final updates to kms+s3 perms

cyphronix · cyphronix · commit 0a4ca7644be1 · 2024-06-19T10:56:29.000-06:00
diff --git a/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-delivery-kms-key.yaml b/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-delivery-kms-key.yaml
@@ -70,14 +70,6 @@ Conditions:
 
 Resources:
   rGuardDutyDeliveryKey:
-    # temp retain for troubleshooting
-    DeletionPolicy: Retain
-    # checkov:skip=CKV_AWS_33:Ensure KMS key policy does not contain wildcard (*) principal
-    # Metadata:
-    #   cfn_nag:
-    #     rules_to_suppress:
-    #       - id: F76
-    #         reason: "Opt-in regions may be used and so conditional policy is required"
     Type: AWS::KMS::Key
     Properties:
       Description: SRA GuardDuty Delivery Key
@@ -98,17 +90,20 @@ Resources:
             Action: kms:GenerateDataKey
             Resource: '*'
             Principal:
-              Service: guardduty.amazonaws.com
-
-            # key permissions for potential opt-in regions (conditional)
-          - Sid: Allow opt-in GuardDuty to encrypt logs
-            Effect: Allow
-            Action: kms:GenerateDataKey
-            Resource: '*'
-            Principal:
-              Service: 
-                - guardduty.ap-southeast-4.amazonaws.com
+              Service:
+                - guardduty.amazonaws.com
+                - guardduty.af-south-1.amazonaws.com
                 - guardduty.ap-east-1.amazonaws.com
+                - guardduty.ap-south-2.amazonaws.com
+                - guardduty.ap-southeast-3.amazonaws.com
+                - guardduty.ap-southeast-4.amazonaws.com
+                - guardduty.ca-west-1.amazonaws.com
+                - guardduty.eu-south-1.amazonaws.com
+                - guardduty.eu-south-2.amazonaws.com
+                - guardduty.eu-central-2.amazonaws.com
+                - guardduty.me-south-1.amazonaws.com
+                - guardduty.me-central-1.amazonaws.com
+                - guardduty.il-central-1.amazonaws.com
 
           - Sid: Allow alias creation during setup
             Effect: Allow
diff --git a/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-delivery-s3-bucket.yaml b/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-delivery-s3-bucket.yaml
@@ -89,13 +89,6 @@ Resources:
           Value: !Ref pSRASolutionName
 
   rGuardDutyDeliveryS3BucketPolicy:
-    # temp retain for troubleshooting
-    DeletionPolicy: Retain
-    # Metadata:
-    #   cfn_nag:
-    #     rules_to_suppress:
-    #       - id: F16
-    #         reason: "Opt-in regions may be used and so conditional policy is required"
     Type: AWS::S3::BucketPolicy
     Properties:
       Bucket: !Ref rGuardDutyDeliveryS3Bucket
@@ -134,19 +127,18 @@ Resources:
             Principal:
               Service:
                 - guardduty.amazonaws.com
-
-          # Bucket perm/location check allow for potential opt-in regions
-          - Sid: AWSBucketPermissionsCheckOptinRegions
-            Effect: Allow
-            Action:
-              - s3:GetBucketAcl
-              - s3:GetBucketLocation
-              - s3:ListBucket
-            Resource: !Sub arn:aws:s3:::${rGuardDutyDeliveryS3Bucket}
-            Principal:
-              Service:
-                - guardduty.ap-southeast-4.amazonaws.com
+                - guardduty.af-south-1.amazonaws.com
                 - guardduty.ap-east-1.amazonaws.com
+                - guardduty.ap-south-2.amazonaws.com
+                - guardduty.ap-southeast-3.amazonaws.com
+                - guardduty.ap-southeast-4.amazonaws.com
+                - guardduty.ca-west-1.amazonaws.com
+                - guardduty.eu-south-1.amazonaws.com
+                - guardduty.eu-south-2.amazonaws.com
+                - guardduty.eu-central-2.amazonaws.com
+                - guardduty.me-south-1.amazonaws.com
+                - guardduty.me-central-1.amazonaws.com
+                - guardduty.il-central-1.amazonaws.com
 
