Description: AWS DiGAV Blueprint CDK is an AWS Quick Start that helps companies deploy core AWS Infrastructure with restrictions designed to help them comply with the Digitale Gesundheitsanwendungen-Verordnung (also referred to as DiGAV) standards. (qs-fltrw0ng4) (ib-fltrw0ng4)
Resources:
  VpcCoreProductionD971AE3A:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.50.0.0/16
      EnableDnsHostnames: true
      EnableDnsSupport: true
      InstanceTenancy: default
      Tags:
        - Key: Name
          Value: AwsDiGavBlueprint/VpcCore/Production
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Production/Resource
  VpcCoreProductionDMZSubnet1Subnet8CB63360:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId:
        Ref: VpcCoreProductionD971AE3A
      AvailabilityZone:
        Fn::Select:
          - 0
          - Fn::GetAZs: ""
      CidrBlock: 10.50.0.0/23
      MapPublicIpOnLaunch: true
      Tags:
        - Key: aws-cdk:subnet-name
          Value: DMZ
        - Key: aws-cdk:subnet-type
          Value: Public
        - Key: Name
          Value: AwsDiGavBlueprint/VpcCore/Production/DMZSubnet1
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Production/DMZSubnet1/Subnet
  VpcCoreProductionDMZSubnet1RouteTable93117E8B:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId:
        Ref: VpcCoreProductionD971AE3A
      Tags:
        - Key: Name
          Value: AwsDiGavBlueprint/VpcCore/Production/DMZSubnet1
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Production/DMZSubnet1/RouteTable
  VpcCoreProductionDMZSubnet1RouteTableAssociation4C99EF6F:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId:
        Ref: VpcCoreProductionDMZSubnet1RouteTable93117E8B
      SubnetId:
        Ref: VpcCoreProductionDMZSubnet1Subnet8CB63360
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Production/DMZSubnet1/RouteTableAssociation
  VpcCoreProductionDMZSubnet1DefaultRoute078E8974:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId:
        Ref: VpcCoreProductionDMZSubnet1RouteTable93117E8B
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId:
        Ref: VpcCoreProductionIGW5A93E1A8
    DependsOn:
      - VpcCoreProductionVPCGW30B6BDB2
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Production/DMZSubnet1/DefaultRoute
  VpcCoreProductionDMZSubnet1EIP624812A4:
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc
      Tags:
        - Key: Name
          Value: AwsDiGavBlueprint/VpcCore/Production/DMZSubnet1
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Production/DMZSubnet1/EIP
  VpcCoreProductionDMZSubnet1NATGatewayC224625E:
    Type: AWS::EC2::NatGateway
    Properties:
      SubnetId:
        Ref: VpcCoreProductionDMZSubnet1Subnet8CB63360
      AllocationId:
        Fn::GetAtt:
          - VpcCoreProductionDMZSubnet1EIP624812A4
          - AllocationId
      Tags:
        - Key: Name
          Value: AwsDiGavBlueprint/VpcCore/Production/DMZSubnet1
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Production/DMZSubnet1/NATGateway
  VpcCoreProductionDMZSubnet2Subnet544A7F20:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId:
        Ref: VpcCoreProductionD971AE3A
      AvailabilityZone:
        Fn::Select:
          - 1
          - Fn::GetAZs: ""
      CidrBlock: 10.50.2.0/23
      MapPublicIpOnLaunch: true
      Tags:
        - Key: aws-cdk:subnet-name
          Value: DMZ
        - Key: aws-cdk:subnet-type
          Value: Public
        - Key: Name
          Value: AwsDiGavBlueprint/VpcCore/Production/DMZSubnet2
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Production/DMZSubnet2/Subnet
  VpcCoreProductionDMZSubnet2RouteTable280A8E86:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId:
        Ref: VpcCoreProductionD971AE3A
      Tags:
        - Key: Name
          Value: AwsDiGavBlueprint/VpcCore/Production/DMZSubnet2
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Production/DMZSubnet2/RouteTable
  VpcCoreProductionDMZSubnet2RouteTableAssociation1698D572:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId:
        Ref: VpcCoreProductionDMZSubnet2RouteTable280A8E86
      SubnetId:
        Ref: VpcCoreProductionDMZSubnet2Subnet544A7F20
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Production/DMZSubnet2/RouteTableAssociation
  VpcCoreProductionDMZSubnet2DefaultRoute3F9FD113:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId:
        Ref: VpcCoreProductionDMZSubnet2RouteTable280A8E86
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId:
        Ref: VpcCoreProductionIGW5A93E1A8
    DependsOn:
      - VpcCoreProductionVPCGW30B6BDB2
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Production/DMZSubnet2/DefaultRoute
  VpcCoreProductionApplicationSubnet1SubnetE209B72D:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId:
        Ref: VpcCoreProductionD971AE3A
      AvailabilityZone:
        Fn::Select:
          - 0
          - Fn::GetAZs: ""
      CidrBlock: 10.50.4.0/23
      MapPublicIpOnLaunch: false
      Tags:
        - Key: aws-cdk:subnet-name
          Value: Application
        - Key: aws-cdk:subnet-type
          Value: Private
        - Key: Name
          Value: AwsDiGavBlueprint/VpcCore/Production/ApplicationSubnet1
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Production/ApplicationSubnet1/Subnet
  VpcCoreProductionApplicationSubnet1RouteTableC5D4BB39:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId:
        Ref: VpcCoreProductionD971AE3A
      Tags:
        - Key: Name
          Value: AwsDiGavBlueprint/VpcCore/Production/ApplicationSubnet1
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Production/ApplicationSubnet1/RouteTable
  VpcCoreProductionApplicationSubnet1RouteTableAssociation7EDAC97B:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId:
        Ref: VpcCoreProductionApplicationSubnet1RouteTableC5D4BB39
      SubnetId:
        Ref: VpcCoreProductionApplicationSubnet1SubnetE209B72D
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Production/ApplicationSubnet1/RouteTableAssociation
  VpcCoreProductionApplicationSubnet1DefaultRouteA2D6D34E:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId:
        Ref: VpcCoreProductionApplicationSubnet1RouteTableC5D4BB39
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId:
        Ref: VpcCoreProductionDMZSubnet1NATGatewayC224625E
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Production/ApplicationSubnet1/DefaultRoute
  VpcCoreProductionApplicationSubnet2SubnetFF60B9F3:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId:
        Ref: VpcCoreProductionD971AE3A
      AvailabilityZone:
        Fn::Select:
          - 1
          - Fn::GetAZs: ""
      CidrBlock: 10.50.6.0/23
      MapPublicIpOnLaunch: false
      Tags:
        - Key: aws-cdk:subnet-name
          Value: Application
        - Key: aws-cdk:subnet-type
          Value: Private
        - Key: Name
          Value: AwsDiGavBlueprint/VpcCore/Production/ApplicationSubnet2
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Production/ApplicationSubnet2/Subnet
  VpcCoreProductionApplicationSubnet2RouteTable4DF63A0C:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId:
        Ref: VpcCoreProductionD971AE3A
      Tags:
        - Key: Name
          Value: AwsDiGavBlueprint/VpcCore/Production/ApplicationSubnet2
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Production/ApplicationSubnet2/RouteTable
  VpcCoreProductionApplicationSubnet2RouteTableAssociation7D462ED9:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId:
        Ref: VpcCoreProductionApplicationSubnet2RouteTable4DF63A0C
      SubnetId:
        Ref: VpcCoreProductionApplicationSubnet2SubnetFF60B9F3
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Production/ApplicationSubnet2/RouteTableAssociation
  VpcCoreProductionApplicationSubnet2DefaultRoute115CEEEB:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId:
        Ref: VpcCoreProductionApplicationSubnet2RouteTable4DF63A0C
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId:
        Ref: VpcCoreProductionDMZSubnet1NATGatewayC224625E
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Production/ApplicationSubnet2/DefaultRoute
  VpcCoreProductionDatabaseSubnet1Subnet09EF33D9:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId:
        Ref: VpcCoreProductionD971AE3A
      AvailabilityZone:
        Fn::Select:
          - 0
          - Fn::GetAZs: ""
      CidrBlock: 10.50.8.0/23
      MapPublicIpOnLaunch: false
      Tags:
        - Key: aws-cdk:subnet-name
          Value: Database
        - Key: aws-cdk:subnet-type
          Value: Isolated
        - Key: Name
          Value: AwsDiGavBlueprint/VpcCore/Production/DatabaseSubnet1
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Production/DatabaseSubnet1/Subnet
  VpcCoreProductionDatabaseSubnet1RouteTable4189D151:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId:
        Ref: VpcCoreProductionD971AE3A
      Tags:
        - Key: Name
          Value: AwsDiGavBlueprint/VpcCore/Production/DatabaseSubnet1
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Production/DatabaseSubnet1/RouteTable
  VpcCoreProductionDatabaseSubnet1RouteTableAssociationD1A8D4E9:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId:
        Ref: VpcCoreProductionDatabaseSubnet1RouteTable4189D151
      SubnetId:
        Ref: VpcCoreProductionDatabaseSubnet1Subnet09EF33D9
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Production/DatabaseSubnet1/RouteTableAssociation
  VpcCoreProductionDatabaseSubnet2Subnet128DE8A2:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId:
        Ref: VpcCoreProductionD971AE3A
      AvailabilityZone:
        Fn::Select:
          - 1
          - Fn::GetAZs: ""
      CidrBlock: 10.50.10.0/23
      MapPublicIpOnLaunch: false
      Tags:
        - Key: aws-cdk:subnet-name
          Value: Database
        - Key: aws-cdk:subnet-type
          Value: Isolated
        - Key: Name
          Value: AwsDiGavBlueprint/VpcCore/Production/DatabaseSubnet2
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Production/DatabaseSubnet2/Subnet
  VpcCoreProductionDatabaseSubnet2RouteTable72412D1A:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId:
        Ref: VpcCoreProductionD971AE3A
      Tags:
        - Key: Name
          Value: AwsDiGavBlueprint/VpcCore/Production/DatabaseSubnet2
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Production/DatabaseSubnet2/RouteTable
  VpcCoreProductionDatabaseSubnet2RouteTableAssociation63113979:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId:
        Ref: VpcCoreProductionDatabaseSubnet2RouteTable72412D1A
      SubnetId:
        Ref: VpcCoreProductionDatabaseSubnet2Subnet128DE8A2
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Production/DatabaseSubnet2/RouteTableAssociation
  VpcCoreProductionIGW5A93E1A8:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: AwsDiGavBlueprint/VpcCore/Production
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Production/IGW
  VpcCoreProductionVPCGW30B6BDB2:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId:
        Ref: VpcCoreProductionD971AE3A
      InternetGatewayId:
        Ref: VpcCoreProductionIGW5A93E1A8
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Production/VPCGW
  VpcCoreProductionS39B8E42EB:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      ServiceName:
        Fn::Join:
          - ""
          - - com.amazonaws.
