A configuration package to monitor S3-related API activity, together with configuration compliance rules that help ensure the security of Amazon S3 configuration. The package includes:
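---
# CloudFormation template: S3 activity monitoring and configuration compliance.
#
# Resources, in dependency order:
#   - S3SharedBucket / BucketPolicy      shared log bucket for CloudTrail and AWS Config
#   - CloudTrail + CWLogGroupForCloudTrail + IamRoleForCwLogsCloudTrail
#   - ConfigurationRecorder / DeliveryChannel / IamRoleForAwsConfig
#   - ConfigRule1..5                     managed S3 compliance rules
#   - MetricFilter1/2 + CwAlarm1/2       alarms on S3 bucket management events
#   - CwEvent1 + SnsTopic1 + SnsTopicPolicyCwEvent1   compliance-change notifications
#
# Long-form intrinsic functions (Fn::GetAtt, Ref, Fn::Sub) are used throughout so
# the file stays loadable by generic YAML parsers that do not know the !Ref tags.
AWSTemplateFormatVersion: "2010-09-09"
Description: "Monitors S3-related API activity and deploys configuration compliance rules to ensure the security of Amazon S3 configuration."

Resources:
  # Shared destination bucket for CloudTrail and AWS Config deliveries.
  # No BucketName is set, so CloudFormation generates a globally unique name.
  S3SharedBucket:
    Type: "AWS::S3::Bucket"
    Properties:
      # An empty LoggingConfiguration enables server access logging with no
      # destination override, i.e. the bucket logs into itself.
      LoggingConfiguration: {}
      # Canned ACL that lets the S3 log-delivery group write access logs.
      # NOTE(review): this ACL is only honoured while the bucket accepts ACLs
      # (Object Ownership not set to "bucket owner enforced") -- confirm for
      # the target account before deploying.
      AccessControl: "LogDeliveryWrite"
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: "AES256"
      # Block every form of public access; the ConfigRule3/ConfigRule4 checks
      # below would otherwise flag this bucket.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  # Grants CloudTrail and AWS Config the minimum they need on the shared bucket
  # and denies unencrypted (non-TLS) transport for everyone.
  BucketPolicy:
    Type: "AWS::S3::BucketPolicy"
    DependsOn: "S3SharedBucket"
    Properties:
      Bucket:
        Ref: "S3SharedBucket"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: "AllowLogServicesGetBucketAcl"
            Effect: "Allow"
            Principal:
              Service:
                - "cloudtrail.amazonaws.com"
                - "config.amazonaws.com"
            Action:
              - "s3:GetBucketAcl"
            Resource:
              - Fn::GetAtt:
                  - "S3SharedBucket"
                  - "Arn"
            # Confused-deputy guard: only deliveries originating from this
            # account may use the service principal grant.
            Condition:
              StringEquals:
                aws:SourceAccount:
                  Ref: "AWS::AccountId"
          - Sid: "AllowLogServicesPutObject"
            Effect: "Allow"
            Principal:
              Service:
                - "cloudtrail.amazonaws.com"
                - "config.amazonaws.com"
            Action:
              - "s3:PutObject"
            Resource:
              - Fn::Sub: "${S3SharedBucket.Arn}/*"
            Condition:
              StringEquals:
                s3:x-amz-acl: "bucket-owner-full-control"
                aws:SourceAccount:
                  Ref: "AWS::AccountId"
          # Required for this bucket itself to pass ConfigRule1
          # (s3-bucket-ssl-requests-only); the original policy lacked it.
          - Sid: "DenyInsecureTransport"
            Effect: "Deny"
            Principal: "*"
            Action: "s3:*"
            Resource:
              - Fn::GetAtt:
                  - "S3SharedBucket"
                  - "Arn"
              - Fn::Sub: "${S3SharedBucket.Arn}/*"
            Condition:
              Bool:
                aws:SecureTransport: "false"

  # Multi-region trail for management events, delivered to the shared bucket
  # and mirrored into CloudWatch Logs for the metric filters below.
  CloudTrail:
    Type: "AWS::CloudTrail::Trail"
    # The trail validates the bucket policy at creation time.
    DependsOn:
      - "BucketPolicy"
    Properties:
      # Also referenced (as a literal) in IamRoleForCwLogsCloudTrail's trust
      # policy; keep the two in sync.
      TrailName: "ManagementEventsTrail"
      IsLogging: true
      EnableLogFileValidation: true
      EventSelectors:
        - IncludeManagementEvents: true
          ReadWriteType: "All"
      IsMultiRegionTrail: true
      IncludeGlobalServiceEvents: true
      S3BucketName:
        Ref: "S3SharedBucket"
      # Must be the log group ARN, not its name (the original passed the
      # literal name "CloudTrailLogs", which CloudTrail rejects).
      CloudWatchLogsLogGroupArn:
        Fn::GetAtt:
          - "CWLogGroupForCloudTrail"
          - "Arn"
      CloudWatchLogsRoleArn:
        Fn::GetAtt:
          - "IamRoleForCwLogsCloudTrail"
          - "Arn"

  # Role CloudTrail assumes to write into CWLogGroupForCloudTrail.
  IamRoleForCwLogsCloudTrail:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: ""
            Effect: "Allow"
            Principal:
              Service: "cloudtrail.amazonaws.com"
            Action: "sts:AssumeRole"
            # Restrict the trust to the trail defined in this template.
            Condition:
              StringEquals:
                aws:SourceAccount:
                  Ref: "AWS::AccountId"
                aws:SourceArn:
                  Fn::Sub: "arn:${AWS::Partition}:cloudtrail:${AWS::Region}:${AWS::AccountId}:trail/ManagementEventsTrail"
      Policies:
        - PolicyName: "allow-access-to-cw-logs"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - "logs:CreateLogStream"
                  - "logs:PutLogEvents"
                # Scoped to this template's log group instead of "*"; the
                # log group's Arn attribute already carries the ":*" suffix
                # that covers its log streams.
                Resource:
                  Fn::GetAtt:
                    - "CWLogGroupForCloudTrail"
                    - "Arn"

  CWLogGroupForCloudTrail:
    Type: "AWS::Logs::LogGroup"
    Properties:
      LogGroupName: "CloudTrailLogs"
      RetentionInDays: 90

  # AWS Config recorder; an account/region supports only one recorder and one
  # delivery channel, so this stack cannot coexist with another Config setup.
  ConfigurationRecorder:
    Type: "AWS::Config::ConfigurationRecorder"
    Properties:
      RoleARN:
        Fn::GetAtt:
          - "IamRoleForAwsConfig"
          - "Arn"
      RecordingGroup:
        AllSupported: true
        IncludeGlobalResourceTypes: true

  DeliveryChannel:
    Type: "AWS::Config::DeliveryChannel"
    # Config verifies write access to the bucket when the channel is created,
    # so the bucket policy must already be in place.
    DependsOn:
      - "BucketPolicy"
    Properties:
      S3BucketName:
        Ref: "S3SharedBucket"

  # Service role for AWS Config.
  IamRoleForAwsConfig:
    Type: "AWS::IAM::Role"
    Properties:
      # Role names are account-wide; a second copy of this stack in the same
      # account will fail to create this role.
      RoleName: "iamRoleForAWSConfig"
      ManagedPolicyArns:
        # AWS_ConfigRole is the current service-role policy for Config; the
        # older AWSConfigRole policy is deprecated.
        - Fn::Sub: "arn:${AWS::Partition}:iam::aws:policy/service-role/AWS_ConfigRole"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: ""
            Effect: "Allow"
            Principal:
              Service: "config.amazonaws.com"
            Action: "sts:AssumeRole"
            Condition:
              StringEquals:
                aws:SourceAccount:
                  Ref: "AWS::AccountId"
      Policies:
        - PolicyName: "allow-access-to-config-s3-bucket"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - "s3:PutObject"
                Resource:
                  - Fn::Sub: "${S3SharedBucket.Arn}/*"
                # StringEquals, matching the bucket policy (the original used
                # StringLike here with no wildcard, so the two disagreed).
                Condition:
                  StringEquals:
                    s3:x-amz-acl: "bucket-owner-full-control"
              - Effect: "Allow"
                Action:
                  - "s3:GetBucketAcl"
                Resource:
                  Fn::GetAtt:
                    - "S3SharedBucket"
                    - "Arn"

  # Notification topic for alarms and compliance changes.
  SnsTopic1:
    Type: "AWS::SNS::Topic"
    Properties:
      TopicName: "sns-topic"
      Subscription:
        # Placeholder address; the subscription must be confirmed by the
        # recipient before notifications are delivered.
        - Endpoint: "email@example.com"
          Protocol: "email"

  # Managed Config rules. Each depends on the recorder so evaluation can start
  # as soon as the rule is created.
  ConfigRule1:
    Type: "AWS::Config::ConfigRule"
    DependsOn:
      - "ConfigurationRecorder"
    Properties:
      ConfigRuleName: "s3-bucket-ssl-requests-only"
      Description: "A Config rule that checks whether S3 buckets have policies that require requests to use Secure Socket Layer (SSL)."
      Scope:
        ComplianceResourceTypes:
          - "AWS::S3::Bucket"
      Source:
        Owner: "AWS"
        SourceIdentifier: "S3_BUCKET_SSL_REQUESTS_ONLY"

  ConfigRule3:
    Type: "AWS::Config::ConfigRule"
    DependsOn:
      - "ConfigurationRecorder"
    Properties:
      ConfigRuleName: "s3-bucket-public-read-prohibited"
      Description: "A Config rule that checks that your Amazon S3 buckets do not allow public read access. If an Amazon S3 bucket policy or bucket ACL allows public read access, the bucket is noncompliant."
      Scope:
        ComplianceResourceTypes:
          - "AWS::S3::Bucket"
      Source:
        Owner: "AWS"
        SourceIdentifier: "S3_BUCKET_PUBLIC_READ_PROHIBITED"

  ConfigRule4:
    Type: "AWS::Config::ConfigRule"
    DependsOn:
      - "ConfigurationRecorder"
    Properties:
      ConfigRuleName: "s3-bucket-public-write-prohibited"
      Description: "A Config rule that checks that your Amazon S3 buckets do not allow public write access. If an Amazon S3 bucket policy or bucket ACL allows public write access, the bucket is noncompliant."
      Scope:
        ComplianceResourceTypes:
          - "AWS::S3::Bucket"
      Source:
        Owner: "AWS"
        SourceIdentifier: "S3_BUCKET_PUBLIC_WRITE_PROHIBITED"

  ConfigRule5:
    Type: "AWS::Config::ConfigRule"
    DependsOn:
      - "ConfigurationRecorder"
    Properties:
      ConfigRuleName: "s3-bucket-server-side-encryption-enabled"
      Description: "A Config rule that checks that your Amazon S3 bucket either has Amazon S3 default encryption enabled or that the S3 bucket policy explicitly denies put-object requests without server side encryption."
      Scope:
        ComplianceResourceTypes:
          - "AWS::S3::Bucket"
      Source:
        Owner: "AWS"
        SourceIdentifier: "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED"

  # Alarm 1: bucket creation / deletion (fed by MetricFilter1).
  CwAlarm1:
    Type: "AWS::CloudWatch::Alarm"
    Properties:
      AlarmName: "s3_creation_deletion"
      AlarmDescription: "A CloudWatch Alarm that triggers when an S3 Bucket is created or deleted."
      Namespace: "CloudTrailMetrics"
      MetricName: "S3BucketActivityEventCount"
      Statistic: "Sum"
      # Numeric properties written as numbers, not quoted strings.
      Period: 300
      EvaluationPeriods: 1
      Threshold: 1
      ComparisonOperator: "GreaterThanOrEqualToThreshold"
      AlarmActions:
        - Ref: "SnsTopic1"
      TreatMissingData: "notBreaching"

  MetricFilter1:
    Type: "AWS::Logs::MetricFilter"
    Properties:
      LogGroupName:
        Ref: "CWLogGroupForCloudTrail"
      FilterPattern: "{ ($.eventSource = s3.amazonaws.com) && (($.eventName = DeleteBucket) || ($.eventName = CreateBucket)) }"
      MetricTransformations:
        - MetricValue: "1"
          MetricNamespace: "CloudTrailMetrics"
          MetricName: "S3BucketActivityEventCount"

  # Alarm 2: bucket configuration changes (fed by MetricFilter2).
  CwAlarm2:
    Type: "AWS::CloudWatch::Alarm"
    Properties:
      AlarmName: "s3_changes"
      AlarmDescription: "A CloudWatch Alarm that triggers when changes are made to an S3 Bucket."
      Namespace: "CloudTrailMetrics"
      # Separate metric from CwAlarm1. The original pointed both filters and
      # both alarms at S3BucketActivityEventCount, so the two alarms were
      # indistinguishable. (Metric name chosen here; adjust if dashboards
      # already reference a different one.)
      MetricName: "S3BucketConfigChangeEventCount"
      Statistic: "Sum"
      Period: 300
      EvaluationPeriods: 1
      Threshold: 1
      ComparisonOperator: "GreaterThanOrEqualToThreshold"
      AlarmActions:
        - Ref: "SnsTopic1"
      TreatMissingData: "notBreaching"

  MetricFilter2:
    Type: "AWS::Logs::MetricFilter"
    Properties:
      LogGroupName:
        Ref: "CWLogGroupForCloudTrail"
      FilterPattern: "{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }"
      MetricTransformations:
        - MetricValue: "1"
          MetricNamespace: "CloudTrailMetrics"
          # Must match CwAlarm2.MetricName.
          MetricName: "S3BucketConfigChangeEventCount"

  # Forwards Config compliance-change events to the SNS topic.
  CwEvent1:
    Type: "AWS::Events::Rule"
    Properties:
      Name: "detect-config-rule-compliance-changes"
      Description: "A CloudWatch Event Rule that detects changes to AWS Config Rule compliance status and publishes change events to an SNS topic for notification."
      State: "ENABLED"
      EventPattern:
        source:
          - "aws.config"
        detail-type:
          - "Config Rules Compliance Change"
      Targets:
        - Id: "target-id1"
          Arn:
            Ref: "SnsTopic1"

  # Topic policy: the account-owner default statement plus publish rights for
  # the events service so CwEvent1 can deliver.
  SnsTopicPolicyCwEvent1:
    Type: "AWS::SNS::TopicPolicy"
    Properties:
      Topics:
        - Ref: "SnsTopic1"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Wildcard principal is bounded by the SourceOwner condition to this
          # account only.
          - Sid: "__default_statement_ID"
            Effect: "Allow"
            Principal:
              AWS: "*"
            Action:
              - "SNS:GetTopicAttributes"
              - "SNS:SetTopicAttributes"
              - "SNS:AddPermission"
              - "SNS:RemovePermission"
              - "SNS:DeleteTopic"
              - "SNS:Subscribe"
              - "SNS:ListSubscriptionsByTopic"
              - "SNS:Publish"
              - "SNS:Receive"
            Resource:
              Ref: "SnsTopic1"
            Condition:
              StringEquals:
                AWS:SourceOwner:
                  Ref: "AWS::AccountId"
          - Sid: "TrustCWEToPublishEventsToMyTopic"
            Effect: "Allow"
            Principal:
              Service: "events.amazonaws.com"
            Action: "sns:Publish"
            Resource:
              Ref: "SnsTopic1"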