Overview
A configuration package to monitor Root Account activity as well as configuration compliance rules to ensure the Root Account's security configuration. The package includes:
- AWS Logging Services: AWS CloudTrail, AWS Config, AWS CloudWatch Log Group to receive CloudTrail logs, and an S3 Bucket to store logs from AWS Config and AWS CloudTrail
- SNS Topic for email notifications.
- AWS Config Rules to ensure the security of the Root Account's configuration: Root MFA Enabled, Root MFA Hardware, No Root Access Key,
- CloudWatch Alarms to send email notifications when the Root account is used in an AWS environment: Root Login Alarm,
Configure & Deploy
Configuration Presets
Configuration Template
Items
13
Size
6.3 KB
AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Resources:
S3SharedBucket:
Type: 'AWS::S3::Bucket'
Properties:
LoggingConfiguration: {}
AccessControl: LogDeliveryWrite
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
PublicAccessBlockConfiguration:
BlockPublicAcls: true
BlockPublicPolicy: true
BucketPolicy:
Type: 'AWS::S3::BucketPolicy'
Properties:
Bucket:
Ref: S3SharedBucket
PolicyDocument:
Version: '2012-10-17'
Statement:
- Principal:
Service:
- cloudtrail.amazonaws.com
- config.amazonaws.com
Action:
- 's3:GetBucketAcl'
Resource:
- 'Fn::GetAtt':
- S3SharedBucket
- Arn
Effect: Allow
Condition: {}
- Principal:
Service:
- cloudtrail.amazonaws.com
- config.amazonaws.com
Action:
- 's3:PutObject'
Resource:
- 'Fn::Join':
- ''
- - ''
- 'Fn::GetAtt':
- S3SharedBucket
- Arn
- /*
Effect: Allow
Condition:
StringEquals:
's3:x-amz-acl': bucket-owner-full-control
DependsOn: S3SharedBucket
CloudTrail:
Type: 'AWS::CloudTrail::Trail'
Properties:
TrailName: ManagementEventsTrail
IsLogging: true
EnableLogFileValidation: true
EventSelectors:
- IncludeManagementEvents: true
ReadWriteType: All
IsMultiRegionTrail: true
IncludeGlobalServiceEvents: true
S3BucketName:
Ref: S3SharedBucket
CloudWatchLogsLogGroupArn:
'Fn::GetAtt':
- CWLogGroupForCloudTrail
- Arn
CloudWatchLogsRoleArn:
'Fn::GetAtt':
- IamRoleForCwLogs
- Arn
DependsOn:
- BucketPolicy
IamRoleForCwLogs:
Type: 'AWS::IAM::Role'
Properties:
RoleName: iamRoleCloudTrailToCloudWatchLogs
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Sid: ''
Effect: Allow
Principal:
Service: cloudtrail.amazonaws.com
Action: 'sts:AssumeRole'
Policies:
- PolicyName: allow-access-to-cw-logs
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- 'logs:CreateLogStream'
- 'logs:PutLogEvents'
Resource: '*'
CWLogGroupForCloudTrail:
Type: 'AWS::Logs::LogGroup'
Properties:
LogGroupName: CloudTrailLogs
RetentionInDays: 90
ConfigurationRecorder:
Type: 'AWS::Config::ConfigurationRecorder'
Properties:
RoleARN:
'Fn::GetAtt':
- IamRoleForAwsConfig
- Arn
RecordingGroup:
AllSupported: true
IncludeGlobalResourceTypes: true
DeliveryChannel:
Type: 'AWS::Config::DeliveryChannel'
Properties:
S3BucketName:
Ref: S3SharedBucket
IamRoleForAwsConfig:
Type: 'AWS::IAM::Role'
Properties:
RoleName: iamRoleForAWSConfig
ManagedPolicyArns:
- 'arn:aws:iam::aws:policy/service-role/AWSConfigRole'
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Sid: ''
Effect: Allow
Principal:
Service: config.amazonaws.com
Action: 'sts:AssumeRole'
Policies:
- PolicyName: allow-access-to-config-s3-bucket
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- 's3:PutObject'
Resource:
- 'arn:aws:s3:::/prefix/AWSLogs/*'
Condition:
StringLike:
's3:x-amz-acl': bucket-owner-full-control
- Effect: Allow
Action:
- 's3:GetBucketAcl'
Resource: 'arn:aws:s3:::'
SnsTopic1:
Type: 'AWS::SNS::Topic'
Properties:
Subscription:
- Endpoint: email@example.com
Protocol: email
TopicName: sns-topic
ConfigRule1:
Type: 'AWS::Config::ConfigRule'
Properties:
ConfigRuleName: root-account-mfa-enabled
Description: >-
A Config rule that checks whether users of your AWS account require a
multi-factor authentication (MFA) device to sign in with root
credentials.
Scope:
ComplianceResourceTypes: []
Source:
Owner: AWS
SourceIdentifier: ROOT_ACCOUNT_MFA_ENABLED
MaximumExecutionFrequency: TwentyFour_Hours
DependsOn:
- ConfigurationRecorder
ConfigRule3:
Type: 'AWS::Config::ConfigRule'
Properties:
ConfigRuleName: iam-root-access-key-check
Description: >-
A config rule that checks whether the root user access key is available.
The rule is COMPLIANT if the user access key does not exist.
Scope:
ComplianceResourceTypes: []
Source:
Owner: AWS
SourceIdentifier: IAM_ROOT_ACCESS_KEY_CHECK
MaximumExecutionFrequency: TwentyFour_Hours
DependsOn:
- ConfigurationRecorder
CwAlarm1:
Type: 'AWS::CloudWatch::Alarm'
Properties:
AlarmName: root_account_login
AlarmDescription: A CloudWatch Alarm that triggers if a root user uses the account.
MetricName: RootUserEventCount
Namespace: CloudTrailMetrics
Statistic: Sum
Period: '60'
EvaluationPeriods: '1'
Threshold: '1'
ComparisonOperator: GreaterThanOrEqualToThreshold
AlarmActions:
- Ref: SnsTopic1
TreatMissingData: notBreaching
MetricFilter1:
Type: 'AWS::Logs::MetricFilter'
Properties:
LogGroupName:
Ref: CWLogGroupForCloudTrail
FilterPattern: >-
{ ($.userIdentity.type = "Root") && ($.userIdentity.invokedBy NOT
EXISTS) && ($.eventType != "AwsServiceEvent") }
MetricTransformations:
- MetricValue: '1'
MetricNamespace: CloudTrailMetrics
MetricName: RootUserEventCount
Parameters: {}
Metadata: {}
Conditions: {}