By Implementation

Service Control PoliciesConfig RulesAuto Remediation RulesConformance PacksAmazon GuardDutyAmazon InspectorAWS Security HubNetwork FirewallAmazon MacieBilling and Cost ManagementS3 Bucket PoliciesCloudWatch Alarms and Event RulesLogging & Monitoring ConfigurationsAWS WAFBackups & DRAWS Systems ManagerSecurity Groups & NACLsAWS KMSIAM Policies

By Service Protected

Configuration Packages

Custom VPC TemplateAWS Logging ServicesAWS Threat Detection ServicesSecurity Monitoring and ComplianceAWS Auto Remediation Rule PackageEC2 Patch ManagementCommon SCP PackagePCI DSS Compliance Monitoring with Security HubCIS AWS Benchmark Monitoring PackageCanada GC Cloud Guardrails

Strategy Guides

AWS Logging Services

A configuration package to enable AWS security logging and activity monitoring services: AWS CloudTrail, AWS Config, and Amazon GuardDuty. The package also includes an S3 bucket to store CloudTrail and Config history logs, as well as an optional CloudWatch log group to receive CloudTrail logs.

Items
9
Size
4.8 KB
AWSTemplateFormatVersion: "2010-09-09"
Description: ""
Resources:
  S3SharedBucket:
    Type: "AWS::S3::Bucket"
    Properties:
      LoggingConfiguration: {}
      AccessControl: "LogDeliveryWrite"
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: "AES256"
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
  BucketPolicy:
    Type: "AWS::S3::BucketPolicy"
    Properties:
      Bucket:
        Ref: "S3SharedBucket"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Principal:
              Service:
                - "cloudtrail.amazonaws.com"
                - "config.amazonaws.com"
            Action:
              - "s3:GetBucketAcl"
            Resource:
              - Fn::GetAtt:
                  - "S3SharedBucket"
                  - "Arn"
            Effect: "Allow"
            Condition: {}
          - Principal:
              Service:
                - "cloudtrail.amazonaws.com"
                - "config.amazonaws.com"
            Action:
              - "s3:PutObject"
            Resource:
              - Fn::Join:
                  - ""
                  -
                    - ""
                    - Fn::GetAtt:
                        - "S3SharedBucket"
                        - "Arn"
                    - "/*"
            Effect: "Allow"
            Condition:
              StringEquals:
                s3:x-amz-acl: "bucket-owner-full-control"
    DependsOn: "S3SharedBucket"
  CloudTrail:
    Type: "AWS::CloudTrail::Trail"
    Properties:
      TrailName: "ManagementEventsTrail"
      IsLogging: true
      EnableLogFileValidation: true
      EventSelectors:
        - IncludeManagementEvents: true
          ReadWriteType: "All"
      IsMultiRegionTrail: true
      IncludeGlobalServiceEvents: true
      S3BucketName:
        Ref: "S3SharedBucket"
      CloudWatchLogsLogGroupArn:
        Fn::GetAtt:
          - "CWLogGroupForCloudTrail"
          - "Arn"
      CloudWatchLogsRoleArn:
        Fn::GetAtt:
          - "IamRoleForCwLogsCloudTrail"
          - "Arn"
    DependsOn:
      - "BucketPolicy"
  IamRoleForCwLogsCloudTrail:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: ""
            Effect: "Allow"
            Principal:
              Service: "cloudtrail.amazonaws.com"
            Action: "sts:AssumeRole"
      Policies:
        - PolicyName: "allow-access-to-cw-logs"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - "logs:CreateLogStream"
                  - "logs:PutLogEvents"
                Resource: "*"
  CWLogGroupForCloudTrail:
    Type: "AWS::Logs::LogGroup"
    Properties:
      LogGroupName: "CloudTrailLogs"
      RetentionInDays: 90
  ConfigurationRecorder:
    Type: "AWS::Config::ConfigurationRecorder"
    Properties:
      RoleARN:
        Fn::GetAtt:
          - "IamRoleForAwsConfig"
          - "Arn"
      RecordingGroup:
        AllSupported: true
        IncludeGlobalResourceTypes: true
  DeliveryChannel:
    Type: "AWS::Config::DeliveryChannel"
    Properties:
      S3BucketName:
        Ref: "S3SharedBucket"
  IamRoleForAwsConfig:
    Type: "AWS::IAM::Role"
    Properties:
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/service-role/AWSConfigRole"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: ""
            Effect: "Allow"
            Principal:
              Service: "config.amazonaws.com"
            Action: "sts:AssumeRole"
      Policies:
        - PolicyName: "allow-access-to-config-s3-bucket"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - "s3:PutObject"
                Resource:
                  - Fn::Join:
                      - ""
                      -
                        - Fn::GetAtt:
                            - "S3SharedBucket"
                            - "Arn"
                        - "/*"
                Condition:
                  StringLike:
                    s3:x-amz-acl: "bucket-owner-full-control"
              - Effect: "Allow"
                Action:
                  - "s3:GetBucketAcl"
                Resource:
                  Fn::GetAtt:
                    - "S3SharedBucket"
                    - "Arn"
      RoleName: "iamRoleForAWSConfig"
  GuardDuty:
    Type: "AWS::GuardDuty::Detector"
    Properties:
      Enable: true
      DataSources:
        S3Logs:
          Enable: true
Parameters: {}
Metadata: {}
Conditions: {}

Actions



Customize Template

Configuration Presets

Resource Settings

EDIT
EDIT
EDIT
EDIT
EDIT