Parameters:
  productId:
    Type: String
    Description: The product ID associated with this PAI
  vendorId:
    Type: String
    Description: The vendorId associated with this PAI
  validityInDays:
    Type: Number
    Description: Validity in days for this PAI
  dacValidityInDays:
    Type: Number
    Description: Validity in days for DACs issued by the Lambda.
  paaArn:
    Type: String
    Description: The ARN of the PAA that is used to sign the PAI certificate
  paiCommonName:
    Type: String
    Description: The Common Name for this PAI
  paiOrganization:
    Type: String
    Description: The Organization associated with this PAI
  paiOU:
    Type: String
    Description: The Organizational Unit associated with this PAI
Resources:
  PaaPemMatterStackPAI9E94FD8B:
    Type: Custom::AWS
    Properties:
      ServiceToken:
        Fn::GetAtt:
          - AWS679f53fac002430cb0da5b7982bd22872D164C4C
          - Arn
      Create:
        Fn::Join:
          - ""
          - - '{"service":"ACMPCA","action":"getCertificateAuthorityCertificate","parameters":{"CertificateAuthorityArn":"'
            - Ref: paaArn
            - '"},"region":"'
            - Fn::Select:
                - 3
                - Fn::Split:
                    - ":"
                    - Ref: paaArn
            - '","physicalResourceId":{"id":"1677602540631"}}'
      Update:
        Fn::Join:
          - ""
          - - '{"service":"ACMPCA","action":"getCertificateAuthorityCertificate","parameters":{"CertificateAuthorityArn":"'
            - Ref: paaArn
            - '"},"region":"'
            - Fn::Select:
                - 3
                - Fn::Split:
                    - ":"
                    - Ref: paaArn
            - '","physicalResourceId":{"id":"1677602540631"}}'
      InstallLatestAwsSdk: false
    DependsOn:
      - PaaPemMatterStackPAICustomResourcePolicy93FEF6DD
    UpdateReplacePolicy: Delete
    DeletionPolicy: Delete
    Metadata:
      aws:cdk:path: MatterStackPAI/PaaPemMatterStackPAI/Resource/Default
  PaaPemMatterStackPAICustomResourcePolicy93FEF6DD:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action: acm-pca:GetCertificateAuthorityCertificate
            Effect: Allow
            Resource:
              Ref: paaArn
        Version: "2012-10-17"
      PolicyName: PaaPemMatterStackPAICustomResourcePolicy93FEF6DD
      Roles:
        - Ref: AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2
    Metadata:
      aws:cdk:path: MatterStackPAI/PaaPemMatterStackPAI/CustomResourcePolicy/Resource
  AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
        Version: "2012-10-17"
      ManagedPolicyArns:
        - Fn::Join:
            - ""
            - - "arn:"
              - Ref: AWS::Partition
              - :iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
    Metadata:
      aws:cdk:path: MatterStackPAI/AWS679f53fac002430cb0da5b7982bd2287/ServiceRole/Resource
  AWS679f53fac002430cb0da5b7982bd22872D164C4C:
    Type: AWS::Lambda::Function
    Properties:
      Code:
        S3Bucket:
          Fn::Sub: ${AWS::AccountId}-matter-cfn-deployment-assets
        S3Key: PcaAwsCall.zip
      Role:
        Fn::GetAtt:
          - AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2
          - Arn
      Handler: index.handler
      Runtime: nodejs14.x
      Timeout: 120
    DependsOn:
      - AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2
    Metadata:
      aws:cdk:path: MatterStackPAI/AWS679f53fac002430cb0da5b7982bd2287/Resource
  CAPAI0:
    Type: AWS::ACMPCA::CertificateAuthority
    Properties:
      KeyAlgorithm: EC_prime256v1
      SigningAlgorithm: SHA256WITHECDSA
      Subject:
        CustomAttributes:
          - ObjectIdentifier: 2.5.4.3
            Value:
              Ref: paiCommonName
          - ObjectIdentifier: 1.3.6.1.4.1.37244.2.1
            Value:
              Ref: vendorId
          - ObjectIdentifier: 1.3.6.1.4.1.37244.2.2
            Value:
              Ref: productId
          - ObjectIdentifier: 2.5.4.10
            Value:
              Ref: paiOrganization
          - ObjectIdentifier: 2.5.4.11
            Value:
              Ref: paiOU
      Type: SUBORDINATE
      KeyStorageSecurityStandard: FIPS_140_2_LEVEL_3_OR_HIGHER
      Tags:
        - Key: matterCAType
          Value: pai
        - Key: matterPKITag
          Value: ""
    UpdateReplacePolicy: Retain
    DeletionPolicy: Retain
    Metadata:
      aws:cdk:path: MatterStackPAI/CA-PAI-0
  MatterStackPAIPAICSR017E82ECC:
    Type: AWS::SSM::Parameter
    Properties:
      Type: String
      Value:
        Fn::Join:
          - \n
          - Fn::Split:
              - "\n"
              - Fn::GetAtt:
                  - CAPAI0
                  - CertificateSigningRequest
      Name: /MatterStackPAI/PAI-CSR0
    Metadata:
      aws:cdk:path: MatterStackPAI/MatterStackPAI-PAI-CSR-0/Resource
  CertificatePAI03F296F37:
    Type: Custom::AWS
    Properties:
      ServiceToken:
        Fn::GetAtt:
          - AWS679f53fac002430cb0da5b7982bd22872D164C4C
          - Arn
      Create:
        Fn::Join:
          - ""
          - - '{"service":"ACMPCA","action":"issueCertificate","parameters":{"CertificateAuthorityArn":"'
            - Ref: paaArn
            - '","Csr":"'
            - Fn::GetAtt:
                - MatterStackPAIPAICSR017E82ECC
                - Value
            - '","SigningAlgorithm":"SHA256WITHECDSA","Validity":{"Type":"DAYS","Value":'
            - Ref: validityInDays
            - '},"TemplateArn":"arn:aws:acm-pca:::template/BlankSubordinateCACertificate_PathLen0_APIPassthrough/V1","ApiPassthrough":{"Extensions":{"CustomExtensions":[{"ObjectIdentifier":"2.5.29.15","Value":"AwIBBg==","Critical":true}]}}},"region":"'
            - Fn::Select:
                - 3
                - Fn::Split:
                    - ":"
                    - Ref: paaArn
            - '","physicalResourceId":{"id":"1677602540653"}}'
      Update:
        Fn::Join:
          - ""
          - - '{"service":"ACMPCA","action":"issueCertificate","parameters":{"CertificateAuthorityArn":"'
            - Ref: paaArn
            - '","Csr":"'
            - Fn::GetAtt:
                - MatterStackPAIPAICSR017E82ECC
                - Value
            - '","SigningAlgorithm":"SHA256WITHECDSA","Validity":{"Type":"DAYS","Value":'
            - Ref: validityInDays
            - '},"TemplateArn":"arn:aws:acm-pca:::template/BlankSubordinateCACertificate_PathLen0_APIPassthrough/V1","ApiPassthrough":{"Extensions":{"CustomExtensions":[{"ObjectIdentifier":"2.5.29.15","Value":"AwIBBg==","Critical":true}]}}},"region":"'
            - Fn::Select:
                - 3
                - Fn::Split:
                    - ":"
                    - Ref: paaArn
            - '","physicalResourceId":{"id":"1677602540653"}}'
      InstallLatestAwsSdk: true
    DependsOn:
      - CertificatePAI0CustomResourcePolicy48E777E4
    UpdateReplacePolicy: Delete
    DeletionPolicy: Delete
    Metadata:
      aws:cdk:path: MatterStackPAI/Certificate-PAI-0/Resource/Default
  CertificatePAI0CustomResourcePolicy48E777E4:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action: acm-pca:IssueCertificate
            Effect: Allow
            Resource:
              Ref: paaArn
        Version: "2012-10-17"
      PolicyName: CertificatePAI0CustomResourcePolicy48E777E4
      Roles:
