-
Notifications
You must be signed in to change notification settings - Fork 49
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
6c67e6a
commit b28b453
Showing
2 changed files
with
249 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,129 @@ | ||
| AWSTemplateFormatVersion: '2010-09-09' | ||
| Description: Deploy Bucket & KMS Key for GuardDuty Findings | ||
|
|
||
| Parameters: | ||
|
|
||
| pSecureBucket: | ||
| Description: Name of the GuardDuty Finding Bucket | ||
| Type: String | ||
|
|
||
| Resources: | ||
|
|
||
| # Create the Bucket | ||
| SecureBucket: | ||
| Type: AWS::S3::Bucket | ||
| # Keep the bucket if we delete the stack. | ||
| DeletionPolicy: Retain | ||
| Properties: | ||
| AccessControl: Private | ||
| BucketName: !Ref pSecureBucket | ||
| # Add Versioning. Always safe vs sorry | ||
| VersioningConfiguration: | ||
| Status: Enabled | ||
| BucketEncryption: | ||
| ServerSideEncryptionConfiguration: | ||
| - BucketKeyEnabled: True | ||
| ServerSideEncryptionByDefault: | ||
| KMSMasterKeyID: !Ref KMSKey | ||
| SSEAlgorithm: 'aws:kms' | ||
|
|
||
| SecureBucketPolicy: | ||
| Type: "AWS::S3::BucketPolicy" | ||
| Properties: | ||
| Bucket: !Ref pSecureBucket | ||
| PolicyDocument: | ||
| Version: '2012-10-17' | ||
| Statement: | ||
| - Sid: Deny non-HTTPS access | ||
| Effect: Deny | ||
| Principal: | ||
| Service: guardduty.amazonaws.com | ||
| Action: s3:* | ||
| Resource: !Sub "arn:aws:s3:::${pSecureBucket}/*" | ||
| Condition: | ||
| Bool: | ||
| aws:SecureTransport: 'false' | ||
| - Sid: Deny incorrect encryption header | ||
| Effect: Deny | ||
| Principal: | ||
| Service: guardduty.amazonaws.com | ||
| Action: s3:PutObject | ||
| Resource: !Sub "arn:aws:s3:::${pSecureBucket}/*" | ||
| Condition: | ||
| StringNotEquals: | ||
| s3:x-amz-server-side-encryption-aws-kms-key-id: !GetAtt KMSKey.Arn | ||
| - Sid: Deny unencrypted object uploads | ||
| Effect: Deny | ||
| Principal: | ||
| Service: guardduty.amazonaws.com | ||
| Action: s3:PutObject | ||
| Resource: !Sub "arn:aws:s3:::${pSecureBucket}/*" | ||
| Condition: | ||
| StringNotEquals: | ||
| s3:x-amz-server-side-encryption: aws:kms | ||
| - Sid: Allow PutObject | ||
| Effect: Allow | ||
| Principal: | ||
| Service: guardduty.amazonaws.com | ||
| Action: s3:PutObject | ||
| Resource: !Sub "arn:aws:s3:::${pSecureBucket}/*" | ||
| Condition: | ||
| StringLike: | ||
| aws:SourceAccount: !Ref AWS::AccountId | ||
| aws:SourceArn: !Sub "arn:aws:guardduty:*:${AWS::AccountId}:detector/*" | ||
| - Sid: Allow GetBucketLocation | ||
| Effect: Allow | ||
| Principal: | ||
| Service: guardduty.amazonaws.com | ||
| Action: s3:GetBucketLocation | ||
| Resource: !Sub "arn:aws:s3:::${pSecureBucket}" | ||
| Condition: | ||
| StringLike: | ||
| aws:SourceAccount: !Ref AWS::AccountId | ||
| aws:SourceArn: !Sub "arn:aws:guardduty:*:${AWS::AccountId}:detector/*" | ||
|
|
||
| # KMS Resources | ||
| # | ||
| # First we create a key. | ||
| KMSKey: | ||
| Type: "AWS::KMS::Key" | ||
| Properties: | ||
| Description: !Sub "Key to secure content in ${pSecureBucket}" | ||
| KeyPolicy: | ||
| Version: "2012-10-17" | ||
| Id: "key-default-1" | ||
| Statement: | ||
| - Sid: "Allow administration of the key" | ||
| Effect: "Allow" | ||
| Principal: | ||
| AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root" | ||
| Action: | ||
| - "kms:*" | ||
| Resource: "*" | ||
| - Sid: "Allow GuardDuty to encrypt findings" | ||
| Effect: Allow | ||
| Principal: | ||
| Service: guardduty.amazonaws.com | ||
| Action: kms:GenerateDataKey | ||
| Resource: "*" | ||
| Condition: | ||
| StringLike: | ||
| aws:SourceAccount: !Ref AWS::AccountId | ||
| aws:SourceArn: !Sub "arn:aws:guardduty:*:${AWS::AccountId}:detector/*" | ||
|
|
||
| # Then we give it an Alias | ||
| KMSKeyAlias: | ||
| Type: AWS::KMS::Alias | ||
| Properties: | ||
