From 8b80c513895e4e2268c91c6fb957dcbf39d39e16 Mon Sep 17 00:00:00 2001
From: Edd Almond <102675624+eddalmond1@users.noreply.github.com>
Date: Wed, 6 Aug 2025 17:17:13 +0100
Subject: [PATCH] eli-388 adding access log permissions for audit buckets

---
 infrastructure/modules/s3/s3.tf | 45 ++++++++++++++++++++++++++++++++-
 1 file changed, 44 insertions(+), 1 deletion(-)

diff --git a/infrastructure/modules/s3/s3.tf b/infrastructure/modules/s3/s3.tf
index e0138c065..8dc3c8744 100644
--- a/infrastructure/modules/s3/s3.tf
+++ b/infrastructure/modules/s3/s3.tf
@@ -105,6 +105,49 @@ data "aws_iam_policy_document" "access_logs_s3_bucket_policy" {
 variable = "aws:SecureTransport"
 }
 }
+
+ # Allow S3 Log Delivery service to write access logs
+ statement {
+ sid = "S3ServerAccessLogsPolicy"
+ effect = "Allow"
+ principals {
+ type = "Service"
+ identifiers = ["logging.s3.amazonaws.com"]
+ }
+ actions = [
+ "s3:PutObject"
+ ]
+ resources = [
+ "${aws_s3_bucket.storage_bucket_access_logs.arn}/*"
+ ]
+ condition {
+ test = "ArnEquals"
+ variable = "aws:SourceArn"
+ values = [aws_s3_bucket.storage_bucket.arn]
+ }
+ }
+
+ # Allow S3 Log Delivery service to check bucket location and get bucket ACL
+ statement {
+ sid = "S3ServerAccessLogsDeliveryRootAccess"
+ effect = "Allow"
+ principals {
+ type = "Service"
+ identifiers = ["logging.s3.amazonaws.com"]
+ }
+ actions = [
+ "s3:GetBucketAcl",
+ "s3:ListBucket"
+ ]
+ resources = [
+ aws_s3_bucket.storage_bucket_access_logs.arn
+ ]
+ condition {
+ test = "ArnEquals"
+ variable = "aws:SourceArn"
+ values = [aws_s3_bucket.storage_bucket.arn]
+ }
+ }
 }
 
 resource "aws_s3_bucket_server_side_encryption_configuration" "storage_bucket_access_logs_server_side_encryption_config" {
@@ -112,7 +155,7 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "storage_bucket_ac
 
 rule {
 apply_server_side_encryption_by_default {
- sse_algorithm = "aws:kms"
+ sse_algorithm = "aws:kms"
 kms_master_key_id = aws_kms_key.storage_bucket_cmk.arn
 }
 }
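Review bot: The first added statement (sid `S3ServerAccessLogsPolicy`) scopes the `logging.s3.amazonaws.com` principal only by `aws:SourceArn`; AWS's documented bucket policy for server access logging pairs that with a `StringEquals` on `aws:SourceAccount` as the confused-deputy guard for service principals, and the same gap is in the second statement (sid `S3ServerAccessLogsDeliveryRootAccess`). The second statement's comment says "check bucket location and get bucket ACL" but the actions are `s3:GetBucketAcl` and `s3:ListBucket`, so either the comment or the action list is off, and since the documented log-delivery policy needs only `s3:PutObject` on the object prefix it is worth confirming the bucket-level grant is required at all rather than keeping it on the assumption that it is. The enclosing `data "aws_iam_policy_document" "access_logs_s3_bucket_policy"` block starts before this hunk. The extra condition blocks are sketched below; the account-id value is a placeholder for whatever the module already exposes (for example an `aws_caller_identity` data source, if one is declared).

```hcl
  # Allow S3 Log Delivery service to write access logs
  statement {
    sid    = "S3ServerAccessLogsPolicy"
    # … unchanged: effect, principals, actions, resources …
    condition {
      test     = "ArnEquals"
      variable = "aws:SourceArn"
      values   = [aws_s3_bucket.storage_bucket.arn]
    }
    # Pin delivery to this account as well; a source-ARN match alone is not
    # the full guard AWS documents for the logging service principal.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = ["<ACCOUNT_ID>"] # placeholder: the module's own account-id source
    }
  }

  # Allow S3 Log Delivery service to read the log bucket ACL and list it
  statement {
    sid    = "S3ServerAccessLogsDeliveryRootAccess"
    # … unchanged: effect, principals, actions, resources, aws:SourceArn condition …
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = ["<ACCOUNT_ID>"] # placeholder: the module's own account-id source
    }
  }
```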