cloudwatch-config-s3-bucket.yaml

#  Once you have created the S3 bucket, you can create a key / folder prefix structure to store your CloudWatch configuration files.  You can use a folder structure such as this:
#
#  * */config/standard/windows/ec2*:  You can store your standard Windows CloudWatch platform configuration file here for EC2.  You may further categorize your standard platform configurations for different windows versions, EC2 instance types, and environments.
#  * */config/standard/windows/onpremises*:  You can store your standard Windows CloudWatch platform configuration file here for on premises servers.  You may further categorize your standard platform configurations for different windows versions, EC2 instance types, and environments.
#  * */config/standard/linux/ec2*:  You can store your standard Linux CloudWatch platform configuration file here for EC2.  You may further categorize your standard platform configuration for different linux distributions, EC2 instance types, and environments.
#  * */config/standard/linux/onpremises*:  You can store your standard Linux CloudWatch platform configuration file here for on premises servers.  You may further categorize your standard platform configuration for different linux distributions, EC2 instance types, and environments.
#  * */config/<application_name>*:  You can store your application specific CloudWatch configuration files here.  You may further categorize your applications with additional folders / prefixes for environments, etc

---
Description: S3 bucket for cross account, cross region access to CloudWatch configuration files
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  OrganizationID:
    Description: Provide read access to all accounts in the organization.  Leave blank for single account S3 bucket permissions.
    Type: String
    Default: ""
Conditions:
  OrgEnabledAccess: !Not [!Equals ["", !Ref OrganizationID]]

Resources:
  DeploymentBucket:
    Type: "AWS::S3::Bucket"
    Properties:
      BucketName: !Sub "amazon-cloudwatch-config-${AWS::AccountId}"
#      BucketEncryption:
#        ServerSideEncryptionConfiguration:
#          - ServerSideEncryptionByDefault:
#              SSEAlgorithm: aws:kms
#              KMSMasterKeyID:
#                Fn::ImportValue: <S3 CMK KMS Encryption Key>
      VersioningConfiguration:
        Status: Enabled
      #      LoggingConfiguration:
      #        DestinationBucketName:
      #          Fn::ImportValue: !Sub <Destination Log Bucket>
      #        LogFilePrefix: <Logfile Prefix>

  DeploymentBucketPolicy:
    Type: "AWS::S3::BucketPolicy"
    Properties:
      Bucket: !Ref DeploymentBucket
      PolicyDocument:
        Version: '2012-10-17'
        Id: SSEAndSSLPolicy
        Statement:
          - Sid: DenyInsecureConnections
            Effect: Deny
            Principal: "*"
            Action: s3:*
            Resource:
              - !Join
                - ''
                - - Fn::GetAtt: [DeploymentBucket, Arn]
                  - '/*'
            Condition:
              Bool:
                aws:SecureTransport: 'false'
          - Sid: DenyS3PublicObjectACL
            Effect: Deny
            Principal: "*"
            Action: s3:PutObjectAcl
            Resource:
              - !Join
                - ''
                - - Fn::GetAtt: [DeploymentBucket, Arn]
                  - '/*'
            Condition:
              StringEqualsIgnoreCaseIfExists:
                s3:x-amz-acl:
                  - public-read
                  - public-read-write
                  - authenticated-read
          - !If
            - OrgEnabledAccess
            - Sid: ''
              Effect: Allow
              Principal: "*"
              Action:
                - s3:ListBucket
              Resource: !GetAtt DeploymentBucket.Arn
              Condition:
                ForAnyValue:StringLike:
                  aws:PrincipalOrgPaths:
                    - !Sub "${OrganizationID}/*"
            - !Ref 'AWS::NoValue'

          - !If
            - OrgEnabledAccess
            - Sid: ''
              Effect: Allow
              Principal: "*"
              Action:
                - s3:Get*
              Resource:
                - !Join
                  - ''
                  - - Fn::GetAtt: [DeploymentBucket, Arn]
                    - '/*'
              Condition:
                ForAnyValue:StringLike:
                  aws:PrincipalOrgPaths:
                    - !Sub "${OrganizationID}/*"
            - !Ref 'AWS::NoValue'
Outputs:
  DeploymentBucketName:
    Value: !Ref DeploymentBucket
    Description: " S3 deployment bucket for cross account, cross region access to CloudFormation configurations"
    Export:
      Name: !Sub "amazon-cloudwatch-config-bucket-name"