            - Ref: AWS::Region
            - .s3
      VpcId:
        Ref: VpcCoreProductionD971AE3A
      RouteTableIds:
        - Ref: VpcCoreProductionApplicationSubnet1RouteTableC5D4BB39
        - Ref: VpcCoreProductionApplicationSubnet2RouteTable4DF63A0C
        - Ref: VpcCoreProductionDMZSubnet1RouteTable93117E8B
        - Ref: VpcCoreProductionDMZSubnet2RouteTable280A8E86
        - Ref: VpcCoreProductionDatabaseSubnet1RouteTable4189D151
        - Ref: VpcCoreProductionDatabaseSubnet2RouteTable72412D1A
      VpcEndpointType: Gateway
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Production/S3/Resource
  VpcCoreDevelopment37E2B994:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.60.0.0/16
      EnableDnsHostnames: true
      EnableDnsSupport: true
      InstanceTenancy: default
      Tags:
        - Key: Name
          Value: AwsDiGavBlueprint/VpcCore/Development
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Development/Resource
  VpcCoreDevelopmentDMZSubnet1SubnetD48B44F5:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId:
        Ref: VpcCoreDevelopment37E2B994
      AvailabilityZone:
        Fn::Select:
          - 0
          - Fn::GetAZs: ""
      CidrBlock: 10.60.0.0/23
      MapPublicIpOnLaunch: true
      Tags:
        - Key: aws-cdk:subnet-name
          Value: DMZ
        - Key: aws-cdk:subnet-type
          Value: Public
        - Key: Name
          Value: AwsDiGavBlueprint/VpcCore/Development/DMZSubnet1
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Development/DMZSubnet1/Subnet
  VpcCoreDevelopmentDMZSubnet1RouteTable8E3AF8CC:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId:
        Ref: VpcCoreDevelopment37E2B994
      Tags:
        - Key: Name
          Value: AwsDiGavBlueprint/VpcCore/Development/DMZSubnet1
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Development/DMZSubnet1/RouteTable
  VpcCoreDevelopmentDMZSubnet1RouteTableAssociationB1D7A6B7:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId:
        Ref: VpcCoreDevelopmentDMZSubnet1RouteTable8E3AF8CC
      SubnetId:
        Ref: VpcCoreDevelopmentDMZSubnet1SubnetD48B44F5
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Development/DMZSubnet1/RouteTableAssociation
  VpcCoreDevelopmentDMZSubnet1DefaultRouteC1A58F2B:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId:
        Ref: VpcCoreDevelopmentDMZSubnet1RouteTable8E3AF8CC
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId:
        Ref: VpcCoreDevelopmentIGWAD83048D
    DependsOn:
      - VpcCoreDevelopmentVPCGW9558AC45
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Development/DMZSubnet1/DefaultRoute
  VpcCoreDevelopmentDMZSubnet1EIP58CD3212:
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc
      Tags:
        - Key: Name
          Value: AwsDiGavBlueprint/VpcCore/Development/DMZSubnet1
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Development/DMZSubnet1/EIP
  VpcCoreDevelopmentDMZSubnet1NATGatewayD5175E96:
    Type: AWS::EC2::NatGateway
    Properties:
      SubnetId:
        Ref: VpcCoreDevelopmentDMZSubnet1SubnetD48B44F5
      AllocationId:
        Fn::GetAtt:
          - VpcCoreDevelopmentDMZSubnet1EIP58CD3212
          - AllocationId
      Tags:
        - Key: Name
          Value: AwsDiGavBlueprint/VpcCore/Development/DMZSubnet1
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Development/DMZSubnet1/NATGateway
  VpcCoreDevelopmentDMZSubnet2SubnetD5020296:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId:
        Ref: VpcCoreDevelopment37E2B994
      AvailabilityZone:
        Fn::Select:
          - 1
          - Fn::GetAZs: ""
      CidrBlock: 10.60.2.0/23
      MapPublicIpOnLaunch: true
      Tags:
        - Key: aws-cdk:subnet-name
          Value: DMZ
        - Key: aws-cdk:subnet-type
          Value: Public
        - Key: Name
          Value: AwsDiGavBlueprint/VpcCore/Development/DMZSubnet2
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Development/DMZSubnet2/Subnet
  VpcCoreDevelopmentDMZSubnet2RouteTable1EB1E7D2:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId:
        Ref: VpcCoreDevelopment37E2B994
      Tags:
        - Key: Name
          Value: AwsDiGavBlueprint/VpcCore/Development/DMZSubnet2
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Development/DMZSubnet2/RouteTable
  VpcCoreDevelopmentDMZSubnet2RouteTableAssociationAD80DA52:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId:
        Ref: VpcCoreDevelopmentDMZSubnet2RouteTable1EB1E7D2
      SubnetId:
        Ref: VpcCoreDevelopmentDMZSubnet2SubnetD5020296
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Development/DMZSubnet2/RouteTableAssociation
  VpcCoreDevelopmentDMZSubnet2DefaultRoute705CC16F:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId:
        Ref: VpcCoreDevelopmentDMZSubnet2RouteTable1EB1E7D2
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId:
        Ref: VpcCoreDevelopmentIGWAD83048D
    DependsOn:
      - VpcCoreDevelopmentVPCGW9558AC45
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Development/DMZSubnet2/DefaultRoute
  VpcCoreDevelopmentApplicationSubnet1Subnet5A750B62:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId:
        Ref: VpcCoreDevelopment37E2B994
      AvailabilityZone:
        Fn::Select:
          - 0
          - Fn::GetAZs: ""
      CidrBlock: 10.60.4.0/23
      MapPublicIpOnLaunch: false
      Tags:
        - Key: aws-cdk:subnet-name
          Value: Application
        - Key: aws-cdk:subnet-type
          Value: Private
        - Key: Name
          Value: AwsDiGavBlueprint/VpcCore/Development/ApplicationSubnet1
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Development/ApplicationSubnet1/Subnet
  VpcCoreDevelopmentApplicationSubnet1RouteTableD5BB8081:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId:
        Ref: VpcCoreDevelopment37E2B994
      Tags:
        - Key: Name
          Value: AwsDiGavBlueprint/VpcCore/Development/ApplicationSubnet1
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Development/ApplicationSubnet1/RouteTable
  VpcCoreDevelopmentApplicationSubnet1RouteTableAssociationFD1A2A22:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId:
        Ref: VpcCoreDevelopmentApplicationSubnet1RouteTableD5BB8081
      SubnetId:
        Ref: VpcCoreDevelopmentApplicationSubnet1Subnet5A750B62
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Development/ApplicationSubnet1/RouteTableAssociation
  VpcCoreDevelopmentApplicationSubnet1DefaultRoute1731A859:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId:
        Ref: VpcCoreDevelopmentApplicationSubnet1RouteTableD5BB8081
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId:
        Ref: VpcCoreDevelopmentDMZSubnet1NATGatewayD5175E96
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Development/ApplicationSubnet1/DefaultRoute
  VpcCoreDevelopmentApplicationSubnet2Subnet3230F190:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId:
        Ref: VpcCoreDevelopment37E2B994
      AvailabilityZone:
        Fn::Select:
          - 1
          - Fn::GetAZs: ""
      CidrBlock: 10.60.6.0/23
      MapPublicIpOnLaunch: false
      Tags:
        - Key: aws-cdk:subnet-name
          Value: Application
        - Key: aws-cdk:subnet-type
          Value: Private
        - Key: Name
          Value: AwsDiGavBlueprint/VpcCore/Development/ApplicationSubnet2
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Development/ApplicationSubnet2/Subnet
  VpcCoreDevelopmentApplicationSubnet2RouteTableFDC2C351:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId:
        Ref: VpcCoreDevelopment37E2B994
      Tags:
        - Key: Name
          Value: AwsDiGavBlueprint/VpcCore/Development/ApplicationSubnet2
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Development/ApplicationSubnet2/RouteTable
  VpcCoreDevelopmentApplicationSubnet2RouteTableAssociation7C43FB1B:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId:
        Ref: VpcCoreDevelopmentApplicationSubnet2RouteTableFDC2C351
      SubnetId:
        Ref: VpcCoreDevelopmentApplicationSubnet2Subnet3230F190
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Development/ApplicationSubnet2/RouteTableAssociation
  VpcCoreDevelopmentApplicationSubnet2DefaultRouteA9C5EE12:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId:
        Ref: VpcCoreDevelopmentApplicationSubnet2RouteTableFDC2C351
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId:
        Ref: VpcCoreDevelopmentDMZSubnet1NATGatewayD5175E96
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Development/ApplicationSubnet2/DefaultRoute
  VpcCoreDevelopmentDatabaseSubnet1Subnet08D67DFC:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId:
        Ref: VpcCoreDevelopment37E2B994
      AvailabilityZone:
        Fn::Select:
          - 0
          - Fn::GetAZs: ""
      CidrBlock: 10.60.8.0/23
      MapPublicIpOnLaunch: false
      Tags:
        - Key: aws-cdk:subnet-name
          Value: Database
        - Key: aws-cdk:subnet-type
          Value: Isolated
        - Key: Name
          Value: AwsDiGavBlueprint/VpcCore/Development/DatabaseSubnet1
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Development/DatabaseSubnet1/Subnet
  VpcCoreDevelopmentDatabaseSubnet1RouteTableB0F16F62:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId:
        Ref: VpcCoreDevelopment37E2B994
      Tags:
        - Key: Name
          Value: AwsDiGavBlueprint/VpcCore/Development/DatabaseSubnet1
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Development/DatabaseSubnet1/RouteTable
  VpcCoreDevelopmentDatabaseSubnet1RouteTableAssociation386F1245:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId:
        Ref: VpcCoreDevelopmentDatabaseSubnet1RouteTableB0F16F62
      SubnetId:
        Ref: VpcCoreDevelopmentDatabaseSubnet1Subnet08D67DFC
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Development/DatabaseSubnet1/RouteTableAssociation
  VpcCoreDevelopmentDatabaseSubnet2Subnet05D038F0:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId:
        Ref: VpcCoreDevelopment37E2B994
      AvailabilityZone:
        Fn::Select:
          - 1
          - Fn::GetAZs: ""
      CidrBlock: 10.60.10.0/23
      MapPublicIpOnLaunch: false
      Tags:
        - Key: aws-cdk:subnet-name
          Value: Database
        - Key: aws-cdk:subnet-type
          Value: Isolated
        - Key: Name
          Value: AwsDiGavBlueprint/VpcCore/Development/DatabaseSubnet2
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Development/DatabaseSubnet2/Subnet
  VpcCoreDevelopmentDatabaseSubnet2RouteTable07847265:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId:
        Ref: VpcCoreDevelopment37E2B994
      Tags:
        - Key: Name
          Value: AwsDiGavBlueprint/VpcCore/Development/DatabaseSubnet2
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Development/DatabaseSubnet2/RouteTable
  VpcCoreDevelopmentDatabaseSubnet2RouteTableAssociation43E36BB0:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId:
        Ref: VpcCoreDevelopmentDatabaseSubnet2RouteTable07847265
      SubnetId:
        Ref: VpcCoreDevelopmentDatabaseSubnet2Subnet05D038F0
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Development/DatabaseSubnet2/RouteTableAssociation
  VpcCoreDevelopmentIGWAD83048D:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: AwsDiGavBlueprint/VpcCore/Development
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Development/IGW
  VpcCoreDevelopmentVPCGW9558AC45:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId:
        Ref: VpcCoreDevelopment37E2B994
      InternetGatewayId:
        Ref: VpcCoreDevelopmentIGWAD83048D
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Development/VPCGW
  VpcCoreDevelopmentS37F7BBD0F:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      ServiceName:
        Fn::Join:
          - ""
          - - com.amazonaws.
