######################################################################## # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. # SPDX-License-Identifier: MIT-0 ######################################################################## AWSTemplateFormatVersion: 2010-09-09 Description: This template creates Lambda function and associated resources to enable the S3 account level block public access settings - 's3_block_account_public_access' solution in the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse5t) Metadata: SRA: Version: 1.3 Order: 1 AWS::CloudFormation::Interface: ParameterGroups: - Label: default: General Properties Parameters: - pSRASolutionName - pSRASolutionVersion - pSRAStagingS3BucketName - pRootOrganizationalUnitId - pSRAAlarmEmail - Label: default: Lambda Function Properties Parameters: - pOrganizationId - Label: default: Custom Resource Properties Parameters: - pEnableBlockPublicAcls - pEnableBlockPublicPolicy - pEnableIgnorePublicAcls - pEnableRestrictPublicBuckets - pExcludeS3BlockAccountPublicAccessTags - Label: default: General Lambda Function Properties Parameters: - pCreateLambdaLogGroup - pLambdaLogGroupRetention - pLambdaLogGroupKmsKey - pLambdaLogLevel - Label: default: EventBridge Rule Properties Parameters: - pComplianceFrequency ParameterLabels: pComplianceFrequency: default: Frequency to Check for Organizational Compliance pCreateLambdaLogGroup: default: Create Lambda Log Group pEnableBlockPublicAcls: default: S3 Enable Block Public ACLs pEnableBlockPublicPolicy: default: S3 Enable Block Public Policy pEnableIgnorePublicAcls: default: S3 Enable Ignore Public ACLs pEnableRestrictPublicBuckets: default: S3 Enable Restrict Public Buckets pExcludeS3BlockAccountPublicAccessTags: default: (Optional) Exclude S3 Block Account Public Access Tags pLambdaLogGroupKmsKey: default: (Optional) Lambda Logs KMS Key pLambdaLogGroupRetention: default: Lambda Log Group Retention pLambdaLogLevel: default: Lambda Log Level pOrganizationId: default: Organization ID pRootOrganizationalUnitId: default: Root Organizational Unit ID pSRAAlarmEmail: default: (Optional) SRA Alarm Email pSRASolutionName: default: SRA Solution Name pSRASolutionVersion: default: SRA Solution Version pSRAStagingS3BucketName: default: SRA Staging S3 Bucket Name Parameters: pComplianceFrequency: ConstraintDescription: Compliance Frequency must be a number between 1 and 30, inclusive. Default: 7 Description: Frequency (in days between 1 and 30, default is 7) to check organizational compliance MinValue: 1 MaxValue: 30 Type: Number pCreateLambdaLogGroup: AllowedValues: ['true', 'false'] Default: 'false' Description: Indicates whether a CloudWatch Log Group should be explicitly created for the Lambda function, to allow for setting a Log Retention and/or KMS Key for encryption. Type: String pEnableBlockPublicAcls: AllowedValues: ['true', 'false'] Default: 'true' Description: S3 Enable Block Public ACLs Type: String pEnableBlockPublicPolicy: AllowedValues: ['true', 'false'] Default: 'true' Description: S3 Enable Block Public Policy Type: String pEnableIgnorePublicAcls: AllowedValues: ['true', 'false'] Default: 'true' Description: S3 Enable Ignore Public ACLs Type: String pEnableRestrictPublicBuckets: AllowedValues: ['true', 'false'] Default: 'true' Description: S3 Enable Restrict Public Buckets Type: String pExcludeS3BlockAccountPublicAccessTags: AllowedPattern: '^$|.*' Default: '' Description: '(Optional) Resource Tags that denote an Account should be excluded from this solution in JSON format: [{"Key": "string", "Value": "string"}, ... ]. For example, [{"Key": "exclude-s3-block-account-public-access", "Value": "true"}].' Type: String pLambdaLogGroupKmsKey: AllowedPattern: '^$|^arn:(aws[a-zA-Z-]*){1}:kms:[a-z0-9-]+:\d{12}:key\/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$' ConstraintDescription: 'Key ARN example: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' Default: '' Description: (Optional) KMS Key ARN to use for encrypting the Lambda logs data. If empty, encryption is enabled with CloudWatch Logs managing the server-side encryption keys. Type: String pLambdaLogLevel: AllowedValues: [DEBUG, INFO, ERROR] Default: INFO Description: Lambda Function Logging Level Type: String pLambdaLogGroupRetention: AllowedValues: [1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653] Default: 14 Description: Specifies the number of days you want to retain log events Type: String pOrganizationId: AllowedPattern: '^([\w.-]{1,900})$|^(\/[\w.-]{1,900})*[\w.