in source/remediation_runbooks/scripts/CreateCloudTrailMultiRegionTrail_createcloudtrailbucketpolicy.py [0:0]
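def create_bucket_policy(event, context):
    """Attach the CloudTrail log-delivery bucket policy to the target bucket.

    SSM Automation script handler. Reads the bucket name, partition and
    account id from ``event`` and calls ``PutBucketPolicy`` with the two
    statements CloudTrail needs to deliver logs: ``s3:GetBucketAcl`` on the
    bucket and ``s3:PutObject`` under ``AWSLogs/<account>/``.

    Args:
        event: dict with keys ``cloudtrail_bucket`` (bucket name),
            ``partition`` (e.g. ``aws``) and ``account`` (account id used in
            the ``AWSLogs/<account>/*`` object prefix).
        context: Automation context; not used.

    Returns:
        ``{"output": {"Message": ...}}`` on success.

    Raises:
        KeyError: if a required ``event`` key is missing (raised before any
            API call is made).
        SystemExit: via ``exit()`` when ``PutBucketPolicy`` fails.

    Note:
        ``PutBucketPolicy`` replaces the bucket's whole policy; any
        statements already attached to the bucket are discarded, not merged.
    """
    boto_config = Config(retries={'mode': 'standard'})
    s3 = connect_to_s3(boto_config)

    cloudtrail_bucket = event['cloudtrail_bucket']
    aws_partition = event['partition']
    aws_account = event['account']

    bucket_policy = _cloudtrail_bucket_policy(
        aws_partition, cloudtrail_bucket, aws_account
    )

    # Keep the try body to the API call only: a bug in policy construction
    # should surface as a normal traceback, not as 'PutBucketPolicy failed'.
    try:
        s3.put_bucket_policy(
            Bucket=cloudtrail_bucket,
            Policy=json.dumps(bucket_policy)
        )
    except Exception as e:
        print(e)
        exit('PutBucketPolicy failed: ' + str(e))

    return {
        "output": {
            "Message": f'Set bucket policy for bucket {cloudtrail_bucket}'
        }
    }


def _cloudtrail_bucket_policy(aws_partition, cloudtrail_bucket, aws_account):
    """Build the bucket policy document CloudTrail needs for log delivery.

    Args:
        aws_partition: partition segment of the ARN (``aws``, ``aws-us-gov``, ...).
        cloudtrail_bucket: name of the bucket receiving the logs.
        aws_account: account id forming the ``AWSLogs/<account>/`` prefix.

    Returns:
        The policy as a plain dict (caller serialises it with ``json.dumps``).
    """
    bucket_arn = f"arn:{aws_partition}:s3:::{cloudtrail_bucket}"
    # CloudTrail only writes objects below AWSLogs/<account>/; the s3:x-amz-acl
    # condition forces bucket-owner-full-control so the bucket owner can read
    # the delivered objects.
    log_prefix_arn = f"{bucket_arn}/AWSLogs/{aws_account}/*"

    # NOTE(review): AWS recommends an aws:SourceArn condition on both
    # statements so only the intended trail can use this bucket
    # (confused-deputy hardening). The trail ARN is not among this script's
    # inputs, so it is not added here -- TODO confirm whether the caller can
    # supply it.
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck20150319",
                "Effect": "Allow",
                "Principal": {
                    "Service": [
                        "cloudtrail.amazonaws.com"
                    ]
                },
                "Action": "s3:GetBucketAcl",
                "Resource": bucket_arn
            },
            {
                "Sid": "AWSCloudTrailWrite20150319",
                "Effect": "Allow",
                "Principal": {
                    "Service": [
                        "cloudtrail.amazonaws.com"
                    ]
                },
                "Action": "s3:PutObject",
                "Resource": log_prefix_arn,
                "Condition": {
                    "StringEquals": {
                        "s3:x-amz-acl": "bucket-owner-full-control"
                    }
                }
            }
        ]
    }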