cfndsl-pipeline 0.1.2 → 0.1.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.gitignore +11 -0
- data/.rspec +3 -0
- data/.rubocop.yml +33 -0
- data/.travis.yml +10 -0
- data/Gemfile +7 -0
- data/Guardfile +5 -0
- data/LICENCE +21 -0
- data/README.md +58 -0
- data/Rakefile +6 -0
- data/bin/cfndsl_pipeline +16 -14
- data/cfndsl-pipeline.gemspec +40 -0
- data/examples/common_definitions.yaml +63 -0
- data/examples/pipeline_multple_files.rb +42 -0
- data/examples/pipeline_single_file.rb +54 -0
- data/examples/s3bucket.rb +316 -0
- data/examples/s3bucket.yaml +241 -0
- data/examples/standard_tags.yaml +41 -0
- data/lib/cfndsl-pipeline.rb +15 -15
- data/lib/cli_options.rb +124 -0
- data/lib/exec_cfn_nag.rb +58 -0
- data/lib/{run-cfndsl.rb → exec_cfndsl.rb} +7 -5
- data/lib/exec_syntax.rb +87 -0
- data/lib/{monkey_patches.rb → monkey-patches/cfndsl_patch.rb} +40 -24
- data/lib/{stdout_capture.rb → monkey-patches/stdout_capture.rb} +0 -0
- data/lib/options.rb +10 -4
- data/lib/params.rb +6 -5
- data/lib/version.rb +2 -1
- data/spec/cfndsl/pipeline_spec.rb +11 -0
- data/spec/spec_helper.rb +15 -0
- metadata +119 -30
- data/lib/run-cfn_nag.rb +0 -38
- data/lib/run-syntax.rb +0 -89
|
@@ -0,0 +1,316 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
CloudFormation do
|
|
3
|
+
Description 'S3 Storage integrated with KMS and IAM'
|
|
4
|
+
AWSTemplateFormatVersion '2010-09-09'
|
|
5
|
+
|
|
6
|
+
Parameter('ProvisioningRoleID') do
|
|
7
|
+
Description 'IAM RoleID to be allowed to administer KMS Key and access S3'
|
|
8
|
+
Type 'String'
|
|
9
|
+
Default 'AROAABCDEFGHIJKLMNOP'
|
|
10
|
+
end
|
|
11
|
+
|
|
12
|
+
Parameter('InstanceRoleID') do
|
|
13
|
+
Description 'IAM RoleID of instance profile using the KMS Key and access S3'
|
|
14
|
+
Type 'String'
|
|
15
|
+
Default 'AROA1234567890123456'
|
|
16
|
+
end
|
|
17
|
+
|
|
18
|
+
Parameter('LoggingBucket') do
|
|
19
|
+
Description 'S3 Bucket where access logs from new S3 bucket will be sent'
|
|
20
|
+
Type 'String'
|
|
21
|
+
end
|
|
22
|
+
|
|
23
|
+
Parameter('VPCEndpoint') do
|
|
24
|
+
Description 'VPC Endpoint ID'
|
|
25
|
+
Type 'String'
|
|
26
|
+
Default 'vpce-1234abcd5678ef90'
|
|
27
|
+
end
|
|
28
|
+
|
|
29
|
+
Parameter('BucketName') do
|
|
30
|
+
Description 'Hexadecimal string for bucket name'
|
|
31
|
+
Type 'String'
|
|
32
|
+
Default 'f4c8e474d09b'
|
|
33
|
+
end
|
|
34
|
+
KMS_Key('KMSKey') do
|
|
35
|
+
Description 'KMS Key for encrypting S3 Bucket'
|
|
