The code provided within this subcomponent will create the AWS resources necessary to configure and enable logging and log storage. The subcomponent also provides a method for configuring a trust relationship with SecOps to allow for the retrieval and analysis of your AWS CloudTrail log data using their Enterprise Logging Platform. The GRACE Logging subcomponent activates AWS CloudTrail and creates a multi-region CloudTrail Trail configured to deliver to both an Amazon S3 bucket and an Amazon CloudWatch Log Group. The required AWS IAM resources are created to allow for the permissions required for CloudTrail's log delivery. The S3 bucket created for log storage is setup with a bucket policy, lifecycle policy, server-side encryption, versioning, and access logging. The GRACE Logging subcomponent also creates a S3 bucket to store the access-log data generated from the CloudTrail log storage bucket.
The GRACE Logging subcomponent will also provide the resources required to create a trust relationship with SecOps. This trust relationship will allow SecOps to pull the CloudTrail log data from the log storage bucket and analyze it using their Enterprise Logging Platform. The integration with SecOps utilizes AWS Security Token Service (STS) to allow the specified SecOps accounts access to assume a role specifically created for the consumption of the log data stored within the S3 log storage bucket.
NOTE: Customers can coordinate with SecOps@gsa.gov to determine the appropriate AWS Account number(s) to configure for the trust policy. The account numbers specify which trusted account members are allowed to assume the role used for log integration with SecOps.
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| access_logging_bucket_acl | (optional) The ACL applied to the access logging bucket | string | "log-delivery-write" |
no |
| access_logging_bucket_backup_days | (optional) The age of an object in number of days before it can be archived to glacier | string | "365" |
no |
| access_logging_bucket_backup_expiration_days | (optional) The age of an object in number of days before it can be safely discarded | string | "900" |
no |
| access_logging_bucket_block_public_acls | (optional) The boolean value enabling (true) or disabling (false) the blocking of public ACL creation for the access logging bucket | bool | true | no |
| access_logging_bucket_block_public_policy | (optional) The boolean value enabling (true) or disabling (false) the blocking of public policy creation for the access logging bucket | bool | true | no |
| access_logging_bucket_destroy | (optional) The boolean value indicating whether Terraform can destroy the bucket with objects still inside | bool | false | no |
| access_logging_bucket_enable_backup | (optional) The boolean value enabling (true) or disabling (false) backups to glacier on the access logging bucket | bool | true | no |
| access_logging_bucket_enable_versioning | (optional) The boolean value enabling (true) or disabling (false) versioning on the access logging bucket | bool | true | no |
| access_logging_bucket_ignore_public_acls | (optional) The boolean value enabling (true) or disabling (false) the ignoring of public ACLs created for the access logging bucket | bool | true | no |
| access_logging_bucket_name | (required) The name given to the access logging bucket | string | n/a | yes |
| access_logging_bucket_restrict_public_buckets | (optional) The boolean value enabling (true) or disabling (false) the blocking of public and cross-account access with the public bucket policy for the access logging bucket | bool | true | no |
| cloudtrail_bucket_prefix | (optional) The prefix used when storing CloudTrail logs in the logging bucket | string | "grace-cloudtrail" |
no |
| cloudtrail_enable_log_validation | (optional) The boolean value indicating whether this CloudTrail should perform log file integrity validation | bool | true | no |
| cloudtrail_include_global_service_events | (optional) The boolean value indicating whether global services are sending events to this CloudTrail (ie: IAM) | bool | true | no |
| cloudtrail_log_retention_days | (optional) The number of days to retain logs in the CloudWatch log group | string | "365" |
no |
| cloudtrail_multi_region | (optional) The boolean value indicating whether this CloudTrail is multi-region | bool | true | no |
| cloudtrail_name | (optional) The name given to the CloudTrail | string | "grace-cloudtrail" |
no |
| flowlogs_bucket_prefix | (optional) The prefix used when storing Flow logs in the logging bucket | string | "grace-flowlogs" |
no |
