fix: enable bucket-enforce-ssl on all buckets (aws-samples#47)

* refactor "Force SSL settings" in the L2 Constructs property
* fix: missing SSL setting leaked in the bucket

README.md

@@ -254,9 +254,9 @@ In addition to setting up a governance base, AWS provides several operational ba
 
 ##### a. Enabling Inspector and Detecting Vaulnerability
 
-Inspector automatically checks vulnerability. You can detect software vulnerability and unintended network exposure with continuous scanning by Inspector. You can view the detected vulnerabilities on your dashboard and prioritize them based on your calculated risk score, giving you greater visibility into your results. When enabled in conjunction with Security Hub, it would be automatically integrated and send the results to Security Hub.
+Inspector checks workload vulnerabilities. It detects software vulnerabilities and unintended network exposure with continuous scanning EC2 and ECR. Detected vulnerabilities are prioritized and displayed based on a calculated risk score, giving you high visibility into the results. It could be automatically integrated with Security Hub and viewed the results centrally.
 
-See: [https://docs.aws.amazon.com/inspector/latest/user/getting_started_tutorial.html]
+Setup steps: [https://docs.aws.amazon.com/inspector/latest/user/getting_started_tutorial.html]
 
 ##### b. Perform AWS Systems Manager Quick Setup for EC2 Management
 

README_ja.md

@@ -252,7 +252,7 @@ npx cdk deploy --all -c environment=dev --profile prof_dev
 
 ##### a. Inspector を有効化
 
-Inspector は、脆弱性を管理します。EC2 とECR を継続的にスキャンして、ソフトウェアの脆弱性や意図しないネットワークのエクスポージャーをを検出します。検出された脆弱性は、算出されたリスクスコアに基づく優先順位により表示され、可視性高く結果を取得することができます。また、Scurity Hub と組み合わせて有効にすることで、自動で統合され Security Hub へ結果を送信します。
+Inspector は、ワークロードをスキャンして、脆弱性を管理します。EC2 とECR を継続的にスキャンすることで、ソフトウェアの脆弱性や意図しないネットワークのエクスポージャーを検出します。検出された脆弱性は、算出されたリスクスコアに基づき優先順位づけされて表示されるため、可視性高く結果を取得できます。また、Scurity Hub とは自動で統合され、一元的に検出結果を確認できます。
 
 セットアップ手順：[https://docs.aws.amazon.com/inspector/latest/user/getting_started_tutorial.html]
 

doc/DeployToControlTower.md

@@ -66,7 +66,7 @@ See: [https://docs.aws.amazon.com/controltower/latest/userguide/setting-up.html]
 #### 1-4. Set up Inspector
 
 Designating a delegated administrator
-- [https://docs.aws.amazon.com/inspector/latest/user/designating-admin.html#delegated-admin-proc]
+- [https://docs.aws.amazon.com/inspector/latest/user/designating-admin.html]
 
 Enabling scans for member accounts
 - [https://docs.aws.amazon.com/inspector/latest/user/adding-member-accounts.html]
@@ -415,7 +415,13 @@ The following settings that were set up in the Standalone version are configured
 Besides setting up on a governance basis
 AWS provides several operational baseline services. Set up these services as needed.
 
-##### a. Perform AWS Systems Manager Quick Setup for EC2 Management
+##### a. Enabling Inspector and Detecting Vaulnerability
+
+Inspector checks workload vulnerabilities. It detects software vulnerabilities and unintended network exposure with continuous scanning EC2 and ECR. Detected vulnerabilities are prioritized and displayed based on a calculated risk score, giving you high visibility into the results. It could be automatically integrated with Security Hub and viewed the results centrally.
+
+Setup steps: [https://docs.aws.amazon.com/inspector/latest/user/getting_started_tutorial.html]
+
+##### b. Perform AWS Systems Manager Quick Setup for EC2 Management
 
 If you use EC2, we recommend that you use SystemsManager to manage it. You can use AWS Systems Manager Quick Setup to automate the basic setup required to manage EC2.
 Setup steps: [https://docs.aws.amazon.com/systems-manager/latest/userguide/quick-setup-host-management.html]
@@ -429,7 +435,7 @@ Quick Setup provides the following features:
 - Installing and configuring Amazon CloudWatch Agent for the first time only
 - Monthly automatic updates of the CloudWatch agent
 
-##### b. Trusted Advisor Detection Results Report
+##### c. Trusted Advisor Detection Results Report
 
 TrustedAdvisor provides advice for following AWS best practices. It is possible to receive the contents of the report regularly by e-mail. Please refer to the following document for details.
 

doc/DeployToControlTower_ja.md

@@ -66,7 +66,8 @@ See: [https://docs.aws.amazon.com/controltower/latest/userguide/setting-up.html]
 #### 1-4. Inspector のセットアップ
 
 委任された管理者権限の指定
-- [https://docs.aws.amazon.com/inspector/latest/user/designating-admin.html#delegated-admin-proc]
+- [https://docs.aws.amazon.com/ja_jp/inspector/latest/user/designating-admin.html]
+
 メンバーアカウントでの有効化
 - [https://docs.aws.amazon.com/inspector/latest/user/adding-member-accounts.html]
 
