// Jest Snapshot v1, https://goo.gl/fbAQLP exports[`BLEAFSI-BASE Compare Snapshot test GuestAccount Stacks 1`] = ` { "Mappings": { "DefaultCrNodeVersionMap": { "af-south-1": { "value": "nodejs16.x", }, "ap-east-1": { "value": "nodejs16.x", }, "ap-northeast-1": { "value": "nodejs16.x", }, "ap-northeast-2": { "value": "nodejs16.x", }, "ap-northeast-3": { "value": "nodejs16.x", }, "ap-south-1": { "value": "nodejs16.x", }, "ap-south-2": { "value": "nodejs16.x", }, "ap-southeast-1": { "value": "nodejs16.x", }, "ap-southeast-2": { "value": "nodejs16.x", }, "ap-southeast-3": { "value": "nodejs16.x", }, "ca-central-1": { "value": "nodejs16.x", }, "cn-north-1": { "value": "nodejs16.x", }, "cn-northwest-1": { "value": "nodejs16.x", }, "eu-central-1": { "value": "nodejs16.x", }, "eu-central-2": { "value": "nodejs16.x", }, "eu-north-1": { "value": "nodejs16.x", }, "eu-south-1": { "value": "nodejs16.x", }, "eu-south-2": { "value": "nodejs16.x", }, "eu-west-1": { "value": "nodejs16.x", }, "eu-west-2": { "value": "nodejs16.x", }, "eu-west-3": { "value": "nodejs16.x", }, "me-central-1": { "value": "nodejs16.x", }, "me-south-1": { "value": "nodejs16.x", }, "sa-east-1": { "value": "nodejs16.x", }, "us-east-1": { "value": "nodejs16.x", }, "us-east-2": { "value": "nodejs16.x", }, "us-gov-east-1": { "value": "nodejs16.x", }, "us-gov-west-1": { "value": "nodejs16.x", }, "us-iso-east-1": { "value": "nodejs14.x", }, "us-iso-west-1": { "value": "nodejs14.x", }, "us-isob-east-1": { "value": "nodejs14.x", }, "us-west-1": { "value": "nodejs16.x", }, "us-west-2": { "value": "nodejs16.x", }, }, }, "Outputs": { "SSMSessionManagerLogBucket": { "Description": "Bucket for SSM Session Manager Log Bucket", "Value": { "Ref": "SessionManagerLogBucket06607CB7", }, }, }, "Parameters": { "BootstrapVersion": { "Default": "/cdk-bootstrap/hnb659fds/version", "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]", "Type": "AWS::SSM::Parameter::Value", }, }, "Resources": { "CloudTrailA62D711D": { "DependsOn": [ "CloudTrailBucketPolicyAC26EA97", "CloudTrailLogsRoleDefaultPolicyD9019B15", "CloudTrailLogsRole9F6E6663", ], "Properties": { "CloudWatchLogsLogGroupArn": { "Fn::GetAtt": [ "CloudTrailLogGroup2F0A1829", "Arn", ], }, "CloudWatchLogsRoleArn": { "Fn::GetAtt": [ "CloudTrailLogsRole9F6E6663", "Arn", ], }, "EnableLogFileValidation": true, "EventSelectors": [], "IncludeGlobalServiceEvents": true, "IsLogging": true, "IsMultiRegionTrail": true, "KMSKeyId": { "Fn::GetAtt": [ "CloudTrailKmsKeyED651FAE", "Arn", ], }, "S3BucketName": { "Ref": "CloudTrailBucketDFB11A28", }, }, "Type": "AWS::CloudTrail::Trail", }, "CloudTrailBucketAccessLogsAutoDeleteObjectsCustomResource9415F946": { "DeletionPolicy": "Delete", "DependsOn": [ "CloudTrailBucketAccessLogsPolicy90AE4727", ], "Properties": { "BucketName": { "Ref": "CloudTrailBucketAccessLogsF0177B6B", }, "ServiceToken": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", "Arn", ], }, }, "Type": "Custom::S3AutoDeleteObjects", "UpdateReplacePolicy": "Delete", }, "CloudTrailBucketAccessLogsF0177B6B": { "DeletionPolicy": "Delete", "Properties": { "AccessControl": "LogDeliveryWrite", "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256", }, }, ], }, "BucketName": { "Fn::Join": [ "", [ "bleafsi-base-trail-log-", { "Ref": "AWS::AccountId", }, "-logs", ], ], }, "LifecycleConfiguration": { "Rules": [ { "ExpirationInDays": 2555, "Status": "Enabled", "Transitions": [ { "StorageClass": "GLACIER", "TransitionInDays": 90, }, ], }, ], }, "OwnershipControls": { "Rules": [ { "ObjectOwnership": "ObjectWriter", }, ], }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true, }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", "Value": "true", }, ], "VersioningConfiguration": { "Status": "Enabled", }, }, "Type": "AWS::S3::Bucket", "UpdateReplacePolicy": "Delete", }, "CloudTrailBucketAccessLogsPolicy90AE4727": { "Properties": { "Bucket": { "Ref": "CloudTrailBucketAccessLogsF0177B6B", }, "PolicyDocument": { "Statement": [ { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": "false", }, }, "Effect": "Deny", "Principal": { "AWS": "*", }, "Resource": [ { "Fn::GetAtt": [ "CloudTrailBucketAccessLogsF0177B6B", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "CloudTrailBucketAccessLogsF0177B6B", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn", ], }, }, "Resource": [ { "Fn::GetAtt": [ "CloudTrailBucketAccessLogsF0177B6B", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "CloudTrailBucketAccessLogsF0177B6B", "Arn", ], }, "/*", ], ], }, ], }, { "Action": "s3:DeleteObject", "Effect": "Deny", "Principal": { "AWS": "*", }, "Resource": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "CloudTrailBucketAccessLogsF0177B6B", "Arn", ], }, "/*", ], ], }, "Sid": "Restrict Delete* Actions", }, ], "Version": "2012-10-17", }, }, "Type": "AWS::S3::BucketPolicy", }, "CloudTrailBucketAutoDeleteObjectsCustomResource4777BE67": { "DeletionPolicy": "Delete", "DependsOn": [ "CloudTrailBucketPolicyAC26EA97", ], "Properties": { "BucketName": { "Ref": "CloudTrailBucketDFB11A28", }, "ServiceToken": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", "Arn", ], }, }, "Type": "Custom::S3AutoDeleteObjects", "UpdateReplacePolicy": "Delete", }, "CloudTrailBucketDFB11A28": { "DeletionPolicy": "Delete", "Properties": { "AccessControl": "Private", "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256", }, }, ], }, "BucketName": { "Fn::Join": [ "", [ "bleafsi-base-trail-log-", { "Ref": "AWS::AccountId", }, ], ], }, "LifecycleConfiguration": { "Rules": [ { "ExpirationInDays": 180, "Status": "Enabled", }, ], }, "LoggingConfiguration": { "DestinationBucketName": { "Ref": "CloudTrailBucketAccessLogsF0177B6B", }, "LogFilePrefix": "cloudtraillogs", }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true, }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", "Value": "true", }, ], "VersioningConfiguration": { "Status": "Enabled", }, }, "Type": "AWS::S3::Bucket", "UpdateReplacePolicy": "Delete", }, "CloudTrailBucketPolicyAC26EA97": { "Properties": { "Bucket": { "Ref": "CloudTrailBucketDFB11A28", }, "PolicyDocument": { "Statement": [ { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": "false", }, }, "Effect": "Deny", "Principal": { "AWS": "*", }, "Resource": [ { "Fn::GetAtt": [ "CloudTrailBucketDFB11A28", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "CloudTrailBucketDFB11A28", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn", ], }, }, "Resource": [ { "Fn::GetAtt": [ "CloudTrailBucketDFB11A28", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "CloudTrailBucketDFB11A28", "Arn", ], }, "/*", ], ], }, ], }, { "Action": "s3:GetBucketAcl", "Effect": "Allow", "Principal": { "Service": "cloudtrail.amazonaws.com", }, "Resource": { "Fn::GetAtt": [ "CloudTrailBucketDFB11A28", "Arn", ], }, }, { "Action": "s3:PutObject", "Condition": { "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control", }, }, "Effect": "Allow", "Principal": { "Service": "cloudtrail.amazonaws.com", }, "Resource": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "CloudTrailBucketDFB11A28", "Arn", ], }, "/AWSLogs/", { "Ref": "AWS::AccountId", }, "/*", ], ], }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::S3::BucketPolicy", }, "CloudTrailKmsKeyED651FAE": { "DeletionPolicy": "Retain", "Properties": { "Description": "BLEAFSI GovernanceBase: Used for CloudTrail Logs Encryption", "EnableKeyRotation": true, "KeyPolicy": { "Statement": [ { "Action": "kms:*", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":root", ], ], }, }, "Resource": "*", }, { "Action": "kms:GenerateDataKey*", "Condition": { "StringLike": { "kms:EncryptionContext:aws:cloudtrail:arn": [ { "Fn::Join": [ "", [ "arn:aws:cloudtrail:*:", { "Ref": "AWS::AccountId", }, ":trail/*", ], ], }, ], }, }, "Effect": "Allow", "Principal": { "Service": "cloudtrail.amazonaws.com", }, "Resource": "*", }, { "Action": "kms:DescribeKey", "Effect": "Allow", "Principal": { "Service": "cloudtrail.amazonaws.com", }, "Resource": "*", }, { "Action": [ "kms:Decrypt", "kms:ReEncryptFrom", ], "Condition": { "StringEquals": { "kms:CallerAccount": { "Ref": "AWS::AccountId", }, }, "StringLike": { "kms:EncryptionContext:aws:cloudtrail:arn": [ { "Fn::Join": [ "", [ "arn:aws:cloudtrail:*:", { "Ref": "AWS::AccountId", }, ":trail/*", ], ], }, ], }, }, "Effect": "Allow", "Principal": { "AWS": "*", }, "Resource": "*", }, { "Action": [ "kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Describe*", ], "Condition": { "ArnEquals": { "kms:EncryptionContext:aws:logs:arn": { "Fn::Join": [ "", [ "arn:aws:logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:*", ], ], }, }, }, "Effect": "Allow", "Principal": { "Service": { "Fn::Join": [ "", [ "logs.", { "Ref": "AWS::Region", }, ".", { "Ref": "AWS::URLSuffix", }, ], ], }, }, "Resource": "*", }, ], "Version": "2012-10-17", }, }, "Type": "AWS::KMS::Key", "UpdateReplacePolicy": "Retain", }, "CloudTrailLogGroup2F0A1829": { "DeletionPolicy": "Retain", "Properties": { "KmsKeyId": { "Fn::GetAtt": [ "CloudTrailKmsKeyED651FAE", "Arn", ], }, "RetentionInDays": 90, }, "Type": "AWS::Logs::LogGroup", "UpdateReplacePolicy": "Retain", }, "CloudTrailLogsRole9F6E6663": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "cloudtrail.amazonaws.com", }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "CloudTrailLogsRoleDefaultPolicyD9019B15": { "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "logs:PutLogEvents", "logs:CreateLogStream", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "CloudTrailLogGroup2F0A1829", "Arn", ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "CloudTrailLogsRoleDefaultPolicyD9019B15", "Roles": [ { "Ref": "CloudTrailLogsRole9F6E6663", }, ], }, "Type": "AWS::IAM::Policy", }, "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F": { "DependsOn": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", ], "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "S3Key": "64267bdade6530c78c99e1df05c9336e81c8dad82fdb06133ee90f7390f69d26.zip", }, "Description": { "Fn::Join": [ "", [ "Lambda function for auto-deleting objects in ", { "Ref": "CloudTrailBucketAccessLogsF0177B6B", }, " S3 bucket.", ], ], }, "Handler": "index.handler", "MemorySize": 128, "Role": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn", ], }, "Runtime": "nodejs16.x", "Timeout": 900, }, "Type": "AWS::Lambda::Function", }, "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "ManagedPolicyArns": [ { "Fn::Sub": "arn:\${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", }, ], }, "Type": "AWS::IAM::Role", }, "IamSampleIamAdminGroup19652A7C": { "Properties": { "ManagedPolicyArns": [ { "Ref": "IamSampleIamAdminRolePolicy4CCA8928", }, ], }, "Type": "AWS::IAM::Group", }, "IamSampleIamAdminRole90E34260": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "ManagedPolicyArns": [ { "Ref": "IamSampleIamAdminRolePolicy4CCA8928", }, ], }, "Type": "AWS::IAM::Role", }, "IamSampleIamAdminRolePolicy4CCA8928": { "Properties": { "Description": "", "Path": "/", "PolicyDocument": { "Statement": [ { "Action": "iam:*", "Condition": { "Bool": { "aws:MultiFactorAuthPresent": "true", }, }, "Effect": "Allow", "Resource": "*", }, { "Action": "aws-portal:*Billing", "Effect": "Deny", "Resource": "*", }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::ManagedPolicy", }, "IamSampleInstanceOpsGroup8B030A9F": { "Properties": { "ManagedPolicyArns": [ { "Ref": "IamSampleInstanceOpsRolePolicyDCCC71C1", }, ], }, "Type": "AWS::IAM::Group", }, "IamSampleInstanceOpsRoleEE82A10D": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "ManagedPolicyArns": [ { "Ref": "IamSampleInstanceOpsRolePolicyDCCC71C1", }, ], }, "Type": "AWS::IAM::Role", }, "IamSampleInstanceOpsRolePolicyDCCC71C1": { "Properties": { "Description": "", "Path": "/", "PolicyDocument": { "Statement": [ { "Action": "ec2:*", "Effect": "Allow", "Resource": "*", }, { "Action": "elasticloadbalancing:*", "Effect": "Allow", "Resource": "*", }, { "Action": "cloudwatch:*", "Effect": "Allow", "Resource": "*", }, { "Action": "autoscaling:*", "Effect": "Allow", "Resource": "*", }, { "Action": [ "ec2:CreateVpc*", "ec2:DeleteVpc*", "ec2:ModifyVpc*", "ec2:CreateSubnet*", "ec2:DeleteSubnet*", "ec2:ModifySubnet*", "ec2:Create*Route*", "ec2:DeleteRoute*", "ec2:AssociateRoute*", "ec2:ReplaceRoute*", "ec2:CreateVpn*", "ec2:DeleteVpn*", "ec2:AttachVpn*", "ec2:DetachVpn*", "ec2:CreateNetworkAcl*", "ec2:DeleteNetworkAcl*", "ec2:ReplaceNetworkAcl*", "ec2:*Gateway*", "ec2:*PeeringConnection*", ], "Effect": "Deny", "Resource": "*", }, { "Action": "aws-portal:*Billing", "Effect": "Deny", "Resource": "*", }, { "Action": [ "kms:Create*", "kms:Revoke*", "kms:Enable*", "kms:Get*", "kms:Disable*", "kms:Delete*", "kms:Put*", "kms:Update*", ], "Effect": "Deny", "Resource": "*", }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::ManagedPolicy", }, "IamSampleReadOnlyAdminGroupD167C5A0": { "Properties": { "ManagedPolicyArns": [ { "Ref": "IamSampleReadOnlyAdminRolePolicyF58E518D", }, ], }, "Type": "AWS::IAM::Group", }, "IamSampleReadOnlyAdminRole24925F77": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "ManagedPolicyArns": [ { "Ref": "IamSampleReadOnlyAdminRolePolicyF58E518D", }, ], }, "Type": "AWS::IAM::Role", }, "IamSampleReadOnlyAdminRolePolicyF58E518D": { "Properties": { "Description": "", "Path": "/", "PolicyDocument": { "Statement": [ { "Action": [ "appstream:Get*", "autoscaling:Describe*", "cloudformation:DescribeStacks", "cloudformation:DescribeStackEvents", "cloudformation:DescribeStackResource", "cloudformation:DescribeStackResources", "cloudformation:GetTemplate", "cloudformation:List*", "cloudfront:Get*", "cloudfront:List*", "cloudtrail:DescribeTrails", "cloudtrail:GetTrailStatus", "cloudwatch:Describe*", "cloudwatch:Get*", "cloudwatch:List*", "directconnect:Describe*", "dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query", "dynamodb:Scan", "dynamodb:DescribeTable", "dynamodb:ListTables", "ec2:Describe*", "elasticache:Describe*", "elasticbeanstalk:Check*", "elasticbeanstalk:Describe*", "elasticbeanstalk:List*", "elasticbeanstalk:RequestEnvironmentInfo", "elasticbeanstalk:RetrieveEnvironmentInfo", "elasticloadbalancing:Describe*", "elastictranscoder:Read*", "elastictranscoder:List*", "iam:List*", "iam:Get*", "kinesis:Describe*", "kinesis:Get*", "kinesis:List*", "opsworks:Describe*", "opsworks:Get*", "route53:Get*", "route53:List*", "redshift:Describe*", "redshift:ViewQueriesInConsole", "rds:Describe*", "rds:ListTagsForResource", "s3:Get*", "s3:List*", "sdb:GetAttributes", "sdb:List*", "sdb:Select*", "ses:Get*", "ses:List*", "sns:Get*", "sns:List*", "sqs:GetQueueAttributes", "sqs:ListQueues", "sqs:ReceiveMessage", "storagegateway:List*", "storagegateway:Describe*", "trustedadvisor:Describe*", ], "Effect": "Allow", "Resource": "*", }, { "Action": "aws-portal:*Billing", "Effect": "Deny", "Resource": "*", }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::ManagedPolicy", }, "IamSampleSysAdminGroup9E405E05": { "Properties": { "ManagedPolicyArns": [ { "Ref": "IamSampleSysAdminRolePolicy1D5A763B", }, ], }, "Type": "AWS::IAM::Group", }, "IamSampleSysAdminRole0CA7C8F4": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "ManagedPolicyArns": [ { "Ref": "IamSampleSysAdminRolePolicy1D5A763B", }, ], }, "Type": "AWS::IAM::Role", }, "IamSampleSysAdminRolePolicy1D5A763B": { "Properties": { "Description": "", "Path": "/", "PolicyDocument": { "Statement": [ { "Condition": { "Bool": { "aws:MultiFactorAuthPresent": "true", }, }, "Effect": "Allow", "NotAction": "iam:*", "Resource": "*", }, { "Action": "aws-portal:*Billing", "Effect": "Deny", "Resource": "*", }, { "Action": [ "cloudtrail:DeleteTrail", "cloudtrail:StopLogging", "cloudtrail:UpdateTrail", ], "Effect": "Deny", "Resource": "*", }, { "Action": [ "kms:Create*", "kms:Revoke*", "kms:Enable*", "kms:Get*", "kms:Disable*", "kms:Delete*", "kms:Put*", "kms:Update*", ], "Effect": "Deny", "Resource": "*", }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::ManagedPolicy", }, "SecurityAlarmCWAlarmCWAlarmIAMPolicyChanged1B8AAF50": { "Properties": { "ActionsEnabled": true, "AlarmActions": [ { "Ref": "SecurityAlarmSnsTopic5FB6FA74", }, ], "AlarmDescription": "IAM Configuration changes detected!", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "MetricName": "IAMPolicyEventCount", "Namespace": "CloudTrailMetrics", "Period": 300, "Statistic": "Sum", "Threshold": 1, }, "Type": "AWS::CloudWatch::Alarm", }, "SecurityAlarmCWAlarmCWAlarmNewAccessKeyCreatedA7EFB97C": { "Properties": { "ActionsEnabled": true, "AlarmActions": [ { "Ref": "SecurityAlarmSnsTopic5FB6FA74", }, ], "AlarmDescription": "Warning: New IAM access Eey was created. Please be sure this action was neccessary.", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "MetricName": "NewAccessKeyCreatedEventCount", "Namespace": "CloudTrailMetrics", "Period": 300, "Statistic": "Sum", "Threshold": 1, }, "Type": "AWS::CloudWatch::Alarm", }, "SecurityAlarmCWAlarmCWAlarmRootUserActivity3082001F": { "Properties": { "ActionsEnabled": true, "AlarmActions": [ { "Ref": "SecurityAlarmSnsTopic5FB6FA74", }, ], "AlarmDescription": "Root user activity detected!", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "MetricName": "RootUserPolicyEventCount", "Namespace": "CloudTrailMetrics", "Period": 300, "Statistic": "Sum", "Threshold": 1, }, "Type": "AWS::CloudWatch::Alarm", }, "SecurityAlarmCWAlarmCWAlarmUnauthorizedAttemptsD32F0C9F": { "Properties": { "ActionsEnabled": true, "AlarmActions": [ { "Ref": "SecurityAlarmSnsTopic5FB6FA74", }, ], "AlarmDescription": "Multiple unauthorized actions or logins attempted!", "ComparisonOperator": "GreaterThanOrEqualToThreshold", "DatapointsToAlarm": 1, "EvaluationPeriods": 1, "MetricName": "UnauthorizedAttemptsEventCount", "Namespace": "CloudTrailMetrics", "Period": 300, "Statistic": "Sum", "Threshold": 5, }, "Type": "AWS::CloudWatch::Alarm", }, "SecurityAlarmCWAlarmMetricFilterIAMPolicyChanged02F8116B": { "Properties": { "FilterPattern": "{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}", "LogGroupName": { "Ref": "CloudTrailLogGroup2F0A1829", }, "MetricTransformations": [ { "MetricName": "IAMPolicyEventCount", "MetricNamespace": "CloudTrailMetrics", "MetricValue": "1", }, ], }, "Type": "AWS::Logs::MetricFilter", }, "SecurityAlarmCWAlarmMetricFilterNewAccessKeyCreated6011CDC8": { "Properties": { "FilterPattern": "{($.eventName=CreateAccessKey)}", "LogGroupName": { "Ref": "CloudTrailLogGroup2F0A1829", }, "MetricTransformations": [ { "MetricName": "NewAccessKeyCreatedEventCount", "MetricNamespace": "CloudTrailMetrics", "MetricValue": "1", }, ], }, "Type": "AWS::Logs::MetricFilter", }, "SecurityAlarmCWAlarmMetricFilterRootUserActivity215F97D8": { "Properties": { "FilterPattern": "{$.userIdentity.type="Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType !="AwsServiceEvent"}", "LogGroupName": { "Ref": "CloudTrailLogGroup2F0A1829", }, "MetricTransformations": [ { "MetricName": "RootUserPolicyEventCount", "MetricNamespace": "CloudTrailMetrics", "MetricValue": "1", }, ], }, "Type": "AWS::Logs::MetricFilter", }, "SecurityAlarmCWAlarmMetricFilterUnauthorizedAttempts4507C6FF": { "Properties": { "FilterPattern": "{($.errorCode=AccessDenied)||($.errorCode=UnauthorizedOperation)}", "LogGroupName": { "Ref": "CloudTrailLogGroup2F0A1829", }, "MetricTransformations": [ { "MetricName": "UnauthorizedAttemptsEventCount", "MetricNamespace": "CloudTrailMetrics", "MetricValue": "1", }, ], }, "Type": "AWS::Logs::MetricFilter", }, "SecurityAlarmEventBridgeRulesAWSHealthEvent415EB94C": { "Properties": { "Description": "Notify AWS Health event", "EventPattern": { "detail-type": [ "AWS Health Event", ], "source": [ "aws.health", ], }, "State": "ENABLED", "Targets": [ { "Arn": { "Ref": "SecurityAlarmSnsTopic5FB6FA74", }, "Id": "Target0", }, ], }, "Type": "AWS::Events::Rule", }, "SecurityAlarmEventBridgeRulesCloudTrailChanged5A202848": { "Properties": { "Description": "Notify