Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
AWSTemplateFormatVersion: 2010-09-09
Description: S3 bucket remediation automation using AWS Config and AWS Service Manager
Parameters:
Versioning:
Type: String
AllowedValues: [ "true", "false" ]
Default: "true"
Logging:
Type: String
AllowedValues: [ "true", "false" ]
Default: "true"
NoPublicRW:
Type: String
AllowedValues: [ "true", "false" ]
Default: "true"
SSE:
Type: String
AllowedValues: [ "true", "false" ]
Default: "true"
Conditions:
EnsureVersioning: !Equals [ !Ref Versioning, "true" ]
EnsureLogging: !Equals [ !Ref Logging, "true" ]
EnsureNoPublicRW: !Equals [ !Ref NoPublicRW, "true" ]
EnsureSSE: !Equals [ !Ref SSE, "true" ]
Resources:
#
# S3 bucket used by AWS Config Recorder to record resources state
#
RecorderBucket:
Type: AWS::S3::Bucket
#
# S3 bucket used to log other S3 buckets access
#
LoggingBucket:
Type: AWS::S3::Bucket
Condition: EnsureLogging
Properties:
AccessControl: LogDeliveryWrite
#
# Service role for AWS Config
#
ServiceRole:
Type: AWS::IAM::ServiceLinkedRole
Properties:
AWSServiceName: config.amazonaws.com
#
# IAM role for AWS Config Recorder to interact with the S3 recorder bucket
#
RecorderRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service:
- config.amazonaws.com
Action:
- sts:AssumeRole
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AWS_ConfigRole
Policies:
- PolicyName: S3Policy
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- s3:PutObject
- s3:PutObjectAcl
Resource: !Sub
- ${BucketArn}/AWSLogs/${AccountId}/Config/*
- BucketArn: !GetAtt [ RecorderBucket, Arn ]
AccountId: !Ref AWS::AccountId
- Effect: Allow
Action:
- s3:GetBucketAcl
Resource: !GetAtt [ RecorderBucket, Arn ]
#
# IAM role used by AWS Config auto-remediation to change configuration on S3 buckets
#
RemediationRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service:
- ssm.amazonaws.com
Action:
- sts:AssumeRole
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole
- arn:aws:iam::aws:policy/AmazonS3FullAccess
#
# AWS Config Recorder configuration, recording changes only on S3 buckets
#
RecorderConfiguration:
Type: AWS::Config::ConfigurationRecorder
Properties:
Name: S3BucketRecorderConfig
RecordingGroup:
AllSupported: false
IncludeGlobalResourceTypes: false
ResourceTypes:
- AWS::S3::Bucket
RoleARN: !GetAtt [ RecorderRole, Arn ]
#
# AWS Config rule for bucket versioning
#
BucketVersioningRule:
Type: AWS::Config::ConfigRule
Condition: EnsureVersioning
DependsOn: RecorderConfiguration
Properties:
ConfigRuleName: BucketVersioningRule
Description: "Rule to enable versioning on S3 buckets"
Scope:
ComplianceResourceTypes:
- AWS::S3::Bucket
Source:
Owner: AWS
SourceIdentifier: S3_BUCKET_VERSIONING_ENABLED
#
# AWS Config auto-remediation for bucket versioning
#
BucketVersioningRemediation:
Type: AWS::Config::RemediationConfiguration
Condition: EnsureVersioning
Properties:
Automatic: true
MaximumAutomaticAttempts: 5
RetryAttemptSeconds: 30
ConfigRuleName: !Ref BucketVersioningRule
TargetId: AWS-ConfigureS3BucketVersioning
TargetType: SSM_DOCUMENT
Parameters:
AutomationAssumeRole:
StaticValue:
Values:
- !GetAtt [ RemediationRole, Arn ]
BucketName:
ResourceValue:
Value: RESOURCE_ID
VersioningState:
StaticValue:
Values:
- Enabled
#
# AWS Config rule for bucket logging
#
BucketLoggingRule:
Type: AWS::Config::ConfigRule
Condition: EnsureLogging
DependsOn: RecorderConfiguration
Properties:
ConfigRuleName: BucketLoggingRule
Description: "Rule to enable logging on S3 buckets"