        - Ref: AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2
    Metadata:
      aws:cdk:path: MatterStackPAI/Certificate-PAI-0/CustomResourcePolicy/Resource
  CertificatePemPAI0AC317715:
    Type: Custom::AWS
    Properties:
      ServiceToken:
        Fn::GetAtt:
          - AWS679f53fac002430cb0da5b7982bd22872D164C4C
          - Arn
      Create:
        Fn::Join:
          - ""
          - - '{"service":"ACMPCA","action":"getCertificate","parameters":{"CertificateArn":"'
            - Fn::GetAtt:
                - CertificatePAI03F296F37
                - CertificateArn
            - '","CertificateAuthorityArn":"'
            - Ref: paaArn
            - '"},"region":"'
            - Fn::Select:
                - 3
                - Fn::Split:
                    - ":"
                    - Ref: paaArn
            - '","physicalResourceId":{"id":"1677602540654"}}'
      Update:
        Fn::Join:
          - ""
          - - '{"service":"ACMPCA","action":"getCertificate","parameters":{"CertificateArn":"'
            - Fn::GetAtt:
                - CertificatePAI03F296F37
                - CertificateArn
            - '","CertificateAuthorityArn":"'
            - Ref: paaArn
            - '"},"region":"'
            - Fn::Select:
                - 3
                - Fn::Split:
                    - ":"
                    - Ref: paaArn
            - '","physicalResourceId":{"id":"1677602540654"}}'
      InstallLatestAwsSdk: false
    DependsOn:
      - CertificatePemPAI0CustomResourcePolicyBA6B7480
    UpdateReplacePolicy: Delete
    DeletionPolicy: Delete
    Metadata:
      aws:cdk:path: MatterStackPAI/CertificatePem-PAI-0/Resource/Default
  CertificatePemPAI0CustomResourcePolicyBA6B7480:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action: acm-pca:GetCertificate
            Effect: Allow
            Resource:
              Ref: paaArn
        Version: "2012-10-17"
      PolicyName: CertificatePemPAI0CustomResourcePolicyBA6B7480
      Roles:
        - Ref: AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2
    Metadata:
      aws:cdk:path: MatterStackPAI/CertificatePem-PAI-0/CustomResourcePolicy/Resource
  CertActivationPAI0:
    Type: AWS::ACMPCA::CertificateAuthorityActivation
    Properties:
      Certificate:
        Fn::GetAtt:
          - CertificatePemPAI0AC317715
          - Certificate
      CertificateAuthorityArn:
        Fn::GetAtt:
          - CAPAI0
          - Arn
      CertificateChain:
        Fn::GetAtt:
          - PaaPemMatterStackPAI9E94FD8B
          - Certificate
      Status: ACTIVE
    Metadata:
      aws:cdk:path: MatterStackPAI/CertActivation-PAI-0
  MatterAuditorRoleInPAIStackPolicyCE7DAB06:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - s3:GetBucket*
              - s3:GetObject*
              - s3:List*
            Effect: Allow
            Resource:
              - Fn::GetAtt:
                  - DacInputS3ToSQSS3LoggingBucket92EDF008
                  - Arn
              - Fn::Join:
                  - ""
                  - - Fn::GetAtt:
                        - DacInputS3ToSQSS3LoggingBucket92EDF008
                        - Arn
                    - /*
          - Action:
              - logs:Describe*
              - logs:FilterLogEvents
              - logs:Get*
              - logs:List*
              - logs:StartQuery
              - logs:StopQuery
              - logs:TestMetricFilter
            Effect: Allow
            Resource:
              - Fn::GetAtt:
                  - MatterAudit3BAC79D2
                  - Arn
              - Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - ":logs:"
                    - Ref: AWS::Region
                    - ":"
                    - Ref: AWS::AccountId
                    - ":log-group:"
                    - Fn::GetAtt:
                        - SqsToDacIssuingLambdaLambdaFunctionLogRetention3FB85518
                        - LogGroupName
                    - :*
        Version: "2012-10-17"
      PolicyName: MatterAuditorRoleInPAIStackPolicyCE7DAB06
      Roles:
        - MatterAuditorRole
    Metadata:
      aws:cdk:path: MatterStackPAI/MatterAuditorRoleInPAIStack/Policy/Resource
    Condition: isMultiRegion
  DacInputS3ToSQSS3LoggingBucket92EDF008:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: LogDeliveryWrite
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      Tags:
        - Key: matterPKITag
          Value: ""
      VersioningConfiguration:
        Status: Enabled
    UpdateReplacePolicy: Retain
    DeletionPolicy: Retain
    Metadata:
      aws:cdk:path: MatterStackPAI/DacInputS3ToSQS/S3LoggingBucket/Resource
      cfn_nag:
        rules_to_suppress:
          - id: W35
            reason: This S3 bucket is used as the access logging bucket for another bucket
  DacInputS3ToSQSS3LoggingBucketPolicyD20E8C8F:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket:
        Ref: DacInputS3ToSQSS3LoggingBucket92EDF008
      PolicyDocument:
        Statement:
          - Action: s3:*
            Condition:
              Bool:
                aws:SecureTransport: "false"
            Effect: Deny
            Principal:
              AWS: "*"
            Resource:
              - Fn::GetAtt:
                  - DacInputS3ToSQSS3LoggingBucket92EDF008
                  - Arn
              - Fn::Join:
                  - ""
                  - - Fn::GetAtt:
                        - DacInputS3ToSQSS3LoggingBucket92EDF008
                        - Arn
                    - /*
        Version: "2012-10-17"
    Metadata:
      aws:cdk:path: MatterStackPAI/DacInputS3ToSQS/S3LoggingBucket/Policy/Resource
  DacInputS3ToSQSS3Bucket20254F8D:
    Type: AWS::S3::Bucket
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      LifecycleConfiguration:
        Rules:
          - NoncurrentVersionTransitions:
              - StorageClass: GLACIER
                TransitionInDays: 90
            Status: Enabled
      LoggingConfiguration:
        DestinationBucketName:
          Ref: DacInputS3ToSQSS3LoggingBucket92EDF008
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      Tags:
        - Key: matterPKITag
          Value: ""
      VersioningConfiguration:
        Status: Enabled
    UpdateReplacePolicy: Retain
    DeletionPolicy: Retain
    Metadata:
      aws:cdk:path: MatterStackPAI/DacInputS3ToSQS/S3Bucket/Resource
  DacInputS3ToSQSS3BucketPolicy910E9B56:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket:
        Ref: DacInputS3ToSQSS3Bucket20254F8D
      PolicyDocument:
        Statement:
          - Action: s3:*
            Condition:
              Bool:
                aws:SecureTransport: "false"
            Effect: Deny
            Principal:
              AWS: "*"
            Resource:
              - Fn::GetAtt:
                  - DacInputS3ToSQSS3Bucket20254F8D
                  - Arn
              - Fn::Join:
                  - ""
                  - - Fn::GetAtt:
                        - DacInputS3ToSQSS3Bucket20254F8D
                        - Arn
                    - /*
        Version: "2012-10-17"
    Metadata:
      aws:cdk:path: MatterStackPAI/DacInputS3ToSQS/S3Bucket/Policy/Resource
  DacInputS3ToSQSS3BucketNotificationsFC78CCA7:
    Type: Custom::S3BucketNotifications
    Properties:
      ServiceToken:
        Fn::GetAtt:
          - BucketNotificationsHandler050a0587b7544547bf325f094a3db8347ECC3691
          - Arn
      BucketName:
