@DaisukeMiyamoto
Last active October 9, 2018 00:47
CloudFormation template for CloudTrail with KMS and S3 bucket
---
AWSTemplateFormatVersion: "2010-09-09"
Description: |
  CloudTrail: v0.1.0 -
  CloudTrail Trail, related S3 bucket, and KMS Key for encryption
Parameters:
  BucketName:
    Type: String
    AllowedPattern: '[a-z][a-z0-9-]*[a-z0-9]*'
    Default: 'cloudtrail-bucket'
    Description: Name of Amazon S3 bucket to store CloudTrail
  TrailName:
    Type: String
    AllowedPattern: '[a-z][a-z0-9-]*[a-z0-9]*'
    Default: 'my-trail'
    Description: Name of CloudTrail trail
Resources:
  CloudTrailKey:
    DeletionPolicy: Retain
    Type: AWS::KMS::Key
    Properties:
      Description: for CloudTrail log files
      Enabled: true
      # Key policy written as a JSON flow mapping, which CloudFormation YAML accepts.
      # The role/Admin principal must already exist in the account; KMS rejects a
      # policy that names a non-existent principal and the stack fails to create.
      KeyPolicy: {
        "Id": "cloudtrailkey",
        "Statement": [
          {
            "Sid": "Allow administration of the key",
            "Effect": "Allow",
            "Principal": { "AWS": { "Fn::Join": [ ":", [ "arn:aws:iam:", { "Ref": "AWS::AccountId" }, "role/Admin" ] ] } },
            "Action": [
              "kms:*"
            ],
            "Resource": "*"
          },
          {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
              "Service": "cloudtrail.amazonaws.com"
            },
            # To write encrypted log files the CloudTrail service principal needs
            # kms:GenerateDataKey* and kms:DescribeKey; kms:Decrypt is what the
            # principals that read the logs need. kms:ReEncrypt* is the wildcard
            # for the real actions kms:ReEncryptFrom and kms:ReEncryptTo.
            "Action": [
              "kms:Encrypt",
              "kms:Decrypt",
              "kms:ReEncrypt*",
              "kms:GenerateDataKey*",
              "kms:DescribeKey"
            ],
            "Resource": "*"
          }
        ]
      }
  CloudTrailKeyAlias:
    DependsOn:
      - CloudTrailKey
    Type: AWS::KMS::Alias
    Properties:
      AliasName: alias/Cloudtrail-key
      TargetKeyId:
        Ref: CloudTrailKey
  S3Bucket:
    DeletionPolicy: Retain
    Type: AWS::S3::Bucket
    Properties:
      # Default SSE-S3 encryption for anything written without an explicit
      # encryption header; the trail objects themselves are SSE-KMS encrypted.
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      BucketName: !Ref BucketName
      # Versioning keeps earlier object versions if a log file is overwritten or deleted.
      VersioningConfiguration:
        Status: Enabled
  BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket:
        Ref: S3Bucket
      PolicyDocument:
        Statement:
          # CloudTrail checks the bucket ACL before it starts delivering logs.
          - Sid: AWSCloudTrailAclCheck
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: s3:GetBucketAcl
            Resource: !Sub 'arn:aws:s3:::${S3Bucket}'
          # Writes are limited to this account's AWSLogs prefix and must hand the
          # bucket owner full control of every delivered object.
          - Sid: AWSCloudTrailWrite
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: s3:PutObject
            Resource: !Sub 'arn:aws:s3:::${S3Bucket}/AWSLogs/${AWS::AccountId}/*'
            Condition:
              StringEquals:
                s3:x-amz-acl: bucket-owner-full-control
  Trail:
    # The bucket policy and the key must be in place before the trail is created,
    # otherwise CloudTrail's delivery checks fail.
    DependsOn:
      - CloudTrailKeyAlias
      - BucketPolicy
    Type: AWS::CloudTrail::Trail
    Properties:
      TrailName: !Ref TrailName
      IncludeGlobalServiceEvents: true
      IsMultiRegionTrail: true
      KMSKeyId: !Ref CloudTrailKey
      S3BucketName: !Ref S3Bucket
      IsLogging: true
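Added example, not part of the gist: a small Python audit that takes a template in its JSON dict form (what a YAML loader with the `!Ref`/`!Sub` tags expanded produces) and checks the controls this template relies on: the trail is KMS-encrypted, multi-region, logging and includes global service events; the bucket has versioning on; the bucket policy's `s3:PutObject` grant carries the `bucket-owner-full-control` condition; and the key policy never hands `kms:*` to the CloudTrail service principal. `GIST_TEMPLATE` is a constructed dict mirroring this gist's resources (the account id is a placeholder), and `weakened()` drops two controls to show what the audit flags.

```python
import copy
# Trail properties this gist relies on; a missing or false value is a finding.
TRAIL_PROPS = ("IncludeGlobalServiceEvents", "IsLogging", "IsMultiRegionTrail", "KMSKeyId")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit(template):
    """Return findings for a template in dict (JSON) form; an empty list means all checks passed."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        kind, props = res.get("Type"), res.get("Properties", {})
        if kind == "AWS::CloudTrail::Trail":
            findings += [f"{name}: {p} not set" for p in TRAIL_PROPS if not props.get(p)]
        elif kind == "AWS::S3::Bucket":
            if props.get("VersioningConfiguration", {}).get("Status") != "Enabled":
                findings.append(f"{name}: versioning not enabled")
        elif kind == "AWS::S3::BucketPolicy":
            for st in _as_list(props.get("PolicyDocument", {}).get("Statement", [])):
                if st.get("Effect") == "Allow" and "s3:PutObject" in _as_list(st.get("Action")):
                    acl = st.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
                    if acl != "bucket-owner-full-control":
                        findings.append(f"{name}: PutObject without bucket-owner-full-control")
        elif kind == "AWS::KMS::Key":  # the service principal must not get blanket kms:*
            for st in _as_list(props.get("KeyPolicy", {}).get("Statement", [])):
                if (st.get("Principal", {}).get("Service") == "cloudtrail.amazonaws.com"
                        and "kms:*" in _as_list(st.get("Action"))):
                    findings.append(f"{name}: CloudTrail service principal granted kms:*")
    return findings

# Constructed sample: the gist's resources in JSON form, reduced to the fields the audit reads.
GIST_TEMPLATE = {"Resources": {
    "CloudTrailKey": {"Type": "AWS::KMS::Key", "Properties": {"KeyPolicy": {"Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/Admin"}, "Action": ["kms:*"]},
        {"Effect": "Allow", "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"]}]}}},
    "S3Bucket": {"Type": "AWS::S3::Bucket", "Properties": {"VersioningConfiguration": {"Status": "Enabled"}}},
    "BucketPolicy": {"Type": "AWS::S3::BucketPolicy", "Properties": {"PolicyDocument": {"Statement": [
        {"Effect": "Allow", "Principal": {"Service": "cloudtrail.amazonaws.com"}, "Action": "s3:PutObject",
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}}]}}},
    "Trail": {"Type": "AWS::CloudTrail::Trail", "Properties": {"KMSKeyId": {"Ref": "CloudTrailKey"},
        "IsMultiRegionTrail": True, "IncludeGlobalServiceEvents": True, "IsLogging": True}}}}

def weakened(template):
    """Deep copy with the KMS key and the ACL condition removed, to show what the audit flags."""
    t = copy.deepcopy(template)
    del t["Resources"]["Trail"]["Properties"]["KMSKeyId"]
    del t["Resources"]["BucketPolicy"]["Properties"]["PolicyDocument"]["Statement"][0]["Condition"]
    return t
```

Run `audit()` over the real template after loading it with a CloudFormation-aware YAML loader; the gist's own template yields no findings, while the weakened copy reports the missing key and the missing ACL condition.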