Template
Contents
- Configure Route 53 Resolver query logging
- Create the S3 bucket that receives the query logs
- Set the bucket policy on that S3 bucket
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  VpcId:
    Type: String
Resources:
  ResolverQueryLoggingConfig:
    Type: AWS::Route53Resolver::ResolverQueryLoggingConfig
    # Wait for the bucket policy: the GetAtt below only implies a dependency on the
    # bucket itself, and Resolver needs write permission when the config is created.
    DependsOn: Route53ResolverQueryLogS3BucketPolicy
    Properties:
      Name: vpc-query-logs
      DestinationArn: !GetAtt Route53ResolverQueryLogS3Bucket.Arn
  ResolverQueryLoggingConfigAssociation:
    Type: AWS::Route53Resolver::ResolverQueryLoggingConfigAssociation
    Properties:
      ResolverQueryLogConfigId: !Ref ResolverQueryLoggingConfig
      ResourceId: !Ref VpcId
  Route53ResolverQueryLogS3Bucket:
    Type: AWS::S3::Bucket
    DeletionPolicy: Delete
    Properties:
      # Bucket names are global; change this if the name is already taken.
      BucketName: sample-route53-resolver-query-log
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      LifecycleConfiguration:
        Rules:
          - Id: life-cycle-rule
            Status: Enabled
            ExpirationInDays: 365
            NoncurrentVersionExpiration:
              NewerNoncurrentVersions: 1
              NoncurrentDays: 90
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      VersioningConfiguration:
        Status: Enabled
  Route53ResolverQueryLogS3BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref Route53ResolverQueryLogS3Bucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: AWSLogDeliveryWrite
            Effect: Allow
            Principal:
              Service:
                - delivery.logs.amazonaws.com
            Action:
              - "s3:PutObject"
            Resource:
              - !Sub ${Route53ResolverQueryLogS3Bucket.Arn}/AWSLogs/${AWS::AccountId}/*
            # SourceAccount / SourceArn keep another account's log delivery from
            # writing into this bucket; the ACL condition keeps the bucket owner in control.
            Condition:
              StringEquals:
                "s3:x-amz-acl": "bucket-owner-full-control"
                "aws:SourceAccount": !Ref AWS::AccountId
              ArnLike:
                # ap-northeast-1 is the region this template is deployed in.
                "aws:SourceArn": !Sub arn:aws:logs:ap-northeast-1:${AWS::AccountId}:*
          - Sid: AWSLogDeliveryAclCheck
            Effect: Allow
            Principal:
              Service:
                - delivery.logs.amazonaws.com
            Action:
              - "s3:GetBucketAcl"
            Resource:
              - !Sub ${Route53ResolverQueryLogS3Bucket.Arn}
            Condition:
              StringEquals:
                "aws:SourceAccount": !Ref AWS::AccountId
              ArnLike:
                "aws:SourceArn": !Sub arn:aws:logs:ap-northeast-1:${AWS::AccountId}:*
```
Things I got stuck on
I didn't know how to write the Condition in the bucket policy
At first I had written it as below, but deployment kept failing with a policy syntax error.
It should have been written directly as a mapping rather than as a list.
```yaml
Condition:
  StringEquals:
    - "s3:x-amz-acl": "bucket-owner-full-control"
    - "aws:SourceAccount": !Ref AWS::AccountId
  ArnLike:
    - AWS:SourceArn: !Sub arn:aws:logs:ap-northeast-1:${AWS::AccountId}:*
```