Last active
January 23, 2023 01:07
-
-
Save mauricioklein/62b923208aac0852790625fb7fd5aaef to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| AWSTemplateFormatVersion: 2010-09-09 | |
| Description: S3 bucket remediation automation using AWS Config and AWS Service Manager | |
| Parameters: | |
| Versioning: | |
| Type: String | |
| AllowedValues: [ "true", "false" ] | |
| Default: "true" | |
| Logging: | |
| Type: String | |
| AllowedValues: [ "true", "false" ] | |
| Default: "true" | |
| NoPublicRW: | |
| Type: String | |
| AllowedValues: [ "true", "false" ] | |
| Default: "true" | |
| SSE: | |
| Type: String | |
| AllowedValues: [ "true", "false" ] | |
| Default: "true" | |
| Conditions: | |
| EnsureVersioning: !Equals [ !Ref Versioning, "true" ] | |
| EnsureLogging: !Equals [ !Ref Logging, "true" ] | |
| EnsureNoPublicRW: !Equals [ !Ref NoPublicRW, "true" ] | |
| EnsureSSE: !Equals [ !Ref SSE, "true" ] | |
| Resources: | |
| # | |
| # S3 bucket used by AWS Config Recorder to record resources state | |
| # | |
| RecorderBucket: | |
| Type: AWS::S3::Bucket | |
| # | |
| # S3 bucket used to log other S3 buckets access | |
| # | |
| LoggingBucket: | |
| Type: AWS::S3::Bucket | |
| Condition: EnsureLogging | |
| Properties: | |
| AccessControl: LogDeliveryWrite | |
| # | |
| # Service role for AWS Config | |
| # | |
| ServiceRole: | |
| Type: AWS::IAM::ServiceLinkedRole | |
| Properties: | |
| AWSServiceName: config.amazonaws.com | |
| # | |
| # IAM role for AWS Config Recorder to interact with the S3 recorder bucket | |
| # | |
| RecorderRole: | |
| Type: AWS::IAM::Role | |
| Properties: | |
| AssumeRolePolicyDocument: | |
| Version: 2012-10-17 | |
| Statement: | |
| - Effect: Allow | |
| Principal: | |
| Service: | |
| - config.amazonaws.com | |
| Action: | |
| - sts:AssumeRole | |
| ManagedPolicyArns: | |
| - arn:aws:iam::aws:policy/service-role/AWS_ConfigRole | |
| Policies: | |
| - PolicyName: S3Policy | |
| PolicyDocument: | |
| Version: 2012-10-17 | |
| Statement: | |
| - Effect: Allow | |
| Action: | |
| - s3:PutObject | |
| - s3:PutObjectAcl | |
| Resource: !Sub | |
| - ${BucketArn}/AWSLogs/${AccountId}/Config/* | |
| - BucketArn: !GetAtt [ RecorderBucket, Arn ] | |
| AccountId: !Ref AWS::AccountId | |
| - Effect: Allow | |
| Action: | |
| - s3:GetBucketAcl | |
| Resource: !GetAtt [ RecorderBucket, Arn ] | |
| # | |
| # IAM role used by AWS Config auto-remediation to change configuration on S3 buckets | |
| # | |
| RemediationRole: | |
| Type: AWS::IAM::Role | |
| Properties: | |
| AssumeRolePolicyDocument: | |
| Version: 2012-10-17 | |
| Statement: | |
| - Effect: Allow | |
| Principal: | |
| Service: | |
| - ssm.amazonaws.com | |
| Action: | |
| - sts:AssumeRole | |
| ManagedPolicyArns: | |
| - arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole | |
| - arn:aws:iam::aws:policy/AmazonS3FullAccess | |
| # | |
| # AWS Config Recorder configuration, recording changes only on S3 buckets | |
| # | |
| RecorderConfiguration: | |
| Type: AWS::Config::ConfigurationRecorder | |
| Properties: | |
| Name: S3BucketRecorderConfig | |
| RecordingGroup: | |
| AllSupported: false | |
| IncludeGlobalResourceTypes: false | |
| ResourceTypes: | |
| - AWS::S3::Bucket | |
| RoleARN: !GetAtt [ RecorderRole, Arn ] | |
| # | |
| # AWS Config rule for bucket versioning | |
| # | |
| BucketVersioningRule: | |
| Type: AWS::Config::ConfigRule | |
| Condition: EnsureVersioning | |
| DependsOn: RecorderConfiguration | |
| Properties: | |
| ConfigRuleName: BucketVersioningRule | |
| Description: "Rule to enable versioning on S3 buckets" | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::S3::Bucket | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: S3_BUCKET_VERSIONING_ENABLED | |
| # | |
| # AWS Config auto-remediation for bucket versioning | |
| # | |
| BucketVersioningRemediation: | |
| Type: AWS::Config::RemediationConfiguration | |
| Condition: EnsureVersioning | |
| Properties: | |
| Automatic: true | |
| MaximumAutomaticAttempts: 5 | |
| RetryAttemptSeconds: 30 | |
| ConfigRuleName: !Ref BucketVersioningRule | |
| TargetId: AWS-ConfigureS3BucketVersioning | |
| TargetType: SSM_DOCUMENT | |
| Parameters: | |
| AutomationAssumeRole: | |
| StaticValue: | |
| Values: | |
| - !GetAtt [ RemediationRole, Arn ] | |
| BucketName: | |
| ResourceValue: | |
| Value: RESOURCE_ID | |
| VersioningState: | |
| StaticValue: | |
| Values: | |
| - Enabled | |
| # | |
| # AWS Config rule for bucket logging | |
| # | |
| BucketLoggingRule: | |
| Type: AWS::Config::ConfigRule | |
