import { Stack, StackProps } from 'aws-cdk-lib';
import { DataResourceType, ReadWriteType, Trail } from 'aws-cdk-lib/aws-cloudtrail';
import { Effect, PolicyStatement, ServicePrincipal } from 'aws-cdk-lib/aws-iam';
import { BlockPublicAccess, Bucket, BucketEncryption } from 'aws-cdk-lib/aws-s3';
import { Construct } from 'constructs';
import { BaseStack } from './baseStack';
/**
 * Props for {@link LoggingStack}.
 *
 * Only `awsOrganizationsId` is read by the stack constructor; it selects the
 * `AWSLogs/<organization-id>/*` key prefix the organization trail is allowed
 * to write to. `accountId` is accepted but not read here — the account is
 * taken from `Stack.of(this)` instead (presumably kept for callers / other
 * stacks; verify before removing).
 */
type LoggingStackProps = StackProps & {
// Not read by LoggingStack; see note above.
accountId: string;
// AWS Organizations id (o-xxxx) whose member accounts deliver logs into the trail bucket.
awsOrganizationsId: string;
};
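export class LoggingStack extends BaseStack {
  /**
   * Provisions the organization-wide CloudTrail trail and the S3 bucket that
   * receives its log files.
   *
   * The bucket policy grants the CloudTrail service principal only what log
   * delivery needs (`s3:GetBucketAcl` on the bucket, `s3:PutObject` under the
   * account and organization `AWSLogs/` prefixes) and pins every write grant to
   * this trail's ARN via `aws:SourceArn`, so another trail in a different
   * account cannot reuse the bucket (confused-deputy guard).
   *
   * @param scope - parent construct
   * @param id - construct id
   * @param props - `awsOrganizationsId` selects the organization key prefix;
   *   `accountId` is not read here (the account comes from `Stack.of(this)`).
   */
  constructor(scope: Construct, id: string, props: LoggingStackProps) {
    super(scope, id, props);
    const { awsOrganizationsId } = props;
    // `partition` keeps the hand-built ARN valid outside the commercial partition
    // (aws-cn / aws-us-gov) instead of hard-coding `arn:aws:`.
    const { region, account, partition } = Stack.of(this);
    const trailName = 'OrganizationTrail';
    const trailArn = `arn:${partition}:cloudtrail:${region}:${account}:trail/${trailName}`;
    const cloudTrailPrincipal = new ServicePrincipal('cloudtrail.amazonaws.com');

    // Shared write condition: CloudTrail must hand ownership of each object to the
    // bucket owner, and the request must originate from this specific trail.
    const writeConditions = {
      StringEquals: {
        's3:x-amz-acl': 'bucket-owner-full-control',
        'aws:SourceArn': trailArn,
      },
    };

    const trailBucket: Bucket = new Bucket(this, 'OrganizationsTrailBucket', {
      bucketName: `${account}-organizations-trail`,
      // Audit-log hardening: no public exposure, TLS-only access, encryption at
      // rest, and versioning so an overwritten or deleted log object can be
      // recovered. None of these change how CloudTrail delivers.
      blockPublicAccess: BlockPublicAccess.BLOCK_ALL,
      enforceSSL: true,
      encryption: BucketEncryption.S3_MANAGED,
      versioned: true,
    });

    // CloudTrail checks the bucket ACL before the first delivery.
    trailBucket.addToResourcePolicy(
      new PolicyStatement({
        sid: 'AWSCloudTrailAclCheck',
        effect: Effect.ALLOW,
        principals: [cloudTrailPrincipal],
        actions: ['s3:GetBucketAcl'],
        resources: [trailBucket.bucketArn],
      }),
    );

    // Management-account logs land under AWSLogs/<account>/...
    trailBucket.addToResourcePolicy(
      new PolicyStatement({
        sid: 'AWSCloudTrailWrite',
        effect: Effect.ALLOW,
        principals: [cloudTrailPrincipal],
        actions: ['s3:PutObject'],
        resources: [trailBucket.arnForObjects(`AWSLogs/${account}/*`)],
        conditions: writeConditions,
      }),
    );

    // Member-account logs land under AWSLogs/<organization-id>/<member-account>/...
    // `arnForObjects` derives the object ARN from the bucket ARN, so the partition
    // is no longer hard-coded as `arn:aws:s3:::` here.
    trailBucket.addToResourcePolicy(
      new PolicyStatement({
        sid: 'AWSCloudTrailWriteOrganization',
        effect: Effect.ALLOW,
        principals: [cloudTrailPrincipal],
        actions: ['s3:PutObject'],
        resources: [trailBucket.arnForObjects(`AWSLogs/${awsOrganizationsId}/*`)],
        conditions: writeConditions,
      }),
    );

    // NOTE(review): the CDK Trail construct may add its own account-scoped bucket
    // statements when given a bucket; the organization-prefix grant above is the
    // one this stack must supply regardless — confirm against the CDK version in use.
    const orgTrail = new Trail(this, trailName, {
      trailName,
      bucket: trailBucket,
      isOrganizationTrail: true,
      // Multi-region + global service events so IAM/STS/CloudFront activity and
      // every region's management events are captured in one trail.
      isMultiRegionTrail: true,
      includeGlobalServiceEvents: true,
      managementEvents: ReadWriteType.ALL,
    });
    // Data events for every S3 object in every bucket. This is deliberately broad
    // for audit coverage; it is also the main driver of trail cost.
    orgTrail.addEventSelector(DataResourceType.S3_OBJECT, [`arn:${partition}:s3`]);
  }
}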