Scope:
ComplianceResourceTypes:
- AWS::S3::Bucket
Source:
Owner: AWS
SourceIdentifier: S3_BUCKET_LOGGING_ENABLED
#
# AWS Config auto-remediation for bucket logging
#
BucketLoggingRemediation:
Type: AWS::Config::RemediationConfiguration
Condition: EnsureLogging
Properties:
Automatic: true
MaximumAutomaticAttempts: 5
RetryAttemptSeconds: 30
ConfigRuleName: !Ref BucketLoggingRule
TargetId: AWS-ConfigureS3BucketLogging
TargetType: SSM_DOCUMENT
Parameters:
AutomationAssumeRole:
StaticValue:
Values:
- !GetAtt [ RemediationRole, Arn ]
BucketName:
ResourceValue:
Value: RESOURCE_ID
GrantedPermission:
StaticValue:
Values:
- FULL_CONTROL
GranteeType:
StaticValue:
Values:
- Group
GranteeUri:
StaticValue:
Values:
- http://acs.amazonaws.com/groups/s3/LogDelivery
TargetBucket:
StaticValue:
Values:
- !Ref LoggingBucket
#
# AWS Config rule for blocking public read
#
BucketPublicReadProhibitedRule:
Type: AWS::Config::ConfigRule
Condition: EnsureNoPublicRW
DependsOn: RecorderConfiguration
Properties:
ConfigRuleName: BucketPublicReadProhibitedRule
Scope:
ComplianceResourceTypes:
- AWS::S3::Bucket
Source:
Owner: AWS
SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED
#
# AWS Config auto-remediation for bucket public-read access
#
BucketPublicReadRemediation:
Type: AWS::Config::RemediationConfiguration
Condition: EnsureNoPublicRW
Properties:
Automatic: true
MaximumAutomaticAttempts: 5
RetryAttemptSeconds: 30
ConfigRuleName: !Ref BucketPublicReadProhibitedRule
TargetId: AWS-DisableS3BucketPublicReadWrite
TargetType: SSM_DOCUMENT
Parameters:
AutomationAssumeRole:
StaticValue:
Values:
- !GetAtt [ RemediationRole, Arn ]
S3BucketName:
ResourceValue:
Value: RESOURCE_ID
#
# AWS Config rule for blocking public write
#
BucketPublicWriteProhibitedRule:
Type: AWS::Config::ConfigRule
Condition: EnsureNoPublicRW
DependsOn: RecorderConfiguration
Properties:
ConfigRuleName: BucketPublicWriteProhibitedRule
Scope:
ComplianceResourceTypes:
- AWS::S3::Bucket
Source:
Owner: AWS
SourceIdentifier: S3_BUCKET_PUBLIC_WRITE_PROHIBITED
#
# AWS Config auto-remediation for bucket public-write access
#
BucketPublicWriteRemediation:
Type: AWS::Config::RemediationConfiguration
Condition: EnsureNoPublicRW
Properties:
Automatic: true
MaximumAutomaticAttempts: 5
RetryAttemptSeconds: 30
ConfigRuleName: !Ref BucketPublicWriteProhibitedRule
TargetId: AWS-DisableS3BucketPublicReadWrite
TargetType: SSM_DOCUMENT
Parameters:
AutomationAssumeRole:
StaticValue:
Values:
- !GetAtt [ RemediationRole, Arn ]
S3BucketName:
ResourceValue:
Value: RESOURCE_ID
#
# AWS Config rule for server-side encryption
#
BucketSSERule:
Type: AWS::Config::ConfigRule
Condition: EnsureSSE
DependsOn: RecorderConfiguration
Properties:
ConfigRuleName: BucketSSERule
Scope:
ComplianceResourceTypes:
- AWS::S3::Bucket
Source:
Owner: AWS
SourceIdentifier: S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED
#
# AWS Config auto-remediation for bucket server-side encryption
#
BucketSSERemediation:
Type: AWS::Config::RemediationConfiguration
Condition: EnsureSSE
Properties:
Automatic: true
MaximumAutomaticAttempts: 5
RetryAttemptSeconds: 30
ConfigRuleName: !Ref BucketSSERule
TargetId: AWS-EnableS3BucketEncryption
TargetType: SSM_DOCUMENT
Parameters:
AutomationAssumeRole:
StaticValue:
Values:
- !GetAtt [ RemediationRole, Arn ]
BucketName:
ResourceValue:
Value: RESOURCE_ID
SSEAlgorithm:
StaticValue:
Values:
- AES256
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment