
Untitled

a guest
Oct 14th, 2019
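  # CloudFormation fragment: a Logstash container on Fargate that receives syslog
  # and writes to a private, encrypted S3 bucket.
  # Names referenced with !Ref but not defined in this excerpt: S3BucketName,
  # S3BucketCannedACL, S3BucketRegion, SyslogInputPort, ContainerCPU,
  # ContainerMemory, ImageUrl, LogstashContainerName, RoleECSExecution, LogGroup.
  Resources:
    # Destination bucket: SSE-S3 default encryption, all four public-access
    # blocks enabled, private canned ACL.
    LogstashBucket:
      Type: AWS::S3::Bucket
      Properties:
        BucketName: !Ref S3BucketName
        BucketEncryption:
          ServerSideEncryptionConfiguration:
            - ServerSideEncryptionByDefault:
                SSEAlgorithm: AES256
        PublicAccessBlockConfiguration:
          BlockPublicAcls: true
          BlockPublicPolicy: true
          IgnorePublicAcls: true
          RestrictPublicBuckets: true
        AccessControl: Private

    # Resource policy on the bucket.
    LogstashBucketPolicyPut:
      Type: AWS::S3::BucketPolicy
      Properties:
        Bucket: !Ref LogstashBucket
        PolicyDocument:
          # Version was missing; stated explicitly to match the other policy
          # documents in this template.
          Version: "2012-10-17"
          Statement:
            # Grants s3:PutObject on every object key to the ECS tasks service
            # principal.
            # NOTE(review): an Allow statement only adds a grant; it does not stop
            # other principals from writing. The task itself calls S3 with the
            # credentials of its task role (LogstashRolePutToS3), so confirm that
            # this service-principal grant is needed at all. If it stays, scope it
            # with a Condition; the line commented out below was presumably meant
            # for that, but it names no condition key and would not validate.
            # NOTE(review): consider adding a Deny on aws:SecureTransport = false
            # so that plain-HTTP requests to the bucket are refused.
            - Effect: "Allow"
              Principal:
                Service:
                  - "ecs-tasks.amazonaws.com"
              Action: "s3:PutObject"
              # Object ARN pattern; built from the bucket's Arn attribute rather
              # than a hard-coded "arn:aws:s3:::" prefix.
              Resource: !Sub "${LogstashBucket.Arn}/*"
              # Condition: ArnEquals: !GetAtt LogstashTaskDef.Arn

    # Identity policy attached to the task role: write-only access to the bucket.
    LogstashPolicyPutToS3:
      Type: AWS::IAM::ManagedPolicy
      Properties:
        ManagedPolicyName: "LogstashPolicyPutToS3"
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: "Allow"
              Action: "s3:PutObject"
              # s3:PutObject is an object-level action, so the resource has to be
              # the object ARN pattern. The bare bucket ARN used before matches no
              # object, which left this grant without effect.
              Resource: !Sub "${LogstashBucket.Arn}/*"

    # Task role assumed by the containers; trust is limited to ECS tasks.
    LogstashRolePutToS3:
      Type: AWS::IAM::Role
      Properties:
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: "Allow"
              Principal:
                Service:
                  - "ecs-tasks.amazonaws.com"
              Action: "sts:AssumeRole"
        ManagedPolicyArns:
          - !Ref LogstashPolicyPutToS3
        RoleName: "LogstashRolePutToS3"

    # Fargate task definition for the Logstash container.
    # The logical ID was at column 0 in the original, which made it a top-level
    # template key instead of an entry under Resources.
    LogstashTaskDef:
      Type: AWS::ECS::TaskDefinition
      Properties:
        NetworkMode: awsvpc
        RequiresCompatibilities:
          - FARGATE
        Cpu: !Ref ContainerCPU
        Memory: !Ref ContainerMemory
        # Execution role: used by ECS itself (the awslogs driver below runs under
        # it). Task role: the credentials the container sees.
        ExecutionRoleArn: !Ref RoleECSExecution
        TaskRoleArn: !Ref LogstashRolePutToS3
        ContainerDefinitions:
          - Name: !Ref LogstashContainerName
            Image: !Ref ImageUrl
            PortMappings:
              - ContainerPort: !Ref SyslogInputPort
                HostPort: !Ref SyslogInputPort
            LogConfiguration:
              LogDriver: awslogs
              Options:
                awslogs-region: !Ref AWS::Region
                awslogs-group: !Ref LogGroup
                awslogs-stream-prefix: ecs
            Environment:
              - Name: S3_BUCKET_BUCKETNAME
                Value: !Ref S3BucketName
              # NOTE(review): the bucket sets BlockPublicAcls, so an upload that
              # carries a public canned ACL will be rejected. The task role is
              # granted only s3:PutObject; verify whether the ACL chosen here
              # also needs s3:PutObjectAcl.
              - Name: S3_BUCKET_CANNED_ACL
                Value: !Ref S3BucketCannedACL
              - Name: SYSLOG_INPUT_PORT
                Value: !Ref SyslogInputPort
              - Name: S3_BUCKET_REGION
                Value: !Ref S3BucketRegion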