AWSTemplateFormatVersion: 2010-09-09

Description:  This template deploys an S3 bucket for logging

Resources:
  Bucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      PublicAccessBlockConfiguration:
        BlockPublicAcls: True
        BlockPublicPolicy: True
        IgnorePublicAcls: True
        RestrictPublicBuckets: True
      VersioningConfiguration:
        Status: Enabled
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W35
            reason: This S3 bucket is the logging bucket

  BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref Bucket
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Action:
              - 's3:PutObject'
            Effect: Allow
            Principal:
              Service: logging.s3.amazonaws.com
            Resource: !Join 
              - ''
              - - 'arn:aws:s3:::'
                - !Ref Bucket
                - /*
            Condition:
              ArnLike:
                'aws:SourceArn': !GetAtt 
                  - Bucket
                  - Arn
              StringEquals:
                'aws:SourceAccount': !Sub '${AWS::AccountId}'        
          - Action:
              - 's3:GetObject'
            Effect: Deny
            Resource: !Join
              - ''
              - - 'arn:aws:s3:::'
                - !Ref Bucket
                - /*
            Principal: '*'
            Condition:
              StringNotEquals:
                'aws:PrincipalAccount': !Ref AWS::AccountId

Outputs:
  BucketName:
    Description: Logging bucket
    Value: !Ref Bucket