| logging_access_logging_prefix | (optional) The prefix used when storing access logs for the logging bucket | string | "grace-logging" |
no |
| logging_bucket_acl | (optional) The ACL applied to the primary logging bucket | string | "log-delivery-write" |
no |
| logging_bucket_backup_days | (optional) The age of an object in number of days before it can be archived to glacier | string | "365" |
no |
| logging_bucket_backup_expiration_days | (optional) The age of an object in number of days before it can be safely discarded | string | "900" |
no |
| logging_bucket_block_public_acls | (optional) The boolean value enabling (true) or disabling (false) the blocking of public ACL creation for the logging bucket | bool | true | no |
| logging_bucket_block_public_policy | (optional) The boolean value enabling (true) or disabling (false) the blocking of public policy creation for the logging bucket | bool | true | no |
| logging_bucket_enable_backup | (optional) The boolean value enabling (true) or disabling (false) backups to glacier on the logging bucket | bool | true | no |
| logging_bucket_enable_versioning | (optional) The boolean value enabling (true) or disabling (false) versioning on the logging bucket | bool | true | no |
| logging_bucket_ignore_public_acls | (optional) The boolean value enabling (true) or disabling (false) the ignoring of public ACLs created for the logging bucket | bool | true | no |
| logging_bucket_name | (required) The name given to the primary logging bucket | string | n/a | yes |
| logging_bucket_restrict_public_buckets | (optional) The boolean value enabling (true) or disabling (false) the blocking of public and cross-account access with the public bucket policy for the logging bucket | bool | true | no |
| secops_accounts | (optional) A comma delimited string containing the Account IDs of accounts that should access to your log buckets, if empty no external accounts will be allowed to read the logs | string | "" |
no |
| secops_role_name | (optional) The name given to the SecOps read only access to the logging bucket | string | "grace-secops-read" |
no |
| Name | Description |
|---|---|
| access_bucket_arn | The ARN of the access log bucket. |
| access_bucket_id | The name of the access log bucket. |
| cloudtrail_arn | The Amazon Resource Name of the trail. |
| cloudtrail_id | The name of the trail. |
| cloudtrail_kms_key_arn | The Amazon Resource Name (ARN) of the CloudTrail KMS key. |
| cloudtrail_kms_key_id | The globally unique identifier for the CloudTrail KMS key. |
| cloudtrail_log_group_arn | The Amazon Resource Name (ARN) specifying the CloudTrail log group |
| cloudtrail_log_group_name | The name of the CloudTrail log group |
| cloudtrail_policy_id | The ID of the CloudTrail policy. |
| cloudtrail_role_arn | The Amazon Resource Name (ARN) specifying the CloudTrail role. |
| cloudtrail_role_id | The name of the CloudTrail role. |
| logging_bucket_arn | The ARN of the logging bucket. |
| logging_bucket_id | The name of the logging bucket. |
| logging_bucket_policy | The policy text applied to the logging bucket |
| secops_policy_id | The ID of the SecOps read only policy. |
| secops_role_arn | The Amazon Resource Name (ARN) specifying the SecOps read only role. |
| secops_role_id | The name of the SecOps read only role. |
-
Dependencies
- Terraform (minimum version v0.12.x; recommend v0.12.6 or greater)
- provider.aws ~v2.38.0
- provider.template ~v2.1.2
- Terraform (minimum version v0.12.x; recommend v0.12.6 or greater)
-
Usage
Include the module in your Terraform project. See the above inputs and outputs for more details. Basic example:
module "logging" {
source = "github.com/GSA/grace-logging?ref=v0.0.5"
access_logging_bucket_name = "example-access-logs"
cloudtrail_name = "example-trail"
logging_bucket_name = "example-logs"
}
Use terraform init to download and install module and providers
The GRACE Logging subcomponent provides various levels of coverage for several NIST Special Publication 800-53 (Rev. 4) Security Controls. These security controls are designated for FIPS 199 Moderate Impact Systems. Additional information regarding the implementation method utilized can be found within the GRACE Component Control Coverage Repository.
Subcomponent approval status: Pending Assessment
Relevant controls:
| Control Description | Control ID |
|---|---|
| Access Controls | AC-2, AC-6(9) |
| Audit and Accountability | AU-2, AU-6(1), AU-9 |
| System and Information Integrity | SI-4, SI-4(2), SI-12 |
This project is in the worldwide public domain. As stated in CONTRIBUTING:
This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.
All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.