{
"AWSTemplateFormatVersion": "2010-09-09",
"Parameters": {
"paramVPCId": {
"Type": "String"
},
"paramSNSTopic": {
"Type": "String"
}
},
"Resources": {
"iamRoleLambda": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version" : "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Principal": {
"Service": [ "lambda.amazonaws.com" ]
},
"Action": [ "sts:AssumeRole" ]
} ]
},
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
{ "Ref": "iamManagedPolicyLambdaRole" }
],
"RoleName": "role-DbRestore-awssoldb"
}
},
"iamRoleEc2": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version" : "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Principal": {
"Service": [ "lambda.amazonaws.com" ]
},
"Action": [ "sts:AssumeRole" ]
} ]
},
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
{ "Ref": "iamManagedPolicyEc2Role" }
],
"RoleName": "role-DbRestoreEc2-awssoldb"
}
},
"ec2InstProf": {
"Type": "AWS::IAM::InstanceProfile",
"Properties": {
"Roles": [
{
"Ref": "iamRoleEc2"
}
],
"InstanceProfileName": "ec2InstProf-awssoldb"
}
},
"iamRoleStepFunctions": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version" : "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Principal": {
"Service": [ "states.amazonaws.com" ]
},
"Action": [ "sts:AssumeRole" ]
} ]
},
"ManagedPolicyArns": [
{ "Ref": "iamManagedPolicyStepFunctionsRole" }
],
"RoleName": "StepFunctionsRoleAutomatic-awssoldb"
}
},
"iamManagedPolicyStepFunctionsRole": {
"Type" : "AWS::IAM::ManagedPolicy",
"Properties" : {
"ManagedPolicyName" : "iamManagedPolicyStepFunctionsRole-awssoldb",
"Path": "/",
"PolicyDocument" : {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"lambda:InvokeFunction",
"lambda:InvokeAsync"
],
"Resource": "arn:aws:lambda:*:*:function:*"
}
]
}
}
},
"iamManagedPolicyLambdaRole": {
"Type" : "AWS::IAM::ManagedPolicy",
"Properties" : {
"ManagedPolicyName" : "iamManagedPolicyLambdaRole-awssoldb",
"Path": "/",
"PolicyDocument" : {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"kms:EnableKey",
"kms:ImportKeyMaterial",
"kms:GetPublicKey",
"kms:Decrypt",
"secretsmanager:DescribeSecret",
"kms:GenerateDataKeyWithoutPlaintext",
"kms:Verify",
"kms:CancelKeyDeletion",
"kms:GenerateDataKeyPair",
"secretsmanager:GetSecretValue",
"sns:Publish",
"kms:Encrypt",
"secretsmanager:RotateSecret",
"kms:DescribeKey",
"kms:CreateGrant",
"kms:EnableKeyRotation",
"kms:ListKeyPolicies",
"kms:UpdateKeyDescription",
"dynamodb:PutItem",
"kms:GetKeyPolicy",
"kms:DeleteImportedKeyMaterial",
"kms:GenerateDataKeyPairWithoutPlaintext",
"kms:DisableKey",
"kms:ListGrants",
"kms:UpdateAlias",
"secretsmanager:UpdateSecret",
"kms:GenerateDataKey",
"kms:CreateAlias",
"kms:DeleteAlias",
"secretsmanager:TagResource"
],
"Resource": [
"arn:aws:secretsmanager:*:*:secret:*",
{ "Fn::Sub": "arn:aws:kms:*:${AWS::AccountId}:alias/*" },
{ "Fn::Sub": "arn:aws:kms:*:${AWS::AccountId}:key/*" },
{ "Fn::Sub": "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/dbalignment-awssol" },
{ "Fn::Sub": [ "arn:aws:sns:${AWS::Region}:${AWS::AccountId}:${SNSTopic}", { "SNSTopic": {"Ref" : "paramSNSTopic" }} ]}
]
},
{
"Effect": "Allow",
"Action": [
"ssm:SendCommand",
"rds:RestoreDBClusterFromSnapshot",
"ec2:DescribeInstances",
"secretsmanager:CreateSecret",
"iam:PassRole",
"ec2:DescribeNetworkInterfaces",
"rds:CreateDBInstance",
"rds:DescribeDBInstances",
"rds:ModifyDBInstance",
"s3:DeleteObject",
"rds:DeleteDBCluster",
