foundation-logging.yaml
---

Logging & Alerting CloudFormation Deployment

This CloudFormation template sets up and deploys a logging and alerting framework for this account.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: "UITS Account Foundation: Logging & Monitoring Capabilities"
Metadata:
  Stack:
    Value: '0'
  VersionDate:
    Value: '20160510'
  Identifier:
    Value: template-logging
  Input:
    Description: CloudTrail bucket name
  Output:
    Description: Outputs ID of all deployed resources
```

Parameters

These are the input parameters for this template. All of these parameters must be supplied for this template to be deployed.

```yaml
Parameters:
```

Notification Email Address

This address gets subscribed to the notification SNS topic that is created.

```yaml
  pNotifyEmail:
    Description: Notification email for security events
    Type: String
    Default: ''
  pSupportsGlacier:
    Description: Determines whether this region supports Glacier (passed in from Main template)
    Type: String
    Default: 'true'
  pCloudTrailLogBucket:
    Description: The name of the external S3 bucket to log CloudTrail events to. For UA this is in the CIO ISO Prod account.
    Type: String
    Default: 'edu.arizona.iso.cloudtrail'
  pAccountType:
    Description: Is this a Production account or a Non-Production account?
    Type: String
    AllowedValues:
      - Production
      - Non-Production
    Default: 'Non-Production'
```

Tags

The following tags are applied to all resources created by this template.

```yaml
  ServiceTag:
    Type: String
    Description: Exact name of the Service as defined in the service catalog.
  EnvironmentTag:
    Type: String
    Description: Used to distinguish between development, test, production, etc. environment types.
    AllowedValues: [dev, tst, prd, trn, stg, cfg, sup, rpt]
    Default: dev
  ContactNetidTag:
    Type: String
    Description: Used to identify the netid of the person most familiar with the usage of the resource.
  AccountNumberTag:
    Type: String
    Description: Identifies the financial system account number.
  SubAccountTag:
    Type: String
    Description: Identifies the financial system's sub account, which contains a name that identifies a collection of services.
  TicketNumberTag:
    Type: String
    Description: Used to identify the Jira, Cherwell, or other ticketing system ticket number to link to more information about the need for the resource.
```

Conditions

A few conditions track whether this stack is being deployed in GovCloud, whether this region supports Glacier, and whether this is a Production account.

```yaml
Conditions:
  IsGovCloud: !Equals [!Ref "AWS::Region", 'us-gov-west-1']
  SupportsGlacier: !Equals [!Ref pSupportsGlacier, 'true']
  IsProdAccount: !Equals [!Ref pAccountType, 'Production']
```

Resources

```yaml
Resources:
```

SNS Topic For Notifications

This creates an SNS topic which will receive notifications for the various alerts and triggers set up in this template. An initial email address (passed in via parameters above) is set as a subscriber.

```yaml
  rSecurityAlarmTopic:
    Type: AWS::SNS::Topic
    Properties:
      Subscription:
        - Endpoint: !Ref pNotifyEmail
          Protocol: email
```

SNS Topic For Lambda Alarm Triggering

This creates an SNS topic which will receive the raw CloudWatch alarm notifications for the various alerts and triggers set up in this template. The lambda-alarm-logs Lambda function subscribes to this topic, enriches each alarm with log details, and publishes a new message to the rSecurityAlarmTopic SNS topic, which is what reaches the subscribed email address.

```yaml
  rSecurityLambdaTopic:
    Type: AWS::SNS::Topic
```
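The enrich-and-republish flow described above, as an added example that is not the lambda-alarm-logs function itself: it parses the CloudWatch alarm JSON that SNS delivers from rSecurityLambdaTopic, attaches a bounded log sample, and forwards ALARM transitions to the alarm topic. The topic ARN, alarm name and the injected `fetch_logs`/`publish` callables are assumptions so the code runs offline.

```python
import json
from typing import Callable, Iterable, List

# Constructed sample event: one CloudWatch alarm notification as delivered by SNS
# to a subscribed Lambda. Topic ARN and alarm name are placeholders, not values
# from the template.
SAMPLE_EVENT = {
    "Records": [{
        "Sns": {
            "TopicArn": "arn:aws:sns:us-east-1:111111111111:lambda-topic-PLACEHOLDER",
            "Message": json.dumps({
                "AlarmName": "RootActivityAlarm",
                "NewStateValue": "ALARM",
                "NewStateReason": "Threshold Crossed: 1 datapoint was >= 1.0",
                "Trigger": {"MetricName": "RootUserEventCount",
                            "Namespace": "CloudTrailMetrics"},
            }),
        }
    }]
}

def enrich_alarm(sns_message: str, fetch_logs: Callable[[str], Iterable[str]]) -> dict:
    """Parse the alarm JSON carried in the SNS message and attach the log lines
    that fetch_logs (assumed: a CloudWatch Logs lookup) returns for the metric."""
    alarm = json.loads(sns_message)
    metric = alarm.get("Trigger", {}).get("MetricName", "")
    return {
        "alarm": alarm.get("AlarmName"),
        "state": alarm.get("NewStateValue"),
        "reason": alarm.get("NewStateReason"),
        "metric": metric,
        # Cap the sample so the resulting e-mail stays readable.
        "log_sample": list(fetch_logs(metric))[:5],
    }

def handler(event: dict, fetch_logs: Callable[[str], Iterable[str]],
            publish: Callable[[str, str, str], None], alarm_topic_arn: str) -> List[dict]:
    """Entry point (assumed signature; clients are injected rather than built with
    boto3). Only ALARM transitions are forwarded; OK/INSUFFICIENT_DATA are dropped."""
    forwarded = []
    for record in event.get("Records", []):
        enriched = enrich_alarm(record["Sns"]["Message"], fetch_logs)
        if enriched["state"] != "ALARM":
            continue
        subject = f"[Security] {enriched['alarm']} is in ALARM"
        publish(alarm_topic_arn, subject, json.dumps(enriched, indent=2))
        forwarded.append(enriched)
    return forwarded
```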

Outputs

```yaml
Outputs:
  rSecurityAlarmTopic:
    Value: !Ref rSecurityAlarmTopic
    Export:
      Name: !Sub "${AWS::StackName}-alarm-topic"
  rSecurityLambdaTopic:
    Value: !Ref rSecurityLambdaTopic
    Export:
      Name: !Sub "${AWS::StackName}-lambda-topic"
```