| Condition: EnsureLogging | |
| DependsOn: RecorderConfiguration | |
| Properties: | |
| ConfigRuleName: BucketLoggingRule | |
| Description: "Rule to enable logging on S3 buckets" | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::S3::Bucket | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: S3_BUCKET_LOGGING_ENABLED | |
| # | |
| # AWS Config auto-remediation for bucket logging | |
| # | |
| BucketLoggingRemediation: | |
| Type: AWS::Config::RemediationConfiguration | |
| Condition: EnsureLogging | |
| Properties: | |
| Automatic: true | |
| MaximumAutomaticAttempts: 5 | |
| RetryAttemptSeconds: 30 | |
| ConfigRuleName: !Ref BucketLoggingRule | |
| TargetId: AWS-ConfigureS3BucketLogging | |
| TargetType: SSM_DOCUMENT | |
| Parameters: | |
| AutomationAssumeRole: | |
| StaticValue: | |
| Values: | |
| - !GetAtt [ RemediationRole, Arn ] | |
| BucketName: | |
| ResourceValue: | |
| Value: RESOURCE_ID | |
| GrantedPermission: | |
| StaticValue: | |
| Values: | |
| - FULL_CONTROL | |
| GranteeType: | |
| StaticValue: | |
| Values: | |
| - Group | |
| GranteeUri: | |
| StaticValue: | |
| Values: | |
| - http://acs.amazonaws.com/groups/s3/LogDelivery | |
| TargetBucket: | |
| StaticValue: | |
| Values: | |
| - !Ref LoggingBucket | |
| # | |
| # AWS Config rule for blocking public read | |
| # | |
| BucketPublicReadProhibitedRule: | |
| Type: AWS::Config::ConfigRule | |
| Condition: EnsureNoPublicRW | |
| DependsOn: RecorderConfiguration | |
| Properties: | |
| ConfigRuleName: BucketPublicReadProhibitedRule | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::S3::Bucket | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED | |
| # | |
| # AWS Config auto-remediation for bucket public-read access | |
| # | |
| BucketPublicReadRemediation: | |
| Type: AWS::Config::RemediationConfiguration | |
| Condition: EnsureNoPublicRW | |
| Properties: | |
| Automatic: true | |
| MaximumAutomaticAttempts: 5 | |
| RetryAttemptSeconds: 30 | |
| ConfigRuleName: !Ref BucketPublicReadProhibitedRule | |
| TargetId: AWS-DisableS3BucketPublicReadWrite | |
| TargetType: SSM_DOCUMENT | |
| Parameters: | |
| AutomationAssumeRole: | |
| StaticValue: | |
| Values: | |
| - !GetAtt [ RemediationRole, Arn ] | |
| S3BucketName: | |
| ResourceValue: | |
| Value: RESOURCE_ID | |
| # | |
| # AWS Config rule for blocking public write | |
| # | |
| BucketPublicWriteProhibitedRule: | |
| Type: AWS::Config::ConfigRule | |
| Condition: EnsureNoPublicRW | |
| DependsOn: RecorderConfiguration | |
| Properties: | |
| ConfigRuleName: BucketPublicWriteProhibitedRule | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::S3::Bucket | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: S3_BUCKET_PUBLIC_WRITE_PROHIBITED | |
| # | |
| # AWS Config auto-remediation for bucket public-write access | |
| # | |
| BucketPublicWriteRemediation: | |
| Type: AWS::Config::RemediationConfiguration | |
| Condition: EnsureNoPublicRW | |
| Properties: | |
| Automatic: true | |
| MaximumAutomaticAttempts: 5 | |
| RetryAttemptSeconds: 30 | |
| ConfigRuleName: !Ref BucketPublicWriteProhibitedRule | |
| TargetId: AWS-DisableS3BucketPublicReadWrite | |
| TargetType: SSM_DOCUMENT | |
| Parameters: | |
| AutomationAssumeRole: | |
| StaticValue: | |
| Values: | |
| - !GetAtt [ RemediationRole, Arn ] | |
| S3BucketName: | |
| ResourceValue: | |
| Value: RESOURCE_ID | |
| # | |
| # AWS Config rule for server-side encryption | |
| # | |
| BucketSSERule: | |
| Type: AWS::Config::ConfigRule | |
| Condition: EnsureSSE | |
| DependsOn: RecorderConfiguration | |
| Properties: | |
| ConfigRuleName: BucketSSERule | |
| Scope: | |
| ComplianceResourceTypes: | |
| - AWS::S3::Bucket | |
| Source: | |
| Owner: AWS | |
| SourceIdentifier: S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED | |
| # | |
| # AWS Config auto-remediation for bucket server-side encryption | |
| # | |
| BucketSSERemediation: | |
| Type: AWS::Config::RemediationConfiguration | |
| Condition: EnsureSSE | |
| Properties: | |
| Automatic: true | |
| MaximumAutomaticAttempts: 5 | |
| RetryAttemptSeconds: 30 | |
| ConfigRuleName: !Ref BucketSSERule | |
| TargetId: AWS-EnableS3BucketEncryption | |
| TargetType: SSM_DOCUMENT | |
| Parameters: | |
| AutomationAssumeRole: | |
| StaticValue: | |
| Values: | |
| - !GetAtt [ RemediationRole, Arn ] | |
| BucketName: | |
| ResourceValue: | |
| Value: RESOURCE_ID | |
| SSEAlgorithm: | |
| StaticValue: | |
| Values: | |
| - AES256 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This is awesome, thank you!