            - Ref: AWS::Region
            - .s3
      VpcId:
        Ref: VpcCoreDevelopment37E2B994
      RouteTableIds:
        - Ref: VpcCoreDevelopmentApplicationSubnet1RouteTableD5BB8081
        - Ref: VpcCoreDevelopmentApplicationSubnet2RouteTableFDC2C351
        - Ref: VpcCoreDevelopmentDMZSubnet1RouteTable8E3AF8CC
        - Ref: VpcCoreDevelopmentDMZSubnet2RouteTable1EB1E7D2
        - Ref: VpcCoreDevelopmentDatabaseSubnet1RouteTableB0F16F62
        - Ref: VpcCoreDevelopmentDatabaseSubnet2RouteTable07847265
      VpcEndpointType: Gateway
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Development/S3/Resource
  VpcCoreManagment030DB556:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.70.0.0/16
      EnableDnsHostnames: true
      EnableDnsSupport: true
      InstanceTenancy: default
      Tags:
        - Key: Name
          Value: AwsDiGavBlueprint/VpcCore/Managment
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Managment/Resource
  VpcCoreManagmentDMZSubnet1Subnet3D4DB21E:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId:
        Ref: VpcCoreManagment030DB556
      AvailabilityZone:
        Fn::Select:
          - 0
          - Fn::GetAZs: ""
      CidrBlock: 10.70.0.0/23
      MapPublicIpOnLaunch: true
      Tags:
        - Key: aws-cdk:subnet-name
          Value: DMZ
        - Key: aws-cdk:subnet-type
          Value: Public
        - Key: Name
          Value: AwsDiGavBlueprint/VpcCore/Managment/DMZSubnet1
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Managment/DMZSubnet1/Subnet
  VpcCoreManagmentDMZSubnet1RouteTableA3569583:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId:
        Ref: VpcCoreManagment030DB556
      Tags:
        - Key: Name
          Value: AwsDiGavBlueprint/VpcCore/Managment/DMZSubnet1
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Managment/DMZSubnet1/RouteTable
  VpcCoreManagmentDMZSubnet1RouteTableAssociationCB71CE11:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId:
        Ref: VpcCoreManagmentDMZSubnet1RouteTableA3569583
      SubnetId:
        Ref: VpcCoreManagmentDMZSubnet1Subnet3D4DB21E
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Managment/DMZSubnet1/RouteTableAssociation
  VpcCoreManagmentDMZSubnet1DefaultRouteB7ED8FC9:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId:
        Ref: VpcCoreManagmentDMZSubnet1RouteTableA3569583
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId:
        Ref: VpcCoreManagmentIGWE905604F
    DependsOn:
      - VpcCoreManagmentVPCGW52A2E34D
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Managment/DMZSubnet1/DefaultRoute
  VpcCoreManagmentDMZSubnet1EIP7EFCA2AF:
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc
      Tags:
        - Key: Name
          Value: AwsDiGavBlueprint/VpcCore/Managment/DMZSubnet1
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Managment/DMZSubnet1/EIP
  VpcCoreManagmentDMZSubnet1NATGatewayC5BFB186:
    Type: AWS::EC2::NatGateway
    Properties:
      SubnetId:
        Ref: VpcCoreManagmentDMZSubnet1Subnet3D4DB21E
      AllocationId:
        Fn::GetAtt:
          - VpcCoreManagmentDMZSubnet1EIP7EFCA2AF
          - AllocationId
      Tags:
        - Key: Name
          Value: AwsDiGavBlueprint/VpcCore/Managment/DMZSubnet1
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Managment/DMZSubnet1/NATGateway
  VpcCoreManagmentDMZSubnet2SubnetB133424E:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId:
        Ref: VpcCoreManagment030DB556
      AvailabilityZone:
        Fn::Select:
          - 1
          - Fn::GetAZs: ""
      CidrBlock: 10.70.2.0/23
      MapPublicIpOnLaunch: true
      Tags:
        - Key: aws-cdk:subnet-name
          Value: DMZ
        - Key: aws-cdk:subnet-type
          Value: Public
        - Key: Name
          Value: AwsDiGavBlueprint/VpcCore/Managment/DMZSubnet2
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Managment/DMZSubnet2/Subnet
  VpcCoreManagmentDMZSubnet2RouteTable6C5999E3:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId:
        Ref: VpcCoreManagment030DB556
      Tags:
        - Key: Name
          Value: AwsDiGavBlueprint/VpcCore/Managment/DMZSubnet2
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Managment/DMZSubnet2/RouteTable
  VpcCoreManagmentDMZSubnet2RouteTableAssociation642ADD19:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId:
        Ref: VpcCoreManagmentDMZSubnet2RouteTable6C5999E3
      SubnetId:
        Ref: VpcCoreManagmentDMZSubnet2SubnetB133424E
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Managment/DMZSubnet2/RouteTableAssociation
  VpcCoreManagmentDMZSubnet2DefaultRoute05771B64:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId:
        Ref: VpcCoreManagmentDMZSubnet2RouteTable6C5999E3
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId:
        Ref: VpcCoreManagmentIGWE905604F
    DependsOn:
      - VpcCoreManagmentVPCGW52A2E34D
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Managment/DMZSubnet2/DefaultRoute
  VpcCoreManagmentApplicationSubnet1Subnet1DE5C8C4:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId:
        Ref: VpcCoreManagment030DB556
      AvailabilityZone:
        Fn::Select:
          - 0
          - Fn::GetAZs: ""
      CidrBlock: 10.70.4.0/23
      MapPublicIpOnLaunch: false
      Tags:
        - Key: aws-cdk:subnet-name
          Value: Application
        - Key: aws-cdk:subnet-type
          Value: Private
        - Key: Name
          Value: AwsDiGavBlueprint/VpcCore/Managment/ApplicationSubnet1
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Managment/ApplicationSubnet1/Subnet
  VpcCoreManagmentApplicationSubnet1RouteTable12C52E22:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId:
        Ref: VpcCoreManagment030DB556
      Tags:
        - Key: Name
          Value: AwsDiGavBlueprint/VpcCore/Managment/ApplicationSubnet1
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Managment/ApplicationSubnet1/RouteTable
  VpcCoreManagmentApplicationSubnet1RouteTableAssociation06F8E2E2:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId:
        Ref: VpcCoreManagmentApplicationSubnet1RouteTable12C52E22
      SubnetId:
        Ref: VpcCoreManagmentApplicationSubnet1Subnet1DE5C8C4
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Managment/ApplicationSubnet1/RouteTableAssociation
  VpcCoreManagmentApplicationSubnet1DefaultRoute2CE87E61:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId:
        Ref: VpcCoreManagmentApplicationSubnet1RouteTable12C52E22
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId:
        Ref: VpcCoreManagmentDMZSubnet1NATGatewayC5BFB186
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Managment/ApplicationSubnet1/DefaultRoute
  VpcCoreManagmentApplicationSubnet2SubnetF1B8CE48:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId:
        Ref: VpcCoreManagment030DB556
      AvailabilityZone:
        Fn::Select:
          - 1
          - Fn::GetAZs: ""
      CidrBlock: 10.70.6.0/23
      MapPublicIpOnLaunch: false
      Tags:
        - Key: aws-cdk:subnet-name
          Value: Application
        - Key: aws-cdk:subnet-type
          Value: Private
        - Key: Name
          Value: AwsDiGavBlueprint/VpcCore/Managment/ApplicationSubnet2
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Managment/ApplicationSubnet2/Subnet
  VpcCoreManagmentApplicationSubnet2RouteTableFD53ABE8:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId:
        Ref: VpcCoreManagment030DB556
      Tags:
        - Key: Name
          Value: AwsDiGavBlueprint/VpcCore/Managment/ApplicationSubnet2
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Managment/ApplicationSubnet2/RouteTable
  VpcCoreManagmentApplicationSubnet2RouteTableAssociationD38A75C2:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId:
        Ref: VpcCoreManagmentApplicationSubnet2RouteTableFD53ABE8
      SubnetId:
        Ref: VpcCoreManagmentApplicationSubnet2SubnetF1B8CE48
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Managment/ApplicationSubnet2/RouteTableAssociation
  VpcCoreManagmentApplicationSubnet2DefaultRoute05B09043:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId:
        Ref: VpcCoreManagmentApplicationSubnet2RouteTableFD53ABE8
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId:
        Ref: VpcCoreManagmentDMZSubnet1NATGatewayC5BFB186
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Managment/ApplicationSubnet2/DefaultRoute
  VpcCoreManagmentIGWE905604F:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: AwsDiGavBlueprint/VpcCore/Managment
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Managment/IGW
  VpcCoreManagmentVPCGW52A2E34D:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId:
        Ref: VpcCoreManagment030DB556
      InternetGatewayId:
        Ref: VpcCoreManagmentIGWE905604F
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/Managment/VPCGW
  VpcCoreManagmentToProductionPeering22C33F18:
    Type: AWS::EC2::VPCPeeringConnection
    Properties:
      PeerVpcId:
        Ref: VpcCoreProductionD971AE3A
      VpcId:
        Ref: VpcCoreManagment030DB556
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/ManagmentToProductionPeering
  VpcCoreManagmentToDevelopmentPeering3A7C248E:
    Type: AWS::EC2::VPCPeeringConnection
    Properties:
      PeerVpcId:
        Ref: VpcCoreDevelopment37E2B994
      VpcId:
        Ref: VpcCoreManagment030DB556
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/ManagmentToDevelopmentPeering
  VpcCoremgmtPublicToDev00CE2841B:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId:
        Ref: VpcCoreManagmentDMZSubnet1RouteTableA3569583
      DestinationCidrBlock:
        Fn::GetAtt:
          - VpcCoreDevelopment37E2B994
          - CidrBlock
      VpcPeeringConnectionId:
        Ref: VpcCoreManagmentToDevelopmentPeering3A7C248E
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/mgmtPublicToDev-0
  VpcCoremgmtPublicToDev11C8BD95A:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId:
        Ref: VpcCoreManagmentDMZSubnet2RouteTable6C5999E3
      DestinationCidrBlock:
        Fn::GetAtt:
          - VpcCoreDevelopment37E2B994
          - CidrBlock
      VpcPeeringConnectionId:
        Ref: VpcCoreManagmentToDevelopmentPeering3A7C248E
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/mgmtPublicToDev-1
  VpcCoremgmtPrivateToDev0786AB1D9:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId:
        Ref: VpcCoreManagmentApplicationSubnet1RouteTable12C52E22
      DestinationCidrBlock:
        Fn::GetAtt:
          - VpcCoreDevelopment37E2B994
          - CidrBlock
      VpcPeeringConnectionId:
        Ref: VpcCoreManagmentToDevelopmentPeering3A7C248E
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/mgmtPrivateToDev-0
  VpcCoremgmtPrivateToDev19BBE4CA7:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId:
        Ref: VpcCoreManagmentApplicationSubnet2RouteTableFD53ABE8
      DestinationCidrBlock:
        Fn::GetAtt:
          - VpcCoreDevelopment37E2B994
          - CidrBlock
      VpcPeeringConnectionId:
        Ref: VpcCoreManagmentToDevelopmentPeering3A7C248E
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/mgmtPrivateToDev-1
  VpcCoredevPublicToMgmt0A0CBE086:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId:
        Ref: VpcCoreDevelopmentDMZSubnet1RouteTable8E3AF8CC
      DestinationCidrBlock:
        Fn::GetAtt:
          - VpcCoreManagment030DB556
          - CidrBlock
      VpcPeeringConnectionId:
        Ref: VpcCoreManagmentToDevelopmentPeering3A7C248E
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/devPublicToMgmt-0
  VpcCoredevPublicToMgmt17BB06B4B:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId:
        Ref: VpcCoreDevelopmentDMZSubnet2RouteTable1EB1E7D2
      DestinationCidrBlock:
        Fn::GetAtt:
          - VpcCoreManagment030DB556
          - CidrBlock
      VpcPeeringConnectionId:
        Ref: VpcCoreManagmentToDevelopmentPeering3A7C248E
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/devPublicToMgmt-1
  VpcCoredevPrivateToMgmt015322763:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId:
        Ref: VpcCoreDevelopmentApplicationSubnet1RouteTableD5BB8081
      DestinationCidrBlock:
