Description: EJS SSPM Artifact Store(s) deployed in non home regions Mappings: Config: Service: Name: ejs-sc ArtifactBucketName: ejs-sc-store Parameters: ManagedResourcePrefix: Type: String Default: ejs-sc KmsKeyArn: Type: String Resources: KmsKeyReplica: Type: AWS::KMS::ReplicaKey Properties: Description: Enterprise Jumpstart Artifacts Key PrimaryKeyArn: !Ref KmsKeyArn KeyPolicy: Version: "2012-10-17" Id: !Ref AWS::StackName Statement: - Sid: Allows admin of the key Effect: Allow Principal: AWS: !Sub arn:aws:iam::${AWS::AccountId}:root Action: - "kms:Create*" - "kms:Describe*" - "kms:Enable*" - "kms:List*" - "kms:Put*" - "kms:Update*" - "kms:Revoke*" - "kms:Disable*" - "kms:Get*" - "kms:Delete*" - "kms:ScheduleKeyDeletion" - "kms:CancelKeyDeletion" Resource: "*" - Sid: Allow use of the key for Audit/Logs account Effect: Allow Principal: AWS: - !Sub arn:aws:iam::${AWS::AccountId}:root Action: - kms:Encrypt - kms:Decrypt - kms:ReEncrypt* - kms:GenerateDataKey* - kms:DescribeKey Resource: "*" KMSAlias: Type: AWS::KMS::Alias Properties: AliasName: !Sub alias/${ManagedResourcePrefix}-codepipeline TargetKeyId: !Ref KmsKeyReplica ArtifactBucket: DeletionPolicy: Retain Type: AWS::S3::Bucket Properties: BucketName: !Sub '${ManagedResourcePrefix}-${AWS::AccountId}-${AWS::Region}-artifacts' VersioningConfiguration: Status: Enabled BucketEncryption: ServerSideEncryptionConfiguration: - BucketKeyEnabled: true ServerSideEncryptionByDefault: KMSMasterKeyID: !Ref KmsKeyReplica SSEAlgorithm: 'aws:kms' ArtifactBucketPolicy: Type: AWS::S3::BucketPolicy Properties: Bucket: !Ref ArtifactBucket PolicyDocument: Version: 2012-10-17 Statement: - Action: - 's3:Get*' - 's3:Put*' - 's3:List*' Effect: Allow Resource: - !Join - '' - - 'arn:aws:s3:::' - !Ref ArtifactBucket - /* - !Join - '' - - 'arn:aws:s3:::' - !Ref ArtifactBucket Principal: AWS: - !Sub arn:aws:iam::${AWS::AccountId}:root ServiceCatalogArtifactsBucket: Type: AWS::S3::Bucket Properties: BucketName: !FindInMap [Config, Service, ArtifactBucketName] VersioningConfiguration: Status: Enabled BucketEncryption: ServerSideEncryptionConfiguration: - ServerSideEncryptionByDefault: SSEAlgorithm: AES256 ServiceCatalogArtifactsReadPolicy: Type: AWS::IAM::ManagedPolicy Properties: PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - s3:GetObject - s3:GetObjectVersion - s3:GetBucketVersioning - s3:ListBucketVersions - s3:ListBucket Resource: - !Sub arn:aws:s3:::${ServiceCatalogArtifactsBucket}/* - !GetAtt ServiceCatalogArtifactsBucket.Arn ServiceCatalogArtifactsWritePolicy: Type: AWS::IAM::ManagedPolicy Properties: PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - s3:PutObject - s3:ListBucket Resource: - !Sub arn:aws:s3:::${ServiceCatalogArtifactsBucket}/* - !GetAtt ServiceCatalogArtifactsBucket.Arn Outputs: SSPMServiceCatalogArtifactsBucketName: Value: !Ref ServiceCatalogArtifactsBucket Export: Name: !Sub - ${ServiceName}-artifacts-bucket-name - ServiceName: !FindInMap [Config, Service, Name] SSPMServiceCatalogArtifactsWritePolicyArn: Value: !Ref ServiceCatalogArtifactsWritePolicy Export: Name: !Sub - ${ServiceName}-artifacts-write-policy-arn - ServiceName: !FindInMap [Config, Service, Name] SSPMServiceCatalogArtifactsReadPolicyArn: Value: !Ref ServiceCatalogArtifactsReadPolicy Export: Name: !Sub - ${ServiceName}-artifacts-read-policy-arn - ServiceName: !FindInMap [Config, Service, Name] KmsKeyId: Value: !Ref KmsKeyReplica