36
|
+
Enabled(true)
|
|
37
|
+
EnableKeyRotation(true)
|
|
38
|
+
KeyPolicy({
|
|
39
|
+
'Id' => 'KMS Key Access',
|
|
40
|
+
'Statement' => [
|
|
41
|
+
{
|
|
42
|
+
'Action' => [
|
|
43
|
+
'kms:ScheduleKeyDeletion',
|
|
44
|
+
'kms:Delete*'
|
|
45
|
+
],
|
|
46
|
+
'Effect' => 'Deny',
|
|
47
|
+
'Principal' => '*',
|
|
48
|
+
'Resource' => [
|
|
49
|
+
'*'
|
|
50
|
+
],
|
|
51
|
+
'Sid' => 'DenyDelete'
|
|
52
|
+
},
|
|
53
|
+
{
|
|
54
|
+
'Action' => [
|
|
55
|
+
'kms:*'
|
|
56
|
+
],
|
|
57
|
+
'Condition' => {
|
|
58
|
+
'StringNotLike' => {
|
|
59
|
+
'aws:userId' => [
|
|
60
|
+
FnSub('${ProvisioningRoleID}:*')
|
|
61
|
+
]
|
|
62
|
+
}
|
|
63
|
+
},
|
|
64
|
+
'Effect' => 'Deny',
|
|
65
|
+
'Principal' => '*',
|
|
66
|
+
'Resource' => [
|
|
67
|
+
'*'
|
|
68
|
+
],
|
|
69
|
+
'Sid' => 'DenyKeyAccess'
|
|
70
|
+
},
|
|
71
|
+
{
|
|
72
|
+
'Action' => [
|
|
73
|
+
'kms:CreateKey',
|
|
74
|
+
'kms:CreateAlias',
|
|
75
|
+
'kms:CreateGrant',
|
|
76
|
+
'kms:Describe*',
|
|
77
|
+
'kms:Enable*',
|
|
78
|
+
'kms:List*',
|
|
79
|
+
'kms:Put*',
|
|
80
|
+
'kms:Update*',
|
|
81
|
+
'kms:Revoke*',
|
|
82
|
+
'kms:Disable*',
|
|
83
|
+
'kms:Get*',
|
|
84
|
+
'kms:TagResource',
|
|
85
|
+
'kms:UntagResource',
|
|
86
|
+
'kms:CancelKeyDeletion',
|
|
87
|
+
'kms:GenerateDataKey*'
|
|
88
|
+
],
|
|
89
|
+
'Condition' => {
|
|
90
|
+
'StringLike' => {
|
|
91
|
+
'aws:userId' => [
|
|
92
|
+
FnSub('${ProvisioningRoleID}:*')
|
|
93
|
+
]
|
|
94
|
+
}
|
|
95
|
+
},
|
|
96
|
+
'Effect' => 'Allow',
|
|
97
|
+
'Principal' => '*',
|
|
98
|
+
'Resource' => [
|
|
99
|
+
'*'
|
|
100
|
+
],
|
|
101
|
+
'Sid' => 'AllowAccessForKeyAdministrator'
|
|
102
|
+
},
|
|
103
|
+
{
|
|
104
|
+
'Action' => [
|
|
105
|
+
'kms:Encrypt',
|
|
106
|
+
'kms:Decrypt',
|
|
107
|
+
'kms:DescribeKey',
|
|
108
|
+
'kms:GenerateDataKey*'
|
|
109
|
+
],
|
|
110
|
+
'Condition' => {
|
|
111
|
+
'StringLike' => {
|
|
112
|
+
'aws:userId' => [
|
|
113
|
+
FnSub('${InstanceRoleID}:*')
|
|
114
|
+
]
|
|
115
|
+
}
|
|
116
|
+
},
|
|
117
|
+
'Effect' => 'Allow',
|
|
118
|
+
'Principal' => '*',
|
|
119
|
+
'Resource' => [
|
|
120
|
+
'*'
|
|
121
|
+
],
|
|
122
|
+
'Sid' => 'AllowUseOftheKey'
|
|
123
|
+
}
|
|
124
|
+
],
|
|
125
|
+
'Version' => '2012-10-17'
|
|
126
|
+
})
|
|
127
|
+
end
|
|
128
|
+
S3_BucketPolicy('BucketPolicy') do
|
|
129
|
+
DependsOn('Bucket')
|
|
130
|
+
Bucket(Ref('Bucket'))
|
|
131
|
+
PolicyDocument({
|
|
132
|
+
'Statement' => [
|
|
133
|
+
{
|
