New: Become a sponsor via GitHub Sponsors!

Antivirus for Amazon S3

This template creates a malware scanner cluster for S3 buckets. Connect as many S3 buckets as you like.

bucketAV - Antivirus for Amazon S3 with additional features is available at AWS Marketplace.

Features

Additional Commercial Features by bucketAV

bucketAV - Antivirus for Amazon S3 with additional features is available at AWS Marketplace.

Installation Guide

Visit the template's repository for installation instructions: aws-s3-virusscan

Account Password Policy

This template creates an account password policy for your IAM users. You can:

Or just use the suggested defaults.

Amazon S3 URL: https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/stable/security/account-password-policy.yaml

Installation Guide

  1. Launch Stack
  2. Click Next to proceed with the next step of the wizard.
  3. Specify a name and all parameters for the stack.
  4. Click Next to proceed with the next step of the wizard.
  5. Click Next to skip the Options step of the wizard.
  6. Check the I acknowledge that this template might cause AWS CloudFormation to create IAM resources. checkbox.
  7. Click Create to start the creation of the stack.
  8. Wait until the stack reaches the state CREATE_COMPLETE

Authentication Proxy using your GitHub Organization

This template describes a highly available authentication proxy that forwards request to a upstream http(s) endpoint if the user is authenticated against your GitHub Organization.

Architecture

Amazon S3 URL: https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/stable/security/auth-proxy-ha-github-orga.yaml

Installation Guide

  1. This template depends on one of our vpc-*azs.yaml templates. Launch Stack
  2. Launch Stack
  3. Click Next to proceed with the next step of the wizard.
  4. Specify a name and all parameters for the stack.
  5. Click Next to proceed with the next step of the wizard.
  6. Click Next to skip the Options step of the wizard.
  7. Check the I acknowledge that this template might cause AWS CloudFormation to create IAM resources. checkbox.
  8. Click Create to start the creation of the stack.
  9. Wait until the stack reaches the state CREATE_COMPLETE

Dependencies

Limitations

CloudTrail across all regions

This template enables CloudTrail to records AWS API calls across all regions in your AWS account. API calls are archived in S3 and also pushed CloudWatch Logs. If new API calls are available in S3 a SNS topic is notified.

Amazon S3 URL: https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/stable/security/cloudtrail.yaml

Installation Guide

  1. Launch Stack
  2. Click Next to proceed with the next step of the wizard.
  3. Specify a name and all parameters for the stack.
  4. Click Next to proceed with the next step of the wizard.
  5. Click Next to skip the Options step of the wizard.
  6. Check the I acknowledge that this template might cause AWS CloudFormation to create IAM resources. checkbox.
  7. Click Create to start the creation of the stack.
  8. Wait until the stack reaches the state CREATE_COMPLETE

If you want to use an external S3 bucket, the bucket needs to have the following S3 bucket policy:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AWSCloudTrailAclCheck",
    "Effect": "Allow",
    "Principal": {
      "Service": "cloudtrail.amazonaws.com"
    },
    "Action": "s3:GetBucketAcl",
    "Resource": "arn:aws:s3:::$ExternalTrailBucket"
  }, {
    "Sid": "AWSCloudTrailWrite",
    "Effect": "Allow",
    "Principal": {
      "Service": "cloudtrail.amazonaws.com"
    },
    "Action": "s3:PutObject",
    "Resource": [
      "arn:aws:s3:::$ExternalTrailBucket/AWSLogs/$AccountId[0]/*",
      "arn:aws:s3:::$ExternalTrailBucket/AWSLogs/$AccountId[1]/*",
      "arn:aws:s3:::$ExternalTrailBucket/AWSLogs/$AccountId[2]/*"
    ],
    "Condition": {
      "StringEquals": {
        "s3:x-amz-acl": "bucket-owner-full-control"
      }
    }
  }]
}

Replace $ExternalTrailBucket with the name of your bucket, and add a row for every account you want to write from $AccountId[*].

