By Implementation

Service Control PoliciesConfig RulesAuto Remediation RulesConformance PacksAmazon GuardDutyAmazon InspectorAWS Security HubAWS Network FirewallAmazon MacieS3 Bucket PoliciesCloudWatch Alarms and Event RulesAWS WAFAWS Secrets ManagerAWS Systems ManagerSecurity Groups & NACLsAWS KMSIAM Policies

By Service Protected

Configuration Packages

Strategy Guides

Other

Security Monitoring and Compliance

KMS Events and Compliance Rules

A configuration package to monitor KMS related API activity as well as configuration compliance rules to ensure the security of AWS KMS configuration. The package includes:

Items
14
Size
8.2 KB
AWSTemplateFormatVersion: "2010-09-09"
Description: ""
Resources:
  S3SharedBucket:
    Type: "AWS::S3::Bucket"
    Properties:
      LoggingConfiguration: {}
      AccessControl: "LogDeliveryWrite"
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: "AES256"
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
  BucketPolicy:
    Type: "AWS::S3::BucketPolicy"
    Properties:
      Bucket:
        Ref: "S3SharedBucket"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Principal:
              Service:
                - "cloudtrail.amazonaws.com"
                - "config.amazonaws.com"
            Action:
              - "s3:GetBucketAcl"
            Resource:
              - Fn::GetAtt:
                  - "S3SharedBucket"
                  - "Arn"
            Effect: "Allow"
            Condition: {}
          - Principal:
              Service:
                - "cloudtrail.amazonaws.com"
                - "config.amazonaws.com"
            Action:
              - "s3:PutObject"
            Resource:
              - Fn::Join:
                  - ""
                  -
                    - ""
                    - Fn::GetAtt:
                        - "S3SharedBucket"
                        - "Arn"
                    - "/*"
            Effect: "Allow"
            Condition:
              StringEquals:
                s3:x-amz-acl: "bucket-owner-full-control"
    DependsOn: "S3SharedBucket"
  CloudTrail:
    Type: "AWS::CloudTrail::Trail"
    Properties:
      TrailName: "ManagementEventsTrail"
      IsLogging: true
      EnableLogFileValidation: true
      EventSelectors:
        - IncludeManagementEvents: true
          ReadWriteType: "All"
      IsMultiRegionTrail: true
      IncludeGlobalServiceEvents: true
      S3BucketName:
        Ref: "S3SharedBucket"
      CloudWatchLogsLogGroupArn:
        Fn::GetAtt:
          - "CWLogGroupForCloudTrail"
          - "Arn"
      CloudWatchLogsRoleArn:
        Fn::GetAtt:
          - "IamRoleForCwLogsCloudTrail"
          - "Arn"
    DependsOn:
      - "BucketPolicy"
  IamRoleForCwLogsCloudTrail:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: ""
            Effect: "Allow"
            Principal:
              Service: "cloudtrail.amazonaws.com"
            Action: "sts:AssumeRole"
      Policies:
        - PolicyName: "allow-access-to-cw-logs"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - "logs:CreateLogStream"
                  - "logs:PutLogEvents"
                Resource: "*"
  CWLogGroupForCloudTrail:
    Type: "AWS::Logs::LogGroup"
    Properties:
      LogGroupName: "CloudTrailLogs"
      RetentionInDays: 90
  ConfigurationRecorder:
    Type: "AWS::Config::ConfigurationRecorder"
    Properties:
      RoleARN:
        Fn::GetAtt:
          - "IamRoleForAwsConfig"
          - "Arn"
      RecordingGroup:
        AllSupported: true
        IncludeGlobalResourceTypes: true
  DeliveryChannel:
    Type: "AWS::Config::DeliveryChannel"
    Properties:
      S3BucketName:
        Ref: "S3SharedBucket"
  IamRoleForAwsConfig:
    Type: "AWS::IAM::Role"
    Properties:
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/service-role/AWSConfigRole"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: ""
            Effect: "Allow"
            Principal:
              Service: "config.amazonaws.com"
            Action: "sts:AssumeRole"
      Policies:
        - PolicyName: "allow-access-to-config-s3-bucket"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - "s3:PutObject"
                Resource:
                  - Fn::Join:
                      - ""
                      -
                        - Fn::GetAtt:
                            - "S3SharedBucket"
                            - "Arn"
                        - "/*"
                Condition:
                  StringLike:
                    s3:x-amz-acl: "bucket-owner-full-control"
              - Effect: "Allow"
                Action:
                  - "s3:GetBucketAcl"
                Resource:
                  Fn::GetAtt:
                    - "S3SharedBucket"
                    - "Arn"
      RoleName: "iamRoleForAWSConfig"
  SnsTopic1:
    Type: "AWS::SNS::Topic"
    Properties:
      Subscription:
        - Endpoint: "email@example.com"
          Protocol: "email"
      TopicName: "sns-topic"
  ConfigRule1:
    Type: "AWS::Config::ConfigRule"
    Properties:
      ConfigRuleName: "cmk-backing-key-rotation-enabled"
      Scope:
        ComplianceResourceTypes: []
      Description: "A config rule that checks that key rotation is enabled for each customer master key (CMK). The rule is COMPLIANT, if the key rotation is enabled for specific key object. The rule is not applicable to CMKs that have imported key material."
      Source:
        Owner: "AWS"
        SourceIdentifier: "CMK_BACKING_KEY_ROTATION_ENABLED"
      MaximumExecutionFrequency: "TwentyFour_Hours"
    DependsOn:
      - "ConfigurationRecorder"
  CwEvent1:
    Type: "AWS::Events::Rule"
    Properties:
      Name: "detect-config-rule-compliance-changes"
      Description: "A CloudWatch Event Rule that detects changes to AWS Config Rule compliance status and publishes change events to an SNS topic for notification."
      State: "ENABLED"
      Targets:
        - Arn:
            Ref: "SnsTopic1"
          Id: "target-id1"
      EventPattern:
        detail-type:
          - "Config Rules Compliance Change"
        source:
          - "aws.config"
  SnsTopicPolicyCwEvent1:
    Type: "AWS::SNS::TopicPolicy"
    Properties:
      PolicyDocument:
        Statement:
          - Sid: "__default_statement_ID"
            Effect: "Allow"
            Principal:
              AWS: "*"
            Action:
              - "SNS:GetTopicAttributes"
              - "SNS:SetTopicAttributes"
              - "SNS:AddPermission"
              - "SNS:RemovePermission"
              - "SNS:DeleteTopic"
              - "SNS:Subscribe"
              - "SNS:ListSubscriptionsByTopic"
              - "SNS:Publish"
              - "SNS:Receive"
            Resource:
              Ref: "SnsTopic1"
            Condition:
              StringEquals:
                AWS:SourceOwner:
                  Ref: "AWS::AccountId"
          - Sid: "TrustCWEToPublishEventsToMyTopic"
            Effect: "Allow"
            Principal:
              Service: "events.amazonaws.com"
            Action: "sns:Publish"
            Resource:
              Ref: "SnsTopic1"
      Topics:
        - Ref: "SnsTopic1"
  CwAlarm1:
    Type: "AWS::CloudWatch::Alarm"
    Properties:
      AlarmName: "kms_key_operations"
      AlarmDescription: "A CloudWatch Alarm that triggers on changes to customer created CMKs: Key creation, deletion, or enabling/disabling operations, imported key material operations, as well as updates to CMK Key policies."
      MetricName: "KMSCustomerKeyUpdates"
      Namespace: "CloudTrailMetrics"
      Statistic: "Sum"
      Period: "60"
      EvaluationPeriods: "1"
      Threshold: "1"
      ComparisonOperator: "GreaterThanOrEqualToThreshold"
      AlarmActions:
        - Ref: "SnsTopic1"
      TreatMissingData: "notBreaching"
  MetricFilter1:
    Type: "AWS::Logs::MetricFilter"
    Properties:
      LogGroupName:
        Ref: "CWLogGroupForCloudTrail"
      FilterPattern: "{ ($.eventSource = kms.amazonaws.com) &&  (($.eventName=DisableKey) || ($.eventName=ScheduleKeyDeletion) || ($.eventName=CancelKeyDeletion) || ($.eventName=CreateKey) || ($.eventName=CreateAlias) || ($.eventName=EnableKey) || ($.eventName=PutKeyPolicy) || ($.eventName=ImportKeyMaterial) || ($.eventName=DeleteImportedKeyMaterial)) }"
      MetricTransformations:
        - MetricValue: "1"
          MetricNamespace: "CloudTrailMetrics"
          MetricName: "KMSCustomerKeyUpdates"
Parameters: {}
Metadata: {}
Conditions: {}

Actions



Customize Template

Configuration Presets

Resource Settings

EDIT
EDIT
EDIT
EDIT
EDIT
EDIT
EDIT
EDIT
EDIT
EDIT
EDIT
EDIT
EDIT
EDIT