LoginSignup
3
6

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?

More than 5 years have passed since last update.

@nishimura-toruin株式会社ネットネイティブ

CloudFormationテンプレート(JSON) - CloudTrail 設定

Last updated at Posted at 2018-01-15

#1. 概要

#2. 各リソースメモ

#3. JSONテンプレート

CloudTrail.json
{
    "AWSTemplateFormatVersion" : "2010-09-09",
    "Description" : "CloudTrail",
     "Resources" : {
        "S3Bucket" : {
            "Type" : "AWS::S3::Bucket",
            "Properties" : {
                "BucketName" : { "Fn::Join" : [ "", [ "cloudtrail-", { "Ref" : "AWS::AccountId" } ] ] }
            }
        },
        "S3BucketPolicy" : {
            "Type" : "AWS::S3::BucketPolicy",
            "Properties" : {
                "Bucket" : { "Ref" : "S3Bucket"},
                "PolicyDocument" : {
                    "Version" : "2012-10-17",
                    "Statement" : [
                        {
                            "Sid" : "AWSCloudTrailAclCheck20150319",
                            "Effect" : "Allow",
                            "Principal" : { "Service" : "cloudtrail.amazonaws.com"},
                            "Action" : "s3:GetBucketAcl",
                            "Resource" : { "Fn::Join" : [ "", [ "arn:aws:s3:::cloudtrail-", { "Ref" : "AWS::AccountId" } ] ] }
                        },
                        {
                            "Sid" : "AWSCloudTrailWrite20150319",
                            "Effect" : "Allow",
                            "Principal" : { "Service" : "cloudtrail.amazonaws.com" },
                            "Action" : "s3:PutObject",
                            "Resource" : { "Fn::Join" : [ "", [ "arn:aws:s3:::cloudtrail-", { "Ref" : "AWS::AccountId" }, "/AWSLogs/", { "Ref" : "AWS::AccountId" }, "/*" ] ] },
                            "Condition" : { "StringEquals" : { "s3:x-amz-acl" : "bucket-owner-full-control" } }
                        }
                    ]
                }
            }
        },
        "IAMRole" : {
            "Type" : "AWS::IAM::Role",
            "Properties" : {
                "AssumeRolePolicyDocument" : {
                    "Version" : "2012-10-17",
                    "Statement" : [
                        {
                            "Sid" : "",
                            "Effect" : "Allow",
                            "Principal" : {
                                "Service" : "cloudtrail.amazonaws.com"
                            },
                            "Action" : "sts:AssumeRole"
                        }
                      ]
                },
                "Path" : "/",
                "Policies" : [
                    {
                        "PolicyName" : "cloudtrail",
                        "PolicyDocument" : {
                            "Version" : "2012-10-17",
                            "Statement" : [
                                {
                                    "Sid" : "AWSCloudTrailCreateLogStream20141101",
                                    "Effect" : "Allow",
                                    "Action" : [ "logs:CreateLogStream" ],
                                    "Resource" : { "Fn::Join" : [ "", [ "arn:aws:logs:", { "Ref" : "AWS::Region" }, ":", { "Ref" : "AWS::AccountId" }, ":log-group:CloudTrail:log-stream:", { "Ref" : "AWS::AccountId" }, "_CloudTrail_", { "Ref" : "AWS::Region" }, "*" ] ] }
                                },
                                {
                                    "Sid" : "AWSCloudTrailPutLogEvents20141101",
                                    "Effect" : "Allow",
                                    "Action" : [ "logs:PutLogEvents" ],
                                    "Resource" : { "Fn::Join" : [ "", [ "arn:aws:logs:", { "Ref" : "AWS::Region" }, ":", { "Ref" : "AWS::AccountId" }, ":log-group:CloudTrail:log-stream:", { "Ref" : "AWS::AccountId" }, "_CloudTrail_", { "Ref" : "AWS::Region" }, "*" ] ] }
                                }
                            ]
                        }
                    }
                ],
                "RoleName": "cloudtrail"
            }
        },
        "LogsLogGroup": {
            "Type" : "AWS::Logs::LogGroup",
            "Properties" : {
                "LogGroupName" : "CloudTrail",
                "RetentionInDays" : 7
            }
        },
        "CloudTrailTrail" : {
            "DependsOn" : "S3BucketPolicy",
            "Type" : "AWS::CloudTrail::Trail",
            "Properties" : {
                "CloudWatchLogsLogGroupArn" : { "Fn::GetAtt" : [ "LogsLogGroup", "Arn" ] },
                "CloudWatchLogsRoleArn" : { "Fn::GetAtt": [ "IAMRole", "Arn" ] },
                "IncludeGlobalServiceEvents" : true,
                "IsLogging" : true,
                "IsMultiRegionTrail" : true,
                "S3BucketName" : { "Fn::Join": [ "", [ "cloudtrail-", { "Ref" : "AWS::AccountId" } ] ] },
                "TrailName" : { "Ref": "AWS::AccountId" }
            }
        }
    },
    "Outputs" : {
        "S3Bucket" : {
            "Description" : "S3 Bucket Name",
            "Value" : { "Ref" : S3Bucket }
        },
        "IAMRole" : {
            "Description" : "IAM Role Name",
            "Value" : { "Ref" : IAMRole }
        },
        "LogsLogGroup" : {
            "Description" : "Log Group Name",
            "Value" : { "Ref" : LogsLogGroup }
        },
        "CloudTrailTrail" : {
            "Description" : "Trail Name",
            "Value" : { "Ref" : CloudTrailTrail }
        }
    }
}
3
6
0

Register as a new user and use Qiita more conveniently

  1. You get articles that match your needs
  2. You can efficiently read back useful information
  3. You can use dark theme
What you can do with signing up
Sign upLogin
3
6

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?