########################################################################
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0
########################################################################
AWSTemplateFormatVersion: 2010-09-09
Description:
  This template creates Lambda function and associated resources to enable the S3 account level block public access settings -
  's3_block_account_public_access' solution in the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse5t)

Metadata:
  SRA:
    Version: 1.3
    Order: 1
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: General Properties
        Parameters:
          - pSRASolutionName
          - pSRASolutionVersion
          - pSRAStagingS3BucketName
          - pRootOrganizationalUnitId
          - pSRAAlarmEmail
      - Label:
          default: Lambda Function Properties
        Parameters:
          - pOrganizationId
      - Label:
          default: Custom Resource Properties
        Parameters:
          - pEnableBlockPublicAcls
          - pEnableBlockPublicPolicy
          - pEnableIgnorePublicAcls
          - pEnableRestrictPublicBuckets
          - pExcludeS3BlockAccountPublicAccessTags
      - Label:
          default: General Lambda Function Properties
        Parameters:
          - pCreateLambdaLogGroup
          - pLambdaLogGroupRetention
          - pLambdaLogGroupKmsKey
          - pLambdaLogLevel
      - Label:
          default: EventBridge Rule Properties
        Parameters:
          - pComplianceFrequency

    ParameterLabels:
      pComplianceFrequency:
        default: Frequency to Check for Organizational Compliance
      pCreateLambdaLogGroup:
        default: Create Lambda Log Group
      pEnableBlockPublicAcls:
        default: S3 Enable Block Public ACLs
      pEnableBlockPublicPolicy:
        default: S3 Enable Block Public Policy
      pEnableIgnorePublicAcls:
        default: S3 Enable Ignore Public ACLs
      pEnableRestrictPublicBuckets:
        default: S3 Enable Restrict Public Buckets
      pExcludeS3BlockAccountPublicAccessTags:
        default: (Optional) Exclude S3 Block Account Public Access Tags
      pLambdaLogGroupKmsKey:
        default: (Optional) Lambda Logs KMS Key
      pLambdaLogGroupRetention:
        default: Lambda Log Group Retention
      pLambdaLogLevel:
        default: Lambda Log Level
      pOrganizationId:
        default: Organization ID
      pRootOrganizationalUnitId:
        default: Root Organizational Unit ID
      pSRAAlarmEmail:
        default: (Optional) SRA Alarm Email
      pSRASolutionName:
        default: SRA Solution Name
      pSRASolutionVersion:
        default: SRA Solution Version
      pSRAStagingS3BucketName:
        default: SRA Staging S3 Bucket Name

