Permalink
Find file
Fetching contributors…
Cannot retrieve contributors at this time
204 lines (190 sloc) 6.14 KB
AWSTemplateFormatVersion: '2010-09-09'
Description: Deploy The Basic CloudTrail Resources required to monitor the account
Parameters:
pLoggingBucketName:
Description: Name of the Bucket to Create for CloudTrail Logs
Type: String
pTagApplication:
Type: String
pTagCreatedBy:
Type: String
pCloudTrailLogGroupName:
Type: String
Description: CloudTrail/DefaultLogGroup
pCreateBucket:
Type: String
Description: Boolean to create bucket or use existing one
- true
- false
pCreateTopic:
Type: String
Description: Boolean to create topic or use existing one
AllowedValues:
- true
- false
Conditions:
CreateBucket: !Equals [!Ref 'pCreateBucket', 'true']
CreateTopic: !Equals [!Ref 'pCreateTopic', 'true']
Resources:
# FIXME - Need to automate the adding of LogDelivery to the Bucket
LoggingS3Bucket:
DeletionPolicy: Retain
Condition: CreateBucket
Type: AWS::S3::Bucket
Properties:
AccessControl: LogDeliveryWrite
BucketName: !Ref 'pLoggingBucketName'
VersioningConfiguration:
Status: Enabled
Tags:
- Key: Name
Value: !Ref 'pLoggingBucketName'
- Key: creator
Value: !Ref 'pTagCreatedBy'
- Key: application
Value: !Ref 'pTagApplication'
LoggingBucketPolicy:
Type: AWS::S3::BucketPolicy
Condition: CreateBucket
Properties:
Bucket: !Ref 'pLoggingBucketName'
PolicyDocument:
Version: '2012-10-17'
Statement:
- Sid: AWSCloudTrailAclCheck
Effect: Allow
Principal:
Service: cloudtrail.amazonaws.com
Action: s3:GetBucketAcl
Resource: !Join ['', ['arn:aws:s3:::', !Ref 'pLoggingBucketName']]
- Sid: AWSCloudTrailWrite
Effect: Allow
Principal:
Service: cloudtrail.amazonaws.com
Action: s3:PutObject
Resource: !Join ['', ['arn:aws:s3:::', !Ref 'pLoggingBucketName', /AWSLogs/, !Ref 'AWS::AccountId', /*]]
Condition:
StringEquals:
s3:x-amz-acl: bucket-owner-full-control
# Define an SNS Topic for Logfile delivery
CloudTrailTopic:
Condition: CreateTopic
Type: AWS::SNS::Topic
Properties:
DisplayName: CloudTrail Notification Topic
CloudTrailTopicPolicy:
Type: AWS::SNS::TopicPolicy
Condition: CreateTopic
Properties:
Topics: [!Ref 'CloudTrailTopic']
PolicyDocument:
Version: '2008-10-17'
Statement:
- Sid: AWSCloudTrailSNSPolicy
Effect: Allow
Principal:
Service: cloudtrail.amazonaws.com
Resource: '*'
Action: SNS:Publish
# Define an KMS Key to Encrypt the CloudTrail Logs with
CloudTrailKMSKey:
Type: AWS::KMS::Key
Properties:
Description: CloudTrail KMS Key
Enabled: 'true'
EnableKeyRotation: 'true'
KeyPolicy:
Version: '2012-10-17'
Id: key-default-1
Statement:
- Sid: Allow administration of the key
Effect: Allow
Principal:
AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
Action: ['kms:Create*', 'kms:Describe*', 'kms:Enable*', 'kms:List*', 'kms:Put*',
'kms:Update*', 'kms:Revoke*', 'kms:Disable*', 'kms:Get*', 'kms:Delete*',
'kms:ScheduleKeyDeletion', 'kms:CancelKeyDeletion']
Resource: '*'
- Sid: Allow use of the key
Effect: Allow
Principal:
Service: cloudtrail.amazonaws.com
Action: ['kms:Encrypt', 'kms:Decrypt', 'kms:ReEncrypt*', 'kms:GenerateDataKey*', 'kms:DescribeKey']
Resource: '*'
CloudtrailKMSKeyAlias:
Type: "AWS::KMS::Alias"
Properties:
AliasName: !Sub "alias/${AWS::StackName}KMSKey"
TargetKeyId: !Ref CloudTrailKMSKey
# Define a Log Group to Send the Cloudtrail Events to CloudWatch Logs
CloudTrailToCloudWatchLogsRole:
Type: "AWS::IAM::Role"
Properties:
Path: "/"
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Principal:
Service:
- "cloudtrail.amazonaws.com"
Action:
- "sts:AssumeRole"
Policies:
- PolicyName: SendtoCloudWatchLogs
PolicyDocument:
Version: '2012-10-17'
Statement:
- Sid: AWSCloudTrailCreateLogStream2014110
Effect: Allow
Action: logs:CreateLogStream
Resource: !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:${pCloudTrailLogGroupName}:log-stream:*
- Sid: AWSCloudTrailPutLogEvents20141101
Effect: Allow
Action: logs:PutLogEvents
Resource: !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:${pCloudTrailLogGroupName}:log-stream:*
CloudTrailLogGroup:
Type: "AWS::Logs::LogGroup"
Properties:
LogGroupName: !Ref pCloudTrailLogGroupName
RetentionInDays: 365
# And Define the CloudTrail. Make it Global and for all regions
CloudTrail:
DependsOn:
- LoggingBucketPolicy
# - CloudTrailTopicPolicy
# - Fn::If:
# - CreateTopic
# - CloudTrailTopicPolicy
# - !Ref AWS::NoValue
Type: AWS::CloudTrail::Trail
Properties:
S3BucketName: !Ref 'pLoggingBucketName'
SnsTopicName:
Fn::If:
- CreateTopic
- !GetAtt CloudTrailTopic.TopicName
- !Ref AWS::NoValue
IsLogging: true
KMSKeyId: !Ref 'CloudTrailKMSKey'
EnableLogFileValidation: true
IncludeGlobalServiceEvents: true
IsMultiRegionTrail: true
CloudWatchLogsRoleArn: !GetAtt CloudTrailToCloudWatchLogsRole.Arn
CloudWatchLogsLogGroupArn: !GetAtt CloudTrailLogGroup.Arn
Tags:
- Key: Name
Value: !Ref 'AWS::StackName'
- Key: contact-email
Value: !Ref 'pTagCreatedBy'
- Key: application
Value: !Ref 'pTagApplication'
Outputs:
CloudTrailTopicArn:
Condition: CreateTopic
Value: !Ref 'CloudTrailTopic'
CloudTrailLogGroup:
Value: !Ref pCloudTrailLogGroupName
CloudTrailLogGroupArn:
Value: !GetAtt CloudTrailLogGroup.Arn