
  • An S3 bucket for ALB raw log storage (if not already configured)

  • A bucket policy granting read-only access to the Data Theorem AWS account

  • An SNS topic and subscription for log event notifications to our Logs Analysis service

Example CloudFormation Template To Illustrate Resource Modifications

Note

Do not use this template as-is. Its purpose is to show the SNS resources that are created and the S3 bucket policies that are created or modified.

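# Illustrative CloudFormation template: an SNS topic and HTTPS subscription that
# forward S3 "object created" events for ALB access logs to the Data Theorem
# ingest endpoint, the S3 log bucket itself, and the bucket policy that lets the
# ELB log-delivery account write and the Data Theorem ingest user read.
Parameters:
  S3LoggingBucketName:
    Type: String
    Description: Name of the S3 bucket that receives ALB access logs.
  S3LoggingBucketPrefix:
    Type: String
    Description: Key prefix under which the ALB writes its access logs.
  DataTheoremApiKey:
    Type: String
    # The key is embedded in the subscription Endpoint URL below; NoEcho keeps
    # it out of DescribeStacks output and the console parameter view.
    NoEcho: true
    Description: API key used to authenticate log delivery to Data Theorem.
Resources:
  DataTheoremAWSALBLogSNSTopic:
    Type: AWS::SNS::Topic
  DataTheoremAWSALBLogSNSTopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      PolicyDocument:
        Id: DataTheoremSNSS3Policy
        Version: "2012-10-17"
        Statement:
          - Sid: datatheorem-logs-s3-bucket-to-sns-topic
            Effect: Allow
            Principal:
              Service: s3.amazonaws.com
            Action: SNS:Publish
            Resource: !Ref DataTheoremAWSALBLogSNSTopic
            # Condition operators take a mapping of keys, not a list; the
            # original "- aws:..." form produced a sequence the policy engine
            # rejects. SourceAccount plus SourceArn together prevent a bucket in
            # another account from publishing to this topic.
            Condition:
              StringEquals:
                aws:SourceAccount: !Sub "${AWS::AccountId}"
              ArnLike:
                # Built from the bucket-name parameter instead of !Ref of the
                # bucket resource so the bucket can DependsOn this policy
                # without a circular dependency (S3 validates publish permission
                # on the topic when the notification configuration is applied).
                aws:SourceArn: !Sub "arn:aws:s3:::${S3LoggingBucketName}"
      Topics:
        - !Ref DataTheoremAWSALBLogSNSTopic
  DataTheoremAWSALBLogSNSSubscription:
    Type: AWS::SNS::Subscription
    Properties:
      Protocol: https
      TopicArn: !Ref DataTheoremAWSALBLogSNSTopic
      # The API key travels as HTTP basic-auth userinfo in the URL; this is the
      # vendor-defined endpoint format, so the value must be treated as a secret.
      Endpoint: !Sub "https://token:${DataTheoremApiKey}@api-protect-api.securetheorem.com/logs/v1/ingest/aws_alb"
      DeliveryPolicy:
        healthyRetryPolicy:
          numRetries: 3
          numNoDelayRetries: 0
          minDelayTarget: 20
          maxDelayTarget: 20
          numMinDelayRetries: 0
          numMaxDelayRetries: 0
          backoffFunction: linear
        requestPolicy:
          headerContentType: application/json
  S3LoggingBucket:
    Type: AWS::S3::Bucket
    # The topic policy must already grant s3.amazonaws.com SNS:Publish when the
    # NotificationConfiguration below is created, or stack creation fails.
    DependsOn: DataTheoremAWSALBLogSNSTopicPolicy
    Properties:
      BucketName: !Ref S3LoggingBucketName
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              # NOTE(review): ALB access-log delivery is documented as supporting
              # only SSE-S3 (AES256) on the destination bucket — confirm aws:kms
              # actually works for log delivery before relying on it.
              SSEAlgorithm: aws:kms
              KMSMasterKeyID: alias/aws/s3
      # All four block-public-access settings are enabled; the original set only
      # the two "Ignore/Restrict" flags, leaving public ACLs and public bucket
      # policies attachable. The specific-principal grants below are not
      # "public" and remain effective.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      NotificationConfiguration:
        TopicConfigurations:
          - Event: "s3:ObjectCreated:*"
            Topic: !Ref DataTheoremAWSALBLogSNSTopic
  S3LoggingBucketBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref S3LoggingBucket
      PolicyDocument:
        Id: RequireEncryptionInTransit
        Version: "2012-10-17"
        Statement:
          - Sid: Allow AWS Log Puts
            Effect: Allow
            Principal:
              # NOTE(review): ELB log delivery uses a region-specific service
              # account; confirm this account ID matches the load balancer's
              # region before deploying.
              AWS: "arn:aws:iam::797873946194:root"
            Action: s3:PutObject
            # The original had a stray double quote in the key ("Resource\"")
            # and at the end of the value, which is invalid YAML for this key.
            Resource: !Sub "arn:aws:s3:::${S3LoggingBucketName}/${S3LoggingBucketPrefix}/AWSLogs/${AWS::AccountId}/*"
          - Sid: GiveS3AccessToDT
            Effect: Allow
            Principal:
              AWS: "arn:aws:iam::263348581401:user/prod-api-protect-api-logs-ingest"
            Action: s3:GetObject
            # The original omitted "${" before S3LoggingBucketPrefix, so the
            # prefix name was emitted literally rather than substituted, and the
            # read grant never matched the log objects.
            Resource: !Sub "arn:aws:s3:::${S3LoggingBucketName}/${S3LoggingBucketPrefix}/*"
          # Gives the policy Id its meaning: no statement in the original
          # actually required TLS. Log delivery and the ingest reads both use
          # HTTPS, so this Deny does not affect them.
          - Sid: DenyInsecureTransport
            Effect: Deny
            Principal: "*"
            Action: "s3:*"
            Resource:
              - !Sub "arn:aws:s3:::${S3LoggingBucketName}"
              - !Sub "arn:aws:s3:::${S3LoggingBucketName}/*"
            Condition:
              Bool:
                aws:SecureTransport: "false"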