AWSTemplateFormatVersion: 2010-09-09
Description: Logging Buckets for AWS CloudTrail and Config with archiving
Parameters:
    pSupportsGlacier:
        Description: Determines whether this region supports Glacier (passed in from Main template)
        Type: String
        Default: true
Conditions:
    IsGovCloud: !Equals [ us-gov-west-1, !Ref 'AWS::Region' ]
    SupportsGlacier: !Equals [ true, !Ref pSupportsGlacier ]
Resources:
    rArchiveLogsBucket:
        Type: AWS::S3::Bucket
        DeletionPolicy: Retain
        Properties:
            AccessControl: LogDeliveryWrite
            LifecycleConfiguration:
                Rules:
                  - Id: Transition90daysRetain7yrs
                    Status: Enabled
                    ExpirationInDays: 2555
                    Transition:
                        TransitionInDays: 90
                        StorageClass: !If [ SupportsGlacier, GLACIER, STANDARD_IA ]
            VersioningConfiguration:
                Status: Enabled
    rArchiveLogsBucketPolicy:
        Type: AWS::S3::BucketPolicy
        DependsOn: rArchiveLogsBucket
        Properties:
            Bucket: !Ref rArchiveLogsBucket
            PolicyDocument:
                Statement:
                  - Sid: Enforce HTTPS Connections
                    Action: s3:*
                    Effect: Deny
                    Principal: '*'
                    Resource: !Sub
                      - arn:${Partition}:s3:::${rArchiveLogsBucket}/*
                      - { Partition: !If [ IsGovCloud, aws-us-gov, aws ] }
                    Condition:
                        Bool:
                            aws:SecureTransport: false
                  - Sid: Restrict Delete* Actions
                    Action: s3:Delete*
                    Effect: Deny
                    Principal: '*'
                    Resource: !Sub
                      - arn:${Partition}:s3:::${rArchiveLogsBucket}/*
                      - { Partition: !If [ IsGovCloud, aws-us-gov, aws ] }
    rConfigBucket:
        Type: AWS::S3::Bucket
        DeletionPolicy: Retain
        Properties:
            AccessControl: Private
            VersioningConfiguration:
                Status: Enabled
            LoggingConfiguration:
                DestinationBucketName: !Ref rArchiveLogsBucket
                LogFilePrefix: configlogs
    rConfigS3Policy:
        Type: AWS::S3::BucketPolicy
        DependsOn: rConfigBucket
        Properties:
            Bucket: !Ref rConfigBucket
            PolicyDocument:
                Statement:
                  - Sid: AWSConfigAclCheck20150319
                    Effect: Allow
                    Principal:
                        Service: config.amazonaws.com
                    Action: s3:GetBucketAcl
                    Resource: !Sub
                      - arn:${Partition}:s3:::${rConfigBucket}
                      - { Partition: !If [ IsGovCloud, aws-us-gov, aws ] }
                  - Sid: AWSConfigWrite20150319
                    Effect: Allow
                    Principal:
                        Service: config.amazonaws.com
                    Action: s3:PutObject
                    Resource: !Sub
                      - arn:${Partition}:s3:::${rConfigBucket}/*
                      - { Partition: !If [ IsGovCloud, aws-us-gov, aws ] }
                    Condition:
                        StringEquals:
                            s3:x-amz-acl: bucket-owner-full-control
                  - Sid: Enforce HTTPS Connections
                    Action: s3:*
                    Effect: Deny
                    Principal: '*'
                    Resource: !Sub
                      - arn:${Partition}:s3:::${rConfigBucket}/*
                      - { Partition: !If [ IsGovCloud, aws-us-gov, aws ] }
                    Condition:
                        Bool:
                            aws:SecureTransport: false
                  - Sid: Restrict Delete* Actions
                    Action: s3:Delete*
                    Effect: Deny
                    Principal: '*'
                    Resource: !Sub
                      - arn:${Partition}:s3:::${rConfigBucket}/*
                      - { Partition: !If [ IsGovCloud, aws-us-gov, aws ] }
                  - Sid: DenyUnEncryptedObjectUploads
                    Effect: Deny
                    Principal: '*'
                    Action: s3:PutObject
                    Resource: !Sub
                      - arn:${Partition}:s3:::${rConfigBucket}/*
                      - { Partition: !If [ IsGovCloud, aws-us-gov, aws ] }
                    Condition:
                        StringNotEquals:
                            s3:x-amz-server-side-encryption: AES256
    rCloudTrailBucket:
        Type: AWS::S3::Bucket
        DeletionPolicy: Retain
        Properties:
            AccessControl: Private
            VersioningConfiguration:
                Status: Enabled
            LoggingConfiguration:
                DestinationBucketName: !Ref rArchiveLogsBucket
                LogFilePrefix: cloudtraillogs
    rCloudTrailS3Policy:
        Type: AWS::S3::BucketPolicy
        DependsOn: rCloudTrailBucket
        Properties:
            Bucket: !Ref rCloudTrailBucket
            PolicyDocument:
                Statement:
                  - Sid: AWSCloudTrailAclCheck20150319
                    Effect: Allow
                    Principal:
                        Service: cloudtrail.amazonaws.com
                    Action: s3:GetBucketAcl
                    Resource: !Sub
                      - arn:${Partition}:s3:::${rCloudTrailBucket}
                      - { Partition: !If [ IsGovCloud, aws-us-gov, aws ] }
                  - Sid: AWSCloudTrailWrite20150319
                    Effect: Allow
                    Principal:
                        Service: cloudtrail.amazonaws.com
                    Action: s3:PutObject
                    Resource: !Sub
                      - arn:${Partition}:s3:::${rCloudTrailBucket}/*
                      - { Partition: !If [ IsGovCloud, aws-us-gov, aws ] }
                    Condition:
                        StringEquals:
                            s3:x-amz-acl: bucket-owner-full-control
                  - Sid: Enforce HTTPS Connections
                    Action: s3:*
                    Effect: Deny
                    Principal: '*'
                    Resource: !Sub
                      - arn:${Partition}:s3:::${rCloudTrailBucket}/*
                      - { Partition: !If [ IsGovCloud, aws-us-gov, aws ] }
                    Condition:
                        Bool:
                            aws:SecureTransport: false
                  - Sid: Restrict Delete* Actions
                    Action: s3:Delete*
                    Effect: Deny
                    Principal: '*'
                    Resource: !Sub
                      - arn:${Partition}:s3:::${rCloudTrailBucket}/*
                      - { Partition: !If [ IsGovCloud, aws-us-gov, aws ] }
                  - Sid: DenyUnEncryptedObjectUploads
                    Effect: Deny
                    Principal: '*'
                    Action: s3:PutObject
                    Resource: !Sub
                      - arn:${Partition}:s3:::${rCloudTrailBucket}/*
                      - { Partition: !If [ IsGovCloud, aws-us-gov, aws ] }
                    Condition:
                        StringNotEquals:
                            s3:x-amz-server-side-encryption: AES256
Outputs:
    rArchiveLogsBucket:
        Value: !Ref rArchiveLogsBucket
    rConfigBucket:
        Value: !Ref rConfigBucket
    rCloudTrailBucket:
        Value: !Ref rCloudTrailBucket