Last active
February 8, 2018 18:18
Save anamorph/939a7bbcdd591631cba787444d1b5fd2 to your computer and use it in GitHub Desktop.
Creates an S3 bucket with a lifecycle rule moving objects to Glacier after 1 year and deleting them 5 years after that (2192 days from creation). This also creates a BucketPolicy that grants CloudTrail, and no other principal, the GetBucketAcl and PutObject permissions it needs to deliver logs to the bucket. I use this scenario for log collection and analysis.
Description: |
  This template creates an S3 bucket for CloudTrail logs; it is set up with
  the bucket policy CloudTrail needs, so the bucket policy grants write
  access to CloudTrail only. It also includes a lifecycle rule moving
  objects to Glacier after 1 year and deleting them 5 years after that.
Parameters:
  EnvironmentName:
    Description: An environment name that will be used for tags.
    Type: String
    Default: Production
    AllowedValues:
      - Production
  CloudTrailBucket:
    Description: S3 bucket where CloudTrail logs will be sent to.
    Type: String
    Default: my-cloudtrail-log
Resources:
  Bucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Ref CloudTrailBucket
      LifecycleConfiguration:
        Rules:
          - Id: MoveToGlacierIn1YearThenDeleteAfter5Years
            Status: Enabled
            Prefix: ''
            Transitions:
              - StorageClass: GLACIER
                TransitionInDays: 365
            # ExpirationInDays is counted from object creation, not from the
            # transition, so the figure covers both stages:
            #   1 year in S3 Standard, then 5 years in Glacier,
            #   plus 2 days for the leap days in a 6-year span.
            #
            #   (365 x (1 + 5)) + 2 = 2192
            ExpirationInDays: 2192
      Tags:
        - Key: Name
          Value: !Ref EnvironmentName
  BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref Bucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          # Before delivering logs, CloudTrail reads the bucket ACL to confirm
          # the bucket owner will end up owning the objects it writes.
          - Sid: myCloudTrailAclCheck
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: s3:GetBucketAcl
            Resource: !Sub 'arn:aws:s3:::${CloudTrailBucket}'
          # CloudTrail may write only under AWSLogs/<this account>/ and only
          # when it hands full control of each object to the bucket owner.
          #
          # Two caveats:
          # - These Allow statements do not stop IAM principals in this account
          #   that already hold s3:PutObject on the bucket; if that matters,
          #   add an explicit Deny for everything except the CloudTrail service.
          # - cloudtrail.amazonaws.com is shared by every AWS account, so AWS
          #   now recommends an aws:SourceArn condition carrying the trail's ARN
          #   on both statements. The trail ARN is not a parameter of this
          #   template, so that condition is not included here.
          - Sid: myCloudTrailWrite
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: s3:PutObject
            Resource: !Sub 'arn:aws:s3:::${CloudTrailBucket}/AWSLogs/${AWS::AccountId}/*'
            Condition:
              StringEquals:
                s3:x-amz-acl: bucket-owner-full-control
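The following is an added example, not part of the gist or of any AWS tooling. It renders the PolicyDocument the template above produces as a plain dict and then checks an arbitrary bucket policy against that shape: the CloudTrail service principal, and nothing else, gets s3:GetBucketAcl on the bucket and s3:PutObject under AWSLogs/<account>/ with the bucket-owner-full-control ACL condition. The bucket name is the template default; the account id 123456789012 and the "weakened" policy are constructed for the demonstration. A clean result means the bucket policy grants write access to CloudTrail only; it does not mean nothing else can write, because IAM principals in the same account that already hold s3:PutObject are not blocked by an Allow-only bucket policy.

```python
"""Static check of a CloudTrail log-bucket policy (added example, not the gist's code)."""
import json

CLOUDTRAIL_SERVICE = "cloudtrail.amazonaws.com"


def expected_policy(bucket, account_id):
    """The PolicyDocument the template above renders, as a plain dict."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "myCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": {"Service": CLOUDTRAIL_SERVICE},
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            {
                "Sid": "myCloudTrailWrite",
                "Effect": "Allow",
                "Principal": {"Service": CLOUDTRAIL_SERVICE},
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/{account_id}/*",
                "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
            },
        ],
    }


def _as_list(value):
    # IAM lets a single string stand in for a one-element list; normalise.
    return value if isinstance(value, list) else [value]


def check_cloudtrail_bucket_policy(policy, bucket, account_id):
    """Return a list of findings; an empty list means the policy has the expected shape."""
    findings = []
    bucket_arn = f"arn:aws:s3:::{bucket}"
    log_prefix = f"{bucket_arn}/AWSLogs/{account_id}/*"
    saw_acl_check = saw_write = False

    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only tighten access; not assessed here
        principal = stmt.get("Principal")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))

        # Only the CloudTrail service principal should be granted anything:
        # "*" opens the bucket to the world, an "AWS" principal is a user/role.
        if not (isinstance(principal, dict)
                and list(principal) == ["Service"]
                and _as_list(principal["Service"]) == [CLOUDTRAIL_SERVICE]):
            findings.append(f"{sid}: Allow for principal {principal!r}, not {CLOUDTRAIL_SERVICE}")
            continue

        if actions == ["s3:GetBucketAcl"] and resources == [bucket_arn]:
            saw_acl_check = True
        elif actions == ["s3:PutObject"]:
            ok = True
            if resources != [log_prefix]:
                findings.append(f"{sid}: PutObject on {resources}, expected only {log_prefix}")
                ok = False
            acl = stmt.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
            if acl != "bucket-owner-full-control":
                findings.append(f"{sid}: missing s3:x-amz-acl = bucket-owner-full-control condition")
                ok = False
            saw_write = saw_write or ok
        else:
            findings.append(f"{sid}: unexpected grant {actions} on {resources}")

    if not saw_acl_check:
        findings.append("no s3:GetBucketAcl grant on the bucket ARN for CloudTrail")
    if not saw_write:
        findings.append("no correctly scoped s3:PutObject grant for CloudTrail")
    return findings


# Constructed inputs: the template's default bucket name plus a made-up account id.
BUCKET, ACCOUNT = "my-cloudtrail-log", "123456789012"
GOOD_POLICY = expected_policy(BUCKET, ACCOUNT)

# A weakened variant (constructed): world-writable, any key, no ACL condition.
WEAK_POLICY = json.loads(json.dumps(GOOD_POLICY))
WEAK_POLICY["Statement"][1].update({"Principal": "*", "Resource": f"arn:aws:s3:::{BUCKET}/*"})
del WEAK_POLICY["Statement"][1]["Condition"]

if __name__ == "__main__":
    for name, doc in (("template policy", GOOD_POLICY), ("weakened policy", WEAK_POLICY)):
        print(name, "->", check_cloudtrail_bucket_policy(doc, BUCKET, ACCOUNT) or "OK")
```

To run it against a deployed bucket, feed the checker the output of `aws s3api get-bucket-policy` (its `Policy` field is a JSON string; parse it with `json.loads`) together with the bucket name and the account id the trail writes under.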