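AWSTemplateFormatVersion: 2010-09-09
Description: Logging Buckets for AWS CloudTrail and Config with archiving

Parameters:
  pSupportsGlacier:
    Description: Determines whether this region supports Glacier (passed in from Main template)
    Type: String
    Default: true

Conditions:
  SupportsGlacier: !Equals [ true, !Ref pSupportsGlacier ]

Resources:
  # Receives the S3 server access logs of the Config and CloudTrail buckets below.
  rArchiveLogsBucket:
    Type: AWS::S3::Bucket
    DeletionPolicy: Retain
    Properties:
      # The S3 log delivery group writes access logs via ACL, so ACLs must remain
      # enabled on this bucket; BucketOwnerPreferred keeps the delivered objects
      # owned by this account.
      AccessControl: LogDeliveryWrite
      OwnershipControls:
        Rules:
          - ObjectOwnership: BucketOwnerPreferred
      # No public ACL or public policy is ever needed on a log archive.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      # Encrypt at rest by default (SSE-S3); access-log delivery supports it.
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      LifecycleConfiguration:
        Rules:
          # Current versions move to cold storage after 90 days and expire after
          # ~7 years. With versioning enabled, expiration only adds a delete
          # marker; noncurrent versions are not expired by this rule.
          - Id: Transition90daysRetain7yrs
            Status: Enabled
            ExpirationInDays: 2555
            Transition:
              TransitionInDays: 90
              StorageClass: !If [ SupportsGlacier, GLACIER, STANDARD_IA ]
      VersioningConfiguration:
        Status: Enabled

  rArchiveLogsBucketPolicy:
    Type: AWS::S3::BucketPolicy
    DependsOn: rArchiveLogsBucket
    Properties:
      Bucket: !Ref rArchiveLogsBucket
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          # Applies to the bucket ARN as well as its objects, so bucket-level
          # calls (ListBucket, GetBucketAcl, ...) over plain HTTP are denied too.
          # The bucket's Arn attribute already carries the correct partition.
          - Sid: Enforce HTTPS Connections
            Action: s3:*
            Effect: Deny
            Principal: '*'
            Resource:
              - !GetAtt rArchiveLogsBucket.Arn
              - !Sub '${rArchiveLogsBucket.Arn}/*'
            Condition:
              Bool:
                aws:SecureTransport: false
          # Object-level only; the bucket itself survives stack deletion via
          # DeletionPolicy: Retain.
          - Sid: Restrict Delete* Actions
            Action: s3:Delete*
            Effect: Deny
            Principal: '*'
            Resource: !Sub '${rArchiveLogsBucket.Arn}/*'

  # Delivery target for AWS Config snapshots and history.
  rConfigBucket:
    Type: AWS::S3::Bucket
    DeletionPolicy: Retain
    Properties:
      AccessControl: Private
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      # Matches the DenyUnEncryptedObjectUploads statement below (SSE-S3 only).
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      VersioningConfiguration:
        Status: Enabled
      LoggingConfiguration:
        DestinationBucketName: !Ref rArchiveLogsBucket
        LogFilePrefix: configlogs

  rConfigS3Policy:
    Type: AWS::S3::BucketPolicy
    DependsOn: rConfigBucket
    Properties:
      Bucket: !Ref rConfigBucket
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          # Config verifies bucket ownership before delivering.
          - Sid: AWSConfigAclCheck20150319
            Effect: Allow
            Principal:
              Service: config.amazonaws.com
            Action: s3:GetBucketAcl
            Resource: !GetAtt rConfigBucket.Arn
          # Writes must hand ownership to the bucket owner.
          - Sid: AWSConfigWrite20150319
            Effect: Allow
            Principal:
              Service: config.amazonaws.com
            Action: s3:PutObject
            Resource: !Sub '${rConfigBucket.Arn}/*'
            Condition:
              StringEquals:
                s3:x-amz-acl: bucket-owner-full-control
          # Bucket ARN and objects, so bucket-level calls over HTTP are denied too.
          - Sid: Enforce HTTPS Connections
            Action: s3:*
            Effect: Deny
            Principal: '*'
            Resource:
              - !GetAtt rConfigBucket.Arn
              - !Sub '${rConfigBucket.Arn}/*'
            Condition:
              Bool:
                aws:SecureTransport: false
          - Sid: Restrict Delete* Actions
            Action: s3:Delete*
            Effect: Deny
            Principal: '*'
            Resource: !Sub '${rConfigBucket.Arn}/*'
          # Rejects uploads that do not request SSE-S3 explicitly; this also
          # rejects SSE-KMS (aws:kms) uploads and requests without the header.
          - Sid: DenyUnEncryptedObjectUploads
            Effect: Deny
            Principal: '*'
            Action: s3:PutObject
            Resource: !Sub '${rConfigBucket.Arn}/*'
            Condition:
              StringNotEquals:
                s3:x-amz-server-side-encryption: AES256

  # Delivery target for CloudTrail log files.
  rCloudTrailBucket:
    Type: AWS::S3::Bucket
    DeletionPolicy: Retain
    Properties:
      AccessControl: Private
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      # Matches the DenyUnEncryptedObjectUploads statement below (SSE-S3 only).
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      VersioningConfiguration:
        Status: Enabled
      LoggingConfiguration:
        DestinationBucketName: !Ref rArchiveLogsBucket
        LogFilePrefix: cloudtraillogs

  rCloudTrailS3Policy:
    Type: AWS::S3::BucketPolicy
    DependsOn: rCloudTrailBucket
    Properties:
      Bucket: !Ref rCloudTrailBucket
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          # CloudTrail verifies bucket ownership before delivering.
          - Sid: AWSCloudTrailAclCheck20150319
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: s3:GetBucketAcl
            Resource: !GetAtt rCloudTrailBucket.Arn
          # Writes must hand ownership to the bucket owner.
          - Sid: AWSCloudTrailWrite20150319
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: s3:PutObject
            Resource: !Sub '${rCloudTrailBucket.Arn}/*'
            Condition:
              StringEquals:
                s3:x-amz-acl: bucket-owner-full-control
          # Bucket ARN and objects, so bucket-level calls over HTTP are denied too.
          - Sid: Enforce HTTPS Connections
            Action: s3:*
            Effect: Deny
            Principal: '*'
            Resource:
              - !GetAtt rCloudTrailBucket.Arn
              - !Sub '${rCloudTrailBucket.Arn}/*'
            Condition:
              Bool:
                aws:SecureTransport: false
          - Sid: Restrict Delete* Actions
            Action: s3:Delete*
            Effect: Deny
            Principal: '*'
            Resource: !Sub '${rCloudTrailBucket.Arn}/*'
          # Rejects uploads that do not request SSE-S3 explicitly; this also
          # rejects SSE-KMS (aws:kms) uploads and requests without the header.
          - Sid: DenyUnEncryptedObjectUploads
            Effect: Deny
            Principal: '*'
            Action: s3:PutObject
            Resource: !Sub '${rCloudTrailBucket.Arn}/*'
            Condition:
              StringNotEquals:
                s3:x-amz-server-side-encryption: AES256

Outputs:
  rArchiveLogsBucket:
    Value: !Ref rArchiveLogsBucket
  rConfigBucket:
    Value: !Ref rConfigBucket
  rCloudTrailBucket:
    Value: !Ref rCloudTrailBucket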