ホーム エクスプローラ ヘルプ
サインイン
bat9go
/
Ycsecurity
同期ミラー https://github.com/yandex-cloud/yc-solution-library-for-security
Watch 1
Star 0
Fork 0
ファイル 課題 0 Wiki
ブランチ: add-opensearch-solution
ブランチ タグ
Ycsecurity
/
configuration
/
hardening_bucket
/
README.md

README.md 2.7 KB
パーマリンク 履歴 Raw

Example of a secure configuration for Yandex Cloud Object Storage: Terraform

Solution diagram

Diagram

Description

Terraform script performs the following:

  • :white_check_mark: Creates a Bucket.
  • :white_check_mark: Enables (IAM access control, BucketPolicy) for groups: administrators, read-only, write-only.
  • :white_check_mark: Enables versioning and life cycle to store the current file versions for 365 days, and non-current file versions (deleted or updated) for 150 days.
  • :white_check_mark: Enables logging actions on the Bucket in a separate Bucket.
  • :white_check_mark: Enables Server-Side object encryption in the Bucket.

Terraform details

The solution accepts the following input:

  • A list of administrator accounts: all-access-users.
  • A list of service accounts requiring read rights: read-only-sa.
  • A list of service accounts that require write rights: write-only-sa.

Functionality:

  • Create an SA with Storage Admin rights to create a Bucket.
  • Create a KMS key for encryption.
  • Assign rights to accounts to work with KMS keys.
  • Assign IAM rights to accounts to work with a Bucket.
  • Create a separate Bucket for actions logging.
  • Create the main Bucket.
  • Apply the BucketPolicy.
  • Enable versioning and lifecycle.
  • Enable logging.
  • Enable encryption.

Example of filling out variables:

variable "token" {
  description = "Yandex.Cloud security OAuth token"
  default     = "key.json" # generate yours: https://cloud.yandex.ru/docs/iam/concepts/authorization/OAuth-token
}

variable "folder_id" {
  description = "Yandex.Cloud Folder ID where resources will be created"
  default     = "xxxxxx" # yc config get folder-id
}

variable "cloud_id" {
  description = "Yandex.Cloud ID where resources will be created"
  default     = "xxxxxx" #yc config get cloud-id
}

variable "all-access-users" {
  description = ""
  default = ["federatedUser:ajesnkfkxxxxxxxxxxxx", "federatedUser:ajeurmedxxxxxxxxxxxx"]

}

variable "read-only-sa" {
  description = ""
  default = ["serviceAccount:ajeph8f8xxxxxxxxxxxx", "serviceAccount:aje066slxxxxxxxxxxxx"]

}

variable "write-only-sa" {
  description = "sa"
  default = ["serviceAccount:ajem3ef7xxxxxxxxxxxx", "serviceAccount:aje1ngf4xxxxxxxxxxxx"]

}