Parameters: validityInDays: Type: Number Description: Validity in days for new PAA vendorId: Type: String Description: The vendorId associated with this PAA paaCommonName: Type: String Description: The Common Name for this PAA paaOrganization: Type: String Description: The Organization associated with this PAA paaOU: Type: String Description: The Organizational Unit associated with this PAA Resources: CAPAA: Type: AWS::ACMPCA::CertificateAuthority Properties: KeyAlgorithm: EC_prime256v1 SigningAlgorithm: SHA256WITHECDSA Subject: CustomAttributes: - ObjectIdentifier: 2.5.4.3 Value: Ref: paaCommonName - ObjectIdentifier: 1.3.6.1.4.1.37244.2.1 Value: Ref: vendorId - ObjectIdentifier: 2.5.4.10 Value: Ref: paaOrganization - ObjectIdentifier: 2.5.4.11 Value: Ref: paaOU Type: ROOT KeyStorageSecurityStandard: FIPS_140_2_LEVEL_3_OR_HIGHER Tags: - Key: matterCAType Value: paa - Key: matterPKITag Value: "" UpdateReplacePolicy: Retain DeletionPolicy: Retain Metadata: aws:cdk:path: MatterStackPAA/CA-PAA CertPAA: Type: AWS::ACMPCA::Certificate Properties: CertificateAuthorityArn: Fn::GetAtt: - CAPAA - Arn CertificateSigningRequest: Fn::GetAtt: - CAPAA - CertificateSigningRequest SigningAlgorithm: SHA256WITHECDSA Validity: Type: DAYS Value: Ref: validityInDays TemplateArn: arn:aws:acm-pca:::template/RootCACertificate_APIPassthrough/V1 Metadata: aws:cdk:path: MatterStackPAA/Cert-PAA CertActivationPAA: Type: AWS::ACMPCA::CertificateAuthorityActivation Properties: Certificate: Fn::GetAtt: - CertPAA - Certificate CertificateAuthorityArn: Fn::GetAtt: - CAPAA - Arn Status: ACTIVE Metadata: aws:cdk:path: MatterStackPAA/CertActivation-PAA MatterManagePAARole206A10AF: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Effect: Allow Principal: AWS: Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - ":iam::" - Ref: AWS::AccountId - :root Version: "2012-10-17" Path: /MatterPKI/ RoleName: MatterManagePAARole Tags: - Key: matterPKITag Value: "" Metadata: aws:cdk:path: MatterStackPAA/MatterManagePAARole/Resource MatterPAAD2AC60DA: Type: AWS::IAM::Policy Properties: PolicyDocument: Statement: - Action: - acm-pca:DescribeCertificateAuthority - acm-pca:GetCertificate - acm-pca:GetCertificateAuthorityCertificate - acm-pca:UpdateCertificateAuthority Effect: Allow Resource: Fn::GetAtt: - CAPAA - Arn - Action: acm-pca:ListCertificateAuthorities Effect: Allow Resource: "*" Version: "2012-10-17" PolicyName: MatterPAAD2AC60DA Roles: - Ref: MatterManagePAARole206A10AF Metadata: aws:cdk:path: MatterStackPAA/MatterPAA/Resource MatterIssuePAIRole9F2B04D3: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Effect: Allow Principal: AWS: Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - ":iam::" - Ref: AWS::AccountId - :root Version: "2012-10-17" Path: /MatterPKI/ RoleName: MatterIssuePAIRole Tags: - Key: matterPKITag Value: "" Metadata: aws:cdk:path: MatterStackPAA/MatterIssuePAIRole/Resource IssuePAICertEBF36D03: Type: AWS::IAM::Policy Properties: PolicyDocument: Statement: - Action: acm-pca:IssueCertificate Condition: StringLike: acm-pca:TemplateArn: arn:aws:acm-pca:::template/BlankSubordinateCACertificate_PathLen0_APIPassthrough/V* Effect: Allow Resource: Fn::GetAtt: - CAPAA - Arn - Action: acm-pca:IssueCertificate Condition: StringNotLike: acm-pca:TemplateArn: arn:aws:acm-pca:::template/BlankSubordinateCACertificate_PathLen0_APIPassthrough/V* Effect: Deny Resource: Fn::GetAtt: - CAPAA - Arn - Action: - acm-pca:DeleteCertificateAuthority - acm-pca:DescribeCertificateAuthority - acm-pca:GetCertificateAuthorityCertificate - acm-pca:GetCertificateAuthorityCsr - acm-pca:ImportCertificateAuthorityCertificate - acm-pca:UpdateCertificateAuthority Condition: StringEquals: aws:ResourceTag/matterCAType: pai Effect: Allow Resource: "*" - Action: - acm-pca:DescribeCertificateAuthority - acm-pca:GetCertificate - acm-pca:GetCertificateAuthorityCertificate - acm-pca:RevokeCertificate Effect: Allow Resource: Fn::GetAtt: - CAPAA - Arn - Action: - acm-pca:CreateCertificateAuthority - acm-pca:ListCertificateAuthorities - acm-pca:TagCertificateAuthority Effect: Allow Resource: "*" Version: "2012-10-17" PolicyName: IssuePAICertEBF36D03 Roles: - Ref: MatterIssuePAIRole9F2B04D3 Metadata: aws:cdk:path: MatterStackPAA/IssuePAICert/Resource MatterAuditorRole03712E04: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Effect: Allow Principal: AWS: Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - ":iam::" - Ref: AWS::AccountId - :root Version: "2012-10-17" Path: /MatterPKI/ RoleName: MatterAuditorRole Tags: - Key: matterPKITag Value: "" Metadata: aws:cdk:path: MatterStackPAA/MatterAuditorRole/Resource MatterAuditorRoleDefaultPolicy27A0C339: Type: AWS::IAM::Policy Properties: PolicyDocument: Statement: - Action: - logs:Describe* - logs:FilterLogEvents - logs:Get* - logs:List* - logs:StartQuery - logs:StopQuery - logs:TestMetricFilter Effect: Allow Resource: Fn::GetAtt: - MatterAudit3BAC79D2 - Arn Version: "2012-10-17" PolicyName: MatterAuditorRoleDefaultPolicy27A0C339 Roles: - Ref: MatterAuditorRole03712E04 Metadata: aws:cdk:path: MatterStackPAA/MatterAuditorRole/DefaultPolicy/Resource MatterAuditorD8BE1FAA: Type: AWS::IAM::Policy Properties: PolicyDocument: Statement: - Action: - acm-pca:CreateCertificateAuthorityAuditReport - acm-pca:DescribeCertificateAuthority - acm-pca:DescribeCertificateAuthorityAuditReport - acm-pca:GetCertificate - acm-pca:GetCertificateAuthorityCertificate - acm-pca:GetCertificateAuthorityCsr - acm-pca:GetPolicy - acm-pca:ListPermissions - acm-pca:ListTags Effect: Allow Resource: Fn::GetAtt: - CAPAA - Arn - Action: - acm-pca:CreateCertificateAuthorityAuditReport - acm-pca:DescribeCertificateAuthority - acm-pca:DescribeCertificateAuthorityAuditReport - acm-pca:GetCertificate - acm-pca:GetCertificateAuthorityCertificate - acm-pca:GetCertificateAuthorityCsr - acm-pca:GetPolicy - acm-pca:ListPermissions - acm-pca:ListTags Condition: StringEquals: aws:ResourceTag/matterCAType: pai Effect: Allow Resource: "*" Version: "2012-10-17" PolicyName: MatterAuditorD8BE1FAA Roles: - Ref: MatterAuditorRole03712E04 Metadata: aws:cdk:path: MatterStackPAA/MatterAuditor/Resource S3BackupRole5A829B6E: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Effect: Allow Principal: Service: backup.amazonaws.com Version: "2012-10-17" ManagedPolicyArns: - Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - :iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup - Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - :iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores - Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - :iam::aws:policy/AWSBackupServiceRolePolicyForS3Backup - Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - :iam::aws:policy/AWSBackupServiceRolePolicyForS3Restore Path: /MatterPKI/ RoleName: S3BackupRole Metadata: aws:cdk:path: MatterStackPAA/S3BackupRole/Resource MatterIssueDACRoleD87F8C18: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Effect: Allow Principal: AWS: Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - ":iam::" - Ref: AWS::AccountId - :root Version: "2012-10-17" Path: /MatterPKI/ RoleName: MatterIssueDACRole Tags: - Key: matterPKITag Value: "" Metadata: aws:cdk:path: MatterStackPAA/MatterIssueDACRole/Resource IssueDACCertC12F3700: Type: AWS::IAM::Policy Properties: PolicyDocument: Statement: - Action: acm-pca:IssueCertificate Condition: StringLike: acm-pca:TemplateArn: arn:aws:acm-pca:::template/BlankEndEntityCertificate_CriticalBasicConstraints_APIPassthrough/V* StringEquals: aws:ResourceTag/matterCAType: pai Effect: Allow Resource: "*" - Action: acm-pca:IssueCertificate Condition: StringNotLike: acm-pca:TemplateArn: arn:aws:acm-pca:::template/BlankEndEntityCertificate_CriticalBasicConstraints_APIPassthrough/V* StringEquals: aws:ResourceTag/matterCAType: pai Effect: Deny Resource: "*" - Action: - acm-pca:DescribeCertificateAuthority - acm-pca:GetCertificate - acm-pca:GetCertificateAuthorityCertificate - acm-pca:RevokeCertificate Condition: StringEquals: aws:ResourceTag/matterCAType: pai Effect: Allow Resource: "*" - Action: acm-pca:ListCertificateAuthorities Effect: Allow Resource: "*" Version: "2012-10-17" PolicyName: IssueDACCertC12F3700 Roles: - Ref: MatterIssueDACRoleD87F8C18 Metadata: aws:cdk:path: MatterStackPAA/IssueDACCert/Resource MatterAuditLoggingBackupPlanE7841230: Type: AWS::Backup::BackupPlan Properties: BackupPlan: BackupPlanName: MatterAuditLoggingBackupPlan BackupPlanRule: - Lifecycle: DeleteAfterDays: 32 RuleName: RuleForMonthlyBackups ScheduleExpression: cron(0 0 1 * ? *) TargetBackupVault: Fn::GetAtt: - MatterAuditLoggingBackupVault52FF6D37 - BackupVaultName Metadata: aws:cdk:path: MatterStackPAA/MatterAuditLoggingBackupPlan/Resource MatterAuditLoggingBackupPlanS3BackupSelection72BC7F41: Type: AWS::Backup::BackupSelection Properties: BackupPlanId: Fn::GetAtt: - MatterAuditLoggingBackupPlanE7841230 - BackupPlanId BackupSelection: IamRoleArn: Fn::GetAtt: - S3BackupRole5A829B6E - Arn Resources: - Fn::GetAtt: - matterpkiauditlogsB56DAB62 - Arn SelectionName: S3BackupSelection Metadata: aws:cdk:path: MatterStackPAA/MatterAuditLoggingBackupPlan/S3BackupSelection/Resource MatterAuditLoggingBackupVault52FF6D37: Type: AWS::Backup::BackupVault Properties: BackupVaultName: MatterAuditLoggingBackupVault UpdateReplacePolicy: Retain DeletionPolicy: Retain Metadata: aws:cdk:path: MatterStackPAA/MatterAuditLoggingBackupVault/Resource MatterPKIAuditLogsKMSKey8EB68491: Type: AWS::KMS::Key Properties: KeyPolicy: Statement: - Action: kms:* Effect: Allow Principal: