0-Global.yml

---
AWSTemplateFormatVersion: "2010-09-09"
Description: Run once per AWS account. 1) CloudTrail 2) CloudWatch alerts for CloudTrail 3) Audit IAM group and user 4) Allow StackSets to be created/managed.

Parameters:

  AdministratorAccountId:
    Type: String
    Description: AWS Account Id of the administrator account (the account in which StackSets will be created).
    MaxLength: 12
    MinLength: 12

  AlertEmail:
    Type: String
    Description: Email address to send CloudWatch Alerts to.

  TrailName:
    Type: String
    Default: CloudTrail

Resources:

  # ========== The CloudTrail ==========

  CloudTrail:
    Type: AWS::CloudTrail::Trail
    DependsOn:
      - CloudTrailBucketPolicy
      - CloudTrailCloudWatchLogsLogGroup
    Properties:
      CloudWatchLogsRoleArn: !GetAtt CloudTrailCloudWatchLogsRole.Arn
      CloudWatchLogsLogGroupArn: !GetAtt CloudTrailCloudWatchLogsLogGroup.Arn
      EnableLogFileValidation: true
      EventSelectors:
        - IncludeManagementEvents: true
          ReadWriteType: All
      IncludeGlobalServiceEvents: true
      IsLogging: true
      IsMultiRegionTrail: true
      S3BucketName: !Ref CloudTrailBucket
      TrailName: !Ref TrailName

  # ========== S3 Bucket for CloudTrail ==========

  CloudTrailBucket:
    Type: AWS::S3::Bucket
    DeletionPolicy: Retain
    Properties:
      AccessControl: Private
      VersioningConfiguration:
        Status: Enabled

  CloudTrailBucketPolicy:
    Type: AWS::S3::BucketPolicy
    DependsOn:
      - CloudTrailBucket
    Properties:
      Bucket: !Ref CloudTrailBucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AWSCloudTrailAclCheck20150319
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: s3:GetBucketAcl
            Resource: !Sub arn:aws:s3:::${CloudTrailBucket}
          - Sid: AWSCloudTrailWrite20150319
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: s3:PutObject
            Resource: !Sub arn:aws:s3:::${CloudTrailBucket}/AWSLogs/${AWS::AccountId}/*
            Condition:
              StringEquals:
                s3:x-amz-acl: bucket-owner-full-control

  # ========== CloudWatch Logs for CloudTrail ==========

  CloudTrailCloudWatchLogsLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Ref TrailName

  CloudTrailCloudWatchLogsRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Principal:
            Service:
            - cloudtrail.amazonaws.com
          Action:
          - sts:AssumeRole
      Path: "/"
      Policies:
      - PolicyName: CloudTrail
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
          - Sid: AWSCloudTrailCreateLogStream20141101
            Effect: Allow
            Action:
            - logs:CreateLogStream
            Resource: !Sub arn:aws:logs:${AWS::Region}:*:log-group:${CloudTrailCloudWatchLogsLogGroup}:log-stream:*
          - Sid: AWSCloudTrailPutLogEvents20141101
            Effect: Allow
            Action:
            - logs:PutLogEvents
            Resource: !Sub arn:aws:logs:${AWS::Region}:*:log-group:${CloudTrailCloudWatchLogsLogGroup}:log-stream:*

  # ========== Email Alert On CloudTrail Triggers ==========

  AdminEmailerTopic:
    Type: AWS::SNS::Topic
    DependsOn:
      - CloudTrail
    Properties:
      DisplayName: Admin Alerts
      Subscription:
        - Endpoint: !Ref AlertEmail
          Protocol: email

