From ba782e24e83091cbcdf8ad3c7d74bd27c6d01c34 Mon Sep 17 00:00:00 2001
From: Rgee92
Date: Tue, 1 Feb 2022 17:04:15 -0800
Subject: [PATCH 1/5] wip s3 access logging
---
 aws/s3/s3_access_log/README.md | 26 ++++++++++
 aws/s3/s3_access_log/s3_access_log.yaml | 64 +++++++++++++++++++++++++
 2 files changed, 90 insertions(+)
 create mode 100644 aws/s3/s3_access_log/README.md
 create mode 100644 aws/s3/s3_access_log/s3_access_log.yaml
diff --git a/aws/s3/s3_access_log/README.md b/aws/s3/s3_access_log/README.md
new file mode 100644
index 00000000..16fd795b
--- /dev/null
+++ b/aws/s3/s3_access_log/README.md
@@ -0,0 +1,26 @@
+# Set Required Variables
+
+```
+environment=test
+export AWS_PROFILE='cloudavail'
+```
+
+# Validate CloudFormation
+
+`aws cloudformation validate-template --template-body file://s3_access_log.yaml`
+
+# Create a S3 Stack
+
+`aws cloudformation create-stack --stack-name s3-buckets-$environment --capabilities CAPABILITY_IAM --parameters ParameterKey=Environment,ParameterValue=$environment --template-body file://s3_access_log.yaml`
+
+# Update a S3 Stack with a Change-Set
+
+`aws cloudformation create-change-set --stack-name s3-buckets-$environment --change-set-name s3-buckets-$environment-change-set-$(date +%s) --capabilities CAPABILITY_IAM --parameters ParameterKey=Environment,ParameterValue=$environment --template-body file://s3_access_log.yaml`
+
+# Update a S3 Stack
+
+`aws cloudformation update-stack --stack-name s3-buckets-$environment --capabilities CAPABILITY_IAM --parameters ParameterKey=Environment,ParameterValue=$environment --template-body file://s3_access_log.yaml`
+
+# Delete a S3 Stack
+
+`aws cloudformation delete-stack --stack-name s3-buckets-$environment`
diff --git a/aws/s3/s3_access_log/s3_access_log.yaml b/aws/s3/s3_access_log/s3_access_log.yaml
new file mode 100644
index 00000000..439414e9
--- /dev/null
+++ b/aws/s3/s3_access_log/s3_access_log.yaml
@@ -0,0 +1,64 @@
+---
+
+AWSTemplateFormatVersion: 2010-09-09
+
+Description: AWS CloudFormation Stack for S3 buckets and Server Access Logging
+
+Parameters:
+
+ Environment:
+ Type: String
+ Description: Environment
+ AllowedValues:
+ - dev
+ - prod
+ - stage
+ - test
+
+Resources:
+
+ SourceBucketAccessLogPolicy:
+ Type: AWS::S3::BucketPolicy
+ DependsOn:
+ - SourceBucket
+ Properties:
+ Bucket: !Ref SourceBucket
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Sid: S3ServerAccessLogsPolicy
+ Effect: Allow
+ Principal:
+ Service: logging.s3.amazonaws.com
+ Action:
+ - s3:PutObject
+ Resource: !Join
+ - ''
+ - - 'arn:aws:s3:::'
+ - !Ref LogBucket
+ - /*
+ Condition:
+ ArnLike:
+ aws:SourceArn: !Join
+ - ''
+ - - 'arn:aws:s3:::'
+ - !Ref SourceBucket
+ - /*
+ StringEquals:
+ aws:SourceAccount: 187376578462
+
+ SourceBucket:
+ Type: AWS::S3::Bucket
+ Properties:
+ AccessControl: Private
+ BucketName: !Sub cloudavail-source-bucket-${Environment}
+ LoggingConfiguration:
+ DestinationBucketName: !Ref LogBucket
+ LogFilePrefix: test-logs
+
+ LogBucket:
+ Type: AWS::S3::Bucket
+ Properties:
+ AccessControl: LogDeliveryWrite
+ BucketName: !Sub cloudavail-log-bucket-${Environment}
+
From 44ba3a981977cd5b3e6d89a0ae044996563b6850 Mon Sep 17 00:00:00 2001
From: Rgee92
Date: Wed, 2 Feb 2022 09:28:27 -0800
Subject: [PATCH 2/5] bucket policy for taget bucket
---
 aws/s3/s3_access_log/s3_access_log.yaml | 38 ++++++++++++-------------
 1 file changed, 18 insertions(+), 20 deletions(-)
diff --git a/aws/s3/s3_access_log/s3_access_log.yaml b/aws/s3/s3_access_log/s3_access_log.yaml
index 439414e9..8c71e33c 100644
--- a/aws/s3/s3_access_log/s3_access_log.yaml
+++ b/aws/s3/s3_access_log/s3_access_log.yaml
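Review bot: The `aws:SourceArn` condition in SourceBucketAccessLogPolicy is assembled as `arn:aws:s3:::<source bucket>/*`, but as far as I recall the AWS log-delivery policy example uses the bare bucket ARN (no `/*`) for this condition, because the logging.s3.amazonaws.com principal presents the source bucket ARN rather than an object ARN; if so the ArnLike pattern never matches and every PutObject from the log-delivery service is denied, so dropping the trailing `- /*` item under `aws:SourceArn` and confirming against the current documentation before merging would be prudent. `aws:SourceAccount: 187376578462` hard-codes a single account as an unquoted integer scalar; `aws:SourceAccount: !Ref AWS::AccountId` keeps the template portable across accounts and produces a string as IAM expects. Neither bucket declares `PublicAccessBlockConfiguration` or `BucketEncryption`, and a bucket that receives access logs (which contain requester identities and IP addresses) is exactly where both belong. Minor style: `AWSTemplateFormatVersion: 2010-09-09` is left unquoted while `Version: '2012-10-17'` is quoted; `AWSTemplateFormatVersion: '2010-09-09'` avoids a generic YAML 1.1 parser reading it as a date and matches the other line.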
@@ -17,12 +17,26 @@ Parameters: Resources: - SourceBucketAccessLogPolicy: + SourceBucket: + Type: AWS::S3::Bucket + Properties: + BucketName: !Sub cloudavail-source-bucket-${Environment} + LoggingConfiguration: + DestinationBucketName: !Ref TargetBucket + LogFilePrefix: test-logs + + TargetBucket: + Type: AWS::S3::Bucket + Properties: + AccessControl: LogDeliveryWrite + BucketName: !Sub cloudavail-target-bucket-${Environment} + + TargetBucketAccessLogPolicy: Type: AWS::S3::BucketPolicy DependsOn: - - SourceBucket + - TargetBucket Properties: - Bucket: !Ref SourceBucket + Bucket: !Ref TargetBucket PolicyDocument: Version: '2012-10-17' Statement: @@ -35,7 +49,7 @@ Resources: Resource: !Join - '' - - 'arn:aws:s3:::' - - !Ref LogBucket + - !Ref TargetBucket - /* Condition: ArnLike: @@ -46,19 +60,3 @@ Resources: - /* StringEquals: aws:SourceAccount: 187376578462 - - SourceBucket: - Type: AWS::S3::Bucket - Properties: - AccessControl: Private - BucketName: !Sub cloudavail-source-bucket-${Environment} - LoggingConfiguration: - DestinationBucketName: !Ref LogBucket - LogFilePrefix: test-logs - - LogBucket: - Type: AWS::S3::Bucket - Properties: - AccessControl: LogDeliveryWrite - BucketName: !Sub cloudavail-log-bucket-${Environment} - From b8f4efc0349cceb7e326611db3e08a04f738997a Mon Sep 17 00:00:00 2001 From: Rgee92 Date: Wed, 2 Feb 2022 10:40:22 -0800 Subject: [PATCH 3/5] rename s3 buckets --- aws/s3/s3_access_log/s3_access_log.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/aws/s3/s3_access_log/s3_access_log.yaml b/aws/s3/s3_access_log/s3_access_log.yaml index 8c71e33c..fdbde5b4 100644 --- a/aws/s3/s3_access_log/s3_access_log.yaml +++ b/aws/s3/s3_access_log/s3_access_log.yaml 
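Review bot: `DependsOn: - TargetBucket` on TargetBucketAccessLogPolicy in the first hunk is redundant, since `Bucket: !Ref TargetBucket` already orders the policy after the bucket, while the ordering that actually matters is not expressed: SourceBucket's `LoggingConfiguration` references only TargetBucket, so CloudFormation may create SourceBucket before the policy exists and S3 can reject the logging configuration as an invalid target; adding `DependsOn: TargetBucketAccessLogPolicy` to SourceBucket makes that dependency explicit. It presumably works today only because TargetBucket still carries `AccessControl: LogDeliveryWrite`, which grants delivery through the legacy ACL at creation time, so the ACL and the new bucket policy now grant the same permission twice. The bucket-policy path is the recommended one; removing the ACL line and adding `OwnershipControls: Rules: - ObjectOwnership: BucketOwnerEnforced` to TargetBucket (three lines, indented under Properties) disables ACLs entirely and makes the policy the single source of truth. The rewritten SourceBucket block also drops the `AccessControl: Private` the previous patch had — harmless since private is the default, but worth a word in the commit message.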
@@ -20,7 +20,7 @@ Resources: SourceBucket: Type: AWS::S3::Bucket Properties: - BucketName: !Sub cloudavail-source-bucket-${Environment} + BucketName: !Sub cloudavail-test-bucket-${Environment} LoggingConfiguration: DestinationBucketName: !Ref TargetBucket LogFilePrefix: test-logs @@ -29,7 +29,7 @@ Resources: Type: AWS::S3::Bucket Properties: AccessControl: LogDeliveryWrite - BucketName: !Sub cloudavail-target-bucket-${Environment} + BucketName: !Sub cloudavail-test-bucket-logs-${Environment} TargetBucketAccessLogPolicy: Type: AWS::S3::BucketPolicy From d8f4e0fa7da014b0bc1dd715536ca04d6b292a09 Mon Sep 17 00:00:00 2001 From: Rgee92 Date: Wed, 2 Feb 2022 11:38:01 -0800 Subject: [PATCH 4/5] access logs for target bucket --- aws/s3/s3_access_log/s3_access_log.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/aws/s3/s3_access_log/s3_access_log.yaml b/aws/s3/s3_access_log/s3_access_log.yaml index fdbde5b4..4f834bea 100644 --- a/aws/s3/s3_access_log/s3_access_log.yaml +++ b/aws/s3/s3_access_log/s3_access_log.yaml @@ -23,7 +23,6 @@ Resources: BucketName: !Sub cloudavail-test-bucket-${Environment} LoggingConfiguration: DestinationBucketName: !Ref TargetBucket - LogFilePrefix: test-logs TargetBucket: Type: AWS::S3::Bucket From 67b6b9780fcdf51642e4df27faa7251aeb3e9ad3 Mon Sep 17 00:00:00 2001 From: Rgee92 Date: Wed, 2 Feb 2022 11:44:40 -0800 Subject: [PATCH 5/5] access logs for target bucket --- aws/s3/s3_access_log/client_handoff.md | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 aws/s3/s3_access_log/client_handoff.md diff --git a/aws/s3/s3_access_log/client_handoff.md b/aws/s3/s3_access_log/client_handoff.md new file mode 100644 index 00000000..89beafa9 --- /dev/null +++ b/aws/s3/s3_access_log/client_handoff.md @@ -0,0 +1,5 @@ +# Client Handoff + +## Notes +- Target bucket is the S3 bucket where you want logs to go to. +- replace bucket name on `BucketName` for Source and Target buckets