talentdeficit · September 19, 2017 03:48
diff --git a/cloudtrail.yaml b/cloudtrail.yaml
 ---
  AWSTemplateFormatVersion: "2010-09-09"
  Description: "cloudtrail logs and topic"
  Resources:
    Cloudtrail:
      DependsOn: [ "CloudtrailBucketPolicy", "CloudtrailTopicPolicy" ]
      Type: "AWS::CloudTrail::Trail"
      Properties:
        EnableLogFileValidation: true
        IncludeGlobalServiceEvents: true
        IsLogging: true
        S3BucketName: { "Ref": "CloudtrailBucket" }
        SnsTopicName: { 'Fn::GetAtt': [ "CloudtrailTopic", "TopicName" ] }
    ## bucket cloudtrail logs will be written to
    CloudtrailBucket:
      Type: "AWS::S3::Bucket"
      Properties:
        AccessControl: "LogDeliveryWrite"
        LoggingConfiguration:
          LogFilePrefix: "access-logs/"
        VersioningConfiguration:
          Status: "Enabled"
    CloudtrailBucketPolicy:
      Type: "AWS::S3::BucketPolicy"
      Properties:
        Bucket: { "Ref": "CloudtrailBucket" }
        PolicyDocument:
          { "Version": "2012-10-17"
          , "Statement":
            [ { "Effect": "Allow"
              , "Principal": { "Service": "cloudtrail.amazonaws.com" }
              , "Action": "s3:GetBucketAcl"
              , "Resource": { 'Fn::Sub': "arn:aws:s3:::${CloudtrailBucket}" }
              }
            , { "Effect": "Allow"
              , "Principal": { "Service": "cloudtrail.amazonaws.com" }
              , "Action": "s3:PutObject"
              , "Resource": { 'Fn::Sub': "arn:aws:s3:::${CloudtrailBucket}/AWSLogs/${AWS::AccountId}/*" }
              , "Condition": { "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" } }
              }
            ]
          }
    # topic cloudtrail events will be published to
    CloudtrailTopic:
      Type: "AWS::SNS::Topic"
      Properties:
        DisplayName:
          'Fn::Sub': "${AWS::StackName}"
    CloudtrailTopicPolicy:
      Type: "AWS::SNS::TopicPolicy"
      Properties:
        Topics: [ {"Ref": "CloudtrailTopic"} ]
        PolicyDocument:
          { "Version": "2008-10-17"
          , "Statement":
            [ { "Effect": "Allow"
              , "Principal": { "Service": "cloudtrail.amazonaws.com" }
              , "Resource": "*"
              , "Action": "SNS:Publish"
              }
            ]
          }
  Outputs:
    CloudtrailBucket:
      Description: "cloudtrail log bucket"
      Value: { "Ref": "CloudtrailBucket" }
      Export:
        Name: { 'Fn::Sub': "${AWS::StackName}-logs" }
    CloudtrailTopic:
      Description: "cloudtrail sns topic"
      Value: { "Ref": "CloudtrailTopic" }
      Export:
        Name: { 'Fn::Sub': "${AWS::StackName}-topic" }
	---
	AWSTemplateFormatVersion: "2010-09-09"
	Description: "cloudtrail logs and topic"
	Resources:
	Cloudtrail:
	DependsOn: [ "CloudtrailBucketPolicy", "CloudtrailTopicPolicy" ]
	Type: "AWS::CloudTrail::Trail"
	Properties:
	EnableLogFileValidation: true
	IncludeGlobalServiceEvents: true
	IsLogging: true
	S3BucketName: { "Ref": "CloudtrailBucket" }
	SnsTopicName: { 'Fn::GetAtt': [ "CloudtrailTopic", "TopicName" ] }
	## bucket cloudtrail logs will be written to
	CloudtrailBucket:
	Type: "AWS::S3::Bucket"
	Properties:
	AccessControl: "LogDeliveryWrite"
	LoggingConfiguration:
	LogFilePrefix: "access-logs/"
	VersioningConfiguration:
	Status: "Enabled"
	CloudtrailBucketPolicy:
	Type: "AWS::S3::BucketPolicy"
	Properties:
	Bucket: { "Ref": "CloudtrailBucket" }
	PolicyDocument:
	{ "Version": "2012-10-17"
	, "Statement":
	[ { "Effect": "Allow"
	, "Principal": { "Service": "cloudtrail.amazonaws.com" }
	, "Action": "s3:GetBucketAcl"
	, "Resource": { 'Fn::Sub': "arn:aws:s3:::${CloudtrailBucket}" }
	}
	, { "Effect": "Allow"
	, "Principal": { "Service": "cloudtrail.amazonaws.com" }
	, "Action": "s3:PutObject"
	, "Resource": { 'Fn::Sub': "arn:aws:s3:::${CloudtrailBucket}/AWSLogs/${AWS::AccountId}/*" }
	, "Condition": { "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" } }
	}
	]
	}
	# topic cloudtrail events will be published to
	CloudtrailTopic:
	Type: "AWS::SNS::Topic"
	Properties:
	DisplayName:
	'Fn::Sub': "${AWS::StackName}"
	CloudtrailTopicPolicy:
	Type: "AWS::SNS::TopicPolicy"
	Properties:
	Topics: [ {"Ref": "CloudtrailTopic"} ]
	PolicyDocument:
	{ "Version": "2008-10-17"
	, "Statement":
	[ { "Effect": "Allow"
	, "Principal": { "Service": "cloudtrail.amazonaws.com" }
	, "Resource": "*"
	, "Action": "SNS:Publish"
	}
	]
	}
	Outputs:
	CloudtrailBucket:
	Description: "cloudtrail log bucket"
	Value: { "Ref": "CloudtrailBucket" }
	Export:
	Name: { 'Fn::Sub': "${AWS::StackName}-logs" }
	CloudtrailTopic:
	Description: "cloudtrail sns topic"
	Value: { "Ref": "CloudtrailTopic" }
	Export:
	Name: { 'Fn::Sub': "${AWS::StackName}-topic" }