  AllowSnsTopicPublishPolicy:
    Type: AWS::SNS::TopicPolicy
    DependsOn:
      - CloudTrail
    Properties:
      PolicyDocument:
        Id: AllowSnsTopicPublishPolicy
        Version: '2012-10-17'
        Statement:
        - Sid: AllowCWEToPublishEventsToVpnEmailAlarmTopic
          Effect: Allow
          Principal:
            Service: events.amazonaws.com
          Action: sns:Publish
          Resource: !Ref AdminEmailerTopic
        - Sid: AllowAllToPublishToEmailAlarmTopic
          Effect: Allow
          Principal:
            AWS: "*"
          Action:
            - SNS:GetTopicAttributes
            - SNS:SetTopicAttributes
            - SNS:AddPermission
            - SNS:RemovePermission
            - SNS:DeleteTopic
            - SNS:Subscribe
            - SNS:ListSubscriptionsByTopic
            - SNS:Publish
            - SNS:Receive
          Resource: !Ref AdminEmailerTopic
          Condition:
            StringEquals:
              AWS:SourceOwner: !Ref AWS::AccountId
      Topics:
        - !Ref AdminEmailerTopic

  # Create a filtered version of the CloudTrail logs for events of interest
  CloudTrailFilteredCloudWatchLogsLogGroup:
    Type: AWS::Logs::LogGroup
    DependsOn:
      - CloudTrail
    Properties:
      LogGroupName: !Sub ${TrailName}-Filtered

  CloudTrailFilteredCloudWatchLogsLogStream:
    Type: AWS::Logs::LogStream
    Properties:
      LogGroupName: !Ref CloudTrailFilteredCloudWatchLogsLogGroup
      LogStreamName: !Ref CloudTrailFilteredCloudWatchLogsLogGroup

  # Alert the admin by email, and also log to the CloudTrail-Filtered Log Group for record keeping and easier tracking
  CloudTrailEmailerFunction:
    Type: AWS::Lambda::Function
    DependsOn:
      - CloudTrail
    Properties:
      Code:
        ZipFile: !Sub >
          var aws = require('aws-sdk');
          var zlib = require('zlib');
          exports.handler = function(event, context) {
            var payload = new Buffer(event.awslogs.data, 'base64');
            zlib.gunzip(payload, function(e, result) {
              if (e) { context.fail(e); }
              else {
                result = JSON.parse(result.toString('ascii'));
                var sns = new aws.SNS();
                const cloudwatchlogs = new aws.CloudWatchLogs();
                var filteredLogGroup = "${CloudTrailFilteredCloudWatchLogsLogGroup}";
                var messageText = "";
                var eventNames = "";
                for (const logEvent of result.logEvents) {
                  const message = JSON.parse(logEvent.message.replace(/"/g,'"'));
                  messageText = messageText + "========== " + message.eventName + " ==========\n" + JSON.stringify(message, null, 2) + "\n\n";
                  eventNames = eventNames + message.eventName + ", ";
                }
                return sns.publish({
                  Message: messageText,
                  Subject: "CloudTrail " + eventNames,
                  TopicArn: "${AdminEmailerTopic}"
                }).promise()
                .catch( error => {
                  console.error("Error sending to SNS: " + error);
                })
                .then( success => {
                  return cloudwatchlogs.describeLogStreams( {
                    logGroupName: filteredLogGroup
                  }).promise();
                })
                .catch( error => {
                  console.error("Error getting Log Streams: " + error);
                })
                .then( data => {
                  return cloudwatchlogs.putLogEvents( {
                    logEvents: [ {
                      message: messageText,
                      timestamp: (new Date()).getTime()
                    } ],
                    logGroupName: filteredLogGroup,
                    logStreamName: filteredLogGroup,
                    sequenceToken: data.logStreams[0].uploadSequenceToken
                  }).promise();
                })
                .catch( error => {
                  console.error("Error putting CloudWatch Log: " + error);
                })
                .then( result => {
                  context.done();
                });
              }
            });
          };
      Handler: index.handler
      Role: !GetAtt CloudTrailEmailerFunctionRole.Arn
      Runtime: nodejs12.x
      Timeout: 10

