Enable versioning and server access logging for ArtifactBucket

aws-cloudformation · Feb 19, 2020 · df9de54 · df9de54
1 parent 19c1570
commit df9de54
Showing 1 changed file with 59 additions and 3 deletions.
diff --git a/src/rpdk/core/data/managed-upload-infrastructure.yaml b/src/rpdk/core/data/managed-upload-infrastructure.yaml
@@ -19,6 +19,31 @@ Resources:
             Status: Enabled
             AbortIncompleteMultipartUpload:
               DaysAfterInitiation: 1
+      VersioningConfiguration:
+        Status: Enabled
+      LoggingConfiguration:
+        DestinationBucketName: !Ref AccessLogsBucket
+        LogFilePrefix: ArtifactBucket
+
+  AccessLogsBucket:
+    Type: AWS::S3::Bucket
+    Properties:
+      BucketName: { 'Fn::Sub' : "artifact-bucket-access-logs-${AWS::AccountId}-${AWS::Region}" }
+      AccessControl: LogDeliveryWrite
+      BucketEncryption:
+        ServerSideEncryptionConfiguration:
+        - ServerSideEncryptionByDefault:
+            SSEAlgorithm: aws:kms
+            KMSMasterKeyID: !Ref EncryptionKey
+      LifecycleConfiguration:
+        Rules:
+          - Status: Enabled
+            ExpirationInDays: 3653
+      VersioningConfiguration:
+        Status: Enabled
+      LoggingConfiguration:
+        DestinationBucketName: { 'Fn::Sub' : "artifact-bucket-access-logs-${AWS::AccountId}-${AWS::Region}" }
+        LogFilePrefix: AccessLogsBucket
 
   ArtifactCopyPolicy:
     Type: AWS::S3::BucketPolicy
@@ -48,14 +73,45 @@ Resources:
                 "aws:SecureTransport": "false"
             Principal: "*"
 
+  AccessLogsPolicy:
+    Type: AWS::S3::BucketPolicy
+    Properties:
+      Bucket: !Ref AccessLogsBucket
+      PolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Sid: Allow delivery logs to read and write to the bucket
+            Effect: Allow
+            Principal:
+              Service: delivery.logs.amazonaws.com
+            Action:
+              - s3:PutObject
+              - s3:GetBucketAcl
+            Resource:
+              - !Sub "arn:${AWS::Partition}:s3:::${AccessLogsBucket}"
+              - !Sub "arn:${AWS::Partition}:s3:::${AccessLogsBucket}/*"
+            Condition:
+              Bool:
+                "aws:SecureTransport": "false"
+          - Sid: Require Secure Transport
+            Action: "s3:*"
+            Effect: Deny
+            Resource:
+              - !Sub "arn:${AWS::Partition}:s3:::${AccessLogsBucket}"
+              - !Sub "arn:${AWS::Partition}:s3:::${AccessLogsBucket}/*"
+            Condition:
+              Bool:
+                "aws:SecureTransport": "false"
+            Principal: "*"
+
   EncryptionKey:
     Type: AWS::KMS::Key
     DeletionPolicy: Retain
     Properties:
       Description: KMS key used to encrypt the resource type artifacts
       EnableKeyRotation: true
       KeyPolicy:
-        Version: 2012-10-17
+        Version: "2012-10-17"
         Statement:
         - Sid: Enable full access for owning account
           Effect: Allow
@@ -80,7 +136,7 @@ Resources:
     Properties:
       MaxSessionDuration: 43200
       AssumeRolePolicyDocument:
-        Version: '2012-10-17'
+        Version: "2012-10-17"
         Statement:
         - Effect: Allow
           Principal:
@@ -92,7 +148,7 @@ Resources:
       Policies:
       - PolicyName: LogAndMetricsDeliveryRolePolicy
         PolicyDocument:
-          Version: '2012-10-17'
+          Version: "2012-10-17"
           Statement:
           - Effect: Allow
             Action: