feat: FTRS-3063 Add cloudtrail for s3 data events

ri-nhs · ri-nhs · commit 08e93c32666b · 2026-02-25T17:01:47.000Z
diff --git a/infrastructure/account_wide.tfvars b/infrastructure/account_wide.tfvars
@@ -48,3 +48,5 @@ hec_acknowledgment_timeout        = 300
 hec_endpoint_type                 = "Raw"
 retry_duration                    = 300
 s3_backup_mode                    = "FailedEventsOnly"
+
+cloudtrail_log_retention_days = 30
diff --git a/infrastructure/environments/int/account_wide.tfvars b/infrastructure/environments/int/account_wide.tfvars
@@ -24,3 +24,4 @@ single_nat_gateway     = true
 one_nat_gateway_per_az = false
 
 regional_waf_log_group_retention_days = 30
+cloudtrail_log_retention_days         = 90
diff --git a/infrastructure/environments/prod/account_wide.tfvars b/infrastructure/environments/prod/account_wide.tfvars
@@ -25,3 +25,4 @@ single_nat_gateway     = false
 one_nat_gateway_per_az = true
 
 regional_waf_log_group_retention_days = 90
+cloudtrail_log_retention_days         = 365
diff --git a/infrastructure/environments/ref/account_wide.tfvars b/infrastructure/environments/ref/account_wide.tfvars
@@ -24,3 +24,4 @@ single_nat_gateway     = false
 one_nat_gateway_per_az = true
 