        Fn::GetAtt:
          - VpcCoreManagment030DB556
          - CidrBlock
      VpcPeeringConnectionId:
        Ref: VpcCoreManagmentToDevelopmentPeering3A7C248E
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/devPrivateToMgmt-0
  VpcCoredevPrivateToMgmt18C0769D9:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId:
        Ref: VpcCoreDevelopmentApplicationSubnet2RouteTableFDC2C351
      DestinationCidrBlock:
        Fn::GetAtt:
          - VpcCoreManagment030DB556
          - CidrBlock
      VpcPeeringConnectionId:
        Ref: VpcCoreManagmentToDevelopmentPeering3A7C248E
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/devPrivateToMgmt-1
  VpcCoredevIsolatedToMgmt06FAE198F:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId:
        Ref: VpcCoreDevelopmentDatabaseSubnet1RouteTableB0F16F62
      DestinationCidrBlock:
        Fn::GetAtt:
          - VpcCoreManagment030DB556
          - CidrBlock
      VpcPeeringConnectionId:
        Ref: VpcCoreManagmentToDevelopmentPeering3A7C248E
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/devIsolatedToMgmt-0
  VpcCoredevIsolatedToMgmt1D9C968A0:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId:
        Ref: VpcCoreDevelopmentDatabaseSubnet2RouteTable07847265
      DestinationCidrBlock:
        Fn::GetAtt:
          - VpcCoreManagment030DB556
          - CidrBlock
      VpcPeeringConnectionId:
        Ref: VpcCoreManagmentToDevelopmentPeering3A7C248E
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/devIsolatedToMgmt-1
  VpcCoremgmtPublicToProd09E91CB4A:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId:
        Ref: VpcCoreManagmentDMZSubnet1RouteTableA3569583
      DestinationCidrBlock:
        Fn::GetAtt:
          - VpcCoreProductionD971AE3A
          - CidrBlock
      VpcPeeringConnectionId:
        Ref: VpcCoreManagmentToProductionPeering22C33F18
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/mgmtPublicToProd-0
  VpcCoremgmtPublicToProd13B87535A:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId:
        Ref: VpcCoreManagmentDMZSubnet2RouteTable6C5999E3
      DestinationCidrBlock:
        Fn::GetAtt:
          - VpcCoreProductionD971AE3A
          - CidrBlock
      VpcPeeringConnectionId:
        Ref: VpcCoreManagmentToProductionPeering22C33F18
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/mgmtPublicToProd-1
  VpcCoremgmtPrivateToProd02E427081:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId:
        Ref: VpcCoreManagmentApplicationSubnet1RouteTable12C52E22
      DestinationCidrBlock:
        Fn::GetAtt:
          - VpcCoreProductionD971AE3A
          - CidrBlock
      VpcPeeringConnectionId:
        Ref: VpcCoreManagmentToProductionPeering22C33F18
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/mgmtPrivateToProd-0
  VpcCoremgmtPrivateToProd190B37EA5:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId:
        Ref: VpcCoreManagmentApplicationSubnet2RouteTableFD53ABE8
      DestinationCidrBlock:
        Fn::GetAtt:
          - VpcCoreProductionD971AE3A
          - CidrBlock
      VpcPeeringConnectionId:
        Ref: VpcCoreManagmentToProductionPeering22C33F18
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/mgmtPrivateToProd-1
  VpcCoreprodPublicToMgmt0A4005CA8:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId:
        Ref: VpcCoreProductionDMZSubnet1RouteTable93117E8B
      DestinationCidrBlock:
        Fn::GetAtt:
          - VpcCoreManagment030DB556
          - CidrBlock
      VpcPeeringConnectionId:
        Ref: VpcCoreManagmentToProductionPeering22C33F18
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/prodPublicToMgmt-0
  VpcCoreprodPublicToMgmt1EC8240AC:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId:
        Ref: VpcCoreProductionDMZSubnet2RouteTable280A8E86
      DestinationCidrBlock:
        Fn::GetAtt:
          - VpcCoreManagment030DB556
          - CidrBlock
      VpcPeeringConnectionId:
        Ref: VpcCoreManagmentToProductionPeering22C33F18
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/prodPublicToMgmt-1
  VpcCoreprodPrivateToMgmt0A8B14018:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId:
        Ref: VpcCoreProductionApplicationSubnet1RouteTableC5D4BB39
      DestinationCidrBlock:
        Fn::GetAtt:
          - VpcCoreManagment030DB556
          - CidrBlock
      VpcPeeringConnectionId:
        Ref: VpcCoreManagmentToProductionPeering22C33F18
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/prodPrivateToMgmt-0
  VpcCoreprodPrivateToMgmt1C6119F45:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId:
        Ref: VpcCoreProductionApplicationSubnet2RouteTable4DF63A0C
      DestinationCidrBlock:
        Fn::GetAtt:
          - VpcCoreManagment030DB556
          - CidrBlock
      VpcPeeringConnectionId:
        Ref: VpcCoreManagmentToProductionPeering22C33F18
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/VpcCore/prodPrivateToMgmt-1
  ClientVpnVpnCertificateLambdaCustomResourceRole042AF384:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
        Version: "2012-10-17"
      ManagedPolicyArns:
        - Fn::Join:
            - ""
            - - "arn:"
              - Ref: AWS::Partition
              - :iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/ClientVpn/VpnCertificateLambdaCustomResourceRole/Resource
  ClientVpnVpnCertificateLambdaCustomResourceRoleDefaultPolicyBC6B56F1:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - acm:ImportCertificate
              - acm:DeleteCertificate
            Effect: Allow
            Resource: "*"
          - Action:
              - s3:GetObject*
              - s3:GetBucket*
              - s3:List*
              - s3:DeleteObject*
              - s3:PutObject*
              - s3:Abort*
            Effect: Allow
            Resource:
              - Fn::GetAtt:
                  - ClientVpnVpnConfigBucketF2E04B98
                  - Arn
              - Fn::Join:
                  - ""
                  - - Fn::GetAtt:
                        - ClientVpnVpnConfigBucketF2E04B98
                        - Arn
                    - /*
        Version: "2012-10-17"
      PolicyName: ClientVpnVpnCertificateLambdaCustomResourceRoleDefaultPolicyBC6B56F1
      Roles:
        - Ref: ClientVpnVpnCertificateLambdaCustomResourceRole042AF384
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/ClientVpn/VpnCertificateLambdaCustomResourceRole/DefaultPolicy/Resource
  ClientVpnVpnConfigBucketF2E04B98:
    Type: AWS::S3::Bucket
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: aws:kms
      VersioningConfiguration:
        Status: Enabled
    UpdateReplacePolicy: Retain
    DeletionPolicy: Retain
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/ClientVpn/VpnConfigBucket/Resource
  ClientVpnVpnConfigBucketPolicy5C6911AC:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket:
        Ref: ClientVpnVpnConfigBucketF2E04B98
      PolicyDocument:
        Statement:
          - Action: s3:*
            Condition:
              Bool:
                aws:SecureTransport: "false"
            Effect: Deny
            Principal:
              AWS: "*"
            Resource:
              - Fn::GetAtt:
                  - ClientVpnVpnConfigBucketF2E04B98
                  - Arn
              - Fn::Join:
                  - ""
                  - - Fn::GetAtt:
                        - ClientVpnVpnConfigBucketF2E04B98
                        - Arn
                    - /*
        Version: "2012-10-17"
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/ClientVpn/VpnConfigBucket/Policy/Resource
  ClientVpnvpnCertificateProviderframeworkonEventServiceRole60471AD0:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
        Version: "2012-10-17"
      ManagedPolicyArns:
        - Fn::Join:
            - ""
            - - "arn:"
              - Ref: AWS::Partition
              - :iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/ClientVpn/vpnCertificateProvider/framework-onEvent/ServiceRole/Resource
  ClientVpnvpnCertificateProviderframeworkonEventServiceRoleDefaultPolicyE25CE498:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action: lambda:InvokeFunction
            Effect: Allow
            Resource:
              - Fn::GetAtt:
                  - SingletonLambdaCreateVpnCertificateLambda14FF3DCC
                  - Arn
              - Fn::Join:
                  - ""
                  - - Fn::GetAtt:
                        - SingletonLambdaCreateVpnCertificateLambda14FF3DCC
                        - Arn
                    - :*
        Version: "2012-10-17"
      PolicyName: ClientVpnvpnCertificateProviderframeworkonEventServiceRoleDefaultPolicyE25CE498
      Roles:
        - Ref: ClientVpnvpnCertificateProviderframeworkonEventServiceRole60471AD0
    Metadata:
      aws:cdk:path:
AwsDiGavBlueprint/ClientVpn/vpnCertificateProvider/framework-onEvent/ServiceRole/DefaultPolicy/Resource ClientVpnvpnCertificateProviderframeworkonEvent3C19EA05: Type: AWS::Lambda::Function Properties: Code: S3Bucket: Ref: AssetParameters3b263c2ad043fd069ef446753788c36e595c82b51a70478e58258c8ef7471671S3Bucket766250D8 S3Key: Fn::Join: - "" - - Fn::Select: - 0 - Fn::Split: - "||" - Ref: AssetParameters3b263c2ad043fd069ef446753788c36e595c82b51a70478e58258c8ef7471671S3VersionKey850D9181 - Fn::Select: - 1 - Fn::Split: - "||" - Ref: AssetParameters3b263c2ad043fd069ef446753788c36e595c82b51a70478e58258c8ef7471671S3VersionKey850D9181 Role: Fn::GetAtt: - ClientVpnvpnCertificateProviderframeworkonEventServiceRole60471AD0 - Arn Description: AWS CDK resource provider framework - onEvent (AwsDiGavBlueprint/ClientVpn/vpnCertificateProvider) Environment: Variables: USER_ON_EVENT_FUNCTION_ARN: Fn::GetAtt: - SingletonLambdaCreateVpnCertificateLambda14FF3DCC - Arn Handler: framework.onEvent Runtime: nodejs14.x Timeout: 900 DependsOn: - ClientVpnvpnCertificateProviderframeworkonEventServiceRoleDefaultPolicyE25CE498 - ClientVpnvpnCertificateProviderframeworkonEventServiceRole60471AD0 Metadata: aws:cdk:path: AwsDiGavBlueprint/ClientVpn/vpnCertificateProvider/framework-onEvent/Resource aws:asset:path: asset.3b263c2ad043fd069ef446753788c36e595c82b51a70478e58258c8ef7471671 aws:asset:is-bundled: false aws:asset:property: Code ClientVpnvpnCertificate550A99D6: Type: AWS::CloudFormation::CustomResource Properties: ServiceToken: Fn::GetAtt: - ClientVpnvpnCertificateProviderframeworkonEvent3C19EA05 - Arn VpnConfigBucket: Fn::Join: - "" - - s3:// - Ref: ClientVpnVpnConfigBucketF2E04B98 - / UpdateReplacePolicy: Delete DeletionPolicy: Delete Metadata: aws:cdk:path: AwsDiGavBlueprint/ClientVpn/vpnCertificate/Default ClientVpnClientVpnAccessLogGroup8491CD05: Type: AWS::Logs::LogGroup Properties: RetentionInDays: 180 UpdateReplacePolicy: Retain DeletionPolicy: Retain Metadata: aws:cdk:path: 
AwsDiGavBlueprint/ClientVpn/ClientVpnAccessLogGroup/Resource ClientVpnClientVpnAccessLogStream5480C352: Type: AWS::Logs::LogStream Properties: LogGroupName: Ref: ClientVpnClientVpnAccessLogGroup8491CD05 UpdateReplacePolicy: Retain DeletionPolicy: Retain Metadata: aws:cdk:path: AwsDiGavBlueprint/ClientVpn/ClientVpnAccessLogStream/Resource ClientVpnVpnUsersSG5BB5DCBE: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Security group associated with VPN users accessing the network through the Client VPN Endpoint in the managment VPC. GroupName: VpnUsersSG SecurityGroupEgress: - CidrIp: 0.0.0.0/0 Description: Allow all outbound traffic by default IpProtocol: "-1" VpcId: Ref: VpcCoreManagment030DB556 Metadata: aws:cdk:path: AwsDiGavBlueprint/ClientVpn/VpnUsersSG/Resource ClientVpnclientVpnEndpoint53D29AAC: Type: AWS::EC2::ClientVpnEndpoint Properties: AuthenticationOptions: - MutualAuthentication: ClientRootCertificateChainArn: Ref: ClientVpnvpnCertificate550A99D6 Type: certificate-authentication ClientCidrBlock: 10.71.0.0/16 ConnectionLogOptions: CloudwatchLogGroup: Ref: ClientVpnClientVpnAccessLogGroup8491CD05 CloudwatchLogStream: Ref: ClientVpnClientVpnAccessLogStream5480C352 Enabled: true ServerCertificateArn: Ref: ClientVpnvpnCertificate550A99D6 Description: Internal VPN Endpoint DnsServers: - 10.70.0.2 SecurityGroupIds: - Fn::GetAtt: - ClientVpnVpnUsersSG5BB5DCBE - GroupId SplitTunnel: true VpcId: Ref: VpcCoreManagment030DB556 Metadata: aws:cdk:path: AwsDiGavBlueprint/ClientVpn/clientVpnEndpoint ClientVpn0clientVpnEndpointAssociation8160B577: Type: AWS::EC2::ClientVpnTargetNetworkAssociation Properties: ClientVpnEndpointId: Ref: ClientVpnclientVpnEndpoint53D29AAC SubnetId: Ref: VpcCoreManagmentDMZSubnet1Subnet3D4DB21E Metadata: aws:cdk:path: AwsDiGavBlueprint/ClientVpn/0-clientVpnEndpointAssociation ClientVpn1clientVpnEndpointAssociation19D93CB9: Type: AWS::EC2::ClientVpnTargetNetworkAssociation Properties: ClientVpnEndpointId: Ref: 
