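########################################################################
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0
########################################################################
AWSTemplateFormatVersion: '2010-09-09'
Description:
  Creates the SRA CodeBuild Project that deploys the staging, common prerequisites, and other components of the SRA. - 'easy_setup' solution in
  the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse7p)

# Review notes on this revision:
#   - Parameter validation was tightened where the declared ConstraintDescription did not match the AllowedPattern
#     (contact names/titles, CIDR blocks, conformance-pack names, key prefixes) so that the console text and the
#     enforced rule agree.
#   - Optional parameters now carry a Default of '' (CloudFormation treats a parameter without Default as required).
#   - Boolean-like String parameters consistently use quoted 'true'/'false' values.

Metadata:
  SRA:
    Version: 1.0
    Order: 1
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: General Properties
        Parameters:
          - pSRASolutionTagKey
          - pSRASolutionName
          # - pAWSControlTowerExecutionRoleName
          # - pOrganizationId
          - pSRAStagingS3BucketNamePrefix
          - pSRAStagingS3BucketStackName
      - Label:
          default: CodeBuild Properties
        Parameters:
          - pCodeBuildProjectName
          - pCodeBuildRoleName
      - Label:
          default: AWS Code Build Project - Lambda Function Properties
        Parameters:
          - pCodeBuildProjectLambdaRoleName
          - pCodeBuildProjectLambdaFunctionName
      - Label:
          default: SRA Solutions to deploy (more settings for each are found below)
        Parameters:
          - pDeployAccountAlternateContactsSolution
          - pDeployCloudTrailSolution
          - pDeployConfigManagementSolution
          - pDeployConfigConformancePackSolution
          - pDeployEC2DefaultEBSEncryptionSolution
          - pDeployDetectiveSolution
          - pDeployFirewallManagerSolution
          - pDeployGuardDutySolution
          - pDeployIAMAccessAnalyzerSolution
          - pDeployIAMPasswordPolicySolution
          - pDeployMacieSolution
          - pDeployS3BlockAccountPublicAccessSolution
          - pDeploySecurityHubSolution
          - pDeployInspectorSolution
      - Label:
          default: Account Alternate Contacts Solution (optional parameters are required if solution is deployed)
        Parameters:
          - pExcludeAlternateContactAccountTags
          - pBillingContactAction
          - pOperationsContactAction
          - pSecurityContactAction
          - pBillingName
          - pBillingTitle
          - pBillingEmail
          - pBillingPhone
          - pOperationsName
          - pOperationsTitle
          - pOperationsEmail
          - pOperationsPhone
          - pSecurityName
          - pSecurityTitle
          - pSecurityEmail
          - pSecurityPhone
      - Label:
          default: AWS CloudTrail Solution
        Parameters:
          - pCloudTrailName
          - pEnableDataEventsOnly
          - pEnableLambdaDataEvents
          - pEnableS3DataEvents
          - pBucketNamePrefix
          - pCloudTrailLogGroupKmsKey
          - pCloudTrailLogGroupRetention
          - pCreateCloudTrailLogGroup
          - pOrganizationCloudTrailKeyAlias
      - Label:
          default: AWS Config Management Solution
        Parameters:
          - pAllSupported
          - pFrequency
          - pIncludeGlobalResourceTypes
          - pKmsKeyArn
          - pResourceTypes
      - Label:
          default: AWS Config Conformance Pack Solution
        Parameters:
          - pConformancePackName
          - pConformancePackTemplateName
          - pDeliveryS3KeyPrefix
          - pConformancePackExcludedAccounts
      - Label:
          default: Detective Solution
        Parameters:
          - pDatasourcePackages
          - pGuarddutyEnabledForMoreThan48Hours
      - Label:
          default: EC2 Default EBS Encryption Solution
        Parameters:
          - pExcludeEC2DefaultEBSEncryptionTags
      - Label:
          default: Firewall Manager Solution
        Parameters:
          - pEnableRemediation
          - pInternalNetCIDR
          - pCreateVpcForSG
          - pVPCCidrBlock
          - pVpcId
      - Label:
          default: GuardDuty Solution
        Parameters:
          - pDisableGuardDuty
          - pAutoEnableS3Logs
          - pAutoEnableKubernetesAuditLogs
          - pAutoEnableMalwareProtection
          - pEnableRdsLoginEvents
          - pEnableEksRuntimeMonitoring
          - pEnableEksAddonManagement
          - pEnableLambdaNetworkLogs
          - pGuardDutyFindingPublishingFrequency
          - pGuardDutyOrgDeliveryBucketPrefix
          - pGuardDutyOrgDeliveryKeyAlias
      - Label:
          default: IAM Access Analyzer Solution
        Parameters:
          - pAccessAnalyzerNamePrefix
          - pOrganizationAccessAnalyzerName
          - pAccessAnalyzerRegisterDelegatedAdminAccount
      - Label:
          default: IAM Password Policy Solution
        Parameters:
          - pAllowUsersToChangePassword
          - pHardExpiry
          - pMaxPasswordAge
          - pMinimumPasswordLength
          - pPasswordReusePrevention
          - pRequireLowercaseCharacters
          - pRequireNumbers
          - pRequireSymbols
          - pRequireUppercaseCharacters
      - Label:
          default: Macie Solution
        Parameters:
          - pDisableMacie
          - pMacieFindingPublishingFrequency
          - pMacieOrgDeliveryBucketPrefix
          - pMacieOrgDeliveryKeyAlias
      - Label:
          default: S3 Block Account Public Access Solution
        Parameters:
          - pExcludeS3BlockAccountPublicAccessTags
          - pEnableBlockPublicAcls
          - pEnableBlockPublicPolicy
          - pEnableIgnorePublicAcls
          - pEnableRestrictPublicBuckets
      - Label:
          default: Security Hub Solution
        Parameters:
          - pDisableSecurityHub
          - pEnableCISStandard
          - pCISStandardVersion
          - pEnablePCIStandard
          - pEnableSecurityBestPracticesStandard
          - pRegionLinkingMode
      - Label:
          default: Inspector Solution
        Parameters:
          - pScanComponents
          - pEcrRescanDuration
      - Label:
          default: Common Properties
        Parameters:
          - pSRAAlarmEmail
          - pCreateAWSControlTowerExecutionRole
      - Label:
          default: General Lambda Function and EventBridge Properties
        Parameters:
          - pComplianceFrequency
          - pCreateLambdaLogGroup
          - pLambdaLogGroupRetention
          - pLambdaLogGroupKmsKey
          - pLambdaLogLevel

    ParameterLabels:
      pSRASolutionName:
        default: SRA Solution Name
      pSRASolutionTagKey:
        default: SRA Solution Tag Key
      pCodeBuildProjectName:
        default: SRA CodeBuild Project Name
      pCodeBuildRoleName:
        default: SRA CodeBuild Role Name
      pCodeBuildProjectLambdaRoleName:
        default: SRA CodeBuild Project Lambda Role Name
      pCodeBuildProjectLambdaFunctionName:
        default: SRA CodeBuild Project Lambda Function Name
      pSRAStagingS3BucketNamePrefix:
        default: SRA Staging S3 Bucket Name Prefix
      pSRAStagingS3BucketStackName:
        default: SRA Staging S3 Bucket Stack Name
      pScanComponents:
        default: Comma separated list of scan components (EC2, ECR, LAMBDA)
      pEcrRescanDuration:
        default: ECR Rescan Duration
      pDeployInspectorSolution:
        default: Deploy the Inspector Solution
      pAccessAnalyzerNamePrefix:
        default: Access Analyzer Name Prefix
      pAccessAnalyzerRegisterDelegatedAdminAccount:
        default: Access Analyzer Register Delegated Admin Account
      pAllowUsersToChangePassword:
        default: Allow Users to Change Password
      pAllSupported:
        default: All Supported
      pAutoEnableS3Logs:
        default: Auto Enable S3 Logs
      pAutoEnableKubernetesAuditLogs:
        default: Auto Enable Kubernetes Audit Logs
      pAutoEnableMalwareProtection:
        default: Auto Enable Malware Protection
      pEnableRdsLoginEvents:
        default: Auto enable RDS Login Events
      pEnableEksRuntimeMonitoring:
        default: Auto enable EKS Runtime Monitoring
      pEnableEksAddonManagement:
        default: Auto enable EKS Add-on Management
      pEnableLambdaNetworkLogs:
        default: Auto enable Lambda Network Logs
      pBillingContactAction:
        default: Billing Alternate Contact Action
      pBillingEmail:
        default: (Optional) Billing Email Address
      pBillingName:
        default: (Optional) Billing Full Name
      pBillingPhone:
        default: (Optional) Billing Phone Number
      pBillingTitle:
        default: (Optional) Billing Title
      pBucketNamePrefix:
        default: S3 Log Bucket Name Prefix
      pCISStandardVersion:
        default: CIS Standard Version
      pCloudTrailLogGroupKmsKey:
        default: (Optional) CloudTrail CloudWatch Logs KMS Key
      pCloudTrailLogGroupRetention:
        default: CloudTrail Log Group Retention
      pCloudTrailName:
        default: CloudTrail Name
      pComplianceFrequency:
        default: Frequency to Check for Organizational Compliance
      pConformancePackExcludedAccounts:
        default: (Optional) Account IDs to Exclude From the Conformance Pack
      pConformancePackName:
        default: Conformance Pack Name
      pConformancePackTemplateName:
        default: Conformance Pack Template Name
      pCreateCloudTrailLogGroup:
        default: Create CloudTrail CloudWatch Log Group
      pCreateLambdaLogGroup:
        default: Create Lambda Log Group
      pCreateVpcForSG:
        default: Create VPC For Security Group
      pDatasourcePackages:
        default: (Optional) Datasource packages to start
      pDeliveryS3KeyPrefix:
        default: (Optional) Delivery S3 Key Prefix
      pDeployAccountAlternateContactsSolution:
        default: Deploy the Account Alternate Contacts Solution
      pDeployCloudTrailSolution:
        default: Deploy the CloudTrail Solution
      pDeployConfigConformancePackSolution:
        default: Deploy the AWS Config Conformance Pack Solution
      pDeployConfigManagementSolution:
        default: Deploy the AWS Config Management Solution
      pDeployEC2DefaultEBSEncryptionSolution:
        default: Deploy the EC2 Default EBS Encryption Solution
      pDeployDetectiveSolution:
        default: Deploy the Detective Solution
      pDeployFirewallManagerSolution:
        default: Deploy the Firewall Manager Solution
      pDeployGuardDutySolution:
        default: Deploy the GuardDuty Solution
      pDeployIAMAccessAnalyzerSolution:
        default: Deploy the IAM Access Analyzer Solution
      pDeployIAMPasswordPolicySolution:
        default: Deploy the IAM Password Policy Solution
      pDeployMacieSolution:
        default: Deploy the Macie Solution
      pDeployS3BlockAccountPublicAccessSolution:
        default: Deploy the S3 Block Account Public Access Solution
      pDeploySecurityHubSolution:
        default: Deploy the Security Hub Solution
      pDisableGuardDuty:
        default: Disable GuardDuty
      pDisableMacie:
        default: Disable Macie
      pDisableSecurityHub:
        default: Disable Security Hub
      pEnableBlockPublicAcls:
        default: S3 Enable Block Public ACLs
      pEnableBlockPublicPolicy:
        default: S3 Enable Block Public Policy
      pEnableCISStandard:
        default: Enable CIS Standard
      pEnableDataEventsOnly:
        default: Enable Data Events Only
      pEnableIgnorePublicAcls:
        default: S3 Enable Ignore Public ACLs
      pEnableLambdaDataEvents:
        default: Enable Lambda Data Events
      pEnablePCIStandard:
        default: Enable PCI Standard
      pEnableRemediation:
        default: Enable Remediation
      pEnableRestrictPublicBuckets:
        default: S3 Enable Restrict Public Buckets
      pEnableS3DataEvents:
        default: Enable S3 Data Events
      pEnableSecurityBestPracticesStandard:
        default: Enable AWS Foundational Security Best Practices Standard
      pExcludeAlternateContactAccountTags:
        default: (Optional) Exclude Alternate Contact Account Tags
      pExcludeEC2DefaultEBSEncryptionTags:
        default: (Optional) Exclude EC2 Default EBS Encryption Tags
      pExcludeS3BlockAccountPublicAccessTags:
        default: (Optional) Exclude S3 Block Account Public Access Tags
      pFrequency:
        default: Frequency
      pGuarddutyEnabledForMoreThan48Hours:
        default: GuardDuty Enabled More Than 48 Hours
      pGuardDutyFindingPublishingFrequency:
        default: GuardDuty Finding Publishing Frequency
      pGuardDutyOrgDeliveryBucketPrefix:
        default: GuardDuty Delivery Bucket Prefix
      pGuardDutyOrgDeliveryKeyAlias:
        default: GuardDuty Delivery KMS Key Alias
      pHardExpiry:
        default: Hard Expiry
      pIncludeGlobalResourceTypes:
        default: Include Global Resource Types
      pInternalNetCIDR:
        default: Internal Network CIDR
      pKmsKeyArn:
        default: (Optional) KMS Key ARN
      pLambdaLogGroupKmsKey:
        default: (Optional) Lambda Log Group KMS Key
      pLambdaLogGroupRetention:
        default: Lambda Log Group Retention
      pLambdaLogLevel:
        default: Lambda Log Level
      pMacieFindingPublishingFrequency:
        default: Macie Finding Publishing Frequency
      pMacieOrgDeliveryBucketPrefix:
        default: Macie Delivery Bucket Prefix
      pMacieOrgDeliveryKeyAlias:
        default: Macie Delivery KMS Key Alias
      pMaxPasswordAge:
        default: Max Password Age
      pMinimumPasswordLength:
        default: Minimum Password Length
      pOperationsContactAction:
        default: Operations Alternate Contact Action
      pOperationsEmail:
        default: (Optional) Operations Email Address
      pOperationsName:
        default: (Optional) Operations Full Name
      pOperationsPhone:
        default: (Optional) Operations Phone Number
      pOperationsTitle:
        default: (Optional) Operations Title
      pOrganizationAccessAnalyzerName:
        default: Organization Access Analyzer Name
      pOrganizationCloudTrailKeyAlias:
        default: Organization CloudTrail KMS Key Alias
      pPasswordReusePrevention:
        default: Password Reuse Prevention
      pRegionLinkingMode:
        default: Region Linking Mode
      pRequireLowercaseCharacters:
        default: Require Lowercase Characters
      pRequireNumbers:
        default: Require Numbers
      pRequireSymbols:
        default: Require Symbols
      pRequireUppercaseCharacters:
        default: Require Uppercase Characters
      pResourceTypes:
        default: (Optional) Resource Types
      pSRAAlarmEmail:
        default: (Optional) SRA Alarm Email
      pCreateAWSControlTowerExecutionRole:
        default: Create AWS Control Tower Execution Role
      pSecurityContactAction:
        default: Security Alternate Contact Action
      pSecurityEmail:
        default: (Optional) Security Email Address
      pSecurityName:
        default: (Optional) Security Full Name
      pSecurityPhone:
        default: (Optional) Security Phone Number
      pSecurityTitle:
        default: (Optional) Security Title
      pVPCCidrBlock:
        default: New VPC CIDR Block
      pVpcId:
        default: (Optional) Existing VPC ID

Parameters:
  # ---------------------------------------------------------------- General
  pSRASolutionName:
    AllowedValues: [sra-common-prerequisites]
    Default: sra-common-prerequisites
    Description: The SRA solution name. The default value is the folder name of the solution
    Type: String
  pSRASolutionTagKey:
    AllowedValues: [sra-solution]
    Default: sra-solution
    Description: The SRA solution tag key applied to all resources created by the solution that support tagging. The value is the pSRASolutionName.
    Type: String

  # -------------------------------------------------------------- CodeBuild
  pCodeBuildProjectName:
    AllowedValues: [sra-codebuild-project]
    Default: sra-codebuild-project
    Description: SRA CodeBuild project name
    Type: String
  pCodeBuildRoleName:
    AllowedValues: [sra-codebuild-role]
    Default: sra-codebuild-role
    Description: SRA CodeBuild role name
    Type: String
  pCodeBuildProjectLambdaRoleName:
    AllowedPattern: '^[\w+=,.@-]{1,64}$'
    ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -].
    Default: sra-codebuild-project-lambda-role
    Description: Lambda execution role for starting the code build project
    Type: String
  pCodeBuildProjectLambdaFunctionName:
    AllowedPattern: '^[\w-]{1,64}$'
    ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [_, -]
    Default: sra-codebuild-project-lambda
    Description: Lambda function name for starting the code build project
    Type: String

  # ---------------------------------------------------------------- Staging
  pSRAStagingS3BucketNamePrefix:
    AllowedValues: [sra-staging]
    Default: sra-staging
    Description:
      SRA Staging S3 bucket name prefix for the SRA artifacts relevant to the solutions (e.g., lambda zips, CloudFormation templates). The account
      ID and region are appended to the prefix as prefix-accountId-region. Example = sra-staging-123456789012-us-east-1.
    Type: String
  pSRAStagingS3BucketStackName:
    AllowedValues: [sra-common-prerequisites-staging-s3-bucket]
    Default: sra-common-prerequisites-staging-s3-bucket
    Description: SRA Common Prerequisite Staging S3 bucket stack name. This stack will be created by the SRA CodeBuild Project.
    Type: String

  # -------------------------------------------------------------- Inspector
  pScanComponents:
    AllowedValues: [EC2, ECR, LAMBDA]
    Default: EC2, ECR, LAMBDA
    # The previous description ("Lambda Function Logging Level") was a copy/paste from pLambdaLogLevel.
    Description: Comma separated list of Inspector scan components to enable (EC2, ECR, LAMBDA)
    Type: CommaDelimitedList
  pEcrRescanDuration:
    AllowedValues: [LIFETIME, DAYS_30, DAYS_180]
    Default: LIFETIME
    Description: ECR Rescan Duration
    Type: String
  pDeployInspectorSolution:
    AllowedValues: ['Yes', 'No']
    Default: 'No'
    Description: Deploy the Inspector solution
    Type: String

  # ----------------------------------------------------- IAM Access Analyzer
  pAccessAnalyzerNamePrefix:
    Default: sra-account-access-analyzer
    Description: Access Analyzer Name Prefix. The Account ID will be appended to the name.
    Type: String
  pAccessAnalyzerRegisterDelegatedAdminAccount:
    AllowedValues: ['Yes', 'No']
    Default: 'Yes'
    Description: Register a delegated administrator account using the Common Register Delegated Administrator solution.
    Type: String

  # ---------------------------------------------------- IAM Password Policy
  pAllowUsersToChangePassword:
    AllowedValues: ['true', 'false']
    Default: 'true'
    Description: You can permit all IAM users in your account to use the IAM console to change their own passwords.
    Type: String

  # ------------------------------------------------------------- AWS Config
  pAllSupported:
    AllowedValues: ['true', 'false']
    Default: 'true'
    Description: Indicates whether to record all supported resource types. If set to 'false', then the 'Resource Types' parameter must have a value.
    Type: String

  # -------------------------------------------------------------- GuardDuty
  pAutoEnableS3Logs:
    AllowedValues: ['true', 'false']
    Default: 'true'
    Description: Auto enable S3 logs
    Type: String
  pAutoEnableKubernetesAuditLogs:
    AllowedValues: ['true', 'false']
    Default: 'true'
    Description: Auto enable Kubernetes Audit Logs
    Type: String
  pAutoEnableMalwareProtection:
    AllowedValues: ['true', 'false']
    Default: 'true'
    Description: Auto enable Malware Protection
    Type: String
  pEnableRdsLoginEvents:
    AllowedValues: ['true', 'false']
    Default: 'true'
    Description: Auto enable RDS Login Events
    Type: String
  pEnableEksRuntimeMonitoring:
    AllowedValues: ['true', 'false']
    Default: 'true'
    Description: Auto enable EKS Runtime Monitoring
    Type: String
  pEnableEksAddonManagement:
    AllowedValues: ['true', 'false']
    Default: 'true'
    Description: Auto enable EKS Add-on Management
    Type: String
  pEnableLambdaNetworkLogs:
    AllowedValues: ['true', 'false']
    Default: 'true'
    Description: Auto enable Lambda Network Logs
    Type: String

  # ------------------------------------------ Account Alternate Contacts (Billing)
  pBillingContactAction:
    AllowedValues: ['add', 'delete', 'ignore']
    Default: add
    Description: Indicates whether to add, delete, or ignore the Billing alternate contact.
    Type: String
  pBillingEmail:
    AllowedPattern: '^$|^([a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+)$'
    ConstraintDescription: Email Validation as per RFC2822 standards.
    Default: ''
    Description: (Optional) Email Address for Billing alternate contact. If 'Billing Alternate Contact Action' parameter is set to 'add', then this parameter becomes required.
    Type: String
  pBillingName:
    # A negated character class rejects the listed characters anywhere in the value; the former
    # leading negative lookahead '^(?![&<>\\%|]).*$' only inspected the first character.
    AllowedPattern: '^[^&<>\\%|]*$'
    ConstraintDescription: All characters allowed except '&<>\%|'
    Default: ''
    Description: (Optional) Full Name for Billing alternate contact. If 'Billing Alternate Contact Action' parameter is set to 'add', then this parameter becomes required.
    Type: String
  pBillingPhone:
    AllowedPattern: '^$|^[\s0-9()+-]+$'
    ConstraintDescription: Must be numbers, special characters [()+-], and/or whitespace
    Default: ''
    Description: (Optional) Phone Number for Billing alternate contact. If 'Billing Alternate Contact Action' parameter is set to 'add', then this parameter becomes required.
    Type: String
  pBillingTitle:
    AllowedPattern: '^[^&<>\\%|]*$'
    ConstraintDescription: All characters allowed except '&<>\%|'
    Default: ''
    Description: (Optional) Title for Billing alternate contact. If 'Billing Alternate Contact Action' parameter is set to 'add', then this parameter becomes required.
    Type: String

  # ------------------------------------------------------------- CloudTrail
  pBucketNamePrefix:
    AllowedPattern: '^$|^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$'
    ConstraintDescription: S3 bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-).
    Default: sra-org-trail-logs
    Description: S3 bucket prefix. The account and region will get added to the end. e.g. bucket-prefix-123456789012-us-east-1
    Type: String

  # ------------------------------------------------------------ Security Hub
  pCISStandardVersion:
    AllowedValues: [1.2.0, 1.4.0]
    Default: 1.4.0
    Description: CIS Standard Version
    Type: String

  # ------------------------------------------------------------- CloudTrail
  pCloudTrailLogGroupKmsKey:
    AllowedPattern: '^$|^arn:(aws[a-zA-Z-]*){1}:kms:[a-z0-9-]+:\d{12}:key\/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$'
    ConstraintDescription: 'Key ARN example: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'
    Default: ''
    Description:
      (Optional) KMS Key ARN to use for encrypting the CloudTrail log group data. If empty, encryption is enabled with CloudWatch Logs managing the
      server-side encryption keys.
    Type: String
  pCloudTrailLogGroupRetention:
    AllowedValues: [1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653]
    Default: 400
    Description: Specifies the number of days you want to retain log events
    Type: String
  pCloudTrailName:
    AllowedPattern: '^[A-Za-z0-9][a-zA-Z0-9-\-_.]{2,127}$'
    ConstraintDescription:
      Contain only ASCII letters (a-z, A-Z), numbers (0-9), periods (.), underscores (_), or dashes (-) Start with a letter or number, and end with
      a letter or number Be between 3 and 128 characters Have no adjacent periods, underscores or dashes. Names like my-_namespace and my--namespace
      are invalid. Not be in IP address format (for example, 192.168.5.4)
    Default: sra-org-trail
    Description: CloudTrail name
    Type: String

  # --------------------------------------------------- Lambda / EventBridge
  pComplianceFrequency:
    ConstraintDescription: Compliance Frequency must be a number between 1 and 30, inclusive.
    Default: 7
    Description: Frequency (in days between 1 and 30, default is 7) to check organizational compliance
    MinValue: 1
    MaxValue: 30
    Type: Number

  # ------------------------------------------------- AWS Config Conformance Pack
  pConformancePackExcludedAccounts:
    AllowedPattern: '^$|^(\d{12})$|^((\d{12},)*\d{12})$'
    ConstraintDescription: AWS Account IDs separated by commas. (e.g. 123456789012,234567890123)
    Default: ''
    Description:
      (Optional) Comma delimited list of account IDs to exclude from the Organization conformance pack. Accounts that do not have AWS Config
      enabled must be excluded.
    Type: String
  pConformancePackName:
    # Pattern now enforces the stated rule: no trailing hyphen and at most 128 characters.
    AllowedPattern: '^[a-zA-Z]([-a-zA-Z0-9]{0,126}[a-zA-Z0-9])?$'
    ConstraintDescription: Name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Max length is 128 characters.
    Default: sra-operational-best-practices-for-encryption-and-keys
    Description: The name you assign to an organization conformance pack
    Type: String
  pConformancePackTemplateName:
    Default: Operational-Best-Practices-for-Encryption-and-Keys.yaml
    Description: Conformance pack template file name within the aws_config_conformance_packs folder. e.g. my-conformance-pack.yaml
    Type: String

  # ------------------------------------------------------ Log group creation
  pCreateCloudTrailLogGroup:
    AllowedValues: ['true', 'false']
    Default: 'true'
    Description: Indicates whether a CloudWatch Log Group should be created for the CloudTrail, to allow for setting a Log Retention and/or KMS Key for encryption.
    Type: String
  pCreateLambdaLogGroup:
    AllowedValues: ['Yes', 'No']
    Default: 'No'
    Description:
      Indicates whether a CloudWatch Log Group should be explicitly created for the Lambda function, to allow for setting a Log Retention and/or
      KMS Key for encryption.
    Type: String

  # ------------------------------------------------------- Firewall Manager
  pCreateVpcForSG:
    AllowedValues: ['true', 'false']
    Default: 'true'
    Description: Create a new VPC for the Firewall Manager Security Groups
    Type: String

  # -------------------------------------------------------------- Detective
  pDatasourcePackages:
    AllowedValues: [ASFF_SECURITYHUB_FINDING, EKS_AUDIT, '']
    Default: ASFF_SECURITYHUB_FINDING, EKS_AUDIT
    Description: Optional datasources used to populate the behavior graph. Valid values are ASFF_SECURITYHUB_FINDING and EKS_AUDIT
    Type: CommaDelimitedList

  # ------------------------------------------------- AWS Config Conformance Pack
  pDeliveryS3KeyPrefix:
    # Pattern now enforces the stated rule that the prefix cannot end with a hyphen.
    AllowedPattern: '^$|^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$'
    ConstraintDescription: Delivery S3 prefix can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-).
    Default: ''
    Description: (Optional) The prefix for the Amazon S3 bucket.
    Type: String

  # ---------------------------------------------------- Solution toggles
  pDeployAccountAlternateContactsSolution:
    AllowedValues: ['Yes', 'No']
    Default: 'No'
    Description: Deploy the Account Alternate Contacts solution
    Type: String
  pDeployCloudTrailSolution:
    AllowedValues: ['Yes', 'No']
    Default: 'No'
    Description: Deploy the CloudTrail solution
    Type: String
  pDeployConfigConformancePackSolution:
    AllowedValues: ['Yes', 'No']
    Default: 'No'
    Description: Deploy the AWS Config Conformance Pack solution
    Type: String
  pDeployConfigManagementSolution:
    AllowedValues: ['Yes', 'No', 'Already Deployed']
    Default: 'No'
    Description: Deploy the AWS Config Management solution. Note, if solution was previously deployed, choose 'Already Deployed'.
    Type: String
  pDeployDetectiveSolution:
    AllowedValues: ['Yes', 'No']
    Default: 'No'
    Description: Deploy the Detective solution
    Type: String
  pDeployEC2DefaultEBSEncryptionSolution:
    AllowedValues: ['Yes', 'No']
    Default: 'No'
    Description: Deploy the EC2 Default EBS Encryption solution
    Type: String
  pDeployFirewallManagerSolution:
    AllowedValues: ['Yes', 'No']
    Default: 'No'
    Description: Deploy the Firewall Manager solution
    Type: String
  pDeployGuardDutySolution:
    AllowedValues: ['Yes', 'No']
    Default: 'No'
    Description: Deploy the GuardDuty solution
    Type: String
  pDeployIAMAccessAnalyzerSolution:
    AllowedValues: ['Yes', 'No']
    Default: 'No'
    Description: Deploy the IAM Access Analyzer solution
    Type: String
  pDeployIAMPasswordPolicySolution:
    AllowedValues: ['Yes', 'No']
    Default: 'No'
    Description: Deploy the IAM Password Policy solution
    Type: String
  pDeployMacieSolution:
    AllowedValues: ['Yes', 'No']
    Default: 'No'
    Description: Deploy the Macie solution
    Type: String
  pDeployS3BlockAccountPublicAccessSolution:
    AllowedValues: ['Yes', 'No']
    Default: 'No'
    Description: Deploy the S3 Block Account Public Access solution
    Type: String
  pDeploySecurityHubSolution:
    AllowedValues: ['Yes', 'No']
    Default: 'No'
    Description: Deploy the Security Hub solution
    Type: String

  # ------------------------------------------------- Teardown behaviour
  pDisableGuardDuty:
    AllowedValues: ['Yes', 'No']
    Default: 'No'
    Description: Disable the GuardDuty solution in all accounts and regions before deleting the stack.
    Type: String
  pDisableMacie:
    AllowedValues: ['Yes', 'No']
    Default: 'No'
    Description: Disable the Macie solution in all accounts and regions before deleting the stack.
    Type: String
  pDisableSecurityHub:
    AllowedValues: ['Yes', 'No']
    Default: 'No'
    Description: Disable the Security Hub solution in all accounts and regions before deleting the stack.
    Type: String

  # ------------------------------------------ S3 Block Account Public Access
  pEnableBlockPublicAcls:
    AllowedValues: ['true', 'false']
    Default: 'true'
    Description: S3 Enable Block Public ACLs
    Type: String
  pEnableBlockPublicPolicy:
    AllowedValues: ['true', 'false']
    Default: 'true'
    Description: S3 Enable Block Public Policy
    Type: String

  # ------------------------------------------------------------ Security Hub
  pEnableCISStandard:
    AllowedValues: ['true', 'false']
    Default: 'false'
    Description: Indicates whether to enable the CIS AWS Foundations Benchmark Standard.
    Type: String

  # ------------------------------------------------------------- CloudTrail
  pEnableDataEventsOnly:
    AllowedValues: ['true', 'false']
    Default: 'true'
    Description: Only Enable Cloud Trail Data Events
    Type: String

  # ------------------------------------------ S3 Block Account Public Access
  pEnableIgnorePublicAcls:
    AllowedValues: ['true', 'false']
    Default: 'true'
    Description: S3 Enable Ignore Public ACLs
    Type: String

  # ------------------------------------------------------------- CloudTrail
  pEnableLambdaDataEvents:
    AllowedValues: ['true', 'false']
    Default: 'true'
    Description: Enable Cloud Trail Data Events for all Lambda functions
    Type: String

  # ------------------------------------------------------------ Security Hub
  pEnablePCIStandard:
    AllowedValues: ['true', 'false']
    Default: 'false'
    Description: Indicates whether to enable the Payment Card Industry Data Security Standard (PCI DSS).
    Type: String

  # ------------------------------------------------------- Firewall Manager
  pEnableRemediation:
    # Quoted like every other boolean-like String parameter so the YAML loader does not hand
    # CloudFormation bare booleans for a Type: String parameter.
    AllowedValues: ['true', 'false']
    Default: 'false'
    Description: Choose to enable auto-remediation on Security Groups that violate the rules in the template
    Type: String

  # ------------------------------------------ S3 Block Account Public Access
  pEnableRestrictPublicBuckets:
    AllowedValues: ['true', 'false']
    Default: 'true'
    Description: S3 Enable Restrict Public Buckets
    Type: String

  # ------------------------------------------------------------- CloudTrail
  pEnableS3DataEvents:
    AllowedValues: ['true', 'false']
    Default: 'true'
    Description: Enable Cloud Trail S3 Data Events for all buckets
    Type: String

  # ------------------------------------------------------------ Security Hub
  pEnableSecurityBestPracticesStandard:
    AllowedValues: ['true', 'false']
    Default: 'true'
    Description: Indicates whether to enable the AWS Foundational Security Best Practices Standard.
    Type: String

  # -------------------------------------------------------- Exclusion tags
  # Only the outer JSON-array shape is validated here; the entries themselves are interpreted by
  # the consuming solution (outside this template), which must still parse and validate them.
  pExcludeAlternateContactAccountTags:
    AllowedPattern: '^$|^\[.*\]$'
    ConstraintDescription: Must be empty or a JSON array, e.g. [{"Key": "string", "Value": "string"}]
    Default: ''
    Description:
      '(Optional) Resource Tags that denote an Account should be excluded from this solution in JSON format: [{"Key": "string", "Value": "string"}, ... ].
      For example, [{"Key": "exclude-alternate-contacts", "Value": "true"}].'
    Type: String
  pExcludeEC2DefaultEBSEncryptionTags:
    AllowedPattern: '^$|^\[.*\]$'
    ConstraintDescription: Must be empty or a JSON array, e.g. [{"Key": "string", "Value": "string"}]
    Default: ''
    Description:
      '(Optional) Resource Tags that denote an Account should be excluded from this solution in JSON format: [{"Key": "string", "Value": "string"}, ... ].
      For example, [{"Key": "exclude-ec2-default-ebs-encryption", "Value": "true"}].'
    Type: String
  pExcludeS3BlockAccountPublicAccessTags:
    AllowedPattern: '^$|^\[.*\]$'
    ConstraintDescription: Must be empty or a JSON array, e.g. [{"Key": "string", "Value": "string"}]
    Default: ''
    Description:
      '(Optional) Resource Tags that denote an Account should be excluded from this solution in JSON format: [{"Key": "string", "Value": "string"}, ... ].
      For example, [{"Key": "exclude-s3-block-account-public-access", "Value": "true"}].'
    Type: String

  # ------------------------------------------------------------- AWS Config
  pFrequency:
    AllowedValues: [1hour, 3hours, 6hours, 12hours, 24hours]
    Default: 1hour
    Description: The frequency with which AWS Config delivers configuration snapshots.
    Type: String

  # -------------------------------------------------------------- Detective
  pGuarddutyEnabledForMoreThan48Hours:
    AllowedValues: ['true', 'false']
    Default: 'false'
    Description: Has Guardduty been enabled in the Organization for more than 48 hours?
    Type: String

  # -------------------------------------------------------------- GuardDuty
  pGuardDutyFindingPublishingFrequency:
    AllowedValues: [FIFTEEN_MINUTES, ONE_HOUR, SIX_HOURS]
    Default: FIFTEEN_MINUTES
    Description: Finding publishing frequency
    Type: String
  pGuardDutyOrgDeliveryBucketPrefix:
    AllowedPattern: '^$|^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$'
    ConstraintDescription: S3 bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-).
    Default: sra-guardduty-org-delivery
    Description: GuardDuty Delivery S3 bucket prefix. The account and region will get added to the end. e.g. sra-guardduty-org-delivery-123456789012-us-east-1
    Type: String
  pGuardDutyOrgDeliveryKeyAlias:
    # Same alias validation as pMacieOrgDeliveryKeyAlias so all three KMS alias parameters agree.
    AllowedPattern: '^[a-zA-Z0-9/_-]+$'
    ConstraintDescription: The alias must be string of 1-256 characters. It can contain only alphanumeric characters, forward slashes (/), underscores (_), and dashes (-).
    Default: sra-guardduty-org-delivery-key
    Description: GuardDuty Delivery KMS Key Alias
    Type: String

  # ---------------------------------------------------- IAM Password Policy
  pHardExpiry:
    AllowedValues: ['true', 'false']
    Default: 'false'
    Description: 'You can prevent IAM users from choosing a new password after their current password has expired.'
    Type: String

  # ------------------------------------------------------------- AWS Config
  pIncludeGlobalResourceTypes:
    AllowedValues: ['true', 'false']
    Default: 'true'
    Description: Indicates whether AWS Config records all supported global resource types.
    Type: String

  # ------------------------------------------------------- Firewall Manager
  pInternalNetCIDR:
    # Octets are limited to 0-255 (the former pattern accepted any 1-3 digits) and the constraint text
    # matches the pattern, which allows any prefix length 0-32 and an optional mask.
    AllowedPattern: '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(\/([0-9]|[1-2][0-9]|3[0-2]))?$'
    ConstraintDescription: Must be a valid IPv4 address or CIDR block (x.x.x.x or x.x.x.x/0-32) with octets 0-255, e.g. 192.168.1.0/24
    Default: 192.168.1.0/24
    Description:
      The CIDR block for the Internal Network (include both VPCs and On-Prem if using VPN/DirectConnect) - This is used to detect rules that don't
      align with the IP Space. Use CIDR Format. Example 192.168.1.0/24
    Type: String

  # ------------------------------------------------------------- AWS Config
  pKmsKeyArn:
    # Partition group uses {1} like the other KMS ARN patterns in this template (the former '?' accepted 'arn::kms:...').
    AllowedPattern: '^$|^arn:(aws[a-zA-Z-]*){1}:kms:[a-z0-9-]+:\d{12}:key\/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$'
    ConstraintDescription: Key ARN example - arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
    Default: ''
    Description:
      (Optional) KMS key ARN to use for encrypting the AWS Config configuration snapshots and history files when storing in the S3 bucket in the
      Log Archive account. If empty, snapshots and history files will be encrypted based on the Default Encryption setting of the S3 bucket.
    Type: String

  # --------------------------------------------------- Lambda / EventBridge
  pLambdaLogGroupKmsKey:
    AllowedPattern: '^$|^arn:(aws[a-zA-Z-]*){1}:kms:[a-z0-9-]+:\d{12}:key\/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$'
    ConstraintDescription: 'Key ARN example: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'
    Default: ''
    Description:
      (Optional) KMS Key ARN to use for encrypting the Lambda logs data. If empty, encryption is enabled with CloudWatch Logs managing the
      server-side encryption keys.
    Type: String
  pLambdaLogGroupRetention:
    AllowedValues: [1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653]
    Default: 14
    Description: Specifies the number of days you want to retain log events
    Type: String
  pLambdaLogLevel:
    AllowedValues: [INFO, ERROR, DEBUG]
    Default: INFO
    Description: Lambda Function Logging Level
    Type: String

  # ------------------------------------------------------------------ Macie
  pMacieFindingPublishingFrequency:
    AllowedValues: [FIFTEEN_MINUTES, ONE_HOUR, SIX_HOURS]
    Default: FIFTEEN_MINUTES
    Description: Finding publishing frequency
    Type: String
  pMacieOrgDeliveryBucketPrefix:
    AllowedPattern: '^$|^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$'
    ConstraintDescription: S3 bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-).
    Default: sra-macie-org-delivery
    Description: Macie Delivery S3 bucket prefix. The account and region will get added to the end. e.g. sra-macie-org-delivery-123456789012-us-east-1
    Type: String
  pMacieOrgDeliveryKeyAlias:
    AllowedPattern: '^[a-zA-Z0-9/_-]+$'
    ConstraintDescription: The alias must be string of 1-256 characters. It can contain only alphanumeric characters, forward slashes (/), underscores (_), and dashes (-).
    Default: sra-macie-org-delivery-key
    Description: Macie Delivery KMS Key Alias
    Type: String

  # ---------------------------------------------------- IAM Password Policy
  pMaxPasswordAge:
    ConstraintDescription: Must be in the range [1-1095]
    Default: 90
    Description: You can set IAM user passwords to be valid for only the specified number of days.
    MaxValue: 1095
    MinValue: 1
    Type: Number
  pMinimumPasswordLength:
    ConstraintDescription: Must be in the range [6-128]
    Default: 14
    Description: You can specify the minimum number of characters allowed in an IAM user password.
    MaxValue: 128
    MinValue: 6
    Type: Number

  # --------------------------------------- Account Alternate Contacts (Operations)
  pOperationsContactAction:
    AllowedValues: ['add', 'delete', 'ignore']
    Default: add
    Description: Indicates whether to add, delete, or ignore the Operations alternate contact.
    Type: String
  pOperationsEmail:
    AllowedPattern: '^$|^([a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+)$'
    ConstraintDescription: Email Validation as per RFC2822 standards.
    Default: ''
    Description: (Optional) Email Address for Operations alternate contact. If 'Operations Alternate Contact Action' parameter is set to 'add', then this parameter becomes required.
    Type: String
  pOperationsName:
    AllowedPattern: '^[^&<>\\%|]*$'
    ConstraintDescription: All characters allowed except '&<>\%|'
    Default: ''
    Description: (Optional) Full Name for Operations alternate contact. If 'Operations Alternate Contact Action' parameter is set to 'add', then this parameter becomes required.
    Type: String
  pOperationsPhone:
    AllowedPattern: '^$|^[\s0-9()+-]+$'
    ConstraintDescription: Must be numbers, special characters [()+-], and/or whitespace
    Default: ''
    Description: (Optional) Phone Number for Operations alternate contact. If 'Operations Alternate Contact Action' parameter is set to 'add', then this parameter becomes required.
    Type: String
  pOperationsTitle:
    AllowedPattern: '^[^&<>\\%|]*$'
    ConstraintDescription: All characters allowed except '&<>\%|'
    Default: ''
    Description: (Optional) Title for Operations alternate contact. If 'Operations Alternate Contact Action' parameter is set to 'add', then this parameter becomes required.
    Type: String

  # ----------------------------------------------------- IAM Access Analyzer
  pOrganizationAccessAnalyzerName:
    Default: sra-organization-access-analyzer
    Description: Organization Access Analyzer Name
    Type: String

  # ------------------------------------------------------------- CloudTrail
  pOrganizationCloudTrailKeyAlias:
    # Same alias validation as pMacieOrgDeliveryKeyAlias so all three KMS alias parameters agree.
    AllowedPattern: '^[a-zA-Z0-9/_-]+$'
    ConstraintDescription: The alias must be string of 1-256 characters. It can contain only alphanumeric characters, forward slashes (/), underscores (_), and dashes (-).
    Default: sra-cloudtrail-org-key
    Description: Organization CloudTrail KMS Key Alias
    Type: String

  # ---------------------------------------------------- IAM Password Policy
  pPasswordReusePrevention:
    ConstraintDescription: Must be in the range [1-24]
    Default: 24
    Description: You can prevent IAM users from reusing a specified number of previous passwords.
    MaxValue: 24
    MinValue: 1
    Type: Number

  # ------------------------------------------------------------ Security Hub
  pRegionLinkingMode:
    AllowedValues: [SPECIFIED_REGIONS, ALL_REGIONS]
    Default: SPECIFIED_REGIONS
    Description:
      Indicates whether to aggregate findings from all of the available Regions in the current partition. Also determines whether to automatically
      aggregate findings from new Regions as Security Hub supports them and you opt into them.
    Type: String

  # ---------------------------------------------------- IAM Password Policy
  pRequireLowercaseCharacters:
    AllowedValues: ['true', 'false']
    Default: 'true'
    Description: You can require that IAM user passwords contain at least one lowercase character from the ISO basic Latin alphabet (a to z).
    Type: String
  pRequireNumbers:
    AllowedValues: ['true', 'false']
    Default: 'true'
    Description: You can require that IAM user passwords contain at least one numeric character (0 to 9).
    Type: String
  pRequireSymbols:
    AllowedValues: ['true', 'false']
    Default: 'true'
    Description: "You can require that IAM user passwords contain at least one of the following non-alphanumeric characters: ! @ # $ % ^ & * ( ) _ + - = [ ] {} | '"
    Type: String
  pRequireUppercaseCharacters:
    AllowedValues: ['true', 'false']
    Default: 'true'
    Description: You can require that IAM user passwords contain at least one uppercase character from the ISO basic Latin alphabet (A to Z).
    Type: String

  # ------------------------------------------------------------- AWS Config
  pResourceTypes:
    AllowedPattern: '^$|^([a-zA-Z]+::[a-zA-Z]+::[a-zA-Z]+)$|^(([a-zA-Z]+::[a-zA-Z]+::[a-zA-Z]+(,|, ))*[a-zA-Z]+::[a-zA-Z]+::[a-zA-Z]+)$'
    Default: ''
    Description:
      (Optional) A list of valid AWS resource types to include in this recording group. Eg. AWS::CloudTrail::Trail. If 'All Supported' parameter
      is set to 'false', then this parameter becomes required.
    Type: String

  # ----------------------------------------------------------------- Common
  pSRAAlarmEmail:
    # Default '' makes the parameter optional as labelled (a parameter with no Default is required by CloudFormation),
    # and the pattern matches the other email parameters in this template.
    AllowedPattern: '^$|^([a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+)$'
    ConstraintDescription: Email Validation as per RFC2822 standards.
    Default: ''
    Description: (Optional) Email address for receiving SRA alarms
    Type: String
  pCreateAWSControlTowerExecutionRole:
    AllowedValues: ['true', 'false']
    Default: 'true'
    Description: Indicates whether the AWS Control Tower Execution role should be created.
    Type: String

  # ----------------------------------------- Account Alternate Contacts (Security)
  pSecurityContactAction:
    AllowedValues: ['add', 'delete', 'ignore']
    Default: add
    Description: Indicates whether to add, delete, or ignore the Security alternate contact.
    Type: String
  pSecurityEmail:
    AllowedPattern: '^$|^([a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+)$'
    ConstraintDescription: Email Validation as per RFC2822 standards.
    Default: ''
    Description: (Optional) Email Address for Security alternate contact. If 'Security Alternate Contact Action' parameter is set to 'add', then this parameter becomes required.
    Type: String
  pSecurityName:
    AllowedPattern: '^[^&<>\\%|]*$'
    ConstraintDescription: All characters allowed except '&<>\%|'
    Default: ''
    Description: (Optional) Full Name for Security alternate contact. If 'Security Alternate Contact Action' parameter is set to 'add', then this parameter becomes required.
    Type: String
  pSecurityPhone:
    AllowedPattern: '^$|^[\s0-9()+-]+$'
    ConstraintDescription: Must be numbers, special characters [()+-], and/or whitespace
    Default: ''
    Description: (Optional) Phone Number for Security alternate contact. If 'Security Alternate Contact Action' parameter is set to 'add', then this parameter becomes required.
    Type: String
  pSecurityTitle:
    AllowedPattern: '^[^&<>\\%|]*$'
    ConstraintDescription: All characters allowed except '&<>\%|'
    Default: ''
    Description: (Optional) Title for Security alternate contact. If 'Security Alternate Contact Action' parameter is set to 'add', then this parameter becomes required.
    Type: String

  # ------------------------------------------------------- Firewall Manager
  pVPCCidrBlock:
    # A VPC primary CIDR must be between /16 and /28, which is what the constraint text already said;
    # the pattern now enforces it (mask required, octets 0-255).
    AllowedPattern: '^$|^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\/(1[6-9]|2[0-8])$'
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
    Default: 10.0.0.0/28
    Description: VPC CIDR Block to use for the new VPC. Only used if Create VPC is true.
    Type: String
  pVpcId:
    # Accepts both the legacy 8-hex-character and the current 17-hex-character VPC ID formats.
    AllowedPattern: '^$|^vpc-([0-9a-f]{8}|[0-9a-f]{17})$'
    ConstraintDescription: Must have a prefix of "vpc-".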
Followed by 17 characters (numbers, letters "a-f") Default: '' Description: (Optional) Existing VPC ID for the Firewall Manager Security Groups. Required if Create VPC For Security Group is "false". Type: String Rules: BillingContactValidation: RuleCondition: !And - !Equals [!Ref pDeployAccountAlternateContactsSolution, 'Yes'] - !Equals [!Ref pBillingContactAction, 'add'] Assertions: - Assert: !And - !Not [!Equals [!Ref pBillingName, '']] - !Not [!Equals [!Ref pBillingTitle, '']] - !Not [!Equals [!Ref pBillingEmail, '']] - !Not [!Equals [!Ref pBillingPhone, '']] AssertDescription: "'Billing Full Name', 'Billing Title', 'Billing Email' and 'Billing Phone' parameters are required if the 'Billing Alternate Contact Action' parameter is set to 'add'." DeployConfigConformancePackSolutionValidation: RuleCondition: !Equals [!Ref pDeployConfigConformancePackSolution, 'Yes'] Assertions: - Assert: !Or - !Equals [!Ref pDeployConfigManagementSolution, 'Yes'] - !Equals [!Ref pDeployConfigManagementSolution, 'Already Deployed'] AssertDescription: "'Deploy the AWS Config Management Solution' parameter must be set to 'Yes' or 'Already Deployed', if the 'Deploy the AWS Config Conformance Pack Solution' parameter is set to 'Yes'." DeploySecurityHubSolutionValidation: RuleCondition: !Equals [!Ref pDeploySecurityHubSolution, 'Yes'] Assertions: - Assert: !Or - !Equals [!Ref pDeployConfigManagementSolution, 'Yes'] - !Equals [!Ref pDeployConfigManagementSolution, 'Already Deployed'] AssertDescription: "'Deploy the AWS Config Management Solution' parameter must be set to 'Yes' or 'Already Deployed', if the 'Deploy the Security Hub Solution' parameter is set to 'Yes'." 
OperationsContactValidation: RuleCondition: !And - !Equals [!Ref pDeployAccountAlternateContactsSolution, 'Yes'] - !Equals [!Ref pOperationsContactAction, 'add'] Assertions: - Assert: !And - !Not [!Equals [!Ref pOperationsName, '']] - !Not [!Equals [!Ref pOperationsTitle, '']] - !Not [!Equals [!Ref pOperationsEmail, '']] - !Not [!Equals [!Ref pOperationsPhone, '']] AssertDescription: "'Operations Full Name', 'Operations Title', 'Operations Email' and 'Operations Phone' parameters are required if the 'Operations Alternate Contact Action' parameter is set to 'add'." SecurityContactValidation: RuleCondition: !And - !Equals [!Ref pDeployAccountAlternateContactsSolution, 'Yes'] - !Equals [!Ref pSecurityContactAction, 'add'] Assertions: - Assert: !And - !Not [!Equals [!Ref pSecurityName, '']] - !Not [!Equals [!Ref pSecurityTitle, '']] - !Not [!Equals [!Ref pSecurityEmail, '']] - !Not [!Equals [!Ref pSecurityPhone, '']] AssertDescription: "'Security Full Name', 'Security Title', 'Security Email' and 'Security Phone' parameters are required if the 'Security Alternate Contact Action' parameter is set to 'add'." 
Conditions: cUsingKmsKey: !Not [!Equals [!Ref pLambdaLogGroupKmsKey, '']] cUseGraviton: !Or - !Equals [!Ref 'AWS::Region', ap-northeast-1] - !Equals [!Ref 'AWS::Region', ap-south-1] - !Equals [!Ref 'AWS::Region', ap-southeast-1] - !Equals [!Ref 'AWS::Region', ap-southeast-2] - !Equals [!Ref 'AWS::Region', eu-central-1] - !Equals [!Ref 'AWS::Region', eu-west-1] - !Equals [!Ref 'AWS::Region', eu-west-2] - !Equals [!Ref 'AWS::Region', us-east-1] - !Equals [!Ref 'AWS::Region', us-east-2] - !Equals [!Ref 'AWS::Region', us-west-2] cDeployInspectorSolution: !Equals [!Ref pDeployInspectorSolution, 'Yes'] cCreateLambdaLogGroup: !Equals [!Ref pCreateLambdaLogGroup, 'Yes'] cDeployAccountAlternateContactsSolution: !Equals [!Ref pDeployAccountAlternateContactsSolution, 'Yes'] cDeployCloudTrailSolution: !Equals [!Ref pDeployCloudTrailSolution, 'Yes'] cDeployConfigManagementSolution: !Equals [!Ref pDeployConfigManagementSolution, 'Yes'] cDeployConfigManagementSolutionAlreadyDeployed: !Equals [!Ref pDeployConfigManagementSolution, 'Already Deployed'] cDeployConfigConformancePackSolution: !And - !Or - !Condition cDeployConfigManagementSolution - !Condition cDeployConfigManagementSolutionAlreadyDeployed - !Equals [!Ref pDeployConfigConformancePackSolution, 'Yes'] cDeployDetectiveSolution: !Equals [!Ref pDeployDetectiveSolution, 'Yes'] cDeployEC2DefaultEBSEncryptionSolution: !Equals [!Ref pDeployEC2DefaultEBSEncryptionSolution, 'Yes'] cDeployFirewallManagerSolution: !Equals [!Ref pDeployFirewallManagerSolution, 'Yes'] cDeployGuardDutySolution: !Equals [!Ref pDeployGuardDutySolution, 'Yes'] cDeployIAMAccessAnalyzerSolution: !Equals [!Ref pDeployIAMAccessAnalyzerSolution, 'Yes'] cDeployIAMPasswordPolicySolution: !Equals [!Ref pDeployIAMPasswordPolicySolution, 'Yes'] cDeployMacieSolution: !Equals [!Ref pDeployMacieSolution, 'Yes'] cDeployS3BlockAccountPublicAccessSolution: !Equals [!Ref pDeployS3BlockAccountPublicAccessSolution, 'Yes'] cDeploySecurityHubSolution: !And - !Or - !Condition 
cDeployConfigManagementSolution - !Condition cDeployConfigManagementSolutionAlreadyDeployed - !Equals [!Ref pDeploySecurityHubSolution, 'Yes'] cDisableGuardDuty: !Equals [!Ref pDisableGuardDuty, 'Yes'] cDisableMacie: !Equals [!Ref pDisableMacie, 'Yes'] cDisableSecurityHub: !Equals [!Ref pDisableSecurityHub, 'Yes'] Resources: rCodeBuildProject: Type: AWS::CodeBuild::Project Properties: Name: !Sub '${pCodeBuildProjectName}' Artifacts: Type: NO_ARTIFACTS Description: "Codebuild project to get SRA code from github" Environment: ComputeType: BUILD_GENERAL1_SMALL EnvironmentVariables: - Name: AWS_DEFAULT_REGION Value: !Ref AWS::Region - Name: AWS_ACCOUNT_ID Value: !Ref "AWS::AccountId" - Name: SRA_DEPLOY_GUARDDUTY Value: !Ref pDeployGuardDutySolution - Name: SRA_STAGING_S3_BUCKET_STACK_NAME Value: !Ref pSRAStagingS3BucketStackName Image: "aws/codebuild/standard:5.0" PrivilegedMode: true Type: "LINUX_CONTAINER" ServiceRole: !GetAtt rCodeBuildRole.Arn TimeoutInMinutes: 120 Source: Type: NO_SOURCE BuildSpec: !Sub | version: 0.2 phases: pre_build: commands: - echo Build started on `date`... build: commands: - echo Build started on `date` in ${AWS::Region} region - echo Cloning SRA repository... - git clone https://github.com/aws-samples/aws-security-reference-architecture-examples.git - echo Listing current directory... - ls - echo Showing current caller identity... - aws sts get-caller-identity - echo Deploying SRA staging bucket cloudformation template... - aws cloudformation deploy --template-file ./aws-security-reference-architecture-examples/aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-staging-s3-bucket.yaml --stack-name $SRA_STAGING_S3_BUCKET_STACK_NAME --capabilities CAPABILITY_NAMED_IAM - echo Staging SRA solutions... 
- ./aws-security-reference-architecture-examples/aws_sra_examples/utils/packaging_scripts/stage_solution.sh post_build: commands: - echo Build completed on `date` rCommonPrerequisitesManagementAccountParametersStack: Type: AWS::CloudFormation::Stack DependsOn: rStartCodeBuildProjectCustomResource DeletionPolicy: Delete UpdateReplacePolicy: Delete Properties: TemplateURL: !Sub - https://${SRAStagingS3BucketName}.s3.${AWS::Region}.${AWS::URLSuffix}/${pSRASolutionName}/templates/sra-common-prerequisites-management-account-parameters.yaml - SRAStagingS3BucketName: !Sub ${pSRAStagingS3BucketNamePrefix}-${AWS::AccountId}-${AWS::Region} Tags: - Key: sra-solution Value: !Ref pSRASolutionName rCommonPrerequisitesMainSsm: Type: AWS::CloudFormation::Stack DependsOn: rCommonPrerequisitesManagementAccountParametersStack DeletionPolicy: Delete UpdateReplacePolicy: Delete Properties: TemplateURL: !Sub - https://${SRAStagingS3BucketName}.s3.${AWS::Region}.${AWS::URLSuffix}/${pSRASolutionName}/templates/sra-common-prerequisites-main-ssm.yaml - SRAStagingS3BucketName: !Sub ${pSRAStagingS3BucketNamePrefix}-${AWS::AccountId}-${AWS::Region} Tags: - Key: sra-solution Value: !Ref pSRASolutionName Parameters: pCreateAWSControlTowerExecutionRole: !Ref pCreateAWSControlTowerExecutionRole rCodeBuildRole: Type: AWS::IAM::Role Metadata: cfn_nag: rules_to_suppress: - id: W11 reason: Allow * in resource when required - id: W28 reason: The role name is defined to identify automation resources Properties: RoleName: !Sub '${pCodeBuildRoleName}' AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Principal: Service: - codebuild.amazonaws.com Action: - "sts:AssumeRole" Policies: - PolicyName: "logs-access" PolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Action: - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents Resource: - !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/*" - PolicyName: 
"cloudformation-changeset-access" PolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Action: - cloudformation:CreateChangeSet - cloudformation:DescribeChangeSet - cloudformation:ExecuteChangeSet Resource: - !Sub "arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/*" - !Sub "arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:changeSet/*" - PolicyName: "cloudformation-describe-access" PolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Action: - cloudformation:DescribeStacks Resource: "*" - PolicyName: "IAM-Access-Policy" PolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Action: - iam:GetRole - iam:PassRole - iam:GetRolePolicy - iam:PutRolePolicy - iam:CreateRole - iam:DeleteRolePolicy - iam:DeleteRole - iam:TagRole Resource: - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/sra*" - PolicyName: "lambda-access" PolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Action: - lambda:GetFunction - lambda:GetFunctionCodeSigningConfig - lambda:GetRuntimeManagementConfig - lambda:CreateFunction - lambda:DeleteFunction - lambda:TagResource - lambda:InvokeFunction Resource: - !Sub "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:sra*" - PolicyName: "s3-staging-bucket-access" PolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Action: - s3:GetObject - s3:PutObject - s3:ListBucket - s3:GetBucketAcl - s3:GetBucketPolicy - s3:DeleteBucket Resource: - !Sub "arn:${AWS::Partition}:s3:::${pSRAStagingS3BucketNamePrefix}-${AWS::AccountId}-${AWS::Region}" - !Sub "arn:${AWS::Partition}:s3:::${pSRAStagingS3BucketNamePrefix}-${AWS::AccountId}-${AWS::Region}/*" - PolicyName: "s3-create-bucket-access" PolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Action: - s3:PutBucketPolicy - s3:PutBucketTagging - s3:PutBucketPublicAccessBlock - s3:GetEncryptionConfiguration - s3:PutEncryptionConfiguration - s3:PutBucketOwnershipControls - 
s3:CreateBucket - s3:PutBucketAcl - s3:PutBucketObjectLockConfiguration - s3:PutBucketVersioning - s3:SetBucketEncryption - s3:PutBucketEncryption Resource: - "arn:aws:s3:::*" - PolicyName: "ssm-access" PolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Action: - ssm:GetParameter - ssm:GetParameters - ssm:PutParameter - ssm:AddTagsToResource Resource: - !Sub "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/sra*" rStartCodeBuildProjectCustomResource: DependsOn: rCodeBuildProject Type: Custom::LambdaCustomResource Version: '1.0' Properties: ServiceToken: !GetAtt rStartCodeBuildProjectLambdaFunction.Arn rStartCodeBuildProjectLambdaFunction: Metadata: cfn_nag: rules_to_suppress: - id: W58 reason: Lambda role provides access to CloudWatch Logs - id: W89 reason: Lambda does not need to communicate with VPC resources. - id: W92 reason: Lambda does not need reserved concurrent executions. checkov: skip: - id: CKV_AWS_115 comment: Lambda does not need reserved concurrent executions. - id: CKV_AWS_116 comment: DLQ not needed, as Lambda function only triggered by CloudFormation events. - id: CKV_AWS_117 comment: Lambda does not need to communicate with VPC resources. - id: CKV_AWS_173 comment: Environment variables are not sensitive. 
Type: AWS::Lambda::Function Properties: FunctionName: !Ref pCodeBuildProjectLambdaFunctionName Description: Start SRA codebuild project Architectures: !If - cUseGraviton - [arm64] - !Ref AWS::NoValue Handler: index.lambda_handler Role: !GetAtt rStartCodeBuildProjectLambdaRole.Arn Runtime: python3.9 Timeout: 900 Environment: Variables: LOG_LEVEL: !Ref pLambdaLogLevel CODE_BUILD_PROJECT_NAME: !Ref pCodeBuildProjectName SRA_STAGING_S3_BUCKET_NAME: !Sub ${pSRAStagingS3BucketNamePrefix}-${AWS::AccountId}-${AWS::Region} SRA_STAGING_S3_BUCKET_STACK_NAME: !Ref pSRAStagingS3BucketStackName Tags: - Key: !Ref pSRASolutionTagKey Value: !Ref pSRASolutionName Code: ZipFile: | # type: ignore """Custom Resource to start codebuild project. Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: MIT-0 """ import logging import os import boto3 import cfnresponse import time from botocore.exceptions import ClientError LOGGER = logging.getLogger(__name__) log_level: str = os.environ.get("LOG_LEVEL", "INFO") LOGGER.setLevel(log_level) CODE_BUILD_PROJECT_NAME: str = os.environ.get("CODE_BUILD_PROJECT_NAME") SRA_STAGING_S3_BUCKET_NAME: str = os.environ.get("SRA_STAGING_S3_BUCKET_NAME") SRA_STAGING_S3_BUCKET_STACK_NAME: str = os.environ.get("SRA_STAGING_S3_BUCKET_STACK_NAME") def start_build(): """Start build job. 
Returns: Response data for custom resource """ management_account_session = boto3.Session() codebuild_client = management_account_session.client("codebuild") response = codebuild_client.start_build(projectName=CODE_BUILD_PROJECT_NAME) LOGGER.info({"API_Call": "codebuild:StartBuild", "API_Response": response}) buildId = response["build"]["id"] return wait_for_build([buildId], codebuild_client) def wait_for_build(BuildId, client): buildWaitStatus = "FAILURE_WAIT_TIMEOUT" counter = 0 while counter < 30: time.sleep(10) counter = counter + 1 buildStatus = get_build_status(BuildId, client) if buildStatus == "SUCCEEDED": buildWaitStatus = "SUCCESS" break elif buildStatus == "FAILED" or buildStatus == "FAULT" or buildStatus == "STOPPED" or buildStatus == "TIMED_OUT": buildWaitStatus = "BUILD " + buildStatus + " (check codebuild project cloudwatch log group for details)" break return buildWaitStatus def get_build_status(buildId, client): build = client.batch_get_builds(ids=buildId) return build["builds"][0]["buildStatus"] def create_event(event, context): try: data = {"data": start_build()} if data["data"] == "SUCCESS": cfnresponse.send(event, context, cfnresponse.SUCCESS, data, "CustomResourcePhysicalID") else: reason = f"See the details in CloudWatch Log Stream: '{context.log_group_name} and CloudFormation Events'" cfnresponse.send(event, context, cfnresponse.FAILED, data, "CustomResourcePhysicalID") except Exception: LOGGER.exception("Unexpected!") reason = f"See the details in CloudWatch Log Stream: '{context.log_group_name}'" cfnresponse.send(event, context, cfnresponse.FAILED, {}, "CustomResourcePhysicalID", reason=reason) return "CustomResourcePhysicalID" def delete_event(event, context): cfn_client = boto3.client("cloudformation") s3_client = boto3.resource("s3") staging_bucket = s3_client.Bucket(SRA_STAGING_S3_BUCKET_NAME) try: bucket_versioning = staging_bucket.Versioning() if bucket_versioning.status == "Enabled": LOGGER.info("versioning enabled; deleting object 
versions") delete_version_response = staging_bucket.object_versions.delete() LOGGER.info("see next message for delete response") LOGGER.info(delete_version_response) LOGGER.info("suspending versioning...") bucket_versioning.suspend() LOGGER.info("deleting objects") delete_object_response = staging_bucket.objects.all().delete() LOGGER.info("see next message for delete object response") LOGGER.info(delete_object_response) except ClientError as e: LOGGER.info(f"Delete objects error: {e}") reason = f"See the details in CloudWatch Log Stream: '{context.log_group_name}'" cfnresponse.send(event, context, cfnresponse.FAILED, {}, "CustomResourcePhysicalID", reason=reason) cfn_response = cfn_client.delete_stack(StackName=SRA_STAGING_S3_BUCKET_STACK_NAME) LOGGER.info(cfn_response) waiter = cfn_client.get_waiter("stack_delete_complete") waiter.wait(StackName=SRA_STAGING_S3_BUCKET_STACK_NAME, WaiterConfig={"Delay": 15, "MaxAttempts": 120}) LOGGER.info(SRA_STAGING_S3_BUCKET_STACK_NAME + " stack deleted") cfnresponse.send(event, context, cfnresponse.SUCCESS, {"delete_operation": f"succeeded deleting {SRA_STAGING_S3_BUCKET_STACK_NAME}"}, "CustomResourcePhysicalID") def lambda_handler(event, context): LOGGER.info(event) if event["RequestType"] == "Create": LOGGER.info("CREATE EVENT!!") create_event(event, context) if event["RequestType"] == "Update": LOGGER.info("UPDATE EVENT!!") if event["RequestType"] == "Delete": LOGGER.info("DELETE EVENT!!") delete_event(event, context) rStartCodeBuildProjectLambdaLogGroup: DeletionPolicy: Retain Type: AWS::Logs::LogGroup UpdateReplacePolicy: Retain Properties: LogGroupName: !Sub /aws/lambda/${pCodeBuildProjectLambdaFunctionName} KmsKeyId: !If - cUsingKmsKey - !Ref pLambdaLogGroupKmsKey - !Ref AWS::NoValue RetentionInDays: !Ref pLambdaLogGroupRetention rStartCodeBuildProjectLambdaRole: Type: AWS::IAM::Role Metadata: cfn_nag: rules_to_suppress: # - id: W11 # reason: Allow * in resource when required - id: W28 reason: The role name is defined to 
identify automation resources Properties: RoleName: !Ref pCodeBuildProjectLambdaRoleName Description: !Sub Role for '${pCodeBuildProjectLambdaRoleName}' Lambda function AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: sts:AssumeRole Principal: Service: - lambda.amazonaws.com Tags: - Key: !Ref pSRASolutionTagKey Value: !Ref pSRASolutionName Policies: - PolicyName: codebuild-access PolicyDocument: Version: 2012-10-17 Statement: - Sid: codebuildStartBuild Effect: Allow Action: - codebuild:StartBuild - codebuild:BatchGetBuilds Resource: !GetAtt rCodeBuildProject.Arn - PolicyName: CloudWatchLogGroup-access PolicyDocument: Version: 2012-10-17 Statement: - Sid: CloudWatchLogs Effect: Allow Action: - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents Resource: !Sub arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${pCodeBuildProjectLambdaFunctionName}:log-stream:* - PolicyName: "s3-staging-bucket-access" PolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Action: - s3:GetObject - s3:PutObject - s3:ListBucket - s3:GetBucketAcl - s3:GetBucketPolicy - s3:GetObjectAcl - s3:PutObjectAcl - s3:DeleteBucket - s3:DeleteObject - s3:DeleteObjectVersion - s3:GetBucketVersioning - s3:DeleteBucketPolicy - s3:ListBucketVersions - s3:PutBucketVersioning Resource: - !Sub "arn:${AWS::Partition}:s3:::${pSRAStagingS3BucketNamePrefix}-${AWS::AccountId}-${AWS::Region}" - !Sub "arn:${AWS::Partition}:s3:::${pSRAStagingS3BucketNamePrefix}-${AWS::AccountId}-${AWS::Region}/*" - PolicyName: "lambda-access" PolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Action: - lambda:DeleteFunction - lambda:InvokeFunction Resource: - !Sub "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:sra*" - PolicyName: "cloudformation-stack-access" PolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Action: - cloudformation:DeleteStack - cloudformation:DescribeStacks Resource: - !Sub 
"arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/sra*" - PolicyName: "IAM-access" PolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Action: - iam:DeleteRole - iam:DeleteRolePolicy Resource: - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/sra*" rAccountAlternateContactsSolutionStack: Type: AWS::CloudFormation::Stack DependsOn: rCommonPrerequisitesMainSsm Condition: cDeployAccountAlternateContactsSolution DeletionPolicy: Delete UpdateReplacePolicy: Delete Properties: TemplateURL: !Sub https://${pSRAStagingS3BucketNamePrefix}-${AWS::AccountId}-${AWS::Region}.s3.${AWS::Region}.${AWS::URLSuffix}/sra-account-alternate-contacts/templates/sra-account-alternate-contacts-main-ssm.yaml Parameters: pBillingContactAction: !Ref pBillingContactAction pBillingEmail: !Ref pBillingEmail pBillingName: !Ref pBillingName pBillingPhone: !Ref pBillingPhone pBillingTitle: !Ref pBillingTitle pComplianceFrequency: !Ref pComplianceFrequency pCreateLambdaLogGroup: !If [cCreateLambdaLogGroup, true, false] pExcludeAlternateContactAccountTags: !Ref pExcludeAlternateContactAccountTags pLambdaLogGroupKmsKey: !Ref pLambdaLogGroupKmsKey pLambdaLogGroupRetention: !Ref pLambdaLogGroupRetention pLambdaLogLevel: !Ref pLambdaLogLevel # pManagementAccountId: !Ref pManagementAccountId pOperationsContactAction: !Ref pOperationsContactAction pOperationsEmail: !Ref pOperationsEmail pOperationsName: !Ref pOperationsName pOperationsPhone: !Ref pOperationsPhone pOperationsTitle: !Ref pOperationsTitle # pOrganizationId: !Ref pOrganizationId # pRootOrganizationalUnitId: !Ref pRootOrganizationalUnitId pSecurityContactAction: !Ref pSecurityContactAction pSecurityEmail: !Ref pSecurityEmail pSecurityName: !Ref pSecurityName pSecurityPhone: !Ref pSecurityPhone pSecurityTitle: !Ref pSecurityTitle pSRAAlarmEmail: !Ref pSRAAlarmEmail # pSRAStagingS3BucketName: !Ref pSRAStagingS3BucketName rCloudTrailSolutionStack: Type: AWS::CloudFormation::Stack DependsOn: 
rCommonPrerequisitesMainSsm Condition: cDeployCloudTrailSolution DeletionPolicy: Delete UpdateReplacePolicy: Delete Properties: TemplateURL: !Sub https://${pSRAStagingS3BucketNamePrefix}-${AWS::AccountId}-${AWS::Region}.s3.${AWS::Region}.${AWS::URLSuffix}/sra-cloudtrail-org/templates/sra-cloudtrail-org-main-ssm.yaml Parameters: # pAuditAccountId: !Ref pAuditAccountId pBucketNamePrefix: !Ref pBucketNamePrefix pCloudTrailLogGroupKmsKey: !Ref pCloudTrailLogGroupKmsKey pCloudTrailLogGroupRetention: !Ref pCloudTrailLogGroupRetention pCloudTrailName: !Ref pCloudTrailName pCreateCloudTrailLogGroup: !Ref pCreateCloudTrailLogGroup pCreateLambdaLogGroup: !If [cCreateLambdaLogGroup, true, false] pEnableDataEventsOnly: !Ref pEnableDataEventsOnly pEnableLambdaDataEvents: !Ref pEnableLambdaDataEvents pEnableS3DataEvents: !Ref pEnableS3DataEvents pLambdaLogGroupKmsKey: !Ref pLambdaLogGroupKmsKey pLambdaLogGroupRetention: !Ref pLambdaLogGroupRetention pLambdaLogLevel: !Ref pLambdaLogLevel # pLogArchiveAccountId: !Ref pLogArchiveAccountId pOrganizationCloudTrailKeyAlias: !Ref pOrganizationCloudTrailKeyAlias # pOrganizationId: !Ref pOrganizationId # pSRAStagingS3BucketName: !Ref pSRAStagingS3BucketName rConfigManagementSolutionStack: Type: AWS::CloudFormation::Stack DependsOn: rCommonPrerequisitesMainSsm Condition: cDeployConfigManagementSolution DeletionPolicy: Delete UpdateReplacePolicy: Delete Properties: TemplateURL: !Sub https://${pSRAStagingS3BucketNamePrefix}-${AWS::AccountId}-${AWS::Region}.s3.${AWS::Region}.${AWS::URLSuffix}/sra-config-management-account/templates/sra-config-management-account-main-ssm.yaml Parameters: pAllSupported: !Ref pAllSupported # pAuditAccountId: !Ref pAuditAccountId # pConfigRegionsToEnable: !Ref pConfigRegionsToEnable pCreateLambdaLogGroup: !If [cCreateLambdaLogGroup, true, false] pFrequency: !Ref pFrequency # pHomeRegion: !Ref pHomeRegion pIncludeGlobalResourceTypes: !Ref pIncludeGlobalResourceTypes pKmsKeyArn: !Ref pKmsKeyArn 
pLambdaLogGroupKmsKey: !Ref pLambdaLogGroupKmsKey pLambdaLogGroupRetention: !Ref pLambdaLogGroupRetention pLambdaLogLevel: !Ref pLambdaLogLevel # pLogArchiveAccountId: !Ref pLogArchiveAccountId # pOrganizationId: !Ref pOrganizationId pResourceTypes: !Ref pResourceTypes # pSRAStagingS3BucketName: !Ref pSRAStagingS3BucketName rConfigConformancePackSolutionStack: Type: AWS::CloudFormation::Stack DependsOn: rCommonPrerequisitesMainSsm Condition: cDeployConfigConformancePackSolution DeletionPolicy: Delete UpdateReplacePolicy: Delete Properties: TemplateURL: !Sub https://${pSRAStagingS3BucketNamePrefix}-${AWS::AccountId}-${AWS::Region}.s3.${AWS::Region}.${AWS::URLSuffix}/sra-config-conformance-pack-org/templates/sra-config-conformance-pack-org-main-ssm.yaml Parameters: # pAuditAccountId: !Ref pAuditAccountId pConformancePackName: !Ref pConformancePackName pConformancePackTemplateName: !Ref pConformancePackTemplateName pDeliveryS3KeyPrefix: !Ref pDeliveryS3KeyPrefix pExcludedAccounts: !Ref pConformancePackExcludedAccounts # pLogArchiveAccountId: !Ref pLogArchiveAccountId # pOrganizationId: !Ref pOrganizationId # pRegionsToDeployConformancePacks: !Ref pRegionsToDeployConformancePacks # pRegisterDelegatedAdminAccount: !Ref pConformancePackRegisterDelegatedAdminAccount pSourceStackName: !If [cDeployConfigManagementSolution, !Ref rConfigManagementSolutionStack, ''] # pSRAStagingS3BucketName: !Ref pSRAStagingS3BucketName rDetectiveSolutionStack: Type: AWS::CloudFormation::Stack DependsOn: rCommonPrerequisitesMainSsm Condition: cDeployDetectiveSolution DeletionPolicy: Delete UpdateReplacePolicy: Delete Properties: TemplateURL: !Sub https://${pSRAStagingS3BucketNamePrefix}-${AWS::AccountId}-${AWS::Region}.s3.${AWS::Region}.${AWS::URLSuffix}/sra-detective-org/templates/sra-detective-org-main-ssm.yaml Parameters: pComplianceFrequency: !Ref pComplianceFrequency # pControlTowerRegionsOnly: !Ref pControlTowerRegionsOnly pCreateLambdaLogGroup: !If [cCreateLambdaLogGroup, true, false] 
pDatasourcePackages: !Join - ',' - !Ref pDatasourcePackages # pDelegatedAdminAccountId: !Ref pAuditAccountId # pEnabledRegions: !Ref pEnabledRegions pGuarddutyEnabledForMoreThan48Hours: !Ref pGuarddutyEnabledForMoreThan48Hours pLambdaLogGroupKmsKey: !Ref pLambdaLogGroupKmsKey pLambdaLogGroupRetention: !Ref pLambdaLogGroupRetention pLambdaLogLevel: !Ref pLambdaLogLevel # pOrganizationId: !Ref pOrganizationId pSRAAlarmEmail: !Ref pSRAAlarmEmail # pSRAStagingS3BucketName: !Ref pSRAStagingS3BucketName rEC2DefaultEBSEncryptionSolutionStack: Type: AWS::CloudFormation::Stack DependsOn: rCommonPrerequisitesMainSsm Condition: cDeployEC2DefaultEBSEncryptionSolution DeletionPolicy: Delete UpdateReplacePolicy: Delete Properties: TemplateURL: !Sub https://${pSRAStagingS3BucketNamePrefix}-${AWS::AccountId}-${AWS::Region}.s3.${AWS::Region}.${AWS::URLSuffix}/sra-ec2-default-ebs-encryption/templates/sra-ec2-default-ebs-encryption-main-ssm.yaml Parameters: pComplianceFrequency: !Ref pComplianceFrequency # pControlTowerRegionsOnly: !Ref pControlTowerRegionsOnly pCreateLambdaLogGroup: !If [cCreateLambdaLogGroup, true, false] # pEnabledRegions: !Ref pEnabledRegions pExcludeEC2DefaultEBSEncryptionTags: !Ref pExcludeEC2DefaultEBSEncryptionTags pLambdaLogGroupKmsKey: !Ref pLambdaLogGroupKmsKey pLambdaLogGroupRetention: !Ref pLambdaLogGroupRetention pLambdaLogLevel: !Ref pLambdaLogLevel # pOrganizationId: !Ref pOrganizationId # pRootOrganizationalUnitId: !Ref pRootOrganizationalUnitId pSRAAlarmEmail: !Ref pSRAAlarmEmail # pSRAStagingS3BucketName: !Ref pSRAStagingS3BucketName rFirewallManagerSolutionStack: Type: AWS::CloudFormation::Stack DependsOn: rCommonPrerequisitesMainSsm Condition: cDeployFirewallManagerSolution DeletionPolicy: Delete UpdateReplacePolicy: Delete Properties: TemplateURL: !Sub https://${pSRAStagingS3BucketNamePrefix}-${AWS::AccountId}-${AWS::Region}.s3.${AWS::Region}.${AWS::URLSuffix}/sra-firewall-manager-org/templates/sra-firewall-manager-org-main-ssm.yaml Parameters: 
# NOTE(review): the lines up to pVpcId are the tail of the Parameters map of the
# nested stack whose header is above this chunk (presumably the Firewall Manager
# solution, judging by pCreateVpcForSG / pInternalNetCIDR / pVPCCidrBlock / pVpcId).
        pCreateLambdaLogGroup: !If [cCreateLambdaLogGroup, true, false]
        pCreateVpcForSG: !Ref pCreateVpcForSG
        # pDelegatedAdminAccountId: !Ref pDelegatedAdminAccountId
        pEnableRemediation: !Ref pEnableRemediation
        pInternalNetCIDR: !Ref pInternalNetCIDR
        pLambdaLogGroupKmsKey: !Ref pLambdaLogGroupKmsKey
        pLambdaLogGroupRetention: !Ref pLambdaLogGroupRetention
        pLambdaLogLevel: !Ref pLambdaLogLevel
        # pSRAStagingS3BucketName: !Ref pSRAStagingS3BucketName
        pVPCCidrBlock: !Ref pVPCCidrBlock
        pVpcId: !Ref pVpcId

  # Nested stack for the GuardDuty organization solution. Created only when
  # cDeployGuardDutySolution holds, and only after the common prerequisites
  # stack (rCommonPrerequisitesMainSsm) has finished.
  # All nested solution stacks below share the same shape: the child template is
  # fetched from the SRA staging bucket in the deploying account/region
  # (pSRAStagingS3BucketNamePrefix-<account>-<region>), so the integrity of the
  # deployed controls depends on who can write to that bucket.
  # DeletionPolicy/UpdateReplacePolicy are both Delete: removing or replacing
  # this resource deletes the nested stack and, presumably, the GuardDuty
  # configuration it provisioned — confirm against the child template before
  # relying on this for teardown.
  rGuardDutySolutionStack:
    Type: AWS::CloudFormation::Stack
    DependsOn: rCommonPrerequisitesMainSsm
    Condition: cDeployGuardDutySolution
    DeletionPolicy: Delete
    UpdateReplacePolicy: Delete
    Properties:
      TemplateURL: !Sub https://${pSRAStagingS3BucketNamePrefix}-${AWS::AccountId}-${AWS::Region}.s3.${AWS::Region}.${AWS::URLSuffix}/sra-guardduty-org/templates/sra-guardduty-org-main-ssm.yaml
      Parameters:
        # Commented-out parameters (account ids, org id, regions, staging bucket)
        # are not passed from here; the "-main-ssm" child templates presumably
        # resolve them from SSM parameters written by the prerequisites stack —
        # TODO confirm against the child template.
        # pAuditAccountId: !Ref pAuditAccountId
        # GuardDuty protection-plan toggles, passed straight through from the
        # parent stack parameters.
        pAutoEnableS3Logs: !Ref pAutoEnableS3Logs
        pAutoEnableKubernetesAuditLogs: !Ref pAutoEnableKubernetesAuditLogs
        pAutoEnableMalwareProtection: !Ref pAutoEnableMalwareProtection
        pEnableRdsLoginEvents: !Ref pEnableRdsLoginEvents
        pEnableEksRuntimeMonitoring: !Ref pEnableEksRuntimeMonitoring
        pEnableEksAddonManagement: !Ref pEnableEksAddonManagement
        pEnableLambdaNetworkLogs: !Ref pEnableLambdaNetworkLogs
        # pControlTowerRegionsOnly: !Ref pControlTowerRegionsOnly
        pCreateLambdaLogGroup: !If [cCreateLambdaLogGroup, true, false]
        # Kill switch: when cDisableGuardDuty holds the child receives true.
        # Presumably this disables GuardDuty across the organization, so treat a
        # change to this condition as a security-relevant change.
        pDisableGuardDuty: !If [cDisableGuardDuty, true, false]
        # pEnabledRegions: !Ref pEnabledRegions
        # Parent parameter name differs from the child's (prefixed with GuardDuty
        # to disambiguate from the Macie frequency below).
        pFindingPublishingFrequency: !Ref pGuardDutyFindingPublishingFrequency
        pGuardDutyOrgDeliveryBucketPrefix: !Ref pGuardDutyOrgDeliveryBucketPrefix
        pGuardDutyOrgDeliveryKeyAlias: !Ref pGuardDutyOrgDeliveryKeyAlias
        pLambdaLogGroupKmsKey: !Ref pLambdaLogGroupKmsKey
        pLambdaLogGroupRetention: !Ref pLambdaLogGroupRetention
        pLambdaLogLevel: !Ref pLambdaLogLevel
        # pLogArchiveAccountId: !Ref pLogArchiveAccountId
        # pOrganizationId: !Ref pOrganizationId
        # pRootOrganizationalUnitId: !Ref pRootOrganizationalUnitId
        pSRAAlarmEmail: !Ref pSRAAlarmEmail
        # pSRAStagingS3BucketName: !Ref pSRAStagingS3BucketName

  # Nested stack for the IAM Access Analyzer solution (organization-level
  # analyzer plus delegated-admin registration). Same lifecycle and template
  # source as rGuardDutySolutionStack.
  rIAMAccessAnalyzerSolutionStack:
    Type: AWS::CloudFormation::Stack
    DependsOn: rCommonPrerequisitesMainSsm
    Condition: cDeployIAMAccessAnalyzerSolution
    DeletionPolicy: Delete
    UpdateReplacePolicy: Delete
    Properties:
      TemplateURL: !Sub https://${pSRAStagingS3BucketNamePrefix}-${AWS::AccountId}-${AWS::Region}.s3.${AWS::Region}.${AWS::URLSuffix}/sra-iam-access-analyzer/templates/sra-iam-access-analyzer-main-ssm.yaml
      Parameters:
        pAccessAnalyzerNamePrefix: !Ref pAccessAnalyzerNamePrefix
        # pAccessAnalyzerRegionsToEnable: !Ref pAccessAnalyzerRegionsToEnable
        # pAuditAccountId: !Ref pAuditAccountId
        pOrganizationAccessAnalyzerName: !Ref pOrganizationAccessAnalyzerName
        # Parent name carries the AccessAnalyzer prefix; child name is generic.
        pRegisterDelegatedAdminAccount: !Ref pAccessAnalyzerRegisterDelegatedAdminAccount
        # pRootOrganizationalUnitId: !Ref pRootOrganizationalUnitId
        # pSRAStagingS3BucketName: !Ref pSRAStagingS3BucketName

  # Nested stack for the IAM account password policy solution. The policy
  # values are passed through one-to-one from the parent parameters; weakening
  # any of them here weakens every account the child template targets.
  rIAMPasswordPolicySolutionStack:
    Type: AWS::CloudFormation::Stack
    DependsOn: rCommonPrerequisitesMainSsm
    Condition: cDeployIAMPasswordPolicySolution
    DeletionPolicy: Delete
    UpdateReplacePolicy: Delete
    Properties:
      TemplateURL: !Sub https://${pSRAStagingS3BucketNamePrefix}-${AWS::AccountId}-${AWS::Region}.s3.${AWS::Region}.${AWS::URLSuffix}/sra-iam-password-policy/templates/sra-iam-password-policy-main-ssm.yaml
      Parameters:
        pAllowUsersToChangePassword: !Ref pAllowUsersToChangePassword
        pCreateLambdaLogGroup: !If [cCreateLambdaLogGroup, true, false]
        pHardExpiry: !Ref pHardExpiry
        pLambdaLogGroupKmsKey: !Ref pLambdaLogGroupKmsKey
        pLambdaLogGroupRetention: !Ref pLambdaLogGroupRetention
        pLambdaLogLevel: !Ref pLambdaLogLevel
        pMaxPasswordAge: !Ref pMaxPasswordAge
        pMinimumPasswordLength: !Ref pMinimumPasswordLength
        pPasswordReusePrevention: !Ref pPasswordReusePrevention
        pRequireLowercaseCharacters: !Ref pRequireLowercaseCharacters
        pRequireNumbers: !Ref pRequireNumbers
        pRequireSymbols: !Ref pRequireSymbols
        pRequireUppercaseCharacters: !Ref pRequireUppercaseCharacters
        # pRootOrganizationalUnitId: !Ref pRootOrganizationalUnitId
        # pSRAStagingS3BucketName: !Ref pSRAStagingS3BucketName

  # Nested stack for the Macie organization solution. Mirrors the GuardDuty
  # stack: its own kill switch (pDisableMacie) and its own findings delivery
  # bucket prefix / KMS key alias.
  rMacieSolutionStack:
    Type: AWS::CloudFormation::Stack
    DependsOn: rCommonPrerequisitesMainSsm
    Condition: cDeployMacieSolution
    DeletionPolicy: Delete
    UpdateReplacePolicy: Delete
    Properties:
      TemplateURL: !Sub https://${pSRAStagingS3BucketNamePrefix}-${AWS::AccountId}-${AWS::Region}.s3.${AWS::Region}.${AWS::URLSuffix}/sra-macie-org/templates/sra-macie-org-main-ssm.yaml
      Parameters:
        # pAuditAccountId: !Ref pAuditAccountId
        # pControlTowerRegionsOnly: !Ref pControlTowerRegionsOnly
        pCreateLambdaLogGroup: !If [cCreateLambdaLogGroup, true, false]
        # Kill switch, same pattern as pDisableGuardDuty above.
        pDisableMacie: !If [cDisableMacie, true, false]
        # pEnabledRegions: !Ref pEnabledRegions
        pFindingPublishingFrequency: !Ref pMacieFindingPublishingFrequency
        pLambdaLogGroupKmsKey: !Ref pLambdaLogGroupKmsKey
        pLambdaLogGroupRetention: !Ref pLambdaLogGroupRetention
        pLambdaLogLevel: !Ref pLambdaLogLevel
        # pLogArchiveAccountId: !Ref pLogArchiveAccountId
        pMacieOrgDeliveryBucketPrefix: !Ref pMacieOrgDeliveryBucketPrefix
        pMacieOrgDeliveryKeyAlias: !Ref pMacieOrgDeliveryKeyAlias
        # pOrganizationId: !Ref pOrganizationId
        # pRootOrganizationalUnitId: !Ref pRootOrganizationalUnitId
        pSRAAlarmEmail: !Ref pSRAAlarmEmail
        # pSRAStagingS3BucketName: !Ref pSRAStagingS3BucketName

  # Nested stack for the S3 account-level Block Public Access solution. The four
  # pEnable* flags map to the four account BPA settings; pExclude...Tags names
  # the tag-based exclusion list, so anything matching it is left without BPA —
  # keep that list reviewed.
  rS3BlockAccountPublicAccessSolutionStack:
    Type: AWS::CloudFormation::Stack
    DependsOn: rCommonPrerequisitesMainSsm
    Condition: cDeployS3BlockAccountPublicAccessSolution
    DeletionPolicy: Delete
    UpdateReplacePolicy: Delete
    Properties:
      TemplateURL: !Sub https://${pSRAStagingS3BucketNamePrefix}-${AWS::AccountId}-${AWS::Region}.s3.${AWS::Region}.${AWS::URLSuffix}/sra-s3-block-account-public-access/templates/sra-s3-block-account-public-access-main-ssm.yaml
      Parameters:
        # pComplianceFrequency is shared with the Security Hub and Inspector
        # stacks below (same parent parameter).
        pComplianceFrequency: !Ref pComplianceFrequency
        pCreateLambdaLogGroup: !If [cCreateLambdaLogGroup, true, false]
        pEnableBlockPublicAcls: !Ref pEnableBlockPublicAcls
        pEnableBlockPublicPolicy: !Ref pEnableBlockPublicPolicy
        pEnableIgnorePublicAcls: !Ref pEnableIgnorePublicAcls
        pEnableRestrictPublicBuckets: !Ref pEnableRestrictPublicBuckets
        pExcludeS3BlockAccountPublicAccessTags: !Ref pExcludeS3BlockAccountPublicAccessTags
        pLambdaLogGroupKmsKey: !Ref pLambdaLogGroupKmsKey
        pLambdaLogGroupRetention: !Ref pLambdaLogGroupRetention
        pLambdaLogLevel: !Ref pLambdaLogLevel
        # pOrganizationId: !Ref pOrganizationId
        # pRootOrganizationalUnitId: !Ref pRootOrganizationalUnitId
        pSRAAlarmEmail: !Ref pSRAAlarmEmail
        # pSRAStagingS3BucketName: !Ref pSRAStagingS3BucketName

  # Nested stack for the Security Hub organization solution (standards
  # selection, region linking, and its own kill switch).
  rSecurityHubSolutionStack:
    Type: AWS::CloudFormation::Stack
    DependsOn: rCommonPrerequisitesMainSsm
    Condition: cDeploySecurityHubSolution
    DeletionPolicy: Delete
    UpdateReplacePolicy: Delete
    Properties:
      TemplateURL: !Sub https://${pSRAStagingS3BucketNamePrefix}-${AWS::AccountId}-${AWS::Region}.s3.${AWS::Region}.${AWS::URLSuffix}/sra-securityhub-org/templates/sra-securityhub-org-main-ssm.yaml
      Parameters:
        # pAuditAccountId: !Ref pAuditAccountId
        pCISStandardVersion: !Ref pCISStandardVersion
        pComplianceFrequency: !Ref pComplianceFrequency
        # pControlTowerRegionsOnly: !Ref pControlTowerRegionsOnly
        pCreateLambdaLogGroup: !If [cCreateLambdaLogGroup, true, false]
        # Kill switch, same pattern as pDisableGuardDuty above.
        pDisableSecurityHub: !If [cDisableSecurityHub, true, false]
        pEnableCISStandard: !Ref pEnableCISStandard
        # pEnabledRegions: !Ref pEnabledRegions
        pEnablePCIStandard: !Ref pEnablePCIStandard
        pEnableSecurityBestPracticesStandard: !Ref pEnableSecurityBestPracticesStandard
        pLambdaLogGroupKmsKey: !Ref pLambdaLogGroupKmsKey
        pLambdaLogGroupRetention: !Ref pLambdaLogGroupRetention
        pLambdaLogLevel: !Ref pLambdaLogLevel
        # pOrganizationId: !Ref pOrganizationId
        pRegionLinkingMode: !Ref pRegionLinkingMode
        # pRootOrganizationalUnitId: !Ref pRootOrganizationalUnitId
        # Passes the Config Management stack id when that solution is deployed,
        # otherwise an empty string. Because the !Ref sits inside the !If, this
        # also orders rSecurityHubSolutionStack after rConfigManagementSolutionStack
        # whenever cDeployConfigManagementSolution holds.
        pSourceStackName: !If [cDeployConfigManagementSolution, !Ref rConfigManagementSolutionStack, '']
        pSRAAlarmEmail: !Ref pSRAAlarmEmail
        # pSRAStagingS3BucketName: !Ref pSRAStagingS3BucketName

  # Nested stack for the Inspector organization solution.
  # NOTE(review): unlike every other solution stack in this file, this one does
  # not pass pCreateLambdaLogGroup; confirm against the child template whether
  # that parameter exists there (if it does, the child's default is used here).
  rInspectorSolutionStack:
    Type: AWS::CloudFormation::Stack
    DependsOn: rCommonPrerequisitesMainSsm
    Condition: cDeployInspectorSolution
    DeletionPolicy: Delete
    UpdateReplacePolicy: Delete
    Properties:
      TemplateURL: !Sub https://${pSRAStagingS3BucketNamePrefix}-${AWS::AccountId}-${AWS::Region}.s3.${AWS::Region}.${AWS::URLSuffix}/sra-inspector-org/templates/sra-inspector-org-main-ssm.yaml
      Parameters:
        # The parent's pScanComponents is a list; the child expects a single
        # comma-separated string, hence the !Join.
        pScanComponents: !Join
          - ','
          - !Ref pScanComponents
        pEcrRescanDuration: !Ref pEcrRescanDuration
        pLambdaLogGroupKmsKey: !Ref pLambdaLogGroupKmsKey
        pLambdaLogGroupRetention: !Ref pLambdaLogGroupRetention
        pLambdaLogLevel: !Ref pLambdaLogLevel
        pSRAAlarmEmail: !Ref pSRAAlarmEmail
        pComplianceFrequency: !Ref pComplianceFrequency