to change on CloudTrail log configuration", "EventPattern": { "detail": { "eventName": [ "StopLogging", "DeleteTrail", "UpdateTrail", ], "eventSource": [ "cloudtrail.amazonaws.com", ], }, "detail-type": [ "AWS API Call via CloudTrail", ], }, "State": "ENABLED", "Targets": [ { "Arn": { "Ref": "SecurityAlarmSnsTopic5FB6FA74", }, "Id": "Target0", }, ], }, "Type": "AWS::Events::Rule", }, "SecurityAlarmEventBridgeRulesConfigRuleComplianceChage836003B4": { "Properties": { "Description": "EventBridge Event Rule to send notification on Config Rule compliance changes.", "EventPattern": { "detail": { "configRuleName": [ "bb-default-security-group-closed", ], "newEvaluationResult": { "complianceType": [ "NON_COMPLIANT", ], }, }, "detail-type": [ "Config Rules Compliance Change", ], "source": [ "aws.config", ], }, "State": "ENABLED", "Targets": [ { "Arn": { "Ref": "SecurityAlarmSnsTopic5FB6FA74", }, "Id": "Target0", }, ], }, "Type": "AWS::Events::Rule", }, "SecurityAlarmEventBridgeRulesGuardDutyFindingsA03F9E1E": { "Properties": { "Description": "EventBridge Event Rule to send notification on GuardDuty findings.", "EventPattern": { "detail": { "severity": [ 4, 4, 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9, 5, 5, 5.1, 5.2, 5.3, 5.4, 5.5, 5.6, 5.7, 5.8, 5.9, 6, 6, 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8, 6.9, 7, 7, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9, 8, 8, 8.1, 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, 8.8, 8.9, ], }, "detail-type": [ "GuardDuty Finding", ], "source": [ "aws.guardduty", ], }, "State": "ENABLED", "Targets": [ { "Arn": { "Ref": "SecurityAlarmSnsTopic5FB6FA74", }, "Id": "Target0", }, ], }, "Type": "AWS::Events::Rule", }, "SecurityAlarmEventBridgeRulesNACLChangedBD2B4099": { "Properties": { "Description": "Notify to create, update or delete a Network ACL.", "EventPattern": { "detail": { "eventName": [ "CreateNetworkAcl", "CreateNetworkAclEntry", "DeleteNetworkAcl", "DeleteNetworkAclEntry", "ReplaceNetworkAclEntry", "ReplaceNetworkAclAssociation", ], "eventSource": [ "ec2.amazonaws.com", ], }, "detail-type": [ "AWS API Call via CloudTrail", ], "source": [ "aws.ec2", ], }, "State": "ENABLED", "Targets": [ { "Arn": { "Ref": "SecurityAlarmSnsTopic5FB6FA74", }, "Id": "Target0", }, ], }, "Type": "AWS::Events::Rule", }, "SecurityAlarmEventBridgeRulesSecurityGroupChanged596D92F7": { "Properties": { "Description": "Notify to create, update or delete a Security Group.", "EventPattern": { "detail": { "eventName": [ "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress", "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress", ], "eventSource": [ "ec2.amazonaws.com", ], }, "detail-type": [ "AWS API Call via CloudTrail", ], "source": [ "aws.ec2", ], }, "State": "ENABLED", "Targets": [ { "Arn": { "Ref": "SecurityAlarmSnsTopic5FB6FA74", }, "Id": "Target0", }, ], }, "Type": "AWS::Events::Rule", }, "SecurityAlarmEventBridgeRulesSecurityHubFindings3FFD9915": { "Properties": { "Description": "EventBridge Event Rule to send notification on SecurityHub all new findings and all updates.", "EventPattern": { "detail": { "findings": { "Compliance": { "Status": [ "FAILED", ], }, "RecordState": [ "ACTIVE", ], "Severity": { "Label": [ "CRITICAL", "HIGH", ], }, "Workflow": { "Status": [ "NEW", "NOTIFIED", ], }, }, }, "detail-type": [ "Security Hub Findings - Imported", ], "source": [ "aws.securityhub", ], }, "State": "ENABLED", "Targets": [ { "Arn": { "Ref": "SecurityAlarmSnsTopic5FB6FA74", }, "Id": "Target0", }, ], }, "Type": "AWS::Events::Rule", }, "SecurityAlarmSnsTopic5FB6FA74": { "Type": "AWS::SNS::Topic", }, "SecurityAlarmSnsTopicEmailSubscription54ED555A": { "Properties": { "Endpoint": "dummy@amazon.co.jp", "Protocol": "email", "TopicArn": { "Ref": "SecurityAlarmSnsTopic5FB6FA74", }, }, "Type": "AWS::SNS::Subscription", }, "SecurityAlarmSnsTopicPolicyBC7FEC42": { "Properties": { "PolicyDocument": { "Statement": [ { "Action": "sns:Publish", "Effect": "Allow", "Principal": { "Service": "cloudwatch.amazonaws.com", }, "Resource": { "Ref": "SecurityAlarmSnsTopic5FB6FA74", }, "Sid": "0", }, { "Action": "SNS:Publish", "Condition": { "Bool": { "aws:SecureTransport": false, }, }, "Effect": "Deny", "Principal": { "AWS": "*", }, "Resource": { "Ref": "SecurityAlarmSnsTopic5FB6FA74", }, "Sid": "AllowPublishThroughSSLOnly", }, { "Action": "sns:Publish", "Effect": "Allow", "Principal": { "Service": "events.amazonaws.com", }, "Resource": { "Ref": "SecurityAlarmSnsTopic5FB6FA74", }, "Sid": "2", }, ], "Version": "2012-10-17", }, "Topics": [ { "Ref": "SecurityAlarmSnsTopic5FB6FA74", }, ], }, "Type": "AWS::SNS::TopicPolicy", }, "SecurityAutoRemediationC46F4139": { "Properties": { "Automatic": true, "ConfigRuleName": { "Ref": "SecurityAutoRemediationConfigRule6784E32F", }, "MaximumAutomaticAttempts": 5, "Parameters": { "AutomationAssumeRole": { "StaticValue": { "Values": [ { "Fn::GetAtt": [ "SecurityAutoRemediationIamRole5ED446EC", "Arn", ], }, ], }, }, "GroupId": { "ResourceValue": { "Value": "RESOURCE_ID", }, }, }, "RetryAttemptSeconds": 60, "TargetId": "AWSConfigRemediation-RemoveVPCDefaultSecurityGroupRules", "TargetType": "SSM_DOCUMENT", "TargetVersion": "1", }, "Type": "AWS::Config::RemediationConfiguration", }, "SecurityAutoRemediationConfigRule6784E32F": { "Properties": { "ConfigRuleName": "bb-default-security-group-closed", "Description": "Checks that the default security group of any Amazon Virtual Private Cloud (VPC) does not allow inbound or outbound traffic. The rule is non-compliant if the default security group has one or more inbound or outbound traffic.", "Scope": { "ComplianceResourceTypes": [ "AWS::EC2::SecurityGroup", ], }, "Source": { "Owner": "AWS", "SourceIdentifier": "VPC_DEFAULT_SECURITY_GROUP_CLOSED", }, }, "Type": "AWS::Config::ConfigRule", }, "SecurityAutoRemediationIamRole5ED446EC": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "ManagedPolicyArns": [ "arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole", ], "Path": "/", }, "Type": "AWS::IAM::Role", }, "SecurityAutoRemediationIamRoleDefaultPolicy14E21D3C": { "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ec2:RevokeSecurityGroupIngress", "ec2:RevokeSecurityGroupEgress", "ec2:DescribeSecurityGroups", ], "Effect": "Allow", "Resource": "*", }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "SecurityAutoRemediationIamRole5ED446EC", "Arn", ], }, }, { "Action": "ssm:StartAutomationExecution", "Effect": "Allow", "Resource": "arn:aws:ssm:::automation-definition/AWSConfigRemediation-RemoveVPCDefaultSecurityGroupRules", }, ], "Version": "2012-10-17", }, "PolicyName": "SecurityAutoRemediationIamRoleDefaultPolicy14E21D3C", "Roles": [ { "Ref": "SecurityAutoRemediationIamRole5ED446EC", }, ], }, "Type": "AWS::IAM::Policy", }, "SessionManagerLogBucket06607CB7": { "DeletionPolicy": "Delete", "Properties": { "AccessControl": "Private", "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256", }, }, ], }, "BucketName": { "Fn::Join": [ "", [ "bleafsi-base-sm-auditlog-", { "Ref": "AWS::AccountId", }, ], ], }, "LoggingConfiguration": { "DestinationBucketName": { "Ref": "SessionManagerLogBucketAccessLogs0616B159", }, }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true, }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", "Value": "true", }, ], "VersioningConfiguration": { "Status": "Enabled", }, }, "Type": "AWS::S3::Bucket", "UpdateReplacePolicy": "Delete", }, "SessionManagerLogBucketAccessLogs0616B159": { "DeletionPolicy": "Delete", "Properties": { "AccessControl": "LogDeliveryWrite", "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256", }, }, ], }, "BucketName": { "Fn::Join": [ "", [ "bleafsi-base-sm-auditlog-", { "Ref": "AWS::AccountId", }, "-logs", ], ], }, "LifecycleConfiguration": { "Rules": [ { "ExpirationInDays": 2555, "Status": "Enabled", "Transitions": [ { "StorageClass": "GLACIER", "TransitionInDays": 