AWSTemplateFormatVersion: 2010-09-09 Description: Construye los buckets para seguridad Parameters: AbreviaturaCuenta: Type: AWS::SSM::Parameter::Value Description: Parametro con la abreviatura del nombre de la cuenta Default: /cuenta/prefijo Resources: # =========== # # S3 Buckets # # =========== # # ---------------------------- # # S3 Bucket for access logging # # ---------------------------- # AccessLogsBucket: Type: AWS::S3::Bucket DeletionPolicy: Retain UpdateReplacePolicy: Retain Properties: BucketName: !Join - "-" - - !Ref AbreviaturaCuenta - 's3accesslogs' - !Ref AWS::AccountId BucketEncryption: ServerSideEncryptionConfiguration: - ServerSideEncryptionByDefault: SSEAlgorithm: 'AES256' PublicAccessBlockConfiguration: BlockPublicAcls: true IgnorePublicAcls: true BlockPublicPolicy: true RestrictPublicBuckets: true IntelligentTieringConfigurations: - Id: tier1-90d Status: Enabled Tierings: - AccessTier: ARCHIVE_ACCESS Days: 90 OwnershipControls: Rules: - ObjectOwnership: BucketOwnerPreferred Metadata: cfn_nag: rules_to_suppress: - id: W35 reason: "Este es el bucket de access logs" # --------------------------------------- # # S3 Bucket policy for Access Logs Bucket # # --------------------------------------- # PoliticaAccessLogsBucket: Type: AWS::S3::BucketPolicy Properties: Bucket: !Ref AccessLogsBucket PolicyDocument: Version: '2012-10-17' Statement: - Sid: Forzar SSL Effect: Deny Principal: "*" Action: "s3:*" Resource: - !Sub "arn:aws:s3:::${AccessLogsBucket}" - !Sub "arn:aws:s3:::${AccessLogsBucket}/*" Condition: Bool: "aws:SecureTransport": false - Sid: ServerAccessLogsPolicy Effect: Allow Principal: Service: logging.s3.amazonaws.com Action: s3:PutObject Resource: !Sub arn:aws:s3:::${AccessLogsBucket}/cloudtrailbucket* Condition: ArnLike: aws:SourceArn: !Sub "arn:aws::s3:::${BucketCloudTrail}" StringEquals: aws:SourceAccount: !Sub ${AWS::AccountId} # ------------------------ # # S3 Bucket for AWS Config # # ------------------------ # BucketConfig: Type: AWS::S3::Bucket DeletionPolicy: Retain UpdateReplacePolicy: Retain Properties: BucketName: !Join - "-" - - !Ref AbreviaturaCuenta - 'awsconfig' - !Ref AWS::AccountId BucketEncryption: ServerSideEncryptionConfiguration: - ServerSideEncryptionByDefault: SSEAlgorithm: 'AES256' VersioningConfiguration: Status: Enabled PublicAccessBlockConfiguration: BlockPublicAcls: true IgnorePublicAcls: true BlockPublicPolicy: true RestrictPublicBuckets: true IntelligentTieringConfigurations: - Id: tier1-90d Status: Enabled Tierings: - AccessTier: ARCHIVE_ACCESS Days: 90 LoggingConfiguration: DestinationBucketName: !Ref AccessLogsBucket LogFilePrefix: configbucket OwnershipControls: Rules: - ObjectOwnership: BucketOwnerPreferred Metadata: cfn_nag: rules_to_suppress: - id: W35 reason: "No se configura access logging para evitar costos" # ------------------------------- # # S3 Bucket policy for AWS Config # # ------------------------------- # PoliticaBucketConfig: Type: AWS::S3::BucketPolicy Properties: Bucket: !Ref BucketConfig PolicyDocument: Version: '2012-10-17' Statement: - Sid: Forzar SSL Effect: Deny Principal: "*" Action: "s3:*" Resource: - !Sub "arn:aws:s3:::${BucketConfig}" - !Sub "arn:aws:s3:::${BucketConfig}/*" Condition: Bool: "aws:SecureTransport": false - Sid: Permitir a AWS Config confirmar permisos en el bucket Effect: Allow Principal: Service: config.amazonaws.com Action: s3:GetBucketAcl Resource: !Sub arn:aws:s3:::${BucketConfig} Condition: StringEquals: AWS:SourceAccount: !Sub ${AWS::AccountId} - Sid: Permitir a AWS Config listar el bucket Effect: Allow Principal: Service: config.amazonaws.com Action: s3:ListBucket Resource: !Sub arn:aws:s3:::${BucketConfig} Condition: StringEquals: AWS:SourceAccount: !Sub ${AWS::AccountId} - Sid: Permitir a AWS Config escribir en el bucket Effect: Allow Principal: Service: config.amazonaws.com Action: s3:PutObject Resource: !Sub arn:aws:s3:::${BucketConfig}/AWSLogs/* Condition: StringEquals: s3:x-amz-acl: bucket-owner-full-control AWS:SourceAccount: !Sub ${AWS::AccountId} # ------------------------------- # # S3 Bucket for AWS CloudTrail # # ------------------------------- # BucketCloudTrail: Type: AWS::S3::Bucket DeletionPolicy: Retain UpdateReplacePolicy: Retain Properties: BucketName: !Join - "-" - - !Ref AbreviaturaCuenta - 'awscloudtrail' - !Ref AWS::AccountId BucketEncryption: ServerSideEncryptionConfiguration: - ServerSideEncryptionByDefault: SSEAlgorithm: 'AES256' VersioningConfiguration: Status: Enabled PublicAccessBlockConfiguration: BlockPublicAcls: true IgnorePublicAcls: true BlockPublicPolicy: true RestrictPublicBuckets: true IntelligentTieringConfigurations: - Id: tier1-90d Status: Enabled Tierings: - AccessTier: ARCHIVE_ACCESS Days: 90 LoggingConfiguration: DestinationBucketName: !Ref AccessLogsBucket LogFilePrefix: cloudtrailbucket OwnershipControls: Rules: - ObjectOwnership: BucketOwnerPreferred # ----------------------------------- # # S3 Bucket policy for AWS CloudTrail # # ----------------------------------- # PoliticaBucketCloudTrail: Type: AWS::S3::BucketPolicy Properties: Bucket: !Ref BucketCloudTrail PolicyDocument: Version: '2012-10-17' Statement: - Sid: Forzar SSL Effect: Deny Principal: "*" Action: "s3:*" Resource: - !Sub "arn:aws:s3:::${BucketCloudTrail}" - !Sub "arn:aws:s3:::${BucketCloudTrail}/*" Condition: Bool: "aws:SecureTransport": false - Sid: Permitir a AWS CloudTrail consultar permisos en el bucket Effect: Allow Principal: Service: cloudtrail.amazonaws.com Action: s3:GetBucketAcl Resource: !Sub arn:aws:s3:::${BucketCloudTrail} Condition: StringEquals: aws:SourceArn: !Sub arn:aws:cloudtrail:${AWS::Region}:${AWS::AccountId}:trail/${AbreviaturaCuenta}-cloudtrail - Sid: Permitir a AWS CloudTrail escribir eventos Effect: Allow Principal: Service: cloudtrail.amazonaws.com Action: s3:PutObject Resource: !Sub arn:aws:s3:::${BucketCloudTrail}/AWSLogs/* Condition: StringEquals: s3:x-amz-acl: bucket-owner-full-control aws:SourceArn: !Sub arn:aws:cloudtrail:${AWS::Region}:${AWS::AccountId}:trail/${AbreviaturaCuenta}-cloudtrail #-----------------------------# # Parametros # #-----------------------------# ParametroBucketConfig: Type: AWS::SSM::Parameter Properties: Description: Nombre del bucket para AWS Config Name: /seguridad/buckets/bucket-config Type: String Value: !Ref BucketConfig ParametroBucketCloudTrail: Type: AWS::SSM::Parameter Properties: Description: Nombre del bucket para AWS CloudTrail Name: /seguridad/buckets/bucket-cloudtrail Type: String Value: !Ref BucketCloudTrail