Parameters:
  pComplianceFrequency:
    ConstraintDescription: Compliance Frequency must be a number between 1 and 30, inclusive.
    Default: 7
    Description: Frequency (in days between 1 and 30, default is 7) to check organizational compliance
    MinValue: 1
    MaxValue: 30
    Type: Number
  pCreateLambdaLogGroup:
    AllowedValues: ['true', 'false']
    Default: 'false'
    Description:
      Indicates whether a CloudWatch Log Group should be explicitly created for the Lambda function, to allow for setting a Log Retention and/or KMS Key
      for encryption.
    Type: String
  pEnableBlockPublicAcls:
    AllowedValues: ['true', 'false']
    Default: 'true'
    Description: S3 Enable Block Public ACLs
    Type: String
  pEnableBlockPublicPolicy:
    AllowedValues: ['true', 'false']
    Default: 'true'
    Description: S3 Enable Block Public Policy
    Type: String
  pEnableIgnorePublicAcls:
    AllowedValues: ['true', 'false']
    Default: 'true'
    Description: S3 Enable Ignore Public ACLs
    Type: String
  pEnableRestrictPublicBuckets:
    AllowedValues: ['true', 'false']
    Default: 'true'
    Description: S3 Enable Restrict Public Buckets
    Type: String
  pExcludeS3BlockAccountPublicAccessTags:
    AllowedPattern: '^$|.*'
    Default: ''
    Description:
      '(Optional) Resource Tags that denote an Account should be excluded from this solution in JSON format: [{"Key": "string", "Value": "string"}, ... ].
      For example, [{"Key": "exclude-s3-block-account-public-access", "Value": "true"}].'
    Type: String
  pLambdaLogGroupKmsKey:
    AllowedPattern: '^$|^arn:(aws[a-zA-Z-]*){1}:kms:[a-z0-9-]+:\d{12}:key\/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$'
    ConstraintDescription: 'Key ARN example: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'
    Default: ''
    Description:
      (Optional) KMS Key ARN to use for encrypting the Lambda logs data. If empty, encryption is enabled with CloudWatch Logs managing the server-side
      encryption keys.
    Type: String
  pLambdaLogLevel:
    AllowedValues: [DEBUG, INFO, ERROR]
    Default: INFO
    Description: Lambda Function Logging Level
    Type: String
  pLambdaLogGroupRetention:
    AllowedValues: [1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653]
    Default: 14
    Description: Specifies the number of days you want to retain log events
    Type: String
  pOrganizationId:
    AllowedPattern: '^([\w.-]{1,900})$|^(\/[\w.-]{1,900})*[\w.-]{1,900}$'
    ConstraintDescription:
      Must be alphanumeric or special characters [., _, -]. In addition, the slash character ( / ) used to delineate hierarchies in parameter names.
    Default: /sra/control-tower/organization-id
    Description: SSM Parameter for AWS Organizations ID
    Type: AWS::SSM::Parameter::Value<String>
  pRootOrganizationalUnitId:
    AllowedPattern: '^([\w.-]{1,900})$|^(\/[\w.-]{1,900})*[\w.-]{1,900}$'
    ConstraintDescription:
      Must be alphanumeric or special characters [., _, -]. In addition, the slash character ( / ) used to delineate hierarchies in parameter names.
    Default: /sra/control-tower/root-organizational-unit-id
    Description: SSM Parameter for Root Organizational Unit ID
    Type: AWS::SSM::Parameter::Value<String>
  pSRAAlarmEmail:
    AllowedPattern: '^$|^([a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+)$'
    ConstraintDescription: Email Validation as per RFC2822 standards.
    Default: ''
    Description:
      (Optional) Email address for receiving DLQ alarms. If empty, CloudWatch Alarm will not be created to notify when the DLQ has a queue depth of 1.
    Type: String
  pSRASolutionName:
    AllowedValues: [sra-s3-block-account-public-access]
    Default: sra-s3-block-account-public-access
    Description: The SRA solution name. The default value is the folder name of the solution
    Type: String
  pSRAStagingS3BucketName:
    AllowedPattern: '^([\w.-]{1,900})$|^(\/[\w.-]{1,900})*[\w.-]{1,900}$'
    ConstraintDescription:
      Must be alphanumeric or special characters [., _, -]. In addition, the slash character ( / ) used to delineate hierarchies in parameter names.
    Default: /sra/staging-s3-bucket-name
    Description:
      SSM Parameter for SRA Staging S3 bucket name for the artifacts relevant to solution. (e.g., lambda zips, CloudFormation templates) S3 bucket name
      can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-).
    Type: AWS::SSM::Parameter::Value<String>
  pSRASolutionVersion:
    AllowedValues: [v1.3]
    Default: v1.3
    Description: The SRA solution version. Used to trigger updates on the nested StackSets.
    Type: String

Conditions:
  cNotGlobalRegionUsEast1: !Not [!Equals [!Ref 'AWS::Region', us-east-1]]

Resources:
  rS3BlockAccountPublicAccessRoleStackSet:
    Type: AWS::CloudFormation::StackSet
    Properties:
      StackSetName: sra-s3-block-account-public-access-role
      AutoDeployment:
        Enabled: true
        RetainStacksOnAccountRemoval: false
      CallAs: SELF
      Capabilities:
        - CAPABILITY_NAMED_IAM
      Description: !Sub ${pSRASolutionVersion} - Deploys an IAM role via ${pSRASolutionName} for configuring S3 block account public access.
      ManagedExecution:
        Active: true
      OperationPreferences:
        FailureTolerancePercentage: 100
        MaxConcurrentPercentage: 100
        RegionConcurrencyType: PARALLEL
      PermissionModel: SERVICE_MANAGED
      StackInstancesGroup:
        - DeploymentTargets:
            OrganizationalUnitIds:
              - !Ref pRootOrganizationalUnitId
          Regions:
            - !Ref AWS::Region
      TemplateURL: !Sub https://${pSRAStagingS3BucketName}.s3.${AWS::Region}.${AWS::URLSuffix}/${pSRASolutionName}/templates/sra-s3-block-account-public-access-role.yaml
      Parameters:
        - ParameterKey: pManagementAccountId
          ParameterValue: !Ref AWS::AccountId
      Tags:
        - Key: sra-solution
          Value: !Ref pSRASolutionName

