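AWSTemplateFormatVersion: "2010-09-09"
# CloudTrail baseline: one multi-region trail that writes to a versioned,
# encrypted, non-public S3 bucket and to CloudWatch Logs, with a dedicated
# KMS key for log-file encryption and log-file validation enabled.
#
# Date-looking scalars (AWSTemplateFormatVersion, policy Version) are quoted
# so that generic YAML parsers do not turn them into timestamp objects.
Parameters:
  PrmExampleAccessLogBucket:
    Type: String
    Description: Name of an existing bucket that receives S3 server access logs for the trail bucket.

Resources:
  # Trail log bucket: versioned, SSE-S3 at rest, all public access blocked,
  # objects expired after 180 days, server access logs shipped elsewhere.
  ResCloudTrailBucket:
    Type: "AWS::S3::Bucket"
    Properties:
      BucketName: !Sub "cloudtrail-${AWS::AccountId}"
      VersioningConfiguration:
        Status: Enabled
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      PublicAccessBlockConfiguration:
        IgnorePublicAcls: true
        BlockPublicPolicy: true
        BlockPublicAcls: true
        RestrictPublicBuckets: true
      LifecycleConfiguration:
        Rules:
          - Id: !Sub "cloudtrail-${AWS::AccountId}-lifecycle01"
            ExpirationInDays: 180
            NoncurrentVersionExpirationInDays: 1
            Status: Enabled
      # "AccessControl: LogDeliveryWrite" was removed: CloudTrail is granted
      # access through the bucket policy below, and this bucket is the *source*
      # of server access logs (LoggingConfiguration), not their destination, so
      # the ACL gave the S3 log-delivery group write access it never needs.
      # ACL grants also conflict with the BucketOwnerEnforced ownership default.
      LoggingConfiguration:
        DestinationBucketName: !Ref PrmExampleAccessLogBucket
        LogFilePrefix: "ExamplePrefix/"  # plain string; the former !Sub had nothing to substitute

  # Grants the CloudTrail service the two calls it needs on the bucket.
  # Both grants are bound to this account's trail via aws:SourceArn
  # (confused-deputy guard), matching the condition already used on the key.
  ResCloudTrailBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref ResCloudTrailBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: AWSCloudTrailAclCheck
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: s3:GetBucketAcl
            Resource: !Sub "arn:aws:s3:::${ResCloudTrailBucket}"
            Condition:
              StringEquals:
                "aws:SourceArn": !Sub "arn:aws:cloudtrail:${AWS::Region}:${AWS::AccountId}:trail/CloudTrail"
          - Sid: AWSCloudTrailWrite
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: s3:PutObject
            # Only this account's prefix; an org trail would need AWSLogs/<org-id>/* too.
            Resource: !Sub "arn:aws:s3:::${ResCloudTrailBucket}/AWSLogs/${AWS::AccountId}/*"
            Condition:
              StringEquals:
                "s3:x-amz-acl": bucket-owner-full-control
                "aws:SourceArn": !Sub "arn:aws:cloudtrail:${AWS::Region}:${AWS::AccountId}:trail/CloudTrail"

  # CloudWatch Logs destination for near-real-time event delivery (90-day retention).
  ResCloudTrailLogGroup:
    Type: "AWS::Logs::LogGroup"
    Properties:
      LogGroupName: CloudTrail
      RetentionInDays: 90

  # Role assumed by CloudTrail to deliver events into the log group.
  ResCloudTrailCloudWatchLogsRole:
    Type: "AWS::IAM::Role"
    Properties:
      RoleName: CloudTrailLogsRole
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: "sts:AssumeRole"

  # Least-privilege write access to the trail's own log streams only.
  ResCloudTrailCloudWatchLogsRolePolicy:
    Type: "AWS::IAM::Policy"
    Properties:
      PolicyName: CloudTrailAllowPutLogs
      Roles:
        - !Ref ResCloudTrailCloudWatchLogsRole
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Stream names are <account>_CloudTrail_<region>; a multi-region trail
          # writes one stream per region, so the suffix must be "_CloudTrail_*"
          # rather than "_CloudTrail_${AWS::Region}*" (that only covered the
          # home region and silently dropped the other regions' events).
          - Sid: AWSCloudTrailCreateLogStream
            Effect: Allow
            Action: "logs:CreateLogStream"
            Resource: !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:${ResCloudTrailLogGroup}:log-stream:${AWS::AccountId}_CloudTrail_*"
          - Sid: AllowPutLogEvents
            Effect: Allow
            Action: "logs:PutLogEvents"
            Resource: !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:${ResCloudTrailLogGroup}:log-stream:${AWS::AccountId}_CloudTrail_*"

  # Customer-managed key used by the trail to encrypt delivered log files.
  ResCloudTrailKey:
    Type: "AWS::KMS::Key"
    Properties:
      Enabled: true
      EnableKeyRotation: true
      MultiRegion: true
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          # Account root keeps full administrative control of the key.
          - Sid: "Enable IAM User Permissions"
            Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
            Action: "kms:*"
            Resource: "*"
          # CloudTrail may only use the key on behalf of this account's trail.
          - Sid: "Allow use of the key"
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action:
              - "kms:Encrypt"
              - "kms:GenerateDataKey*"
              - "kms:DescribeKey"
            Resource: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/*"
            Condition:
              StringEquals:
                "aws:SourceArn": !Sub "arn:aws:cloudtrail:${AWS::Region}:${AWS::AccountId}:trail/CloudTrail"

  ResCloudTrailKeyAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: alias/CloudTrailKey
      TargetKeyId: !Ref ResCloudTrailKey

  # The trail itself. DependsOn makes sure the bucket policy, log group and
  # role policy exist before CloudTrail validates delivery permissions.
  ResCloudTrail:
    Type: "AWS::CloudTrail::Trail"
    DependsOn:
      - ResCloudTrailBucketPolicy
      - ResCloudTrailLogGroup
      - ResCloudTrailCloudWatchLogsRolePolicy
    Properties:
      TrailName: CloudTrail  # must match the trail ARN used in the bucket and key policies
      IsLogging: true
      EnableLogFileValidation: true
      IncludeGlobalServiceEvents: true
      IsMultiRegionTrail: true
      S3BucketName: !Ref ResCloudTrailBucket
      CloudWatchLogsLogGroupArn: !GetAtt ResCloudTrailLogGroup.Arn
      CloudWatchLogsRoleArn: !GetAtt ResCloudTrailCloudWatchLogsRole.Arn
      # Management events plus read/write data events for every S3 object,
      # Lambda function and DynamoDB table in the account.
      EventSelectors:
        - DataResources:
            - Type: "AWS::S3::Object"
              Values:
                - "arn:aws:s3"
            - Type: "AWS::Lambda::Function"
              Values:
                - "arn:aws:lambda"
            - Type: "AWS::DynamoDB::Table"
              Values:
                - "arn:aws:dynamodb"
          IncludeManagementEvents: true
          ReadWriteType: All
      KMSKeyId: !Ref ResCloudTrailKey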
[CIS 2.2] CloudTrailのログファイル検証が有効になっていることを確認します
[CloudTrail.3] CloudTrailログファイルの検証を有効にする必要があります
[CloudTrail.4] CloudTrail ログファイルの検証が有効であることを確認する
EnableLogFileValidation: true
[CIS 2.7] CloudTrail ログは保管時に AWS KMS keys を使用して暗号化されていることを確認します
[PCI.CloudTrail.1] CloudTrailログは、保存時に AWS KMS keys で暗号化する必要があります
[CloudTrail.2] CloudTrail は保管時の暗号化を有効にする必要があります
KMSKeyId: !Ref ResCloudTrailKey
[CIS 2.4] CloudTrail がAmazon CloudWatch Logs と統合されていることを確認します
[PCI.CloudTrail.4] CloudTrail 証跡は CloudWatch Logs と統合する必要があります
[CloudTrail.5] CloudTrail が Amazon CloudWatch Logs と統合されていることを確認します。
CloudWatchLogsLogGroupArn: !GetAtt ResCloudTrailLogGroup.Arn
CloudWatchLogsRoleArn: !GetAtt ResCloudTrailCloudWatchLogsRole.Arn
[CIS 2.1] すべてのリージョンで CloudTrail が有効になっていることを確認します
[PCI.CloudTrail.2] CloudTrail を有効にする必要があります
[CloudTrail.1] CloudTrail を有効にし、読み取り管理イベントと書き込み管理イベントを含む少なくとも 1 つのマルチリージョンの証跡で設定する必要があります。
[IsMultiRegionTrail: true]で、全リージョンのログを特定リージョンのS3及びCloudWatchLogsに集約可能
全リージョンで、CloudTrailを有効にしたい場合は、下記テンプレートを全リージョンで実行する
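AWSTemplateFormatVersion: "2010-09-09"
# Trail-only fragment. It references logical IDs (ResCloudTrailBucket,
# ResCloudTrailBucketPolicy, ResCloudTrailLogGroup,
# ResCloudTrailCloudWatchLogsRole/-RolePolicy, ResCloudTrailKey) that are
# defined in the bucket, logging and KMS templates, so it only deploys when
# merged into the same stack as those resources (or when each !Ref/!GetAtt
# is replaced by a Parameter / Fn::ImportValue).
Resources:
  ResCloudTrail:
    Type: "AWS::CloudTrail::Trail"
    # Depend on the role *policy*, not just the role: CloudTrail validates the
    # CloudWatch Logs permissions at creation, and the role alone is already an
    # implicit dependency through !GetAtt. This matches the combined template.
    DependsOn:
      - ResCloudTrailBucketPolicy
      - ResCloudTrailLogGroup
      - ResCloudTrailCloudWatchLogsRolePolicy
    Properties:
      TrailName: CloudTrail  # must match the trail ARN used in the bucket and key policies
      IsLogging: true
      EnableLogFileValidation: true
      IncludeGlobalServiceEvents: true
      IsMultiRegionTrail: true
      S3BucketName: !Ref ResCloudTrailBucket
      CloudWatchLogsLogGroupArn: !GetAtt ResCloudTrailLogGroup.Arn
      CloudWatchLogsRoleArn: !GetAtt ResCloudTrailCloudWatchLogsRole.Arn
      # Management events plus read/write data events for every S3 object,
      # Lambda function and DynamoDB table in the account.
      EventSelectors:
        - DataResources:
            - Type: "AWS::S3::Object"
              Values:
                - "arn:aws:s3"
            - Type: "AWS::Lambda::Function"
              Values:
                - "arn:aws:lambda"
            - Type: "AWS::DynamoDB::Table"
              Values:
                - "arn:aws:dynamodb"
          IncludeManagementEvents: true
          ReadWriteType: All
      KMSKeyId: !Ref ResCloudTrailKey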
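AWSTemplateFormatVersion: "2010-09-09"
# Trail log bucket and the bucket policy that lets the CloudTrail service
# write to it. Date-looking scalars are quoted so generic YAML parsers keep
# them as strings.
Parameters:
  PrmExampleAccessLogBucket:
    Type: String
    Description: Name of an existing bucket that receives S3 server access logs for the trail bucket.

Resources:
  # Versioned, SSE-S3 at rest, all public access blocked, 180-day expiry.
  ResCloudTrailBucket:
    Type: "AWS::S3::Bucket"
    Properties:
      BucketName: !Sub "cloudtrail-${AWS::AccountId}"
      VersioningConfiguration:
        Status: Enabled
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      PublicAccessBlockConfiguration:
        IgnorePublicAcls: true
        BlockPublicPolicy: true
        BlockPublicAcls: true
        RestrictPublicBuckets: true
      LifecycleConfiguration:
        Rules:
          - Id: !Sub "cloudtrail-${AWS::AccountId}-lifecycle01"
            ExpirationInDays: 180
            NoncurrentVersionExpirationInDays: 1
            Status: Enabled
      # "AccessControl: LogDeliveryWrite" was removed: CloudTrail is granted
      # access through the bucket policy below, and this bucket is the *source*
      # of server access logs (LoggingConfiguration), not their destination, so
      # the ACL gave the S3 log-delivery group write access it never needs.
      # ACL grants also conflict with the BucketOwnerEnforced ownership default.
      LoggingConfiguration:
        DestinationBucketName: !Ref PrmExampleAccessLogBucket
        LogFilePrefix: "ExamplePrefix/"  # plain string; the former !Sub had nothing to substitute

  # Both grants are bound to this account's trail via aws:SourceArn
  # (confused-deputy guard). The trail ARN assumes TrailName "CloudTrail".
  ResCloudTrailBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref ResCloudTrailBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: AWSCloudTrailAclCheck
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: s3:GetBucketAcl
            Resource: !Sub "arn:aws:s3:::${ResCloudTrailBucket}"
            Condition:
              StringEquals:
                "aws:SourceArn": !Sub "arn:aws:cloudtrail:${AWS::Region}:${AWS::AccountId}:trail/CloudTrail"
          - Sid: AWSCloudTrailWrite
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: s3:PutObject
            # Only this account's prefix; an org trail would need AWSLogs/<org-id>/* too.
            Resource: !Sub "arn:aws:s3:::${ResCloudTrailBucket}/AWSLogs/${AWS::AccountId}/*"
            Condition:
              StringEquals:
                "s3:x-amz-acl": bucket-owner-full-control
                "aws:SourceArn": !Sub "arn:aws:cloudtrail:${AWS::Region}:${AWS::AccountId}:trail/CloudTrail"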
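AWSTemplateFormatVersion: "2010-09-09"
# CloudWatch Logs destination for the trail plus the role CloudTrail assumes
# to write into it. Date-looking scalars are quoted so generic YAML parsers
# keep them as strings.
Resources:
  ResCloudTrailLogGroup:
    Type: "AWS::Logs::LogGroup"
    Properties:
      LogGroupName: CloudTrail
      RetentionInDays: 90

  ResCloudTrailCloudWatchLogsRole:
    Type: "AWS::IAM::Role"
    Properties:
      RoleName: CloudTrailLogsRole  # IAM is global: a second stack with this name in another region will fail
      # NOTE(review): consider binding this trust to the trail with
      # aws:SourceArn / aws:SourceAccount conditions — confirm against
      # CloudTrail's confused-deputy guidance before enabling.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: "sts:AssumeRole"

  # Least-privilege write access to the trail's own log streams only.
  ResCloudTrailCloudWatchLogsRolePolicy:
    Type: "AWS::IAM::Policy"
    Properties:
      PolicyName: CloudTrailAllowPutLogs
      Roles:
        - !Ref ResCloudTrailCloudWatchLogsRole
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Stream names are <account>_CloudTrail_<region>; a multi-region trail
          # writes one stream per region, so the suffix must be "_CloudTrail_*"
          # rather than "_CloudTrail_${AWS::Region}*" (that only covered the
          # home region and silently dropped the other regions' events).
          - Sid: AWSCloudTrailCreateLogStream
            Effect: Allow
            Action: "logs:CreateLogStream"
            Resource: !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:${ResCloudTrailLogGroup}:log-stream:${AWS::AccountId}_CloudTrail_*"
          - Sid: AllowPutLogEvents
            Effect: Allow
            Action: "logs:PutLogEvents"
            Resource: !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:${ResCloudTrailLogGroup}:log-stream:${AWS::AccountId}_CloudTrail_*"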
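AWSTemplateFormatVersion: "2010-09-09"
# Customer-managed KMS key (and alias) used by the trail to encrypt delivered
# log files. Date-looking scalars are quoted so generic YAML parsers keep them
# as strings.
Resources:
  ResCloudTrailKey:
    Type: "AWS::KMS::Key"
    Properties:
      Enabled: true
      EnableKeyRotation: true
      MultiRegion: true
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          # Account root keeps full administrative control of the key.
          - Sid: "Enable IAM User Permissions"
            Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
            Action: "kms:*"
            Resource: "*"
          # CloudTrail may only use the key on behalf of this account's trail
          # (aws:SourceArn assumes TrailName "CloudTrail" in the deploy region).
          # A stricter variant splits GenerateDataKey* into its own statement
          # with a StringLike condition on kms:EncryptionContext:aws:cloudtrail:arn;
          # it is kept out here because DescribeKey carries no encryption
          # context and would be denied by that condition in a shared statement.
          - Sid: "Allow use of the key"
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action:
              - "kms:Encrypt"
              - "kms:GenerateDataKey*"
              - "kms:DescribeKey"
            Resource: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/*"
            Condition:
              StringEquals:
                "aws:SourceArn": !Sub "arn:aws:cloudtrail:${AWS::Region}:${AWS::AccountId}:trail/CloudTrail"

  ResCloudTrailKeyAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: alias/CloudTrailKey
      TargetKeyId: !Ref ResCloudTrailKey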