AWSTemplateFormatVersion: 2010-09-09 Description: Crea llaves de cifrado para CloudTrail, CloudWatch y SNS # ================= # Recursos # ================= Resources: # ================================== # Llave de encripcion para el trail # ================================== LlaveCloudTrail: DeletionPolicy: Retain UpdateReplacePolicy: Retain Type: AWS::KMS::Key Properties: Description: Llave para encriptar CloudTrail EnableKeyRotation: true KeyPolicy: Version: 2012-10-17 Id: LlaveCloudTrail Statement: - Sid: Habilitar permisos IAM Effect: Allow Principal: AWS: !Join - '' - - 'arn:aws:iam::' - !Ref 'AWS::AccountId' - ':root' Action: 'kms:*' Resource: '*' - Sid: Permitir a CloudTrail encriptar con esta llave Effect: Allow Principal: Service: - cloudtrail.amazonaws.com Action: 'kms:GenerateDataKey*' Resource: '*' Condition: StringLike: 'kms:EncryptionContext:aws:cloudtrail:arn': !Sub 'arn:aws:cloudtrail:*:${AWS::AccountId}:trail/*' - Sid: Permitir a CloudTrail desencriptar con esta llave Effect: Allow Principal: Service: - cloudtrail.amazonaws.com Action: 'kms:Decrypt' Resource: '*' Condition: StringEquals: 'kms:CallerAccount': !Sub '${AWS::AccountId}' StringLike: 'kms:EncryptionContext:aws:cloudtrail:arn': !Sub 'arn:aws:cloudtrail:*:${AWS::AccountId}:trail/*' - Sid: Permitir a CloudTrail describir esta llave Effect: Allow Principal: Service: cloudtrail.amazonaws.com Action: 'kms:DescribeKey' Resource: '*' # ========================================== # Alias de la llave de encripcion del trail # ========================================== AliasLlaveCloudTrail: Type: AWS::KMS::Alias Properties: AliasName: alias/llavecloudtrail TargetKeyId: Ref: LlaveCloudTrail ParametrosLlaveCloudTrail: Type: AWS::SSM::Parameter Properties: Type: String Description: Arn de llave para CloudTrail Name: /seguridad/llaves/LlaveCloudTrail Value: !GetAtt LlaveCloudTrail.Arn # ==================================================== # Llave de encripcion del grupo de logs de CloudWatch # ==================================================== LlaveCloudWatch: DeletionPolicy: Retain UpdateReplacePolicy: Retain Type: AWS::KMS::Key Properties: Description: Llave para encriptar CloudWatch Logs EnableKeyRotation: true KeyPolicy: Version: 2012-10-17 Id: LlaveCloudWatch Statement: - Sid: Habilitar permisos IAM Effect: Allow Principal: AWS: !Join - '' - - 'arn:aws:iam::' - !Ref 'AWS::AccountId' - ':root' Action: 'kms:*' Resource: '*' - Sid: Permitir a CloudWatch utilizar esta llave Effect: Allow Principal: Service: !Sub logs.${AWS::Region}.amazonaws.com Action: - 'kms:Encrypt' - 'kms:Decrypt' - 'kms:ReEncrypt' - 'kms:GenerateDataKey' Resource: '*' Condition: ArnEquals: 'kms:EncryptionContext:aws:logs:arn': !Sub 'arn:aws:logs:*:${AWS::AccountId}:*' # ================================================================== # Alias de la llave de encripcion para el grupo de logs CloudWatch # ================================================================== AliasLlaveCloudWatch: Type: AWS::KMS::Alias Properties: AliasName: alias/llavecloudwatch TargetKeyId: Ref: LlaveCloudWatch # ====================================================================== # Parametro SSM con la llave de encripcion del grupo de logs CloudWatch # ====================================================================== ParametrosLlaveCloudWatch: Type: AWS::SSM::Parameter Properties: Type: String Description: Arn de llave para CloudWatchLogs Name: /seguridad/llaves/LlaveCloudWatch Value: !GetAtt LlaveCloudWatch.Arn # ===================================================== # Llave de encripcion para el topico SNS de alerta CIS # ===================================================== LlaveTopicoAlertaCIS: Type: AWS::KMS::Key Properties: Description: Llave de encripcion para topico SNS de Alertas CIS EnableKeyRotation: true MultiRegion: false KeyPolicy: Version: 2012-10-17 Id: PoliticaDeLlave-TopicoAlertaCIS Statement: - Sid: "Habilitar permisos en IAM" Effect: Allow Principal: AWS: - !Sub "arn:aws:iam::${AWS::AccountId}:root" Action: "kms:*" Resource: "*" - Sid: Permitir encrypt/decrypt a SNS Effect: Allow Principal: Service: - sns.amazonaws.com Action: - kms:GenerateDataKey - kms:Decrypt Resource: "*" - Sid: Permitir encrypt/decrypt a alarmas CloudWatch Effect: Allow Principal: Service: - cloudwatch.amazonaws.com Action: - kms:GenerateDataKey - kms:Decrypt Resource: "*" Tags: - Key: Name Value: PoliticaLlave-TopicoAlertaCIS # ==================================================== # Alias de la Llave para el Topico SNS de alertas CIS # ==================================================== AliasLlaveTopicoAlertaCIS: Type: AWS::KMS::Alias Properties: AliasName: alias/LlaveTopicoAlertaCIS TargetKeyId: !Ref LlaveTopicoAlertaCIS # ============================================================= # Parametro SSM con la llave para el topico SNS de Alertas CIS # ============================================================= ParametrosLlaveTopicoAlertaCIS: Type: AWS::SSM::Parameter Properties: Type: String Description: Arn de llave para el topico SNS alerta CIS Name: /seguridad/llaves/LlaveTopicoAlertaCIS Value: !GetAtt LlaveTopicoAlertaCIS.Arn