AWSTemplateFormatVersion: '2010-09-09' Description: VPC Flow & Instance Logs Baseline Mappings: FilterPatternLookup: CloudTrail: Pattern: '' Common: Pattern: '[host, ident, authuser, date, request, status, bytes, referrer, agent]' FlowLogs: Pattern: '[version, account_id, interface_id, srcaddr != "-", dstaddr != "-", srcport != "-", dstport != "-", protocol, packets, bytes, start, end, action, log_status]' Lambda: Pattern: '[timestamp=*Z, request_id="*-*", event]' Other: Pattern: '' SpaceDelimited: Pattern: '[]' Outputs: InstanceLogGroup: Description: Instance CloudWatch Log Group Value: Ref: InstanceLogGroup InstanceLogRole: Description: Instance Log Role Value: Ref: InstanceLogRole VPCFlowLogsLogGroup: Description: VPC Flow Log Group Value: Ref: VPCFlowLogsLogGroup 2ndVPCFlowLogsLogGroup: Condition: 2VPCCondition Description: 2nd VPC Flow Log Group Value: Ref: VPCFlowLogs2ndLogGroup 3rdVPCFlowLogsLogGroup: Condition: 3VPCCondition Description: 3rd VPC Flow Log Group Value: Ref: VPCFlowLogs3rdLogGroup 4thVPCFlowLogsLogGroup: Condition: 4VPCCondition Description: 4th VPC Flow Log Group Value: Ref: VPCFlowLogs4thLogGroup Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: default: Mandatory Configuration Parameters: - Endpoint - MainVPCId - Label: default: Optional Configuration Parameters: - 2ndVPCID - 3rdVPCID - 4thVPCID ParameterLabels: Endpoint: default: ElasticSearch Endpoint Address MainVPCId: default: Main VPC ID 2ndVPCID: default: 2nd VPC ID 3rdVPCID: default: 3rd VPC ID 4thVPCID: default: 4th VPC ID Parameters: Endpoint: Description: Existing AWS ElasticSearch Domain Endpoint in the central account Type: String MinLength: 40 MainVPCId: Description: Select the VPC to which VPC Flow logs needs to be enabled Type: AWS::EC2::VPC::Id 2ndVPCID: Description: "Optional: Enter the ID of 2nd VPC to which VPC Flow logs needs to be enabled" Type: String 3rdVPCID: Description: "Optional: Enter the ID of 3rd VPC to which VPC Flow logs needs to be enabled" Type: String 4thVPCID: Description: "Optional: Enter the ID of 4th VPC to which VPC Flow logs needs to be enabled" Type: String Conditions: 2VPCCondition: Fn::Not: - Fn::Equals: - Ref: 2ndVPCID - '' 3VPCCondition: Fn::Not: - Fn::Equals: - Ref: 3rdVPCID - '' 4VPCCondition: Fn::Not: - Fn::Equals: - Ref: 4thVPCID - '' Resources: InstanceLogGroup: Properties: RetentionInDays: 7 Type: AWS::Logs::LogGroup InstanceLogRole: Properties: AssumeRolePolicyDocument: Statement: - Action: - sts:AssumeRole Effect: Allow Principal: Service: - ec2.amazonaws.com Version: '2012-10-17' Path: / Policies: - PolicyDocument: Statement: - Action: - logs:Create* - logs:PutLogEvents - s3:GetObject Effect: Allow Resource: - arn:aws:logs:*:*:* - arn:aws:s3:::* Version: '2012-10-17' PolicyName: LogRolePolicy Type: AWS::IAM::Role InstanceLogRoleInstanceProfile: Properties: Path: / Roles: - Ref: InstanceLogRole Type: AWS::IAM::InstanceProfile LambdaInvokePermission: Properties: Action: lambda:InvokeFunction FunctionName: Ref: LogStreamer Principal: Fn::Join: - '' - - logs. - Ref: AWS::Region - .amazonaws.com SourceAccount: Ref: AWS::AccountId Type: AWS::Lambda::Permission LogGrouptoLambdaMappingCloudwatchAgent: DependsOn: LambdaInvokePermission Properties: DestinationArn: Fn::GetAtt: - LogStreamer - Arn FilterPattern: Fn::FindInMap: - FilterPatternLookup - Common - Pattern LogGroupName: Ref: InstanceLogGroup Type: AWS::Logs::SubscriptionFilter LogGrouptoLambdaMappingFlowLogs: DependsOn: LambdaInvokePermission Properties: DestinationArn: Fn::GetAtt: - LogStreamer - Arn FilterPattern: Fn::FindInMap: - FilterPatternLookup - FlowLogs - Pattern LogGroupName: Ref: VPCFlowLogsLogGroup Type: AWS::Logs::SubscriptionFilter LogGrouptoLambdaMappingFlowLogs2: Condition: 2VPCCondition DependsOn: LambdaInvokePermission Properties: DestinationArn: Fn::GetAtt: - LogStreamer - Arn FilterPattern: Fn::FindInMap: - FilterPatternLookup - FlowLogs - Pattern LogGroupName: Ref: VPCFlowLogs2ndLogGroup Type: AWS::Logs::SubscriptionFilter LogGrouptoLambdaMappingFlowLogs3: Condition: 3VPCCondition DependsOn: LambdaInvokePermission Properties: DestinationArn: Fn::GetAtt: - LogStreamer - Arn FilterPattern: Fn::FindInMap: - FilterPatternLookup - FlowLogs - Pattern LogGroupName: Ref: VPCFlowLogs3rdLogGroup Type: AWS::Logs::SubscriptionFilter LogGrouptoLambdaMappingFlowLogs4: Condition: 4VPCCondition DependsOn: LambdaInvokePermission Properties: DestinationArn: Fn::GetAtt: - LogStreamer - Arn FilterPattern: Fn::FindInMap: - FilterPatternLookup - FlowLogs - Pattern LogGroupName: Ref: VPCFlowLogs4thLogGroup Type: AWS::Logs::SubscriptionFilter LogStreamer: Properties: Code: S3Bucket: Fn::Join: - '' - - rualda-solutions-dev- - Ref: AWS::Region S3Key: landing-zone/LogStreamer.zip Description: Lambda function for moving log data to AES. Environment: Variables: ENDPOINT: Ref: Endpoint Handler: index.handler Role: Fn::GetAtt: - LogStreamerRole - Arn Runtime: nodejs4.3 Timeout: '300' Type: AWS::Lambda::Function LogStreamerRole: Properties: AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Effect: Allow Principal: Service: lambda.amazonaws.com Version: '2012-10-17' Path: / Policies: - PolicyDocument: Statement: - Action: - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents Effect: Allow Resource: Fn::Join: - '' - - 'arn:aws:logs:' - Ref: AWS::Region - ':' - Ref: AWS::AccountId - :log-group:/aws/lambda/* - Action: - es:ESHttpPost Effect: Allow Resource: arn:aws:es:*:*:* - Action: - cloudformation:DescribeStacks - Cloudformation:ListStackResources Effect: Allow Resource: Fn::Join: - '' - - 'arn:aws:cloudformation:' - Ref: AWS::Region - ':' - Ref: AWS::AccountId - '*' - '' Version: '2012-10-17' PolicyName: My_Lambda_Function_Permissions RoleName: LogStreamerRole Type: AWS::IAM::Role VPCFlowLog: Properties: DeliverLogsPermissionArn: Fn::GetAtt: - VPCFlowLogsRole - Arn LogGroupName: Ref: VPCFlowLogsLogGroup ResourceId: Ref: MainVPCId ResourceType: VPC TrafficType: ALL Type: AWS::EC2::FlowLog 2VPCFlowLog: Condition: 2VPCCondition Properties: DeliverLogsPermissionArn: Fn::GetAtt: - VPCFlowLogsRole - Arn LogGroupName: Ref: VPCFlowLogs2ndLogGroup ResourceId: Ref: 2ndVPCID ResourceType: VPC TrafficType: ALL Type: AWS::EC2::FlowLog 3VPCFlowLog: Condition: 3VPCCondition Properties: DeliverLogsPermissionArn: Fn::GetAtt: - VPCFlowLogsRole - Arn LogGroupName: Ref: VPCFlowLogs3rdLogGroup ResourceId: Ref: 3rdVPCID ResourceType: VPC TrafficType: ALL Type: AWS::EC2::FlowLog 4VPCFlowLog: Condition: 4VPCCondition Properties: DeliverLogsPermissionArn: Fn::GetAtt: - VPCFlowLogsRole - Arn LogGroupName: Ref: VPCFlowLogs4thLogGroup ResourceId: Ref: 4thVPCID ResourceType: VPC TrafficType: ALL Type: AWS::EC2::FlowLog VPCFlowLogsLogGroup: Properties: RetentionInDays: 7 Type: AWS::Logs::LogGroup VPCFlowLogs2ndLogGroup: Condition: 2VPCCondition Properties: RetentionInDays: 7 Type: AWS::Logs::LogGroup VPCFlowLogs3rdLogGroup: Condition: 3VPCCondition Properties: RetentionInDays: 7 Type: AWS::Logs::LogGroup VPCFlowLogs4thLogGroup: Condition: 4VPCCondition Properties: RetentionInDays: 7 Type: AWS::Logs::LogGroup VPCFlowLogsRole: Properties: AssumeRolePolicyDocument: Statement: - Action: - sts:AssumeRole Effect: Allow Principal: Service: - vpc-flow-logs.amazonaws.com Version: '2012-10-17' Path: / Policies: - PolicyDocument: Statement: - Action: - logs:CreateLogGroup - logs:CreateLogStream - logs:DescribeLogGroups - logs:DescribeLogStreams - logs:PutLogEvents Effect: Allow Resource: '*' Version: '2012-10-17' PolicyName: LogRolePolicy Type: AWS::IAM::Role