        Ref: DacInputS3ToSQSS3Bucket20254F8D
      NotificationConfiguration:
        QueueConfigurations:
          - Events:
              - s3:ObjectCreated:*
            Filter:
              Key:
                FilterRules:
                  - Name: suffix
                    Value: .csr
            QueueArn:
              Fn::GetAtt:
                - DacInputS3ToSQSqueueD59411ED
                - Arn
      Managed: true
    DependsOn:
      - DacInputS3ToSQSqueuePolicy14406618
      - DacInputS3ToSQSqueueD59411ED
    Metadata:
      aws:cdk:path: MatterStackPAI/DacInputS3ToSQS/S3Bucket/Notifications/Resource
  DacInputS3ToSQSdeadLetterQueue9EBD583A:
    Type: AWS::SQS::Queue
    Properties:
      KmsMasterKeyId: alias/aws/sqs
      Tags:
        - Key: matterPKITag
          Value: ""
    UpdateReplacePolicy: Delete
    DeletionPolicy: Delete
    Metadata:
      aws:cdk:path: MatterStackPAI/DacInputS3ToSQS/deadLetterQueue/Resource
  DacInputS3ToSQSdeadLetterQueuePolicy82056AF4:
    Type: AWS::SQS::QueuePolicy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - sqs:AddPermission
              - sqs:DeleteMessage
              - sqs:GetQueueAttributes
              - sqs:ReceiveMessage
              - sqs:RemovePermission
              - sqs:SendMessage
              - sqs:SetQueueAttributes
            Effect: Allow
            Principal:
              AWS:
                Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - ":iam::"
                    - Ref: AWS::AccountId
                    - :root
            Resource:
              Fn::GetAtt:
                - DacInputS3ToSQSdeadLetterQueue9EBD583A
                - Arn
            Sid: QueueOwnerOnlyAccess
          - Action: SQS:*
            Condition:
              Bool:
                aws:SecureTransport: "false"
            Effect: Deny
            Principal:
              AWS: "*"
            Resource:
              Fn::GetAtt:
                - DacInputS3ToSQSdeadLetterQueue9EBD583A
                - Arn
            Sid: HttpsOnly
        Version: "2012-10-17"
      Queues:
        - Ref: DacInputS3ToSQSdeadLetterQueue9EBD583A
    Metadata:
      aws:cdk:path: MatterStackPAI/DacInputS3ToSQS/deadLetterQueue/Policy/Resource
  DacInputS3ToSQSEncryptionKey0AD30D7E:
    Type: AWS::KMS::Key
    Properties:
      KeyPolicy:
        Statement:
          - Action: kms:*
            Effect: Allow
            Principal:
              AWS:
                Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - ":iam::"
                    - Ref: AWS::AccountId
                    - :root
            Resource: "*"
          - Action:
              - kms:Decrypt
              - kms:Encrypt
              - kms:GenerateDataKey*
              - kms:ReEncrypt*
            Condition:
              ArnLike:
                aws:SourceArn:
                  Fn::GetAtt:
                    - DacInputS3ToSQSS3Bucket20254F8D
                    - Arn
            Effect: Allow
            Principal:
              Service: s3.amazonaws.com
            Resource: "*"
          - Action:
              - kms:Decrypt
              - kms:GenerateDataKey*
            Effect: Allow
            Principal:
              Service: s3.amazonaws.com
            Resource: "*"
        Version: "2012-10-17"
      EnableKeyRotation: true
    UpdateReplacePolicy: Retain
    DeletionPolicy: Retain
    Metadata:
      aws:cdk:path: MatterStackPAI/DacInputS3ToSQS/EncryptionKey/Resource
  DacInputS3ToSQSqueueD59411ED:
    Type: AWS::SQS::Queue
    Properties:
      KmsMasterKeyId:
        Fn::GetAtt:
          - DacInputS3ToSQSEncryptionKey0AD30D7E
          - Arn
      RedrivePolicy:
        deadLetterTargetArn:
          Fn::GetAtt:
            - DacInputS3ToSQSdeadLetterQueue9EBD583A
            - Arn
        maxReceiveCount: 15
      Tags:
        - Key: matterPKITag
          Value: ""
      VisibilityTimeout: 360
    UpdateReplacePolicy: Delete
    DeletionPolicy: Delete
    Metadata:
      aws:cdk:path: MatterStackPAI/DacInputS3ToSQS/queue/Resource
  DacInputS3ToSQSqueuePolicy14406618:
    Type: AWS::SQS::QueuePolicy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - sqs:AddPermission
              - sqs:DeleteMessage
              - sqs:GetQueueAttributes
              - sqs:ReceiveMessage
              - sqs:RemovePermission
              - sqs:SendMessage
              - sqs:SetQueueAttributes
            Effect: Allow
            Principal:
              AWS:
                Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - ":iam::"
                    - Ref: AWS::AccountId
                    - :root
            Resource:
              Fn::GetAtt:
                - DacInputS3ToSQSqueueD59411ED
                - Arn
            Sid: QueueOwnerOnlyAccess
          - Action: SQS:*
            Condition:
              Bool:
                aws:SecureTransport: "false"
            Effect: Deny
            Principal:
              AWS: "*"
            Resource:
              Fn::GetAtt:
                - DacInputS3ToSQSqueueD59411ED
                - Arn
            Sid: HttpsOnly
          - Action:
              - sqs:GetQueueAttributes
              - sqs:GetQueueUrl
              - sqs:SendMessage
            Condition:
              ArnLike:
                aws:SourceArn:
                  Fn::GetAtt:
                    - DacInputS3ToSQSS3Bucket20254F8D
                    - Arn
            Effect: Allow
            Principal:
              Service: s3.amazonaws.com
            Resource:
              Fn::GetAtt:
                - DacInputS3ToSQSqueueD59411ED
                - Arn
        Version: "2012-10-17"
      Queues:
        - Ref: DacInputS3ToSQSqueueD59411ED
    Metadata:
      aws:cdk:path: MatterStackPAI/DacInputS3ToSQS/queue/Policy/Resource
  BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleB6FB88EC:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
        Version: "2012-10-17"
      ManagedPolicyArns:
        - Fn::Join:
            - ""
            - - "arn:"
              - Ref: AWS::Partition
              - :iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
    Metadata:
      aws:cdk:path: MatterStackPAI/BucketNotificationsHandler050a0587b7544547bf325f094a3db834/Role/Resource
  BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleDefaultPolicy2CF63D36:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action: s3:PutBucketNotification
            Effect: Allow
            Resource: "*"
        Version: "2012-10-17"
      PolicyName: BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleDefaultPolicy2CF63D36
      Roles:
        - Ref: BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleB6FB88EC
    Metadata:
      aws:cdk:path: MatterStackPAI/BucketNotificationsHandler050a0587b7544547bf325f094a3db834/Role/DefaultPolicy/Resource
      cfn_nag:
        rules_to_suppress:
          - id: W12
            reason: Bucket resource is '*' due to circular dependency with bucket and role creation at the same time
  BucketNotificationsHandler050a0587b7544547bf325f094a3db8347ECC3691:
    Type: AWS::Lambda::Function
    Properties:
      Description: AWS CloudFormation handler for "Custom::S3BucketNotifications" resources (@aws-cdk/aws-s3)
      Code:
        ZipFile: |
          import boto3  # type: ignore
          import json
          import logging
          import urllib.request

          s3 = boto3.client("s3")

          EVENTBRIDGE_CONFIGURATION = 'EventBridgeConfiguration'

          CONFIGURATION_TYPES = ["TopicConfigurations", "QueueConfigurations", "LambdaFunctionConfigurations"]

          def handler(event: dict, context):
            response_status = "SUCCESS"
            error_message = ""
            try:
              props = event["ResourceProperties"]
              bucket = props["BucketName"]
              notification_configuration = props["NotificationConfiguration"]
              request_type = event["RequestType"]
              managed = props.get('Managed', 'true').lower() == 'true'
              stack_id = event['StackId']

              if managed:
                config = handle_managed(request_type, notification_configuration)
              else:
                config = handle_unmanaged(bucket, stack_id, request_type, notification_configuration)

              put_bucket_notification_configuration(bucket, config)
            except Exception as e:
              logging.exception("Failed to put bucket notification configuration")
              response_status = "FAILED"
              error_message = f"Error: {str(e)}. "
            finally:
              # Always report back to CloudFormation, otherwise the stack hangs until timeout.
              submit_response(event, context, response_status, error_message)

          def handle_managed(request_type, notification_configuration):
            # Managed mode: this stack owns the whole configuration, so Delete clears it.
            if request_type == 'Delete':
              return {}
            return notification_configuration

          def handle_unmanaged(bucket, stack_id, request_type, notification_configuration):
            # Unmanaged mode: preserve notifications that were not created by this stack.
            external_notifications = find_external_notifications(bucket, stack_id)

            if request_type == 'Delete':
              return external_notifications

            def with_id(notification):
              notification['Id'] = f"{stack_id}-{hash(json.dumps(notification, sort_keys=True))}"
              return notification

            notifications = {}
            for t in CONFIGURATION_TYPES:
              external = external_notifications.get(t, [])
              incoming = [with_id(n) for n in notification_configuration.get(t, [])]
              notifications[t] = external + incoming

            if EVENTBRIDGE_CONFIGURATION in notification_configuration:
              notifications[EVENTBRIDGE_CONFIGURATION] = notification_configuration[EVENTBRIDGE_CONFIGURATION]
            elif EVENTBRIDGE_CONFIGURATION in external_notifications:
              notifications[EVENTBRIDGE_CONFIGURATION] = external_notifications[EVENTBRIDGE_CONFIGURATION]

            return notifications

          def find_external_notifications(bucket, stack_id):
            existing_notifications = get_bucket_notification_configuration(bucket)
            external_notifications = {}
            for t in CONFIGURATION_TYPES:
              # Notifications created by this stack carry an Id prefixed with the stack id.
              external_notifications[t] = [n for n in existing_notifications.get(t, []) if not n['Id'].startswith(f"{stack_id}-")]

            if EVENTBRIDGE_CONFIGURATION in existing_notifications:
              external_notifications[EVENTBRIDGE_CONFIGURATION] = existing_notifications[EVENTBRIDGE_CONFIGURATION]

            return external_notifications

          def get_bucket_notification_configuration(bucket):
            return s3.get_bucket_notification_configuration(Bucket=bucket)

          def put_bucket_notification_configuration(bucket, notification_configuration):
            s3.put_bucket_notification_configuration(Bucket=bucket, NotificationConfiguration=notification_configuration)

