Saving WAF logs to an S3 bucket in another account

Something I talked about at the #jawsug_chiba mokumoku (study) session and forgot to upload.
I mentioned it at #logben, so I'm uploading it today.


Kazuki Miura

June 26, 2020

Transcript

  1. Saving WAF logs to an S3 bucket in another account 2020/05/29

  2. Self-introduction: Kazuki Miura, Hokkaido Television Broadcasting; JAWS-UG Sapporo, MediaJAWS, JP_Stripes Sapporo; guest blogger

  3. (no text on this slide)
  4. Saving WAF logs to S3: ALB → Kinesis Firehose → S3

  5. Saving WAF logs to S3: ALB → Kinesis Firehose → S3. Sometimes you want to do this across multiple accounts, right?

  6. Saving WAF logs to S3: ALB → Kinesis Firehose → S3. Sometimes you want to do this across multiple accounts, right? But you can't configure that from the console!!

  7. But we have CloudFormation, don't we?

  8. Took about 10 hours(?) to put together

  9. Parameters

     AWSTemplateFormatVersion: 2010-09-09
     Parameters:
       BucketArn:
         Default: "arn:aws:s3:::bucketname"
         Description: "Please enter the ARN of the destination S3"
         Type: String
       StreamName:
         Default: "aws-waf-logs-XXXX"
         Description: "Enter a name for the delivery stream. The name must start with aws-waf-logs- and end with an arbitrary suffix. For example, it's aws-waf-logs-demo"
         Type: String
       IAMRoleName:
         Default: 'FirehoseToCrossAccountS3Role'
         Description: "Please enter the name of the IAM Role that this cloudformation stack will generate."
         Type: String
       IAMPolicyName:
         Default: 'firehose_delivery_cross_account_policy'
         Description: "Please enter the name of the IAM Policy that this cloudformation stack will generate."
         Type: String

  10. Resources

     Resources:
       # Firehose delivery stream that writes into the other account's bucket
       Stream:
         Type: AWS::KinesisFirehose::DeliveryStream
         Properties:
           DeliveryStreamName: !Ref StreamName
           DeliveryStreamType: DirectPut
           S3DestinationConfiguration:
             BucketARN: !Ref BucketArn
             BufferingHints:
               IntervalInSeconds: 300
               SizeInMBs: 5
             CloudWatchLoggingOptions:
               Enabled: True
               LogGroupName: /aws/kinesisfirehose/aws-waf-logs-alb
               LogStreamName: sodane
             CompressionFormat: 'GZIP'
             ErrorOutputPrefix: !Join
               - ''
               - - 'AWSLogs/'
                 - !Ref 'AWS::AccountId'
                 - '/WAF-error/'
                 - !Ref 'AWS::Region'
                 - '/'
             Prefix: !Join
               - ''
               - - 'AWSLogs/'
                 - !Ref 'AWS::AccountId'
                 - '/WAF/'
                 - !Ref 'AWS::Region'
                 - '/'
             RoleARN: !GetAtt deliveryRole.Arn

  11. IAM

       # Role assumed by the Firehose service; RoleName is explicit, so the stack
       # must be deployed with CAPABILITY_NAMED_IAM
       deliveryRole:
         Type: AWS::IAM::Role
         Properties:
           RoleName: !Ref IAMRoleName
           AssumeRolePolicyDocument:
             Version: '2012-10-17'
             Statement:
               - Sid: ''
                 Effect: Allow
                 Principal:
                   Service: 'firehose.amazonaws.com'
                 Action: 'sts:AssumeRole'
                 # Bind the trust to this account (confused-deputy guard)
                 Condition:
                   StringEquals:
                     'sts:ExternalId': !Ref 'AWS::AccountId'
           Path: '/'
           Policies:
             - PolicyName: !Ref IAMPolicyName
               PolicyDocument:
                 Version: '2012-10-17'
                 Statement:
                   # Bucket and object permissions on the destination bucket
                   - Effect: Allow
                     Action:
                       - 's3:AbortMultipartUpload'
                       - 's3:GetBucketLocation'
                       - 's3:GetObject'
                       - 's3:ListBucket'
                       - 's3:ListBucketMultipartUploads'
                       - 's3:PutObject'
                       - 's3:PutObjectAcl'
                     Resource:
                       - !Ref BucketArn
                       - !Join
                         - ''
                         - - !Ref BucketArn
                           - '/*'
                   # Delivery error logging; the log group here must be the one
                   # named in CloudWatchLoggingOptions above
                   - Effect: Allow
                     Action: 'logs:PutLogEvents'
                     Resource:
                       - !Join
                         - ''
                         - - 'arn:aws:logs:'
                           - !Ref 'AWS::Region'
                           - ':'
                           - !Ref 'AWS::AccountId'
                           - ':log-group:/aws/kinesisfirehose/aws-waf-logs-alb'
                           - ':log-stream:*'

  12. Outputs

     Outputs:
       StreamName:
         Value: !Ref Stream
         Description: Delivery Stream Name
       RoleARN:
         Description: Please tell the bucket owner the ARN of the IAM Role
         Value: !GetAtt deliveryRole.Arn

     Put this IAM Role's ARN into the bucket policy.
  13. Put this IAM Role's ARN into the bucket policy (in the account that owns the bucket):

     {
       "Sid": "Kinesis Firehose to S3",
       "Effect": "Allow",
       "Principal": {
         "AWS": ["arn:aws:iam::XXXXXXXXXXXX:role/FirehoseToCrossAccountS3Role"]
       },
       "Action": [
         "s3:AbortMultipartUpload",
         "s3:GetBucketLocation",
         "s3:GetObject",
         "s3:ListBucket",
         "s3:ListBucketMultipartUploads",
         "s3:PutObject",
         "s3:PutObjectAcl"
       ],
       "Resource": [
         "arn:aws:s3:::bucketname",
         "arn:aws:s3:::bucketname/*"
       ]
     }
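Slide 11 ties the delivery role's trust policy to the stack's own account with sts:ExternalId, and slides 12 and 13 hand that role's ARN to the bucket owner to paste into the bucket policy. The Python below is an added example, not code from the slides: it builds the slide-13 statement from a role ARN and a bucket ARN, and checks a bucket policy and a trust policy against what the template needs (wildcard principals or actions, missing actions per resource, missing ExternalId). The account id 111111111111, the sample policies and the function names are constructed for this example.

```python
"""Build and check the cross-account grants used by the Firehose-to-S3 template.

Added example; the ARNs below are constructed placeholders, not values from the slides.
"""
import json

ROLE_ARN = "arn:aws:iam::111111111111:role/FirehoseToCrossAccountS3Role"
BUCKET_ARN = "arn:aws:s3:::bucketname"
STREAM_ACCOUNT = "111111111111"

# Actions the template grants the delivery role, split by the resource they apply to.
BUCKET_ACTIONS = ("s3:GetBucketLocation", "s3:ListBucket", "s3:ListBucketMultipartUploads")
OBJECT_ACTIONS = ("s3:AbortMultipartUpload", "s3:GetObject", "s3:PutObject", "s3:PutObjectAcl")


def build_statement(role_arn, bucket_arn, sid="Kinesis Firehose to S3"):
    """Bucket-policy statement the bucket owner adds, built from the stack's RoleARN output."""
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"AWS": [role_arn]},
        "Action": list(BUCKET_ACTIONS + OBJECT_ACTIONS),
        "Resource": [bucket_arn, bucket_arn + "/*"],
    }


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principals(stmt, key):
    """Return the Principal entries of the given kind ("AWS" or "Service"), '*' included."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return _as_list(principal.get(key, []))
    return []


def check_bucket_policy(policy, role_arn, bucket_arn):
    """Findings for the bucket policy; empty means the role gets exactly what Firehose needs."""
    findings = []
    granted = set()  # (action, resource) pairs granted to role_arn
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principals = _principals(stmt, "AWS")
        if "*" in principals:
            findings.append(f"{sid}: Principal '*' exposes the bucket to every AWS principal")
            continue
        if role_arn not in principals:
            continue  # a grant to someone else is not this role's business
        actions = _as_list(stmt.get("Action", []))
        if any(a in ("*", "s3:*") for a in actions):
            findings.append(f"{sid}: wildcard action is broader than Firehose needs")
        for action in actions:
            for resource in _as_list(stmt.get("Resource", [])):
                granted.add((action, resource))
    # Bucket-level actions must be on the bucket ARN, object-level ones on bucket/*
    required = [(a, bucket_arn) for a in BUCKET_ACTIONS]
    required += [(a, bucket_arn + "/*") for a in OBJECT_ACTIONS]
    for action, resource in required:
        if (action, resource) not in granted:
            findings.append(f"missing {action} on {resource}")
    return findings


def check_trust_policy(trust, account_id):
    """Findings for the role's AssumeRolePolicyDocument as the template writes it."""
    findings = []
    for stmt in trust.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        sid = stmt.get("Sid") or "<no Sid>"
        if "firehose.amazonaws.com" not in _principals(stmt, "Service"):
            findings.append(f"{sid}: principal is not the Firehose service")
        external_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if external_id != account_id:
            findings.append(f"{sid}: sts:ExternalId is not the stream owner's account id (confused-deputy guard)")
    return findings


if __name__ == "__main__":
    policy = {"Version": "2012-10-17", "Statement": [build_statement(ROLE_ARN, BUCKET_ARN)]}
    print(json.dumps(policy, indent=2))
    print("bucket policy findings:", check_bucket_policy(policy, ROLE_ARN, BUCKET_ARN))
```

Running the file prints the statement to hand to the bucket owner; check_bucket_policy can then be run over the policy they actually applied (for example the output of `aws s3api get-bucket-policy`) before the first delivery is attempted, which is cheaper than reading Firehose error logs after the fact.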
  14. Wrote one almost for the first time, but CloudFormation is handy: handing it to someone else to run is really easy; you can build the input/output screens too, so with a written procedure anyone can do the work; and the stack stays around, so you can see what was done, which is nice.

  15. (no text on this slide)