"rds:RestoreDBClusterToPointInTime",
"rds:DeleteDBInstance",
"rds:AddTagsToResource",
"lambda:InvokeFunction",
"rds:DescribeDBSnapshots",
"ec2:DeleteNetworkInterface",
"sts:*",
"rds:StopDBInstance",
"ssm:GetCommandInvocation",
"ec2:CreateNetworkInterface",
"s3:PutObject",
"s3:GetObject",
"rds:ListTagsForResource",
"rds:RestoreDBInstanceFromDBSnapshot",
"rds:DescribeDBClusterSnapshots",
"rds:ModifyDBCluster",
"rds:CreateDBInstanceReadReplica",
"rds:DescribeDBClusters",
"rds:RestoreDBInstanceToPointInTime"
],
"Resource": "*"
}
]
}
}
},
"iamManagedPolicy0LambdaSecretsManagerRole": {
"Type" : "AWS::IAM::ManagedPolicy",
"Properties" : {
"ManagedPolicyName" : "iamManagedPolicy0LambdaSecretsManagerRole-awssoldb",
"Path": "/",
"PolicyDocument" : {
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:CreateNetworkInterface",
"ec2:DeleteNetworkInterface",
"ec2:DescribeNetworkInterfaces",
"ec2:DetachNetworkInterface"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
}
},
"iamManagedPolicyEc2Role": {
"Type" : "AWS::IAM::ManagedPolicy",
"Properties" : {
"ManagedPolicyName" : "iamManagedPolicyEc2Role-awssoldb",
"Path": "/",
"PolicyDocument" : {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:ListBucket"
],
"Resource": "*"
}
]
}
}
},
"vpcSecurityGroupForDB": {
"Type" : "AWS::EC2::SecurityGroup",
"Properties" : {
"GroupDescription" : "Security group attached to the databases used for testing",
"GroupName" : "RDSSecGrp-awssoldb",
"SecurityGroupIngress" : [
{
"IpProtocol" : "tcp",
"FromPort" : 5433,
"ToPort" : 5433,
"CidrIp" : "0.0.0.0/0"
},
{
"IpProtocol" : "tcp",
"FromPort" : 5434,
"ToPort" : 5434,
"CidrIp" : "0.0.0.0/0"
},
{
"IpProtocol" : "tcp",
"FromPort" : 3307,
"ToPort" : 3307,
"CidrIp" : "0.0.0.0/0"
},
{
"IpProtocol" : "tcp",
"FromPort" : 3308,
"ToPort" : 3308,
"CidrIp" : "0.0.0.0/0"
},
{
"IpProtocol" : "tcp",
"FromPort" : 1522,
"ToPort" : 1522,
"CidrIp" : "0.0.0.0/0"
}
],
"Tags" : [ { "Key": "Name", "Value": "RDSSecGrp-awssoldb" } ],
"VpcId" : { "Ref": "paramVPCId" }
}
},
"vpcSecurityGroupForLambda": {
"Type" : "AWS::EC2::SecurityGroup",
"Properties" : {
"GroupDescription" : "Security group attached to the Lambda functions used to rotate secrets",
"GroupName" : "LambdaSecGrp-awssoldb",
"SecurityGroupIngress" : [
{
"IpProtocol" : "tcp",
"FromPort" : 0,
"ToPort" : 65535,
"SourceSecurityGroupId" : { "Ref": "vpcSecurityGroupForDB" }
}
],
"Tags" : [ { "Key": "Name", "Value": "LambdaSecGrp-awssoldb" } ],
"VpcId" : { "Ref": "paramVPCId" }
}
},
"vpcSecurityGroupForEc2": {
"Type" : "AWS::EC2::SecurityGroup",
"Properties" : {
"GroupDescription" : "Security group attached to the EC2 instance used to run .sql scripts",
"GroupName" : "Ec2SecGrp-awssoldb",
"SecurityGroupIngress" : [
{
"IpProtocol" : "tcp",
"FromPort" : 22,
"ToPort" : 22,
"CidrIp" : "0.0.0.0/0"
}
],
"Tags" : [ { "Key": "Name", "Value": "Ec2SecGrp-awssoldb" } ],
"VpcId" : { "Ref": "paramVPCId" }
}
}
},
"Outputs": {
"vpcSecurityGroupForDB" : {
"Value" : {
"Ref" : "vpcSecurityGroupForDB"
}
},
"vpcSecurityGroupForLambda" : {
"Value" : {
"Ref" : "vpcSecurityGroupForLambda"
}
},
"vpcSecurityGroupForEc2" : {
"Value" : {
"Ref" : "vpcSecurityGroupForEc2"
}
},
"iamRoleLambda" : {
"Value" : {
"Ref" : "iamRoleLambda"
}
},
"ec2InstProf" : {
"Value" : {
"Ref" : "ec2InstProf"
}
},
"iamRoleStepFunctions" : {
"Value" : {
"Ref" : "iamRoleStepFunctions"
}
}
},
"Description": "awssoldb_security"
}