AWSTemplateFormatVersion: 2010-09-09 Description: FlowLog - Infrastructure at the hub account for VPC Flow Log automation Parameters: OrgId: Type: String Description: The Amazon Organizations ID MinLength: 12 MaxLength: 12 AllowedPattern: '^[o][\-][a-z0-9]{10}$' ConstraintDescription: The Org Id must be a 12 character string starting with o- and followed by 10 lower case alphanumeric characters EventBusDestinationAccount: Type: String Description: AWS Account ID where the dedicated Event bus will be created AllowedPattern: '^[0-9]{12}$' MinLength: 12 MaxLength: 12 StackSetArn: Type: String Description: ARN of the StackSet deployed from Control Tower Master account (ct_vpc_flowlog_master_stack.yml) Mappings: SourceCode: Key: Activator: "ct_flowlog_activator.zip" LifeCycle: "ct_flowlog_lifecycle.zip" S3perRegion: us-east-1: NAME: marketplace-sa-resources-ct-us-east-1 us-east-2: NAME: marketplace-sa-resources-ct-us-east-2 us-west-2: NAME: marketplace-sa-resources-ct-us-west-2 eu-west-1: NAME: marketplace-sa-resources-ct-eu-west-1 ap-southeast-2: NAME: marketplace-sa-resources-ct-ap-southeast-2 Resources: FlowLogHubRole: Type: AWS::IAM::Role Properties: RoleName: FlowLogHubRole Description: FlowLog - Role assumed by Lambda in Hub Account AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: AWS: !Join - '' - - 'arn:aws:iam::' - !Ref EventBusDestinationAccount - ':root' Action: - "sts:AssumeRole" Condition: StringEquals: sts:ExternalId: !Ref OrgId Path: "/" Policies: - PolicyName: FlowLogHubPolicy PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - cloudformation:ListStackInstances Resource: - !Ref StackSetArn Metadata: cfn_nag: rules_to_suppress: - id: W28 reason: "Explicit role name required for reference on other resources" FlowLogLifeCycleRole: Type: AWS::IAM::Role Properties: Description: FlowLog - Role used by lambda for life cycle / new account creation AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: Service: - "lambda.amazonaws.com" Action: - "sts:AssumeRole" Path: "/" Policies: - PolicyName: StackSetPolicy PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - cloudformation:ListStackInstances - cloudformation:CreateStackInstances Resource: - !Ref StackSetArn - Effect: Allow Action: - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents Resource: - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/*' FlowLogLifeCycle: Type: "AWS::Lambda::Function" Properties: FunctionName: !Sub ${AWS::StackName}-FlowLogLifeCycle Description: FlowLog - Function to handle Control Tower LifeCycle Handler: "ct_flowlog_lifecycle.lambda_handler" Role: !GetAtt FlowLogLifeCycleRole.Arn Code: S3Bucket: !FindInMap [ S3perRegion, !Ref "AWS::Region", NAME ] S3Key: !Join ["/", [!FindInMap ["SourceCode", "Key", "LifeCycle"]]] Runtime: "python3.7" MemorySize: 128 Timeout: 300 Environment: Variables: stack_set_arn: !Ref StackSetArn CreateAccountLifeCycleRule: Type: AWS::Events::Rule Properties: Description: FlowLog - CT Life Cycle for CreateManageAccount EventPattern: { "source": [ "aws.controltower" ], "detail-type": [ "AWS Service Event via CloudTrail" ], "detail": { "eventSource": [ "controltower.amazonaws.com" ], "eventName": [ "CreateManagedAccount" ] } } State: ENABLED Targets: - Arn: !GetAtt FlowLogLifeCycle.Arn Id: "OrganizationalUnitLifeCycle" CreateAccountLifeCycleRulePermission: Type: AWS::Lambda::Permission Properties: FunctionName: !GetAtt FlowLogLifeCycle.Arn Action: "lambda:InvokeFunction" Principal: "events.amazonaws.com" SourceArn: !GetAtt CreateAccountLifeCycleRule.Arn