

CloudFormationテンプレート(JSON) - CloudTrail 設定

Posted at 2018-01-15

# 1. 概要

# 2. 各リソースメモ

- S3BucketPolicy は cloudtrail.amazonaws.com に `s3:PutObject` を許可しているが、`aws:SourceArn` 条件で自アカウントの Trail に限定していない。また AWS::CloudTrail::Trail に `EnableLogFileValidation` を設定していないため、必要に応じて追加を検討する。

# 3. JSONテンプレート

CloudTrail.json
{
    "AWSTemplateFormatVersion" : "2010-09-09",
    "Description" : "CloudTrail",
     "Resources" : {
        "S3Bucket" : {
            "Type" : "AWS::S3::Bucket",
            "Properties" : {
                "BucketName" : { "Fn::Join" : [ "", [ "cloudtrail-", { "Ref" : "AWS::AccountId" } ] ] }
            }
        },
        "S3BucketPolicy" : {
            "Type" : "AWS::S3::BucketPolicy",
            "Properties" : {
                "Bucket" : { "Ref" : "S3Bucket"},
                "PolicyDocument" : {
                    "Version" : "2012-10-17",
                    "Statement" : [
                        {
                            "Sid" : "AWSCloudTrailAclCheck20150319",
                            "Effect" : "Allow",
                            "Principal" : { "Service" : "cloudtrail.amazonaws.com"},
                            "Action" : "s3:GetBucketAcl",
                            "Resource" : { "Fn::Join" : [ "", [ "arn:aws:s3:::cloudtrail-", { "Ref" : "AWS::AccountId" } ] ] }
                        },
                        {
                            "Sid" : "AWSCloudTrailWrite20150319",
                            "Effect" : "Allow",
                            "Principal" : { "Service" : "cloudtrail.amazonaws.com" },
                            "Action" : "s3:PutObject",
                            "Resource" : { "Fn::Join" : [ "", [ "arn:aws:s3:::cloudtrail-", { "Ref" : "AWS::AccountId" }, "/AWSLogs/", { "Ref" : "AWS::AccountId" }, "/*" ] ] },
                            "Condition" : { "StringEquals" : { "s3:x-amz-acl" : "bucket-owner-full-control" } }
                        }
                    ]
                }
            }
        },
        "IAMRole" : {
            "Type" : "AWS::IAM::Role",
            "Properties" : {
                "AssumeRolePolicyDocument" : {
                    "Version" : "2012-10-17",
                    "Statement" : [
                        {
                            "Sid" : "",
                            "Effect" : "Allow",
                            "Principal" : {
                                "Service" : "cloudtrail.amazonaws.com"
                            },
                            "Action" : "sts:AssumeRole"
                        }
                      ]
                },
                "Path" : "/",
                "Policies" : [
                    {
                        "PolicyName" : "cloudtrail",
                        "PolicyDocument" : {
                            "Version" : "2012-10-17",
                            "Statement" : [
                                {
                                    "Sid" : "AWSCloudTrailCreateLogStream20141101",
                                    "Effect" : "Allow",
                                    "Action" : [ "logs:CreateLogStream" ],
                                    "Resource" : { "Fn::Join" : [ "", [ "arn:aws:logs:", { "Ref" : "AWS::Region" }, ":", { "Ref" : "AWS::AccountId" }, ":log-group:CloudTrail:log-stream:", { "Ref" : "AWS::AccountId" }, "_CloudTrail_", { "Ref" : "AWS::Region" }, "*" ] ] }
                                },
                                {
                                    "Sid" : "AWSCloudTrailPutLogEvents20141101",
                                    "Effect" : "Allow",
                                    "Action" : [ "logs:PutLogEvents" ],
                                    "Resource" : { "Fn::Join" : [ "", [ "arn:aws:logs:", { "Ref" : "AWS::Region" }, ":", { "Ref" : "AWS::AccountId" }, ":log-group:CloudTrail:log-stream:", { "Ref" : "AWS::AccountId" }, "_CloudTrail_", { "Ref" : "AWS::Region" }, "*" ] ] }
                                }
                            ]
                        }
                    }
                ],
                "RoleName": "cloudtrail"
            }
        },
        "LogsLogGroup": {
            "Type" : "AWS::Logs::LogGroup",
            "Properties" : {
                "LogGroupName" : "CloudTrail",
                "RetentionInDays" : 7
            }
        },
        "CloudTrailTrail" : {
            "DependsOn" : "S3BucketPolicy",
            "Type" : "AWS::CloudTrail::Trail",
            "Properties" : {
                "CloudWatchLogsLogGroupArn" : { "Fn::GetAtt" : [ "LogsLogGroup", "Arn" ] },
                "CloudWatchLogsRoleArn" : { "Fn::GetAtt": [ "IAMRole", "Arn" ] },
                "IncludeGlobalServiceEvents" : true,
                "IsLogging" : true,
                "IsMultiRegionTrail" : true,
                "S3BucketName" : { "Fn::Join": [ "", [ "cloudtrail-", { "Ref" : "AWS::AccountId" } ] ] },
                "TrailName" : { "Ref": "AWS::AccountId" }
            }
        }
    },
    "Outputs" : {
        "S3Bucket" : {
            "Description" : "S3 Bucket Name",
            "Value" : { "Ref" : "S3Bucket" }
        },
        "IAMRole" : {
            "Description" : "IAM Role Name",
            "Value" : { "Ref" : "IAMRole" }
        },
        "LogsLogGroup" : {
            "Description" : "Log Group Name",
            "Value" : { "Ref" : "LogsLogGroup" }
        },
        "CloudTrailTrail" : {
            "Description" : "Trail Name",
            "Value" : { "Ref" : "CloudTrailTrail" }
        }
    }
}