|
134
|
+
'Action' => [
|
|
135
|
+
's3:*'
|
|
136
|
+
],
|
|
137
|
+
'Condition' => {
|
|
138
|
+
'Bool' => {
|
|
139
|
+
'aws:SecureTransport' => [
|
|
140
|
+
false
|
|
141
|
+
]
|
|
142
|
+
}
|
|
143
|
+
},
|
|
144
|
+
'Effect' => 'Deny',
|
|
145
|
+
'Principal' => '*',
|
|
146
|
+
'Resource' => [
|
|
147
|
+
FnGetAtt('Bucket', 'Arn'),
|
|
148
|
+
FnSub('${Bucket.Arn}/*')
|
|
149
|
+
],
|
|
150
|
+
'Sid' => 'DenyHTTPAccess'
|
|
151
|
+
},
|
|
152
|
+
{
|
|
153
|
+
'Action' => [
|
|
154
|
+
's3:PutObject'
|
|
155
|
+
],
|
|
156
|
+
'Condition' => {
|
|
157
|
+
'StringNotEquals' => {
|
|
158
|
+
's3:x-amz-server-side-encryption' => [
|
|
159
|
+
'aws:kms'
|
|
160
|
+
]
|
|
161
|
+
}
|
|
162
|
+
},
|
|
163
|
+
'Effect' => 'Deny',
|
|
164
|
+
'Principal' => '*',
|
|
165
|
+
'Resource' => [
|
|
166
|
+
FnGetAtt('Bucket', 'Arn'),
|
|
167
|
+
FnSub('${Bucket.Arn}/*')
|
|
168
|
+
],
|
|
169
|
+
'Sid' => 'DenyIncorrectEncryptionHeader'
|
|
170
|
+
},
|
|
171
|
+
{
|
|
172
|
+
'Action' => [
|
|
173
|
+
's3:PutObject'
|
|
174
|
+
],
|
|
175
|
+
'Condition' => {
|
|
176
|
+
'Null' => {
|
|
177
|
+
's3:x-amz-server-side-encryption' => [
|
|
178
|
+
true
|
|
179
|
+
]
|
|
180
|
+
}
|
|
181
|
+
},
|
|
182
|
+
'Effect' => 'Deny',
|
|
183
|
+
'Principal' => '*',
|
|
184
|
+
'Resource' => [
|
|
185
|
+
FnGetAtt('Bucket', 'Arn'),
|
|
186
|
+
FnSub('${Bucket.Arn}/*')
|
|
187
|
+
],
|
|
188
|
+
'Sid' => 'DenyUnEncryptedObjectUploads'
|
|
189
|
+
},
|
|
190
|
+
{
|
|
191
|
+
'Action' => [
|
|
192
|
+
's3:PutObject'
|
|
193
|
+
],
|
|
194
|
+
'Condition' => {
|
|
195
|
+
'StringNotLikeIfExists' => {
|
|
196
|
+
's3:x-amz-server-side-encryption-aws-kms-key-id' => [
|
|
197
|
+
FnGetAtt('KMSKey', 'Arn')
|
|
198
|
+
]
|
|
199
|
+
}
|
|
200
|
+
},
|
|
201
|
+
'Effect' => 'Deny',
|
|
202
|
+
'Principal' => '*',
|
|
203
|
+
'Resource' => [
|
|
204
|
+
FnGetAtt('Bucket', 'Arn'),
|
|
205
|
+
FnSub('${Bucket.Arn}/*')
|
|
206
|
+
],
|
|
207
|
+
'Sid' => 'DenyAccessIfSpecificKMSKeyIsNotUsed'
|
|
208
|
+
},
|
|
209
|
+
{
|
|
210
|
+
'Action' => [
|
|
211
|
+
's3:Delete*'
|
|
212
|
+
],
|
|
213
|
+
'Effect' => 'Deny',
|
|
214
|
+
'Principal' => '*',
|
|
215
|
+
'Resource' => [
|
|
216
|
+
FnGetAtt('Bucket', 'Arn'),
|
|
217
|
+
FnSub('${Bucket.Arn}/*')
|
|
218
|
+
],
|
|
219
|
+
'Sid' => 'DenyDelete'
|
|
220
|
+
},
|
|
221
|
+
{
|
|
222
|
+
'Action' => [
|
|
223
|
+
's3:*'
|
|
224
|
+
],
|
|
225
|
+
'Condition' => {
|
|
226
|
+
'StringNotEquals' => {
|
|
