Overview
A configuration package to monitor S3 related API activity as well as configuration compliance rules to ensure the security of Amazon S3 configuration. The package includes:
- AWS Logging Services: AWS CloudTrail, AWS Config, AWS CloudWatch Log Group to receive CloudTrail logs, and an S3 Bucket to store logs from AWS Config and AWS CloudTrail
- SNS Topic for email notifications.
- AWS Config Rules to monitor IAM configurations and ensure security of the configuration: SSL Requests Only, Bucket Logging Enabled, S3 Public Read Prohibited, S3 Public Write Prohibited, Server Side Encryption Enabled, Bucket Versioning Enabled, Bucket Replication Enabled
- Email notification for Config Rule compliance status changes using a CloudWatch Event Rule
- CloudWatch Alarms to send email notifications when S3 related changes occur in an AWS account: S3 Bucket Creation/Deletion, S3 Bucket Changes
- CloudWatch Event Rules to stream S3 related changes details in an AWS account: S3 Bucket Policy changes
Configure & Deploy
Configuration Presets
Configuration Template
Items
19
Size
10.4 KB
AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Resources:
S3SharedBucket:
Type: 'AWS::S3::Bucket'
Properties:
LoggingConfiguration: {}
AccessControl: LogDeliveryWrite
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
PublicAccessBlockConfiguration:
BlockPublicAcls: true
BlockPublicPolicy: true
BucketPolicy:
Type: 'AWS::S3::BucketPolicy'
Properties:
Bucket:
Ref: S3SharedBucket
PolicyDocument:
Version: '2012-10-17'
Statement:
- Principal:
Service:
- cloudtrail.amazonaws.com
- config.amazonaws.com
Action:
- 's3:GetBucketAcl'
Resource:
- 'Fn::GetAtt':
- S3SharedBucket
- Arn
Effect: Allow
Condition: {}
- Principal:
Service:
- cloudtrail.amazonaws.com
- config.amazonaws.com
Action:
- 's3:PutObject'
Resource:
- 'Fn::Join':
- ''
- - ''
- 'Fn::GetAtt':
- S3SharedBucket
- Arn
- /*
Effect: Allow
Condition:
StringEquals:
's3:x-amz-acl': bucket-owner-full-control
DependsOn: S3SharedBucket
CloudTrail:
Type: 'AWS::CloudTrail::Trail'
Properties:
TrailName: ManagementEventsTrail
IsLogging: true
EnableLogFileValidation: true
EventSelectors:
- IncludeManagementEvents: true
ReadWriteType: All
IsMultiRegionTrail: true
IncludeGlobalServiceEvents: true
S3BucketName:
Ref: S3SharedBucket
CloudWatchLogsLogGroupArn:
'Fn::GetAtt':
- CWLogGroupForCloudTrail
- Arn
CloudWatchLogsRoleArn:
'Fn::GetAtt':
- IamRoleForCwLogs
- Arn
DependsOn:
- BucketPolicy
IamRoleForCwLogs:
Type: 'AWS::IAM::Role'
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Sid: ''
Effect: Allow
Principal:
Service: cloudtrail.amazonaws.com
Action: 'sts:AssumeRole'
Policies:
- PolicyName: allow-access-to-cw-logs
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- 'logs:CreateLogStream'
- 'logs:PutLogEvents'
Resource: '*'
CWLogGroupForCloudTrail:
Type: 'AWS::Logs::LogGroup'
Properties:
LogGroupName: CloudTrailLogs
RetentionInDays: 90
ConfigurationRecorder:
Type: 'AWS::Config::ConfigurationRecorder'
Properties:
RoleARN:
'Fn::GetAtt':
- IamRoleForAwsConfig
- Arn
RecordingGroup:
AllSupported: true
IncludeGlobalResourceTypes: true
DeliveryChannel:
Type: 'AWS::Config::DeliveryChannel'
Properties:
S3BucketName:
Ref: S3SharedBucket
IamRoleForAwsConfig:
Type: 'AWS::IAM::Role'
Properties:
ManagedPolicyArns:
- 'arn:aws:iam::aws:policy/service-role/AWSConfigRole'
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Sid: ''
Effect: Allow
Principal:
Service: config.amazonaws.com
Action: 'sts:AssumeRole'
Policies:
- PolicyName: allow-access-to-config-s3-bucket
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- 's3:PutObject'
Resource:
- 'Fn::Join':
- ''
- - 'Fn::GetAtt':
- S3SharedBucket
- Arn
- /*
Condition:
StringLike:
's3:x-amz-acl': bucket-owner-full-control
- Effect: Allow
Action:
- 's3:GetBucketAcl'
Resource:
'Fn::GetAtt':
- S3SharedBucket
- Arn
RoleName: iamRoleForAWSConfig
SnsTopic1:
Type: 'AWS::SNS::Topic'
Properties:
Subscription:
- Endpoint: email@example.com
Protocol: email
TopicName: sns-topic
ConfigRule1:
Type: 'AWS::Config::ConfigRule'
Properties:
ConfigRuleName: s3-bucket-ssl-requests-only
Description: >-
A Config rule that checks whether S3 buckets have policies that require
requests to use Secure Socket Layer (SSL).
