# Copyright 2018 Amazon.com, Inc. or its affiliates. All Rights Reserved. # SPDX-License-Identifier: MIT-0 AWSTemplateFormatVersion: 2010-09-09 Description: Set up roles, logs destination, kinesis and delivery stream for centralizing logs to S3 in centralized logging account Parameters: LoggingS3Bucket: Description: ARN of the S3 Logging bucket to write to. MaxLength: 250 MinLength: 1 Type: String Resources: # IAM Roles CWLtoFirehoseRole: Type: 'AWS::IAM::Role' Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Sid: '' Effect: Allow Principal: Service: - logs.eu-north-1.amazonaws.com - logs.ap-south-1.amazonaws.com - logs.eu-west-3.amazonaws.com - logs.eu-west-2.amazonaws.com - logs.eu-west-1.amazonaws.com - logs.ap-northeast-3.amazonaws.com - logs.ap-northeast-2.amazonaws.com - logs.ap-northeast-1.amazonaws.com - logs.sa-east-1.amazonaws.com - logs.ca-central-1.amazonaws.com - logs.ap-southeast-1.amazonaws.com - logs.ap-southeast-2.amazonaws.com - logs.eu-central-1.amazonaws.com - logs.us-east-1.amazonaws.com - logs.us-east-2.amazonaws.com - logs.us-west-1.amazonaws.com - logs.us-west-2.amazonaws.com Action: 'sts:AssumeRole' Path: '/' CWLtoFirehosePolicy: Type: 'AWS::IAM::Policy' Properties: PolicyName: CWL_to_Kinesis_Policy PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - 'firehose:PutRecord' Resource: - !GetAtt 'FirehoseLoggingDeliveryStream.Arn' - Effect: Allow Action: - 'iam:PassRole' Resource: - !GetAtt 'CWLtoFirehoseRole.Arn' Roles: - !Ref CWLtoFirehoseRole FirehoseDeliveryRole: Type: 'AWS::IAM::Role' Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Sid: '' Effect: Allow Principal: Service: firehose.amazonaws.com Action: 'sts:AssumeRole' Condition: StringEquals: 'sts:ExternalId': !Ref 'AWS::AccountId' FirehoseDeliveryPolicy: Type: 'AWS::IAM::Policy' Properties: PolicyName: Firehose_Delivery_Policy PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - 's3:AbortMultipartUpload' - 's3:GetBucketLocation' - 's3:GetObject' - 's3:ListBucket' - 's3:ListBucketMultipartUploads' - 's3:PutObject' Resource: - !Ref LoggingS3Bucket - !Join - '' - - !Ref LoggingS3Bucket - '*' Roles: - !Ref FirehoseDeliveryRole # Log Destination LogDestination: Type: AWS::Logs::Destination DependsOn: - FirehoseLoggingDeliveryStream - CWLtoFirehoseRole - CWLtoFirehosePolicy Properties: DestinationName: CentralLogDestination RoleArn: !GetAtt 'CWLtoFirehoseRole.Arn' TargetArn: !GetAtt 'FirehoseLoggingDeliveryStream.Arn' DestinationPolicy: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"\",\"\",\"\",\"\",\"\"]},\"Action\":\"logs:PutSubscriptionFilter\",\"Resource\":\"arn:aws:logs:::destination:CentralLogDestination\"}]}" # Firehose FirehoseLoggingDeliveryStream: Type: 'AWS::KinesisFirehose::DeliveryStream' DependsOn: - FirehoseDeliveryRole - FirehoseDeliveryPolicy Properties: DeliveryStreamName: 'Centralized-Logging-Delivery-Stream' DeliveryStreamType: DirectPut S3DestinationConfiguration: BucketARN: !Ref LoggingS3Bucket BufferingHints: IntervalInSeconds: '300' SizeInMBs: '50' CompressionFormat: UNCOMPRESSED Prefix: 'CentralizedAccountLogs/' RoleARN: !GetAtt 'FirehoseDeliveryRole.Arn' Outputs: DestinationArnExport: Description: ARN for the LogDestination Export: Name: LogDestinationArn Value: !GetAtt 'LogDestination.Arn'