adding each region specifically in perms

cyphronix · cyphronix · commit 8087634d06f9 · 2024-06-19T09:39:28.000-06:00
diff --git a/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-delivery-kms-key.yaml b/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-delivery-kms-key.yaml
@@ -73,11 +73,11 @@ Resources:
     # temp retain for troubleshooting
     DeletionPolicy: Retain
     # checkov:skip=CKV_AWS_33:Ensure KMS key policy does not contain wildcard (*) principal
-    Metadata:
-      cfn_nag:
-        rules_to_suppress:
-          - id: F76
-            reason: "Opt-in regions may be used and so conditional policy is required"
+    # Metadata:
+    #   cfn_nag:
+    #     rules_to_suppress:
+    #       - id: F76
+    #         reason: "Opt-in regions may be used and so conditional policy is required"
     Type: AWS::KMS::Key
     Properties:
       Description: SRA GuardDuty Delivery Key
@@ -101,14 +101,14 @@ Resources:
               Service: guardduty.amazonaws.com
 
             # key permissions for potential opt-in regions (conditional)
-          - Sid: Allow opt-in region GuardDuty to encrypt logs
+          - Sid: Allow opt-in GuardDuty to encrypt logs
             Effect: Allow
             Action: kms:GenerateDataKey
             Resource: '*'
-            Principal: '*'
-            Condition:
-              StringLike:
-                aws:PrincipalServiceName: guardduty.*.amazonaws.com
+            Principal:
+              Service: 
+                - guardduty.ap-southeast-4.amazonaws.com
+                - guardduty.ap-east-1.amazonaws.com
 
           - Sid: Allow alias creation during setup
             Effect: Allow
diff --git a/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-delivery-s3-bucket.yaml b/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-delivery-s3-bucket.yaml
@@ -91,11 +91,11 @@ Resources:
   rGuardDutyDeliveryS3BucketPolicy:
     # temp retain for troubleshooting
     DeletionPolicy: Retain
-    Metadata:
-      cfn_nag:
-        rules_to_suppress:
-          - id: F16
-            reason: "Opt-in regions may be used and so conditional policy is required"
+    # Metadata:
+    #   cfn_nag:
+    #     rules_to_suppress:
+    #       - id: F16
+    #         reason: "Opt-in regions may be used and so conditional policy is required"
     Type: AWS::S3::BucketPolicy
     Properties:
       Bucket: !Ref rGuardDutyDeliveryS3Bucket
@@ -136,17 +136,17 @@ Resources:
                 - guardduty.amazonaws.com
 
           # Bucket perm/location check allow for potential opt-in regions
-          - Sid: AWSBucketPermissionsCheck
+          - Sid: AWSBucketPermissionsCheckOptinRegions
             Effect: Allow
             Action:
               - s3:GetBucketAcl
               - s3:GetBucketLocation
               - s3:ListBucket
             Resource: !Sub arn:aws:s3:::${rGuardDutyDeliveryS3Bucket}
-            Principal: '*'
-            Condition:
-              StringLike:
-                aws:PrincipalServiceName: guardduty.*.amazonaws.com
+            Principal:
+              Service:
+                - guardduty.ap-southeast-4.amazonaws.com
+                - guardduty.ap-east-1.amazonaws.com
 
           - Sid: AWSBucketDelivery
             Effect: Allow
@@ -163,13 +163,14 @@ Resources:
           - Sid: AWSBucketDeliveryOptinRegions
             Effect: Allow
             Action: s3:PutObject
+            # Condition:
+            #   StringEquals:
+            #     s3:x-amz-acl: bucket-owner-full-control
             Resource: !Sub arn:aws:s3:::${rGuardDutyDeliveryS3Bucket}/*
-            Principal: '*'
-            Condition:
-              StringLike:
-                aws:PrincipalServiceName: guardduty.*.amazonaws.com
-              # StringEquals:
-                # s3:x-amz-acl: bucket-owner-full-control
+            Principal:
+              Service:
+                - guardduty.ap-southeast-4.amazonaws.com
+                - guardduty.ap-east-1.amazonaws.com
 
           - Sid: DenyUnencryptedObjectUploads
             Effect: Deny
@@ -186,13 +187,14 @@ Resources:
           - Sid: DenyUnencryptedObjectUploadsOptinRegions
             Effect: Deny
             Action: s3:PutObject
-            Resource: !Sub arn:aws:s3:::${rGuardDutyDeliveryS3Bucket}/*
-            Principal: '*'
             Condition:
-              StringLike:
-                aws:PrincipalServiceName: guardduty.*.amazonaws.com
-              # StringNotEquals:
-                # s3:x-amz-server-side-encryption: aws:kms
+              StringNotEquals:
+                s3:x-amz-server-side-encryption: aws:kms
+            Resource: !Sub arn:aws:s3:::${rGuardDutyDeliveryS3Bucket}/*
+            Principal:
+              Service:
+                - guardduty.ap-southeast-4.amazonaws.com
+                - guardduty.ap-east-1.amazonaws.com
 
           - Sid: DenyIncorrectEncryptionHeader
             Effect: Deny
@@ -209,13 +211,14 @@ Resources:
           - Sid: DenyIncorrectEncryptionHeaderOptinRegions
             Effect: Deny
             Action: s3:PutObject
-            Resource: !Sub arn:aws:s3:::${rGuardDutyDeliveryS3Bucket}/*
-            Principal: '*'
             Condition:
-              StringLike:
-                aws:PrincipalServiceName: guardduty.*.amazonaws.com
-              # StringNotEquals:
-                # s3:x-amz-server-side-encryption-aws-kms-key-id: !Sub ${pGuardDutyOrgDeliveryKMSKeyArn}
+              StringNotEquals:
+                s3:x-amz-server-side-encryption-aws-kms-key-id: !Sub ${pGuardDutyOrgDeliveryKMSKeyArn}
+            Resource: !Sub arn:aws:s3:::${rGuardDutyDeliveryS3Bucket}/*
+            Principal:
+              Service:
+                - guardduty.ap-southeast-4.amazonaws.com
+                - guardduty.ap-east-1.amazonaws.com
 
 
 Outputs:
