--- AWSTemplateFormatVersion: 2010-09-09 Description: Provides nesting for required stacks to deploy a full sample web application with reverse proxy, ELBs, IAM, and other resources (for demonstration/POC/testing) QS(0029) Metadata: Stack: Value: 0 VersionDate: Value: 20160518 Identifier: Value: main Input: Description: Input of all required parameters in nested stacks Output: Description: N/A AWS::CloudFormation::Interface: ParameterGroups: - Label: default: 'Please provide the following parameter values:' Parameters: - pDBPassword - pNotifyEmail - pEC2KeyPairBastion - pEC2KeyPair - pSupportsConfig - pAvailabilityZones - Label: default: Wazuh Cluster Configuration Parameters: - WazuhAdminName - WazuhAdminPass - Label: default: AWS Quick Start Configuration Parameters: - QSS3BucketName - QSS3KeyPrefix - Label: default: Wazuh required parameters Parameters: - pSshUsername - pSshPassword - pWazuhInstanceType - pWazuhApiAdminPassword - pKibanaPassword - pAwsSecretKey - pAwsAccessKey - pSSLCertificateARN ParameterLabels: pDBPassword: default: Database Password pNotifyEmail: default: Notification Email Address pEC2KeyPairBastion: default: Existing SSH Key for the Bastion Instance pEC2KeyPair: default: Existing SSH Key for Other Instances pSupportsConfig: default: Support Config pAvailabilityZones: default: Availability Zones pVPCTenancy: default: Instance tenancy QSS3BucketName: default: Quick Start S3 Bucket Name QSS3KeyPrefix: default: Quick Start S3 Key Prefix Parameters: pSshUsername: Default: wazuh Description: SSH username Type: String MinLength: '5' MaxLength: '32' AllowedPattern: '[a-zA-Z0-9]*' ConstraintDescription: Only alphanumeric characters. Minimum length 5. Maximum length 32. pSshPassword: Description: SSH Password NoEcho: 'True' Type: String MinLength: '8' MaxLength: '64' AllowedPattern: '[a-zA-Z0-9]*' ConstraintDescription: Only alphanumeric characters. Minimum length 8. Maximum length 64. pWazuhInstanceType: AllowedValues: - t2.micro - t2.medium - t2.large - m5.large - m5.xlarge - m5.2xlarge ConstraintDescription: Must contain valid instance type Default: t2.medium Description: Type of EC2 instance for Wazuh instance Type: String pWazuhApiAdminPassword: Description: Admin password for Wazuh API NoEcho: 'True' Type: String MinLength: '1' MaxLength: '48' AllowedPattern: '[a-zA-Z0-9]*' ConstraintDescription: Only alphanumeric characters pKibanaPassword: Description: Password for Kibana access NoEcho: 'True' Type: String MinLength: '1' MaxLength: '48' AllowedPattern: '[a-zA-Z0-9]*' ConstraintDescription: Only alphanumeric characters pAwsSecretKey: Description: (Optional) Secret key for AWS integration Type: String pAwsAccessKey: Description: (Optional) Access key for AWS integration Type: String pSSLCertificateARN: Description: 'Used for HTTPS access to WUI. Existent certificate, identified by its Amazon Resource Name (ARN).' Type: String pDBPassword: Description: Mixed alphanumeric and must be between 8 and 28 characters and contain at least one capital letter NoEcho: true Type: String MinLength: 8 MaxLength: 28 AllowedPattern: '[a-zA-Z0-9!^*\-_+]*' ConstraintDescription: Can only contain alphanumeric characters or the following special characters !^*-_+, between 8 and 28 characters pNotifyEmail: Description: Notification email address for security events (you will receive a confirmation email) Type: String Default: distlist@example.org pEC2KeyPairBastion: Description: The SSH key pair in your account to use for the bastion host login Type: AWS::EC2::KeyPair::KeyName pEC2KeyPair: Description: The SSH key pair in your account to use for all other EC2 instance logins Type: AWS::EC2::KeyPair::KeyName pSupportsConfig: Description: Is AWS Config Rules already configured for this region? Use ''false'' if you are uncertain. See AWS Config Management Console or Deployment Guide for details. AllowedValues: - 'true' - 'false' Default: 'false' Type: String pAvailabilityZones: Description: Availability Zones Type: List pVPCTenancy: Description: Instance tenancy behavior for this VPC Type: String Default: default AllowedValues: - default - dedicated QSS3BucketName: AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-.]*[0-9a-zA-Z])*$ ConstraintDescription: Quick Start bucket name can include numbers, lowercase letters, uppercase letters, periods (.), and hyphens (-). It cannot start or end with a hyphen (-). Default: aws-quickstart Description: S3 bucket name for the Quick Start assets. Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Type: String QSS3KeyPrefix: AllowedPattern: ^[0-9a-zA-Z-/]*$ ConstraintDescription: Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/). Default: quickstart-compliance-nist-high/ Description: S3 key prefix for the Quick Start assets. Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/). Type: String Mappings: CustomVariables: vResourceEnvironmentTagKey: Value: Environment vResourceEnvironmentTagValue: Value: development RegionServiceSupport: ap-northeast-1: ConfigRules: 'true' NatGateway: 'true' Glacier: 'true' ap-northeast-2: ConfigRules: 'true' NatGateway: 'true' Glacier: 'true' ap-south-1: ConfigRules: 'true' NatGateway: 'true' Glacier: 'true' ap-southeast-1: ConfigRules: 'true' NatGateway: 'true' Glacier: 'true' ap-southeast-2: ConfigRules: 'true' NatGateway: 'true' Glacier: 'true' ca-central-1: ConfigRules: 'true' NatGateway: 'true' Glacier: 'true' eu-central-1: NatGateway: 'true' ConfigRules: 'true' Glacier: 'true' eu-west-1: ConfigRules: 'true' NatGateway: 'true' Glacier: 'true' eu-west-2: ConfigRules: 'true' NatGateway: 'true' Glacier: 'true' sa-east-1: ConfigRules: 'true' NatGateway: 'true' Glacier: 'false' us-east-1: ConfigRules: 'true' NatGateway: 'true' Glacier: 'true' us-east-2: ConfigRules: 'true' NatGateway: 'true' Glacier: 'true' us-gov-west-1: ConfigRules: 'true' NatGateway: 'true' Glacier: 'true' us-west-1: ConfigRules: 'true' NatGateway: 'true' Glacier: 'true' us-west-2: ConfigRules: 'true' NatGateway: 'true' Glacier: 'true' AWSAMIRegionMap: AMI: AMZNLINUXHVM: amzn-ami-hvm-2018.03.0.20181129-x86_64-gp2 ap-northeast-1: AMZNLINUXHVM: ami-00a5245b4816c38e6 InstanceType: m4.large InstanceTypeDatabase: db.m4.large ap-northeast-2: AMZNLINUXHVM: ami-00dc207f8ba6dc919 InstanceType: m4.large InstanceTypeDatabase: db.m4.large ap-south-1: AMZNLINUXHVM: ami-0ad42f4f66f6c1cc9 InstanceType: m4.large InstanceTypeDatabase: db.m4.large ap-southeast-1: AMZNLINUXHVM: ami-05b3bcf7f311194b3 InstanceType: m4.large InstanceTypeDatabase: db.m4.large ap-southeast-2: AMZNLINUXHVM: ami-02fd0b06f06d93dfc InstanceType: m4.large InstanceTypeDatabase: db.m4.large ca-central-1: AMZNLINUXHVM: ami-07423fb63ea0a0930 InstanceType: m4.large InstanceTypeDatabase: db.m4.large eu-central-1: AMZNLINUXHVM: ami-0cfbf4f6db41068ac InstanceType: m4.large InstanceTypeDatabase: db.m4.large eu-west-1: AMZNLINUXHVM: ami-08935252a36e25f85 InstanceType: m4.large InstanceTypeDatabase: db.m4.large eu-west-2: AMZNLINUXHVM: ami-01419b804382064e4 InstanceType: m4.large InstanceTypeDatabase: db.m4.large sa-east-1: AMZNLINUXHVM: ami-05145e0b28ad8e0b2 InstanceType: m4.large InstanceTypeDatabase: db.m3.large us-east-1: AMZNLINUXHVM: ami-0080e4c5bc078760e InstanceType: m4.large InstanceTypeDatabase: db.m4.large us-east-2: AMZNLINUXHVM: ami-0cd3dfa4e37921605 InstanceType: m4.large InstanceTypeDatabase: db.m4.large us-gov-west-1: AMZNLINUXHVM: ami-ffa61d9e