chore: add encryption, https-only, access logging to all buckets (#253)

awslabs · Mar 18, 2021 · d27c114 · d27c114
1 parent f24ffe7
commit d27c114
Show file tree

Hide file tree

Showing 2 changed files with 75 additions and 0 deletions.
diff --git a/cloudformation/bulkExport.yaml b/cloudformation/bulkExport.yaml
@@ -42,6 +42,33 @@ Resources:
 
   GlueScriptsBucket:
     Type: AWS::S3::Bucket
+    Properties:
+      BucketEncryption:
+        ServerSideEncryptionConfiguration:
+          - ServerSideEncryptionByDefault:
+              SSEAlgorithm: AES256
+      LoggingConfiguration:
+        DestinationBucketName: !Ref FHIRLogsBucket
+        LogFilePrefix: 'GlueScriptsBucket'
+
+  GlueScriptsBucketHttpsOnlyPolicy:
+    Type: AWS::S3::BucketPolicy
+    Properties:
+      Bucket: !Ref GlueScriptsBucket
+      PolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Sid: AllowSSLRequestsOnly
+            Effect: Deny
+            Principal: '*'
+            Action:
+              - s3:*
+            Resource:
+              - !GetAtt GlueScriptsBucket.Arn
+              - !Join ['', [!GetAtt GlueScriptsBucket.Arn, '/*']]
+            Condition:
+              Bool:
+                'aws:SecureTransport': false
 
   BulkExportResultsBucket:
     Type: AWS::S3::Bucket
@@ -51,6 +78,32 @@ Resources:
           - Id: ExpirationRule
             Status: Enabled
             ExpirationInDays: '3'
+      BucketEncryption:
+        ServerSideEncryptionConfiguration:
+          - ServerSideEncryptionByDefault:
+              SSEAlgorithm: AES256
+      LoggingConfiguration:
+        DestinationBucketName: !Ref FHIRLogsBucket
+        LogFilePrefix: 'BulkExportResultsBucket'
+
+  BulkExportResultsBucketHttpsOnlyPolicy:
+    Type: AWS::S3::BucketPolicy
+    Properties:
+      Bucket: !Ref BulkExportResultsBucket
+      PolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Sid: AllowSSLRequestsOnly
+            Effect: Deny
+            Principal: '*'
+            Action:
+              - s3:*
+            Resource:
+              - !GetAtt BulkExportResultsBucket.Arn
+              - !Join ['', [!GetAtt BulkExportResultsBucket.Arn, '/*']]
+            Condition:
+              Bool:
+                'aws:SecureTransport': false
 
   GlueJobRole:
     Type: AWS::IAM::Role

diff --git a/serverless.yaml b/serverless.yaml
@@ -311,6 +311,10 @@ resources:
         UpdateReplacePolicy: Retain
         Properties:
           AccessControl: LogDeliveryWrite
+          BucketEncryption:
+            ServerSideEncryptionConfiguration:
+              - ServerSideEncryptionByDefault:
+                  SSEAlgorithm: AES256
       FHIRBinaryBucketHttpsOnlyPolicy:
         Type: AWS::S3::BucketPolicy
         Properties:
@@ -329,6 +333,24 @@ resources:
                 Condition:
                   Bool:
                     'aws:SecureTransport': false
+      FHIRLogsBucketHttpsOnlyPolicy:
+        Type: AWS::S3::BucketPolicy
+        Properties:
+          Bucket: !Ref FHIRLogsBucket
+          PolicyDocument:
+            Version: '2012-10-17'
+            Statement:
+              - Sid: AllowSSLRequestsOnly
+                Effect: Deny
+                Principal: '*'
+                Action:
+                  - s3:*
+                Resource:
+                  - !GetAtt FHIRLogsBucket.Arn
+                  - !Join ['', [!GetAtt FHIRLogsBucket.Arn, '/*']]
+                Condition:
+                  Bool:
+                    'aws:SecureTransport': false
       FhirServerLambdaRole:
         Type: AWS::IAM::Role
         Properties: