AWSTemplateFormatVersion: "2010-09-09"
Description: >
  This Template creates an encrypted non-public S3 bucket to store Cassis CloudTrail and
  VPC Flow Logs. The S3 Bucket Policy is also deployed with the template.

Parameters:

  EnvironmentName:
    Description: An environment name that is prefixed to resource names
    Type: String
    Default: Dev

Resources:

  Bucket:
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W35
            reason: "Supressing requirement for logging warning for testing purposes"
    Type: AWS::S3::Bucket
    DeletionPolicy: Delete
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      VersioningConfiguration:
        Status: Enabled
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        IgnorePublicAcls: true
        BlockPublicPolicy: true
        RestrictPublicBuckets: true
      Tags:
        - Key: EnvironmentName
          Value: !Ref EnvironmentName

  BucketPolicyElbAccessLogWrite:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      Bucket: !Ref Bucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
        -
#          Sid: "AWSLogDeliveryWrite"
          Effect: Allow
          Principal:
            Service: 'delivery.logs.amazonaws.com'
          Action: 's3:PutObject'
          Resource: !Sub '${Bucket.Arn}/*'
          Condition:
            StringEquals:
              's3:x-amz-acl': 'bucket-owner-full-control'
        -
#          Sid: "AWSLogDeliveryAclCheck"
          Effect: Allow
          Principal:
            Service: 'delivery.logs.amazonaws.com'
          Action: 's3:GetBucketAcl'
          Resource: !GetAtt 'Bucket.Arn'
        -
#          Sid: "AWSCloudTrailAclCheck"
          Effect: Allow
          Principal:
            Service: "cloudtrail.amazonaws.com"
          Action: "s3:GetBucketAcl"
          Resource: !GetAtt 'Bucket.Arn'
        -
#          Sid: "AWSCloudTrailWrite"
          Effect: Allow
          Principal:
            Service: "cloudtrail.amazonaws.com"
          Action: "s3:PutObject"
          Resource:
            !Sub |-
              arn:aws:s3:::${Bucket}/audit/*
          Condition:
            StringEquals:
              s3:x-amz-acl: "bucket-owner-full-control"
        - 
          Action:
            - 's3:*'
          Effect: Deny
          Resource:
            - !GetAtt 'Bucket.Arn'
            - !Sub '${Bucket.Arn}/*'
          Principal: '*'
          Condition:
            Bool:
              'aws:SecureTransport':
                - 'false'

Outputs:
  S3BucketArn:
    Description: S3 Bucket ARN
    Value: !GetAtt Bucket.Arn
    Export:
      Name:
        Fn::Sub: "${AWS::StackName}-logs-bucket-arn"

  S3BucketName:
    Description: S3 Bucket Name
    Value: !Ref Bucket
    Export:
      Name:
        Fn::Sub: "${AWS::StackName}-logs-bucket-name"