@@ -15,12 +15,15 @@ Metadata:
1515 - TrustedIdentity
1616 - BucketARN
1717 - KMSKeyARN
18+ - KMSAccountId
1819 - BucketAccountId
20+ - TopicAccountId
1921 - OrganizationalUnitIds
2022 - CreateTopic
2123 - TopicARN
2224 - Endpoint
2325 - Partition
26+ - TopicRegion
2427
2528 ParameterLabels :
2629 NameSuffix :
@@ -33,8 +36,12 @@ Metadata:
3336 default : Bucket ARN
3437 KMSKeyARN :
3538 default : KMS Key ARN
39+ KMSAccountId :
40+ default : KMS Account ID
3641 BucketAccountId :
3742 default : Bucket Account ID
43+ TopicAccountId :
44+ default : SNS Topic Account ID
3845 OrganizationalUnitIds :
3946 default : Organizational Unit IDs
4047 CreateTopic :
@@ -45,6 +52,8 @@ Metadata:
4552 default : Sysdig Secure endpoint
4653 Partition :
4754 default : AWS Partition
55+ TopicRegion :
56+ default : The AWS region where the SNS topic is located
4857
4958Parameters :
5059 NameSuffix :
@@ -67,10 +76,18 @@ Parameters:
6776 Type : String
6877 Description : The ARN of the KMS key used to encrypt the S3 bucket.
6978 Default : " "
79+ KMSAccountId :
80+ Type : String
81+ Description : The AWS Account ID that owns the KMS key.
82+ Default : " "
7083 BucketAccountId :
7184 Type : String
7285 Description : The AWS Account ID that owns the S3 bucket, if different from the current account.
7386 Default : " "
87+ TopicAccountId :
88+ Type : String
89+ Description : The AWS Account ID that owns the SNS topic.
90+ Default : " "
7491 OrganizationalUnitIds :
7592 Type : String
7693 Description : Comma-separated list of AWS Organizations organizational unit (OU) IDs for cross-account deployments.
@@ -92,6 +109,10 @@ Parameters:
92109 Type : String
93110 Description : AWS Partition of your account or organization to create resources in
94111 Default : ' aws'
112+ TopicRegion :
113+ Type : String
114+ Description : The AWS region where the SNS topic is located
115+ AllowedPattern : ' ^[a-zA-Z0-9-]{1,128}$'
95116
96117Conditions :
97118 CreateSNSTopic : !Equals [ !Ref CreateTopic, "true" ]
@@ -100,16 +121,18 @@ Conditions:
100121 !Not [ !Equals [ !Ref BucketAccountId, "" ] ],
101122 !Not [ !Equals [ !Ref BucketAccountId, !Ref "AWS::AccountId" ] ]
102123 ]
103- BucketInTargetAccount : !Not [BucketCrossAccount]
104- # Extract KMS account ID from KMS key ARN
105- KMSAccountId : !Select [4, !Split [":", !Ref KMSKeyARN]]
124+ BucketInTargetAccount : !Equals [ !Ref BucketAccountId, !Ref "AWS::AccountId" ]
106125 # Check if KMS key is in a different account from bucket
107126 NeedKMSPolicy : !And [
108- HasKMSKey ,
109- !Equals [ !Ref KMSAccountId, !Ref BucketAccountId ]
127+ !Not [ !Equals [ !Ref KMSKeyARN, "" ] ] ,
128+ !Not [ ! Equals [ !Ref KMSAccountId, !Ref BucketAccountId ] ]
110129 ]
111- IsTopicAccount : !Equals [ !Select [4, !Split [":", ! Ref TopicARN]] , !Ref "AWS::AccountId" ]
130+ IsTopicAccount : !Equals [ !Ref TopicAccountId , !Ref "AWS::AccountId" ]
112131 IsBucketAccount : !Equals [ !Ref BucketAccountId, !Ref "AWS::AccountId" ]
132+ NeedKMSPolicyInTargetAccount :
133+ Fn::And :
134+ - !Condition NeedKMSPolicy
135+ - !Condition BucketInTargetAccount
113136
114137Resources :
115138 # Role and resources for same-account deployments
@@ -165,6 +188,7 @@ Resources:
165188 TopicName : !Select [ 5, !Split [ ":", !Ref TopicARN ] ]
166189
167190 CloudTrailNotificationsSubscription :
191+ Condition : IsTopicAccount
168192 Type : " AWS::SNS::Subscription"
169193 Properties :
170194 TopicArn : !If [ CreateSNSTopic, !Ref CloudTrailNotificationsTopic, !Ref TopicARN ]
@@ -206,6 +230,8 @@ Resources:
206230 FailureTolerancePercentage : 90
207231 ConcurrencyMode : SOFT_FAILURE_TOLERANCE
208232 Parameters :
233+ - ParameterKey : NameSuffix
234+ ParameterValue : !Ref NameSuffix
209235 - ParameterKey : RoleName
210236 ParameterValue : !Sub sysdig-secure-cloudlogs-${AWS::AccountId}-${NameSuffix}
211237 - ParameterKey : TrustedIdentity
@@ -220,21 +246,30 @@ Resources:
220246 ParameterValue : !Ref BucketAccountId
221247 - ParameterKey : TopicARN
222248 ParameterValue : !Ref TopicARN
249+ - ParameterKey : TopicAccountId
250+ ParameterValue : !Ref TopicAccountId
223251 - ParameterKey : Endpoint
224252 ParameterValue : !Ref Endpoint
253+ - ParameterKey : TopicRegion
254+ ParameterValue : !Ref TopicRegion
225255 StackInstancesGroup :
226256 - DeploymentTargets :
227257 OrganizationalUnitIds : !Split [",", !Ref OrganizationalUnitIds]
228258 Accounts : [!Ref BucketAccountId]
259+ AccountFilterType : INTERSECTION
229260 Regions : [!Ref "AWS::Region"]
230261 - DeploymentTargets :
231262 OrganizationalUnitIds : !Split [",", !Ref OrganizationalUnitIds]
232- Accounts : [!Select [4, !Split [":", !Ref TopicARN]]] # Extract account ID from topic ARN
233- Regions : [!Select [3, !Split [":", !Ref TopicARN]]] # Extract region from topic ARN
263+ Accounts : [!Ref TopicAccountId]
264+ AccountFilterType : INTERSECTION
265+ Regions : [!Ref TopicRegion]
234266 TemplateBody : |
235267 AWSTemplateFormatVersion: "2010-09-09"
236268 Description: IAM Role for S3 bucket and KMS access for Sysdig Cloud Logs integration
237269 Parameters:
270+ NameSuffix:
271+ Type: String
272+ Description: Suffix to append to the resource name identifiers
238273 RoleName:
239274 Type: String
240275 Description: Name of the role to be created in the bucket account
@@ -257,9 +292,15 @@ Resources:
257292 TopicARN:
258293 Type: String
259294 Description: ARN of the SNS topic
295+ TopicAccountId:
296+ Type: String
297+ Description: AWS Account ID that owns the SNS topic
260298 Endpoint:
261299 Type: String
262300 Description: Sysdig Secure endpoint to receive CloudTrail notifications
301+ TopicRegion:
302+ Type: String
303+ Description: The AWS region where the SNS topic is located
263304 Conditions:
264305 IsBucketAccount: !Equals [ !Ref BucketAccountId, !Ref "AWS::AccountId" ]
265306 IsTopicAccount: !Equals [ !Ref TopicAccountId, !Ref "AWS::AccountId" ]
@@ -281,7 +322,7 @@ Resources:
281322 StringEquals:
282323 "sts:ExternalId": !Ref ExternalID
283324 Policies:
284- - PolicyName: "cloudlogs_s3_access_policy "
325+ - PolicyName: !Sub "sysdig-secure-cloudlogs-policy-${AWS::AccountId}-${NameSuffix} "
285326 PolicyDocument:
286327 Version: "2012-10-17"
287328 Statement:
@@ -320,45 +361,17 @@ Resources:
320361 TopicArn: !Ref TopicARN
321362 Protocol: "https"
322363 Endpoint: !Ref Endpoint
323- Outputs:
324- S3AccessRoleArn:
325- Description: ARN of the IAM role created in the bucket account for S3 access
326- Value: !GetAtt S3AccessRole.Arn
327- KMSPolicyInstructions:
328- Description: Instructions for updating KMS key policy when KMS encryption is enabled
329- Condition: HasKMSKey
330- Value: !Sub |
331- IMPORTANT: MANUAL ACTION REQUIRED
332-
333- Please add the following statement to your KMS key policy to allow Sysdig to decrypt logs.
334- This is necessary when KMS encryption is enabled for your S3 bucket.
335- Without this policy addition, Sysdig may not be able to read your encrypted logs.
336-
337- {
338- "Sid": "Sysdig-Decrypt",
339- "Effect": "Allow",
340- "Principal": {
341- "AWS": "${S3AccessRole.Arn}"
342- },
343- "Action": "kms:Decrypt",
344- "Resource": "*"
345- }
346-
347364Outputs :
348365 TopicARN :
349366 Description : " The ARN of the SNS Topic created for CloudTrail notifications."
350367 Value : !If [ CreateSNSTopic, !Ref CloudTrailNotificationsTopic, !Ref TopicARN ]
351- RoleARN :
352- Description : " The ARN of the IAM Role created for CloudTrail logs access."
353- Condition : BucketInTargetAccount
354- Value : !GetAtt CloudLogsRole.Arn
355368 CrossAccountRoleARN :
356369 Description : " ARN of the Cross-Account IAM Role for accessing the S3 bucket."
357370 Condition : BucketCrossAccount
358371 Value : !Sub "arn:${Partition}:iam::${BucketAccountId}:role/sysdig-secure-cloudlogs-${AWS::AccountId}-${NameSuffix}"
359372 KMSPolicyInstructions :
360373 Description : " Instructions for updating KMS key policy when KMS encryption is enabled"
361- Condition : NeedKMSPolicy
374+ Condition : NeedKMSPolicyInTargetAccount
362375 Value : !Sub |
363376 IMPORTANT: MANUAL ACTION REQUIRED
364377
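Review bot: In the Conditions hunk, `BucketInTargetAccount` now requires `BucketAccountId` to equal the current account, but that parameter defaults to `""` and its own description says to leave it empty for same-account deployments, so in the default case both `BucketCrossAccount` and `BucketInTargetAccount` evaluate false and the `KMSPolicyInstructions` output (gated on `NeedKMSPolicyInTargetAccount`) is never emitted; the "Role and resources for same-account deployments" block is outside this hunk, but if it keys on this condition it is skipped too, and the new expression merely duplicates `IsBucketAccount`. The removed form `BucketInTargetAccount : !Not [ !Condition BucketCrossAccount ]` handled the empty default correctly and should be restored. `CloudTrailNotificationsSubscription` has the same shape of problem: with `Condition : IsTopicAccount` and `TopicAccountId` defaulting to `""`, a stack with `CreateTopic=true` that does not also pass its own account ID creates the topic but no HTTPS subscription, so gate it on a named condition such as `TopicIsLocal : !Or [ !Condition CreateSNSTopic, !Condition IsTopicAccount ]`. The three new account-ID parameters feed StackSet `Accounts:` deployment targets and the `CrossAccountRoleARN` output yet, unlike `TopicRegion`, carry no `AllowedPattern`; add `AllowedPattern : '^([0-9]{12})?$'` to each, and be aware that `KMSAccountId` is now taken on trust instead of being parsed from `KMSKeyARN`, so a value that disagrees with the ARN silently flips `NeedKMSPolicy` and hides the key-policy instructions.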