Deny audit-trail tampering (CloudTrail, Config, GuardDuty, SecurityHub, S3, KMS)

[royosherove]

Closes the audit-trail tampering gap: under PowerUserAccess the agent could call cloudtrail:StopLogging, DeleteTrail, etc., blinding the very audit mechanism the design relies on.

What changed

Policy expansion — 11 deny statements, 132 deny actions:

• DenyCloudTrailTampering (14) — Stop/Delete/Update trails, event-data-stores, channels, selectors, resource policies; also Create* to block "stand up a competing trail" evasion
• DenyAuditServiceTampering (30) — Config/GuardDuty/SecurityHub recorders, members, filters, finding triage. Documented as intentional broad deny (triage = human/SOC task)
• DenyTrailStorageTampering (21) — trail S3 bucket: delete, policy/ACL/PAB/ownership, encryption, versioning, logging, lifecycle, replication, object-lock, notification redirect, website, object retention/legal-hold, governance bypass, PutObject (corrupt existing logs)
• DenyTrailKmsTampering (12) — trail CMK: ScheduleKeyDeletion, DisableKey, PutKeyPolicy, grants, alias retargeting, PutResourcePolicy, key-material import
• DenyRoleManagementOutsideAgentPath extended (+4) — iam:TagRole/UntagRole/UpdateRole/UpdateRoleDescription for defense-in-depth parity with DenySelfEscalation
• DenySelfEscalation extended (+6) — closes the self-mutation hole opened by adding path = var.iam_path to the agent role

Terraform module mirrors all 4 new statements via concat() over named locals; conditional inclusion gated on trail_bucket_name / trail_kms_key_arn vars.

Quality gates

• Fail-closed precondition — if both trail vars are null and trail_protection_acknowledged != true, plan/apply errors with a clear message
• Variable validation — full KMS ARN (UUID or MRK) regex; bare S3 bucket-name regex (rejects ARNs, uppercase, underscores, double-dots, IP-format); IAM role/policy name regex; IAM path regex (rejects empty, / root, double-slash); strict KMS ARN format with multi-region key support
• CI workflow (.github/workflows/lint.yml) — JSON parse, substitution round-trip lint, terraform fmt/validate, per-Sid Action/NotAction parity check across all 3 policies (deny-guardrails, iam-scoped, permissions-boundary). Caught real Sid drift during development (AllowInstanceProfileManagement vs AllowInstanceProfileManagementUnderAgentPath).

Repo cleanup

• Moved terraform/example.tf → terraform/examples/downstream-consumer.tf (was causing Duplicate variable declaration and breaking terraform validate)
• Added .gitignore (was missing entirely)
• LICENSE → Apache-2.0 in README (was MIT, mismatch with LICENSE file)
• Replaced 200+ lines of stale inline JSON in policy-design.md with Sid-summary tables linking to canonical sources
• README repo-structure tree updated; placeholder table simplified; substitution helper hardened against ordering footguns

Breaking changes

• aws_iam_role.agent and aws_iam_instance_profile.agent now set path = var.iam_path (default /loki/). Existing deployments will recreate role + profile on apply, changing the role ARN. New deployments are unaffected. Required so the JSON template's role/IAM_PATHAGENT_ROLE_NAME placeholder matches the actual role ARN.

Partition support

Hardcoded to aws (commercial regions). GovCloud / China not supported. TODO marker in terraform/main.tf documents the 3 lock-in sites if/when partition support is added.

Review trail

8 automated review loops + 2 architect reviews + 7 amendments. Final state: zero findings on both reviewers' last pass.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e18b70de79

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Deny administrator-account disassociation APIs

DenyAuditServiceTampering blocks only the deprecated *DisassociateFromMasterAccount actions, but not guardduty:DisassociateFromAdministratorAccount / securityhub:DisassociateFromAdministratorAccount. With PowerUserAccess still attached, the agent can use the newer APIs to detach from delegated administrators and bypass the intended centralized GuardDuty/Security Hub audit controls.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Cover service-linked AWS Config recorder tampering

The Config deny list blocks only customer-managed recorder mutations (DeleteConfigurationRecorder, PutConfigurationRecorder), but omits service-linked recorder APIs like config:DeleteServiceLinkedConfigurationRecorder and config:PutServiceLinkedConfigurationRecorder. In accounts that use service-linked recorders, the agent can still disable or replace recording despite this guardrail.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 4d05d4d713

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Use valid KMS actions in DenyTrailKmsTampering

DenyTrailKmsTampering includes kms:PutResourcePolicy and kms:DeleteResourcePolicy, but AWS KMS does not define those IAM actions (KMS policy management is kms:PutKeyPolicy). When trail_kms_key_arn is set, this makes the inline IAM policy invalid and aws_iam_role_policy.deny_guardrails creation/update fails with a malformed/invalid action error, so the guardrail cannot be deployed at all.

Useful? React with 👍 / 👎.