ClientVpnclientVpnEndpoint53D29AAC SubnetId: Ref: VpcCoreManagmentDMZSubnet2SubnetB133424E Metadata: aws:cdk:path: AwsDiGavBlueprint/ClientVpn/1-clientVpnEndpointAssociation ClientVpnProductionAuthorization8EEF0591: Type: AWS::EC2::ClientVpnAuthorizationRule Properties: ClientVpnEndpointId: Ref: ClientVpnclientVpnEndpoint53D29AAC TargetNetworkCidr: Fn::GetAtt: - VpcCoreProductionD971AE3A - CidrBlock AuthorizeAllGroups: true Description: Allows VPN users access to Production VPC Metadata: aws:cdk:path: AwsDiGavBlueprint/ClientVpn/ProductionAuthorization ClientVpnDevelopmentAuthorizationF2F84AF6: Type: AWS::EC2::ClientVpnAuthorizationRule Properties: ClientVpnEndpointId: Ref: ClientVpnclientVpnEndpoint53D29AAC TargetNetworkCidr: Fn::GetAtt: - VpcCoreDevelopment37E2B994 - CidrBlock AuthorizeAllGroups: true Description: Allows VPN users access to Development VPC Metadata: aws:cdk:path: AwsDiGavBlueprint/ClientVpn/DevelopmentAuthorization ClientVpnManagmentAuthorization5FD7AAA7: Type: AWS::EC2::ClientVpnAuthorizationRule Properties: ClientVpnEndpointId: Ref: ClientVpnclientVpnEndpoint53D29AAC TargetNetworkCidr: Fn::GetAtt: - VpcCoreManagment030DB556 - CidrBlock AuthorizeAllGroups: true Description: Allows Transit VPN users access to Managment VPC Metadata: aws:cdk:path: AwsDiGavBlueprint/ClientVpn/ManagmentAuthorization ClientVpn0productionRoute7AD177DA: Type: AWS::EC2::ClientVpnRoute Properties: ClientVpnEndpointId: Ref: ClientVpnclientVpnEndpoint53D29AAC DestinationCidrBlock: Fn::GetAtt: - VpcCoreProductionD971AE3A - CidrBlock TargetVpcSubnetId: Ref: VpcCoreManagmentDMZSubnet1Subnet3D4DB21E DependsOn: - ClientVpn0clientVpnEndpointAssociation8160B577 - ClientVpn1clientVpnEndpointAssociation19D93CB9 Metadata: aws:cdk:path: AwsDiGavBlueprint/ClientVpn/0-productionRoute ClientVpn0developmentRouteDE605129: Type: AWS::EC2::ClientVpnRoute Properties: ClientVpnEndpointId: Ref: ClientVpnclientVpnEndpoint53D29AAC DestinationCidrBlock: Fn::GetAtt: - VpcCoreDevelopment37E2B994 - 
CidrBlock TargetVpcSubnetId: Ref: VpcCoreManagmentDMZSubnet1Subnet3D4DB21E DependsOn: - ClientVpn0clientVpnEndpointAssociation8160B577 - ClientVpn1clientVpnEndpointAssociation19D93CB9 Metadata: aws:cdk:path: AwsDiGavBlueprint/ClientVpn/0-developmentRoute ClientVpn1productionRouteE229C4FD: Type: AWS::EC2::ClientVpnRoute Properties: ClientVpnEndpointId: Ref: ClientVpnclientVpnEndpoint53D29AAC DestinationCidrBlock: Fn::GetAtt: - VpcCoreProductionD971AE3A - CidrBlock TargetVpcSubnetId: Ref: VpcCoreManagmentDMZSubnet2SubnetB133424E DependsOn: - ClientVpn0clientVpnEndpointAssociation8160B577 - ClientVpn1clientVpnEndpointAssociation19D93CB9 Metadata: aws:cdk:path: AwsDiGavBlueprint/ClientVpn/1-productionRoute ClientVpn1developmentRouteBB456F2F: Type: AWS::EC2::ClientVpnRoute Properties: ClientVpnEndpointId: Ref: ClientVpnclientVpnEndpoint53D29AAC DestinationCidrBlock: Fn::GetAtt: - VpcCoreDevelopment37E2B994 - CidrBlock TargetVpcSubnetId: Ref: VpcCoreManagmentDMZSubnet2SubnetB133424E DependsOn: - ClientVpn0clientVpnEndpointAssociation8160B577 - ClientVpn1clientVpnEndpointAssociation19D93CB9 Metadata: aws:cdk:path: AwsDiGavBlueprint/ClientVpn/1-developmentRoute SingletonLambdaCreateVpnCertificateLambda14FF3DCC: Type: AWS::Lambda::Function Properties: Code: ZipFile: |- S=True R='/tmp/' Q='ErrorMessage' P='responseData' O='VpnConfigBucket' N='ResourceProperties' M=Exception L='PhysicalResourceId' K=False import subprocess as D,os,sys,boto3 as B,logging as G,json,traceback T=B.client('ec2') U=B.client('ssm') H=B.client('acm') A=G.getLogger() A.setLevel(G.INFO) E={} def I(event,context,isUpdate=K): D=event try: E['Complete']='True';F=D[L];B=D[N][O];I=['aws s3 rm {0}ca.crt'.format(B),'aws s3 rm {0}server.crt'.format(B),'aws s3 rm {0}server.key'.format(B),'aws s3 rm {0}client1.domain.tld.crt'.format(B),'aws s3 rm {0}client1.domain.tld.key'.format(B)];R=C(I);H.delete_certificate(CertificateArn=F) if isUpdate==K:return{L:F,P:E} except M as G:A.error(G);J=G.args[0];S={Q:J};return K 
def J(event,context): try:A.info('Starting to create certificate');B=event[N][O];I=['curl -L https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.6/EasyRSA-unix-v3.0.6.tgz -O','mkdir /tmp/easyrsa','mkdir /tmp/vpndetails','tar -xvzf /tmp/EasyRSA-unix-v3.0.6.tgz -C /tmp/easyrsa','ls /tmp/easyrsa'];C(I);J=['/tmp/easyrsa/EasyRSA-v3.0.6/easyrsa init-pki','/tmp/easyrsa/EasyRSA-v3.0.6/easyrsa build-ca nopass','/tmp/easyrsa/EasyRSA-v3.0.6/easyrsa build-server-full server nopass','/tmp/easyrsa/EasyRSA-v3.0.6/easyrsa build-client-full client1.domain.tld nopass','cp /tmp/pki/ca.crt /tmp/vpndetails/ca.crt','cp /tmp/pki/issued/server.crt /tmp/vpndetails/server.crt','cp /tmp/pki/private/server.key /tmp/vpndetails/server.key','cp /tmp/pki/issued/client1.domain.tld.crt /tmp/vpndetails/client1.domain.tld.crt','cp /tmp/pki/private/client1.domain.tld.key /tmp/vpndetails/client1.domain.tld.key'];C(J,'/tmp/easy-rsa/EasyRSA-v3.0.6');D=H.import_certificate(Certificate=F('/tmp/vpndetails/server.crt'),PrivateKey=F('/tmp/vpndetails/server.key'),CertificateChain=F('/tmp/vpndetails/ca.crt'));A.info(D);K=['aws s3 cp /tmp/vpndetails/ca.crt {0}ca.crt'.format(B),'aws s3 cp /tmp/vpndetails/server.crt {0}server.crt'.format(B),'aws s3 cp /tmp/vpndetails/server.key {0}server.key'.format(B),'aws s3 cp /tmp/vpndetails/client1.domain.tld.crt {0}client1.domain.tld.crt'.format(B),'aws s3 cp /tmp/vpndetails/client1.domain.tld.key {0}client1.domain.tld.key'.format(B)];C(K);return{P:E,L:D['CertificateArn']} except M as G:A.error(G);R={Q:G};return R def C(commands,workDir=R): I='PATH';B=os.environ.copy();B[I]='/tmp/bin:'+B[I];B['PYTHONPATH']='/tmp/:';B['EASYRSA_BATCH']='1';C=[] for E in commands:G=D.Popen([E],env=B,cwd=R,shell=S,stdout=D.PIPE,stderr=D.PIPE);F,H=G.communicate();A.info(E);A.info(F);A.info(H);C.append(F) return C def F(filename):return open(filename,'rb').read() def main(event,context): E='RequestType';D=context;B=event;A.info(B);F=['pip3 install awscli --upgrade --no-cache-dir 
--ignore-installed --target=/tmp/'];C(F) if B[E]=='Delete':return I(B,D) elif B[E]=='Create':return J(B,D) elif B[E]=='Update':I(B,D,S);return J(B,D) Role: Fn::GetAtt: - ClientVpnVpnCertificateLambdaCustomResourceRole042AF384 - Arn Handler: index.main MemorySize: 1024 Runtime: python3.7 Timeout: 300 DependsOn: - ClientVpnVpnCertificateLambdaCustomResourceRoleDefaultPolicyBC6B56F1 - ClientVpnVpnCertificateLambdaCustomResourceRole042AF384 Metadata: aws:cdk:path: AwsDiGavBlueprint/SingletonLambdaCreateVpnCertificateLambda/Resource ConfigEnabledPromiseConfigBucket2F967063: Type: AWS::S3::Bucket Properties: BucketEncryption: ServerSideEncryptionConfiguration: - ServerSideEncryptionByDefault: SSEAlgorithm: aws:kms VersioningConfiguration: Status: Enabled UpdateReplacePolicy: Retain DeletionPolicy: Retain Metadata: aws:cdk:path: AwsDiGavBlueprint/ConfigEnabledPromise/ConfigBucket/Resource ConfigEnabledPromiseConfigBucketPolicy2B9A439D: Type: AWS::S3::BucketPolicy Properties: Bucket: Ref: ConfigEnabledPromiseConfigBucket2F967063 PolicyDocument: Statement: - Action: s3:* Condition: Bool: aws:SecureTransport: "false" Effect: Deny Principal: AWS: "*" Resource: - Fn::GetAtt: - ConfigEnabledPromiseConfigBucket2F967063 - Arn - Fn::Join: - "" - - Fn::GetAtt: - ConfigEnabledPromiseConfigBucket2F967063 - Arn - /* - Action: s3:GetBucketAcl Effect: Allow Principal: AWS: Fn::Join: - "" - - "arn:aws:iam::" - Ref: AWS::AccountId - :role/aws-service-role/config-conforms.amazonaws.com/AWSServiceRoleForConfigConforms Resource: Fn::Join: - "" - - "arn:aws:s3:::" - Ref: ConfigEnabledPromiseConfigBucket2F967063 Sid: AWSConfigConformsBucketPermissionsCheck - Action: s3:PutObject Condition: StringEquals: s3:x-amz-acl: bucket-owner-full-control Effect: Allow Principal: AWS: Fn::Join: - "" - - "arn:aws:iam::" - Ref: AWS::AccountId - :role/aws-service-role/config-conforms.amazonaws.com/AWSServiceRoleForConfigConforms Resource: Fn::Join: - "" - - "arn:aws:s3:::" - Ref: 
ConfigEnabledPromiseConfigBucket2F967063 - /* Sid: AWSConfigConformsBucketDelivery - Action: s3:GetObject Effect: Allow Principal: AWS: Fn::Join: - "" - - "arn:aws:iam::" - Ref: AWS::AccountId - :role/aws-service-role/config-conforms.amazonaws.com/AWSServiceRoleForConfigConforms Resource: Fn::Join: - "" - - "arn:aws:s3:::" - Ref: ConfigEnabledPromiseConfigBucket2F967063 - /* Sid: " AWSConfigConformsBucketReadAccess" Version: "2012-10-17" Metadata: aws:cdk:path: AwsDiGavBlueprint/ConfigEnabledPromise/ConfigBucket/Policy/Resource ConfigEnabledPromiseConfigDeliveryChannel84DA8CB8: Type: AWS::Config::DeliveryChannel Properties: S3BucketName: Ref: ConfigEnabledPromiseConfigBucket2F967063 Name: BlueprintConfigDeliveryChannel Metadata: aws:cdk:path: AwsDiGavBlueprint/ConfigEnabledPromise/ConfigDeliveryChannel ConfigEnabledPromiseConfigRecorderRoleFC6F886B: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Effect: Allow Principal: Service: config.amazonaws.com Version: "2012-10-17" ManagedPolicyArns: - Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - :iam::aws:policy/service-role/AWSConfigRole Policies: - PolicyDocument: Statement: - Action: s3:PutObject Condition: StringLike: s3:x-amz-acl: bucket-owner-full-control Effect: Allow Resource: Fn::Join: - "" - - "arn:aws:s3:::" - Ref: ConfigEnabledPromiseConfigBucket2F967063 - /* - Action: s3:GetBucketAcl Effect: Allow Resource: Fn::Join: - "" - - "arn:aws:s3:::" - Ref: ConfigEnabledPromiseConfigBucket2F967063 Version: "2012-10-17" PolicyName: configRecorderS3Access Metadata: aws:cdk:path: AwsDiGavBlueprint/ConfigEnabledPromise/ConfigRecorderRole/Resource ConfigEnabledPromiseConfigRecorder0A75B039: Type: AWS::Config::ConfigurationRecorder Properties: RoleARN: Fn::GetAtt: - ConfigEnabledPromiseConfigRecorderRoleFC6F886B - Arn Name: BlueprintConfigRecorder RecordingGroup: AllSupported: true IncludeGlobalResourceTypes: true Metadata: aws:cdk:path: 
AwsDiGavBlueprint/ConfigEnabledPromise/ConfigRecorder ConfigPacksCPOperationalBestPracticesForAWSIdentityAndAccessManagement7100FE82: Type: AWS::Config::ConformancePack Properties: ConformancePackName: Operational-Best-Practices-For-AWS-Identity-And-Access-Management ConformancePackInputParameters: [] DeliveryS3Bucket: Ref: ConfigEnabledPromiseConfigBucket2F967063 DeliveryS3KeyPrefix: Operational-Best-Practices-For-AWS-Identity-And-Access-Management TemplateBody: |- ################################################################################ # # Conformance Pack: # Operational Best Practices for AWS Identity and Access Management # # See Parameters section for names and descriptions of required parameters. # ################################################################################ Parameters: AccessKeysRotatedParameterMaxAccessKeyAge: Description: Maximum number of days without rotation. Default 90. Type: String Default: 90 IAMUserUnusedCredentialsCheckParameterMaxCredentialUsageAge: Description: Maximum number of days a credential cannot be used. The default value is 90 days. Type: String Default: 90 Resources: AccessKeysRotated: Properties: ConfigRuleName: AccessKeysRotated Description: Checks whether the active access keys are rotated within the number of days specified in maxAccessKeyAge. The rule is non-compliant if the access keys have not been rotated for more than maxAccessKeyAge number of days. InputParameters: maxAccessKeyAge: Ref: AccessKeysRotatedParameterMaxAccessKeyAge Source: Owner: AWS SourceIdentifier: ACCESS_KEYS_ROTATED Type: AWS::Config::ConfigRule IAMGroupHasUsersCheck: Properties: ConfigRuleName: IAMGroupHasUsersCheck Description: Checks whether IAM groups have at least one IAM user. 
