-
Notifications
You must be signed in to change notification settings - Fork 18
/
Copy pathtemplate.yaml
138 lines (134 loc) · 4.23 KB
/
template.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'
Description: >
This SAM example creates the following resources:
S3 Bucket: S3 Bucket to hold the CloudTrail Logs
CloudTrail: Create CloudTrail trail for all regions and configures it to delivery logs to the above S3 Bucket
SNS Topic: Configure SNS topic to receive notifications when the CloudTrail log file is created in s3
Elasticsearch Domain: Create Elasticsearch Domain to hold the CloudTrail logs for advanced analytics
Lambda Function: Create Function which get's triggered when SNS receives notification, reads the contents from s3 and stores them in Elasticsearch Domain
Last Modified: 22nd November 2017
Author: Kuldeep Chowhan <[email protected]>
Outputs:
S3Bucket:
Description: "S3 Bucket Name where CloudTrail Logs are delivered"
Value: !Ref S3Bucket
LambdaFunction:
Description: "Lambda Function that reads CloudTrail logs and stores them into Elasticsearch Domain"
Value: !GetAtt Function.Arn
ElasticsearchUrl:
Description: "Elasticsearch Domain Endpoint that you can use to access the CloudTrail logs and analyze them"
Value: !GetAtt ElasticsearchDomain.DomainEndpoint
Resources:
SNSTopic:
Type: AWS::SNS::Topic
SNSTopicPolicy:
Type: "AWS::SNS::TopicPolicy"
Properties:
Topics:
- Ref: "SNSTopic"
PolicyDocument:
Version: "2008-10-17"
Statement:
-
Sid: "AWSCloudTrailSNSPolicy"
Effect: "Allow"
Principal:
Service: "cloudtrail.amazonaws.com"
Resource: "*"
Action: "SNS:Publish"
S3Bucket:
Type: AWS::S3::Bucket
S3BucketPolicy:
Type: "AWS::S3::BucketPolicy"
Properties:
Bucket:
Ref: S3Bucket
PolicyDocument:
Version: "2012-10-17"
Statement:
-
Sid: "AWSCloudTrailAclCheck"
Effect: "Allow"
Principal:
Service: "cloudtrail.amazonaws.com"
Action: "s3:GetBucketAcl"
Resource:
!Sub |-
arn:aws:s3:::${S3Bucket}
-
Sid: "AWSCloudTrailWrite"
Effect: "Allow"
Principal:
Service: "cloudtrail.amazonaws.com"
Action: "s3:PutObject"
Resource:
!Sub |-
arn:aws:s3:::${S3Bucket}/AWSLogs/${AWS::AccountId}/*
Condition:
StringEquals:
s3:x-amz-acl: "bucket-owner-full-control"
CloudTrail:
Type: AWS::CloudTrail::Trail
DependsOn:
- SNSTopicPolicy
- S3BucketPolicy
Properties:
S3BucketName:
Ref: S3Bucket
SnsTopicName:
Fn::GetAtt:
- SNSTopic
- TopicName
IsLogging: true
EnableLogFileValidation: true
IncludeGlobalServiceEvents: true
IsMultiRegionTrail: true
ElasticsearchDomain:
Type: AWS::Elasticsearch::Domain
Properties:
DomainName: "cloudtrail-log-analytics"
ElasticsearchClusterConfig:
InstanceCount: "2"
EBSOptions:
EBSEnabled: true
Iops: 0
VolumeSize: 20
VolumeType: "gp2"
AccessPolicies:
Version: "2012-10-17"
Statement:
-
Sid: "AllowESHTTPFullAccessToEveryone"
Effect: "Allow"
Principal:
AWS: "*"
Action: "es:ESHttp*"
Resource:
!Sub |-
arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/cloudtrail-log-analytics/*
ElasticsearchVersion: "5.5"
Function:
Type: 'AWS::Serverless::Function'
DependsOn:
- ElasticsearchDomain
Properties:
Handler: index.handler
Runtime: python2.7
CodeUri: ./
Policies:
- ElasticsearchHttpPostPolicy:
DomainName: !Ref ElasticsearchDomain
- S3ReadPolicy:
BucketName: !Ref S3Bucket
Events:
SNSEvent:
Type: SNS
Properties:
Topic: !Ref SNSTopic
Environment:
Variables:
es_host:
Fn::GetAtt:
- ElasticsearchDomain
- DomainEndpoint