AWS: Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - ":iam::" - Ref: AWS::AccountId - :root Resource: "*" - Action: - kms:Encrypt - kms:GenerateDataKey* - kms:ReEncrypt* Effect: Allow Principal: Service: cloudtrail.amazonaws.com Resource: "*" - Action: - kms:Decrypt - kms:DescribeKey Effect: Allow Principal: AWS: Fn::GetAtt: - MatterAuditorRole03712E04 - Arn Resource: "*" Version: "2012-10-17" EnableKeyRotation: true UpdateReplacePolicy: Retain DeletionPolicy: Retain Metadata: aws:cdk:path: MatterStackPAA/MatterPKIAuditLogsKMSKey/Resource matterpkiauditlogsB56DAB62: Type: AWS::S3::Bucket Properties: BucketEncryption: ServerSideEncryptionConfiguration: - ServerSideEncryptionByDefault: KMSMasterKeyID: Fn::GetAtt: - MatterPKIAuditLogsKMSKey8EB68491 - Arn SSEAlgorithm: aws:kms LifecycleConfiguration: Rules: - ExpirationInDays: 1827 Id: MatterAuditLogsArchivingToGlacier Status: Enabled Transitions: - StorageClass: GLACIER TransitionInDays: 60 ObjectLockConfiguration: ObjectLockEnabled: Enabled Rule: DefaultRetention: Mode: GOVERNANCE Days: 1827 ObjectLockEnabled: true PublicAccessBlockConfiguration: BlockPublicAcls: true BlockPublicPolicy: true IgnorePublicAcls: true RestrictPublicBuckets: true VersioningConfiguration: Status: Enabled UpdateReplacePolicy: Retain DeletionPolicy: Retain Metadata: aws:cdk:path: MatterStackPAA/matter-pki-audit-logs/Resource matterpkiauditlogsPolicyB878ED00: Type: AWS::S3::BucketPolicy Properties: Bucket: Ref: matterpkiauditlogsB56DAB62 PolicyDocument: Statement: - Action: s3:* Condition: Bool: aws:SecureTransport: "false" Effect: Deny Principal: AWS: "*" Resource: - Fn::GetAtt: - matterpkiauditlogsB56DAB62 - Arn - Fn::Join: - "" - - Fn::GetAtt: - matterpkiauditlogsB56DAB62 - Arn - /* - Action: - s3:GetBucket* - s3:GetObject* - s3:List* Effect: Allow Principal: AWS: Fn::GetAtt: - MatterAuditorRole03712E04 - Arn Resource: - Fn::GetAtt: - matterpkiauditlogsB56DAB62 - Arn - Fn::Join: - "" - - Fn::GetAtt: - matterpkiauditlogsB56DAB62 - Arn - /* - Action: s3:GetBucketAcl Effect: Allow Principal: Service: cloudtrail.amazonaws.com Resource: Fn::GetAtt: - matterpkiauditlogsB56DAB62 - Arn - Action: s3:PutObject Condition: StringEquals: s3:x-amz-acl: bucket-owner-full-control Effect: Allow Principal: Service: cloudtrail.amazonaws.com Resource: Fn::Join: - "" - - Fn::GetAtt: - matterpkiauditlogsB56DAB62 - Arn - /AWSLogs/ - Ref: AWS::AccountId - /* Version: "2012-10-17" Metadata: aws:cdk:path: MatterStackPAA/matter-pki-audit-logs/Policy/Resource MatterAudit3BAC79D2: Type: AWS::Logs::LogGroup Properties: LogGroupName: MatterAudit RetentionInDays: 60 UpdateReplacePolicy: Retain DeletionPolicy: Retain Metadata: aws:cdk:path: MatterStackPAA/MatterAudit/Resource AllPCAEventsFilterE7C3AA2E: Type: AWS::Logs::MetricFilter Properties: FilterPattern: '{ ($.eventSource = "acm-pca.amazonaws.com") }' LogGroupName: Ref: MatterAudit3BAC79D2 MetricTransformations: - MetricName: AllPCAEventsFilter MetricNamespace: CloudTrail MetricValue: "1" Metadata: aws:cdk:path: MatterStackPAA/AllPCAEventsFilter/Resource MatterAuditLoggingBucketFilterE3E26940: Type: AWS::Logs::MetricFilter Properties: FilterPattern: Fn::Join: - "" - - '{ ($.eventSource= "s3.amazonaws.com") && ($.requestParameters.bucketName = "' - Ref: matterpkiauditlogsB56DAB62 - '*") }' LogGroupName: Ref: MatterAudit3BAC79D2 MetricTransformations: - MetricName: MatterAuditLoggingBucketFilter MetricNamespace: CloudTrail MetricValue: "1" Metadata: aws:cdk:path: MatterStackPAA/MatterAuditLoggingBucketFilter/Resource MatterTaggedFilterE39C37A6: Type: AWS::Logs::MetricFilter Properties: FilterPattern: matterPKITag LogGroupName: Ref: MatterAudit3BAC79D2 MetricTransformations: - MetricName: MatterTaggedFilter MetricNamespace: CloudTrail MetricValue: "1" Metadata: aws:cdk:path: MatterStackPAA/MatterTaggedFilter/Resource MatterPAARoleFilter44C49326: Type: AWS::Logs::MetricFilter Properties: FilterPattern: Fn::Join: - "" - - "iam.amazonaws.com " - Ref: MatterManagePAARole206A10AF LogGroupName: Ref: MatterAudit3BAC79D2 MetricTransformations: - MetricName: MatterPAARoleFilter MetricNamespace: CloudTrail MetricValue: "1" Metadata: aws:cdk:path: MatterStackPAA/MatterPAARoleFilter/Resource MatterPAIRoleFilter61075128: Type: AWS::Logs::MetricFilter Properties: FilterPattern: Fn::Join: - "" - - "iam.amazonaws.com " - Ref: MatterIssuePAIRole9F2B04D3 LogGroupName: Ref: MatterAudit3BAC79D2 MetricTransformations: - MetricName: MatterPAIRoleFilter MetricNamespace: CloudTrail MetricValue: "1" Metadata: aws:cdk:path: MatterStackPAA/MatterPAIRoleFilter/Resource MatterAuditorRoleFilter23F9E901: Type: AWS::Logs::MetricFilter Properties: FilterPattern: Fn::Join: - "" - - "iam.amazonaws.com " - Ref: MatterAuditorRole03712E04 LogGroupName: Ref: MatterAudit3BAC79D2 MetricTransformations: - MetricName: MatterAuditorRoleFilter MetricNamespace: CloudTrail MetricValue: "1" Metadata: aws:cdk:path: MatterStackPAA/MatterAuditorRoleFilter/Resource MatterAuditLoggingBackupRoleFilter082062E4: Type: AWS::Logs::MetricFilter Properties: FilterPattern: Fn::Join: - "" - - "iam.amazonaws.com " - Ref: S3BackupRole5A829B6E LogGroupName: Ref: MatterAudit3BAC79D2 MetricTransformations: - MetricName: MatterAuditLoggingBackupRoleFilter MetricNamespace: CloudTrail MetricValue: "1" Metadata: aws:cdk:path: MatterStackPAA/MatterAuditLoggingBackupRoleFilter/Resource MatterAuditLoggingBackupPlanFilter4DD6905B: Type: AWS::Logs::MetricFilter Properties: FilterPattern: Fn::Join: - "" - - "backup.amazonaws.com " - Fn::GetAtt: - MatterAuditLoggingBackupPlanE7841230 - BackupPlanId LogGroupName: Ref: MatterAudit3BAC79D2 MetricTransformations: - MetricName: MatterAuditLoggingBackupPlanFilter MetricNamespace: CloudTrail MetricValue: "1" Metadata: aws:cdk:path: MatterStackPAA/MatterAuditLoggingBackupPlanFilter/Resource MatterAuditTrailLogsRoleA5220186: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Effect: Allow Principal: Service: cloudtrail.amazonaws.com Version: "2012-10-17" Metadata: aws:cdk:path: MatterStackPAA/MatterAuditTrail/LogsRole/Resource MatterAuditTrailLogsRoleDefaultPolicy5D8B82A7: Type: AWS::IAM::Policy Properties: PolicyDocument: Statement: - Action: - logs:CreateLogStream - logs:PutLogEvents Effect: Allow Resource: Fn::GetAtt: - MatterAudit3BAC79D2 - Arn Version: "2012-10-17" PolicyName: MatterAuditTrailLogsRoleDefaultPolicy5D8B82A7 Roles: - Ref: MatterAuditTrailLogsRoleA5220186 