From 86b85e610cc1b037fa8b726679ae573e74facaf2 Mon Sep 17 00:00:00 2001
From: Nestor Carvantes
Date: Tue, 16 Mar 2021 19:09:18 -0700
Subject: [PATCH 1/2] chore: add encryption, https-only, access logging to all buckets

---
 cloudformation/bulkExport.yaml | 53 ++++++++++++++++++++++++++++++++++
 serverless.yaml                | 22 ++++++++++++++
 2 files changed, 75 insertions(+)

diff --git a/cloudformation/bulkExport.yaml b/cloudformation/bulkExport.yaml
index 69b6eb29..0708a2e0 100644
--- a/cloudformation/bulkExport.yaml
+++ b/cloudformation/bulkExport.yaml
@@ -42,6 +42,33 @@ Resources:
 
   GlueScriptsBucket:
     Type: AWS::S3::Bucket
+    Properties:
+      BucketEncryption:
+        ServerSideEncryptionConfiguration:
+          - ServerSideEncryptionByDefault:
+              SSEAlgorithm: AES256
+      LoggingConfiguration:
+        DestinationBucketName: !Ref FHIRLogsBucket
+        LogFilePrefix: 'GlueScriptsBucket'
+
+  GlueScriptsBucketHttpsOnlyPolicy:
+    Type: AWS::S3::BucketPolicy
+    Properties:
+      Bucket: !Ref GlueScriptsBucket
+      PolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Sid: AllowSSLRequestsOnly
+            Effect: Deny
+            Principal: '*'
+            Action:
+              - s3:*
+            Resource:
+              - !GetAtt GlueScriptsBucket.Arn
+              - !Join ['', [!GetAtt GlueScriptsBucket.Arn, '/*']]
+            Condition:
+              Bool:
+                'aws:SecureTransport': false
 
   BulkExportResultsBucket:
     Type: AWS::S3::Bucket
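Review bot: GlueScriptsBucket still has no PublicAccessBlockConfiguration after this hunk, so a public ACL or bucket policy attached later would be accepted unless the account-level block happens to be on; encryption and the TLS-only Deny do not cover that case, and the same gap is in BulkExportResultsBucket (next hunk) and FHIRLogsBucket (serverless.yaml, hunk at @@ -311). The four block flags belong under Properties next to BucketEncryption, as below; FHIRLogsBucket's LogDeliveryWrite ACL is a log-delivery-group grant rather than a public one, so the block does not interfere with access-log delivery. `DestinationBucketName: !Ref FHIRLogsBucket` also presumes bulkExport.yaml declares FHIRLogsBucket (presumably a Parameter fed from serverless.yaml, since the bucket resource itself lives there); that declaration is outside this hunk and worth confirming before deploy.
```yaml
    Properties:
      # … unchanged: BucketEncryption, LoggingConfiguration …
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
```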
@@ -51,6 +78,32 @@ Resources:
           - Id: ExpirationRule
             Status: Enabled
             ExpirationInDays: '3'
+      BucketEncryption:
+        ServerSideEncryptionConfiguration:
+          - ServerSideEncryptionByDefault:
+              SSEAlgorithm: AES256
+      LoggingConfiguration:
+        DestinationBucketName: !Ref FHIRLogsBucket
+        LogFilePrefix: 'BulkExportResultsBucket'
+
+  BulkExportResultsBucketHttpsOnlyPolicy:
+    Type: AWS::S3::BucketPolicy
+    Properties:
+      Bucket: !Ref BulkExportResultsBucket
+      PolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Sid: AllowSSLRequestsOnly
+            Effect: Deny
+            Principal: '*'
+            Action:
+              - s3:*
+            Resource:
+              - !GetAtt BulkExportResultsBucket.Arn
+              - !Join ['', [!GetAtt BulkExportResultsBucket.Arn, '/*']]
+            Condition:
+              Bool:
+                'aws:SecureTransport': false
 
   GlueJobRole:
     Type: AWS::IAM::Role
diff --git a/serverless.yaml b/serverless.yaml
index 41640c1a..08d1fcd2 100644
--- a/serverless.yaml
+++ b/serverless.yaml
@@ -311,6 +311,10 @@ resources:
       UpdateReplacePolicy: Retain
       Properties:
         AccessControl: LogDeliveryWrite
+        BucketEncryption:
+          ServerSideEncryptionConfiguration:
+            - ServerSideEncryptionByDefault:
+                SSEAlgorithm: AES256
     FHIRBinaryBucketHttpsOnlyPolicy:
       Type: AWS::S3::BucketPolicy
       Properties:
@@ -329,6 +333,24 @@ resources:
               Condition:
                 Bool:
                   'aws:SecureTransport': false
+    FHIRLogsBucketHttpsOnlyPolicy:
+      Type: AWS::S3::BucketPolicy
+      Properties:
+        Bucket: !Ref FHIRLogsBucket
+        PolicyDocument:
+          Version: '2012-10-17'
+          Statement:
+            - Sid: AllowSSLRequestsOnly
+              Effect: Deny
+              Principal: '*'
+              Action:
+                - s3:*
+              Resource:
+                - !GetAtt FHIRLogsBucket.Arn
+                - !Join ['', [!GetAtt FHIRLogsBucket.Arn, '/*']]
+              Condition:
+                Bool:
+                  'aws:SecureTransport': false
     FhirServerLambdaRole:
       Type: AWS::IAM::Role
       Properties:

From 26ea218c1b0cf4e2056cac96d53bf4a78bfaf502 Mon Sep 17 00:00:00 2001
From: Nestor Carvantes
Date: Tue, 16 Mar 2021 23:34:12 -0700
Subject: [PATCH 2/2] rerun gh actions
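Review bot: `LogFilePrefix: 'BulkExportResultsBucket'` (and `'GlueScriptsBucket'` in the previous hunk) has no trailing slash, and S3 appends the delivery timestamp directly to the prefix, so the log keys will land at the root of FHIRLogsBucket as `BulkExportResultsBucket2021-03-16-…` rather than under a per-source folder. `LogFilePrefix: 'BulkExportResultsBucket/'` keeps the two sources separable by prefix for queries and lifecycle rules. Separately, this bucket presumably holds the exported resource data, so if key-level access control or key-usage audit is wanted, `SSEAlgorithm: aws:kms` with a dedicated key is the step beyond AES256; that would also require kms:GenerateDataKey and kms:Decrypt on GlueJobRole (context line at the hunk end) and on whatever serves the download, so it is a design decision rather than a blocker here.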
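Review bot: The AES256 choice on FHIRLogsBucket (hunk at @@ -311) deserves a comment, because this bucket is now the LoggingConfiguration destination for GlueScriptsBucket and BulkExportResultsBucket in cloudformation/bulkExport.yaml, and S3 server access logging cannot deliver into a bucket whose default encryption is SSE-KMS; a later "upgrade" to aws:kms here would silently stop log delivery for both sources. Suggest directly above the new BucketEncryption key: `# Keep SSE-S3 (AES256): S3 server access log delivery does not support SSE-KMS destination buckets`. The FHIRLogsBucket resource header starts outside this hunk.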