diff --git a/modules/integrations/cloud-logs/README.md b/modules/integrations/cloud-logs/README.md
index be29c42..59ff540 100644
--- a/modules/integrations/cloud-logs/README.md
+++ b/modules/integrations/cloud-logs/README.md
@@ -11,21 +11,22 @@ The following resources will be created in each instrumented account:
 If instrumenting an AWS Gov account/organization, resources will be created in `aws-us-gov` region.
-
 ## Requirements
-| Name | Version |
-|---------------------------------------------------------------------------|-----------|
-| [terraform](#requirement\_terraform) | >= 1.0.0 |
-| [aws](#requirement\_aws) | >= 5.60.0 |
-| [sysdig](#requirement\_sysdig) | ~>1.39 |
-| [random](#requirement\_random) | >= 3.1 |
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1.0.0 |
+| [aws](#requirement\_aws) | >= 5.60.0 |
+| [random](#requirement\_random) | >= 3.1 |
+| [sysdig](#requirement\_sysdig) | ~> 1.44 |
 ## Providers
-| Name | Version |
-|---------------------------------------------------|-----------|
+| Name | Version |
+|------|---------|
 | [aws](#provider\_aws) | >= 5.60.0 |
+| [random](#provider\_random) | >= 3.1 |
+| [sysdig](#provider\_sysdig) | ~> 1.44 |
 ## Modules 
@@ -33,35 +34,45 @@ No modules. ## Resources -| Name | Type | -|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------| -| [random_id.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource | -| [aws_iam_role.cloudlogs_s3_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_iam_role_policy.cloudlogs_s3_access_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | -| [aws_iam_policy_document.assume_cloudlogs_s3_access_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.cloudlogs_s3_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | -| [sysdig_secure_trusted_cloud_identity.trusted_identity](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_trusted_cloud_identity) | data source | -| [sysdig_secure_tenant_external_id.external_id](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_tenant_external_id) | data source | -| [sysdig_secure_cloud_auth_account_component.aws_cloud_logs](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/resources/secure_cloud_auth_account_component) | resource | +| Name | Type | +|------|------| +| [aws_iam_role.cloudlogs_s3_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| 
[aws_iam_role_policy.cloudlogs_s3_access_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_sns_topic.cloudtrail_notifications](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource | +| [aws_sns_topic_policy.cloudtrail_notifications](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_policy) | resource | +| [aws_sns_topic_subscription.cloudtrail_notifications](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource | +| [random_id.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource | +| [sysdig_secure_cloud_auth_account_component.aws_cloud_logs](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/resources/secure_cloud_auth_account_component) | resource | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_iam_policy_document.assume_cloudlogs_s3_access_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.cloudlogs_s3_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [sysdig_secure_cloud_ingestion_assets.assets](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_cloud_ingestion_assets) | data source | +| [sysdig_secure_tenant_external_id.external_id](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_tenant_external_id) | data source | +| [sysdig_secure_trusted_cloud_identity.trusted_identity](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_trusted_cloud_identity) | data source | ## Inputs -| Name | 
Description | Type | Default | Required | -|------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------|---------------|-------------------------------------------------------------|:--------:| -| [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | (Required) ID of the Sysdig Cloud Account to enable Cloud Logs integration for (in case of organization, ID of the Sysdig management account) | `string` | n/a | yes | -| [folder\_arn](#input\_folder\_arn) | (Required) The ARN of your CloudTrail Bucket Folder | `string` | n/a | yes | -| [tags](#input\_tags) | (Optional) Name to be assigned to all child resources. A suffix may be added internally when required. | `map(string)` |
{
"product": "sysdig-secure-for-cloud"
} | no |
-| [name](#input\_name) | (Optional) Sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning | `string` | sysdig-secure-cloudlogs | no |
-| [regions](#input\_regions) | (Optional) The list of AWS regions we want to scrape data from | `set(string)` | `[]` | no |
-| [is\_gov\_cloud](#input\_is\_gov\_cloud\_onboarding) | true/false whether secure-for-cloud should be deployed in a govcloud account/org or not | `bool` | `false` | no |
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [bucket\_arn](#input\_bucket\_arn) | (Required) The ARN of your CloudTrail Bucket | `string` | n/a | yes |
+| [create\_topic](#input\_create\_topic) | true/false whether terraform should create the SNS Topic | `bool` | `false` | no |
+| [is\_gov\_cloud\_onboarding](#input\_is\_gov\_cloud\_onboarding) | true/false whether secure-for-cloud should be deployed in a govcloud account/org or not | `bool` | `false` | no |
+| [is\_log\_file\_kms\_encryption\_enabled](#input\_is\_log\_file\_kms\_encryption\_enabled) | needed only if cloudtrail s3 bucket is located in different account. true/false whether log file encryption is enabled | `bool` | `false` | no |
+| [is\_s3\_bucket\_in\_different\_account](#input\_is\_s3\_bucket\_in\_different\_account) | true/false whether cloudtrail s3 bucket is located in different account | `bool` | `false` | no |
+| [kms\_key\_arn](#input\_kms\_key\_arn) | KMS key ARN that is used to encrypt log files in s3 bucket | `string` | `""` | no |
+| [name](#input\_name) | (Optional) Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sysdig-secure-cloudlogs"` | no |
+| [regions](#input\_regions) | (Optional) The list of AWS regions we want to scrape data from | `set(string)` | `[]` | no |
+| [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | ID of the Sysdig Cloud Account to enable Cloud Logs integration for (in case of organization, ID of the Sysdig management account) | `string` | n/a | yes |
+| [tags](#input\_tags) | (Optional) Sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning | `map(string)` | {
"product": "sysdig-secure-for-cloud"
} | no |
+| [topic\_arn](#input\_topic\_arn) | SNS Topic ARN that will forward CloudTrail notifications to Sysdig Secure | `string` | n/a | yes |
## Outputs
-| Name | Description |
-|-----------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------|
+| Name | Description |
+|------|-------------|
| [cloud\_logs\_component\_id](#output\_cloud\_logs\_component\_id) | Component identifier of Cloud Logs integration created in Sysdig Backend for Log Ingestion |
-
+| [extra\_permissions\_kms\_key](#output\_extra\_permissions\_kms\_key) | Extra permissions to add to KMS key policy |
+| [extra\_permissions\_s3\_bucket](#output\_extra\_permissions\_s3\_bucket) | Extra permissions to add to s3 bucket |
## Authors
diff --git a/modules/integrations/cloud-logs/main.tf b/modules/integrations/cloud-logs/main.tf
index 4c821a2..d0ce366 100644
--- a/modules/integrations/cloud-logs/main.tf
+++ b/modules/integrations/cloud-logs/main.tf
@@ -119,6 +119,23 @@ data "aws_iam_policy_document" "cloudlogs_s3_access" {
"${var.bucket_arn}/*"
]
}
+
+ dynamic "statement" {
+ for_each = var.is_s3_bucket_in_different_account && var.is_log_file_kms_encryption_enabled ? [1] : []
+ content {
+ sid = "AllowDecryptWithCrossAccountKey"
+
+ effect = "Allow"
+
+ actions = [
+ "kms:Decrypt"
+ ]
+
+ resources = [
+ var.kms_key_arn
+ ]
+ }
+ }
}
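Review bot: The new `kms:Decrypt` statement (sid `AllowDecryptWithCrossAccountKey`) grants decrypt on `var.kms_key_arn` with no condition, while the key-policy snippet this same commit emits in outputs.tf scopes the identical grant with `kms:ViaService` and `kms:EncryptionContext:aws:s3:arn`. Carrying the same two conditions on the identity side keeps the role least-privilege even when the key policy ends up broader than the suggested snippet, and it keeps the two halves of the design consistent. The partition in the region regex is left open so a GovCloud key ARN (`arn:aws-us-gov:kms:...`) also matches. The enclosing `data "aws_iam_policy_document" "cloudlogs_s3_access"` block starts above the hunk.
```hcl
      resources = [
        var.kms_key_arn
      ]

      # Same scoping as the key-policy snippet in outputs.tf: decrypt only
      # when called through S3, and only for objects in the CloudTrail bucket.
      condition {
        test     = "StringEquals"
        variable = "kms:ViaService"
        values   = ["s3.${regex("^arn:[^:]+:kms:([^:]+):\\d+:key/.*$", var.kms_key_arn)[0]}.amazonaws.com"]
      }

      condition {
        test     = "StringLike"
        variable = "kms:EncryptionContext:aws:s3:arn"
        values   = ["${var.bucket_arn}/*"]
      }
```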
#-----------------------------------------------------------------------------------------------------------------------
diff --git a/modules/integrations/cloud-logs/outputs.tf b/modules/integrations/cloud-logs/outputs.tf
index 35b6b1e..b2e609e 100644
--- a/modules/integrations/cloud-logs/outputs.tf
+++ b/modules/integrations/cloud-logs/outputs.tf
@@ -3,3 +3,53 @@ output "cloud_logs_component_id" {
description = "Component identifier of Cloud Logs integration created in Sysdig Backend for Log Ingestion"
depends_on = [ sysdig_secure_cloud_auth_account_component.aws_cloud_logs ]
}
+
+output "extra_permissions_s3_bucket" {
+ value = ( var.is_s3_bucket_in_different_account
+ ? <<-EOT
+
+ Please add following extra permissions to cloudtrail S3 bucket:
+
+ {
+ "Sid": "Sysdig-Get",
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "${aws_iam_role.cloudlogs_s3_access.arn}"
+ },
+ "Action": "s3:GetObject",
+ "Resource": "${var.bucket_arn}/*"
+ }
+ EOT
+ : null )
+ description = "Extra permissions to add to s3 bucket"
+ depends_on = [ sysdig_secure_cloud_auth_account_component.aws_cloud_logs ]
+}
+
+output "extra_permissions_kms_key" {
+ value = ( var.is_log_file_kms_encryption_enabled
+ ? <<-EOT
+
+ Please add following extra permissions to KMS key policy:
+
+ {
+ "Sid": "Sysdig-Decrypt",
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "${aws_iam_role.cloudlogs_s3_access.arn}"
+ },
+ "Action": "kms:Decrypt",
+ "Resource": "*",
+ "Condition": {
+ "StringEquals": {
+ "kms:ViaService": "s3.${regex("^arn:aws:kms:([^:]+):\\d+:key/.*$", var.kms_key_arn)[0]}.amazonaws.com"
+ },
+ "StringLike": {
+ "kms:EncryptionContext:aws:s3:arn": "${var.bucket_arn}/*"
+ }
+ }
+ }
+ EOT
+ : null )
+ description = "Extra permissions to add to KMS key policy"
+ depends_on = [ sysdig_secure_cloud_auth_account_component.aws_cloud_logs ]
+}
\ No newline at end of file
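Review bot: The region extraction in `extra_permissions_kms_key` hard-codes the `arn:aws:` partition, so a GovCloud key ARN (`arn:aws-us-gov:kms:...`) never matches and `regex()` fails the plan with an error, even though the README in this commit advertises GovCloud onboarding; `"kms:ViaService": "s3.${regex("^arn:[^:]+:kms:([^:]+):\\d+:key/.*$", var.kms_key_arn)[0]}.amazonaws.com"` accepts any partition. The same `regex()` error also fires when `is_log_file_kms_encryption_enabled` is true with the default `kms_key_arn = ""`, because this output is gated on that one flag alone, unlike the role policy in main.tf which requires both flags; gating it with `var.is_log_file_kms_encryption_enabled && var.kms_key_arn != ""` avoids a plan failure that surfaces only as a regex message. The file also lacks a trailing newline, which the diff marker on the last line records.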
diff --git a/modules/integrations/cloud-logs/variables.tf b/modules/integrations/cloud-logs/variables.tf
index 7f9a22a..cbe286f 100644
--- a/modules/integrations/cloud-logs/variables.tf
+++ b/modules/integrations/cloud-logs/variables.tf
@@ -35,6 +35,24 @@ variable "is_gov_cloud_onboarding" {
description = "true/false whether secure-for-cloud should be deployed in a govcloud account/org or not"
}
+variable "is_s3_bucket_in_different_account" {
+ type = bool
+ default = false
+ description = "true/false whether cloudtrail s3 bucket is located in different account"
+}
+
+variable "is_log_file_kms_encryption_enabled" {
+ type = bool
+ default = false
+ description = "needed only if cloudtrail s3 bucket is located in different account. true/false whether log file encryption is enabled"
+}
+
+variable "kms_key_arn" {
+ type = string
+ description = "KMS key ARN that is used to encrypt log files in s3 bucket"
+ default = ""
+}
+
variable "topic_arn" {
type = string
description = "SNS Topic ARN that will forward CloudTrail notifications to Sysdig Secure"
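Review bot: `kms_key_arn` defaults to `""` with no format check, yet main.tf puts it straight into an IAM `resources` list and outputs.tf runs `regex()` over it, so a typo or a non-KMS ARN is only caught at plan or apply time with an unrelated-looking error; a `validation` block that accepts either the empty default or a KMS key ARN in any partition reports the problem at the variable. The description of `is_log_file_kms_encryption_enabled` says it is "needed only if cloudtrail s3 bucket is located in different account", but the `extra_permissions_kms_key` output in this commit reads the flag on its own, so I would reword it to `description = "true/false whether CloudTrail log files in the S3 bucket are KMS-encrypted; when true, kms_key_arn must be set"`.
```hcl
variable "kms_key_arn" {
  type        = string
  description = "KMS key ARN that is used to encrypt log files in s3 bucket"
  default     = ""

  validation {
    condition     = var.kms_key_arn == "" || can(regex("^arn:[^:]+:kms:[^:]+:\\d{12}:key/", var.kms_key_arn))
    error_message = "kms_key_arn must be empty or a KMS key ARN (arn:<partition>:kms:<region>:<account>:key/<id>)."
  }
}
```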