Metadata: aws:cdk:path: MatterStackPAA/MatterAuditTrail/LogsRole/DefaultPolicy/Resource MatterAuditTrail535B0DA6: Type: AWS::CloudTrail::Trail Properties: IsLogging: true S3BucketName: Ref: matterpkiauditlogsB56DAB62 CloudWatchLogsLogGroupArn: Fn::GetAtt: - MatterAudit3BAC79D2 - Arn CloudWatchLogsRoleArn: Fn::GetAtt: - MatterAuditTrailLogsRoleA5220186 - Arn EnableLogFileValidation: true EventSelectors: - DataResources: - Type: AWS::S3::Object Values: - Fn::Join: - "" - - Fn::GetAtt: - matterpkiauditlogsB56DAB62 - Arn - / IncludeGlobalServiceEvents: true IsMultiRegionTrail: true KMSKeyId: Fn::GetAtt: - MatterPKIAuditLogsKMSKey8EB68491 - Arn DependsOn: - matterpkiauditlogsPolicyB878ED00 - MatterAuditTrailLogsRoleDefaultPolicy5D8B82A7 - MatterAuditTrailLogsRoleA5220186 Metadata: aws:cdk:path: MatterStackPAA/MatterAuditTrail/Resource CDKMetadata: Type: AWS::CDK::Metadata Properties: Analytics: v2:deflate64:H4sIAAAAAAAA/3VQy07DMBD8lt6dBVqBxLFEKgdARCniilzHLds4duSsi5Dlf8cPiYQDp5nZGe2uZg13G1iv+NdUia6vFB7A74mLntVH3XDLB0nSsuh/eC6GUXDw0amlJTyi4CS3jj6NRfpmf+fsn9hWEF44odGBIR/At0blcMbGKBR5VWGBHeIzbgT/kLFRXCd3oQrdSyVF2jq786jod+4UzXaWgfXDBP5J5psRAps28ZgTvSzZwgrM3y11YMqc4pJnc3q0xo3J/+UvkiyKHapUYzSWOjChjOvIclTg3xKkSCYhJPrqaHTEWjkZZ0WpacFrozssVWrTSThPV5ebe7iF69V5Qqys04SDhLbgDzMntgbtAQAA Metadata: aws:cdk:path: MatterStackPAA/CDKMetadata/Default Condition: CDKMetadataAvailable Outputs: PAACertArn: Description: The ARN of the PAA certificate Value: Fn::GetAtt: - CertPAA - Arn PAACertLink: Description: The link to the PAA certificate in the AWS Private CA console Value: Fn::Join: - "" - - https://console.aws.amazon.com/acm-pca/home?region= - Ref: AWS::Region - "#/details?arn=" - Fn::GetAtt: - CAPAA - Arn - "&tab=certificate" PAA: Description: The ARN of the PAA Value: Fn::Join: - "" - - VID= - Ref: vendorId - " CN=" - Ref: paaCommonName - " " - Fn::GetAtt: - CAPAA - Arn LogGroupName: Description: The name of the CloudWatch LogGroup Value: Ref: MatterAudit3BAC79D2 CloudTrailArn: Description: The ARN of the CloudTrail Value: Fn::GetAtt: - MatterAuditTrail535B0DA6 - Arn Conditions: CDKMetadataAvailable: Fn::Or: - Fn::Or: - Fn::Equals: - Ref: AWS::Region - af-south-1 - Fn::Equals: - Ref: AWS::Region - ap-east-1 - Fn::Equals: - Ref: AWS::Region - ap-northeast-1 - Fn::Equals: - Ref: AWS::Region - ap-northeast-2 - Fn::Equals: - Ref: AWS::Region - ap-south-1 - Fn::Equals: - Ref: AWS::Region - ap-southeast-1 - Fn::Equals: - Ref: AWS::Region - ap-southeast-2 - Fn::Equals: - Ref: AWS::Region - ca-central-1 - Fn::Equals: - Ref: AWS::Region - cn-north-1 - Fn::Equals: - Ref: AWS::Region - cn-northwest-1 - Fn::Or: - Fn::Equals: - Ref: AWS::Region - eu-central-1 - Fn::Equals: - Ref: AWS::Region - eu-north-1 - Fn::Equals: - Ref: AWS::Region - eu-south-1 - Fn::Equals: - Ref: AWS::Region - eu-west-1 - Fn::Equals: - Ref: AWS::Region - eu-west-2 - Fn::Equals: - Ref: AWS::Region - eu-west-3 - Fn::Equals: - Ref: AWS::Region - me-south-1 - Fn::Equals: - Ref: AWS::Region - sa-east-1 - Fn::Equals: - Ref: AWS::Region - us-east-1 - Fn::Equals: - Ref: AWS::Region - us-east-2 - Fn::Or: - Fn::Equals: - Ref: AWS::Region - us-west-1 - Fn::Equals: - Ref: AWS::Region - us-west-2