           - Sid: AWSBucketDelivery
             Effect: Allow
@@ -158,19 +150,18 @@ Resources:
             Principal:
               Service:
                 - guardduty.amazonaws.com
-
-          # Bucket delivery allow for potential opt-in regions
-          - Sid: AWSBucketDeliveryOptinRegions
-            Effect: Allow
-            Action: s3:PutObject
-            # Condition:
-            #   StringEquals:
-            #     s3:x-amz-acl: bucket-owner-full-control
-            Resource: !Sub arn:aws:s3:::${rGuardDutyDeliveryS3Bucket}/*
-            Principal:
-              Service:
-                - guardduty.ap-southeast-4.amazonaws.com
+                - guardduty.af-south-1.amazonaws.com
                 - guardduty.ap-east-1.amazonaws.com
+                - guardduty.ap-south-2.amazonaws.com
+                - guardduty.ap-southeast-3.amazonaws.com
+                - guardduty.ap-southeast-4.amazonaws.com
+                - guardduty.ca-west-1.amazonaws.com
+                - guardduty.eu-south-1.amazonaws.com
+                - guardduty.eu-south-2.amazonaws.com
+                - guardduty.eu-central-2.amazonaws.com
+                - guardduty.me-south-1.amazonaws.com
+                - guardduty.me-central-1.amazonaws.com
+                - guardduty.il-central-1.amazonaws.com
 
           - Sid: DenyUnencryptedObjectUploads
             Effect: Deny
@@ -182,19 +173,18 @@ Resources:
             Principal:
               Service:
                 - guardduty.amazonaws.com
-
-          # Unencryption object upload deny for potential opt-in regions
-          - Sid: DenyUnencryptedObjectUploadsOptinRegions
-            Effect: Deny
-            Action: s3:PutObject
-            Condition:
-              StringNotEquals:
-                s3:x-amz-server-side-encryption: aws:kms
-            Resource: !Sub arn:aws:s3:::${rGuardDutyDeliveryS3Bucket}/*
-            Principal:
-              Service:
-                - guardduty.ap-southeast-4.amazonaws.com
+                - guardduty.af-south-1.amazonaws.com
                 - guardduty.ap-east-1.amazonaws.com
+                - guardduty.ap-south-2.amazonaws.com
+                - guardduty.ap-southeast-3.amazonaws.com
+                - guardduty.ap-southeast-4.amazonaws.com
+                - guardduty.ca-west-1.amazonaws.com
+                - guardduty.eu-south-1.amazonaws.com
+                - guardduty.eu-south-2.amazonaws.com
+                - guardduty.eu-central-2.amazonaws.com
+                - guardduty.me-south-1.amazonaws.com
+                - guardduty.me-central-1.amazonaws.com
+                - guardduty.il-central-1.amazonaws.com
 
           - Sid: DenyIncorrectEncryptionHeader
             Effect: Deny
@@ -206,19 +196,18 @@ Resources:
             Principal:
               Service:
                 - guardduty.amazonaws.com
-
-          # Incorrect encryption header deny for potential opt-in regions
-          - Sid: DenyIncorrectEncryptionHeaderOptinRegions
-            Effect: Deny
-            Action: s3:PutObject
-            Condition:
-              StringNotEquals:
-                s3:x-amz-server-side-encryption-aws-kms-key-id: !Sub ${pGuardDutyOrgDeliveryKMSKeyArn}
-            Resource: !Sub arn:aws:s3:::${rGuardDutyDeliveryS3Bucket}/*
-            Principal:
-              Service:
-                - guardduty.ap-southeast-4.amazonaws.com
+                - guardduty.af-south-1.amazonaws.com
                 - guardduty.ap-east-1.amazonaws.com
+                - guardduty.ap-south-2.amazonaws.com
+                - guardduty.ap-southeast-3.amazonaws.com
+                - guardduty.ap-southeast-4.amazonaws.com
+                - guardduty.ca-west-1.amazonaws.com
+                - guardduty.eu-south-1.amazonaws.com
+                - guardduty.eu-south-2.amazonaws.com
+                - guardduty.eu-central-2.amazonaws.com
+                - guardduty.me-south-1.amazonaws.com
+                - guardduty.me-central-1.amazonaws.com
+                - guardduty.il-central-1.amazonaws.com
 
 
 Outputs:
