What I want to do
- Enable server-side logging for S3 and collect the log data
- The collected log data should be under Object Lock (governance mode)
- Because I want IaC, resources should be defined and deployed with CloudFormation (specifically SAM)
- A minimal lifecycle policy should be applied (change the storage class after a set period, delete incomplete multipart uploads, and so on)
Where I got stuck during implementation
It appears that a bucket with Object Lock enabled cannot be registered as the destination bucket for server-side logs.
So I implemented the following configuration:
- [1] Write the log data to an intermediate bucket first
- [2] Enable replication on the intermediate bucket and replicate (copy) into the log bucket
- [3] Delete the data written to the intermediate bucket as it is replicated, to optimize cost
If there is a better approach, please let me know.
Source code
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31
Resources:
  # Define the bucket whose server access logs we want to enable.
  # Logs are delivered to the intermediate bucket, because the Object Lock
  # bucket itself is not accepted as a logging destination.
  SourceBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: source-bucket
      LoggingConfiguration:
        DestinationBucketName: !Ref IntermediateLogBucket
        LogFilePrefix: logs/   # matches the logs/ prefix used by the archive rule below
      VersioningConfiguration:
        Status: Enabled
      LifecycleConfiguration:
        Rules:
          - Id: delete-multipart
            Status: Enabled
            AbortIncompleteMultipartUpload:
              DaysAfterInitiation: 1

  # Define the intermediate bucket (replication source)
  IntermediateLogBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: mid-log-bucket
      ReplicationConfiguration:
        Role: !GetAtt LogBucketInteremediateRole.Arn
        Rules:
          - Destination:
              Bucket: !Sub arn:aws:s3:::${LogBucket}
            Status: Enabled
      VersioningConfiguration:
        Status: Enabled
      LifecycleConfiguration:
        Rules:
          - Id: delete-multipart
            Status: Enabled
            AbortIncompleteMultipartUpload:
              DaysAfterInitiation: 1
          - Id: delete-objects-after-1-day
            Status: Enabled
            Expiration:
              Days: 1
            # The bucket is versioned (required for replication), so Expiration
            # alone only adds a delete marker; expire the noncurrent versions too.
            NoncurrentVersionExpiration:
              NoncurrentDays: 1

  # Define the IAM role used by S3 replication
  LogBucketInteremediateRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: sts:AssumeRole
            Principal:
              Service: s3.amazonaws.com
      Policies:
        - PolicyName: s3-replication-policy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Resources must be full ARNs. The intermediate bucket is named explicitly
              # here because referencing it from the role would create a circular dependency.
              - Effect: Allow
                Action:
                  - s3:ListBucket
                  - s3:GetReplicationConfiguration
                Resource: arn:aws:s3:::mid-log-bucket
              - Effect: Allow
                Action:
                  - s3:GetObjectVersionForReplication
                  - s3:GetObjectVersionAcl
                  - s3:GetObjectVersionTagging
                Resource: arn:aws:s3:::mid-log-bucket/*
              - Effect: Allow
                Action:
                  - s3:ReplicateObject
                  - s3:ReplicateDelete
                  - s3:ReplicateTags
                Resource:
                  - !Sub arn:aws:s3:::${LogBucket}/*

  # Define the bucket with Object Lock enabled (final log destination)
  LogBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: log-bucket
      VersioningConfiguration:
        Status: Enabled
      ObjectLockEnabled: true
      ObjectLockConfiguration:
        ObjectLockEnabled: Enabled
        Rule:
          DefaultRetention:
            Mode: GOVERNANCE
            Years: 3
      LifecycleConfiguration:
        Rules:
          - Id: delete-multipart
            Status: Enabled
            AbortIncompleteMultipartUpload:
              DaysAfterInitiation: 1
          - Id: archive
            Status: Enabled
            Prefix: logs/
            Transitions:
              - StorageClass: GLACIER_IR
                TransitionInDays: 30

  # Define the bucket policy that lets the S3 logging service write into the intermediate bucket
  LogBucketIntermediatePolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref IntermediateLogBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: logging.s3.amazonaws.com
            Action: s3:PutObject
            Resource: !Sub arn:aws:s3:::${IntermediateLogBucket}/*
            Condition:
              ArnLike:
                aws:SourceArn: arn:aws:s3:::source-bucket

  # Define the bucket policy on the log bucket
  LogBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref LogBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Action:
              - s3:GetBucketAcl
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Resource: !Sub arn:aws:s3:::${LogBucket}
          - Action:
              - s3:PutObject
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Resource: !Sub arn:aws:s3:::${LogBucket}/*
            Condition:
              StringEquals:
                s3:x-amz-acl: bucket-owner-full-control
```
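As an added guardrail that is not part of the original post: a small check that walks a template's Resources section (held as plain Python dicts, with !Ref/!Sub/!GetAtt assumed to be already resolved to logical bucket ids) and flags the three constraints the logging -> replication -> Object Lock chain above depends on: the logging destination must not be an Object Lock bucket, replication needs versioning at both ends, and expiring current versions on a versioned bucket does not remove the noncurrent ones. The sample resources are constructed to mirror the post's template.

```python
# Added guardrail (not from the original post): walks the Resources section of a
# CloudFormation template held as plain dicts, with !Ref/!Sub/!GetAtt assumed already
# resolved to logical bucket ids, and flags what the post's design depends on.

def _buckets(resources):
    """Map logical id -> Properties for every AWS::S3::Bucket resource."""
    return {n: r.get("Properties", {}) for n, r in resources.items()
            if r.get("Type") == "AWS::S3::Bucket"}

def _versioned(props):
    return props.get("VersioningConfiguration", {}).get("Status") == "Enabled"

def check_log_chain(resources):
    """Return findings as strings; an empty list means the chain is sound."""
    findings, buckets = [], _buckets(resources)
    for name, props in buckets.items():
        # 1. Server access logging cannot deliver into an Object Lock bucket (the post's blocker).
        target = props.get("LoggingConfiguration", {}).get("DestinationBucketName")
        if target and buckets.get(target, {}).get("ObjectLockEnabled"):
            findings.append(f"{name}: log target {target} has Object Lock enabled")
        # 2. Replication needs versioning on the source and on every destination.
        repl = props.get("ReplicationConfiguration", {})
        if repl and not _versioned(props):
            findings.append(f"{name}: replication source is not versioned")
        for rule in repl.get("Rules", []):
            dest = rule["Destination"]["Bucket"]
            if not _versioned(buckets.get(dest, {})):
                findings.append(f"{name}: replication destination {dest} is not versioned")
        # 3. On a versioned bucket Expiration only writes a delete marker; noncurrent versions stay.
        for rule in props.get("LifecycleConfiguration", {}).get("Rules", []):
            if _versioned(props) and "Expiration" in rule and "NoncurrentVersionExpiration" not in rule:
                findings.append(f"{name}: rule {rule.get('Id')} leaves noncurrent versions")
    return findings

# Constructed resources mirroring the post's template; keys are the post's logical ids.
LOCKED = {"Type": "AWS::S3::Bucket", "Properties": {
    "ObjectLockEnabled": True, "VersioningConfiguration": {"Status": "Enabled"}}}
MID = {"Type": "AWS::S3::Bucket", "Properties": {
    "VersioningConfiguration": {"Status": "Enabled"},
    "ReplicationConfiguration": {"Rules": [{"Destination": {"Bucket": "LogBucket"}}]},
    "LifecycleConfiguration": {"Rules": [{"Id": "delete-objects-after-1-day",
        "Expiration": {"Days": 1}, "NoncurrentVersionExpiration": {"NoncurrentDays": 1}}]}}}

def source_bucket(log_target):
    return {"Type": "AWS::S3::Bucket",
            "Properties": {"LoggingConfiguration": {"DestinationBucketName": log_target}}}

DIRECT = {"SourceBucket": source_bucket("LogBucket"), "LogBucket": LOCKED}  # what S3 rejects
VIA_MID = {"SourceBucket": source_bucket("IntermediateLogBucket"),
           "IntermediateLogBucket": MID, "LogBucket": LOCKED}               # the post's workaround
```

`check_log_chain(DIRECT)` reports the logging-target finding, while `check_log_chain(VIA_MID)` returns an empty list; the same function can be pointed at any template whose intrinsics have been resolved.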