Enable logging to S3 not working properly #60

Open
JaseKoonce opened this issue Oct 4, 2023 · 0 comments
Description

When enabling logging to S3, it creates the access and session logs buckets, but from what I can tell nothing is actually sent to either bucket. Previously this was accomplished by adding a CloudTrail trail and an S3 bucket policy that allowed CloudTrail to put logs into the session logs bucket:

# Create a cloudtrail and event rule to monitor bastion access over ssh
resource "aws_cloudtrail" "ssh-access" {
  # checkov:skip=CKV_AWS_252: SNS not currently needed
  # checkov:skip=CKV2_AWS_10: Cloudwatch logs already being used with cloudtrail
  name                       = "ssh-access"
  s3_bucket_name             = var.access_log_bucket_name
  kms_key_id                 = aws_kms_key.ssmkey.arn
  is_multi_region_trail      = true
  enable_log_file_validation = true
  event_selector {
    read_write_type           = "All"
    include_management_events = true
  }
  depends_on = [
    aws_s3_bucket_policy.cloudwatch-s3-policy,
    aws_kms_key.ssmkey,
    aws_cloudwatch_log_group.ssh-access-log-group
  ]
}

data "aws_iam_policy_document" "cloudwatch-policy" {

  statement {
    sid    = "AWSCloudTrailAclCheck"
    effect = "Allow"

    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }

    actions = [
      "s3:GetBucketAcl",
    ]

    resources = [
      "arn:aws:s3:::${var.access_log_bucket_name}",
    ]

    condition {
      test     = "StringEquals"
      variable = "AWS:SourceArn"

      values = [
        "arn:aws:cloudtrail:${var.aws_region}:${data.aws_caller_identity.current.account_id}:trail/ssh-access",
      ]
    }
  }

  statement {
    sid    = "AWSCloudTrailWrite"
    effect = "Allow"

    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }

    actions = [
      "s3:PutObject",
    ]

    resources = [
      "arn:aws:s3:::${var.access_log_bucket_name}/*",
    ]

    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"

      values = [
        "bucket-owner-full-control",
      ]
    }

    condition {
      test     = "StringEquals"
      variable = "AWS:SourceArn"

      values = [
        "arn:aws:cloudtrail:${var.aws_region}:${data.aws_caller_identity.current.account_id}:trail/ssh-access",
      ]
    }
  }
}

resource "aws_s3_bucket_policy" "cloudwatch-s3-policy" {
  bucket = aws_s3_bucket.access_log_bucket.bucket
  policy = data.aws_iam_policy_document.cloudwatch-policy.json

}

From what I can tell, this has not been replaced by another method of logging, and I believe that is why nothing is being logged to the Session logs bucket.

Impact

No logs in the Session logs bucket

Completion

Completion of this issue would mean that logs regarding the Bastion's established sessions are sent to the Session logs bucket, and that whenever the Session logs bucket is accessed a log is sent to the access logging bucket. In addition to this, an automated test to validate that there are any items (logs) in the Session logs bucket could be very helpful.

  • The change has been peer reviewed
  • Automated tests have been written and/or updated, and are passing
  • Documentation has been written and/or updated
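The automated test the Completion section asks for needs a live bucket, but the precondition it depends on (CloudTrail being allowed to deliver into the bucket at all) can be checked offline from the rendered bucket policy. The script below is an added example, not code from this issue or from the project: it encodes the two statements CloudTrail requires (s3:GetBucketAcl on the bucket and s3:PutObject on its objects with bucket-owner-full-control, both scoped to the trail ARN) and runs that check against two constructed policy documents, one equivalent to the Terraform above and one with the write statement missing, which is the failure mode the issue describes (buckets exist, nothing is delivered). The bucket name, region and account id are placeholders standing in for var.access_log_bucket_name, var.aws_region and data.aws_caller_identity.current.account_id.

```python
"""Offline check that an S3 bucket policy lets a CloudTrail trail deliver logs.

Added example, not code from the issue or the project. Run it over the JSON
that `terraform show` / `aws s3api get-bucket-policy` returns for the bucket.
"""
import json

# Assumed placeholder values (not from the issue).
BUCKET = "example-session-logs"
TRAIL_ARN = "arn:aws:cloudtrail:us-east-1:123456789012:trail/ssh-access"
CLOUDTRAIL_SERVICE = "cloudtrail.amazonaws.com"


def _as_list(value):
    """IAM JSON allows a string or a list in most positions; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _condition_values(stmt, key):
    """StringEquals values for a condition key, matched case-insensitively
    (IAM condition keys such as aws:SourceArn are not case-sensitive)."""
    for test, kv in stmt.get("Condition", {}).items():
        if test != "StringEquals":
            continue
        for k, v in kv.items():
            if k.lower() == key.lower():
                return _as_list(v)
    return []


def _allows_cloudtrail(stmt, action, resource_ok):
    """True if the statement is an Allow for the CloudTrail service principal
    covering `action` on at least one resource accepted by `resource_ok`."""
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal", {})
    services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
    if CLOUDTRAIL_SERVICE not in services:
        return False
    if action not in _as_list(stmt.get("Action")):
        return False
    return any(resource_ok(r) for r in _as_list(stmt.get("Resource")))


def check_cloudtrail_delivery(policy_json, bucket, trail_arn):
    """Return a list of problems; an empty list means CloudTrail can deliver."""
    statements = _as_list(json.loads(policy_json).get("Statement"))
    bucket_arn = f"arn:aws:s3:::{bucket}"
    problems = []

    acl_ok = any(
        _allows_cloudtrail(s, "s3:GetBucketAcl", lambda r: r == bucket_arn)
        and trail_arn in _condition_values(s, "aws:SourceArn")
        for s in statements
    )
    if not acl_ok:
        problems.append("no Allow s3:GetBucketAcl for cloudtrail.amazonaws.com scoped to the trail")

    # Any object-level resource under the bucket is accepted; a narrower prefix
    # (e.g. .../AWSLogs/*) still covers where CloudTrail writes.
    write_ok = any(
        _allows_cloudtrail(s, "s3:PutObject", lambda r: r.startswith(bucket_arn + "/"))
        and trail_arn in _condition_values(s, "aws:SourceArn")
        and "bucket-owner-full-control" in _condition_values(s, "s3:x-amz-acl")
        for s in statements
    )
    if not write_ok:
        problems.append("no Allow s3:PutObject for cloudtrail.amazonaws.com with "
                        "bucket-owner-full-control scoped to the trail")
    return problems


def make_policy(include_write=True):
    """Constructed sample policy, shaped like what the issue's
    aws_iam_policy_document renders; include_write=False reproduces the
    'bucket exists but nothing is delivered' state."""
    statements = [{
        "Sid": "AWSCloudTrailAclCheck",
        "Effect": "Allow",
        "Principal": {"Service": CLOUDTRAIL_SERVICE},
        "Action": "s3:GetBucketAcl",
        "Resource": f"arn:aws:s3:::{BUCKET}",
        "Condition": {"StringEquals": {"AWS:SourceArn": TRAIL_ARN}},
    }]
    if include_write:
        statements.append({
            "Sid": "AWSCloudTrailWrite",
            "Effect": "Allow",
            "Principal": {"Service": CLOUDTRAIL_SERVICE},
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {"StringEquals": {
                "s3:x-amz-acl": "bucket-owner-full-control",
                "AWS:SourceArn": TRAIL_ARN,
            }},
        })
    return json.dumps({"Version": "2012-10-17", "Statement": statements})


if __name__ == "__main__":
    for label, policy in (("full", make_policy(True)), ("no write", make_policy(False))):
        print(label, check_cloudtrail_delivery(policy, BUCKET, TRAIL_ARN) or "OK")
```

An empty result only proves the bucket side of the delivery path; a bucket whose objects are encrypted with a customer-managed KMS key also needs that key's policy to allow cloudtrail.amazonaws.com to use it, and the trail itself must reference the bucket, so pair this with an actual list of the bucket after a session.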
@bunchmj bunchmj self-assigned this Oct 5, 2023
@bunchmj bunchmj linked a pull request Oct 12, 2023 that will close this issue
@bunchmj bunchmj removed a link to a pull request Oct 16, 2023
@bunchmj bunchmj linked a pull request Oct 16, 2023 that will close this issue
@bunchmj bunchmj removed a link to a pull request Oct 16, 2023
@bunchmj bunchmj linked a pull request Oct 16, 2023 that will close this issue