@anamorph
Last active February 8, 2018 18:18
Creates an S3 bucket with a LifecyclePolicy moving files to Glacier after 1 year and deleting them after 5 years. This also creates a BucketPolicy to make sure only CloudTrail can write to the bucket. I use this scenario for log collection and analysis.
```yaml
Description:
  This template creates an S3 bucket for CloudTrail logs; it is set up with
  the appropriate bucket policies defined to receive logs only from CloudTrail.
  It also includes a LifecyclePolicy moving files to Glacier after 1 year.
Parameters:
  EnvironmentName:
    Description:
      An environment name that will be used for tags.
    Type: String
    Default: Production
    AllowedValues:
      - Production
  CloudTrailBucket:
    Description: S3 bucket where CloudTrail logs will be sent to.
    Type: String
    Default: my-cloudtrail-log
Resources:
  Bucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Ref CloudTrailBucket
      LifecycleConfiguration:
        Rules:
          - Id: MoveToGlacierIn1YearThenDeleteAfter5Years
            Status: Enabled
            Prefix: ''
            Transitions:
              # The transition storage class is case-sensitive; CloudFormation
              # only accepts the upper-case value GLACIER.
              - StorageClass: GLACIER
                TransitionInDays: 365
            #
            # Calculating our expiration is as follows:
            # 1 year expiration from S3 to Glacier
            # then
            # 5 years (+2 days for leap years)
            #
            # (365 x (5+1)) + 2 = 2192
            #
            # ExpirationInDays is counted from object creation, so it must be
            # larger than TransitionInDays for the rule to be valid.
            ExpirationInDays: 2192
      Tags:
        - Key: Name
          Value: !Ref EnvironmentName
  BucketPolicy:
    Type: "AWS::S3::BucketPolicy"
    Properties:
      Bucket:
        Ref: Bucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          -
            # Granting strict permissions to CloudTrail
            # (the service itself) to the bucket
            #
            Sid: "myCloudTrailAclCheck"
            Effect: "Allow"
            Principal:
              Service: "cloudtrail.amazonaws.com"
            Action: "s3:GetBucketAcl"
            # Building our bucket ARN with pseudo variables
            #
            Resource:
              !Sub 'arn:aws:s3:::${CloudTrailBucket}'
          -
            # Grant write permissions to CloudTrail to the
            # S3 bucket
            #
            Sid: "myCloudTrailWrite"
            Effect: "Allow"
            Principal:
              Service: "cloudtrail.amazonaws.com"
            Action: "s3:PutObject"
            Resource:
              # Building the ARN for our logs with pseudo
              # variables
              #
              !Sub 'arn:aws:s3:::${CloudTrailBucket}/AWSLogs/${AWS::AccountId}/*'
            # CloudTrail must hand ownership of each log object to the
            # bucket owner; without this condition a PutObject with a
            # different ACL would be accepted.
            Condition:
              StringEquals:
                s3:x-amz-acl: "bucket-owner-full-control"
```
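A useful companion to a template like this is a small pre-deployment check that the rendered bucket policy really restricts writes to CloudTrail and that the lifecycle rule is internally consistent (upper-case storage class, transition before expiration). The script below is an added example and not part of the gist; the policy and lifecycle dictionaries are hand-rendered copies of the template's resources with the `!Sub` variables substituted, and the bucket name and account id are placeholder values. The check functions are generic, so they can be pointed at any bucket policy or lifecycle rule set you have exported, not only this one.

```python
"""Static checks for a CloudTrail log-bucket policy and its lifecycle rule.

Added example, not from the original gist. Sample documents are the template's
PolicyDocument and lifecycle rule rendered by hand; BUCKET and ACCOUNT_ID are
placeholders, not real values.
"""
import copy

BUCKET = "my-cloudtrail-log"   # template default for CloudTrailBucket
ACCOUNT_ID = "123456789012"    # placeholder standing in for ${AWS::AccountId}
CLOUDTRAIL = "cloudtrail.amazonaws.com"
# Values CloudFormation accepts for a lifecycle Transition StorageClass.
ALLOWED_STORAGE_CLASSES = {"GLACIER", "DEEP_ARCHIVE", "STANDARD_IA",
                           "ONEZONE_IA", "INTELLIGENT_TIERING", "GLACIER_IR"}

# Constructed: the template's PolicyDocument after !Sub substitution.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "myCloudTrailAclCheck", "Effect": "Allow",
         "Principal": {"Service": CLOUDTRAIL},
         "Action": "s3:GetBucketAcl",
         "Resource": f"arn:aws:s3:::{BUCKET}"},
        {"Sid": "myCloudTrailWrite", "Effect": "Allow",
         "Principal": {"Service": CLOUDTRAIL},
         "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::{BUCKET}/AWSLogs/{ACCOUNT_ID}/*",
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
    ],
}

# Constructed: the template's lifecycle rule.
LIFECYCLE_RULES = [
    {"Id": "MoveToGlacierIn1YearThenDeleteAfter5Years", "Status": "Enabled",
     "Prefix": "",
     "Transitions": [{"StorageClass": "GLACIER", "TransitionInDays": 365}],
     "ExpirationInDays": 2192},
]


def _as_list(value):
    """IAM allows either a single string or a list in Action/Resource/Principal."""
    return value if isinstance(value, list) else [value]


def policy_findings(policy, bucket):
    """Return deviations from a 'CloudTrail may write, nobody else' policy."""
    findings = []
    for stmt in policy["Statement"]:
        sid = stmt.get("Sid", "<no Sid>")
        if stmt["Effect"] != "Allow":
            continue
        principal = stmt.get("Principal", {})
        # A bare "*" or {"AWS": "*"} opens the statement to everyone.
        if principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS", []))):
            findings.append(f"{sid}: Allow statement grants access to everyone")
            continue
        services = _as_list(principal.get("Service", []))
        if services != [CLOUDTRAIL]:
            findings.append(f"{sid}: principal is not exactly {CLOUDTRAIL}")
        actions = _as_list(stmt["Action"])
        for action in actions:
            if action not in ("s3:GetBucketAcl", "s3:PutObject"):
                findings.append(f"{sid}: unexpected action {action}")
        if "s3:PutObject" in actions:
            acl = stmt.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
            if acl != "bucket-owner-full-control":
                findings.append(f"{sid}: PutObject does not require bucket-owner-full-control")
            for res in _as_list(stmt["Resource"]):
                if not res.startswith(f"arn:aws:s3:::{bucket}/AWSLogs/"):
                    findings.append(f"{sid}: PutObject allowed outside AWSLogs/: {res}")
    return findings


def lifecycle_findings(rules):
    """Return consistency problems in a list of lifecycle rules."""
    findings = []
    for rule in rules:
        rid = rule.get("Id", "<no Id>")
        if rule.get("Status") != "Enabled":
            findings.append(f"{rid}: rule is not Enabled")
        expiry = rule.get("ExpirationInDays")
        for t in rule.get("Transitions", []):
            if t["StorageClass"] not in ALLOWED_STORAGE_CLASSES:
                findings.append(f"{rid}: invalid StorageClass {t['StorageClass']!r}")
            if expiry is not None and t["TransitionInDays"] >= expiry:
                findings.append(f"{rid}: transition day {t['TransitionInDays']} "
                                f"is not before expiration day {expiry}")
    return findings


def weakened_policy():
    """Constructed negative case: wildcard principal and no ACL condition."""
    bad = copy.deepcopy(POLICY)
    bad["Statement"][1]["Principal"] = "*"
    del bad["Statement"][1]["Condition"]
    return bad


if __name__ == "__main__":
    print("policy:", policy_findings(POLICY, BUCKET) or "OK")
    print("lifecycle:", lifecycle_findings(LIFECYCLE_RULES) or "OK")
    print("weakened:", policy_findings(weakened_policy(), BUCKET))
```

Run it as-is to confirm the template's policy and rule produce no findings; swapping `GLACIER` for the lower-case `Glacier` in `LIFECYCLE_RULES`, or setting `ExpirationInDays` below 365, shows the kind of mistake the lifecycle check is there to catch before `aws cloudformation deploy` reports it.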