  CloudTrailEmailerCloudWatchPermission:
    Type: AWS::Lambda::Permission
    DependsOn:
      - CloudTrail
    Properties:
      FunctionName: !GetAtt CloudTrailEmailerFunction.Arn
      Action: lambda:InvokeFunction
      Principal: !Sub logs.${AWS::Region}.amazonaws.com
      SourceAccount: !Ref 'AWS::AccountId'

  CloudTrailEmailerFunctionRole:
    Type: AWS::IAM::Role
    DependsOn:
      - CloudTrail
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Principal:
            Service:
            - lambda.amazonaws.com
          Action:
          - sts:AssumeRole
      Path: "/"
      Policies:
      - PolicyName: lambda-logs-SNS
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
          - Effect: Allow
            Action:
              - logs:CreateLogGroup
              - logs:CreateLogStream
              - logs:PutLogEvents
            Resource:
              - !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/*
              - !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/*:log-stream:*
              - !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:${CloudTrailFilteredCloudWatchLogsLogGroup}
              - !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:${CloudTrailFilteredCloudWatchLogsLogGroup}:log-stream:*
          - Effect: Allow
            Action:
              - logs:DescribeLogStreams
              - logs:DescribeLogGroups
            Resource:
              - !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:*
          - Effect: Allow
            Action:
              - sns:Publish
            Resource: !Ref AdminEmailerTopic

  CloudTrailEmailerCloudWatchPermission:
    Type: AWS::Lambda::Permission
    DependsOn:
      - CloudTrail
    Properties:
      FunctionName: !GetAtt CloudTrailEmailerFunction.Arn
      Action: lambda:InvokeFunction
      Principal: !Sub logs.${AWS::Region}.amazonaws.com
      SourceAccount: !Ref 'AWS::AccountId'

  CloudTrailSubscriptionFilter:
    Type: AWS::Logs::SubscriptionFilter
    DependsOn:
      - CloudTrail
    Properties:
      DestinationArn: !GetAtt CloudTrailEmailerFunction.Arn
      FilterPattern: '{ $.eventName=AuthorizeSecurityGroupIngress || $.eventName=AuthorizeSecurityGroupEgress
|| $.eventName=CreateSecurityGroup || $.eventName=DeleteSecurityGroup
|| (( $.eventName=GetParametersByPath || $.eventName=GetParameter || $.eventName=GetParameters ) && $.requestParameters.withDecryption IS TRUE)
|| $.eventName=RunInstances || $.eventName=StartInstances || $.eventName=TerminateInstances
|| $.eventName=UpdateTrail || $.eventName=DeleteTrail || $.eventName=StopLogging
|| $.eventName=PutGroupPolicy || $.eventName=PutRolePolicy || $.eventName=PutUserPolicy
|| $.eventName=CreatePolicyVersion || $.eventName=AttachRolePolicy || $.eventName=AttachUserPolicy || $.eventName=AttachGroupPolicy}'
      LogGroupName: !Ref TrailName

  # ==================================================
  # ======= OPENWATCH USER & AUDIT IAM GROUP =========
  # ==================================================

  OpenWatchUserAccessKey:
    Type: AWS::IAM::AccessKey
    DependsOn:
      - CloudTrail
      - OpenWatchUser
    Properties:
      Status: Active
      UserName: !Ref OpenWatchUser

  OpenWatchUser:
    Type: AWS::IAM::User
    DependsOn:
      - CloudTrail
      - CloudTrailBucket
    Properties:
      UserName: OpenWatch
      Policies:
        - PolicyName: OnlyPermissionsForCloudTrailLogs
          PolicyDocument:
            Version: 2012-10-17
            Statement:
            - Effect: Allow
              Action:
                - cloudtrail:DescribeTrails
                - cloudtrail:ListPublicKeys
              Resource:
                - "*"
            - Effect: Allow
              Action:
                - s3:ListBucket
              Resource:
                - !Sub
                  - arn:aws:s3:::${CloudTrailBucket}
                  - CloudTrailBucket: !Ref CloudTrailBucket
            - Effect: Allow
              Action:
                - s3:GetObject
              Resource:
                - !Sub
                  - arn:aws:s3:::${CloudTrailBucket}/*
                  - CloudTrailBucket: !Ref CloudTrailBucket