@@ -223,6 +224,11 @@ AWS Chatbot のセットアップのみマネジメントコンソールで行
 >
 > AWS Config の通知が不要である場合はこのベースラインは設定しなくても構いません。他のアカウントの挙動には影響しません。
 
+> NOTE:
+>
+> Amazon Inspector の検出結果は Slack に通知されません。AWS Security Hub から結果を確認できます。
+
+
 #### 5-1. AWS Chatbot 用の Slack セットアップ
 
 Audit account にマネジメントコンソールでログインして、 AWS Chatbot に Slack Workspace をセットアップします。ここでは Aggregation 用の 1 つだけを作成します。以下の手順を参照してください。
@@ -412,7 +418,13 @@ Standalone 版でセットアップされていた以下の内容は ControlTowe
 ガバナンスベースでセットアップする他に
 AWS はいくつかの運用上のベースラインサービスを提供しています。必要に応じてこれらのサービスのセットアップを行なってください。
 
-##### a. EC2 管理のため AWS Systems Manager Quick Setup を実施する
+##### a. Inspector を有効化
+
+Inspector は、ワークロードをスキャンして、脆弱性を管理します。EC2 とECR を継続的にスキャンすることで、ソフトウェアの脆弱性や意図しないネットワークのエクスポージャーを検出します。検出された脆弱性は、算出されたリスクスコアに基づき優先順位づけされて表示されるため、可視性高く結果を取得できます。また、Scurity Hub とは自動で統合され、一元的に検出結果を確認できます。
+
+セットアップ手順：[https://docs.aws.amazon.com/inspector/latest/user/getting_started_tutorial.html]
+
+##### b. EC2 管理のため AWS Systems Manager Quick Setup を実施する
 
 EC2 を利用する場合は SystemsManager を利用して管理することをお勧めします。AWS Systems Manager Quick Setup を使うことで、EC2 の管理に必要な基本的なセットアップを自動化できます。
 セットアップ手順: [https://docs.aws.amazon.com/systems-manager/latest/userguide/quick-setup-host-management.html]
@@ -426,7 +438,7 @@ Quick Setup は以下の機能を提供します:
 - 初回のみの、Amazon CloudWatch agent のインストールと設定
 - CloudWatch agent の月次自動アップデート
 
-##### b. Trusted Advisor の検知結果レポート
+##### c. Trusted Advisor の検知結果レポート
 
 TrustedAdvisor は AWS のベストプラクティスをフォローするためのアドバイスを提供します。レポート内容を定期的にメールで受け取ることが可能です。詳細は下記ドキュメントを参照してください。
 

usecases/base-standalone/lib/blea-config-stack.ts

@@ -27,6 +27,7 @@ export class BLEAConfigStack extends cdk.Stack {
       versioned: true,
       removalPolicy: cdk.RemovalPolicy.RETAIN,
       encryption: s3.BucketEncryption.S3_MANAGED,
+      enforceSSL: true,
     });
 
     // Attaches the AWSConfigBucketPermissionsCheck policy statement.

usecases/base-standalone/lib/blea-trail-stack.ts

@@ -19,6 +19,7 @@ export class BLEATrailStack extends cdk.Stack {
       versioned: true,
       encryption: s3.BucketEncryption.S3_MANAGED,
       removalPolicy: cdk.RemovalPolicy.RETAIN,
+      enforceSSL: true,
       lifecycleRules: [
         {
           enabled: true,
@@ -42,6 +43,7 @@ export class BLEATrailStack extends cdk.Stack {
       serverAccessLogsBucket: archiveLogsBucket,
       serverAccessLogsPrefix: 'cloudtraillogs',
       removalPolicy: cdk.RemovalPolicy.RETAIN,
+      enforceSSL: true,
     });
     this.addBaseBucketPolicy(cloudTrailBucket);
 
@@ -118,21 +120,6 @@ export class BLEATrailStack extends cdk.Stack {
 
   // Add base BucketPolicy for CloudTrail
   addBaseBucketPolicy(bucket: s3.Bucket): void {
-    bucket.addToResourcePolicy(
-      new iam.PolicyStatement({
-        sid: 'Enforce HTTPS Connections',
-        effect: iam.Effect.DENY,
-        actions: ['s3:*'],
-        principals: [new iam.AnyPrincipal()],
-        resources: [bucket.arnForObjects('*')],
-        conditions: {
-          Bool: {
-            'aws:SecureTransport': false,
-          },
-        },
-      }),
-    );
-
     bucket.addToResourcePolicy(
       new iam.PolicyStatement({
         sid: 'Restrict Delete* Actions',

