AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Resources:
  CustomConfigRule:
    Type: 'AWS::Config::ConfigRule'
    Properties:
      ConfigRuleName: cloudtrail_s3_access_logging
      Scope:
        ComplianceResourceTypes:
          - 'AWS::CloudTrail::Trail'
          - 'AWS::S3::Bucket'
      Description: A config rule that evaluates whether access logging is enabled on the CloudTrail S3 bucket and the S3 bucket is not publicly accessible.
      Source:
        Owner: CUSTOM_LAMBDA
        SourceIdentifier:
          'Fn::GetAtt':
            - LambdaFunctionCustomConfigRule
            - Arn
        SourceDetails:
          - EventSource: aws.config
            MessageType: ConfigurationItemChangeNotification
          - EventSource: aws.config
            MessageType: OversizedConfigurationItemChangeNotification
    DependsOn: LambdaInvokePermissionsCustomConfigRule
  LambdaInvokePermissionsCustomConfigRule:
    Type: 'AWS::Lambda::Permission'
    Properties:
      FunctionName:
        'Fn::GetAtt':
          - LambdaFunctionCustomConfigRule
          - Arn
      Action: 'lambda:InvokeFunction'
      Principal: config.amazonaws.com
  LambdaFunctionCustomConfigRule:
    Type: 'AWS::Lambda::Function'
    Properties:
      FunctionName: LambdaForcloudtrail_s3_access_logging
      Handler: index.lambda_handler
      Role:
        'Fn::GetAtt':
          - LambdaIamRoleCustomConfigRule
          - Arn
      Runtime: python2.7
      Code:
        ZipFile:
          'Fn::Join':
            - |+

            - - ''
              - import json
              - import boto3
              - import datetime
              - import time
              - from botocore.exceptions import ClientError
              - 'def lambda_handler(event, context):'
              - '  # get the trail for the current region'
              - '  client_ct = boto3.client(''cloudtrail'')'
              - '  for trail in client_ct.describe_trails(includeShadowTrails = False)[''trailList'']:'
              - '    annotation = '''''
              - '    is_publicly_accessible = False'
              - '    s3_bucket_name = '''''
              - '    is_compliant = True'
              - '    # check if the cloudtrail s3 bucket is publicly accessible and logged'
              - '    if trail[''S3BucketName'']:'
              - '      s3_bucket_name = trail[''S3BucketName'']'
              - '      client_s=boto3.client(''s3'')'
              - '      try:'
              - '        for grant in client_s.get_bucket_acl(Bucket = s3_bucket_name)[''Grants'']:'
              - '          # verify cloudtrail s3 bucket ACL'
              - '          if grant[''Permission''] in [''READ'',''FULL_CONTROL''] and (''URI'' in grant[''Grantee''] and (''AuthenticatedUsers'' in grant[''Grantee''][''URI''] or ''AllUsers'' in grant[''Grantee''][''URI''])):'
              - '            is_publicly_accessible = True'
              - '        if is_publicly_accessible:'
              - '          is_compliant = False'
              - '          annotation = annotation + '' The CloudTrail S3 bucket ''{}'' is publicly accessible.''.format(s3_bucket_name)'
              - '        # verify cloudtrail s3 bucket logging'
              - '        response = client_s.get_bucket_logging(Bucket = s3_bucket_name)'
              - '        if ''LoggingEnabled'' not in response:'
              - '          is_compliant=False'
              - '          annotation = annotation + '' The CloudTrail S3 bucket ''{}'' does not have logging enabled.''.format(s3_bucket_name)'
              - '      except Exception as ex:'
              - '        print ex'
              - '        is_compliant = False'
              - '        annotation = annotation + '' There was an error looking up CloudTrail S3 bucket ''{}''.''.format(s3_bucket_name)'
              - '    else:'
              - '      annotation = annotation + '' CloudTrail is not integrated with S3.'''
              - '    result_token = ''No token found.'''
              - '    if ''resultToken'' in event: result_token = event[''resultToken'']'
              - '    evaluations = ['
              - '      {'
              - '        ''ComplianceResourceType'': ''AWS::S3::Bucket'','
              - '        ''ComplianceResourceId'': s3_bucket_name,'
              - '        ''ComplianceType'': ''COMPLIANT'' if is_compliant else ''NON_COMPLIANT'','
              - '        ''OrderingTimestamp'': datetime.datetime.now()'
              - '      }'
              - '    ]'
              - '    if is_compliant: annotation = ''Acces logging is enabled on the CloudTrail S3 bucket ''{}'' and the S3 bucket is not publicly accessible''.format(s3_bucket_name)'
              - '    if annotation: evaluations[0][''Annotation''] = annotation'
              - '    config = boto3.client(''config'')'
              - '    config.put_evaluations('
              - '      Evaluations = evaluations,'
              - '      ResultToken = result_token'
              - '    )'
              - ''
      Timeout: 300
    DependsOn: LambdaIamRoleCustomConfigRule
  LambdaIamRoleCustomConfigRule:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: IAMRoleForcloudtrail_s3_access_loggingHMI
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/AWSCloudTrailReadOnlyAccess'
        - 'arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess'
        - 'arn:aws:iam::aws:policy/service-role/AWSConfigRulesExecutionRole'
        - 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
Parameters: {}
Metadata: {}
Conditions: {}