From e31a3bea0792c44b7faeddd1509f42afe4839b00 Mon Sep 17 00:00:00 2001
From: Federico Barcelona
Date: Tue, 13 Dec 2022 13:26:42 +0100
Subject: [PATCH 1/5] fix: Require all requests to S3 Bucket to be SSL (PCI.S3.5)

---
 modules/infrastructure/cloudtrail/README.md | 1 +
 modules/infrastructure/cloudtrail/s3.tf | 33 ++++++++++++++++++---
 2 files changed, 30 insertions(+), 4 deletions(-)

diff --git a/modules/infrastructure/cloudtrail/README.md b/modules/infrastructure/cloudtrail/README.md
index 0e021682..9af15d9d 100644
--- a/modules/infrastructure/cloudtrail/README.md
+++ b/modules/infrastructure/cloudtrail/README.md
@@ -30,6 +30,7 @@ No modules.
 | [aws_s3_bucket_lifecycle_configuration.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource |
 | [aws_s3_bucket_policy.cloudtrail_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
 | [aws_s3_bucket_public_access_block.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
+| [aws_s3_bucket_server_side_encryption_configuration.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
 | [aws_sns_topic.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource |
 | [aws_sns_topic_policy.allow_cloudtrail_publish](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_policy) | resource |
 | [aws_caller_identity.me](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
diff --git a/modules/infrastructure/cloudtrail/s3.tf b/modules/infrastructure/cloudtrail/s3.tf
index 7ce8a6c6..c56e4846 100644
--- a/modules/infrastructure/cloudtrail/s3.tf
+++ b/modules/infrastructure/cloudtrail/s3.tf
@@ -10,6 +10,15 @@ resource "aws_s3_bucket" "cloudtrail" { tags = var.tags } +resource "aws_s3_bucket_server_side_encryption_configuration" "cloudtrail" { + bucket = aws_s3_bucket.cloudtrail.id + rule { + apply_server_side_encryption_by_default { + sse_algorithm = "AES256" + } + } +} + resource "aws_s3_bucket_lifecycle_configuration" "cloudtrail" { bucket = aws_s3_bucket.cloudtrail.id @@ -43,14 +52,11 @@ resource "aws_s3_bucket_public_access_block" "cloudtrail" { } - resource "aws_s3_bucket_policy" "cloudtrail_s3" { bucket = aws_s3_bucket.cloudtrail.id policy = data.aws_iam_policy_document.cloudtrail_s3.json } data "aws_iam_policy_document" "cloudtrail_s3" { - - # begin. required policies as requested in aws_cloudtrail resource documentation statement { sid = "AWSCloudTrailAclCheck" effect = "Allow" @@ -77,5 +83,24 @@ data "aws_iam_policy_document" "cloudtrail_s3" { } resources = ["${aws_s3_bucket.cloudtrail.arn}/AWSLogs/*"] } - # end + + # S3 buckets should require requests to use Secure Socket Layer + # [PCI.S3.5] This AWS control checks whether S3 buckets have policies that require requests to use Secure Socket Layer (SSL). + statement { + principals { + identifiers = ["*"] + type = "AWS" + } + actions = ["s3:*"] + resources = [ + aws_s3_bucket.cloudtrail.arn, + "${aws_s3_bucket.cloudtrail.arn}/*" + ] + effect = "Deny" + condition { + test = "Bool" + variable = "aws:SecureTransport" + values = ["false"] + } + } } From c6607240204012784bdab19bcc7960a5183eebc1 Mon Sep 17 00:00:00 2001 From: Fede Barcelona Date: Thu, 15 Dec 2022 18:35:55 +0100 Subject: [PATCH 2/5] feat: Apply Server Side Encryption with KMS if enabled --- .github/workflows/ci-pull-request.yaml | 1 - modules/infrastructure/cloudtrail/s3.tf | 9 ++++++--- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci-pull-request.yaml b/.github/workflows/ci-pull-request.yaml index d9d7e77d..0fa4aa37 100644 --- a/.github/workflows/ci-pull-request.yaml 
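Review bot: The new `aws_s3_bucket_server_side_encryption_configuration.cloudtrail` rule only governs objects written after it is applied; log objects already sitting in the bucket keep whatever encryption (or none) they had, so on an existing deployment this hunk does not by itself close the finding for historic objects. That is easy to miss when reading the module, so a one-line comment above the resource would help, e.g. `# Default encryption applies to newly written objects only; pre-existing objects are not re-encrypted.`.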
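Review bot: The new Deny statement in `data.aws_iam_policy_document.cloudtrail_s3` has no `sid`, unlike the earlier statements in the same document (`AWSCloudTrailAclCheck` is visible in the hunk), so it will be hard to pick out in the rendered bucket policy and in Security Hub or Access Analyzer output; add something like `sid = "DenyInsecureTransport"` (name is a suggestion) as the first line of the statement. The condition itself (`Bool` on `aws:SecureTransport` with value `false`, on both the bucket ARN and `/*`) is the complete form of this control, and because it is an explicit Deny on `s3:*` it also binds the CloudTrail service principal; CloudTrail delivers over HTTPS so delivery should be unaffected, but that is worth confirming on an existing trail after apply. The comment wording "Secure Socket Layer" mirrors the control title, while what the condition enforces is that the request used TLS, so `# Deny any request that does not arrive over TLS (aws:SecureTransport = false)` would be more accurate for a reader of the policy.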
+++ b/.github/workflows/ci-pull-request.yaml @@ -71,7 +71,6 @@ jobs: - name: Install pre-commit dependencies run: | pip install pre-commit - go install github.com/hashicorp/terraform-config-inspect@latest make deps - name: Execute generate-terraform-providers for organizational diff --git a/modules/infrastructure/cloudtrail/s3.tf b/modules/infrastructure/cloudtrail/s3.tf index c56e4846..3b6aec55 100644 --- a/modules/infrastructure/cloudtrail/s3.tf +++ b/modules/infrastructure/cloudtrail/s3.tf @@ -13,8 +13,10 @@ resource "aws_s3_bucket" "cloudtrail" { resource "aws_s3_bucket_server_side_encryption_configuration" "cloudtrail" { bucket = aws_s3_bucket.cloudtrail.id rule { + apply_server_side_encryption_by_default { - sse_algorithm = "AES256" + sse_algorithm = var.cloudtrail_kms_enable ? "aws:kms" : "AES256" + kms_master_key_id = var.cloudtrail_kms_enable ? aws_kms_key.cloudtrail_kms[0].id : null } } } @@ -48,7 +50,8 @@ resource "aws_s3_bucket_public_access_block" "cloudtrail" { block_public_policy = true ignore_public_acls = true restrict_public_buckets = true - depends_on = [aws_s3_bucket_policy.cloudtrail_s3] # https://github.com/hashicorp/terraform-provider-aws/issues/7628 + depends_on = [aws_s3_bucket_policy.cloudtrail_s3] + # https://github.com/hashicorp/terraform-provider-aws/issues/7628 } @@ -91,7 +94,7 @@ data "aws_iam_policy_document" "cloudtrail_s3" { identifiers = ["*"] type = "AWS" } - actions = ["s3:*"] + actions = ["s3:*"] resources = [ aws_s3_bucket.cloudtrail.arn, "${aws_s3_bucket.cloudtrail.arn}/*" From 75769a07e2725ac2959d5aba6e4850ad5328f802 Mon Sep 17 00:00:00 2001 From: Fede Barcelona Date: Thu, 15 Dec 2022 18:47:41 +0100 Subject: [PATCH 3/5] style: Format tf code --- modules/infrastructure/cloudtrail/s3.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/infrastructure/cloudtrail/s3.tf b/modules/infrastructure/cloudtrail/s3.tf index 3b6aec55..62f3fb4e 100644 --- a/modules/infrastructure/cloudtrail/s3.tf 
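Review bot: In the `aws_s3_bucket_server_side_encryption_configuration.cloudtrail` hunk, `kms_master_key_id` is set from `aws_kms_key.cloudtrail_kms[0].id` rather than `.arn`; S3 accepts either, but the key ARN is the form AWS recommends for this setting so the reference resolves unambiguously (including for readers in other accounts), i.e. `kms_master_key_id = var.cloudtrail_kms_enable ? aws_kms_key.cloudtrail_kms[0].arn : null`. Switching the default to `aws:kms` also means every CloudTrail delivery goes through KMS; `bucket_key_enabled = true` in the `rule` block reduces those calls, and delivery will only succeed if the key policy on `aws_kms_key.cloudtrail_kms` already lets the CloudTrail service principal generate data keys — that policy is outside this hunk, so please confirm. The bare `+` blank line added inside `rule {` just before `apply_server_side_encryption_by_default` looks accidental and is not picked up by the later "Format tf code" patch.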
+++ b/modules/infrastructure/cloudtrail/s3.tf @@ -94,7 +94,7 @@ data "aws_iam_policy_document" "cloudtrail_s3" { identifiers = ["*"] type = "AWS" } - actions = ["s3:*"] + actions = ["s3:*"] resources = [ aws_s3_bucket.cloudtrail.arn, "${aws_s3_bucket.cloudtrail.arn}/*" From 62412122919346a67913edfe673bf77f9a6a1478 Mon Sep 17 00:00:00 2001 From: Federico Barcelona Date: Tue, 20 Dec 2022 16:11:20 +0100 Subject: [PATCH 4/5] style: Remove trailing whitespace --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 51a0626a..93857469 100644 --- a/README.md +++ b/README.md @@ -340,7 +340,7 @@ A: For Organizational Setup for cloudbench (deployed through management account ### Q-RuntimeThreat Detection: Getting error 403 `"could not load rule set from Sysdig Secure: ruleprovider#newPartialRuleSet | error loading default-rules: error from Sysdig Secure API: 403` -A: The Sysdig User that deployed the components is a standard user within the Sysdig Platform. Only administrator users are given permissions to read falco rule sets. Once this permission is changed, you should no longer get this error and CSPM Cloud events should start populating. +A: The Sysdig User that deployed the components is a standard user within the Sysdig Platform. Only administrator users are given permissions to read falco rule sets. Once this permission is changed, you should no longer get this error and CSPM Cloud events should start populating.

From 6be571df2dab616b0147f04de5bca9338109061c Mon Sep 17 00:00:00 2001 From: Federico Barcelona Date: Tue, 20 Dec 2022 16:16:51 +0100 Subject: [PATCH 5/5] ci: Download pinned version of tfscan --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index bb5611e6..f76e3c76 100644 --- a/Makefile +++ b/Makefile @@ -1,7 +1,7 @@ deps: go install github.com/terraform-docs/terraform-docs@v0.16.0 go install github.com/hashicorp/terraform-config-inspect@latest - curl -L "`curl -s https://api.github.com/repos/terraform-linters/tflint/releases/latest | grep -o -E "https://.+?_linux_amd64.zip"`" -o tflint.zip && \ + curl -L https://github.com/terraform-linters/tflint/releases/download/v0.43.0/tflint_linux_amd64.zip -o tflint.zip && \ unzip tflint.zip && \ rm tflint.zip && \ mv tflint "`go env GOPATH`/bin"
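Review bot: Pinning tflint to v0.43.0 removes the "latest release" lookup, but the downloaded archive is still not integrity-checked, and two lines above `go install github.com/hashicorp/terraform-config-inspect@latest` remains unpinned while terraform-docs is pinned to v0.16.0 in the same `deps` target. Verifying the zip against the checksum published with the tflint release would make the pin meaningful, e.g. `curl -fsSL https://github.com/terraform-linters/tflint/releases/download/v0.43.0/tflint_linux_amd64.zip -o tflint.zip && \` followed by `echo "<sha256-from-release-checksums>  tflint.zip" | sha256sum -c - && \` before `unzip tflint.zip`; `-f` also stops curl from saving an HTML error page as `tflint.zip` on a failed download. Pinning terraform-config-inspect to a fixed version (`@<pinned-version>`) would keep all three tools reproducible.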