 regional_waf_log_group_retention_days = 90
+cloudtrail_log_retention_days         = 180
diff --git a/infrastructure/stacks/account_wide/cloudtrail.tf b/infrastructure/stacks/account_wide/cloudtrail.tf
@@ -0,0 +1,67 @@
+# CloudTrail trail logging S3 object-level data events
+resource "aws_cloudtrail" "s3_data_events" {
+  # checkov:skip=CKV_AWS_252: Justification: No CMK required by design; default SSE-S3 encryption is sufficient.
+  # checkov:skip=CKV2_AWS_10: Justification: CloudWatch Logs integration is not required for this S3 data events trail.
+  name = "${local.resource_prefix}-${var.cloudtrail_trail_name}"
+
+  s3_bucket_name = module.cloudtrail_s3_bucket.s3_bucket_id
+
+  # Regional, non-aggregated trail (same region delivery, no multi-region)
+  is_multi_region_trail         = false
+  include_global_service_events = false
+
+  # Requirement: log file validation
+  enable_log_file_validation = true
+
+  # S3 object-level write events — satisfies [S3.22]
+  advanced_event_selector {
+    name = "Log S3 object-level write events (S3.22)"
+
+    field_selector {
+      field  = "eventCategory"
+      equals = ["Data"]
+    }
+
+    field_selector {
+      field  = "resources.type"
+      equals = ["AWS::S3::Object"]
+    }
+
+    field_selector {
+      field  = "readOnly"
+      equals = ["false"]
+    }
+
+    # Exclude the CloudTrail delivery bucket itself to prevent a feedback loop
+    field_selector {
+      field           = "resources.ARN"
+      not_starts_with = ["${module.cloudtrail_s3_bucket.s3_bucket_arn}/"]
+    }
+  }
+
+  # S3 object-level read events — satisfies [S3.23]
+  advanced_event_selector {
+    name = "Log S3 object-level read events (S3.23)"
+
+    field_selector {
+      field  = "eventCategory"
+      equals = ["Data"]
+    }
+
+    field_selector {
+      field  = "resources.type"
+      equals = ["AWS::S3::Object"]
+    }
+
+    field_selector {
+      field  = "readOnly"
+      equals = ["true"]
+    }
+
+    # Exclude the CloudTrail delivery bucket itself to prevent a feedback loop
+    field_selector {
+      field           = "resources.ARN"
+      not_starts_with = ["${module.cloudtrail_s3_bucket.s3_bucket_arn}/"]
+    }
+  }
+}
diff --git a/infrastructure/stacks/account_wide/data.tf b/infrastructure/stacks/account_wide/data.tf
@@ -66,3 +66,47 @@ data "aws_iam_policy_document" "regional_waf_log_group_policy_document" {
 data "aws_prefix_list" "s3" {
   name = "com.amazonaws.${var.aws_region}.s3"
 }
+
+data "aws_iam_policy_document" "cloudtrail_s3_bucket_policy" {
+  statement {
+    sid = "AWSCloudTrailAclCheck"
+
+    principals {
+      type        = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
+    }
+
+    actions   = ["s3:GetBucketAcl"]
+    resources = ["_S3_BUCKET_ARN_"]
+
+    condition {
+      test     = "StringEquals"
+      variable = "aws:SourceArn"
+      values   = ["arn:aws:cloudtrail:${var.aws_region}:${local.account_id}:trail/${local.resource_prefix}-${var.cloudtrail_trail_name}"]
+    }
+  }
+
+  statement {
+    sid = "AWSCloudTrailWrite"
+
+    principals {
+      type        = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
+    }
+
+    actions   = ["s3:PutObject"]
+    resources = ["_S3_BUCKET_ARN_/AWSLogs/${local.account_id}/*"]
+
+    condition {
+      test     = "StringEquals"
+      variable = "s3:x-amz-acl"
+      values   = ["bucket-owner-full-control"]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "aws:SourceArn"
+      values   = ["arn:aws:cloudtrail:${var.aws_region}:${local.account_id}:trail/${local.resource_prefix}-${var.cloudtrail_trail_name}"]
+    }
+  }
+}
diff --git a/infrastructure/stacks/account_wide/s3.tf b/infrastructure/stacks/account_wide/s3.tf
@@ -142,3 +142,28 @@ module "firehose_backup_s3" {
   enable_kms_encryption = var.enable_firehose_s3_kms_encryption
   s3_logging_bucket     = local.s3_logging_bucket
 }
+
+# S3 bucket to receive CloudTrail log deliveries
+module "cloudtrail_s3_bucket" {
+  source        = "../../modules/s3"
+  bucket_name   = "${local.resource_prefix}-${var.cloudtrail_bucket_name}"
+  force_destroy = var.cloudtrail_bucket_force_destroy
+
+  s3_logging_bucket = local.s3_logging_bucket
+
+  attach_policy = true
+  policy        = data.aws_iam_policy_document.cloudtrail_s3_bucket_policy.json
+
+  lifecycle_rule_inputs = [
+    {
+      id      = "delete_logs_older_than_${var.cloudtrail_log_retention_days}_days"
+      enabled = true
+      filter = {
+        prefix = ""
+      }
+      expiration = {
+        days = var.cloudtrail_log_retention_days
+      }
+    }
+  ]
+}
diff --git a/infrastructure/stacks/account_wide/variables.tf b/infrastructure/stacks/account_wide/variables.tf
@@ -327,3 +327,27 @@ variable "performance_ec2_log_group_retention_days" {
   type        = number
   default     = 30
 }
+
+variable "cloudtrail_trail_name" {
+  description = "The name suffix for the S3 data events CloudTrail trail"
+  type        = string
+  default     = "s3-data-events"
+}
+
+variable "cloudtrail_bucket_name" {
+  description = "The name suffix for the S3 bucket used to store CloudTrail logs"
+  type        = string
+  default     = "cloudtrail-logs"
+}
+
+variable "cloudtrail_log_retention_days" {
+  description = "Number of days to retain CloudTrail logs in S3 before expiry"
+  type        = number
+  default     = 365
+}
+
+variable "cloudtrail_bucket_force_destroy" {
+  description = "Whether to allow force-destroying the CloudTrail S3 bucket on stack deletion"
+  type        = bool
+  default     = false
+}

Original file line number	Diff line number	Diff line change
`@@ -24,3 +24,4 @@ single_nat_gateway = true`
`24`	`24`	`one_nat_gateway_per_az = false`
`25`	`25`
`26`	`26`	`regional_waf_log_group_retention_days = 30`
	`27`	`+cloudtrail_log_retention_days = 90`
Original file line number	Diff line number	Diff line change
`@@ -25,3 +25,4 @@ single_nat_gateway = false`
`25`	`25`	`one_nat_gateway_per_az = true`
`26`	`26`
`27`	`27`	`regional_waf_log_group_retention_days = 90`
	`28`	`+cloudtrail_log_retention_days = 365`