          def submit_response(event: dict, context, response_status: str, error_message: str):
            response_body = json.dumps(
              {
                "Status": response_status,
                "Reason": f"{error_message}See the details in CloudWatch Log Stream: {context.log_stream_name}",
                "PhysicalResourceId": event.get("PhysicalResourceId") or event["LogicalResourceId"],
                "StackId": event["StackId"],
                "RequestId": event["RequestId"],
                "LogicalResourceId": event["LogicalResourceId"],
                "NoEcho": False,
              }
            ).encode("utf-8")
            headers = {"content-type": "", "content-length": str(len(response_body))}
            try:
              req = urllib.request.Request(url=event["ResponseURL"], headers=headers, data=response_body, method="PUT")
              with urllib.request.urlopen(req) as response:
                print(response.read().decode("utf-8"))
              print("Status code: " + response.reason)
            except Exception as e:
              print("send(..) failed executing request.urlopen(..): " + str(e))
      Handler: index.handler
      Role:
        Fn::GetAtt:
          - BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleB6FB88EC
          - Arn
      Runtime: python3.9
      Timeout: 300
    DependsOn:
      - BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleDefaultPolicy2CF63D36
      - BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleB6FB88EC
    Metadata:
      aws:cdk:path: MatterStackPAI/BucketNotificationsHandler050a0587b7544547bf325f094a3db834/Resource
      cfn_nag:
        rules_to_suppress:
          - id: W58
            reason: Lambda functions has the required permission to write CloudWatch Logs. It uses custom policy instead of arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole with tighter permissions.
          - id: W89
            reason: This is not a rule for the general case, just for specific use cases/industries
          - id: W92
            reason: Impossible for us to define the correct concurrency for clients
  SqsToDacIssuingLambdaLambdaFunctionServiceRoleB25CC72F:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
        Version: "2012-10-17"
      Policies:
        - PolicyDocument:
            Statement:
              - Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Effect: Allow
                Resource:
                  Fn::Join:
                    - ""
                    - - "arn:"
                      - Ref: AWS::Partition
                      - ":logs:"
                      - Ref: AWS::Region
                      - ":"
                      - Ref: AWS::AccountId
                      - :log-group:/aws/lambda/*
            Version: "2012-10-17"
          PolicyName: LambdaFunctionServiceRolePolicy
    Metadata:
      aws:cdk:path: MatterStackPAI/SqsToDacIssuingLambda/LambdaFunctionServiceRole/Resource
  SqsToDacIssuingLambdaLambdaFunctionServiceRoleDefaultPolicy21809AD9:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - acm-pca:ListCertificateAuthorities
              - xray:PutTelemetryRecords
              - xray:PutTraceSegments
            Effect: Allow
            Resource: "*"
          - Action:
              - sqs:ChangeMessageVisibility
              - sqs:DeleteMessage
              - sqs:GetQueueAttributes
              - sqs:GetQueueUrl
              - sqs:ReceiveMessage
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - DacInputS3ToSQSqueueD59411ED
                - Arn
          - Action: kms:Decrypt
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - DacInputS3ToSQSEncryptionKey0AD30D7E
                - Arn
          - Action:
              - s3:Abort*
              - s3:DeleteObject*
              - s3:GetBucket*
              - s3:GetObject*
              - s3:List*
              - s3:PutObject
              - s3:PutObjectLegalHold
              - s3:PutObjectRetention
              - s3:PutObjectTagging
              - s3:PutObjectVersionTagging
            Effect: Allow
            Resource:
              - Fn::GetAtt:
                  - DacInputS3ToSQSS3Bucket20254F8D
                  - Arn
              - Fn::Join:
                  - ""
                  - - Fn::GetAtt:
                        - DacInputS3ToSQSS3Bucket20254F8D
                        - Arn
                    - /*
          - Action: acm-pca:IssueCertificate
            Condition:
              StringLike:
                acm-pca:TemplateArn: arn:aws:acm-pca:::template/BlankEndEntityCertificate_CriticalBasicConstraints_APIPassthrough/V*
              StringEquals:
                aws:ResourceTag/matterCAType: pai
            Effect: Allow
            Resource: "*"
          - Action: acm-pca:IssueCertificate
            Condition:
              StringNotLike:
                acm-pca:TemplateArn: arn:aws:acm-pca:::template/BlankEndEntityCertificate_CriticalBasicConstraints_APIPassthrough/V*
              StringEquals:
                aws:ResourceTag/matterCAType: pai
            Effect: Deny
            Resource: "*"
          - Action:
              - acm-pca:DescribeCertificateAuthority
              - acm-pca:GetCertificate
              - acm-pca:GetCertificateAuthorityCertificate
              - acm-pca:RevokeCertificate
            Condition:
              StringEquals:
                aws:ResourceTag/matterCAType: pai
            Effect: Allow
            Resource: "*"
        Version: "2012-10-17"
      PolicyName: SqsToDacIssuingLambdaLambdaFunctionServiceRoleDefaultPolicy21809AD9
      Roles:
        - Ref: SqsToDacIssuingLambdaLambdaFunctionServiceRoleB25CC72F
    Metadata:
      aws:cdk:path: MatterStackPAI/SqsToDacIssuingLambda/LambdaFunctionServiceRole/DefaultPolicy/Resource
      cfn_nag:
        rules_to_suppress:
          - id: W12
            reason: Lambda needs the following minimum required permissions to send trace data to X-Ray and access ENIs in a VPC.
  SqsToDacIssuingLambdaLambdaFunction63CBA51A:
    Type: AWS::Lambda::Function
    Properties:
      Code:
        S3Bucket:
