{ "AWSTemplateFormatVersion": "2010-09-09", "Description": "Lacework AWS CloudTrail Integration", "Metadata" : { "AWS::CloudFormation::Interface" : { "ParameterGroups": [ { "Parameters": [ "ResourceNamePrefix", "CreateTrail" ] }, { "Label": { "default": "New Trail Options"}, "Parameters": [ "NewTrailLogFilePrefix" ] }, { "Label": { "default": "Existing Trail Setup"}, "Parameters": [ "ExistingTrailBucketName", "ExistingTrailTopicArn" ] } ], "ParameterLabels": { "ResourceNamePrefix" : { "default" : "Resource name prefix" }, "CreateTrail": { "default": "Create new trail?" }, "NewTrailLogFilePrefix": { "default": "Log file prefix" }, "ExistingTrailBucketName": { "default": "Bucket name" }, "ExistingTrailTopicArn": { "default": "Topic ARN" } } } }, "Parameters": { "ResourceNamePrefix": { "Description": "Names of resources created by the stack will be prefixed with this value to ensure uniqueness.", "Type": "String", "Default": "%acnt", "MinLength": "1", "MaxLength": "20", "AllowedPattern": "^[a-zA-Z0-9]+(?:-[a-zA-Z0-9]+)*$", "ConstraintDescription": "Invalid resource name prefix value. Must match pattern ^[a-zA-Z0-9]+(?:-[a-zA-Z0-9]+)*$" }, "CreateTrail": { "Description": "You can have a new multi-region CloudTrail trail be created (along with a new S3 bucket and SNS topic), or use your existing trail setup.", "Type": "String", "AllowedValues": [ "Yes", "No" ], "Default": "Yes" }, "NewTrailLogFilePrefix": { "Description": "If you want the new trail to prefix its log file names, provide the prefix to use. Otherwise, leave it blank.", "Default": "", "Type": "String", "MaxLength": "64", "AllowedPattern": "[a-zA-Z0-9-_.!()* ]*", "ConstraintDescription": "Invalid log file prefix. Must match pattern [a-zA-Z0-9-_.!()* ]*" }, "ExistingTrailBucketName": { "Description": "Provide the name of the S3 bucket for your existing trail setup. The bucket must be owned by the current account.", "Default": "", "Type": "String", "MaxLength": "128" }, "ExistingTrailTopicArn": { "Description": "Provide the ARN of the SNS topic for your existing trail setup.", "Default": "", "Type": "String", "MaxLength": "256" } }, "Conditions": { "CreateNewTrail": { "Fn::Equals": [ { "Ref": "CreateTrail" }, "Yes" ] }, "UseExistingTrail": { "Fn::Not": [ { "Fn::Equals": [ { "Ref": "CreateTrail" }, "Yes" ] } ] }, "NewTrailUsesLogFilePrefix": { "Fn::Not": [ { "Fn::Equals": [ { "Ref": "NewTrailLogFilePrefix" }, "" ] } ] } }, "Resources": { "LaceworkCWSBucket": { "Condition": "CreateNewTrail", "Type": "AWS::S3::Bucket", "DeletionPolicy": "Retain", "Properties": { "BucketName": { "Fn::Join": [ "", [ { "Ref": "ResourceNamePrefix" }, "-laceworkcws" ] ] } } }, "LaceworkCWSBucketPolicy": { "Condition": "CreateNewTrail", "Type": "AWS::S3::BucketPolicy", "Properties": { "Bucket": { "Ref": "LaceworkCWSBucket" }, "PolicyDocument": { "Version": "2012-10-17", "Id": "LaceworkCWSBucketPolicy", "Statement": [ { "Sid": "CloudTrailAclCheck", "Action": "s3:GetBucketAcl", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:aws-us-gov:s3:::", { "Ref": "LaceworkCWSBucket" } ] ] }, "Principal": { "Service": "cloudtrail.amazonaws.com" } }, { "Sid": "CloudTrailWrite", "Action": "s3:PutObject", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:aws-us-gov:s3:::", { "Ref": "LaceworkCWSBucket" }, { "Fn::If": [ "NewTrailUsesLogFilePrefix", { "Fn::Join" : [ "", [ "/", { "Ref": "NewTrailLogFilePrefix" } ] ] }, "" ] }, "/AWSLogs/", { "Ref": "AWS::AccountId" }, "/*" ] ] }, "Principal": { "Service": "cloudtrail.amazonaws.com" }, "Condition": { "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" } } } ] } } }, "LaceworkCWSTopic": { "Condition": "CreateNewTrail", "Type": "AWS::SNS::Topic", "Properties": { "TopicName": { "Fn::Join": [ "", [ { "Ref": "ResourceNamePrefix" }, "-laceworkcws" ] ] } } }, "LaceworkCWSTopicPolicy": { "Condition": "CreateNewTrail", "Type": "AWS::SNS::TopicPolicy", "Properties": { "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Sid": "CloudTrailPublish", "Action": "SNS:Publish", "Effect": "Allow", "Principal": { "Service": "cloudtrail.amazonaws.com" }, "Resource": "*" } ] }, "Topics": [ { "Ref": "LaceworkCWSTopic" } ] } }, "LaceworkCWSTrail": { "Condition": "CreateNewTrail", "Type": "AWS::CloudTrail::Trail", "DependsOn": [ "LaceworkCWSTopicPolicy", "LaceworkCWSBucketPolicy" ], "Properties": { "TrailName": { "Fn::Join": [ "", [ { "Ref": "ResourceNamePrefix" }, "-laceworkcws" ] ] }, "S3BucketName": { "Ref": "LaceworkCWSBucket" }, "S3KeyPrefix": { "Fn::If" : [ "NewTrailUsesLogFilePrefix", { "Ref": "NewTrailLogFilePrefix" }, { "Ref": "AWS::NoValue" } ] }, "SnsTopicName": { "Fn::GetAtt": [ "LaceworkCWSTopic", "TopicName" ] }, "EnableLogFileValidation": true, "IncludeGlobalServiceEvents": true, "IsMultiRegionTrail": true, "IsLogging": true } }, "LaceworkCWSQueue": { "Type": "AWS::SQS::Queue", "Properties": { "QueueName": { "Fn::Join": [ "", [ { "Ref": "ResourceNamePrefix" }, "-laceworkcws" ] ] } } }, "LaceworkCWSQueuePolicy": { "Type": "AWS::SQS::QueuePolicy", "Properties": { "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Sid": "AwsSnsAccess", "Effect": "Allow", "Principal": "*", "Action": [ "sqs:SendMessage" ], "Resource": "*", "Condition": { "ArnEquals": { "aws:SourceArn": { "Fn::If": [ "CreateNewTrail", { "Ref": "LaceworkCWSTopic" }, { "Ref": "ExistingTrailTopicArn" } ] } } } } ] }, "Queues": [ { "Ref": "LaceworkCWSQueue" } ] } }, "LaceworkCWSSubscription": { "Type": "AWS::SNS::Subscription", "Properties": { "Endpoint" : { "Fn::GetAtt": [ "LaceworkCWSQueue", "Arn" ] }, "Protocol" : "sqs", "TopicArn" : { "Fn::If": [ "CreateNewTrail", { "Ref": "LaceworkCWSTopic" }, { "Ref": "ExistingTrailTopicArn" } ] } } }, "LaceworkCWSUser": { "Type": "AWS::IAM::User", "Properties": { "UserName": { "Fn::Join": [ "", [ { "Ref": "ResourceNamePrefix" }, "-laceworkcws" ] ] }, "ManagedPolicyArns": [ "arn:aws-us-gov:iam::aws:policy/SecurityAudit" ] } }, "LaceworkCWSUserAccessKey": { "Type" : "AWS::IAM::AccessKey", "Properties" : { "UserName" : { "Ref" : "LaceworkCWSUser" } } }, "LaceworkCWSPolicy": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyName": "LaceworkCWSPolicy", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Sid": "ConsumeNotifications", "Action": [ "sqs:GetQueueAttributes", "sqs:GetQueueUrl", "sqs:DeleteMessage", "sqs:ReceiveMessage" ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "LaceworkCWSQueue", "Arn" ] } ] }, { "Sid": "ListLogFiles", "Action": [ "s3:ListBucket" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:aws-us-gov:s3:::", { "Fn::If": [ "UseExistingTrail", { "Ref": "ExistingTrailBucketName" }, { "Ref": "LaceworkCWSBucket" } ] }, "/*AWSLogs/" ] ] } ], "Condition": { "StringLike": { "s3:prefix": [ "*AWSLogs/" ] } } }, { "Sid": "ReadLogFiles", "Action": [ "s3:Get*" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:aws-us-gov:s3:::", { "Fn::If": [ "UseExistingTrail", { "Ref": "ExistingTrailBucketName" }, { "Ref": "LaceworkCWSBucket" } ] }, "/*AWSLogs/*" ] ] } ] }, { "Sid": "GetAccountAlias", "Action": [ "iam:ListAccountAliases" ], "Effect": "Allow", "Resource": "*" }, { "Sid": "Debug", "Action": [ "cloudtrail:DescribeTrails", "cloudtrail:GetTrailTopics", "cloudtrail:GetTrailStatus", "cloudtrail:ListPublicKeys", "s3:GetBucketAcl", "s3:GetBucketPolicy", "s3:ListAllMyBuckets", "s3:GetBucketLocation", "s3:GetBucketLogging", "sns:GetSubscriptionAttributes", "sns:GetTopicAttributes", "sns:ListSubscriptions", "sns:ListSubscriptionsByTopic", "sns:ListTopics" ], "Effect": "Allow", "Resource": "*" } ] }, "Users": [ { "Ref": "LaceworkCWSUser" } ] } } }, "Outputs": { "AccountId": { "Description": "Account ID to share with Lacework for integration setup", "Value": { "Ref": "AWS::AccountId" } }, "AccessKeyId": { "Description": "Access Key ID to share with Lacework for integration setup", "Value": { "Ref": "LaceworkCWSUserAccessKey" } }, "SecretAccessKey": { "Description": "Secret Access Key to share with Lacework for integration setup", "Value": { "Fn::GetAtt": [ "LaceworkCWSUserAccessKey", "SecretAccessKey" ] } }, "SQSQueueURL": { "Description": "SQS queue URL to share with Lacework for integration setup", "Value": { "Ref": "LaceworkCWSQueue" } }, "TemplateVersion": { "Description": "Template version", "Value": "1.1" } } }