
Commit f8d787f

authored
[Improvement] state/s3 - Add Access type ElbAccessLogWriteEncrypted for encrypted ELB logs (#737)
1 parent 7052cc3 commit f8d787f


1 file changed

+17
-3
lines changed


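--- a/state/s3.yaml
+++ b/state/s3.yaml
@@ -72,7 +72,7 @@ Parameters:
 Description: 'Access policy of the bucket.'
 Type: String
 Default: Private
-AllowedValues: [Private, PublicRead, PublicWrite, PublicReadAndWrite, CloudFrontRead, CloudFrontAccessLogWrite, ElbAccessLogWrite, S3AccessLogWrite, ConfigWrite, CloudTrailWrite, VpcEndpointRead, FlowLogWrite]
+AllowedValues: [Private, PublicRead, PublicWrite, PublicReadAndWrite, CloudFrontRead, CloudFrontAccessLogWrite, ElbAccessLogWrite, ElbAccessLogWriteEncrypted, S3AccessLogWrite, ConfigWrite, CloudTrailWrite, VpcEndpointRead, FlowLogWrite]
 Versioning:
 Description: 'Enable versioning to keep a backup if objects change.'
 Type: String
@@ -138,7 +138,9 @@ Conditions:
 HasPublicWriteAccess: !Or [!Equals [!Ref Access, PublicWrite], !Equals [!Ref Access, PublicReadAndWrite]]
 HasCloudFrontReadAccess: !Equals [!Ref Access, CloudFrontRead]
 HasCloudFrontAccessLogWrite: !Equals [!Ref Access, CloudFrontAccessLogWrite]
-HasElbAccessLogWriteAccess: !Equals [!Ref Access, ElbAccessLogWrite]
+HasElbAccessLogWriteAccess: !Or [!Equals [!Ref Access, ElbAccessLogWrite], !Equals [!Ref Access, ElbAccessLogWriteEncrypted]]
+# The only server-side encryption option that's supported is Amazon S3-managed keys (SSE-S3).
+HasElbAccessLogWriteEncrypted: !Equals [!Ref Access, ElbAccessLogWriteEncrypted]
 HasS3AccessLogWrite: !Equals [!Ref Access, S3AccessLogWrite]
 HasConfigWriteAccess: !Equals [!Ref Access, ConfigWrite]
 HasCloudTrailWriteAccess: !Equals [!Ref Access, CloudTrailWrite]
@@ -214,7 +216,9 @@ Resources:
 Resource: !Sub '${Bucket.Arn}/*'
 Condition:
 StringNotEquals:
-'s3:x-amz-server-side-encryption': ''
+'s3:x-amz-server-side-encryption':
+- 'AES256'
+- 'aws:kms'
 's3:x-amz-server-side-encryption-aws-kms-key-id': {'Fn::ImportValue': !Sub '${ParentKmsKeyStack}-KeyArn'}
 - !Ref 'AWS::NoValue'
 - !If
@@ -294,6 +298,16 @@ Resources:
 Effect: Allow
 Resource: !GetAtt 'Bucket.Arn'
 - !Ref 'AWS::NoValue'
+- !If
+- HasElbAccessLogWriteEncrypted
+- Principal: '*'
+Action: 's3:PutObject*'
+Effect: Deny
+Resource: !Sub '${Bucket.Arn}/*'
+Condition:
+StringNotEquals:
+'s3:x-amz-server-side-encryption': 'AES256' # https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingServerSideEncryption.html
+- !Ref 'AWS::NoValue'
 - !If
 - HasConfigWriteAccess
 - Effect: Allow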
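Review bot: The widened `StringNotEquals` list on `s3:x-amz-server-side-encryption` in the third hunk (new lines 216–222) appears to weaken the KMS key pinning that this Deny statement previously enforced. Condition keys inside a single operator block are ANDed, so the Deny now fires only when the SSE header is neither `AES256` nor `aws:kms` and the key id differs; a PutObject sent with `aws:kms` and a key other than `${ParentKmsKeyStack}-KeyArn` is no longer caught by this statement, whereas before it was (the header was non-empty and the key id did not match). The enclosing statement and its `!If` guard start outside the hunk, so if the intent is still to require the parent key whenever KMS is used, the key-id check needs its own Deny statement that pairs `StringEquals` on the SSE header with `StringNotEquals` on the key id, as sketched below; the existing statement can keep its new two-value list for the header-presence check. The fourth hunk's SSE-S3 Deny is unaffected since it tests a single value.

```yaml
# … unchanged: existing Deny for requests whose SSE header is neither AES256 nor aws:kms …
- Principal: '*'   # mirror the Principal of the statement above the hunk
  Action: 's3:PutObject*'
  Effect: Deny
  Resource: !Sub '${Bucket.Arn}/*'
  Condition:
    StringEquals:
      's3:x-amz-server-side-encryption': 'aws:kms'
    StringNotEquals:
      's3:x-amz-server-side-encryption-aws-kms-key-id': {'Fn::ImportValue': !Sub '${ParentKmsKeyStack}-KeyArn'}
```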