AWS Config setup

This template enables AWS Config to deliver a AWS resource inventory to S3. Allowing you to keep track of infrastructure changes for compliance and debugging of your cloud infrastructure.

Amazon S3 URL: https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/stable/security/config.yaml

Installation Guide

  1. Launch Stack
  2. Click Next to proceed with the next step of the wizard.
  3. Specify a name and all parameters for the stack.
  4. Click Next to proceed with the next step of the wizard.
  5. Click Next to skip the Options step of the wizard.
  6. Check the I acknowledge that this template might cause AWS CloudFormation to create IAM resources. checkbox.
  7. Click Create to start the creation of the stack.
  8. Wait until the stack reaches the state CREATE_COMPLETE

If you want to use an external S3 bucket, the bucket needs to have the following S3 bucket policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSConfigBucketPermissionsCheck",
      "Effect": "Allow",
      "Principal": {
        "Service": [
         "config.amazonaws.com"
        ]
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::$ExternalConfigBucket"
    },
    {
      "Sid": " AWSConfigBucketDelivery",
      "Effect": "Allow",
      "Principal": {
        "Service": [
         "config.amazonaws.com"
        ]
      },
      "Action": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::$ExternalConfigBucket/AWSLogs/$AccountId[0]/Config/*",
        "arn:aws:s3:::$ExternalConfigBucket/AWSLogs/$AccountId[0]/Config/*",
        "arn:aws:s3:::$ExternalConfigBucket/AWSLogs/$AccountId[2]/Config/*"
      ],
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control" 
        }
      }
    }
  ]
}

Replace $ExternalTrailBucket with the name of your bucket, and add a row for every account you want to write from $AccountId[*].

KMS customer managed CMK for AWS services

This template provides a KMS customer managed CMK used by AWS services. Access control via IAM is also enabled. In case of a CMK deletion, a event is forwarded to the ParentAlertStack (if specified).

ATTENTION: If you delete a stack based on this template, the KMS CMK is NOT deleted to prevent data loss! Mark the CMK for deletion if you really want to delete the CMK! All resources encrypted with the CMK (including RDS snapshots) are unusable after the deletion!

Amazon S3 URL: https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/stable/security/kms-key.yaml

Installation Guide

  1. Launch Stack
  2. Click Next to proceed with the next step of the wizard.
  3. Specify a name and all parameters for the stack.
  4. Click Next to proceed with the next step of the wizard.
  5. Click Next to skip the Options step of the wizard.
  6. Click Create to start the creation of the stack.
  7. Wait until the stack reaches the state CREATE_COMPLETE

If you have an existing KMS customer managed CMK you can wrap it into our required form using a legacy KMS customer managed CMK wrapper: Launch Stack

Dependencies

Security Hub controls

This template provides a way to disable controls when enabling security hub and standards via administrator account. In other words, we assume that the default hub is created and the security standard is enabled where you disable controls.

Amazon S3 URL: https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/stable/security/securityhub-controls.yaml

Installation Guide

  1. Launch Stack
  2. Click Next to proceed with the next step of the wizard.
  3. Specify a name and all parameters for the stack.
  4. Click Next to proceed with the next step of the wizard.
  5. Click Next to skip the Options step of the wizard.
  6. Check the I acknowledge that this template might cause AWS CloudFormation to create IAM resources. checkbox.
  7. Click Create to start the creation of the stack.
  8. Wait until the stack reaches the state CREATE_COMPLETE

Web Application Firewall

This templates provides a WebACL with preconfigured rules.

Amazon S3 URL: https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/stable/security/waf.yaml

Installation Guide

  1. Launch Stack
  2. Click Next to proceed with the next step of the wizard.
  3. Specify a name and all parameters for the stack.
  4. Click Next to proceed with the next step of the wizard.
  5. Click Next to skip the Options step of the wizard.
  6. Click Create to start the creation of the stack.
  7. Wait until the stack reaches the state CREATE_COMPLETE

If you have an existing WEB ACL, or if you need a WAF for CloudFront in a different region, you can wrap it into our required form using a legacy WAF wrapper: Launch Stack