227
|
+
'aws:sourceVpce' => FnSub('${VPCEndpoint}')
|
|
228
|
+
}
|
|
229
|
+
},
|
|
230
|
+
'Effect' => 'Deny',
|
|
231
|
+
'Principal' => '*',
|
|
232
|
+
'Resource' => [
|
|
233
|
+
FnGetAtt('Bucket', 'Arn'),
|
|
234
|
+
FnSub('${Bucket.Arn}/*')
|
|
235
|
+
],
|
|
236
|
+
'Sid' => 'DenyAllExceptConnectAndOthersViaVPCE'
|
|
237
|
+
},
|
|
238
|
+
{
|
|
239
|
+
'Action' => [
|
|
240
|
+
's3:PutObject*',
|
|
241
|
+
's3:Get*',
|
|
242
|
+
's3:List*'
|
|
243
|
+
],
|
|
244
|
+
'Condition' => {
|
|
245
|
+
'StringLike' => {
|
|
246
|
+
'aws:userId' => [
|
|
247
|
+
FnSub('${InstanceRoleID}:*')
|
|
248
|
+
]
|
|
249
|
+
}
|
|
250
|
+
},
|
|
251
|
+
'Effect' => 'Allow',
|
|
252
|
+
'Principal' => '*',
|
|
253
|
+
'Resource' => [
|
|
254
|
+
FnGetAtt('Bucket', 'Arn'),
|
|
255
|
+
FnSub('${Bucket.Arn}/*')
|
|
256
|
+
],
|
|
257
|
+
'Sid' => 'AllowObjectReadWrite'
|
|
258
|
+
},
|
|
259
|
+
{
|
|
260
|
+
'Action' => [
|
|
261
|
+
's3:*'
|
|
262
|
+
],
|
|
263
|
+
'Condition' => {
|
|
264
|
+
'StringLike' => {
|
|
265
|
+
'aws:userId' => [
|
|
266
|
+
FnSub('${ProvisioningRoleID}:*')
|
|
267
|
+
]
|
|
268
|
+
}
|
|
269
|
+
},
|
|
270
|
+
'Effect' => 'Allow',
|
|
271
|
+
'Principal' => '*',
|
|
272
|
+
'Resource' => [
|
|
273
|
+
FnGetAtt('Bucket', 'Arn'),
|
|
274
|
+
FnSub('${Bucket.Arn}/*')
|
|
275
|
+
],
|
|
276
|
+
'Sid' => 'AllowBucketConfiguration'
|
|
277
|
+
}
|
|
278
|
+
],
|
|
279
|
+
'Version' => '2012-10-17'
|
|
280
|
+
})
|
|
281
|
+
end
|
|
282
|
+
S3_Bucket('Bucket') do
|
|
283
|
+
BucketName(FnSub('${BucketName}'))
|
|
284
|
+
Property("BucketEncryption", {
|
|
285
|
+
'ServerSideEncryptionConfiguration' => [
|
|
286
|
+
{
|
|
287
|
+
'ServerSideEncryptionByDefault' => {
|
|
288
|
+
'KMSMasterKeyID' => FnGetAtt('KMSKey', 'Arn'),
|
|
289
|
+
'SSEAlgorithm' => 'aws:kms'
|
|
290
|
+
}
|
|
291
|
+
}
|
|
292
|
+
]
|
|
293
|
+
})
|
|
294
|
+
Property("PublicAccessBlockConfiguration", {
|
|
295
|
+
'BlockPublicAcls' => true,
|
|
296
|
+
'BlockPublicPolicy' => true,
|
|
297
|
+
'IgnorePublicAcls' => true,
|
|
298
|
+
'RestrictPublicBuckets' => true
|
|
299
|
+
})
|
|
300
|
+
Property("LoggingConfiguration",{
|
|
301
|
+
'DestinationBucketName' => FnSub('${LoggingBucket}'),
|
|
302
|
+
'LogFilePrefix' => FnSub('S3logs/${AWS::AccountId}/${BucketName}/')
|
|
303
|
+
})
|
|
304
|
+
Property("VersioningConfiguration", { 'Status' => 'Enabled' })
|
|
305
|
+
end
|
|
306
|
+
|
|
307
|
+
Output('BucketName') do
|
|
308
|
+
