By Implementation
By Service Protected
Configuration Packages
Strategy Guides
Other
By Service Protected
By Implementation
Configuration Packages
Custom VPC Template
AWS Logging Services
AWS Threat Detection Services
Security Monitoring and Compliance
AWS Auto Remediation Rule Package
EC2 Patch Management
Common SCP Package
PCI DSS Compliance Monitoring with Security Hub
CIS AWS Benchmark Monitoring Package
Canada GC Cloud GuardrailsStrategy Guides
Other
Security Monitoring and Compliance
S3 Events and Compliance Rules
A configuration package to monitor S3 related API activity as well as configuration compliance rules to ensure the security of Amazon S3 configuration. The package includes:
Items
19
Size
10.5 KB
AWSTemplateFormatVersion: "2010-09-09"
Description: ""
Resources:
S3SharedBucket:
Type: "AWS::S3::Bucket"
Properties:
LoggingConfiguration: {}
AccessControl: "LogDeliveryWrite"
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: "AES256"
PublicAccessBlockConfiguration:
BlockPublicAcls: true
BlockPublicPolicy: true
IgnorePublicAcls: true
RestrictPublicBuckets: true
BucketPolicy:
Type: "AWS::S3::BucketPolicy"
Properties:
Bucket:
Ref: "S3SharedBucket"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Principal:
Service:
- "cloudtrail.amazonaws.com"
- "config.amazonaws.com"
Action:
- "s3:GetBucketAcl"
Resource:
- Fn::GetAtt:
- "S3SharedBucket"
- "Arn"
Effect: "Allow"
Condition: {}
- Principal:
Service:
- "cloudtrail.amazonaws.com"
- "config.amazonaws.com"
Action:
- "s3:PutObject"
Resource:
- Fn::Join:
- ""
-
- ""
- Fn::GetAtt:
- "S3SharedBucket"
- "Arn"
- "/*"
Effect: "Allow"
Condition:
StringEquals:
s3:x-amz-acl: "bucket-owner-full-control"
DependsOn: "S3SharedBucket"
CloudTrail:
Type: "AWS::CloudTrail::Trail"
Properties:
TrailName: "ManagementEventsTrail"
IsLogging: true
EnableLogFileValidation: true
EventSelectors:
- IncludeManagementEvents: true
ReadWriteType: "All"
IsMultiRegionTrail: true
IncludeGlobalServiceEvents: true
S3BucketName:
Ref: "S3SharedBucket"
CloudWatchLogsLogGroupArn:
Fn::GetAtt:
- "CWLogGroupForCloudTrail"
- "Arn"
CloudWatchLogsRoleArn:
Fn::GetAtt:
- "IamRoleForCwLogsCloudTrail"
- "Arn"
DependsOn:
- "BucketPolicy"
IamRoleForCwLogsCloudTrail:
Type: "AWS::IAM::Role"
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Sid: ""
Effect: "Allow"
Principal:
Service: "cloudtrail.amazonaws.com"
Action: "sts:AssumeRole"
Policies:
- PolicyName: "allow-access-to-cw-logs"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Action:
- "logs:CreateLogStream"
- "logs:PutLogEvents"
Resource: "*"
CWLogGroupForCloudTrail:
Type: "AWS::Logs::LogGroup"
Properties:
LogGroupName: "CloudTrailLogs"
RetentionInDays: 90
ConfigurationRecorder:
Type: "AWS::Config::ConfigurationRecorder"
Properties:
RoleARN:
Fn::GetAtt:
- "IamRoleForAwsConfig"
- "Arn"
RecordingGroup:
AllSupported: true
IncludeGlobalResourceTypes: true
DeliveryChannel:
Type: "AWS::Config::DeliveryChannel"
Properties:
S3BucketName:
Ref: "S3SharedBucket"
IamRoleForAwsConfig:
Type: "AWS::IAM::Role"
Properties:
ManagedPolicyArns:
- "arn:aws:iam::aws:policy/service-role/AWSConfigRole"
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Sid: ""
Effect: "Allow"
Principal:
Service: "config.amazonaws.com"
Action: "sts:AssumeRole"
Policies:
- PolicyName: "allow-access-to-config-s3-bucket"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Action:
- "s3:PutObject"
Resource:
- Fn::Join:
- ""
-
- Fn::GetAtt:
- "S3SharedBucket"
- "Arn"
- "/*"
Condition:
StringLike:
s3:x-amz-acl: "bucket-owner-full-control"
- Effect: "Allow"
Action:
- "s3:GetBucketAcl"
Resource:
Fn::GetAtt:
- "S3SharedBucket"
- "Arn"
RoleName: "iamRoleForAWSConfig"
SnsTopic1:
Type: "AWS::SNS::Topic"
Properties:
Subscription:
- Endpoint: "email@example.com"
Protocol: "email"
TopicName: "sns-topic"
ConfigRule1:
Type: "AWS::Config::ConfigRule"
Properties:
ConfigRuleName: "s3-bucket-ssl-requests-only"
Scope:
ComplianceResourceTypes:
- "AWS::S3::Bucket"
Description: "A Config rule that checks whether S3 buckets have policies that require requests to use Secure Socket Layer (SSL)."
