AWSTemplateFormatVersion: 2010-09-09 Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: default: "FMS Policy" Parameters: - ProtectCloudFront - AutoRemediate - Label: default: "Accounts and Organization" Parameters: - AccountScopeList - IncludeExcludeScope - OUScopeList - ScopeType - Label: default: "FMS Policy Resource Tagging" Parameters: - ResourceTagUsage - ScopeTagName1 - ScopeTagValue1 - ScopeTagName2 - ScopeTagValue2 - ScopeTagName3 - ScopeTagValue3 Parameters: AccountScopeList: Type: CommaDelimitedList Default: OUScopeList: Type: CommaDelimitedList Default: na Description: if OrgOrOUScope is OU, specify a comma separated list of AWS Organization OU"s IncludeExcludeScope: Type: String Default: Include AllowedValues: - Include - Exclude ScopeType: Type: String Description: "Should Firewall Manager Policies be scoped to the entire org (root) or a specific list of OUs (OU)" Default: Org AllowedValues: - Org - OU - Accounts ResourceTagUsage: Type: String Default: Include Description: Include will scope to only include when ResourceTags match, Exclude will exclude when target resource tags match ResourceTags AllowedValues: - Include - Exclude ProtectCloudFront: Type: String Default: true AllowedValues: - true - false AutoRemediate: Type: String Description: "Should configured AWS resource types have Shield Advanced protection enabled (true) or audit (false)" Default: true AllowedValues: - true - false ScopeTagName1: Type: String Default: ScopeTagName2: Type: String Default: ScopeTagName3: Type: String Default: ScopeTagValue1: Type: String Default: ScopeTagValue2: Type: String Default: ScopeTagValue3: Type: String Default: Conditions: ScopeTagName1Flag: !Not [!Equals [!Ref ScopeTagName1, ""]] ScopeTagName2Flag: !Not [!Equals [!Ref ScopeTagName2, ""]] ScopeTagName3Flag: !Not [!Equals [!Ref ScopeTagName3, ""]] ScopeTagValue1Flag: !And [Condition: ScopeTagName1Flag, !Not [!Equals [!Ref ScopeTagValue1, ""]]] ScopeTagValue2Flag: !And [Condition: ScopeTagName2Flag, !Not [!Equals [!Ref ScopeTagValue2, ""]]] ScopeTagValue3Flag: !And [Condition: ScopeTagName3Flag, !Not [!Equals [!Ref ScopeTagValue3, ""]]] CreatePolicyFlag: !Equals [!Ref ProtectCloudFront, "true"] OUScopeFlag: !Equals [!Ref ScopeType, "OU"] AccountScopeFlag: !Equals [!Ref ScopeType, "Accounts"] ExcludeResourceTagFlag: !Equals [!Ref ResourceTagUsage, "Exclude"] IncludeScopeFlag: !Equals [!Ref IncludeExcludeScope, "Include"] ExcludeScopeFlag: !Equals [!Ref IncludeExcludeScope, "Exclude"] AutoRemediateFlag: !Equals [!Ref AutoRemediate, true] Resources: EnableShieldOnResources: Condition: CreatePolicyFlag Type: AWS::FMS::Policy Properties: PolicyName: !Sub "ShieldProtectionCloudFront-${AWS::StackName}" ResourceType: AWS::CloudFront::Distribution ExcludeResourceTags: !If [ExcludeResourceTagFlag, true, false] IncludeMap: ORGUNIT: !If [IncludeScopeFlag, !If [OUScopeFlag, !Ref OUScopeList, !Ref "AWS::NoValue"], !Ref "AWS::NoValue"] ACCOUNT: !If [IncludeScopeFlag, !If [AccountScopeFlag, !Ref AccountScopeList, !Ref "AWS::NoValue"], !Ref "AWS::NoValue"] ExcludeMap: ORGUNIT: !If [ExcludeScopeFlag, !If [OUScopeFlag, !Ref OUScopeList, !Ref "AWS::NoValue"], !Ref "AWS::NoValue"] ACCOUNT: !If [ExcludeScopeFlag, !If [AccountScopeFlag, !Ref AccountScopeList, !Ref "AWS::NoValue"], !Ref "AWS::NoValue"] RemediationEnabled: !If [AutoRemediateFlag, true, false] SecurityServicePolicyData: Type: SHIELD_ADVANCED DeleteAllPolicyResources: false ResourceTags: !If - ScopeTagName1Flag - - !If - ScopeTagName1Flag - Key: !Ref ScopeTagName1 Value: !If [ScopeTagValue1Flag, !Ref ScopeTagValue1, ""] - !Ref "AWS::NoValue" - !If - ScopeTagName2Flag - Key: !Ref ScopeTagName2 Value: !If [ScopeTagValue2Flag, !Ref ScopeTagValue2, ""] - !Ref "AWS::NoValue" - !If - ScopeTagName3Flag - Key: !Ref ScopeTagName3 Value: !If [ScopeTagValue3Flag, !Ref ScopeTagValue3, ""] - !Ref "AWS::NoValue" - !Ref "AWS::NoValue"