Description 'Bucket Arn'
|
|
309
|
+
Value FnGetAtt('Bucket', 'Arn')
|
|
310
|
+
end
|
|
311
|
+
|
|
312
|
+
Output('KMSKey') do
|
|
313
|
+
Description 'KMS Key Id'
|
|
314
|
+
Value Ref('KMSKey')
|
|
315
|
+
end
|
|
316
|
+
end
|
|
@@ -0,0 +1,241 @@
|
|
|
1
|
+
AWSTemplateFormatVersion: '2010-09-09'
|
|
2
|
+
Description: S3 Storage integrated with KMS and IAM
|
|
3
|
+
Parameters:
|
|
4
|
+
ProvisioningRoleID:
|
|
5
|
+
Type: String
|
|
6
|
+
Default: AROAABCDEFGHIJKLMNOP
|
|
7
|
+
Description: IAM RoleID to be allowed to administer KMS Key and access S3
|
|
8
|
+
AllowPattern: "AROA[A-Z0-9]{17}"
|
|
9
|
+
InstanceRoleID:
|
|
10
|
+
Type: String
|
|
11
|
+
Default: AROA1234567890123456
|
|
12
|
+
Description: IAM RoleID of instance profile using the KMS Key and access S3
|
|
13
|
+
AllowPattern: "AROA[A-Z0-9]{17}"
|
|
14
|
+
LoggingBucket:
|
|
15
|
+
Type: String
|
|
16
|
+
Description: S3 Bucket where access logs from new S3 bucket will be sent
|
|
17
|
+
VPCEndpoint:
|
|
18
|
+
Type: String
|
|
19
|
+
Default: vpce-1234abcd5678ef90
|
|
20
|
+
Description: VPC Endpoint ID
|
|
21
|
+
AllowPattern: "vpce-[a-f0-9]{8,16}"
|
|
22
|
+
BucketName:
|
|
23
|
+
Type: String
|
|
24
|
+
Default: f4c8e474d09b
|
|
25
|
+
Description: Hexadecimal string for bucket name
|
|
26
|
+
AllowPattern: "[a-f0-9]{16}"
|
|
27
|
+
|
|
28
|
+
Resources:
|
|
29
|
+
KMSKey:
|
|
30
|
+
Type: "AWS::KMS::Key"
|
|
31
|
+
Properties:
|
|
32
|
+
Description: 'KMS Key for encrypting S3 Bucket'
|
|
33
|
+
Enabled: True
|
|
34
|
+
EnableKeyRotation: True
|
|
35
|
+
KeyPolicy:
|
|
36
|
+
Version: '2012-10-17'
|
|
37
|
+
Id: KMS Key Access
|
|
38
|
+
Statement:
|
|
39
|
+
- Sid: DenyDelete
|
|
40
|
+
Effect: Deny
|
|
41
|
+
Principal: '*'
|
|
42
|
+
Action:
|
|
43
|
+
- 'kms:ScheduleKeyDeletion'
|
|
44
|
+
- 'kms:Delete*'
|
|
45
|
+
Resource:
|
|
46
|
+
- '*'
|
|
47
|
+
- Sid: DenyKeyAccess
|
|
48
|
+
Effect: Deny
|
|
49
|
+
Principal: '*'
|
|
50
|
+
Action:
|
|
51
|
+
- 'kms:*'
|
|
52
|
+
Resource:
|
|
53
|
+
- '*'
|
|
54
|
+
Condition:
|
|
55
|
+
StringNotLike:
|
|
56
|
+
'aws:userId':
|
|
57
|
+
- !Sub "${ProvisioningRoleID}:*"
|
|
58
|
+
|
|
59
|
+
- Sid: AllowAccessForKeyAdministrator
|
|
60
|
+
Effect: Allow
|
|
61
|
+
Principal: '*'
|
|
62
|
+
Action:
|
|
63
|
+
- 'kms:CreateKey'
|
|
64
|
+
- 'kms:CreateAlias'
|
|
65
|
+
- 'kms:CreateGrant'
|
|
66
|
+
- 'kms:Describe*'
|
|
67
|
+
- 'kms:Enable*'
|
|
68
|
+
- 'kms:List*'
|
|
69
|
+
- 'kms:Put*'
|
|
70
|
+
- 'kms:Update*'