  AuditGroup:
    Type: AWS::IAM::Group
    DependsOn:
      - CloudTrail
    Properties:
      GroupName: Audit
      Policies:
        - PolicyName: ReadCloudWatchLogsAdminAuditCloudTrail
          PolicyDocument:
            Version: 2012-10-17
            Statement:
            - Effect: Allow
              Action:
                - logs:DescribeLogStreams
                - logs:DescribeLogGroups
              Resource:
                - !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:*
            - Effect: Allow
              Action:
                - logs:GetLogEvents
                - logs:FilterLogEvents
              Resource:
                - !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:*-AdminAudit
                - !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:*-AdminAudit:*
                - !Sub
                  - arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:${CloudTrailCloudWatchLogsLogGroup}
                  - CloudTrailCloudWatchLogsLogGroup: !Ref CloudTrailCloudWatchLogsLogGroup
                - !Sub
                  - arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:${CloudTrailCloudWatchLogsLogGroup}:*
                  - CloudTrailCloudWatchLogsLogGroup: !Ref CloudTrailCloudWatchLogsLogGroup
            - Effect: Allow
              Action:
                - s3:ListBucket
              Resource:
                - !Sub
                  - arn:aws:s3:::${CloudTrailBucket}
                  - CloudTrailBucket: !Ref CloudTrailBucket
                - arn:aws:s3:::stackset-*
                - arn:aws:s3:::shared-adminauditbucket-*
                - arn:aws:s3:::shared-artifactbucket-*
            - Effect: Allow
              Action:
                - kms:Decrypt
                - s3:GetObject
              Resource:
                - !Sub
                  - arn:aws:s3:::${CloudTrailBucket}/*
                  - CloudTrailBucket: !Ref CloudTrailBucket
                - arn:aws:s3:::stackset-*/*
                - arn:aws:s3:::shared-adminauditbucket-*
                - arn:aws:s3:::shared-artifactbucket-*
                - arn:aws:s3:::shared-adminauditbucket-*/*
                - arn:aws:s3:::shared-artifactbucket-*/*
        - PolicyName: AuditReadOnly
          PolicyDocument:
            Version: 2012-10-17
            Statement:
            - Effect: Allow
              Action:
                - acm:DescribeCertificate
                - acm:ListCertificates
                - autoscaling:Describe*
                - cloudformation:Describe*
                - cloudformation:Get*
                - cloudformation:List*
                - cloudformation:DetectStack*
                - cloudtrail:Describe*
                - cloudtrail:Get*
                - cloudtrail:List*
                - cloudtrail:LookupEvents
                - codebuild:BatchGet*
                - codebuild:List*
                - codecommit:BatchGet*
                - codecommit:Get*
                - codecommit:List*
                - codecommit:Describe*
                - codecommit:GitPull
                - codedeploy:BatchGet*
                - codedeploy:Get*
                - codedeploy:List*
                - codepipeline:List*
                - codepipeline:Get*
                - ec2:DescribeAddresses
                - ec2:DescribeDhcpOptions
                - ec2:DescribeEgressOnlyInternetGateways
                - ec2:DescribeFlowLogs
                - ec2:DescribeIamInstanceProfileAssociations
                - ec2:DescribeImageAttribute
                - ec2:DescribeImages
                - ec2:DescribeInstanceAttribute
                - ec2:DescribeInstances
                - ec2:DescribeInternetGateways
                - ec2:DescribeLaunchTemplates
                - ec2:DescribeLaunchTemplateVersions
                - ec2:DescribeNatGateways
                - ec2:DescribeNetworkAcls
                - ec2:DescribeNetworkInterfaceAttribute
                - ec2:DescribeNetworkInterfacePermissions
                - ec2:DescribeNetworkInterfaces
                - ec2:DescribeRegions
                - ec2:DescribeReservedInstances
                - ec2:DescribeRouteTables
                - ec2:DescribeSecurityGroupReferences
                - ec2:DescribeSecurityGroups