          Fn::Sub: ${AWS::AccountId}-matter-cfn-deployment-assets
        S3Key: DACIssuingLambda.zip
      Role:
        Fn::GetAtt:
          - SqsToDacIssuingLambdaLambdaFunctionServiceRoleB25CC72F
          - Arn
      Handler: com.sample.Handler
      MemorySize: 512
      ReservedConcurrentExecutions: 55
      Runtime: java11
      Environment:
        Variables:
          dacValidityInDays:
            Ref: dacValidityInDays
      Tags:
        - Key: matterPKITag
          Value: ""
      Timeout: 60
      TracingConfig:
        Mode: Active
    DependsOn:
      - SqsToDacIssuingLambdaLambdaFunctionServiceRoleDefaultPolicy21809AD9
      - SqsToDacIssuingLambdaLambdaFunctionServiceRoleB25CC72F
    Metadata:
      aws:cdk:path: MatterStackPAI/SqsToDacIssuingLambda/LambdaFunction/Resource
      cfn_nag:
        rules_to_suppress:
          - id: W58
            reason: Lambda functions has the required permission to write CloudWatch Logs. It uses custom policy instead of arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole with tighter permissions.
          - id: W89
            reason: This is not a rule for the general case, just for specific use cases/industries
          - id: W92
            reason: Impossible for us to define the correct concurrency for clients
  SqsToDacIssuingLambdaLambdaFunctionLogRetention3FB85518:
    Type: Custom::LogRetention
    Properties:
      ServiceToken:
        Fn::GetAtt:
          - LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aFD4BFC8A
          - Arn
      LogGroupName:
        Fn::Join:
          - ""
          - - /aws/lambda/
            - Ref: SqsToDacIssuingLambdaLambdaFunction63CBA51A
      RetentionInDays: 60
    Metadata:
      aws:cdk:path: MatterStackPAI/SqsToDacIssuingLambda/LambdaFunction/LogRetention/Resource
  SqsToDacIssuingLambdaLambdaFunctionSqsEventSourceMatterStackPAIDacInputS3ToSQSqueue334B7A2D9472359E:
    Type: AWS::Lambda::EventSourceMapping
    Properties:
      FunctionName:
        Ref: SqsToDacIssuingLambdaLambdaFunction63CBA51A
      BatchSize: 5
      Enabled: true
      EventSourceArn:
        Fn::GetAtt:
          - DacInputS3ToSQSqueueD59411ED
          - Arn
      FunctionResponseTypes:
        - ReportBatchItemFailures
    Metadata:
      aws:cdk:path: MatterStackPAI/SqsToDacIssuingLambda/LambdaFunction/SqsEventSource:MatterStackPAIDacInputS3ToSQSqueue334B7A2D/Resource
  LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRole9741ECFB:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
        Version: "2012-10-17"
      ManagedPolicyArns:
        - Fn::Join:
            - ""
            - - "arn:"
              - Ref: AWS::Partition
              - :iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
    Metadata:
      aws:cdk:path: MatterStackPAI/LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8a/ServiceRole/Resource
  LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRoleDefaultPolicyADDA7DEB:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - logs:DeleteRetentionPolicy
              - logs:PutRetentionPolicy
            Effect: Allow
            Resource: "*"
        Version: "2012-10-17"
      PolicyName: LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRoleDefaultPolicyADDA7DEB
      Roles:
        - Ref: LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRole9741ECFB
    Metadata:
      aws:cdk:path: MatterStackPAI/LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8a/ServiceRole/DefaultPolicy/Resource
  LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aFD4BFC8A:
    Type: AWS::Lambda::Function
    Properties:
      Handler: index.handler
      Runtime: nodejs14.x
      Code:
        S3Bucket:
          Fn::Sub: ${AWS::AccountId}-matter-cfn-deployment-assets
        S3Key: LogRetentionLambda.zip
      Role:
        Fn::GetAtt:
          - LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRole9741ECFB
          - Arn
    DependsOn:
      - LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRoleDefaultPolicyADDA7DEB
      - LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRole9741ECFB
    Metadata:
      aws:cdk:path: MatterStackPAI/LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8a/Resource
  MatterAuditLoggingBackupPlanE7841230:
    Type: AWS::Backup::BackupPlan
    Properties:
      BackupPlan:
        BackupPlanName: MatterAuditLoggingBackupPlan
        BackupPlanRule:
          - Lifecycle:
              DeleteAfterDays: 32
            RuleName: RuleForMonthlyBackups
            ScheduleExpression: cron(0 0 1 * ? *)
            TargetBackupVault:
              Fn::GetAtt:
                - MatterAuditLoggingBackupVault52FF6D37
                - BackupVaultName
    Metadata:
      aws:cdk:path: MatterStackPAI/MatterAuditLoggingBackupPlan/Resource
    Condition: isMultiRegion
  MatterAuditLoggingBackupPlanS3BackupSelection72BC7F41:
    Type: AWS::Backup::BackupSelection
    Properties:
      BackupPlanId:
        Fn::GetAtt:
          - MatterAuditLoggingBackupPlanE7841230
          - BackupPlanId
      BackupSelection:
        IamRoleArn:
          Fn::Join:
            - ""
            - - "arn:"
              - Ref: AWS::Partition
              - ":iam::"
              - Ref: AWS::AccountId
              - :role/MatterPKI/S3BackupRole
        Resources:
          - Fn::GetAtt:
              - matterpkiauditlogsB56DAB62
              - Arn
        SelectionName: S3BackupSelection
    Metadata:
      aws:cdk:path: MatterStackPAI/MatterAuditLoggingBackupPlan/S3BackupSelection/Resource
    Condition: isMultiRegion
  MatterAuditLoggingBackupVault52FF6D37:
    Type: AWS::Backup::BackupVault
    Properties:
      BackupVaultName: MatterAuditLoggingBackupVault
    UpdateReplacePolicy: Retain
    DeletionPolicy: Retain
    Metadata:
      aws:cdk:path: MatterStackPAI/MatterAuditLoggingBackupVault/Resource
    Condition: isMultiRegion
  MatterPKIAuditLogsKMSKey8EB68491:
    Type: AWS::KMS::Key
    Properties:
      KeyPolicy:
        Statement:
          - Action: kms:*
            Effect: Allow
            Principal:
              AWS:
                Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - ":iam::"