|
|
71
|
+
- 'kms:Revoke*'
|
|
72
|
+
- 'kms:Disable*'
|
|
73
|
+
- 'kms:Get*'
|
|
74
|
+
- 'kms:TagResource'
|
|
75
|
+
- 'kms:UntagResource'
|
|
76
|
+
- 'kms:CancelKeyDeletion'
|
|
77
|
+
- 'kms:GenerateDataKey*'
|
|
78
|
+
Resource:
|
|
79
|
+
- '*'
|
|
80
|
+
Condition:
|
|
81
|
+
StringLike:
|
|
82
|
+
'aws:userId':
|
|
83
|
+
- !Sub "${ProvisioningRoleID}:*"
|
|
84
|
+
|
|
85
|
+
- Sid: AllowUseOftheKey
|
|
86
|
+
Effect: Allow
|
|
87
|
+
Principal: '*'
|
|
88
|
+
Action:
|
|
89
|
+
- "kms:Encrypt"
|
|
90
|
+
- 'kms:Decrypt'
|
|
91
|
+
- 'kms:DescribeKey'
|
|
92
|
+
- 'kms:GenerateDataKey*'
|
|
93
|
+
Resource:
|
|
94
|
+
- '*'
|
|
95
|
+
Condition:
|
|
96
|
+
StringLike:
|
|
97
|
+
'aws:userId':
|
|
98
|
+
- !Sub "${InstanceRoleID}:*"
|
|
99
|
+
|
|
100
|
+
BucketPolicy:
|
|
101
|
+
Type: "AWS::S3::BucketPolicy"
|
|
102
|
+
DependsOn: Bucket
|
|
103
|
+
Properties:
|
|
104
|
+
Bucket: !Ref Bucket
|
|
105
|
+
PolicyDocument:
|
|
106
|
+
Version: '2012-10-17'
|
|
107
|
+
Statement:
|
|
108
|
+
- Sid: DenyHTTPAccess
|
|
109
|
+
Effect: Deny
|
|
110
|
+
Principal: "*"
|
|
111
|
+
Action:
|
|
112
|
+
- 's3:*'
|
|
113
|
+
Resource:
|
|
114
|
+
- !GetAtt Bucket.Arn
|
|
115
|
+
- !Sub "${Bucket.Arn}/*"
|
|
116
|
+
Condition:
|
|
117
|
+
Bool:
|
|
118
|
+
aws:SecureTransport:
|
|
119
|
+
- false
|
|
120
|
+
|
|
121
|
+
- Sid: DenyIncorrectEncryptionHeader
|
|
122
|
+
Effect: Deny
|
|
123
|
+
Principal: "*"
|
|
124
|
+
Action:
|
|
125
|
+
- 's3:PutObject'
|
|
126
|
+
Resource:
|
|
127
|
+
- !GetAtt Bucket.Arn
|
|
128
|
+
- !Sub "${Bucket.Arn}/*"
|
|
129
|
+
Condition:
|
|
130
|
+
StringNotEquals:
|
|
131
|
+
s3:x-amz-server-side-encryption:
|
|
132
|
+
- aws:kms
|
|
133
|
+
|
|
134
|
+
- Sid: DenyUnEncryptedObjectUploads
|
|
135
|
+
Effect: Deny
|
|
136
|
+
Principal: "*"
|
|
137
|
+
Action:
|
|
138
|
+
- 's3:PutObject'
|
|
139
|
+
Resource:
|
|
140
|
+
- !GetAtt Bucket.Arn
|
|
141
|
+
- !Sub "${Bucket.Arn}/*"
|
|
142
|
+
Condition:
|
|
143
|
+
"Null":
|
|
144
|
+
s3:x-amz-server-side-encryption:
|
|
145
|
+
- true
|
|
146
|
+
|
|
147
|
+
- Sid: DenyAccessIfSpecificKMSKeyIsNotUsed
|
|
148
|
+
Effect: Deny
|
|
149
|
+
Principal: '*'
|
|
150
|
+
Action:
|
|
151
|
+
- 's3:PutObject'
|
|
152
|
+
Resource:
|
|
153
|
+
- !GetAtt Bucket.Arn
|
|
154
|
+
- !Sub "${Bucket.Arn}/*"
|
|
155
|
+
Condition:
|
|
156
|
+
StringNotLikeIfExists:
|
|
157
|
+
s3:x-amz-server-side-encryption-aws-kms-key-id:
|
|
158
|
+
- !GetAtt KMSKey.Arn