-]{1,900}$' ConstraintDescription: Must be alphanumeric or special characters [., _, -]. In addition, the slash character ( / ) used to delineate hierarchies in parameter names. Description: AWS Organizations ID Type: String pRootOrganizationalUnitId: AllowedPattern: '^r-[0-9a-z]{4,32}$' ConstraintDescription: Must start with 'r-' followed by from 4 to 32 lowercase letters or digits. (e.g. r-abc123) Description: Root Organizational Unit ID Type: String pSRAAlarmEmail: AllowedPattern: '^$|^([a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+)$' ConstraintDescription: Email Validation as per RFC2822 standards. Default: '' Description: (Optional) Email address for receiving DLQ alarms. If empty, CloudWatch Alarm will not be created to notify when the DLQ has a queue depth of 1. Type: String pSRASolutionName: AllowedValues: [sra-s3-block-account-public-access] Default: sra-s3-block-account-public-access Description: The SRA solution name. The default value is the folder name of the solution Type: String pSRAStagingS3BucketName: AllowedPattern: '^([\w.-]{1,900})$|^(\/[\w.-]{1,900})*[\w.-]{1,900}$' ConstraintDescription: Must be alphanumeric or special characters [., _, -]. In addition, the slash character ( / ) used to delineate hierarchies in parameter names. Description: SRA Staging S3 bucket name for the artifacts relevant to solution. (e.g., lambda zips, CloudFormation templates) S3 bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Type: String pSRASolutionVersion: AllowedValues: [v1.3] Default: v1.3 Description: The SRA solution version. Used to trigger updates on the nested StackSets. Type: String Conditions: cNotGlobalRegionUsEast1: !Not [!Equals [!Ref 'AWS::Region', us-east-1]] Resources: rS3BlockAccountPublicAccessRoleStackSet: Type: AWS::CloudFormation::StackSet Properties: StackSetName: sra-s3-block-account-public-access-role AutoDeployment: Enabled: true RetainStacksOnAccountRemoval: false CallAs: SELF Capabilities: - CAPABILITY_NAMED_IAM Description: !Sub ${pSRASolutionVersion} - Deploys an IAM role via ${pSRASolutionName} for configuring S3 block account public access. ManagedExecution: Active: true OperationPreferences: FailureTolerancePercentage: 100 MaxConcurrentPercentage: 100 RegionConcurrencyType: PARALLEL PermissionModel: SERVICE_MANAGED StackInstancesGroup: - DeploymentTargets: OrganizationalUnitIds: - !Ref pRootOrganizationalUnitId Regions: - !Ref AWS::Region TemplateURL: !Sub https://${pSRAStagingS3BucketName}.s3.${AWS::Region}.${AWS::URLSuffix}/${pSRASolutionName}/templates/sra-s3-block-account-public-access-role.yaml Parameters: - ParameterKey: pManagementAccountId ParameterValue: !Ref AWS::AccountId Tags: - Key: sra-solution Value: !Ref pSRASolutionName rS3BlockAccountPublicAccessRoleStack: Type: AWS::CloudFormation::Stack DeletionPolicy: Delete UpdateReplacePolicy: Delete Properties: TemplateURL: !Sub https://${pSRAStagingS3BucketName}.s3.${AWS::Region}.${AWS::URLSuffix}/${pSRASolutionName}/templates/sra-s3-block-account-public-access-role.yaml Parameters: pManagementAccountId: !Ref AWS::AccountId Tags: - Key: sra-solution Value: !Ref pSRASolutionName rS3BlockAccountPublicAccessStack: Type: AWS::CloudFormation::Stack DeletionPolicy: Delete DependsOn: - rS3BlockAccountPublicAccessRoleStackSet - rS3BlockAccountPublicAccessRoleStack UpdateReplacePolicy: Delete Properties: TemplateURL: !Sub https://${pSRAStagingS3BucketName}.s3.${AWS::Region}.${AWS::URLSuffix}/${pSRASolutionName}/templates/sra-s3-block-account-public-access.yaml Parameters: pComplianceFrequency: !Ref pComplianceFrequency pCreateLambdaLogGroup: !Ref pCreateLambdaLogGroup pEnableBlockPublicAcls: !Ref pEnableBlockPublicAcls pEnableBlockPublicPolicy: !Ref pEnableBlockPublicPolicy pEnableIgnorePublicAcls: !Ref pEnableIgnorePublicAcls pEnableRestrictPublicBuckets: !Ref pEnableRestrictPublicBuckets pExcludeS3BlockAccountPublicAccessTags: !Ref pExcludeS3BlockAccountPublicAccessTags pLambdaLogGroupKmsKey: !Ref pLambdaLogGroupKmsKey pLambdaLogGroupRetention: !Ref pLambdaLogGroupRetention pLambdaLogLevel: !Ref pLambdaLogLevel pManagementAccountId: !Ref AWS::AccountId pOrganizationId: !Ref pOrganizationId pSRAStagingS3BucketName: !Ref pSRAStagingS3BucketName pSRAAlarmEmail: !Ref pSRAAlarmEmail Tags: - Key: sra-solution Value: !Ref pSRASolutionName rS3BlockAccountPublicAccessGlobalEventsStackSet: Type: AWS::CloudFormation::StackSet Condition: cNotGlobalRegionUsEast1 DependsOn: rS3BlockAccountPublicAccessStack Properties: StackSetName: sra-s3-block-account-public-access-global-events AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AWSControlTowerStackSetRole CallAs: SELF Capabilities: - CAPABILITY_NAMED_IAM Description: !Sub ${pSRASolutionVersion} - Deploys EventBridge Rules via ${pSRASolutionName} for capturing global events forwarding to the home region. ExecutionRoleName: AWSControlTowerExecution ManagedExecution: Active: true OperationPreferences: FailureTolerancePercentage: 0 MaxConcurrentPercentage: 100 RegionConcurrencyType: PARALLEL PermissionModel: SELF_MANAGED StackInstancesGroup: - DeploymentTargets: Accounts: - !Ref AWS::AccountId Regions: - us-east-1 TemplateURL: !Sub https://${pSRAStagingS3BucketName}.s3.${AWS::Region}.${AWS::URLSuffix}/${pSRASolutionName}/templates/sra-s3-block-account-public-access-global-events.yaml Parameters: - ParameterKey: pHomeRegion ParameterValue: !Ref AWS::Region Tags: - Key: sra-solution Value: !Ref pSRASolutionName