usecases/base-standalone/test/__snapshots__/blea-base-sa.test.ts.snap

@@ -168,28 +168,35 @@ Object {
               "Action": "s3:*",
               "Condition": Object {
                 "Bool": Object {
-                  "aws:SecureTransport": false,
+                  "aws:SecureTransport": "false",
                 },
               },
               "Effect": "Deny",
               "Principal": Object {
                 "AWS": "*",
               },
-              "Resource": Object {
-                "Fn::Join": Array [
-                  "",
-                  Array [
-                    Object {
-                      "Fn::GetAtt": Array [
-                        "ArchiveLogsBucketBC7EE643",
-                        "Arn",
-                      ],
-                    },
-                    "/*",
+              "Resource": Array [
+                Object {
+                  "Fn::GetAtt": Array [
+                    "ArchiveLogsBucketBC7EE643",
+                    "Arn",
                   ],
-                ],
-              },
-              "Sid": "Enforce HTTPS Connections",
+                },
+                Object {
+                  "Fn::Join": Array [
+                    "",
+                    Array [
+                      Object {
+                        "Fn::GetAtt": Array [
+                          "ArchiveLogsBucketBC7EE643",
+                          "Arn",
+                        ],
+                      },
+                      "/*",
+                    ],
+                  ],
+                },
+              ],
             },
             Object {
               "Action": "s3:Delete*",
@@ -289,28 +296,35 @@ Object {
               "Action": "s3:*",
               "Condition": Object {
                 "Bool": Object {
-                  "aws:SecureTransport": false,
+                  "aws:SecureTransport": "false",
                 },
               },
               "Effect": "Deny",
               "Principal": Object {
                 "AWS": "*",
               },
-              "Resource": Object {
-                "Fn::Join": Array [
-                  "",
-                  Array [
-                    Object {
-                      "Fn::GetAtt": Array [
-                        "CloudTrailBucket98B0BFE1",
-                        "Arn",
-                      ],
-                    },
-                    "/*",
+              "Resource": Array [
+                Object {
+                  "Fn::GetAtt": Array [
+                    "CloudTrailBucket98B0BFE1",
+                    "Arn",
                   ],
-                ],
-              },
-              "Sid": "Enforce HTTPS Connections",
+                },
+                Object {
+                  "Fn::Join": Array [
+                    "",
+                    Array [
+                      Object {
+                        "Fn::GetAtt": Array [
+                          "CloudTrailBucket98B0BFE1",
+                          "Arn",
+                        ],
+                      },
+                      "/*",
+                    ],
+                  ],
+                },
+              ],
             },
             Object {
               "Action": "s3:Delete*",
@@ -1123,6 +1137,40 @@ Object {
         },
         "PolicyDocument": Object {
           "Statement": Array [
+            Object {
+              "Action": "s3:*",
+              "Condition": Object {
+                "Bool": Object {
+                  "aws:SecureTransport": "false",
+                },
+              },
+              "Effect": "Deny",
+              "Principal": Object {
+                "AWS": "*",
+              },
+              "Resource": Array [
+                Object {
+                  "Fn::GetAtt": Array [
+                    "ConfigBucket2112C5EC",
+                    "Arn",
+                  ],
+                },
+                Object {
+                  "Fn::Join": Array [
+                    "",
+                    Array [
+                      Object {
+                        "Fn::GetAtt": Array [
+                          "ConfigBucket2112C5EC",
+                          "Arn",
+                        ],
+                      },
+                      "/*",
+                    ],
+                  ],
+                },
+              ],
+            },
             Object {
               "Action": "s3:GetBucketAcl",
               "Effect": "Allow",

usecases/guest-webapp-sample/lib/blea-vpc-stack.ts

@@ -63,6 +63,7 @@ export class BLEAVpcStack extends cdk.Stack {
       encryption: s3.BucketEncryption.KMS,
       blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL,
       removalPolicy: cdk.RemovalPolicy.RETAIN,
+      enforceSSL: true,
     });
 
     myVpc.addFlowLog('FlowLogs', {

usecases/guest-webapp-sample/test/__snapshots__/blea-guest-asgapp-sample.test.ts.snap

@@ -419,6 +419,53 @@ Object {
       "Type": "AWS::S3::Bucket",
       "UpdateReplacePolicy": "Retain",
     },
+    "FlowLogBucketPolicyD22C263C": Object {
+      "Properties": Object {
+        "Bucket": Object {
+          "Ref": "FlowLogBucket0863ACCA",
+        },
+        "PolicyDocument": Object {
+          "Statement": Array [
+            Object {
+              "Action": "s3:*",
+              "Condition": Object {
+                "Bool": Object {
+                  "aws:SecureTransport": "false",
+                },
+              },
+              "Effect": "Deny",
+              "Principal": Object {
+                "AWS": "*",
+              },
+              "Resource": Array [
+                Object {
+                  "Fn::GetAtt": Array [
+                    "FlowLogBucket0863ACCA",
+                    "Arn",
+                  ],
+                },
+                Object {
+                  "Fn::Join": Array [
+                    "",
+                    Array [
+                      Object {
+                        "Fn::GetAtt": Array [
+                          "FlowLogBucket0863ACCA",
+                          "Arn",
+                        ],
+                      },
+                      "/*",
+                    ],
+                  ],
+                },
+              ],
+            },
+          ],
+          "Version": "2012-10-17",
+        },
+      },
+      "Type": "AWS::S3::BucketPolicy",
+    },
     "Key961B73FD": Object {
       "DeletionPolicy": "Retain",
       "Properties": Object {