From bfa4a1fe1254f8b7e9986d1ae65fab4e40857f22 Mon Sep 17 00:00:00 2001
From: David Sibley
Date: Fri, 20 Sep 2024 11:05:11 +0100
Subject: [PATCH 1/2] updated bucket policies for cortex buckets to allow logs from AWS log service

---
 terraform/environments/core-logging/cortex.tf | 46 +++++++++++++++++++
 1 file changed, 46 insertions(+)

diff --git a/terraform/environments/core-logging/cortex.tf b/terraform/environments/core-logging/cortex.tf
index 63fef99a4..f3de4f456 100644
--- a/terraform/environments/core-logging/cortex.tf
+++ b/terraform/environments/core-logging/cortex.tf
@@ -35,6 +35,52 @@ data "aws_iam_policy_document" "logging-bucket" {
 values = ["arn:aws:iam::*:role/firehose-to-s3*"]
 }
 }
+ statement {
+ sid = "AWSLogDeliveryWrite"
+ effect = "Allow"
+
+ principals {
+ type = "Service"
+ identifiers = ["delivery.logs.amazonaws.com"]
+ }
+
+ actions = ["s3:PutObject"]
+ resources = ["${aws_s3_bucket.logging[each.key].arn}/*"]
+
+ condition {
+ test = "StringEquals"
+ variable = "s3:x-amz-acl"
+ values = ["bucket-owner-full-control"]
+ }
+
+ condition {
+ test = "ForAnyValue:StringLike"
+ variable = "aws:PrincipalOrgPaths"
+ values = [
+ "${data.aws_organizations_organization.root_account.id}/*/${local.environment_management.modernisation_platform_organisation_unit_id}/*"
+ ]
+ }
+ }
+ statement {
+ sid = "AWSLogDeliveryCheck"
+ effect = "Allow"
+
+ principals {
+ type = "Service"
+ identifiers = ["delivery.logs.amazonaws.com"]
+ }
+
+ actions = ["s3:GetBucketAcl"]
+ resources = [aws_s3_bucket.logging[each.key].arn]
+
+ condition {
+ test = "ForAnyValue:StringLike"
+ variable = "aws:PrincipalOrgPaths"
+ values = [
+ "${data.aws_organizations_organization.root_account.id}/*/${local.environment_management.modernisation_platform_organisation_unit_id}/*"
+ ]
+ }
+ }
 }
 
 data "aws_iam_policy_document" "logging-sqs" {

From 22b0d5b39c45addb48aace25228816eccfff625c Mon Sep 17 00:00:00 2001
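Review bot: Both new statements gate the delivery.logs.amazonaws.com service principal on `aws:PrincipalOrgPaths`, but that key describes the calling IAM principal, and it is not evident from the hunk that it is populated when the log delivery service itself makes the request; if the key is absent, `ForAnyValue:StringLike` cannot match and both grants are silently inert, so a test delivery should confirm the statements actually take effect before anything depends on them. The AWS-documented bucket policy for this principal scopes it with `aws:SourceAccount` (and `aws:SourceArn`), which is also the confused-deputy guard that ties writes to the accounts expected to deliver logs; `aws:SourceOrgPaths` is the service-request counterpart if organisation-level scoping is what is wanted here. Whichever key is chosen, the same condition belongs in AWSLogDeliveryCheck as well. The enclosing data "aws_iam_policy_document" "logging-bucket" block starts outside the hunk.
```hcl
  # … unchanged: AWSLogDeliveryWrite principals, actions, resources and s3:x-amz-acl condition …
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [<PLACEHOLDER: list of account IDs expected to deliver logs>]
    }
  # … same condition repeated in the AWSLogDeliveryCheck statement …
```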
From: David Sibley
Date: Fri, 20 Sep 2024 11:07:07 +0100
Subject: [PATCH 2/2] added statement to enforce TLS1.2 or above

---
 terraform/environments/core-logging/cortex.tf | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/terraform/environments/core-logging/cortex.tf b/terraform/environments/core-logging/cortex.tf
index f3de4f456..688209b25 100644
--- a/terraform/environments/core-logging/cortex.tf
+++ b/terraform/environments/core-logging/cortex.tf
@@ -81,6 +81,24 @@ data "aws_iam_policy_document" "logging-bucket" {
 ]
 }
 }
+ statement {
+ sid = "EnforceTLSv12orHigher"
+ effect = "Deny"
+ actions = ["s3:*"]
+ resources = [
+ aws_s3_bucket.logging[each.key].arn,
+ "${aws_s3_bucket.logging[each.key].arn}/*"
+ ]
+ principals {
+ identifiers = ["*"]
+ type = "AWS"
+ }
+ condition {
+ test = "NumericLessThan"
+ variable = "s3:TlsVersion"
+ values = [1.2]
+ }
+ }
 }
 
 data "aws_iam_policy_document" "logging-sqs" {
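Review bot: The EnforceTLSv12orHigher Deny only catches requests that negotiated TLS below 1.2; a plaintext HTTP request carries no `s3:TlsVersion` key at all, `NumericLessThan` on an absent key evaluates false, and the Deny does not apply, so unencrypted access to the bucket is still not blocked by this policy. Pair it with a second Deny on `aws:SecureTransport` being false so both weak-TLS and no-TLS transport are rejected. Quoting the version as `values = ["1.2"]` would also avoid relying on Terraform's implicit number-to-string conversion for the `values` list(string) attribute. The enclosing data "aws_iam_policy_document" "logging-bucket" block starts outside the hunk.
```hcl
  # … unchanged: EnforceTLSv12orHigher statement …
  statement {
    sid     = "DenyInsecureTransport"
    effect  = "Deny"
    actions = ["s3:*"]
    resources = [
      aws_s3_bucket.logging[each.key].arn,
      "${aws_s3_bucket.logging[each.key].arn}/*"
    ]
    principals {
      identifiers = ["*"]
      type        = "AWS"
    }
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
```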