Source: Owner: AWS SourceIdentifier: IAM_GROUP_HAS_USERS_CHECK Type: AWS::Config::ConfigRule IAMPasswordPolicy: Properties: ConfigRuleName: IAMPasswordPolicy Description: Checks whether the account password policy for IAM users meets the specified requirements. Source: Owner: AWS SourceIdentifier: IAM_PASSWORD_POLICY Type: AWS::Config::ConfigRule IAMPolicyNoStatementsWithAdminAccess: Properties: ConfigRuleName: IAMPolicyNoStatementsWithAdminAccess Description: 'Checks whether the default version of AWS Identity and Access Management (IAM) policies do not have administrator access. If any statement has "Effect": "Allow" with "Action": "*" over "Resource": "*", the rule is non-compliant.' Source: Owner: AWS SourceIdentifier: IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS Type: AWS::Config::ConfigRule IAMRootAccessKeyCheck: Properties: ConfigRuleName: IAMRootAccessKeyCheck Description: Checks whether the root user access key is available. The rule is compliant if the user access key does not exist. Source: Owner: AWS SourceIdentifier: IAM_ROOT_ACCESS_KEY_CHECK Type: AWS::Config::ConfigRule IAMUserGroupMembershipCheck: Properties: ConfigRuleName: IAMUserGroupMembershipCheck Description: Checks whether IAM users are members of at least one IAM group. Source: Owner: AWS SourceIdentifier: IAM_USER_GROUP_MEMBERSHIP_CHECK Type: AWS::Config::ConfigRule IAMUserMFAEnabled: Properties: ConfigRuleName: IAMUserMFAEnabled Description: Checks whether the AWS Identity and Access Management users have multi-factor authentication (MFA) enabled. Source: Owner: AWS SourceIdentifier: IAM_USER_MFA_ENABLED Type: AWS::Config::ConfigRule IAMUserNoPoliciesCheck: Properties: ConfigRuleName: IAMUserNoPoliciesCheck Description: Checks that none of your IAM users have policies attached. IAM users must inherit permissions from IAM groups or roles. 
Source: Owner: AWS SourceIdentifier: IAM_USER_NO_POLICIES_CHECK Type: AWS::Config::ConfigRule IAMUserUnusedCredentialsCheck: Properties: ConfigRuleName: IAMUserUnusedCredentialsCheck Description: Checks whether your AWS Identity and Access Management (IAM) users have passwords or active access keys that have not been used within the specified number of days you provided. InputParameters: maxCredentialUsageAge: Ref: IAMUserUnusedCredentialsCheckParameterMaxCredentialUsageAge Source: Owner: AWS SourceIdentifier: IAM_USER_UNUSED_CREDENTIALS_CHECK Type: AWS::Config::ConfigRule MFAEnabledForIAMConsoleAccess: Properties: ConfigRuleName: MFAEnabledForIAMConsoleAccess Description: Checks whether AWS Multi-Factor Authentication (MFA) is enabled for all AWS Identity and Access Management (IAM) users that use a console password. The rule is compliant if MFA is enabled. Source: Owner: AWS SourceIdentifier: MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS Type: AWS::Config::ConfigRule RootAccountHardwareMFAEnabled: Properties: ConfigRuleName: RootAccountHardwareMFAEnabled Description: Checks whether your AWS account is enabled to use multi-factor authentication (MFA) hardware device to sign in with root credentials. Source: Owner: AWS SourceIdentifier: ROOT_ACCOUNT_HARDWARE_MFA_ENABLED Type: AWS::Config::ConfigRule RootAccountMFAEnabled: Properties: ConfigRuleName: RootAccountMFAEnabled Description: Checks whether the root user of your AWS account requires multi-factor authentication for console sign-in. 
Source: Owner: AWS SourceIdentifier: ROOT_ACCOUNT_MFA_ENABLED Type: AWS::Config::ConfigRule DependsOn: - ConfigEnabledPromiseConfigRecorder0A75B039 Metadata: aws:cdk:path: AwsDiGavBlueprint/ConfigPacks/CP-Operational-Best-Practices-For-AWS-Identity-And-Access-Management ConfigPacksCPOperationalBestPracticesForAmazonS30892D47D: Type: AWS::Config::ConformancePack Properties: ConformancePackName: Operational-Best-Practices-For-Amazon-S3 ConformancePackInputParameters: [] DeliveryS3Bucket: Ref: ConfigEnabledPromiseConfigBucket2F967063 DeliveryS3KeyPrefix: Operational-Best-Practices-For-Amazon-S3 TemplateBody: |- ############################################################################################### # # Conformance Pack: # Operational Best Practices for Amazon S3 # # This pack contains AWS Config rules based on the best practice guidelines for Amazon S3. # ############################################################################################### Resources: S3BucketPublicReadProhibited: Type: AWS::Config::ConfigRule Properties: ConfigRuleName: S3BucketPublicReadProhibited Description: >- Checks that your Amazon S3 buckets do not allow public read access. The rule checks the Block Public Access settings, the bucket policy, and the bucket access control list (ACL). Scope: ComplianceResourceTypes: - "AWS::S3::Bucket" Source: Owner: AWS SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED MaximumExecutionFrequency: Six_Hours S3BucketPublicWriteProhibited: Type: "AWS::Config::ConfigRule" Properties: ConfigRuleName: S3BucketPublicWriteProhibited Description: "Checks that your Amazon S3 buckets do not allow public write access. The rule checks the Block Public Access settings, the bucket policy, and the bucket access control list (ACL)." 
Scope: ComplianceResourceTypes: - "AWS::S3::Bucket" Source: Owner: AWS SourceIdentifier: S3_BUCKET_PUBLIC_WRITE_PROHIBITED MaximumExecutionFrequency: Six_Hours S3BucketReplicationEnabled: Type: "AWS::Config::ConfigRule" Properties: ConfigRuleName: S3BucketReplicationEnabled Description: "Checks whether the Amazon S3 buckets have cross-region replication enabled." Scope: ComplianceResourceTypes: - "AWS::S3::Bucket" Source: Owner: AWS SourceIdentifier: S3_BUCKET_REPLICATION_ENABLED S3BucketSSLRequestsOnly: Type: "AWS::Config::ConfigRule" Properties: ConfigRuleName: S3BucketSSLRequestsOnly Description: "Checks whether S3 buckets have policies that require requests to use Secure Socket Layer (SSL)." Scope: ComplianceResourceTypes: - "AWS::S3::Bucket" Source: Owner: AWS SourceIdentifier: S3_BUCKET_SSL_REQUESTS_ONLY ServerSideReplicationEnabled: Type: "AWS::Config::ConfigRule" Properties: ConfigRuleName: ServerSideReplicationEnabled Description: "Checks that your Amazon S3 bucket either has S3 default encryption enabled or that the S3 bucket policy explicitly denies put-object requests without server side encryption." Scope: ComplianceResourceTypes: - "AWS::S3::Bucket" Source: Owner: AWS SourceIdentifier: S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED S3BucketLoggingEnabled: Type: "AWS::Config::ConfigRule" Properties: ConfigRuleName: S3BucketLoggingEnabled Description: "Checks whether logging is enabled for your S3 buckets." 
Scope: ComplianceResourceTypes: - "AWS::S3::Bucket" Source: Owner: AWS SourceIdentifier: S3_BUCKET_LOGGING_ENABLED DependsOn: - ConfigEnabledPromiseConfigRecorder0A75B039 Metadata: aws:cdk:path: AwsDiGavBlueprint/ConfigPacks/CP-Operational-Best-Practices-For-Amazon-S3 ConfigPacksCPOperationalBestPracticesforNISTCSFB3E464EB: Type: AWS::Config::ConformancePack Properties: ConformancePackName: Operational-Best-Practices-for-NIST-CSF ConformancePackInputParameters: [] DeliveryS3Bucket: Ref: ConfigEnabledPromiseConfigBucket2F967063 DeliveryS3KeyPrefix: Operational-Best-Practices-for-NIST-CSF TemplateBody: |- ################################################################################## # # Conformance Pack: # Operational Best Practices for NIST CSF # # This conformance pack helps verify compliance with NIST CSF requirements. # # This Conformance Pack has been designed for compatibility with the majority of AWS # regions and to not require setting of any Parameters. Additional managed rules that # require parameters to be set for your environment and/or for your specific region can # be found at https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html # # See Parameters section for names and descriptions of required parameters. 
# ################################################################################## Parameters: AccessKeysRotatedParamMaxAccessKeyAge: Default: '90' Type: String AcmCertificateExpirationCheckParamDaysToExpiration: Default: '90' Type: String GuarddutyNonArchivedFindingsParamDaysHighSev: Default: '1' Type: String GuarddutyNonArchivedFindingsParamDaysLowSev: Default: '30' Type: String GuarddutyNonArchivedFindingsParamDaysMediumSev: Default: '7' Type: String IamPasswordPolicyParamMaxPasswordAge: Default: '90' Type: String IamPasswordPolicyParamMinimumPasswordLength: Default: '14' Type: String IamPasswordPolicyParamPasswordReusePrevention: Default: '24' Type: String IamPasswordPolicyParamRequireLowercaseCharacters: Default: 'TRUE' Type: String IamPasswordPolicyParamRequireNumbers: Default: 'TRUE' Type: String IamPasswordPolicyParamRequireSymbols: Default: 'TRUE' Type: String IamPasswordPolicyParamRequireUppercaseCharacters: Default: 'TRUE' Type: String IamUserUnusedCredentialsCheckParamMaxCredentialUsageAge: Default: '90' Type: String RestrictedIncomingTrafficParamBlockedPort1: Default: '20' Type: String RestrictedIncomingTrafficParamBlockedPort2: Default: '21' Type: String RestrictedIncomingTrafficParamBlockedPort3: Default: '3389' Type: String RestrictedIncomingTrafficParamBlockedPort4: Default: '3306' Type: String RestrictedIncomingTrafficParamBlockedPort5: Default: '4333' Type: String S3AccountLevelPublicAccessBlocksParamBlockPublicAcls: Default: 'True' Type: String S3AccountLevelPublicAccessBlocksParamBlockPublicPolicy: Default: 'True' Type: String S3AccountLevelPublicAccessBlocksParamIgnorePublicAcls: Default: 'True' Type: String S3AccountLevelPublicAccessBlocksParamRestrictPublicBuckets: Default: 'True' Type: String Resources: AccessKeysRotated: Properties: ConfigRuleName: access-keys-rotated InputParameters: maxAccessKeyAge: Fn::If: - accessKeysRotatedParamMaxAccessKeyAge - Ref: AccessKeysRotatedParamMaxAccessKeyAge - Ref: AWS::NoValue Source: Owner: AWS 
SourceIdentifier: ACCESS_KEYS_ROTATED Type: AWS::Config::ConfigRule AcmCertificateExpirationCheck: Properties: ConfigRuleName: acm-certificate-expiration-check InputParameters: daysToExpiration: Fn::If: - acmCertificateExpirationCheckParamDaysToExpiration - Ref: AcmCertificateExpirationCheckParamDaysToExpiration - Ref: AWS::NoValue Scope: ComplianceResourceTypes: - AWS::ACM::Certificate Source: Owner: AWS SourceIdentifier: ACM_CERTIFICATE_EXPIRATION_CHECK Type: AWS::Config::ConfigRule AlbHttpToHttpsRedirectionCheck: Properties: ConfigRuleName: alb-http-to-https-redirection-check Source: Owner: AWS SourceIdentifier: ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK Type: AWS::Config::ConfigRule ApiGwCacheEnabledAndEncrypted: Properties: ConfigRuleName: api-gw-cache-enabled-and-encrypted Scope: ComplianceResourceTypes: - AWS::ApiGateway::Stage Source: Owner: AWS SourceIdentifier: API_GW_CACHE_ENABLED_AND_ENCRYPTED Type: AWS::Config::ConfigRule ApiGwExecutionLoggingEnabled: Properties: ConfigRuleName: api-gw-execution-logging-enabled Scope: ComplianceResourceTypes: - AWS::ApiGateway::Stage - AWS::ApiGatewayV2::Stage Source: Owner: AWS SourceIdentifier: API_GW_EXECUTION_LOGGING_ENABLED Type: AWS::Config::ConfigRule AutoscalingGroupElbHealthcheckRequired: Properties: ConfigRuleName: autoscaling-group-elb-healthcheck-required Scope: ComplianceResourceTypes: - AWS::AutoScaling::AutoScalingGroup Source: Owner: AWS SourceIdentifier: AUTOSCALING_GROUP_ELB_HEALTHCHECK_REQUIRED Type: AWS::Config::ConfigRule CloudTrailCloudWatchLogsEnabled: Properties: ConfigRuleName: cloud-trail-cloud-watch-logs-enabled Source: Owner: AWS SourceIdentifier: CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED Type: AWS::Config::ConfigRule CloudTrailEnabled: Properties: ConfigRuleName: cloudtrail-enabled Source: Owner: AWS SourceIdentifier: CLOUD_TRAIL_ENABLED Type: AWS::Config::ConfigRule CloudTrailEncryptionEnabled: Properties: ConfigRuleName: cloud-trail-encryption-enabled Source: Owner: AWS SourceIdentifier: 