90, }, ], }, ], }, "OwnershipControls": { "Rules": [ { "ObjectOwnership": "ObjectWriter", }, ], }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true, }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", "Value": "true", }, ], "VersioningConfiguration": { "Status": "Enabled", }, }, "Type": "AWS::S3::Bucket", "UpdateReplacePolicy": "Delete", }, "SessionManagerLogBucketAccessLogsAutoDeleteObjectsCustomResourceCB584BA2": { "DeletionPolicy": "Delete", "DependsOn": [ "SessionManagerLogBucketAccessLogsPolicy779064AF", ], "Properties": { "BucketName": { "Ref": "SessionManagerLogBucketAccessLogs0616B159", }, "ServiceToken": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", "Arn", ], }, }, "Type": "Custom::S3AutoDeleteObjects", "UpdateReplacePolicy": "Delete", }, "SessionManagerLogBucketAccessLogsPolicy779064AF": { "Properties": { "Bucket": { "Ref": "SessionManagerLogBucketAccessLogs0616B159", }, "PolicyDocument": { "Statement": [ { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": "false", }, }, "Effect": "Deny", "Principal": { "AWS": "*", }, "Resource": [ { "Fn::GetAtt": [ "SessionManagerLogBucketAccessLogs0616B159", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "SessionManagerLogBucketAccessLogs0616B159", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn", ], }, }, "Resource": [ { "Fn::GetAtt": [ "SessionManagerLogBucketAccessLogs0616B159", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "SessionManagerLogBucketAccessLogs0616B159", "Arn", ], }, "/*", ], ], }, ], }, { "Action": "s3:DeleteObject", "Effect": "Deny", "Principal": { "AWS": "*", }, "Resource": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "SessionManagerLogBucketAccessLogs0616B159", "Arn", ], }, "/*", ], ], }, "Sid": "Restrict Delete* Actions", }, ], "Version": "2012-10-17", }, }, "Type": "AWS::S3::BucketPolicy", }, "SessionManagerLogBucketAutoDeleteObjectsCustomResource88CAB925": { "DeletionPolicy": "Delete", "DependsOn": [ "SessionManagerLogBucketPolicy2B270762", ], "Properties": { "BucketName": { "Ref": "SessionManagerLogBucket06607CB7", }, "ServiceToken": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", "Arn", ], }, }, "Type": "Custom::S3AutoDeleteObjects", "UpdateReplacePolicy": "Delete", }, "SessionManagerLogBucketPolicy2B270762": { "Properties": { "Bucket": { "Ref": "SessionManagerLogBucket06607CB7", }, "PolicyDocument": { "Statement": [ { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": "false", }, }, "Effect": "Deny", "Principal": { "AWS": "*", }, "Resource": [ { "Fn::GetAtt": [ "SessionManagerLogBucket06607CB7", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "SessionManagerLogBucket06607CB7", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn", ], }, }, "Resource": [ { "Fn::GetAtt": [ "SessionManagerLogBucket06607CB7", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "SessionManagerLogBucket06607CB7", "Arn", ], }, "/*", ], ], }, ], }, { "Action": "s3:DeleteObject", "Effect": "Deny", "Principal": { "AWS": "*", }, "Resource": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "SessionManagerLogBucket06607CB7", "Arn", ], }, "/*", ], ], }, "Sid": "Restrict Delete* Actions", }, ], "Version": "2012-10-17", }, }, "Type": "AWS::S3::BucketPolicy", }, "SessionManagerLogWritePolicy068C1E66": { "Properties": { "Description": "", "Path": "/", "PolicyDocument": { "Statement": [ { "Action": [ "s3:PutObjectAcl", "s3:PutObject", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "SessionManagerLogBucket06607CB7", "Arn", ], }, "/AWSLogs/*", ], ], }, }, { "Action": "s3:GetEncryptionConfiguration", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "SessionManagerLogBucket06607CB7", "Arn", ], }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::ManagedPolicy", }, }, "Rules": { "CheckBootstrapVersion": { "Assertions": [ { "Assert": { "Fn::Not": [ { "Fn::Contains": [ [ "1", "2", "3", "4", "5", ], { "Ref": "BootstrapVersion", }, ], }, ], }, "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI.", }, ], }, }, } `;