--- AWSTemplateFormatVersion: 2010-09-09 Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: default: "Shield Advanced Configurations" Parameters: - EnabledProactiveEngagement - EnableSRTAccess - EmergencyContactCount - EmergencyContactEmail1 - EmergencyContactPhone1 - EmergencyContactEmail2 - EmergencyContactPhone2 - SrtAccessRoleName - Label: default: "Lambda Code" Parameters: - CodeS3BucketPrefix - CodeS3Key Parameters: CodeS3BucketPrefix: Type: String CodeS3Key: Type: String Default: lambda.zip EmergencyContactCount: Type: String Default: 1 AllowedValues: - 1 - 2 EmergencyContactEmail1: Type: String EmergencyContactEmail2: Type: String EmergencyContactPhone1: Type: String Default: '+15555555555' AllowedPattern: ^\+[0-9]{11} EmergencyContactPhone2: Type: String Default: '+15555555555' AllowedPattern: ^\+[0-9]{11} EnabledProactiveEngagement: Type: String Default: true AllowedValues: - true - false SrtAccessRoleName: Type: String Default: AWSSRTAccess EnableSRTAccess: Type: String Default: True AllowedValues: - True - False Conditions: SecondEmergencyContact: !Equals [!Ref EmergencyContactCount , 2] Resources: ConfigureShieldLambdaRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - lambda.amazonaws.com Action: - 'sts:AssumeRole' Path: / ConfigureShieldLambdaPolicy: Type: 'AWS::IAM::Policy' Metadata: cfn_nag: rules_to_suppress: - id: W12 reason: "Wildcard IAM policy required, resource scoping not supported for APIs" - id: W58 reason: "Permissions granted, CFN_Nag not parsing correctly?" Properties: PolicyName: ConfigureShieldLambdaPolicy PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - "logs:CreateLogGroup" - "logs:CreateLogStream" - "logs:PutLogEvents" Resource: "arn:aws:logs:*:*:*" - Sid: CreateAndManageSRTRole Effect: Allow Action: - iam:GetRole - iam:PassRole - iam:ListAttachedRolePolicies - iam:CreateRole - iam:AttachRolePolicy Resource: !Sub "arn:aws:iam::${AWS::AccountId}:role/${SrtAccessRoleName}" - Sid: ShieldAdvancedConfiguration Effect: Allow Action: - shield:UpdateEmergencyContactSettings - shield:AssociateDRTLogBucket - shield:CreateSubscription - shield:UpdateSubscription - shield:AssociateDRTRole - shield:DisassociateDRTRole - shield:DescribeDRTAccess - shield:DescribeEmergencyContactSettings - shield:EnableProactiveEngagement - shield:DisableProactiveEngagement - shield:AssociateProactiveEngagementDetails - "xray:PutTraceSegments" - "xray:PutTelemetryRecords" Resource: "*" Roles: - !Ref ConfigureShieldLambdaRole ConfigureShieldAdvancedLambda: DependsOn: ConfigureShieldLambdaPolicy Type: Custom::ConfigureShieldAdvanced Properties: ServiceToken: !GetAtt ConfigureShieldLambda.Arn EmergencyContactEmail1: !Ref EmergencyContactEmail1 EmergencyContactEmail2: !If [SecondEmergencyContact, !Ref EmergencyContactEmail2, !Ref "AWS::NoValue"] EmergencyContactPhone1: !Ref EmergencyContactPhone1 EmergencyContactPhone2: !If [SecondEmergencyContact, !Ref EmergencyContactPhone2, !Ref "AWS::NoValue"] EnabledProactiveEngagement: !Ref EnabledProactiveEngagement EmergencyContactCount: !Ref EmergencyContactCount EnableSRTAccess: !Ref EnableSRTAccess SRTAccessRoleName: !Ref SrtAccessRoleName ConfigureShieldLambda: Type: AWS::Lambda::Function Metadata: cfn_nag: rules_to_suppress: - id: W58 reason: "Permissions granted, CFN_Nag not parsing correctly?" - id: W89 reason: "Not applicable for use case" - id: W92 reason: "Not applicable for use case" Properties: TracingConfig: Mode: Active Runtime: python3.9 Timeout: 15 Role: !GetAtt ConfigureShieldLambdaRole.Arn Handler: shield/enableConfigure/lambda/index.lambda_handler Code: S3Bucket: !Sub "${CodeS3BucketPrefix}-${AWS::Region}" S3Key: !Ref CodeS3Key