Scope:
ComplianceResourceTypes:
- 'AWS::S3::Bucket'
Source:
Owner: AWS
SourceIdentifier: S3_BUCKET_SSL_REQUESTS_ONLY
DependsOn:
- ConfigurationRecorder
ConfigRule3:
Type: 'AWS::Config::ConfigRule'
Properties:
ConfigRuleName: s3-bucket-public-read-prohibited
Description: >-
A Config rule that checks that your Amazon S3 buckets do not allow
public read access. If an Amazon S3 bucket policy or bucket ACL allows
public read access, the bucket is noncompliant.
Scope:
ComplianceResourceTypes:
- 'AWS::S3::Bucket'
Source:
Owner: AWS
SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED
DependsOn:
- ConfigurationRecorder
ConfigRule4:
Type: 'AWS::Config::ConfigRule'
Properties:
ConfigRuleName: s3-bucket-public-write-prohibited
Description: >-
A Config rule that checks that your Amazon S3 buckets do not allow
public write access. If an Amazon S3 bucket policy or bucket ACL allows
public write access, the bucket is noncompliant.
Scope:
ComplianceResourceTypes:
- 'AWS::S3::Bucket'
Source:
Owner: AWS
SourceIdentifier: S3_BUCKET_PUBLIC_WRITE_PROHIBITED
DependsOn:
- ConfigurationRecorder
ConfigRule5:
Type: 'AWS::Config::ConfigRule'
Properties:
ConfigRuleName: s3-bucket-server-side-encryption-enabled
Description: >-
A Config rule that checks that your Amazon S3 bucket either has Amazon
S3 default encryption enabled or that the S3 bucket policy explicitly
denies put-object requests without server side encryption.
Scope:
ComplianceResourceTypes:
- 'AWS::S3::Bucket'
Source:
Owner: AWS
SourceIdentifier: S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED
DependsOn:
- ConfigurationRecorder
CwAlarm1:
Type: 'AWS::CloudWatch::Alarm'
Properties:
AlarmName: s3_creation_deletion
AlarmDescription: >-
A CloudWatch Alarm that triggers when an S3 Bucket is created or
deleted.
MetricName: S3BucketActivityEventCount
Namespace: CloudTrailMetrics
Statistic: Sum
Period: '300'
EvaluationPeriods: '1'
Threshold: '1'
ComparisonOperator: GreaterThanOrEqualToThreshold
AlarmActions:
- Ref: SnsTopic1
TreatMissingData: notBreaching
MetricFilter1:
Type: 'AWS::Logs::MetricFilter'
Properties:
LogGroupName:
Ref: CWLogGroupForCloudTrail
FilterPattern: >-
{ ($.eventSource = s3.amazonaws.com) && (($.eventName = DeleteBucket) ||
($.eventName = CreateBucket)) }
MetricTransformations:
- MetricValue: '1'
MetricNamespace: CloudTrailMetrics
MetricName: S3BucketActivityEventCount
CwAlarm2:
Type: 'AWS::CloudWatch::Alarm'
Properties:
AlarmName: s3_changes
AlarmDescription: A CloudWatch Alarm that triggers when changes are made to an S3 Bucket.
MetricName: S3BucketActivityEventCount
Namespace: CloudTrailMetrics
Statistic: Sum
Period: '300'
EvaluationPeriods: '1'
Threshold: '1'
ComparisonOperator: GreaterThanOrEqualToThreshold
AlarmActions:
- Ref: SnsTopic1
TreatMissingData: notBreaching
MetricFilter2:
Type: 'AWS::Logs::MetricFilter'
Properties:
LogGroupName:
Ref: CWLogGroupForCloudTrail
FilterPattern: >-
{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) ||
($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) ||
($.eventName = PutBucketLifecycle) || ($.eventName =
PutBucketReplication) || ($.eventName = DeleteBucketPolicy) ||
($.eventName = DeleteBucketCors) || ($.eventName =
DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }
MetricTransformations:
- MetricValue: '1'
MetricNamespace: CloudTrailMetrics
MetricName: S3BucketActivityEventCount
CwEvent1:
Type: 'AWS::Events::Rule'
Properties:
Name: detect-config-rule-compliance-changes
Description: >-
A CloudWatch Event Rule that detects changes to AWS Config Rule
compliance status and publishes change events to an SNS topic for
notification.
State: ENABLED
Targets:
- Arn:
Ref: SnsTopic1
Id: target-id1
EventPattern:
detail-type:
- Config Rules Compliance Change
source:
- aws.config
SnsTopicPolicy:
Type: 'AWS::SNS::TopicPolicy'
Properties:
PolicyDocument:
Statement:
- Sid: __default_statement_ID
Effect: Allow
Principal:
AWS: '*'
Action:
- 'SNS:GetTopicAttributes'
- 'SNS:SetTopicAttributes'
- 'SNS:AddPermission'
- 'SNS:RemovePermission'
- 'SNS:DeleteTopic'
- 'SNS:Subscribe'
- 'SNS:ListSubscriptionsByTopic'
- 'SNS:Publish'
- 'SNS:Receive'
Resource:
Ref: SnsTopic1
Condition:
StringEquals:
'AWS:SourceOwner':
Ref: 'AWS::AccountId'
- Sid: TrustCWEToPublishEventsToMyTopic
Effect: Allow
Principal:
Service: events.amazonaws.com
Action: 'sns:Publish'
Resource:
Ref: SnsTopic1
Topics:
- Ref: SnsTopic1
Parameters: {}
Metadata: {}
Conditions: {}