| AliasName: !Sub "alias/${pSecureBucket}" | ||
| TargetKeyId: | ||
| Ref: KMSKey | ||
|
|
||
| Outputs: | ||
| KMSKeyId: | ||
| Description: Key ID of KMS Key Created | ||
| Value: !Ref KMSKey | ||
| KMSKeyArn: | ||
| Value: !GetAtt KMSKey.Arn | ||
| SecureBucketArn: | ||
| Value: !Sub "arn:aws:s3:::${pSecureBucket}" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,120 @@ | ||
| AWSTemplateFormatVersion: '2010-09-09' | ||
| Description: Deploy Bucket & KMS Key for Macie Data Discovery | ||
|
|
||
| Parameters: | ||
|
|
||
| pSecureBucket: | ||
| Description: Name of the Macie Bucket | ||
| Type: String | ||
|
|
||
| Resources: | ||
|
|
||
| # Create the Bucket | ||
| SecureBucket: | ||
| Type: AWS::S3::Bucket | ||
| # Keep the bucket if we delete the stack. | ||
| DeletionPolicy: Retain | ||
| Properties: | ||
| AccessControl: Private | ||
| BucketName: !Ref pSecureBucket | ||
| # Add Versioning. Always safe vs sorry | ||
| VersioningConfiguration: | ||
| Status: Enabled | ||
| BucketEncryption: | ||
| ServerSideEncryptionConfiguration: | ||
| - BucketKeyEnabled: True | ||
| ServerSideEncryptionByDefault: | ||
| KMSMasterKeyID: !Ref KMSKey | ||
| SSEAlgorithm: 'aws:kms' | ||
|
|
||
| SecureBucketPolicy: | ||
| Type: "AWS::S3::BucketPolicy" | ||
| Properties: | ||
| Bucket: !Ref pSecureBucket | ||
| PolicyDocument: | ||
| Version: '2012-10-17' | ||
| Statement: | ||
| - Sid: Allow Macie to use the GetBucketLocation operation | ||
| Effect: Allow | ||
| Principal: | ||
| Service: macie.amazonaws.com | ||
| Action: s3:GetBucketLocation | ||
| Resource: !Sub arn:aws:s3:::${pSecureBucket} | ||
| - Sid: Allow Macie to add objects to the bucket | ||
| Effect: Allow | ||
| Principal: | ||
| Service: macie.amazonaws.com | ||
| Action: s3:PutObject | ||
| Resource: !Sub arn:aws:s3:::${pSecureBucket}/* | ||
| - Sid: Deny unencrypted object uploads. This is optional | ||
| Effect: Deny | ||
| Principal: | ||
| Service: macie.amazonaws.com | ||
| Action: s3:PutObject | ||
| Resource: !Sub arn:aws:s3:::${pSecureBucket}/* | ||
| Condition: | ||
| StringNotEquals: | ||
| s3:x-amz-server-side-encryption: aws:kms | ||
| - Sid: Deny incorrect encryption headers. This is optional | ||
| Effect: Deny | ||
| Principal: | ||
| Service: macie.amazonaws.com | ||
| Action: s3:PutObject | ||
| Resource: !Sub arn:aws:s3:::${pSecureBucket}/* | ||
| Condition: | ||
| StringNotEquals: | ||
| s3:x-amz-server-side-encryption-aws-kms-key-id: !GetAtt KMSKey.Arn | ||
| - Sid: Deny non-HTTPS access | ||
| Effect: Deny | ||
| Principal: "*" | ||
| Action: s3:* | ||
| Resource: !Sub arn:aws:s3:::${pSecureBucket}/* | ||
| Condition: | ||
| Bool: | ||
| aws:SecureTransport: 'false' | ||
|
|
||
|
|
||
|
|
||
| # KMS Resources | ||
| # | ||
| # First we create a key. | ||
| KMSKey: | ||
| Type: "AWS::KMS::Key" | ||
| Properties: | ||
| Description: !Sub "Key to secure content in ${pSecureBucket}" | ||
| KeyPolicy: | ||
| Version: "2012-10-17" | ||
| Id: "key-default-1" | ||
| Statement: | ||
| - Sid: "Allow administration of the key" | ||
| Effect: "Allow" | ||
| Principal: | ||
| AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root" | ||
| Action: | ||
| - "kms:*" | ||
| Resource: "*" | ||
| - Sid: "Allow Macie to use the key" | ||
| Effect: Allow | ||
| Principal: | ||
| Service: macie.amazonaws.com | ||
| Action: | ||
| - kms:GenerateDataKey | ||
| - kms:Encrypt | ||
| Resource: "*" | ||
|
|
||
| # Then we give it an Alias | ||
| KMSKeyAlias: | ||
| Type: AWS::KMS::Alias | ||
| Properties: | ||
| AliasName: !Sub "alias/${pSecureBucket}" | ||
| TargetKeyId: | ||
| Ref: KMSKey | ||
|
|
||
| Outputs: | ||
| KMSKeyId: | ||
| Description: Key ID of KMS Key Created | ||
| Value: !Ref KMSKey | ||
| MKSKeyArn: | ||
| Value: !GetAtt KMSKey.Arn | ||
| SecureBucket: | ||
| Value: !Ref pSecureBucket |