InstanceType: m4.large InstanceTypeDatabase: db.m3.large us-west-1: AMZNLINUXHVM: ami-0ec6517f6edbf8044 InstanceType: m4.large InstanceTypeDatabase: db.m4.large us-west-2: AMZNLINUXHVM: ami-01e24be29428c15b2 InstanceType: m4.large InstanceTypeDatabase: db.m4.large Conditions: GovCloudCondition: !Equals - !Ref AWS::Region - us-gov-west-1 LoadConfigRulesTemplate: !Equals - !Ref pSupportsConfig - 'true' LaunchAsDedicatedInstance: !Equals - !Ref pVPCTenancy - dedicated Resources: IamTemplate: Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub - https://aws-nist.s3-us-west-1.amazonaws.com/iam.template - QSS3Region: !If - GovCloudCondition - s3-us-gov-west-1 - s3 TimeoutInMinutes: 20 LoggingTemplate: Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub - https://aws-nist.s3-us-west-1.amazonaws.com/logging.template - QSS3Region: !If - GovCloudCondition - s3-us-gov-west-1 - s3 TimeoutInMinutes: 20 Parameters: pNotifyEmail: !Ref pNotifyEmail pSupportsGlacier: !FindInMap - RegionServiceSupport - !Ref AWS::Region - Glacier ProductionVpcTemplate: Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub - https://aws-nist.s3-us-west-1.amazonaws.com/vpc-production.template - QSS3Region: !If - GovCloudCondition - s3-us-gov-west-1 - s3 TimeoutInMinutes: 20 Parameters: pRegionAZ1Name: !Select [ 0, !Ref pAvailabilityZones ] pRegionAZ2Name: !Select [ 1, !Ref pAvailabilityZones ] pProductionVPCName: Production VPC pBastionSSHCIDR: 0.0.0.0/0 pDMZSubnetACIDR: 10.100.10.0/24 pDMZSubnetBCIDR: 10.100.20.0/24 pManagementCIDR: 10.10.0.0/16 pAppPrivateSubnetACIDR: 10.100.96.0/21 pAppPrivateSubnetBCIDR: 10.100.119.0/21 pDBPrivateSubnetACIDR: 10.100.194.0/21 pDBPrivateSubnetBCIDR: 10.100.212.0/21 pVPCTenancy: !Ref pVPCTenancy pEnvironment: !FindInMap - CustomVariables - vResourceEnvironmentTagValue - Value pEC2KeyPair: !Ref pEC2KeyPair pSupportsNatGateway: !FindInMap - RegionServiceSupport - !Ref AWS::Region - NatGateway pNatAmi: !FindInMap - AWSAMIRegionMap - !Ref AWS::Region - AMZNLINUXHVM pNatInstanceType: !FindInMap - AWSAMIRegionMap - !Ref AWS::Region - InstanceType QSS3BucketName: !Ref QSS3BucketName QSS3KeyPrefix: !Sub ${QSS3KeyPrefix}submodules/quickstart-compliance-common/ ManagementVpcTemplate: Type: AWS::CloudFormation::Stack DependsOn: ProductionVpcTemplate Properties: TemplateURL: !Sub - https://aws-nist.s3-us-west-1.amazonaws.com/vpc-management.template - QSS3Region: !If - GovCloudCondition - s3-us-gov-west-1 - s3 TimeoutInMinutes: 20 Parameters: pProductionVPC: !GetAtt - ProductionVpcTemplate - Outputs.rVPCProduction pRouteTableProdPrivate: !GetAtt - ProductionVpcTemplate - Outputs.rRouteTableProdPrivate pRouteTableProdPublic: !GetAtt - ProductionVpcTemplate - Outputs.rRouteTableProdPublic pProductionCIDR: 10.100.0.0/16 pBastionSSHCIDR: 0.0.0.0/0 pManagementCIDR: 10.10.0.0/16 pManagementDMZSubnetACIDR: 10.10.1.0/24 pManagementDMZSubnetBCIDR: 10.10.2.0/24 pManagementPrivateSubnetACIDR: 10.10.20.0/24 pManagementPrivateSubnetBCIDR: 10.10.30.0/24 pManagementVPCName: Management VPC pEC2KeyPairBastion: !Ref pEC2KeyPairBastion pEC2KeyPair: !Ref pEC2KeyPair pVPCTenancy: !Ref pVPCTenancy pBastionAmi: !FindInMap - AWSAMIRegionMap - !Ref AWS::Region - AMZNLINUXHVM pRegionAZ1Name: !Select [ 0, !Ref pAvailabilityZones ] pRegionAZ2Name: !Select [ 1, !Ref pAvailabilityZones ] pEnvironment: !FindInMap - CustomVariables - vResourceEnvironmentTagValue - Value pBastionInstanceType: !If - LaunchAsDedicatedInstance - m4.large - t2.small pSupportsNatGateway: !FindInMap - RegionServiceSupport - !Ref AWS::Region - NatGateway pNatAmi: !FindInMap - AWSAMIRegionMap - !Ref AWS::Region - AMZNLINUXHVM pNatInstanceType: !FindInMap - AWSAMIRegionMap - !Ref AWS::Region - InstanceType QSS3BucketName: !Ref QSS3BucketName QSS3KeyPrefix: !Sub ${QSS3KeyPrefix}submodules/quickstart-compliance-common/ ConfigRulesTemplate: Type: AWS::CloudFormation::Stack Condition: LoadConfigRulesTemplate DependsOn: - IamTemplate - ProductionVpcTemplate - ManagementVpcTemplate - LoggingTemplate Properties: TemplateURL: !Sub - https://aws-nist.s3-us-west-1.amazonaws.com/config-rules.template - QSS3Region: !If - GovCloudCondition - s3-us-gov-west-1 - s3 TimeoutInMinutes: 20 Parameters: pRequiredTagKey: !FindInMap - CustomVariables - vResourceEnvironmentTagKey - Value WazuhTemplate: Type: AWS::CloudFormation::Stack Properties: TemplateURL: https://aws-nist.s3-us-west-1.amazonaws.com/wazuh_template.yml TimeoutInMinutes: 30 Parameters: pSubnetWazuh: !GetAtt - ProductionVpcTemplate - Outputs.rAppPrivateSubnetA AvailabilityZone: !Join - ',' - !Ref pAvailabilityZones KeyPairName: !Ref pEC2KeyPair WazuhVpc: !GetAtt - ProductionVpcTemplate - Outputs.rVPCProduction SshUsername: !Ref pSshUsername SshPassword: !Ref pSshPassword WazuhInstanceType: !Ref pWazuhInstanceType WazuhApiAdminPassword: !Ref pWazuhApiAdminPassword KibanaPassword: !Ref pKibanaPassword AwsSecretKey: !Ref pAwsSecretKey AwsAccessKey: !Ref pAwsAccessKey SSLCertificateARN: !Ref pSSLCertificateARN ApplicationTemplate: Type: AWS::CloudFormation::Stack DependsOn: WazuhTemplate Properties: TemplateURL: !Sub - https://aws-nist.s3-us-west-1.amazonaws.com/application.template - QSS3Region: !If - GovCloudCondition - s3-us-gov-west-1 - s3 TimeoutInMinutes: 30 Parameters: pSecurityAlarmTopic: !GetAtt - LoggingTemplate - Outputs.rSecurityAlarmTopic pEC2KeyPair: !Ref pEC2KeyPair pProductionCIDR: 10.100.0.0/16 pProductionVPC: !GetAtt - ProductionVpcTemplate - Outputs.rVPCProduction pDMZSubnetA: !GetAtt - ProductionVpcTemplate - Outputs.rDMZSubnetA pDMZSubnetB: !GetAtt - ProductionVpcTemplate - Outputs.rDMZSubnetB pAppPrivateSubnetA: !GetAtt - ProductionVpcTemplate - Outputs.rAppPrivateSubnetA pAppPrivateSubnetB: !GetAtt - ProductionVpcTemplate - Outputs.rAppPrivateSubnetB pWebInstanceType: !FindInMap - AWSAMIRegionMap - !Ref AWS::Region - InstanceType pAppInstanceType: !FindInMap - AWSAMIRegionMap - !Ref AWS::Region - InstanceType pDBPrivateSubnetA: !GetAtt - ProductionVpcTemplate - Outputs.rDBPrivateSubnetA pDBPrivateSubnetB: !GetAtt - ProductionVpcTemplate - Outputs.rDBPrivateSubnetB pManagementCIDR: 10.10.0.0/16 pRegionAZ1Name: !Select [ 0, !Ref pAvailabilityZones ] pRegionAZ2Name: !Select [ 1, !Ref pAvailabilityZones ] pWebServerAMI: !FindInMap - AWSAMIRegionMap - !Ref AWS::Region - AMZNLINUXHVM pAppAmi: !FindInMap - AWSAMIRegionMap - !Ref AWS::Region - AMZNLINUXHVM pDBUser: testuserdb pDBName: testDB pDBPassword: !Ref pDBPassword pDBClass: !FindInMap - AWSAMIRegionMap - !Ref AWS::Region - InstanceTypeDatabase pDBAllocatedStorage: "10" pEnvironment: !FindInMap - CustomVariables - vResourceEnvironmentTagValue - Value pBastionSSHCIDR: 0.0.0.0/0 pSupportsGlacier: !FindInMap - RegionServiceSupport - !Ref AWS::Region - Glacier WazuhManagerIp: !GetAtt - WazuhTemplate - Outputs.WazuhMasterIp QSS3BucketName: !Ref QSS3BucketName QSS3KeyPrefix: !Ref QSS3KeyPrefix Outputs: TemplateType: Value: Standard Multi-Tier Web Application TemplateVersion: Value: 2.0 BastionIP: Description: Use this IP via SSH to connect to Bastion Instance Value: !GetAtt - ManagementVpcTemplate - Outputs.rBastionInstanceIP LandingPageURL: Value: !GetAtt - ApplicationTemplate - Outputs.LandingPageURL WebsiteURL: Value: !GetAtt - ApplicationTemplate - Outputs.WebsiteURL Help: Description: For assistance or questions regarding this quickstart please email compliance-accelerator@amazon.com Value: '' ...