########################################################################
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0
########################################################################
AWSTemplateFormatVersion: 2010-09-09
Description:
  This template creates an organization IAM Access Analyzer - 'iam_access_analyzer' solution in the repo,
  https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse52)

Metadata:
  SRA:
    Version: 1.2
    Entry: Parameters for deploying solution with resolving SSM parameters
    Order: 1
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: General Properties
        Parameters:
          - pSRASolutionName
          - pSRASolutionVersion
          - pSRAStagingS3BucketName
          - pAuditAccountId
          - pRootOrganizationalUnitId
      - Label:
          default: IAM Access Analyzer Properties
        Parameters:
          - pOrganizationAccessAnalyzerName
          - pAccessAnalyzerNamePrefix
          - pAccessAnalyzerRegionsToEnable
          - pRegisterDelegatedAdminAccount

    ParameterLabels:
      pAccessAnalyzerNamePrefix:
        default: Access Analyzer Name Prefix
      pAccessAnalyzerRegionsToEnable:
        default: Regions to Enable Access Analyzer
      pAuditAccountId:
        default: Audit Account ID
      pOrganizationAccessAnalyzerName:
        default: Organization Access Analyzer Name
      pRegisterDelegatedAdminAccount:
        default: Register Delegated Admin Account
      pRootOrganizationalUnitId:
        default: Root Organizational Unit ID
      pSRASolutionName:
        default: SRA Solution Name
      pSRASolutionVersion:
        default: SRA Solution Version
      pSRAStagingS3BucketName:
        default: SRA Staging S3 Bucket Name

Parameters:
  pAccessAnalyzerNamePrefix:
    Default: sra-account-access-analyzer
    Description: Access Analyzer Name Prefix. The Account ID will be appended to the name.
    Type: String

  pAccessAnalyzerRegionsToEnable:
    AllowedPattern: '^([\w.-]{1,900})$|^(\/[\w.-]{1,900})*[\w.-]{1,900}$'
    ConstraintDescription:
      Must be alphanumeric or special characters [., _, -]. In addition, the slash character ( / ) is used to delineate hierarchies in parameter names.
    Default: /sra/regions/customer-control-tower-regions
    Description: SSM Parameter for the AWS regions in which to enable IAM Access Analyzer
    # The SSM parameter holds a comma-separated region list, so it resolves to List<String>
    Type: AWS::SSM::Parameter::Value<List<String>>

  pAuditAccountId:
    AllowedPattern: '^([\w.-]{1,900})$|^(\/[\w.-]{1,900})*[\w.-]{1,900}$'
    ConstraintDescription:
      Must be alphanumeric or special characters [., _, -]. In addition, the slash character ( / ) is used to delineate hierarchies in parameter names.
    Default: /sra/control-tower/audit-account-id
    Description: SSM Parameter for AWS Account ID of the Control Tower account to delegate administration.
    Type: AWS::SSM::Parameter::Value<String>

  pOrganizationAccessAnalyzerName:
    Default: sra-organization-access-analyzer
    Description: Organization Access Analyzer Name
    Type: String

  pRegisterDelegatedAdminAccount:
    AllowedValues: ['Yes', 'No']
    Default: 'Yes'
    Description: Register a delegated administrator account using the Common Register Delegated Administrator solution.
    Type: String

  pRootOrganizationalUnitId:
    AllowedPattern: '^([\w.-]{1,900})$|^(\/[\w.-]{1,900})*[\w.-]{1,900}$'
    ConstraintDescription:
      Must be alphanumeric or special characters [., _, -]. In addition, the slash character ( / ) is used to delineate hierarchies in parameter names.
    Default: /sra/control-tower/root-organizational-unit-id
    Description: SSM Parameter for Root Organizational Unit ID
    Type: AWS::SSM::Parameter::Value<String>

  pSRASolutionName:
    AllowedValues: [sra-iam-access-analyzer]
    Default: sra-iam-access-analyzer
    Description: The SRA solution name. The default value is the folder name of the solution.
    Type: String

  pSRASolutionVersion:
    AllowedValues: [v1.2]
    Default: v1.2
    Description: The SRA solution version. Used to trigger updates on the nested StackSets.
    Type: String

  pSRAStagingS3BucketName:
    AllowedPattern: '^([\w.-]{1,900})$|^(\/[\w.-]{1,900})*[\w.-]{1,900}$'
    ConstraintDescription:
      Must be alphanumeric or special characters [., _, -]. In addition, the slash character ( / ) is used to delineate hierarchies in parameter names.
    Default: /sra/staging-s3-bucket-name
    Description:
      SSM Parameter for the SRA Staging S3 bucket name holding the artifacts relevant to the solution (e.g., Lambda zips, CloudFormation templates).
      The S3 bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-).
    Type: AWS::SSM::Parameter::Value<String>

Conditions:
  cRegisterDelegatedAdmin: !Equals [!Ref pRegisterDelegatedAdminAccount, 'Yes']

Resources:
  # Registers the Audit account as delegated administrator for access-analyzer.amazonaws.com
  rCommonRegisterDelegatedAdminStack:
    Type: AWS::CloudFormation::Stack
    Condition: cRegisterDelegatedAdmin
    DeletionPolicy: Delete
    UpdateReplacePolicy: Delete
    Properties:
      TemplateURL: !Sub https://${pSRAStagingS3BucketName}.s3.${AWS::Region}.${AWS::URLSuffix}/sra-common-register-delegated-administrator/templates/sra-common-register-delegated-administrator-ssm.yaml
      Tags:
        - Key: sra-solution
          Value: !Ref pSRASolutionName
      Parameters:
        pLambdaLogGroupKmsKey: ''
        pRegisterDelegatedAdminLambdaRoleName: sra-iam-access-analyzer-delegated-admin-lambda
        pRegisterDelegatedAdminLambdaFunctionName: sra-iam-access-analyzer-delegated-admin
        pServicePrincipalList: access-analyzer.amazonaws.com

  # Account-level analyzer role in the management account (StackSets do not deploy to the management account)
  rIAMAccessAnalyzerAccountStack:
    Type: AWS::CloudFormation::Stack
    DeletionPolicy: Delete
    UpdateReplacePolicy: Delete
    Properties:
      TemplateURL: !Sub https://${pSRAStagingS3BucketName}.s3.${AWS::Region}.${AWS::URLSuffix}/${pSRASolutionName}/templates/sra-iam-access-analyzer-account.yaml
      Tags:
        - Key: sra-solution
          Value: !Ref pSRASolutionName
      Parameters:
        pAccessAnalyzerNamePrefix: !Ref pAccessAnalyzerNamePrefix

  # Account-level analyzer role in every member account under the root OU, in each enabled region
  rIAMAccessAnalyzerAccountStackSet:
    Type: AWS::CloudFormation::StackSet
    Properties:
      StackSetName: sra-iam-access-analyzer-account
      AutoDeployment:
        Enabled: true
        RetainStacksOnAccountRemoval: false
      CallAs: SELF
      Capabilities:
        - CAPABILITY_NAMED_IAM
      Description: !Sub ${pSRASolutionVersion} - Deploys an IAM role via ${pSRASolutionName} for configuring an account level IAM Access Analyzer
      ManagedExecution:
        Active: true
      OperationPreferences:
        FailureTolerancePercentage: 100
        MaxConcurrentPercentage: 100
        RegionConcurrencyType: PARALLEL
      PermissionModel: SERVICE_MANAGED
      StackInstancesGroup:
        - DeploymentTargets:
            OrganizationalUnitIds:
              - !Ref pRootOrganizationalUnitId
          Regions: !Ref pAccessAnalyzerRegionsToEnable
      TemplateURL: !Sub https://${pSRAStagingS3BucketName}.s3.${AWS::Region}.${AWS::URLSuffix}/${pSRASolutionName}/templates/sra-iam-access-analyzer-account.yaml
      Parameters:
        - ParameterKey: pAccessAnalyzerNamePrefix
          ParameterValue: !Ref pAccessAnalyzerNamePrefix
      Tags:
        - Key: sra-solution
          Value: !Ref pSRASolutionName

  # Organization-level analyzer in the Audit (delegated administrator) account, in each enabled region
  rIAMAccessAnalyzerOrganizationStackSet:
    Type: AWS::CloudFormation::StackSet
    DependsOn:
      - rIAMAccessAnalyzerAccountStack
      - rIAMAccessAnalyzerAccountStackSet
    Properties:
      StackSetName: sra-iam-access-analyzer-org
      AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AWSControlTowerStackSetRole
      CallAs: SELF
      Capabilities:
        - CAPABILITY_NAMED_IAM
      Description: !If
        - cRegisterDelegatedAdmin
        - !Sub
          - "${pSRASolutionVersion} - This template creates an AWS Organizations IAM Access Analyzer in the Control Tower Audit account. - 'iam_access_analyzer' solution in the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples. Delegated Admin Solution - ${SolutionName}"
          - SolutionName: !GetAtt rCommonRegisterDelegatedAdminStack.Outputs.oSRASolutionName
        - !Sub ${pSRASolutionVersion} - This template creates an AWS Organizations IAM Access Analyzer in the Control Tower Audit account. - 'iam_access_analyzer' solution in the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples.
      ExecutionRoleName: AWSControlTowerExecution
      ManagedExecution:
        Active: true
      OperationPreferences:
        FailureTolerancePercentage: 100
        MaxConcurrentPercentage: 100
        RegionConcurrencyType: PARALLEL
      PermissionModel: SELF_MANAGED
      StackInstancesGroup:
        - DeploymentTargets:
            Accounts:
              - !Ref pAuditAccountId
          Regions: !Ref pAccessAnalyzerRegionsToEnable
      TemplateURL: !Sub https://${pSRAStagingS3BucketName}.s3.${AWS::Region}.${AWS::URLSuffix}/${pSRASolutionName}/templates/sra-iam-access-analyzer-org.yaml
      Parameters:
        - ParameterKey: pAccessAnalyzerName
          ParameterValue: !Ref pOrganizationAccessAnalyzerName
      Tags:
        - Key: sra-solution
          Value: !Ref pSRASolutionName
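# Added verification example (not part of the SRA repository): after the template above has
# deployed, confirm that the Audit account is the ACTIVE delegated administrator for
# access-analyzer.amazonaws.com and that an ACTIVE ORGANIZATION analyzer with the name from
# pOrganizationAccessAnalyzerName exists in every region listed in pAccessAnalyzerRegionsToEnable.
# The checks are pure functions over API response dicts; the sample responses are constructed,
# and the boto3 calls named in the docstrings are what you would feed them in a live run.

```python
"""Post-deployment check for the IAM Access Analyzer configuration this template deploys."""
from typing import Dict, List

SERVICE_PRINCIPAL = "access-analyzer.amazonaws.com"  # matches pServicePrincipalList above


def is_delegated_admin(delegated_admins_resp: Dict, audit_account_id: str) -> bool:
    """True when the audit account is an ACTIVE delegated administrator.

    `delegated_admins_resp` has the shape returned by
    organizations.list_delegated_administrators(ServicePrincipal=SERVICE_PRINCIPAL),
    which must be called from the management account.
    """
    return any(
        admin.get("Id") == audit_account_id and admin.get("Status") == "ACTIVE"
        for admin in delegated_admins_resp.get("DelegatedAdministrators", [])
    )


def missing_org_analyzers(analyzers_by_region: Dict[str, Dict], regions: List[str],
                          analyzer_name: str) -> List[str]:
    """Regions from pAccessAnalyzerRegionsToEnable that lack an ACTIVE ORGANIZATION
    analyzer named pOrganizationAccessAnalyzerName.

    `analyzers_by_region` maps region -> the response of
    accessanalyzer.list_analyzers(type="ORGANIZATION") run in that region from
    the audit (delegated administrator) account.
    """
    missing = []
    for region in regions:
        analyzers = analyzers_by_region.get(region, {}).get("analyzers", [])
        if not any(a.get("name") == analyzer_name and a.get("status") == "ACTIVE"
                   for a in analyzers):
            missing.append(region)
    return missing


# Constructed sample responses (not real account data) so the checks run offline.
SAMPLE_DELEGATED_ADMINS = {"DelegatedAdministrators": [{"Id": "111111111111", "Status": "ACTIVE"}]}
SAMPLE_ANALYZERS = {
    "us-east-1": {"analyzers": [{"name": "sra-organization-access-analyzer",
                                 "type": "ORGANIZATION", "status": "ACTIVE"}]},
    "us-west-2": {"analyzers": []},  # e.g. a StackSet instance that failed in this region
}

if __name__ == "__main__":
    print("delegated admin ok:", is_delegated_admin(SAMPLE_DELEGATED_ADMINS, "111111111111"))
    print("regions missing org analyzer:",
          missing_org_analyzers(SAMPLE_ANALYZERS, ["us-east-1", "us-west-2"],
                                "sra-organization-access-analyzer"))
```

# A region reported as missing usually means the sra-iam-access-analyzer-org StackSet instance
# for that region failed or was never created; check the StackSet operation results there.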