AWSTemplateFormatVersion: 2010-09-09
Description: Logging Buckets for AWS CloudTrail and Config with archiving
Parameters:
pSupportsGlacier:
Description: Determines whether this region supports Glacier (passed in from Main template)
Type: String
Default: true
Conditions:
IsGovCloud: !Equals [ us-gov-west-1, !Ref 'AWS::Region' ]
SupportsGlacier: !Equals [ true, !Ref pSupportsGlacier ]
Resources:
rArchiveLogsBucket:
Type: AWS::S3::Bucket
DeletionPolicy: Retain
Properties:
AccessControl: LogDeliveryWrite
LifecycleConfiguration:
Rules:
- Id: Transition90daysRetain7yrs
Status: Enabled
ExpirationInDays: 2555
Transition:
TransitionInDays: 90
StorageClass: !If [ SupportsGlacier, GLACIER, STANDARD_IA ]
VersioningConfiguration:
Status: Enabled
rArchiveLogsBucketPolicy:
Type: AWS::S3::BucketPolicy
DependsOn: rArchiveLogsBucket
Properties:
Bucket: !Ref rArchiveLogsBucket
PolicyDocument:
Statement:
- Sid: Enforce HTTPS Connections
Action: s3:*
Effect: Deny
Principal: '*'
Resource: !Sub
- arn:${Partition}:s3:::${rArchiveLogsBucket}/*
- { Partition: !If [ IsGovCloud, aws-us-gov, aws ] }
Condition:
Bool:
aws:SecureTransport: false
- Sid: Restrict Delete* Actions
Action: s3:Delete*
Effect: Deny
Principal: '*'
Resource: !Sub
- arn:${Partition}:s3:::${rArchiveLogsBucket}/*
- { Partition: !If [ IsGovCloud, aws-us-gov, aws ] }
rConfigBucket:
Type: AWS::S3::Bucket
DeletionPolicy: Retain
Properties:
AccessControl: Private
VersioningConfiguration:
Status: Enabled
LoggingConfiguration:
DestinationBucketName: !Ref rArchiveLogsBucket
LogFilePrefix: configlogs
rConfigS3Policy:
Type: AWS::S3::BucketPolicy
DependsOn: rConfigBucket
Properties:
Bucket: !Ref rConfigBucket
PolicyDocument:
Statement:
- Sid: AWSConfigAclCheck20150319
Effect: Allow
Principal:
Service: config.amazonaws.com
Action: s3:GetBucketAcl
Resource: !Sub
- arn:${Partition}:s3:::${rConfigBucket}
- { Partition: !If [ IsGovCloud, aws-us-gov, aws ] }
- Sid: AWSConfigWrite20150319
Effect: Allow
Principal:
Service: config.amazonaws.com
Action: s3:PutObject
Resource: !Sub
- arn:${Partition}:s3:::${rConfigBucket}/*
- { Partition: !If [ IsGovCloud, aws-us-gov, aws ] }
Condition:
StringEquals:
s3:x-amz-acl: bucket-owner-full-control
- Sid: Enforce HTTPS Connections
Action: s3:*
Effect: Deny
Principal: '*'
Resource: !Sub
- arn:${Partition}:s3:::${rConfigBucket}/*
- { Partition: !If [ IsGovCloud, aws-us-gov, aws ] }
Condition:
Bool:
aws:SecureTransport: false
- Sid: Restrict Delete* Actions
Action: s3:Delete*
Effect: Deny
Principal: '*'
Resource: !Sub
- arn:${Partition}:s3:::${rConfigBucket}/*
- { Partition: !If [ IsGovCloud, aws-us-gov, aws ] }
- Sid: DenyUnEncryptedObjectUploads
Effect: Deny
Principal: '*'
Action: s3:PutObject
Resource: !Sub
- arn:${Partition}:s3:::${rConfigBucket}/*
- { Partition: !If [ IsGovCloud, aws-us-gov, aws ] }
Condition:
StringNotEquals:
s3:x-amz-server-side-encryption: AES256
rCloudTrailBucket:
Type: AWS::S3::Bucket
DeletionPolicy: Retain
Properties:
AccessControl: Private
VersioningConfiguration:
Status: Enabled
LoggingConfiguration:
DestinationBucketName: !Ref rArchiveLogsBucket
LogFilePrefix: cloudtraillogs
rCloudTrailS3Policy:
Type: AWS::S3::BucketPolicy
DependsOn: rCloudTrailBucket
Properties:
Bucket: !Ref rCloudTrailBucket
PolicyDocument:
Statement:
- Sid: AWSCloudTrailAclCheck20150319
Effect: Allow
Principal:
Service: cloudtrail.amazonaws.com
Action: s3:GetBucketAcl
Resource: !Sub
- arn:${Partition}:s3:::${rCloudTrailBucket}
- { Partition: !If [ IsGovCloud, aws-us-gov, aws ] }
- Sid: AWSCloudTrailWrite20150319
Effect: Allow
Principal:
Service: cloudtrail.amazonaws.com
Action: s3:PutObject
Resource: !Sub
- arn:${Partition}:s3:::${rCloudTrailBucket}/*
- { Partition: !If [ IsGovCloud, aws-us-gov, aws ] }
Condition:
StringEquals:
s3:x-amz-acl: bucket-owner-full-control
- Sid: Enforce HTTPS Connections
Action: s3:*
Effect: Deny
Principal: '*'
Resource: !Sub
- arn:${Partition}:s3:::${rCloudTrailBucket}/*
- { Partition: !If [ IsGovCloud, aws-us-gov, aws ] }
Condition:
Bool:
aws:SecureTransport: false
- Sid: Restrict Delete* Actions
Action: s3:Delete*
Effect: Deny
Principal: '*'
Resource: !Sub
- arn:${Partition}:s3:::${rCloudTrailBucket}/*
- { Partition: !If [ IsGovCloud, aws-us-gov, aws ] }
- Sid: DenyUnEncryptedObjectUploads
Effect: Deny
Principal: '*'
Action: s3:PutObject
Resource: !Sub
- arn:${Partition}:s3:::${rCloudTrailBucket}/*
- { Partition: !If [ IsGovCloud, aws-us-gov, aws ] }
Condition:
StringNotEquals:
s3:x-amz-server-side-encryption: AES256
Outputs:
rArchiveLogsBucket:
Value: !Ref rArchiveLogsBucket
rConfigBucket:
Value: !Ref rConfigBucket
rCloudTrailBucket:
Value: !Ref rCloudTrailBucket