forked from aws-samples/amazon-cloudwatch-auto-alarms
-
Notifications
You must be signed in to change notification settings - Fork 0
/
CloudWatchAutoAlarms-S3.yaml
executable file
·105 lines (102 loc) · 3.33 KB
/
CloudWatchAutoAlarms-S3.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
---
Description: S3 Bucket for Cross-Account deployment of amazon-cloudwatch-auto-alarms Lambda function
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
OrganizationID:
Description: Provide read access to all accounts in the organization. Leave blank for single account S3 bucket permissions.
Type: String
Default: ""
Conditions:
OrgEnabledAccess: !Not [!Equals ["", !Ref OrganizationID]]
Resources:
LambdaDeploymentBucket:
Type: "AWS::S3::Bucket"
Properties:
# BucketEncryption:
# ServerSideEncryptionConfiguration:
# - ServerSideEncryptionByDefault:
# SSEAlgorithm: aws:kms
# KMSMasterKeyID:
# Fn::ImportValue: <S3 CMK KMS Encryption Key>
VersioningConfiguration:
Status: Enabled
# LoggingConfiguration:
# DestinationBucketName:
# Fn::ImportValue: !Sub <Destination Log Bucket>
# LogFilePrefix: <Logfile Prefix>
LifecycleConfiguration:
Rules:
- Id: DeleteRule
Status: Enabled
ExpirationInDays: '90'
LambdaDeploymentBucketPolicy:
Type: "AWS::S3::BucketPolicy"
Properties:
Bucket: !Ref LambdaDeploymentBucket
PolicyDocument:
Version: '2012-10-17'
Id: SSEAndSSLPolicy
Statement:
- Sid: DenyInsecureConnections
Effect: Deny
Principal: "*"
Action: s3:*
Resource:
- !Join
- ''
- - Fn::GetAtt: [LambdaDeploymentBucket, Arn]
- '/*'
Condition:
Bool:
aws:SecureTransport: 'false'
- Sid: DenyS3PublicObjectACL
Effect: Deny
Principal: "*"
Action: s3:PutObjectAcl
Resource:
- !Join
- ''
- - Fn::GetAtt: [LambdaDeploymentBucket, Arn]
- '/*'
Condition:
StringEqualsIgnoreCaseIfExists:
s3:x-amz-acl:
- public-read
- public-read-write
- authenticated-read
- !If
- OrgEnabledAccess
- Sid: ''
Effect: Allow
Principal: "*"
Action:
- s3:ListBucket
Resource: !GetAtt LambdaDeploymentBucket.Arn
Condition:
ForAnyValue:StringLike:
aws:PrincipalOrgPaths:
- !Sub "${OrganizationID}/*"
- !Ref 'AWS::NoValue'
- !If
- OrgEnabledAccess
- Sid: ''
Effect: Allow
Principal: "*"
Action:
- s3:Get*
Resource:
- !Join
- ''
- - Fn::GetAtt: [LambdaDeploymentBucket, Arn]
- '/*'
Condition:
ForAnyValue:StringLike:
aws:PrincipalOrgPaths:
- !Sub "${OrganizationID}/*"
- !Ref 'AWS::NoValue'
Outputs:
LambdaDeploymentBucketName:
Value: !Ref LambdaDeploymentBucket
Description: "Lambda S3 deployment bucket name for deployment support of amazon-cloudwatch-auto-alarms lambda function"
Export:
Name: !Sub "amazon-cloudwatch-auto-alarms-bucket-name"