Guided Walkthroughs
Configuration Packages
Custom Packages
By Implementation
By Service Protected
Reference Guides
Other
Guided Walkthroughs
Configuration Packages
Custom Packages
By Service Protected
By Implementation
Reference Guides
Other
Configuration Packages
AWS Logging Services
A configuration package to enable AWS security logging and activity monitoring services: AWS CloudTrail, AWS Config, and Amazon GuardDuty. The package also includes an S3 bucket to store CloudTrail and Config history logs, as well as an optional CloudWatch log group to receive CloudTrail logs.
A premium subscription is required for this content
Items
9
Size
4.7 KB
AWSTemplateFormatVersion: "2010-09-09"
Description: ""
Resources:
S3SharedBucket:
Type: "AWS::S3::Bucket"
Properties:
LoggingConfiguration: {}
AccessControl: "LogDeliveryWrite"
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: "AES256"
PublicAccessBlockConfiguration:
BlockPublicAcls: true
BlockPublicPolicy: true
IgnorePublicAcls: true
RestrictPublicBuckets: true
BucketPolicy:
Type: "AWS::S3::BucketPolicy"
Properties:
Bucket:
Ref: "S3SharedBucket"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Principal:
Service:
- "cloudtrail.amazonaws.com"
- "config.amazonaws.com"
Action:
- "s3:GetBucketAcl"
Resource:
- Fn::GetAtt:
- "S3SharedBucket"
- "Arn"
Effect: "Allow"
Condition: {}
- Principal:
Service:
- "cloudtrail.amazonaws.com"
- "config.amazonaws.com"
Action:
- "s3:PutObject"
Resource:
- Fn::Join:
- ""
-
- ""
- Fn::GetAtt:
- "S3SharedBucket"
- "Arn"
- "/*"
Effect: "Allow"
Condition:
StringEquals:
s3:x-amz-acl: "bucket-owner-full-control"
DependsOn: "S3SharedBucket"
CloudTrail:
Type: "AWS::CloudTrail::Trail"
Properties:
TrailName: "ManagementEventsTrail"
IsLogging: true
EnableLogFileValidation: true
EventSelectors:
- IncludeManagementEvents: true
ReadWriteType: "All"
IsMultiRegionTrail: true
IncludeGlobalServiceEvents: true
S3BucketName:
Ref: "S3SharedBucket"
CloudWatchLogsLogGroupArn: "CloudTrailLogs"
CloudWatchLogsRoleArn:
Fn::GetAtt:
- "IamRoleForCwLogsCloudTrail"
- "Arn"
DependsOn:
- "BucketPolicy"
IamRoleForCwLogsCloudTrail:
Type: "AWS::IAM::Role"
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Sid: ""
Effect: "Allow"
Principal:
Service: "cloudtrail.amazonaws.com"
Action: "sts:AssumeRole"
Policies:
- PolicyName: "allow-access-to-cw-logs"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Action:
- "logs:CreateLogStream"
- "logs:PutLogEvents"
Resource: "*"
CWLogGroupForCloudTrail:
Type: "AWS::Logs::LogGroup"
Properties:
LogGroupName: "CloudTrailLogs"
RetentionInDays: 90
ConfigurationRecorder:
Type: "AWS::Config::ConfigurationRecorder"
Properties:
RoleARN:
Fn::GetAtt:
- "IamRoleForAwsConfig"
- "Arn"
RecordingGroup:
AllSupported: true
IncludeGlobalResourceTypes: true
DeliveryChannel:
Type: "AWS::Config::DeliveryChannel"
Properties:
S3BucketName:
Ref: "S3SharedBucket"
IamRoleForAwsConfig:
Type: "AWS::IAM::Role"
Properties:
ManagedPolicyArns:
- "arn:aws:iam::aws:policy/service-role/AWSConfigRole"
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Sid: ""
Effect: "Allow"
Principal:
Service: "config.amazonaws.com"
Action: "sts:AssumeRole"
Policies:
- PolicyName: "allow-access-to-config-s3-bucket"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Action:
- "s3:PutObject"
Resource:
- Fn::Join:
- ""
-
- Fn::GetAtt:
- "S3SharedBucket"
- "Arn"
- "/*"
Condition:
StringLike:
s3:x-amz-acl: "bucket-owner-full-control"
- Effect: "Allow"
Action:
- "s3:GetBucketAcl"
Resource:
Fn::GetAtt:
- "S3SharedBucket"
- "Arn"
RoleName: "iamRoleForAWSConfig"
GuardDuty:
Type: "AWS::GuardDuty::Detector"
Properties:
Enable: true
DataSources:
S3Logs:
Enable: true
Parameters: {}
Metadata: {}
Conditions: {}