AWSTemplateFormatVersion: '2010-09-09-OC'
# The Organization Section (accounts, organizational units, ...) is kept in a
# separate file and pulled in here.
Organization: !Include ../organization.yml
# Region used by every Binding that does not name one itself.
# Accepts a single region string or a list of regions.
DefaultOrganizationBindingRegion: eu-central-1
# Named Bindings: each one states in which accounts (and regions) a resource is
# deployed. Resources below pick a binding with !Ref.
OrganizationBindings:
  # Used by: CloudTrailS3Bucket, CloudTrailS3BucketPolicy
  # The central audit bucket exists only in the shared compliance account.
  CloudTrailBucketBinding:
    Account: !Ref SharedComplianceAccount
  # Used by: CloudTrail, CloudTrailLogGroup, CloudTrailLogGroupRole
  # '*' targets every account; the master account has to be opted in explicitly.
  CloudTrailBinding:
    Account: '*'
    IncludeMasterAccount: true
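Parameters:
  resourcePrefix:
    Type: String
    Default: my
    Description: Prefix for the bucket, role and trail names created by this template.
    # The prefix ends up in an S3 bucket name, which only allows lowercase
    # letters, digits, dots and hyphens; fail at parameter validation rather
    # than at bucket creation.
    AllowedPattern: '^[a-z0-9][a-z0-9.-]*$'
    ConstraintDescription: must start with a lowercase letter or digit and contain only lowercase letters, digits, dots and hyphens
  logDeletionDays:
    Type: Number
    Default: 365
    # S3 lifecycle ExpirationInDays must be a positive integer.
    MinValue: 1
    Description: Days a CloudTrail object stays in the audit bucket before the lifecycle rule expires it.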
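Resources:
  # Central audit-log bucket, deployed only to the shared compliance account.
  # Retained on stack deletion and on resource replacement so audit history is
  # never lost to a template change.
  CloudTrailS3Bucket:
    OrganizationBinding: !Ref CloudTrailBucketBinding
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
    Type: AWS::S3::Bucket
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      BucketName: !Sub '${resourcePrefix}-cloudtrail-${SharedComplianceAccount}'
      LifecycleConfiguration:
        Rules:
          - ExpirationInDays: !Ref logDeletionDays
            Id: !Sub '${resourcePrefix}-cloudtrail-bucket-lifecycle-configuration'
            Status: Enabled
      # Block every form of public access; only the bucket policy below grants anything.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  CloudTrailS3BucketPolicy:
    OrganizationBinding: !Ref CloudTrailBucketBinding
    Type: AWS::S3::BucketPolicy
    DependsOn: CloudTrailS3Bucket
    Properties:
      Bucket: !Ref CloudTrailS3Bucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          # CloudTrail reads the bucket ACL before it starts delivering logs.
          # The aws:SourceArn condition restricts the service-principal grant to
          # trails named after this template (any region, any account), so a trail
          # in an unrelated account cannot use the CloudTrail service principal to
          # reach this bucket (confused-deputy guard).
          - Sid: 'AWSCloudTrailAclCheck'
            Effect: 'Allow'
            Principal:
              Service: 'cloudtrail.amazonaws.com'
            Action: 's3:GetBucketAcl'
            Resource: !Sub 'arn:aws:s3:::${CloudTrailS3Bucket}'
            Condition:
              StringLike:
                aws:SourceArn: !Sub 'arn:aws:cloudtrail:*:*:trail/${resourcePrefix}-trail'
          # Each bound account's trail delivers under its own AWSLogs/<account-id>/ prefix.
          - Sid: 'AWSCloudTrailWrite'
            Effect: 'Allow'
            Principal:
              Service: 'cloudtrail.amazonaws.com'
            Action: 's3:PutObject'
            Resource: !Sub 'arn:aws:s3:::${CloudTrailS3Bucket}/AWSLogs/*/*'
            Condition:
              StringEquals:
                s3:x-amz-acl: 'bucket-owner-full-control'
              StringLike:
                aws:SourceArn: !Sub 'arn:aws:cloudtrail:*:*:trail/${resourcePrefix}-trail'
          # Reject any request that does not arrive over TLS. Covers the bucket
          # itself as well as its objects, so bucket-level calls (e.g. ListBucket)
          # cannot be made in clear text either.
          - Sid: 'AWSCloudTrailForceHttps'
            Effect: Deny
            Principal: '*'
            Action: '*'
            Resource:
              - !Sub 'arn:aws:s3:::${CloudTrailS3Bucket}'
              - !Sub 'arn:aws:s3:::${CloudTrailS3Bucket}/*'
            Condition:
              Bool:
                # IAM condition values are strings; keep the canonical "false".
                aws:SecureTransport: 'false'

  # Short-lived CloudWatch copy of the trail (14 days); the S3 bucket above is
  # the durable store.
  CloudTrailLogGroup:
    OrganizationBinding: !Ref CloudTrailBinding
    Type: 'AWS::Logs::LogGroup'
    Properties:
      RetentionInDays: 14
      LogGroupName: CloudTrail/audit-log

  # Role CloudTrail assumes to push events into the log group. Its only policy
  # is limited to stream creation and event delivery on that one log group.
  CloudTrailLogGroupRole:
    OrganizationBinding: !Ref CloudTrailBinding
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: !Sub '${resourcePrefix}-AWSCloudTrailLogGroupRole'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AssumeRole1
            Effect: Allow
            Principal:
              Service: 'cloudtrail.amazonaws.com'
            Action: 'sts:AssumeRole'
      Policies:
        - PolicyName: 'cloudtrail-policy'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: AWSCloudTrailCreateLogStream
                Effect: Allow
                Action:
                  - 'logs:CreateLogStream'
                  - 'logs:PutLogEvents'
                Resource: !GetAtt 'CloudTrailLogGroup.Arn'

  # One trail per bound account. Every trail ships to the central bucket and to
  # the log group deployed alongside it in the same account.
  CloudTrail:
    OrganizationBinding: !Ref CloudTrailBinding
    Type: AWS::CloudTrail::Trail
    DependsOn:
      - CloudTrailS3BucketPolicy
      - CloudTrailLogGroup
      - CloudTrailLogGroupRole
    Properties:
      CloudWatchLogsLogGroupArn: !GetAtt 'CloudTrailLogGroup.Arn'
      CloudWatchLogsRoleArn: !GetAtt 'CloudTrailLogGroupRole.Arn'
      # Digest files make later tampering with delivered log files detectable.
      EnableLogFileValidation: true
      IncludeGlobalServiceEvents: true
      IsLogging: true
      IsMultiRegionTrail: true
      S3BucketName: !Ref CloudTrailS3Bucket
      TrailName: !Sub '${resourcePrefix}-trail'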