[WIP]Fix: Added Documentation, S3 Versioning, enforce https (#796)

* chore: enforceHttps on openSearch * chore: scoutsuite * chore: resolve scoutsuite * chore: add best practices for cloudtrail and mfa delete * chore: remove unnecessary import Co-authored-by: sevu1 <112517151+sevu1@users.noreply.github.com>
awslabs · Jan 23, 2023 · 9861f00 · 9861f00
1 parent b48c3fe
commit 9861f00
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -127,7 +127,11 @@ For more information about SMART on FHIR Works, see [SMART on FHIR Works FAQ](/S
 
 We recommend configuring your IdP to set token expiration within 15-30 minutes, or less, of when issued.
 
+**Is multi-factor authentication (MFA) delete recommended on S3 buckets?**
+Yes, adding MFA delete adds an additional layer of security to your S3 buckets. After enabling [MFA delete](https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiFactorAuthenticationDelete.html) for your S3 buckets, bucket owners will be required to provide two forms of authentication in requests to delete a bucket version or change its versioning state. To add this extra security layer, refer to [Configuring MFA delete](https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiFactorAuthenticationDelete.html). 
 
+**What is recommended to configure data-event logging?**
+[AWS CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html) is recommended for logging FWoA data events. To configure data-event logging, [create a “trail”](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html) for your AWS account. Be sure to follow [CloudTrail security best practices](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html) when doing so.
 ### Development
 
 [Instructions for making local code changes](./DEVELOPMENT.md)

diff --git a/lib/bulkExport.ts b/lib/bulkExport.ts
@@ -105,6 +105,8 @@ export default class BulkExportResources {
             serverAccessLogsBucket: fhirLogsBucket,
             serverAccessLogsPrefix: 'GlueScriptsBucket',
             blockPublicAccess,
+            enforceSSL: true,
+            versioned: true,
         });
 
         this.glueScriptsBucketHttpsOnlyPolicy = new BucketPolicy(scope, 'glueScriptsBucketHttpsOnlyPolicy', {
@@ -129,6 +131,8 @@ export default class BulkExportResources {
             ],
             serverAccessLogsPrefix: 'BulkExportResultsBucket',
             blockPublicAccess,
+            enforceSSL: true,
+            versioned: true,
         });
 
         this.bulkExportResultsBucketHttpsOnlyPolicy = new BucketPolicy(

diff --git a/lib/cdk-infra-stack.ts b/lib/cdk-infra-stack.ts
@@ -126,6 +126,8 @@ export default class FhirWorksStack extends Stack {
                 ignorePublicAcls: true,
                 restrictPublicBuckets: true,
             },
+            enforceSSL: true,
+            versioned: true,
         });
         NagSuppressions.addResourceSuppressions(fhirLogsBucket, [
             {
@@ -245,6 +247,7 @@ export default class FhirWorksStack extends Stack {
                 ignorePublicAcls: true,
                 restrictPublicBuckets: true,
             },
+            enforceSSL: true,
         });
 
         fhirBinaryBucket.addToResourcePolicy(

diff --git a/lib/elasticsearch.ts b/lib/elasticsearch.ts
@@ -323,6 +323,7 @@ export default class ElasticSearchResources {
                 slowIndexLogEnabled: true,
                 slowIndexLogGroup: this.searchLogs,
             },
+            enforceHttps: true,
         });
         this.elasticSearchDomain.node.addDependency(this.searchLogsResourcePolicy);
         NagSuppressions.addResourceSuppressions(this.elasticSearchDomain, [