  rS3BlockAccountPublicAccessRoleStack:
    Type: AWS::CloudFormation::Stack
    DeletionPolicy: Delete
    UpdateReplacePolicy: Delete
    Properties:
      TemplateURL: !Sub https://${pSRAStagingS3BucketName}.s3.${AWS::Region}.${AWS::URLSuffix}/${pSRASolutionName}/templates/sra-s3-block-account-public-access-role.yaml
      Parameters:
        pManagementAccountId: !Ref AWS::AccountId
      Tags:
        - Key: sra-solution
          Value: !Ref pSRASolutionName

  rS3BlockAccountPublicAccessStack:
    Type: AWS::CloudFormation::Stack
    DeletionPolicy: Delete
    DependsOn:
      - rS3BlockAccountPublicAccessRoleStackSet
      - rS3BlockAccountPublicAccessRoleStack
    UpdateReplacePolicy: Delete
    Properties:
      TemplateURL: !Sub https://${pSRAStagingS3BucketName}.s3.${AWS::Region}.${AWS::URLSuffix}/${pSRASolutionName}/templates/sra-s3-block-account-public-access.yaml
      Parameters:
        pComplianceFrequency: !Ref pComplianceFrequency
        pCreateLambdaLogGroup: !Ref pCreateLambdaLogGroup
        pEnableBlockPublicAcls: !Ref pEnableBlockPublicAcls
        pEnableBlockPublicPolicy: !Ref pEnableBlockPublicPolicy
        pEnableIgnorePublicAcls: !Ref pEnableIgnorePublicAcls
        pEnableRestrictPublicBuckets: !Ref pEnableRestrictPublicBuckets
        pExcludeS3BlockAccountPublicAccessTags: !Ref pExcludeS3BlockAccountPublicAccessTags
        pLambdaLogGroupKmsKey: !Ref pLambdaLogGroupKmsKey
        pLambdaLogGroupRetention: !Ref pLambdaLogGroupRetention
        pLambdaLogLevel: !Ref pLambdaLogLevel
        pManagementAccountId: !Ref AWS::AccountId
        pOrganizationId: !Ref pOrganizationId
        pSRAStagingS3BucketName: !Ref pSRAStagingS3BucketName
        pSRAAlarmEmail: !Ref pSRAAlarmEmail
      Tags:
        - Key: sra-solution
          Value: !Ref pSRASolutionName

  rS3BlockAccountPublicAccessGlobalEventsStackSet:
    Type: AWS::CloudFormation::StackSet
    Condition: cNotGlobalRegionUsEast1
    DependsOn: rS3BlockAccountPublicAccessStack
    Properties:
      StackSetName: sra-s3-block-account-public-access-global-events
      AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AWSControlTowerStackSetRole
      CallAs: SELF
      Capabilities:
        - CAPABILITY_NAMED_IAM
      Description: !Sub ${pSRASolutionVersion} - Deploys EventBridge Rules via ${pSRASolutionName} for capturing global events forwarding to the home region.
      ExecutionRoleName: AWSControlTowerExecution
      ManagedExecution:
        Active: true
      OperationPreferences:
        FailureTolerancePercentage: 0
        MaxConcurrentPercentage: 100
        RegionConcurrencyType: PARALLEL
      PermissionModel: SELF_MANAGED
      StackInstancesGroup:
        - DeploymentTargets:
            Accounts:
              - !Ref AWS::AccountId
          Regions:
            - us-east-1
      TemplateURL: !Sub https://${pSRAStagingS3BucketName}.s3.${AWS::Region}.${AWS::URLSuffix}/${pSRASolutionName}/templates/sra-s3-block-account-public-access-global-events.yaml
      Parameters:
        - ParameterKey: pHomeRegion
          ParameterValue: !Ref AWS::Region
      Tags:
        - Key: sra-solution
          Value: !Ref pSRASolutionName