Updated per @Kishore request (#23)

* updated/re-shuffle of README.md

* initial commit of guide

* removed root principals from dlq policies

Author: ZacharyWallace

templates/deepwatch-logging-resource-configuration.yaml

@@ -91,9 +91,10 @@ Resources:
             Resource: !GetAtt 
               - rGuardDutyDeadLetterQueue
               - Arn
-            Principal:
-              AWS:
-                - !Sub 'arn:aws:iam::${AWS::AccountId}:root'
+            Principal: '*'
+            Condition:
+              ArnEquals:
+                'aws:Sourcearn': !Sub 'arn:aws:s3:::${pGuardDutyBucketName}'
       Queues:
         - !Ref rGuardDutyDeadLetterQueue
 
@@ -168,9 +169,10 @@ Resources:
             Resource: !GetAtt 
               - rCloudTrailDeadLetterQueue
               - Arn
-            Principal:
-              AWS:
-                - !Sub 'arn:aws:iam::${AWS::AccountId}:root'
+            Principal: '*'
+            Condition:
+              ArnEquals:
+                'aws:Sourcearn': !Sub 'arn:aws:s3:::${pGuardDutyBucketName}'
       Queues:
         - !Ref rCloudTrailDeadLetterQueue
 
@@ -244,9 +246,10 @@ Resources:
             Resource: !GetAtt 
               - rControlTowerPreProcessedDeadLetterQueue
               - Arn
-            Principal:
-              AWS:
-                - !Sub 'arn:aws:iam::${AWS::AccountId}:root'
+            Principal: '*'
+            Condition:
+              ArnEquals:
+                'aws:Sourcearn': !Sub 'arn:aws:s3:::${pGuardDutyBucketName}'
       Queues:
         - !Ref rControlTowerPreProcessedDeadLetterQueue
 
@@ -696,4 +699,4 @@ Outputs:
     Value: !GetAtt [rGuardDutyQueue, Arn]
   oDeepwatchRoleArn:
     Description: The Arn of the IAM Role for Deepwatch log ingestion, supply to Deepwatch onboarding engineer
-    Value: !GetAtt [rDeepwatchRole, Arn]
+    Value: !GetAtt [rDeepwatchRole, Arn]