvars b/terraform/ecc-aws-163-s3_buckets_without_tags/red/terraform.tfvars
new file mode 100644
index 000000000..368bc468f
--- /dev/null
+++ b/terraform/ecc-aws-163-s3_buckets_without_tags/red/terraform.tfvars
@@ -0,0 +1,2 @@
+profile = "c7n"
+default-region = "us-east-1"
\ No newline at end of file
diff --git a/terraform/ecc-aws-163-s3_buckets_without_tags/red/variables.tf b/terraform/ecc-aws-163-s3_buckets_without_tags/red/variables.tf
new file mode 100644
index 000000000..948c49afd
--- /dev/null
+++ b/terraform/ecc-aws-163-s3_buckets_without_tags/red/variables.tf
@@ -0,0 +1,9 @@
+variable "default-region" {
+ type = string
+ description = "Default region for resources will be created"
+}
+
+variable "profile" {
+ type = string
+ description = "Profile name configured before running apply"
+}
\ No newline at end of file
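Review bot: This provider block intentionally omits the `default_tags` that every other provider.tf in the change carries, because the red fixture must produce an untagged bucket, but without a comment the omission reads like an oversight that a later "make providers consistent" pass would undo; `# no default_tags on purpose: the rule expects this bucket to carry no tags at all` above `provider "aws"{` records the intent. The bucket consequently also lacks the `CustodianRule`/`ComplianceStatus` markers the other fixtures carry, so if any tooling relies on those tags to find fixture resources it will presumably not see this one.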
diff --git a/terraform/ecc-aws-216-s3_bucket_cross_region_replication_enabled/green/provider.tf b/terraform/ecc-aws-216-s3_bucket_cross_region_replication_enabled/green/provider.tf
new file mode 100644
index 000000000..1b586c6a4
--- /dev/null
+++ b/terraform/ecc-aws-216-s3_bucket_cross_region_replication_enabled/green/provider.tf
@@ -0,0 +1,20 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4"
+ }
+ }
+}
+
+provider "aws" {
+ profile = var.profile
+ region = var.default-region
+
+ default_tags {
+ tags = {
+ CustodianRule = "ecc-aws-216-s3_bucket_cross_region_replication_enabled"
+ ComplianceStatus = "Green"
+ }
+ }
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-216-s3_bucket_cross_region_replication_enabled/green/s3.tf b/terraform/ecc-aws-216-s3_bucket_cross_region_replication_enabled/green/s3.tf
new file mode 100644
index 000000000..ec5f6939f
--- /dev/null
+++ b/terraform/ecc-aws-216-s3_bucket_cross_region_replication_enabled/green/s3.tf
@@ -0,0 +1,89 @@
+resource "aws_s3_bucket" "bucket1" {
+ bucket = "bucket1-216-green"
+ force_destroy = true
+}
+
+resource "aws_s3_bucket_versioning" "bucket1" {
+ bucket = aws_s3_bucket.bucket1.id
+ versioning_configuration {
+ status = "Enabled"
+ }
+}
+
+resource "aws_s3_bucket_replication_configuration" "bucket1" {
+ depends_on = [aws_s3_bucket_versioning.bucket1]
+
+ role = aws_iam_role.this.arn
+ bucket = aws_s3_bucket.bucket1.id
+
+ rule {
+ status = "Enabled"
+
+ destination {
+ bucket = aws_s3_bucket.bucket2.arn
+ storage_class = "STANDARD"
+ }
+ }
+}
+
+resource "aws_s3_bucket" "bucket2" {
+ bucket = "bucket2-216-green"
+ force_destroy = true
+}
+
+resource "aws_s3_bucket_versioning" "bucket2" {
+ bucket = aws_s3_bucket.bucket2.id
+ versioning_configuration {
+ status = "Enabled"
+ }
+}
+
+resource "aws_iam_role" "this" {
+ name = "216_role_green"
+
+ assume_role_policy = <