|
|
159
|
+
|
|
160
|
+
- Sid: DenyDelete
|
|
161
|
+
Effect: Deny
|
|
162
|
+
Principal: "*"
|
|
163
|
+
Action:
|
|
164
|
+
- 's3:Delete*'
|
|
165
|
+
Resource:
|
|
166
|
+
- !GetAtt Bucket.Arn
|
|
167
|
+
- !Sub "${Bucket.Arn}/*"
|
|
168
|
+
|
|
169
|
+
- Sid: DenyAllExceptConnectAndOthersViaVPCE
|
|
170
|
+
Effect: Deny
|
|
171
|
+
Principal: '*'
|
|
172
|
+
Action:
|
|
173
|
+
- 's3:*'
|
|
174
|
+
Resource:
|
|
175
|
+
- !GetAtt Bucket.Arn
|
|
176
|
+
- !Sub "${Bucket.Arn}/*"
|
|
177
|
+
Condition:
|
|
178
|
+
StringNotEquals:
|
|
179
|
+
aws:sourceVpce: !Sub "${VPCEndpoint}"
|
|
180
|
+
|
|
181
|
+
- Sid: AllowObjectReadWrite
|
|
182
|
+
Effect: Allow
|
|
183
|
+
Principal: '*'
|
|
184
|
+
Action:
|
|
185
|
+
- 's3:PutObject*'
|
|
186
|
+
- 's3:Get*'
|
|
187
|
+
- 's3:List*'
|
|
188
|
+
Resource:
|
|
189
|
+
- !GetAtt Bucket.Arn
|
|
190
|
+
- !Sub "${Bucket.Arn}/*"
|
|
191
|
+
Condition:
|
|
192
|
+
StringLike:
|
|
193
|
+
'aws:userId':
|
|
194
|
+
- !Sub "${InstanceRoleID}:*"
|
|
195
|
+
|
|
196
|
+
- Sid: AllowBucketConfiguration
|
|
197
|
+
Effect: Allow
|
|
198
|
+
Principal: '*'
|
|
199
|
+
Action:
|
|
200
|
+
- 's3:*'
|
|
201
|
+
Resource:
|
|
202
|
+
- !GetAtt Bucket.Arn
|
|
203
|
+
- !Sub "${Bucket.Arn}/*"
|
|
204
|
+
Condition:
|
|
205
|
+
StringLike:
|
|
206
|
+
'aws:userId':
|
|
207
|
+
- !Sub "${ProvisioningRoleID}:*"
|
|
208
|
+
|
|
209
|
+
Bucket:
|
|
210
|
+
Type: AWS::S3::Bucket
|
|
211
|
+
Properties:
|
|
212
|
+
BucketName: !Sub "${BucketName}"
|
|
213
|
+
BucketEncryption:
|
|
214
|
+
ServerSideEncryptionConfiguration:
|
|
215
|
+
- ServerSideEncryptionByDefault:
|
|
216
|
+
KMSMasterKeyID: !GetAtt KMSKey.Arn
|
|
217
|
+
SSEAlgorithm: "aws:kms"
|
|
218
|
+
PublicAccessBlockConfiguration:
|
|
219
|
+
BlockPublicAcls: true
|
|
220
|
+
BlockPublicPolicy: true
|
|
221
|
+
IgnorePublicAcls: true
|
|
222
|
+
RestrictPublicBuckets: true
|
|
223
|
+
LoggingConfiguration:
|
|
224
|
+
DestinationBucketName: !Sub "${LoggingBucket}"
|
|
225
|
+
LogFilePrefix: !Sub "S3logs/${AWS::AccountId}/${BucketName}/"
|
|
226
|
+
VersioningConfiguration:
|
|
227
|
+
Status: Enabled
|
|
228
|
+
|
|
229
|
+
Outputs:
|
|
230
|
+
BucketName:
|
|
231
|
+
Description: Bucket Name
|
|
232
|
+
Value: !Ref Bucket
|
|
233
|
+
|
|
234
|
+
BucketName:
|
|
235
|
+
Description: Bucket Arn
|
|
236
|
+
Value: !GetAtt Bucket.Arn
|
|
237
|
+
|
|
238
|
+
KMSKey:
|
|
239
|
+
Description: KMS Key Id
|
|
240
|
+
Value: !Ref KMSKey
|
|
241
|
+
|