Merge pull request #60 from nao1215/feat/cfn-guard
Add CloudFormation Guard (GitHub Actions)
nao1215 authored Feb 8, 2024
2 parents c3497b2 + 1380772 commit fadaeee
Showing 5 changed files with 128 additions and 21 deletions.
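--- a/.github/workflows/cfn-guard.yml
+++ b/.github/workflows/cfn-guard.yml
@@ -0,0 +1,22 @@
+name: CloudFormation Guard Action
+
+on:
+push:
+#paths:
+# - 'cloudformation/**'
+
+jobs:
+cfn-guard:
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v4
+
+- uses: grolston/guard-action@main
+with:
+data_directory: './cloudformation/'
+rule_set: "wa-Reliability-Pillar"
+
+- uses: grolston/guard-action@main
+with:
+data_directory: './cloudformation/'
+rule_set: "wa-Security-Pillar"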
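Review bot: Both `grolston/guard-action@main` steps reference a mutable branch, so whatever is pushed to that third-party repository's `main` runs in this workflow with the repository checked out; pin to a full-length commit SHA and note the tag beside it, e.g. `- uses: grolston/guard-action@<full-commit-sha>  # <tag>`, and let Dependabot bump it. The workflow also declares no `permissions:` block, so the job token gets the repository's default permissions although the scan only needs `permissions: contents: read`. Minor: with `paths:` commented out the job runs on every push, which may be intended while the rules settle, but the commented lines should then say so or be dropped.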
5 changes: 2 additions & 3 deletions .github/workflows/cloudformation.yml
Expand Up @@ -2,9 +2,8 @@ name: Deploy to LocalStack

on:
push:
branches: [main]
pull_request:
branches: [main]
paths:
- 'cloudformation/**'

jobs:
deploy:
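Review bot: If the `branches: [main]` lines (and the `pull_request` trigger) are the removed side, as the 2-addition/3-deletion count suggests, the deploy workflow now runs on a push to any branch that touches `cloudformation/**`, not only on main; if deployment was meant to stay gated on main, keep `branches: [main]` next to the new `paths:` filter under `push:`. The `jobs:`/`deploy:` block continues outside the hunk.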
4 changes: 4 additions & 0 deletions cloudformation/cloudwatch-rum/template.yml
Expand Up @@ -68,6 +68,10 @@ Resources:
# https://docs.aws.amazon.com/ja_jp/aws-managed-policy/latest/reference/AmazonCloudWatchRUMFullAccess.html
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AmazonCloudWatchRUMFullAccess
Metadata:
guard:
SuppressedRules:
- IAM_NO_INLINE_POLICY_CHECK

CWRumAppMonitor:
# https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rum-appmonitor.html
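Review bot: The new `SuppressedRules` entry for `IAM_NO_INLINE_POLICY_CHECK` carries no reason, so a later reader cannot tell whether the inline policy on this role (defined above, outside the hunk) is genuinely required or could be replaced by a scoped managed policy; the same resource already attaches the broad `AmazonCloudWatchRUMFullAccess`. Add a justification beside the suppression, e.g. `# Suppressed: <why the inline policy is needed here> — <owner/ticket placeholder>`, so the exception is reviewable rather than permanent. The enclosing resource starts outside the hunk.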
24 changes: 12 additions & 12 deletions cloudformation/lambda-batch/template.yml
Expand Up @@ -43,17 +43,8 @@ Resources:
Principal:
Service: "lambda.amazonaws.com"
Action: "sts:AssumeRole"
Policies:
- PolicyName: "LambdaBatchPolicy"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Action:
- "logs:CreateLogGroup"
- "logs:CreateLogStream"
- "logs:PutLogEvents"
Resource: "*"
ManagedPolicyArns:
- "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"

LambdaLogGroup:
Type: "AWS::Logs::LogGroup"
Expand All @@ -62,4 +53,13 @@ Resources:
Properties:
LogGroupName: !Sub "/aws/lambda/${LambdaBatch}"
RetentionInDays: 7

KmsKeyId: !Ref LambdaLogGroupKMSKey

LambdaLogGroupKMSKey:
Type: AWS::KMS::Key
UpdateReplacePolicy: Retain
DeletionPolicy: Retain
Properties:
Description: "KMS key for encrypting CloudWatch Logs"
EnableKeyRotation: true
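Review bot: `LambdaLogGroupKMSKey` declares no `KeyPolicy`, so it gets only the default account-root policy and the CloudWatch Logs service principal (`logs.<region>.amazonaws.com`) is not permitted to use the key; associating it with `LambdaLogGroup` through `KmsKeyId` is then expected to fail when the stack is created. Add a key policy that keeps root administration and grants the Logs service principal the encrypt/decrypt/generate-data-key actions, scoped with the `kms:EncryptionContext:aws:logs:arn` condition (the `log-group:*` pattern below can be narrowed to the single log group if no circular dependency results). The replacement of the inline logging policy with `AWSLambdaBasicExecutionRole` earlier in this file looks fine.
```yaml
  LambdaLogGroupKMSKey:
    # … unchanged: Type, UpdateReplacePolicy, DeletionPolicy …
    Properties:
      # … unchanged: Description, EnableKeyRotation …
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          - Sid: EnableRootAdministration
            Effect: Allow
            Principal:
              AWS: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:root"
            Action: "kms:*"
            Resource: "*"
          - Sid: AllowCloudWatchLogsUse
            Effect: Allow
            Principal:
              Service: !Sub "logs.${AWS::Region}.amazonaws.com"
            Action:
              - "kms:Encrypt*"
              - "kms:Decrypt*"
              - "kms:ReEncrypt*"
              - "kms:GenerateDataKey*"
              - "kms:Describe*"
            Resource: "*"
            Condition:
              ArnLike:
                "kms:EncryptionContext:aws:logs:arn": !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:*"
```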

94 changes: 88 additions & 6 deletions cloudformation/static-web-site-distribution/template.yml
Expand Up @@ -12,6 +12,15 @@ Resources:
DeletionPolicy: Retain
Properties:
BucketName: !Ref ContentBucketName
VersioningConfiguration:
Status: Enabled
ObjectLockConfiguration:
ObjectLockEnabled: Enabled
Rule:
DefaultRetention:
Days: 1
Mode: GOVERNANCE
ObjectLockEnabled: true
OwnershipControls:
Rules:
- ObjectOwnership: BucketOwnerEnforced
Expand All @@ -24,6 +33,16 @@ Resources:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
ReplicationConfiguration:
Role: !GetAtt ContentBucketReplicationRole.Arn
Rules:
- Destination:
Bucket: !Ref ContentS3BucketReplica
Status: Enabled
Prefix: "replicated/"
LoggingConfiguration:
DestinationBucketName: !Ref ContentS3BucketReplica
LogFilePrefix: "logs/"

ContentBucketPolicy:
Type: AWS::S3::BucketPolicy
Expand All @@ -32,13 +51,76 @@ Resources:
PolicyDocument:
Version: "2012-10-17"
Statement:
- Sid: AllowSSLRequestsOnly
Action: "s3:*"
- Action: "s3:*"
Effect: Deny
Principal: "*"
Resource: "*"
Condition:
Bool:
"aws:SecureTransport": false

ContentBucketReplicationRole:
Type: AWS::IAM::Role
Properties:
RoleName: !Sub "${AWS::StackName}-bucket-source-role-${AWS::Region}"
Description: "Role For S3"
Path: "/service/"
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- s3.amazonaws.com
Action:
- sts:AssumeRole
ManagedPolicyArns:
- "arn:aws:iam::aws:policy/AmazonS3FullAccess"

ContentS3BucketReplica:
Type: "AWS::S3::Bucket"
UpdateReplacePolicy: Retain
DeletionPolicy: Retain
Properties:
BucketName: "content-s3-bucket-replica"
ObjectLockConfiguration:
ObjectLockEnabled: Enabled
Rule:
DefaultRetention:
Days: 1
Mode: GOVERNANCE
ObjectLockEnabled: true
OwnershipControls:
Rules:
- ObjectOwnership: BucketOwnerEnforced
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
VersioningConfiguration:
Status: Enabled
PublicAccessBlockConfiguration:
BlockPublicAcls: true
BlockPublicPolicy: true
IgnorePublicAcls: true
RestrictPublicBuckets: true
Metadata:
guard:
SuppressedRules:
- S3_BUCKET_REPLICATION_ENABLED
- S3_BUCKET_LOGGING_ENABLED

ContentBucketReplicaPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref ContentS3BucketReplica
PolicyDocument:
Version: "2012-10-17"
Statement:
- Action: "s3:*"
Effect: Deny
Resource:
- !Sub "arn:${AWS::Partition}:s3:::${ContentBucket}"
- !Sub "arn:${AWS::Partition}:s3:::${ContentBucket}/*"
Principal: "*"
Resource: "*"
Condition:
Bool:
"aws:SecureTransport": false
Principal: "*"
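Review bot: Both bucket policies in this hunk now use `Resource: "*"` (`ContentBucketPolicy` and `ContentBucketReplicaPolicy`), while a bucket policy must name the bucket and/or its objects and S3 rejects the wildcard form; the commit removes exactly the explicit ARNs (`!Sub "arn:${AWS::Partition}:s3:::${ContentBucket}"` and its `/*` variant) that the previous statement had. Restore them per bucket, e.g. for the replica `Resource: [!Sub "arn:${AWS::Partition}:s3:::${ContentS3BucketReplica}", !Sub "arn:${AWS::Partition}:s3:::${ContentS3BucketReplica}/*"]`. Separately, `ContentBucketReplicationRole` attaches `AmazonS3FullAccess`, far beyond what replication needs (read/replicate on the source, replication writes on the destination), so a scoped inline policy would keep least privilege. Also, `ContentS3BucketReplica` is the server-access-logging target but its only statement is a Deny; with `BucketOwnerEnforced` the delivery principal `logging.s3.amazonaws.com` needs an explicit `s3:PutObject` allow, and as far as I know Object Lock is not supported on a logging target bucket — confirm against the S3 docs before relying on those logs.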