Source:
Owner: "AWS"
SourceIdentifier: "S3_BUCKET_SSL_REQUESTS_ONLY"
DependsOn:
- "ConfigurationRecorder"
ConfigRule3:
Type: "AWS::Config::ConfigRule"
Properties:
ConfigRuleName: "s3-bucket-public-read-prohibited"
Scope:
ComplianceResourceTypes:
- "AWS::S3::Bucket"
Description: "A Config rule that checks that your Amazon S3 buckets do not allow public read access. If an Amazon S3 bucket policy or bucket ACL allows public read access, the bucket is noncompliant."
Source:
Owner: "AWS"
SourceIdentifier: "S3_BUCKET_PUBLIC_READ_PROHIBITED"
DependsOn:
- "ConfigurationRecorder"
ConfigRule4:
Type: "AWS::Config::ConfigRule"
Properties:
ConfigRuleName: "s3-bucket-public-write-prohibited"
Scope:
ComplianceResourceTypes:
- "AWS::S3::Bucket"
Description: "A Config rule that checks that your Amazon S3 buckets do not allow public write access. If an Amazon S3 bucket policy or bucket ACL allows public write access, the bucket is noncompliant."
Source:
Owner: "AWS"
SourceIdentifier: "S3_BUCKET_PUBLIC_WRITE_PROHIBITED"
DependsOn:
- "ConfigurationRecorder"
ConfigRule5:
Type: "AWS::Config::ConfigRule"
Properties:
ConfigRuleName: "s3-bucket-server-side-encryption-enabled"
Scope:
ComplianceResourceTypes:
- "AWS::S3::Bucket"
Description: "A Config rule that checks that your Amazon S3 bucket either has Amazon S3 default encryption enabled or that the S3 bucket policy explicitly denies put-object requests without server side encryption."
Source:
Owner: "AWS"
SourceIdentifier: "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED"
DependsOn:
- "ConfigurationRecorder"
CwAlarm1:
Type: "AWS::CloudWatch::Alarm"
Properties:
AlarmName: "s3_creation_deletion"
AlarmDescription: "A CloudWatch Alarm that triggers when an S3 Bucket is created or deleted."
MetricName: "S3BucketActivityEventCount"
Namespace: "CloudTrailMetrics"
Statistic: "Sum"
Period: "300"
EvaluationPeriods: "1"
Threshold: "1"
ComparisonOperator: "GreaterThanOrEqualToThreshold"
AlarmActions:
- Ref: "SnsTopic1"
TreatMissingData: "notBreaching"
MetricFilter1:
Type: "AWS::Logs::MetricFilter"
Properties:
LogGroupName:
Ref: "CWLogGroupForCloudTrail"
FilterPattern: "{ ($.eventSource = s3.amazonaws.com) && (($.eventName = DeleteBucket) || ($.eventName = CreateBucket)) }"
MetricTransformations:
- MetricValue: "1"
MetricNamespace: "CloudTrailMetrics"
MetricName: "S3BucketActivityEventCount"
CwAlarm2:
Type: "AWS::CloudWatch::Alarm"
Properties:
AlarmName: "s3_changes"
AlarmDescription: "A CloudWatch Alarm that triggers when changes are made to an S3 Bucket."
MetricName: "S3BucketActivityEventCount"
Namespace: "CloudTrailMetrics"
Statistic: "Sum"
Period: "300"
EvaluationPeriods: "1"
Threshold: "1"
ComparisonOperator: "GreaterThanOrEqualToThreshold"
AlarmActions:
- Ref: "SnsTopic1"
TreatMissingData: "notBreaching"
MetricFilter2:
Type: "AWS::Logs::MetricFilter"
Properties:
LogGroupName:
Ref: "CWLogGroupForCloudTrail"
FilterPattern: "{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }"
MetricTransformations:
- MetricValue: "1"
MetricNamespace: "CloudTrailMetrics"
MetricName: "S3BucketActivityEventCount"
CwEvent1:
Type: "AWS::Events::Rule"
Properties:
Name: "detect-config-rule-compliance-changes"
Description: "A CloudWatch Event Rule that detects changes to AWS Config Rule compliance status and publishes change events to an SNS topic for notification."
State: "ENABLED"
Targets:
- Arn:
Ref: "SnsTopic1"
Id: "target-id1"
EventPattern:
detail-type:
- "Config Rules Compliance Change"
source:
- "aws.config"
SnsTopicPolicyCwEvent1:
Type: "AWS::SNS::TopicPolicy"
Properties:
PolicyDocument:
Statement:
- Sid: "__default_statement_ID"
Effect: "Allow"
Principal:
AWS: "*"
Action:
- "SNS:GetTopicAttributes"
- "SNS:SetTopicAttributes"
- "SNS:AddPermission"
- "SNS:RemovePermission"
- "SNS:DeleteTopic"
- "SNS:Subscribe"
- "SNS:ListSubscriptionsByTopic"
- "SNS:Publish"
- "SNS:Receive"
Resource:
Ref: "SnsTopic1"
Condition:
StringEquals:
AWS:SourceOwner:
Ref: "AWS::AccountId"
- Sid: "TrustCWEToPublishEventsToMyTopic"
Effect: "Allow"
Principal:
Service: "events.amazonaws.com"
Action: "sns:Publish"
Resource:
Ref: "SnsTopic1"
Topics:
- Ref: "SnsTopic1"
Parameters: {}
Metadata: {}
Conditions: {}