CLOUD_TRAIL_ENCRYPTION_ENABLED Type: AWS::Config::ConfigRule CloudTrailLogFileValidationEnabled: Properties: ConfigRuleName: cloud-trail-log-file-validation-enabled Source: Owner: AWS SourceIdentifier: CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED Type: AWS::Config::ConfigRule CloudtrailS3DataeventsEnabled: Properties: ConfigRuleName: cloudtrail-s3-dataevents-enabled Source: Owner: AWS SourceIdentifier: CLOUDTRAIL_S3_DATAEVENTS_ENABLED Type: AWS::Config::ConfigRule CloudwatchAlarmActionCheck: Properties: ConfigRuleName: cloudwatch-alarm-action-check InputParameters: alarmActionRequired: 'TRUE' insufficientDataActionRequired: 'TRUE' okActionRequired: 'FALSE' Scope: ComplianceResourceTypes: - AWS::CloudWatch::Alarm Source: Owner: AWS SourceIdentifier: CLOUDWATCH_ALARM_ACTION_CHECK Type: AWS::Config::ConfigRule CloudwatchLogGroupEncrypted: Properties: ConfigRuleName: cloudwatch-log-group-encrypted Source: Owner: AWS SourceIdentifier: CLOUDWATCH_LOG_GROUP_ENCRYPTED Type: AWS::Config::ConfigRule CodebuildProjectEnvvarAwscredCheck: Properties: ConfigRuleName: codebuild-project-envvar-awscred-check Scope: ComplianceResourceTypes: - AWS::CodeBuild::Project Source: Owner: AWS SourceIdentifier: CODEBUILD_PROJECT_ENVVAR_AWSCRED_CHECK Type: AWS::Config::ConfigRule CodebuildProjectSourceRepoUrlCheck: Properties: ConfigRuleName: codebuild-project-source-repo-url-check Scope: ComplianceResourceTypes: - AWS::CodeBuild::Project Source: Owner: AWS SourceIdentifier: CODEBUILD_PROJECT_SOURCE_REPO_URL_CHECK Type: AWS::Config::ConfigRule DbInstanceBackupEnabled: Properties: ConfigRuleName: db-instance-backup-enabled Scope: ComplianceResourceTypes: - AWS::RDS::DBInstance Source: Owner: AWS SourceIdentifier: DB_INSTANCE_BACKUP_ENABLED Type: AWS::Config::ConfigRule DmsReplicationNotPublic: Properties: ConfigRuleName: dms-replication-not-public Scope: ComplianceResourceTypes: [] Source: Owner: AWS SourceIdentifier: DMS_REPLICATION_NOT_PUBLIC Type: AWS::Config::ConfigRule 
DynamodbAutoscalingEnabled: Properties: ConfigRuleName: dynamodb-autoscaling-enabled Scope: ComplianceResourceTypes: - AWS::DynamoDB::Table Source: Owner: AWS SourceIdentifier: DYNAMODB_AUTOSCALING_ENABLED Type: AWS::Config::ConfigRule DynamodbPitrEnabled: Properties: ConfigRuleName: dynamodb-pitr-enabled Scope: ComplianceResourceTypes: - AWS::DynamoDB::Table Source: Owner: AWS SourceIdentifier: DYNAMODB_PITR_ENABLED Type: AWS::Config::ConfigRule DynamodbThroughputLimitCheck: Properties: ConfigRuleName: dynamodb-throughput-limit-check Source: Owner: AWS SourceIdentifier: DYNAMODB_THROUGHPUT_LIMIT_CHECK Type: AWS::Config::ConfigRule EbsOptimizedInstance: Properties: ConfigRuleName: ebs-optimized-instance Scope: ComplianceResourceTypes: - AWS::EC2::Instance Source: Owner: AWS SourceIdentifier: EBS_OPTIMIZED_INSTANCE Type: AWS::Config::ConfigRule EbsSnapshotPublicRestorableCheck: Properties: ConfigRuleName: ebs-snapshot-public-restorable-check Source: Owner: AWS SourceIdentifier: EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK Type: AWS::Config::ConfigRule Ec2InstanceDetailedMonitoringEnabled: Properties: ConfigRuleName: ec2-instance-detailed-monitoring-enabled Scope: ComplianceResourceTypes: - AWS::EC2::Instance Source: Owner: AWS SourceIdentifier: EC2_INSTANCE_DETAILED_MONITORING_ENABLED Type: AWS::Config::ConfigRule Ec2InstanceManagedBySsm: Properties: ConfigRuleName: ec2-instance-managed-by-systems-manager Scope: ComplianceResourceTypes: - AWS::EC2::Instance - AWS::SSM::ManagedInstanceInventory Source: Owner: AWS SourceIdentifier: EC2_INSTANCE_MANAGED_BY_SSM Type: AWS::Config::ConfigRule Ec2InstanceNoPublicIp: Properties: ConfigRuleName: ec2-instance-no-public-ip Scope: ComplianceResourceTypes: - AWS::EC2::Instance Source: Owner: AWS SourceIdentifier: EC2_INSTANCE_NO_PUBLIC_IP Type: AWS::Config::ConfigRule Ec2ManagedinstanceAssociationComplianceStatusCheck: Properties: ConfigRuleName: ec2-managedinstance-association-compliance-status-check Scope: ComplianceResourceTypes: - 
AWS::SSM::AssociationCompliance Source: Owner: AWS SourceIdentifier: EC2_MANAGEDINSTANCE_ASSOCIATION_COMPLIANCE_STATUS_CHECK Type: AWS::Config::ConfigRule Ec2ManagedinstancePatchComplianceStatusCheck: Properties: ConfigRuleName: ec2-managedinstance-patch-compliance-status-check Scope: ComplianceResourceTypes: - AWS::SSM::PatchCompliance Source: Owner: AWS SourceIdentifier: EC2_MANAGEDINSTANCE_PATCH_COMPLIANCE_STATUS_CHECK Type: AWS::Config::ConfigRule Ec2SecurityGroupAttachedToEni: Properties: ConfigRuleName: ec2-security-group-attached-to-eni Scope: ComplianceResourceTypes: - AWS::EC2::SecurityGroup Source: Owner: AWS SourceIdentifier: EC2_SECURITY_GROUP_ATTACHED_TO_ENI Type: AWS::Config::ConfigRule Ec2StoppedInstance: Properties: ConfigRuleName: ec2-stopped-instance Source: Owner: AWS SourceIdentifier: EC2_STOPPED_INSTANCE Type: AWS::Config::ConfigRule Ec2VolumeInuseCheck: Properties: ConfigRuleName: ec2-volume-inuse-check Scope: ComplianceResourceTypes: - AWS::EC2::Volume Source: Owner: AWS SourceIdentifier: EC2_VOLUME_INUSE_CHECK Type: AWS::Config::ConfigRule EfsEncryptedCheck: Properties: ConfigRuleName: efs-encrypted-check Source: Owner: AWS SourceIdentifier: EFS_ENCRYPTED_CHECK Type: AWS::Config::ConfigRule EipAttached: Properties: ConfigRuleName: eip-attached Scope: ComplianceResourceTypes: - AWS::EC2::EIP Source: Owner: AWS SourceIdentifier: EIP_ATTACHED Type: AWS::Config::ConfigRule ElasticacheRedisClusterAutomaticBackupCheck: Properties: ConfigRuleName: elasticache-redis-cluster-automatic-backup-check Source: Owner: AWS SourceIdentifier: ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK Type: AWS::Config::ConfigRule ElasticsearchEncryptedAtRest: Properties: ConfigRuleName: elasticsearch-encrypted-at-rest Source: Owner: AWS SourceIdentifier: ELASTICSEARCH_ENCRYPTED_AT_REST Type: AWS::Config::ConfigRule ElasticsearchInVpcOnly: Properties: ConfigRuleName: elasticsearch-in-vpc-only Source: Owner: AWS SourceIdentifier: ELASTICSEARCH_IN_VPC_ONLY Type: 
AWS::Config::ConfigRule ElbAcmCertificateRequired: Properties: ConfigRuleName: elb-acm-certificate-required Scope: ComplianceResourceTypes: - AWS::ElasticLoadBalancing::LoadBalancer Source: Owner: AWS SourceIdentifier: ELB_ACM_CERTIFICATE_REQUIRED Type: AWS::Config::ConfigRule ElbDeletionProtectionEnabled: Properties: ConfigRuleName: elb-deletion-protection-enabled Scope: ComplianceResourceTypes: - AWS::ElasticLoadBalancingV2::LoadBalancer Source: Owner: AWS SourceIdentifier: ELB_DELETION_PROTECTION_ENABLED Type: AWS::Config::ConfigRule ElbLoggingEnabled: Properties: ConfigRuleName: elb-logging-enabled Scope: ComplianceResourceTypes: - AWS::ElasticLoadBalancing::LoadBalancer - AWS::ElasticLoadBalancingV2::LoadBalancer Source: Owner: AWS SourceIdentifier: ELB_LOGGING_ENABLED Type: AWS::Config::ConfigRule EmrKerberosEnabled: Properties: ConfigRuleName: emr-kerberos-enabled Source: Owner: AWS SourceIdentifier: EMR_KERBEROS_ENABLED Type: AWS::Config::ConfigRule EmrMasterNoPublicIp: Properties: ConfigRuleName: emr-master-no-public-ip Scope: ComplianceResourceTypes: [] Source: Owner: AWS SourceIdentifier: EMR_MASTER_NO_PUBLIC_IP Type: AWS::Config::ConfigRule EncryptedVolumes: Properties: ConfigRuleName: encrypted-volumes Scope: ComplianceResourceTypes: - AWS::EC2::Volume Source: Owner: AWS SourceIdentifier: ENCRYPTED_VOLUMES Type: AWS::Config::ConfigRule GuarddutyEnabledCentralized: Properties: ConfigRuleName: guardduty-enabled-centralized Source: Owner: AWS SourceIdentifier: GUARDDUTY_ENABLED_CENTRALIZED Type: AWS::Config::ConfigRule GuarddutyNonArchivedFindings: Properties: ConfigRuleName: guardduty-non-archived-findings InputParameters: daysHighSev: Fn::If: - guarddutyNonArchivedFindingsParamDaysHighSev - Ref: GuarddutyNonArchivedFindingsParamDaysHighSev - Ref: AWS::NoValue daysLowSev: Fn::If: - guarddutyNonArchivedFindingsParamDaysLowSev - Ref: GuarddutyNonArchivedFindingsParamDaysLowSev - Ref: AWS::NoValue daysMediumSev: Fn::If: - 
guarddutyNonArchivedFindingsParamDaysMediumSev - Ref: GuarddutyNonArchivedFindingsParamDaysMediumSev - Ref: AWS::NoValue Source: Owner: AWS SourceIdentifier: GUARDDUTY_NON_ARCHIVED_FINDINGS Type: AWS::Config::ConfigRule IamGroupHasUsersCheck: Properties: ConfigRuleName: iam-group-has-users-check Scope: ComplianceResourceTypes: - AWS::IAM::Group Source: Owner: AWS SourceIdentifier: IAM_GROUP_HAS_USERS_CHECK Type: AWS::Config::ConfigRule IamPasswordPolicy: Properties: ConfigRuleName: iam-password-policy InputParameters: MaxPasswordAge: Fn::If: - iamPasswordPolicyParamMaxPasswordAge - Ref: IamPasswordPolicyParamMaxPasswordAge - Ref: AWS::NoValue MinimumPasswordLength: Fn::If: - iamPasswordPolicyParamMinimumPasswordLength - Ref: IamPasswordPolicyParamMinimumPasswordLength - Ref: AWS::NoValue PasswordReusePrevention: Fn::If: - iamPasswordPolicyParamPasswordReusePrevention - Ref: IamPasswordPolicyParamPasswordReusePrevention - Ref: AWS::NoValue RequireLowercaseCharacters: Fn::If: - iamPasswordPolicyParamRequireLowercaseCharacters - Ref: IamPasswordPolicyParamRequireLowercaseCharacters - Ref: AWS::NoValue RequireNumbers: Fn::If: - iamPasswordPolicyParamRequireNumbers - Ref: IamPasswordPolicyParamRequireNumbers - Ref: AWS::NoValue RequireSymbols: Fn::If: - iamPasswordPolicyParamRequireSymbols - Ref: IamPasswordPolicyParamRequireSymbols - Ref: AWS::NoValue RequireUppercaseCharacters: Fn::If: - iamPasswordPolicyParamRequireUppercaseCharacters - Ref: IamPasswordPolicyParamRequireUppercaseCharacters - Ref: AWS::NoValue Source: Owner: AWS SourceIdentifier: IAM_PASSWORD_POLICY Type: AWS::Config::ConfigRule IamPolicyNoStatementsWithAdminAccess: Properties: ConfigRuleName: iam-policy-no-statements-with-admin-access Scope: ComplianceResourceTypes: - AWS::IAM::Policy Source: Owner: AWS SourceIdentifier: IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS Type: AWS::Config::ConfigRule IamRootAccessKeyCheck: Properties: ConfigRuleName: iam-root-access-key-check Source: Owner: AWS 