                    - Ref: AWS::AccountId
                    - :root
            Resource: "*"
          - Action:
              - kms:Encrypt
              - kms:GenerateDataKey*
              - kms:ReEncrypt*
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Resource: "*"
          - Action:
              - kms:Decrypt
              - kms:DescribeKey
            Effect: Allow
            Principal:
              AWS:
                Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - ":iam::"
                    - Ref: AWS::AccountId
                    - :role/MatterPKI/MatterAuditorRole
            Resource: "*"
        Version: "2012-10-17"
      EnableKeyRotation: true
    UpdateReplacePolicy: Retain
    DeletionPolicy: Retain
    Metadata:
      aws:cdk:path: MatterStackPAI/MatterPKIAuditLogsKMSKey/Resource
    Condition: isMultiRegion
  matterpkiauditlogsB56DAB62:
    Type: AWS::S3::Bucket
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              KMSMasterKeyID:
                Fn::GetAtt:
                  - MatterPKIAuditLogsKMSKey8EB68491
                  - Arn
              SSEAlgorithm: aws:kms
      LifecycleConfiguration:
        Rules:
          - ExpirationInDays: 1827
            Id: MatterAuditLogsArchivingToGlacier
            Status: Enabled
            Transitions:
              - StorageClass: GLACIER
                TransitionInDays: 60
      ObjectLockConfiguration:
        ObjectLockEnabled: Enabled
        Rule:
          DefaultRetention:
            Mode: GOVERNANCE
            Days: 1827
      ObjectLockEnabled: true
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      VersioningConfiguration:
        Status: Enabled
    UpdateReplacePolicy: Retain
    DeletionPolicy: Retain
    Metadata:
      aws:cdk:path: MatterStackPAI/matter-pki-audit-logs/Resource
    Condition: isMultiRegion
  matterpkiauditlogsPolicyB878ED00:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket:
        Ref: matterpkiauditlogsB56DAB62
      PolicyDocument:
        Statement:
          - Action: s3:*
            Condition:
              Bool:
                aws:SecureTransport: "false"
            Effect: Deny
            Principal:
              AWS: "*"
            Resource:
              - Fn::GetAtt:
                  - matterpkiauditlogsB56DAB62
                  - Arn
              - Fn::Join:
                  - ""
                  - - Fn::GetAtt:
                        - matterpkiauditlogsB56DAB62
                        - Arn
                    - /*
          - Action:
              - s3:GetBucket*
              - s3:GetObject*
              - s3:List*
            Effect: Allow
            Principal:
              AWS:
                Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - ":iam::"
                    - Ref: AWS::AccountId
                    - :role/MatterPKI/MatterAuditorRole
            Resource:
              - Fn::GetAtt:
                  - matterpkiauditlogsB56DAB62
                  - Arn
              - Fn::Join:
                  - ""
                  - - Fn::GetAtt:
                        - matterpkiauditlogsB56DAB62
                        - Arn
                    - /*
          - Action: s3:GetBucketAcl
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Resource:
              Fn::GetAtt:
                - matterpkiauditlogsB56DAB62
                - Arn
          - Action: s3:PutObject
            Condition:
              StringEquals:
                s3:x-amz-acl: bucket-owner-full-control
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Resource:
              Fn::Join:
                - ""
                - - Fn::GetAtt:
                      - matterpkiauditlogsB56DAB62
                      - Arn
                  - /AWSLogs/
                  - Ref: AWS::AccountId
                  - /*
        Version: "2012-10-17"
    Metadata:
      aws:cdk:path: MatterStackPAI/matter-pki-audit-logs/Policy/Resource
    Condition: isMultiRegion
  MatterAudit3BAC79D2:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: MatterAudit
      RetentionInDays: 60
    UpdateReplacePolicy: Retain
    DeletionPolicy: Retain
    Metadata:
      aws:cdk:path: MatterStackPAI/MatterAudit/Resource
    Condition: isMultiRegion
  AllPCAEventsFilterE7C3AA2E:
    Type: AWS::Logs::MetricFilter
    Properties:
      FilterPattern: '{ ($.eventSource = "acm-pca.amazonaws.com") }'
      LogGroupName:
        Ref: MatterAudit3BAC79D2
      MetricTransformations:
        - MetricName: AllPCAEventsFilter
          MetricNamespace: CloudTrail
          MetricValue: "1"
    Metadata:
      aws:cdk:path: MatterStackPAI/AllPCAEventsFilter/Resource
    Condition: isMultiRegion
  MatterAuditLoggingBucketFilterE3E26940:
    Type: AWS::Logs::MetricFilter
    Properties:
      FilterPattern:
        Fn::Join:
          - ""
          - - '{ ($.eventSource= "s3.amazonaws.com") && ($.requestParameters.bucketName = "'
            - Ref: matterpkiauditlogsB56DAB62
            - '*") }'
      LogGroupName:
        Ref: MatterAudit3BAC79D2
      MetricTransformations:
        - MetricName: MatterAuditLoggingBucketFilter
          MetricNamespace: CloudTrail
          MetricValue: "1"
    Metadata:
      aws:cdk:path: MatterStackPAI/MatterAuditLoggingBucketFilter/Resource
    Condition: isMultiRegion
  MatterTaggedFilterE39C37A6:
    Type: AWS::Logs::MetricFilter
    Properties:
      FilterPattern: matterPKITag
      LogGroupName:
        Ref: MatterAudit3BAC79D2
      MetricTransformations:
        - MetricName: MatterTaggedFilter
          MetricNamespace: CloudTrail
          MetricValue: "1"
    Metadata:
      aws:cdk:path: MatterStackPAI/MatterTaggedFilter/Resource
    Condition: isMultiRegion
  MatterIssueDACRoleFilterEA7F2FB3:
    Type: AWS::Logs::MetricFilter
    Properties:
      FilterPattern: iam.amazonaws.com MatterIssueDACRole
      LogGroupName:
        Ref: MatterAudit3BAC79D2
      MetricTransformations:
        - MetricName: MatterIssueDACRoleFilter
          MetricNamespace: CloudTrail
          MetricValue: "1"
    Metadata:
      aws:cdk:path: MatterStackPAI/MatterIssueDACRoleFilter/Resource