                - ec2:DescribeStaleSecurityGroups
                - ec2:DescribeSubnets
                - ec2:DescribeTags
                - ec2:DescribeTransitGatewayAttachments
                - ec2:DescribeTransitGatewayRouteTables
                - ec2:DescribeTransitGateways
                - ec2:DescribeTransitGatewayVpcAttachments
                - ec2:DescribeVolumeAttribute
                - ec2:DescribeVolumes
                - ec2:DescribeVolumesModifications
                - ec2:DescribeVolumeStatus
                - ec2:DescribeVpcAttribute
                - ec2:DescribeVpcEndpointConnectionNotifications
                - ec2:DescribeVpcEndpointConnections
                - ec2:DescribeVpcEndpoints
                - ec2:DescribeVpcEndpointServiceConfigurations
                - ec2:DescribeVpcEndpointServicePermissions
                - ec2:DescribeVpcEndpointServices
                - ec2:DescribeVpcPeeringConnections
                - ec2:DescribeVpcs
                - ec2:DescribeVpnConnections
                - ec2:DescribeVpnGateways
                - elasticache:Describe*
                - elasticache:List*
                - elasticloadbalancing:DescribeLoadBalancers
                - elasticloadbalancing:DescribeListeners
                - elasticloadbalancing:DescribeListenerCertificates
                - iam:getRole
                - iam:getRolePolicy
                - iam:getInstanceProfile
                - iam:getPolicy
                - iam:getPolicyVersion
                - iam:ListAttachedRolePolicies
                - iam:listInstanceProfiles
                - iam:listInstanceProfilesForRole
                - iam:listPolicies
                - iam:listRoles
                - iam:listRolePolicies
                - iam:ListServerCertificates
                - lambda:List*
                - lambda:Get*
                - lightsail:GetActiveNames
                - lightsail:GetInstance
                - lightsail:GetInstancePortStates
                - lightsail:GetInstanceState
                - lightsail:GetInstances
                - lightsail:GetOperation
                - lightsail:GetOperations
                - lightsail:GetOperationsForResource
                - lightsail:GetRegions
                - lightsail:GetStaticIp
                - lightsail:GetStaticIps
                - rds:Describe*
                - route53:GetHostedZone
                - route53:GetHostedZoneCount
                - route53:ListHostedZones
                - route53:ListHostedZonesByName
                - route53:ListResourceRecordSets
                - s3:ListAllMyBuckets
                - ses:ListIdentities
                - ssm:DescribeAssociation
                - ssm:DescribeDocument
                - ssm:DescribeSessions
                - ssm:ListAssociations
                - ssm:ListCommands
                - ssm:ListDocuments
              Resource: "*"

  # ==================================================
  # =========== ALLOW STACKSET MANAGEMENT ============
  # ==================================================

  AdministrationRole:
    Type: AWS::IAM::Role
    DependsOn:
      - CloudTrail
    Properties:
      RoleName: AWSCloudFormationStackSetAdministrationRole
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudformation.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: /
      Policies:
        - PolicyName: AssumeRole-AWSCloudFormationStackSetExecutionRole
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - sts:AssumeRole
                Resource:
                  - "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole"

  ExecutionRole:
    Type: AWS::IAM::Role
    DependsOn:
      - CloudTrail
    Properties:
      RoleName: AWSCloudFormationStackSetExecutionRole
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                - !Ref AdministratorAccountId
            Action:
              - sts:AssumeRole
      Path: /
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AdministratorAccess

Outputs:

  OpenWatchUserAccessKeyId:
    Value: !Ref OpenWatchUserAccessKey
    Export:
      Name: OpenWatchUserAccessKeyId
  OpenWatchUserAccessKeySecret:
    Value: !GetAtt OpenWatchUserAccessKey.SecretAccessKey
    Export:
      Name: OpenWatchUserAccessKeySecret