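# CloudFormation template: a versioned, encrypted S3 bucket for source code
# that any principal inside one AWS Organization may read, plus a separate
# bucket that receives its server access logs.
AWSTemplateFormatVersion: "2010-09-09"
Description: Create an S3 storage bucket to store source code.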
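Parameters:
  OrganizationId:
    Type: String
    Description: >-
      ID of the AWS Organization of the Landing Zone (o-xxxxxxxxxx). Only
      principals belonging to this Organization are allowed to read objects.
    # Deliberately no default: a placeholder such as 'o-' would pass template
    # validation but make the bucket policy's aws:PrincipalOrgID condition
    # match no real Organization, so the bucket would be silently unreadable.
    AllowedPattern: '^o-[a-z0-9]{10,32}$'
    ConstraintDescription: Must be an AWS Organizations ID of the form o-xxxxxxxxxx (lowercase letters and digits).
  SSEAlgorithm:
    Type: String
    Default: 'AES256'
    Description: S3 default-encryption algorithm for the upload bucket (SSE-S3 or SSE-KMS).
    AllowedValues:
      - 'AES256'
      - 'aws:kms'
  KMSMasterKeyID:
    Type: String
    Description: >-
      KMS key used for default encryption when SSEAlgorithm is aws:kms
      (ignored for AES256). The key's policy must also grant kms:Decrypt to
      the Organization principals that read the bucket; the full key ARN is
      the safest form to supply.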
Conditions:
  # True when the operator selected SSE-KMS; selects the KMS bucket variant.
  UseKMS: !Equals [!Ref SSEAlgorithm, 'aws:kms']
  # True when the operator selected SSE-S3; selects the AES256 bucket variant.
  UseAES256: !Equals [!Ref SSEAlgorithm, 'AES256']
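Resources:
  # ---------------------------------------------------------------------------
  # Upload bucket, SSE-KMS variant.
  # Exactly one of S3KmsUploadBucket / S3UploadBucket is created (selected by
  # the SSEAlgorithm parameter); both use the same deterministic bucket name.
  # ---------------------------------------------------------------------------
  S3KmsUploadBucket:
    Condition: UseKMS
    Type: AWS::S3::Bucket
    # S3 checks that the log-destination bucket grants the logging service
    # write access when the logging configuration is applied, so the
    # destination bucket policy has to exist before this bucket is created.
    DependsOn: UploadBucketS3AccessLogsBucketPolicy
    # The bucket holds source code: keep it (and all object versions) when the
    # stack is deleted or the resource is replaced.
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
    Properties:
      BucketName: !Sub control-tower-storage-${AWS::AccountId}-${AWS::Region}
      LoggingConfiguration:
        DestinationBucketName: !Ref UploadBucketS3AccessLogsBucket
      VersioningConfiguration:
        Status: Enabled
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: !Ref SSEAlgorithm
              KMSMasterKeyID: !Ref KMSMasterKeyID
      # Close every public-access path. A bucket policy whose Allow is scoped
      # with aws:PrincipalOrgID is not classified as "public" by S3, so these
      # settings do not conflict with the Organization-wide read policy below.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  S3KmsUploadBucketPolicy:
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: F16
            reason: "We can allow * for the Principal as we are limiting access to the Org."
    Type: AWS::S3::BucketPolicy
    Condition: UseKMS
    Properties:
      Bucket: !Ref S3KmsUploadBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Read-only object access for any principal in the Organization.
          # NOTE: with SSE-KMS, readers in other accounts also need
          # kms:Decrypt on KMSMasterKeyID — grant that in the key policy.
          - Sid: AllowOrganizationRead
            Effect: Allow
            Principal: "*"
            Action:
              - s3:GetObject
            Resource:
              - !Sub arn:${AWS::Partition}:s3:::${S3KmsUploadBucket}/*
            Condition:
              StringEquals:
                aws:PrincipalOrgID: !Ref OrganizationId
          # Refuse any request that is not made over TLS (same rule the access
          # logs bucket enforces).
          - Sid: DenyInsecureTransport
            Effect: Deny
            Principal: "*"
            Action: s3:*
            Resource:
              - !Sub arn:${AWS::Partition}:s3:::${S3KmsUploadBucket}
              - !Sub arn:${AWS::Partition}:s3:::${S3KmsUploadBucket}/*
            Condition:
              Bool:
                aws:SecureTransport: 'false'

  # ---------------------------------------------------------------------------
  # Upload bucket, SSE-S3 (AES256) variant.
  # ---------------------------------------------------------------------------
  S3UploadBucket:
    Condition: UseAES256
    Type: AWS::S3::Bucket
    # See S3KmsUploadBucket: the log-destination policy must exist first.
    DependsOn: UploadBucketS3AccessLogsBucketPolicy
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
    Properties:
      BucketName: !Sub control-tower-storage-${AWS::AccountId}-${AWS::Region}
      LoggingConfiguration:
        DestinationBucketName: !Ref UploadBucketS3AccessLogsBucket
      VersioningConfiguration:
        Status: Enabled
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: !Ref SSEAlgorithm
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  S3UploadBucketPolicy:
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: F16
            reason: "We can allow * for the Principal as we are limiting access to the Org."
    Type: AWS::S3::BucketPolicy
    Condition: UseAES256
    Properties:
      Bucket: !Ref S3UploadBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Read-only object access for any principal in the Organization.
          - Sid: AllowOrganizationRead
            Effect: Allow
            Principal: "*"
            Action:
              - s3:GetObject
            Resource:
              - !Sub arn:${AWS::Partition}:s3:::${S3UploadBucket}/*
            Condition:
              StringEquals:
                aws:PrincipalOrgID: !Ref OrganizationId
          # Refuse any request that is not made over TLS.
          - Sid: DenyInsecureTransport
            Effect: Deny
            Principal: "*"
            Action: s3:*
            Resource:
              - !Sub arn:${AWS::Partition}:s3:::${S3UploadBucket}
              - !Sub arn:${AWS::Partition}:s3:::${S3UploadBucket}/*
            Condition:
              Bool:
                aws:SecureTransport: 'false'

  # ---------------------------------------------------------------------------
  # Destination bucket for the upload bucket's server access logs.
  # ---------------------------------------------------------------------------
  UploadBucketS3AccessLogsBucket:
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
    Type: AWS::S3::Bucket
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W35
            reason: "This S3 bucket is used as the destination for 'S3UploadBucket'"
    Properties:
      # ACLs stay disabled (BucketOwnerEnforced, the S3 default for new
      # buckets). The legacy `AccessControl: LogDeliveryWrite` canned ACL is
      # rejected on such buckets; log delivery is granted to the S3 logging
      # service principal in UploadBucketS3AccessLogsBucketPolicy instead.
      OwnershipControls:
        Rules:
          - ObjectOwnership: BucketOwnerEnforced
      VersioningConfiguration:
        Status: Enabled
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  UploadBucketS3AccessLogsBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref UploadBucketS3AccessLogsBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Allow the S3 server-access-logging service to write log objects,
          # but only on behalf of this account's upload bucket. The source
          # bucket is named literally rather than via !Ref: a !Ref would
          # create a circular dependency with the upload bucket's DependsOn.
          - Sid: S3ServerAccessLogsPolicy
            Effect: Allow
            Principal:
              Service: logging.s3.amazonaws.com
            Action: s3:PutObject
            Resource: !Sub arn:${AWS::Partition}:s3:::${UploadBucketS3AccessLogsBucket}/*
            Condition:
              ArnLike:
                aws:SourceArn: !Sub arn:${AWS::Partition}:s3:::control-tower-storage-${AWS::AccountId}-${AWS::Region}
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId
          # Nobody — including CloudFormation — may delete the log bucket.
          - Sid: DenyDeleteBucket
            Effect: Deny
            Principal: "*"
            Action: s3:DeleteBucket
            Resource: !Sub arn:${AWS::Partition}:s3:::${UploadBucketS3AccessLogsBucket}
          # Refuse any request that is not made over TLS.
          - Sid: DenyInsecureTransport
            Effect: Deny
            Principal: "*"
            Action: s3:*
            Resource:
              - !Sub arn:${AWS::Partition}:s3:::${UploadBucketS3AccessLogsBucket}
              - !Sub arn:${AWS::Partition}:s3:::${UploadBucketS3AccessLogsBucket}/*
            Condition:
              Bool:
                aws:SecureTransport: 'false'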
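Outputs:
  BucketName:
    Description: AWS Control Tower upload bucket name (whichever encryption variant was created)
    Value: !If
      - UseAES256
      - !Ref S3UploadBucket
      - !Ref S3KmsUploadBucket
  AccessLogsBucketName:
    Description: Bucket that receives the upload bucket's server access logs
    Value: !Ref UploadBucketS3AccessLogsBucket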