AWSTemplateFormatVersion: '2010-09-09' Description: 'AWS CloudFormation Sample Template CloudWatch_Logs: Provisions a minimal web application, that streams the provisioning logs (cloud-init.log, cfn-init.log, cfn-hup.log, and cfn-wire.log) to CloudWatch Logs.' Parameters: AutoHibernateTimeout: Default: 30 Description: How many minutes idle before shutting down the IDE Type: Number SubnetIdentifier: Description: SubnetId Type: AWS::EC2::Subnet::Id AllowedPattern: ".+" InstanceType: Description: WebServer EC2 instance type Type: String Default: t2.small AllowedValues: - t1.micro - t2.nano - t2.micro - t2.small ConstraintDescription: must be a valid EC2 instance type. KeyName: Description: Name of an existing EC2 KeyPair to enable SSH access to the instances Type: AWS::EC2::KeyPair::KeyName ConstraintDescription: must be the name of an existing EC2 KeyPair. AllowedPattern: ".+" SSHLocation: Description: The IP address range that can be used to SSH to the EC2 instances Type: String MinLength: '9' MaxLength: '18' Default: 0.0.0.0/0 AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x. Mappings: Region2Examples: us-east-1: Examples: https://s3.amazonaws.com/cloudformation-examples-us-east-1 us-west-2: Examples: https://s3-us-west-2.amazonaws.com/cloudformation-examples-us-west-2 us-west-1: Examples: https://s3-us-west-1.amazonaws.com/cloudformation-examples-us-west-1 eu-west-1: Examples: https://s3-eu-west-1.amazonaws.com/cloudformation-examples-eu-west-1 eu-west-2: Examples: https://s3-eu-west-2.amazonaws.com/cloudformation-examples-eu-west-2 eu-west-3: Examples: https://s3-eu-west-3.amazonaws.com/cloudformation-examples-eu-west-3 eu-central-1: Examples: https://s3-eu-central-1.amazonaws.com/cloudformation-examples-eu-central-1 ap-southeast-1: Examples: https://s3-ap-southeast-1.amazonaws.com/cloudformation-examples-ap-southeast-1 ap-northeast-1: Examples: https://s3-ap-northeast-1.amazonaws.com/cloudformation-examples-ap-northeast-1 ap-northeast-2: Examples: https://s3-ap-northeast-2.amazonaws.com/cloudformation-examples-ap-northeast-2 ap-northeast-3: Examples: https://s3-ap-northeast-3.amazonaws.com/cloudformation-examples-ap-northeast-3 ap-southeast-2: Examples: https://s3-ap-southeast-2.amazonaws.com/cloudformation-examples-ap-southeast-2 ap-south-1: Examples: https://s3-ap-south-1.amazonaws.com/cloudformation-examples-ap-south-1 us-east-2: Examples: https://s3-us-east-2.amazonaws.com/cloudformation-examples-us-east-2 ca-central-1: Examples: https://s3-ca-central-1.amazonaws.com/cloudformation-examples-ca-central-1 sa-east-1: Examples: https://s3-sa-east-1.amazonaws.com/cloudformation-examples-sa-east-1 cn-north-1: Examples: https://s3.cn-north-1.amazonaws.com.cn/cloudformation-examples-cn-north-1 cn-northwest-1: Examples: https://s3.cn-northwest-1.amazonaws.com.cn/cloudformation-examples-cn-northwest-1 AWSInstanceType2Arch: t1.micro: Arch: HVM64 t2.nano: Arch: HVM64 t2.micro: Arch: HVM64 t2.small: Arch: HVM64 AWSInstanceType2NATArch: t1.micro: Arch: NATHVM64 t2.nano: Arch: NATHVM64 t2.micro: Arch: NATHVM64 t2.small: Arch: NATHVM64 AWSRegionArch2AMI: us-east-1: HVM64: ami-0ff8a91507f77f867 HVMG2: ami-0a584ac55a7631c0c us-west-2: HVM64: ami-a0cfeed8 HVMG2: ami-0e09505bc235aa82d us-west-1: HVM64: ami-0bdb828fd58c52235 HVMG2: ami-066ee5fd4a9ef77f1 eu-west-1: HVM64: ami-047bb4163c506cd98 HVMG2: ami-0a7c483d527806435 eu-west-2: HVM64: ami-f976839e HVMG2: NOT_SUPPORTED eu-west-3: HVM64: ami-0ebc281c20e89ba4b HVMG2: NOT_SUPPORTED eu-central-1: HVM64: ami-0233214e13e500f77 HVMG2: ami-06223d46a6d0661c7 ap-northeast-1: HVM64: ami-06cd52961ce9f0d85 HVMG2: ami-053cdd503598e4a9d ap-northeast-2: HVM64: ami-0a10b2721688ce9d2 HVMG2: NOT_SUPPORTED ap-southeast-1: HVM64: ami-08569b978cc4dfa10 HVMG2: ami-0be9df32ae9f92309 ap-southeast-2: HVM64: ami-09b42976632b27e9b HVMG2: ami-0a9ce9fecc3d1daf8 us-east-2: HVM64: ami-0b59bfac6be064b78 HVMG2: NOT_SUPPORTED Region2Principal: us-east-1: EC2Principal: ec2.amazonaws.com OpsWorksPrincipal: opsworks.amazonaws.com us-west-2: EC2Principal: ec2.amazonaws.com OpsWorksPrincipal: opsworks.amazonaws.com us-west-1: EC2Principal: ec2.amazonaws.com OpsWorksPrincipal: opsworks.amazonaws.com eu-west-1: EC2Principal: ec2.amazonaws.com OpsWorksPrincipal: opsworks.amazonaws.com eu-west-2: EC2Principal: ec2.amazonaws.com OpsWorksPrincipal: opsworks.amazonaws.com eu-west-3: EC2Principal: ec2.amazonaws.com OpsWorksPrincipal: opsworks.amazonaws.com ap-southeast-1: EC2Principal: ec2.amazonaws.com OpsWorksPrincipal: opsworks.amazonaws.com ap-northeast-1: EC2Principal: ec2.amazonaws.com OpsWorksPrincipal: opsworks.amazonaws.com ap-northeast-2: EC2Principal: ec2.amazonaws.com OpsWorksPrincipal: opsworks.amazonaws.com ap-northeast-3: EC2Principal: ec2.amazonaws.com OpsWorksPrincipal: opsworks.amazonaws.com ap-southeast-2: EC2Principal: ec2.amazonaws.com OpsWorksPrincipal: opsworks.amazonaws.com ap-south-1: EC2Principal: ec2.amazonaws.com OpsWorksPrincipal: opsworks.amazonaws.com us-east-2: EC2Principal: ec2.amazonaws.com OpsWorksPrincipal: opsworks.amazonaws.com ca-central-1: EC2Principal: ec2.amazonaws.com OpsWorksPrincipal: opsworks.amazonaws.com sa-east-1: EC2Principal: ec2.amazonaws.com OpsWorksPrincipal: opsworks.amazonaws.com cn-north-1: EC2Principal: ec2.amazonaws.com.cn OpsWorksPrincipal: opsworks.amazonaws.com.cn cn-northwest-1: EC2Principal: ec2.amazonaws.com.cn OpsWorksPrincipal: opsworks.amazonaws.com.cn eu-central-1: EC2Principal: ec2.amazonaws.com OpsWorksPrincipal: opsworks.amazonaws.com Region2ARNPrefix: us-east-1: ARNPrefix: 'arn:aws:' us-west-1: ARNPrefix: 'arn:aws:' us-west-2: ARNPrefix: 'arn:aws:' eu-west-1: ARNPrefix: 'arn:aws:' eu-west-2: ARNPrefix: 'arn:aws:' eu-west-3: ARNPrefix: 'arn:aws:' ap-northeast-1: ARNPrefix: 'arn:aws:' ap-northeast-2: ARNPrefix: 'arn:aws:' ap-northeast-3: ARNPrefix: 'arn:aws:' ap-southeast-1: ARNPrefix: 'arn:aws:' ap-southeast-2: ARNPrefix: 'arn:aws:' ap-south-1: ARNPrefix: 'arn:aws:' us-east-2: ARNPrefix: 'arn:aws:' ca-central-1: ARNPrefix: 'arn:aws:' sa-east-1: ARNPrefix: 'arn:aws:' cn-north-1: ARNPrefix: 'arn:aws-cn:' cn-northwest-1: ARNPrefix: 'arn:aws-cn:' eu-central-1: ARNPrefix: 'arn:aws:' Resources: LogRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: - !FindInMap - Region2Principal - !Ref 'AWS::Region' - EC2Principal Action: - sts:AssumeRole Path: / Policies: - PolicyName: LogRolePolicy PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents - logs:DescribeLogStreams Resource: - !Sub - ${Param1}logs:*:*:* - Param1: !FindInMap - Region2ARNPrefix - !Ref 'AWS::Region' - ARNPrefix LogRoleInstanceProfile: Type: AWS::IAM::InstanceProfile Properties: Path: / Roles: - !Ref 'LogRole' CloudFormationLogs: Type: AWS::Logs::LogGroup Properties: RetentionInDays: 1 WebServerInstance: Type: AWS::EC2::Instance Metadata: AWS::CloudFormation::Init: configSets: install_all: - install_cfn - install_app - install_logs install_cfn: files: /etc/cfn/cfn-hup.conf: content: !Sub | [main] stack=${AWS::StackId} region=${AWS::Region} mode: '000400' owner: root group: root /etc/cfn/hooks.d/cfn-auto-reloader.conf: content: !Sub | [cfn-auto-reloader-hook] triggers=post.update path=Resources.WebServerInstance.Metadata.AWS::CloudFormation::Init action=/opt/aws/bin/cfn-init -v --stack ${AWS::StackName} --resource WebServerInstance --configsets install_all --region ${AWS::Region} runas=root mode: '000400' owner: root group: root services: sysvinit: cfn-hup: enabled: 'true' ensureRunning: 'true' files: - /etc/cfn/cfn-hup.conf - /etc/cfn/hooks.d/cfn-auto-reloader.conf install_app: packages: yum: httpd: [] files: /var/www/html/index.html: content: !Sub - |- AWS CloudFormation Logo

Congratulations, you have successfully launched the AWS CloudFormation sample.

- Param1: !FindInMap - Region2Examples - !Ref 'AWS::Region' - Examples mode: '000644' owner: root group: root services: sysvinit: httpd: enabled: 'true' ensureRunning: 'true' install_logs: packages: yum: awslogs: [] files: /etc/awslogs/awslogs.conf: content: !Sub "[general]\nstate_file= /var/awslogs/state/agent-state\n\ [/var/log/cloud-init.log]\nfile = /var/log/cloud-init.log\nlog_group_name\ \ = ${CloudFormationLogs}\nlog_stream_name = {instance_id}/cloud-init.log\n\ datetime_format = \n[/var/log/cloud-init-output.log]\nfile = /var/log/cloud-init-output.log\n\ log_group_name = ${CloudFormationLogs}\nlog_stream_name = {instance_id}/cloud-init-output.log\n\ datetime_format = \n[/var/log/cfn-init.log]\nfile = /var/log/cfn-init.log\n\ log_group_name = ${CloudFormationLogs}\nlog_stream_name = {instance_id}/cfn-init.log\n\ datetime_format = \n[/var/log/cfn-hup.log]\nfile = /var/log/cfn-hup.log\n\ log_group_name = ${CloudFormationLogs}\nlog_stream_name = {instance_id}/cfn-hup.log\n\ datetime_format = \n[/var/log/cfn-wire.log]\nfile = /var/log/cfn-wire.log\n\ log_group_name = ${CloudFormationLogs}\nlog_stream_name = {instance_id}/cfn-wire.log\n\ datetime_format = \n[/var/log/httpd]\nfile = /var/log/httpd/*\nlog_group_name\ \ = ${CloudFormationLogs}\nlog_stream_name = {instance_id}/httpd\n\ datetime_format = %d/%b/%Y:%H:%M:%S\n" mode: '000444' owner: root group: root /etc/awslogs/awscli.conf: content: !Sub | [plugins] cwlogs = cwlogs [default] region = ${AWS::Region} mode: '000444' owner: root group: root commands: 01_create_state_directory: command: mkdir -p /var/awslogs/state services: sysvinit: awslogs: enabled: 'true' ensureRunning: 'true' files: - /etc/awslogs/awslogs.conf Properties: SecurityGroups: - !Ref 'InstanceSecurityGroup' KeyName: !Ref 'KeyName' InstanceType: !Ref 'InstanceType' IamInstanceProfile: !Ref 'LogRoleInstanceProfile' ImageId: !FindInMap - AWSRegionArch2AMI - !Ref 'AWS::Region' - !FindInMap - AWSInstanceType2Arch - !Ref 'InstanceType' - Arch UserData: !Base64 Fn::Sub: | #!/bin/bash -xe yum update -y aws-cfn-bootstrap /opt/aws/bin/cfn-init -v --stack ${AWS::StackName} --resource WebServerInstance --configsets install_all --region ${AWS::Region} /opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource WebServerInstance --region ${AWS::Region} CreationPolicy: ResourceSignal: Timeout: PT15M InstanceSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Enable SSH access and HTTP access on the inbound port SecurityGroupIngress: - IpProtocol: tcp FromPort: '22' ToPort: '22' CidrIp: !Ref 'SSHLocation' - IpProtocol: tcp FromPort: '80' ToPort: '80' CidrIp: 0.0.0.0/0 IDE: Type: AWS::Cloud9::EnvironmentEC2 Properties: Repositories: - RepositoryUrl: https://github.com/aws-samples/aws-iot-device-defender-workshop PathComponent: workshop Description: Cloud9 IDE AutomaticStopTimeMinutes: Ref: AutoHibernateTimeout SubnetId: Ref: SubnetIdentifier InstanceType: Ref: InstanceType Name: Ref: AWS::StackName IoTSNSRole: Type: AWS::IAM::Role Properties: RoleName: DeviceDefenderWorkshopNotification ManagedPolicyArns: - arn:aws:iam::aws:policy/service-role/AWSIoTThingsRegistration - arn:aws:iam::aws:policy/service-role/AWSIoTRuleActions - arn:aws:iam::aws:policy/service-role/AWSIoTLogging AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: "Allow" Principal: Service: - "iot.amazonaws.com" Action: - "sts:AssumeRole" SNSTopic: Type: AWS::SNS::Topic Properties: DisplayName: DvcDefendr TopicName: DeviceDefenderNotifications LambdaRole: Type: AWS::IAM::Role Properties: RoleName: DeviceDefenderBuilderLambda ManagedPolicyArns: - arn:aws:iam::aws:policy/AWSIoTFullAccess - arn:aws:iam::aws:policy/CloudWatchLogsFullAccess AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: "Allow" Principal: Service: - "lambda.amazonaws.com" Action: - "sts:AssumeRole" Outputs: URL: Description: URL of the target website Value: !Sub 'http://${WebServerInstance.PublicDnsName}/' Cloud9EnvironmentName: Value: !GetAtt IDE.Name