kfs_s3_logging_bucket.yaml
---

S3 Bucket Archive CloudFormation Deployment

This CloudFormation template deploys an S3 bucket with its own IAM user. Objects written to the bucket are moved by a lifecycle rule from the Standard storage class to Infrequent Access, then to Glacier, and are finally deleted.

AWSTemplateFormatVersion: '2010-09-09'
Description: S3 Bucket for KFS Load Balancer Logs

Parameters

These are the input parameters for this template. All of these parameters must be supplied for this template to be deployed.

Parameters:

Name of the bucket.

  BucketName:
    Type: String
    Description: The name of the S3 Bucket.

Indicates the number of days after an object is created before it is moved from the Standard storage class to Infrequent Access.

  DaysToInfrequentAccess:
    Type: Number
    Description: Migrate to Infrequent Access After This Many Days. (Minimum 30 days)
    Default: 30
    MinValue: 30

Indicates the number of days after an object is created before it is moved to Glacier. Like the other two thresholds this is counted from object creation, not from the move to Infrequent Access, so it must be larger than DaysToInfrequentAccess.

  DaysToGlacier:
    Type: Number
    Description: Migrate to Glacier After This Many Days. (Minimum 60 days)
    Default: 60
    MinValue: 60

Indicates the number of days after an object is created before it is permanently deleted; it must be larger than DaysToGlacier. The minimum is 150 days. CloudFormation's MinValue checks each of the three day counts on its own, not their ordering, so keep DaysToInfrequentAccess < DaysToGlacier < DaysToDeletion when supplying non-default values or the lifecycle rule will be rejected at deploy time.

  DaysToDeletion:
    Type: Number
    Description: Delete From Glacier After This Many Days. (Minimum 150 days)
    Default: 150
    MinValue: 150

Tags

The following tags are applied to all resources created by this template.

  ServiceTag:
    Type: String
    Description: Exact name of the Service as defined in the service catalog.
  EnvironmentTag:
    Type: String
    Description: Used to distinguish between development, test, production, etc. environment types.
    AllowedValues: [dev, tst, prd, trn, stg, cfg, sup, rpt]
    Default: dev
  ContactNetidTag:
    Type: String
    Description: Used to identify the netid of the person most familiar with the usage of the resource.
  AccountNumberTag:
    Type: String
    Description: Identifies the financial system account number.
  SubAccountTag:
    Type: String
    Description: The financial system sub account.
  TicketNumberTag:
    Type: String
    Description: Used to identify the Jira, Cherwell, or other ticketing system ticket number to link to more information about the need for the resource.

Metadata

Metadata is used here only to group and label the parameters so they are presented more clearly in the AWS CloudFormation web console.

Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: S3 Bucket Configuration
        Parameters:
          - BucketName
          - DaysToInfrequentAccess
          - DaysToGlacier
          - DaysToDeletion
      - Label:
          default: Tags
        Parameters:
          - ServiceTag
          - EnvironmentTag
          - ContactNetidTag
          - AccountNumberTag
          - SubAccountTag
          - TicketNumberTag
    ParameterLabels:
      BucketName:
        default: 'Bucket Name:'
      DaysToInfrequentAccess:
        default: 'Days to Infq Access:'
      DaysToGlacier:
        default: 'Days to Glacier:'
      DaysToDeletion:
        default: 'Days to Deletion:'
      IAMUserName:
        default: 'IAM User Name:'

Resources

These are all of the resources deployed by this template.

Resources:

S3 Bucket

This deploys the S3 bucket with its lifecycle rule (Standard to Infrequent Access to Glacier to deletion) and the tags.

  S3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Ref "BucketName"
      AccessControl: Private
      LifecycleConfiguration:
        Rules:
          - Id: Archive
            Status: Enabled
            # Days are counted from object creation for every threshold below.
            ExpirationInDays: !Ref "DaysToDeletion"
            Transitions:
              - TransitionInDays: !Ref "DaysToInfrequentAccess"
                StorageClass: STANDARD_IA
              - TransitionInDays: !Ref "DaysToGlacier"
                StorageClass: GLACIER
      Tags:
        - Key: Name
          Value: !Ref BucketName
        - Key: service
          Value: !Ref ServiceTag
        - Key: environment
          Value: !Ref EnvironmentTag
        - Key: contactnetid
          Value: !Ref ContactNetidTag
        - Key: accountnumber
          Value: !Ref AccountNumberTag
        - Key: subaccount
          Value: !Ref SubAccountTag
        - Key: ticketnumber
          Value: !Ref TicketNumberTag
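As an added example that is not part of the original template, the same bucket resource with two hardening settings a log bucket should normally carry: a public access block, so that no later ACL or policy change can expose the logs, and default encryption at rest. It is written as a drop-in replacement for the S3Bucket resource above (same BucketName parameter, so it cannot be deployed alongside it); the resource name S3BucketHardened and the shortened tag list are this example's choices.

```yaml
  # Added example: hardened variant of the S3Bucket resource above.
  # Replace S3Bucket with this resource rather than deploying both.
  S3BucketHardened:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Ref BucketName
      AccessControl: Private
      # Reject public ACLs and public bucket policies, including ones added
      # by hand after deployment, so the log bucket cannot be made public.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      # Encrypt logs at rest. Elastic Load Balancing access logging supports
      # SSE-S3 (AES256) only; an SSE-KMS default here would break log delivery.
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      LifecycleConfiguration:
        Rules:
          - Id: Archive
            Status: Enabled
            ExpirationInDays: !Ref DaysToDeletion
            Transitions:
              - TransitionInDays: !Ref DaysToInfrequentAccess
                StorageClass: STANDARD_IA
              - TransitionInDays: !Ref DaysToGlacier
                StorageClass: GLACIER
      Tags:
        - Key: Name
          Value: !Ref BucketName
        - Key: service
          Value: !Ref ServiceTag
        - Key: environment
          Value: !Ref EnvironmentTag
```

The public access block is the setting that matters most for a bucket whose policy grants write access to an external AWS account: it does not affect that grant, but it makes any accidental `Principal: "*"` statement ineffective.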

S3 Bucket Policy

Allows the Elastic Load Balancing service to put access logs into this bucket. The principal is the regional ELB account, not a service principal; 797873946194 is the account for us-west-2, so a bucket in another region needs that region's ELB account ID. The resource pattern contains a `/*/` segment before `AWSLogs`, so the load balancer must be configured with a non-empty log prefix; logs written directly under `AWSLogs/` would not match the policy.

  SampleBucketPolicy:
    Type: "AWS::S3::BucketPolicy"
    Properties:
      Bucket: !Ref S3Bucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Action:
              - "s3:PutObject"
            Effect: "Allow"
            # Requires a log prefix: <bucket>/<prefix>/AWSLogs/<account-id>/...
            Resource: !Sub "arn:aws:s3:::${S3Bucket}/*/AWSLogs/${AWS::AccountId}/*"
            Principal:
              AWS:
                # Regional ELB account (us-west-2); quoted so YAML keeps it a string.
                - "797873946194"

S3 Bucket User

Creates an IAM user with an inline policy intended to limit it to this bucket. Note that the first statement grants `s3:List*` on `*`, which permits listing every bucket in the account and their contents (`s3:ListAllMyBuckets`, `s3:ListBucket` on any bucket), not only this one; only the second statement, which grants all object actions, is scoped to this bucket.

  S3BucketUser:
    Type: AWS::IAM::User
    Properties:
      Path: "/"
      Policies:
        - PolicyName: giveaccesstobucket
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Listing is granted on every bucket in the account, not just this one.
              - Effect: Allow
                Action:
                  - s3:List*
                Resource:
                  - "*"
              # All object-level actions, scoped to objects in this bucket.
              - Effect: Allow
                Action:
                  - s3:*
                Resource: !Sub "arn:aws:s3:::${S3Bucket}/*"
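As an added example that is not part of the original template, a least-privilege version of the same IAM user. Bucket-level listing is scoped to this bucket's ARN (no trailing `/*`), so no other bucket can be enumerated, and object access is reduced to read-only, on the assumption that a consumer of load balancer logs only needs to list and fetch them; the resource name S3BucketUserReadOnly and the policy name are this example's choices. If the user must also delete or upload objects, add those actions to the second statement rather than widening the resources.

```yaml
  # Added example: least-privilege variant of the S3BucketUser resource above.
  # Assumes the user only reads logs; add actions to the second statement if not.
  S3BucketUserReadOnly:
    Type: AWS::IAM::User
    Properties:
      Path: "/"
      Policies:
        - PolicyName: readthisbucketonly
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Bucket-level actions target the bucket ARN itself. Scoping them
              # here means s3:ListAllMyBuckets and listing other buckets are
              # not granted, which is what the original s3:List* on "*" allowed.
              - Effect: Allow
                Action:
                  - s3:ListBucket
                  - s3:GetBucketLocation
                Resource: !GetAtt S3Bucket.Arn
              # Object-level actions target keys inside the bucket.
              - Effect: Allow
                Action:
                  - s3:GetObject
                Resource: !Sub "${S3Bucket.Arn}/*"
```

Keeping bucket-level and object-level actions in separate statements with their correct ARN forms is what makes the scoping work: `s3:ListBucket` never matches an object ARN, and `s3:GetObject` never matches a bucket ARN, so collapsing both into one statement with `"*"` is the usual way such policies end up over-broad.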

Outputs

Output values that can be viewed from the AWS CloudFormation console.

Outputs:
  BucketName:
    Value: !Ref S3Bucket
    Export:
      Name: "kfs7-elb-logging-bucket"
  BucketArn:
    Value: !GetAtt S3Bucket.Arn
    Export:
      Name: "kfs7-elb-logging-bucket-arn"