AWSTemplateFormatVersion: '2010-09-09' Description: Asset Resources # https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html Mappings: Region2ELBAccountId: us-east-1: AccountId: '127311923021' us-east-2: AccountId: '033677994240' us-west-1: AccountId: '027434742980' us-west-2: AccountId: '797873946194' af-south-1: AccountId: '098369216593' ca-central-1: AccountId: '985666609251' eu-central-1: AccountId: '054676820928' eu-west-1: AccountId: '156460612806' eu-west-2: AccountId: '652711504416' eu-south-1: AccountId: '635631232127' eu-west-3: AccountId: '009996457667' eu-north-1: AccountId: '897822967062' ap-east-1: AccountId: '754344448648' ap-northeast-1: AccountId: '582318560864' ap-northeast-2: AccountId: '600734575887' ap-northeast-3: AccountId: '383597477331' ap-southeast-1: AccountId: '114774131450' ap-southeast-2: AccountId: '783225319266' ap-southeast-3: AccountId: '589379963580' ap-south-1: AccountId: '718504428378' me-south-1: AccountId: '076674570225' sa-east-1: AccountId: '507241528517' cn-north-1: AccountId: '638102146993' cn-northwest-1: AccountId: '037604701340' Resources: AssetsBucket: Type: AWS::S3::Bucket Properties: AccessControl: 'Private' LoggingConfiguration: DestinationBucketName: !Ref LoggingBucket LogFilePrefix: AssetsBucket-logs Metadata: cfn_nag: rules_to_suppress: - id: W51 reason: policy been defined already - id: W41 reason: video clips encrypted in bucket can't be used for VoD AssestS3BucketPolicy: Type: AWS::S3::BucketPolicy Properties: Bucket: !Ref AssetsBucket PolicyDocument: Statement: - Effect: Allow Action: - 's3:GetObject' - 's3:PutObject' - 's3:DeleteObject' Principal: AWS: Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - ":iam::" - Ref: AWS::AccountId - :root Resource: Fn::Join: - '' - - Fn::GetAtt: [ AssetsBucket, Arn ] - '/*' - Effect: Deny Action: - 's3:*' Principal: '*' Resource: - Fn::Join: - '' - - Fn::GetAtt: [ AssetsBucket, Arn ] - '/*' - Fn::Join: - '' - - Fn::GetAtt: [ AssetsBucket, Arn ] Condition: Bool: aws:SecureTransport: false StaticBucket: Type: AWS::S3::Bucket Properties: AccessControl: 'Private' LoggingConfiguration: DestinationBucketName: !Ref LoggingBucket LogFilePrefix: StaticBucket-logs Metadata: cfn_nag: rules_to_suppress: - id: W51 reason: policy been defined already - id: W41 reason: video clips encrypted in bucket can't be used for VoD StaticS3BucketPolicy: Type: AWS::S3::BucketPolicy Properties: Bucket: !Ref StaticBucket PolicyDocument: Statement: - Effect: Allow Action: - 's3:GetObject' - 's3:PutObject' - 's3:DeleteObject' Principal: AWS: Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - ":iam::" - Ref: AWS::AccountId - :root Resource: Fn::Join: - '' - - Fn::GetAtt: [ StaticBucket, Arn ] - '/*' LoggingBucket: Type: 'AWS::S3::Bucket' Properties: AccessControl: LogDeliveryWrite OwnershipControls: Rules: - ObjectOwnership: BucketOwnerPreferred Metadata: cfn_nag: rules_to_suppress: - id: W35 reason: avoid for infinite loop in access logging requirement - id: W51 reason: bucket for logging usage only - id: W41 reason: logs encrypted in bucket not actual helping debugging LoggingBucketPolicy: Type: AWS::S3::BucketPolicy Properties: Bucket: !Ref LoggingBucket PolicyDocument: Statement: - Effect: Allow Action: - s3:GetObject - s3:PutObject - s3:DeleteObject Principal: AWS: Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - ":iam::" - Ref: AWS::AccountId - :root Resource: Fn::Join: - "" - - Fn::GetAtt: [ LoggingBucket, Arn ] - /* # policy for ELB access log - Action: - s3:PutObject - s3:Abort* Effect: Allow Principal: AWS: !FindInMap [Region2ELBAccountId, !Ref 'AWS::Region', AccountId] Resource: Fn::Join: - "" - - Fn::GetAtt: [ LoggingBucket, Arn ] - /* - Action: s3:PutObject Effect: Allow Principal: Service: delivery.logs.amazonaws.com Resource: Fn::Join: - "" - - Fn::GetAtt: [ LoggingBucket, Arn ] - /* Condition: StringEquals: s3:x-amz-acl: bucket-owner-full-control - Effect: Allow Principal: Service: delivery.logs.amazonaws.com Action: s3:GetBucketAcl Resource: Fn::Join: - "" - - Fn::GetAtt: [ LoggingBucket, Arn ] # - Action: # - s3:PutObject # - s3:Abort* # Effect: Allow # Principal: # AWS: !FindInMap [Region2ELBAccountId, !Ref 'AWS::Region', AccountId] # Resource: # Fn::Join: # - "" # - # - Fn::GetAtt: [ LoggingBucket, Arn ] # - /Web-LoadBalancer-logs/AWSLogs/ # - Ref: AWS::AccountId # - /* # - Action: # - s3:PutObject # - s3:Abort* # Effect: Allow # Principal: # AWS: !FindInMap [Region2ELBAccountId, !Ref 'AWS::Region', AccountId] # Resource: # Fn::Join: # - "" # - # - Fn::GetAtt: [ LoggingBucket, Arn ] # - /Origin-LoadBalancer-logs/AWSLogs/ # - Ref: AWS::AccountId # - /* Outputs: AssetsBucket: Value: !Ref 'AssetsBucket' Export: Name: 'Assets-AssetsBucket' StaticBucket: Value: !Ref 'StaticBucket' Export: Name: 'Static-StaticBucket' LoggingBucket: Value: !Ref 'LoggingBucket' Export: Name: 'Loggin-LoggingBucket'