    Condition: isMultiRegion
  MatterAuditorRoleFilter23F9E901:
    Type: AWS::Logs::MetricFilter
    Properties:
      FilterPattern: iam.amazonaws.com MatterAuditorRole
      LogGroupName:
        Ref: MatterAudit3BAC79D2
      MetricTransformations:
        - MetricName: MatterAuditorRoleFilter
          MetricNamespace: CloudTrail
          MetricValue: "1"
    Metadata:
      aws:cdk:path: MatterStackPAI/MatterAuditorRoleFilter/Resource
    Condition: isMultiRegion
  MatterAuditLoggingBackupRoleFilter082062E4:
    Type: AWS::Logs::MetricFilter
    Properties:
      FilterPattern: iam.amazonaws.com S3BackupRole
      LogGroupName:
        Ref: MatterAudit3BAC79D2
      MetricTransformations:
        - MetricName: MatterAuditLoggingBackupRoleFilter
          MetricNamespace: CloudTrail
          MetricValue: "1"
    Metadata:
      aws:cdk:path: MatterStackPAI/MatterAuditLoggingBackupRoleFilter/Resource
    Condition: isMultiRegion
  MatterAuditLoggingBackupPlanFilter4DD6905B:
    Type: AWS::Logs::MetricFilter
    Properties:
      FilterPattern:
        Fn::Join:
          - ""
          - - "backup.amazonaws.com "
            - Fn::GetAtt:
                - MatterAuditLoggingBackupPlanE7841230
                - BackupPlanId
      LogGroupName:
        Ref: MatterAudit3BAC79D2
      MetricTransformations:
        - MetricName: MatterAuditLoggingBackupPlanFilter
          MetricNamespace: CloudTrail
          MetricValue: "1"
    Metadata:
      aws:cdk:path: MatterStackPAI/MatterAuditLoggingBackupPlanFilter/Resource
    Condition: isMultiRegion
  MatterAuditTrailLogsRoleA5220186:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
        Version: "2012-10-17"
    Metadata:
      aws:cdk:path: MatterStackPAI/MatterAuditTrail/LogsRole/Resource
  MatterAuditTrailLogsRoleDefaultPolicy5D8B82A7:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - logs:CreateLogStream
              - logs:PutLogEvents
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - MatterAudit3BAC79D2
                - Arn
        Version: "2012-10-17"
      PolicyName: MatterAuditTrailLogsRoleDefaultPolicy5D8B82A7
      Roles:
        - Ref: MatterAuditTrailLogsRoleA5220186
    Metadata:
      aws:cdk:path: MatterStackPAI/MatterAuditTrail/LogsRole/DefaultPolicy/Resource
    Condition: isMultiRegion
  MatterAuditTrail535B0DA6:
    Type: AWS::CloudTrail::Trail
    Properties:
      IsLogging: true
      S3BucketName:
        Ref: matterpkiauditlogsB56DAB62
      CloudWatchLogsLogGroupArn:
        Fn::GetAtt:
          - MatterAudit3BAC79D2
          - Arn
      CloudWatchLogsRoleArn:
        Fn::GetAtt:
          - MatterAuditTrailLogsRoleA5220186
          - Arn
      EnableLogFileValidation: true
      EventSelectors:
        - DataResources:
            - Type: AWS::S3::Object
              Values:
                - Fn::Join:
                    - ""
                    - - Fn::GetAtt:
                          - matterpkiauditlogsB56DAB62
                          - Arn
                      - /
      IncludeGlobalServiceEvents: true
      IsMultiRegionTrail: true
      KMSKeyId:
        Fn::GetAtt:
          - MatterPKIAuditLogsKMSKey8EB68491
          - Arn
    DependsOn:
      - matterpkiauditlogsPolicyB878ED00
      - MatterAuditTrailLogsRoleDefaultPolicy5D8B82A7
      - MatterAuditTrailLogsRoleA5220186
    Metadata:
      aws:cdk:path: MatterStackPAI/MatterAuditTrail/Resource
    Condition: isMultiRegion
  CDKMetadata:
    Type: AWS::CDK::Metadata
    Properties:
      Analytics:
v2:deflate64:H4sIAAAAAAAA/21SwW7bMAz9lt5ltauxAbstDdYd1mJZHOwaKDKbqZElV6RSDIb+fZTsOUa7i/keSdHkI2/l8KmWt1fqFSvdniprDnJoSOmTWD+5jQqqA4IgdETy3T4A+hg0oFy94rr4tpNLcIn9YFV3aBWXMO5ogby7j06T8U7MgOvO+OsZHDXl/aPqe36Uw++9SRjVyWHjrdF/Smcj2noLmWabBNZ7hQjE3WXDXA53UZ+A7hSCGGFOn9BoLkWXPAmlu17zKBxYQyDzZLQiWEX67YOh8uB//hVPdlZ5Om4Iu6xm4AkuUi515ZQXlMPPCLHMMYLyvbS1oEmcOs7/DiXAJgnrj+x58MctF3RFVSbfgo99zpnxI3Af+t7YqYclT+LAG489y1XsxqqypwUbYQMW5i2+dY38l4qWLuFCk9DWx5aCMlYOu2xyRgEpiTeHlPf5D8+gbJQP8zjdyI9IfSz/WXvXmlHv+kbeXH3Jt4zexuzjq+YPhagJr3NgwLrKmjf1zjcvmPWvpqNluvMPBXNTzrcgn/H6/OGz/Mhln9GYKkRWuAO5He1fdBCtJj4DAAA= Metadata: aws:cdk:path: MatterStackPAI/CDKMetadata/Default Condition: CDKMetadataAvailable Outputs: CertArnPAI0: Description: The certificate Arn for PAI0 Value: Fn::GetAtt: - CertificatePAI03F296F37 - CertificateArn DACIssuingLambdaFunctionName: Description: The name of the Lambda Function that issues DACs Value: Ref: SqsToDacIssuingLambdaLambdaFunction63CBA51A PAI0: Description: The ARN of PAI0 Value: Fn::Join: - "" - - VID= - Ref: vendorId - " PID=" - Ref: productId - " CN=" - Ref: paiCommonName - " " - Fn::GetAtt: - CAPAI0 - Arn CertLinkPAI0: Description: The link to the PAI certificate in the AWS Private CA console Value: Fn::Join: - "" - - https://console.aws.amazon.com/acm-pca/home?region= - Ref: AWS::Region - "#/details?arn=" - Fn::GetAtt: - CAPAI0 - Arn - "&tab=certificate" Conditions: isMultiRegion: Fn::Not: - Fn::Equals: - Ref: AWS::Region - Fn::Select: - 3 - Fn::Split: - ":" - Ref: paaArn CDKMetadataAvailable: Fn::Or: - Fn::Or: - Fn::Equals: - Ref: AWS::Region - af-south-1 - Fn::Equals: - Ref: AWS::Region - ap-east-1 - Fn::Equals: - Ref: AWS::Region - ap-northeast-1 - Fn::Equals: - Ref: AWS::Region - ap-northeast-2 - Fn::Equals: - Ref: AWS::Region - ap-south-1 - Fn::Equals: - Ref: AWS::Region - ap-southeast-1 - Fn::Equals: - Ref: AWS::Region - ap-southeast-2 - Fn::Equals: - Ref: AWS::Region - ca-central-1 - Fn::Equals: - Ref: AWS::Region - cn-north-1 - Fn::Equals: - Ref: 
AWS::Region - cn-northwest-1 - Fn::Or: - Fn::Equals: - Ref: AWS::Region - eu-central-1 - Fn::Equals: - Ref: AWS::Region - eu-north-1 - Fn::Equals: - Ref: AWS::Region - eu-south-1 - Fn::Equals: - Ref: AWS::Region - eu-west-1 - Fn::Equals: - Ref: AWS::Region - eu-west-2 - Fn::Equals: - Ref: AWS::Region - eu-west-3 - Fn::Equals: - Ref: AWS::Region - me-south-1 - Fn::Equals: - Ref: AWS::Region - sa-east-1 - Fn::Equals: - Ref: AWS::Region - us-east-1 - Fn::Equals: - Ref: AWS::Region - us-east-2 - Fn::Or: - Fn::Equals: - Ref: AWS::Region - us-west-1 - Fn::Equals: - Ref: AWS::Region - us-west-2