SourceIdentifier: IAM_ROOT_ACCESS_KEY_CHECK Type: AWS::Config::ConfigRule IamUserGroupMembershipCheck: Properties: ConfigRuleName: iam-user-group-membership-check Scope: ComplianceResourceTypes: - AWS::IAM::User Source: Owner: AWS SourceIdentifier: IAM_USER_GROUP_MEMBERSHIP_CHECK Type: AWS::Config::ConfigRule IamUserMfaEnabled: Properties: ConfigRuleName: iam-user-mfa-enabled Source: Owner: AWS SourceIdentifier: IAM_USER_MFA_ENABLED Type: AWS::Config::ConfigRule IamUserNoPoliciesCheck: Properties: ConfigRuleName: iam-user-no-policies-check Scope: ComplianceResourceTypes: - AWS::IAM::User Source: Owner: AWS SourceIdentifier: IAM_USER_NO_POLICIES_CHECK Type: AWS::Config::ConfigRule IamUserUnusedCredentialsCheck: Properties: ConfigRuleName: iam-user-unused-credentials-check InputParameters: maxCredentialUsageAge: Fn::If: - iamUserUnusedCredentialsCheckParamMaxCredentialUsageAge - Ref: IamUserUnusedCredentialsCheckParamMaxCredentialUsageAge - Ref: AWS::NoValue Source: Owner: AWS SourceIdentifier: IAM_USER_UNUSED_CREDENTIALS_CHECK Type: AWS::Config::ConfigRule IncomingSshDisabled: Properties: ConfigRuleName: restricted-ssh Scope: ComplianceResourceTypes: - AWS::EC2::SecurityGroup Source: Owner: AWS SourceIdentifier: INCOMING_SSH_DISABLED Type: AWS::Config::ConfigRule InstancesInVpc: Properties: ConfigRuleName: ec2-instances-in-vpc Scope: ComplianceResourceTypes: - AWS::EC2::Instance Source: Owner: AWS SourceIdentifier: INSTANCES_IN_VPC Type: AWS::Config::ConfigRule InternetGatewayAuthorizedVpcOnly: Properties: ConfigRuleName: internet-gateway-authorized-vpc-only Scope: ComplianceResourceTypes: - AWS::EC2::InternetGateway Source: Owner: AWS SourceIdentifier: INTERNET_GATEWAY_AUTHORIZED_VPC_ONLY Type: AWS::Config::ConfigRule KmsCmkNotScheduledForDeletion: Properties: ConfigRuleName: kms-cmk-not-scheduled-for-deletion Scope: ComplianceResourceTypes: - AWS::KMS::Key Source: Owner: AWS SourceIdentifier: KMS_CMK_NOT_SCHEDULED_FOR_DELETION Type: AWS::Config::ConfigRule 
LambdaConcurrencyCheck: Properties: ConfigRuleName: lambda-concurrency-check Scope: ComplianceResourceTypes: - AWS::Lambda::Function Source: Owner: AWS SourceIdentifier: LAMBDA_CONCURRENCY_CHECK Type: AWS::Config::ConfigRule LambdaDlqCheck: Properties: ConfigRuleName: lambda-dlq-check Scope: ComplianceResourceTypes: - AWS::Lambda::Function Source: Owner: AWS SourceIdentifier: LAMBDA_DLQ_CHECK Type: AWS::Config::ConfigRule LambdaFunctionPublicAccessProhibited: Properties: ConfigRuleName: lambda-function-public-access-prohibited Scope: ComplianceResourceTypes: - AWS::Lambda::Function Source: Owner: AWS SourceIdentifier: LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED Type: AWS::Config::ConfigRule LambdaInsideVpc: Properties: ConfigRuleName: lambda-inside-vpc Scope: ComplianceResourceTypes: - AWS::Lambda::Function Source: Owner: AWS SourceIdentifier: LAMBDA_INSIDE_VPC Type: AWS::Config::ConfigRule MfaEnabledForIamConsoleAccess: Properties: ConfigRuleName: mfa-enabled-for-iam-console-access Source: Owner: AWS SourceIdentifier: MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS Type: AWS::Config::ConfigRule MultiRegionCloudTrailEnabled: Properties: ConfigRuleName: multi-region-cloudtrail-enabled Source: Owner: AWS SourceIdentifier: MULTI_REGION_CLOUD_TRAIL_ENABLED Type: AWS::Config::ConfigRule RdsEnhancedMonitoringEnabled: Properties: ConfigRuleName: rds-enhanced-monitoring-enabled Scope: ComplianceResourceTypes: - AWS::RDS::DBInstance Source: Owner: AWS SourceIdentifier: RDS_ENHANCED_MONITORING_ENABLED Type: AWS::Config::ConfigRule RdsInstancePublicAccessCheck: Properties: ConfigRuleName: rds-instance-public-access-check Scope: ComplianceResourceTypes: - AWS::RDS::DBInstance Source: Owner: AWS SourceIdentifier: RDS_INSTANCE_PUBLIC_ACCESS_CHECK Type: AWS::Config::ConfigRule RdsMultiAzSupport: Properties: ConfigRuleName: rds-multi-az-support Scope: ComplianceResourceTypes: - AWS::RDS::DBInstance Source: Owner: AWS SourceIdentifier: RDS_MULTI_AZ_SUPPORT Type: AWS::Config::ConfigRule 
RdsSnapshotsPublicProhibited: Properties: ConfigRuleName: rds-snapshots-public-prohibited Scope: ComplianceResourceTypes: - AWS::RDS::DBSnapshot - AWS::RDS::DBClusterSnapshot Source: Owner: AWS SourceIdentifier: RDS_SNAPSHOTS_PUBLIC_PROHIBITED Type: AWS::Config::ConfigRule RdsStorageEncrypted: Properties: ConfigRuleName: rds-storage-encrypted Scope: ComplianceResourceTypes: - AWS::RDS::DBInstance Source: Owner: AWS SourceIdentifier: RDS_STORAGE_ENCRYPTED Type: AWS::Config::ConfigRule RedshiftClusterConfigurationCheck: Properties: ConfigRuleName: redshift-cluster-configuration-check InputParameters: clusterDbEncrypted: 'TRUE' loggingEnabled: 'TRUE' Scope: ComplianceResourceTypes: - AWS::Redshift::Cluster Source: Owner: AWS SourceIdentifier: REDSHIFT_CLUSTER_CONFIGURATION_CHECK Type: AWS::Config::ConfigRule RedshiftClusterPublicAccessCheck: Properties: ConfigRuleName: redshift-cluster-public-access-check Scope: ComplianceResourceTypes: - AWS::Redshift::Cluster Source: Owner: AWS SourceIdentifier: REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK Type: AWS::Config::ConfigRule RedshiftRequireTlsSsl: Properties: ConfigRuleName: redshift-require-tls-ssl Scope: ComplianceResourceTypes: - AWS::Redshift::Cluster Source: Owner: AWS SourceIdentifier: REDSHIFT_REQUIRE_TLS_SSL Type: AWS::Config::ConfigRule RestrictedIncomingTraffic: Properties: ConfigRuleName: restricted-common-ports InputParameters: blockedPort1: Fn::If: - restrictedIncomingTrafficParamBlockedPort1 - Ref: RestrictedIncomingTrafficParamBlockedPort1 - Ref: AWS::NoValue blockedPort2: Fn::If: - restrictedIncomingTrafficParamBlockedPort2 - Ref: RestrictedIncomingTrafficParamBlockedPort2 - Ref: AWS::NoValue blockedPort3: Fn::If: - restrictedIncomingTrafficParamBlockedPort3 - Ref: RestrictedIncomingTrafficParamBlockedPort3 - Ref: AWS::NoValue blockedPort4: Fn::If: - restrictedIncomingTrafficParamBlockedPort4 - Ref: RestrictedIncomingTrafficParamBlockedPort4 - Ref: AWS::NoValue blockedPort5: Fn::If: - 
restrictedIncomingTrafficParamBlockedPort5 - Ref: RestrictedIncomingTrafficParamBlockedPort5 - Ref: AWS::NoValue Scope: ComplianceResourceTypes: - AWS::EC2::SecurityGroup Source: Owner: AWS SourceIdentifier: RESTRICTED_INCOMING_TRAFFIC Type: AWS::Config::ConfigRule RootAccountHardwareMfaEnabled: Properties: ConfigRuleName: root-account-hardware-mfa-enabled Source: Owner: AWS SourceIdentifier: ROOT_ACCOUNT_HARDWARE_MFA_ENABLED Type: AWS::Config::ConfigRule RootAccountMfaEnabled: Properties: ConfigRuleName: root-account-mfa-enabled Source: Owner: AWS SourceIdentifier: ROOT_ACCOUNT_MFA_ENABLED Type: AWS::Config::ConfigRule S3AccountLevelPublicAccessBlocks: Properties: ConfigRuleName: s3-account-level-public-access-blocks InputParameters: BlockPublicAcls: Fn::If: - s3AccountLevelPublicAccessBlocksParamBlockPublicAcls - Ref: S3AccountLevelPublicAccessBlocksParamBlockPublicAcls - Ref: AWS::NoValue BlockPublicPolicy: Fn::If: - s3AccountLevelPublicAccessBlocksParamBlockPublicPolicy - Ref: S3AccountLevelPublicAccessBlocksParamBlockPublicPolicy - Ref: AWS::NoValue IgnorePublicAcls: Fn::If: - s3AccountLevelPublicAccessBlocksParamIgnorePublicAcls - Ref: S3AccountLevelPublicAccessBlocksParamIgnorePublicAcls - Ref: AWS::NoValue RestrictPublicBuckets: Fn::If: - s3AccountLevelPublicAccessBlocksParamRestrictPublicBuckets - Ref: S3AccountLevelPublicAccessBlocksParamRestrictPublicBuckets - Ref: AWS::NoValue Scope: ComplianceResourceTypes: - AWS::S3::AccountPublicAccessBlock Source: Owner: AWS SourceIdentifier: S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS Type: AWS::Config::ConfigRule S3BucketDefaultLockEnabled: Properties: ConfigRuleName: s3-bucket-default-lock-enabled Scope: ComplianceResourceTypes: - AWS::S3::Bucket Source: Owner: AWS SourceIdentifier: S3_BUCKET_DEFAULT_LOCK_ENABLED Type: AWS::Config::ConfigRule S3BucketLoggingEnabled: Properties: ConfigRuleName: s3-bucket-logging-enabled Scope: ComplianceResourceTypes: - AWS::S3::Bucket Source: Owner: AWS SourceIdentifier: 
S3_BUCKET_LOGGING_ENABLED Type: AWS::Config::ConfigRule S3BucketPolicyGranteeCheck: Properties: ConfigRuleName: s3-bucket-policy-grantee-check Scope: ComplianceResourceTypes: - AWS::S3::Bucket Source: Owner: AWS SourceIdentifier: S3_BUCKET_POLICY_GRANTEE_CHECK Type: AWS::Config::ConfigRule S3BucketPublicReadProhibited: Properties: ConfigRuleName: s3-bucket-public-read-prohibited Scope: ComplianceResourceTypes: - AWS::S3::Bucket Source: Owner: AWS SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED Type: AWS::Config::ConfigRule S3BucketPublicWriteProhibited: Properties: ConfigRuleName: s3-bucket-public-write-prohibited Scope: ComplianceResourceTypes: - AWS::S3::Bucket Source: Owner: AWS SourceIdentifier: S3_BUCKET_PUBLIC_WRITE_PROHIBITED Type: AWS::Config::ConfigRule S3BucketReplicationEnabled: Properties: ConfigRuleName: s3-bucket-replication-enabled Scope: ComplianceResourceTypes: - AWS::S3::Bucket Source: Owner: AWS SourceIdentifier: S3_BUCKET_REPLICATION_ENABLED Type: AWS::Config::ConfigRule S3BucketServerSideEncryptionEnabled: Properties: ConfigRuleName: s3-bucket-server-side-encryption-enabled Scope: ComplianceResourceTypes: - AWS::S3::Bucket Source: Owner: AWS SourceIdentifier: S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED Type: AWS::Config::ConfigRule S3BucketSslRequestsOnly: Properties: ConfigRuleName: s3-bucket-ssl-requests-only Scope: ComplianceResourceTypes: - AWS::S3::Bucket Source: Owner: AWS SourceIdentifier: S3_BUCKET_SSL_REQUESTS_ONLY Type: AWS::Config::ConfigRule S3BucketVersioningEnabled: Properties: ConfigRuleName: s3-bucket-versioning-enabled Scope: ComplianceResourceTypes: - AWS::S3::Bucket Source: Owner: AWS SourceIdentifier: S3_BUCKET_VERSIONING_ENABLED Type: AWS::Config::ConfigRule SagemakerEndpointConfigurationKmsKeyConfigured: Properties: ConfigRuleName: sagemaker-endpoint-configuration-kms-key-configured Source: Owner: AWS SourceIdentifier: SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED Type: AWS::Config::ConfigRule 
SagemakerNotebookInstanceKmsKeyConfigured: Properties: ConfigRuleName: sagemaker-notebook-instance-kms-key-configured Source: Owner: AWS SourceIdentifier: SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED Type: AWS::Config::ConfigRule SagemakerNotebookNoDirectInternetAccess: Properties: ConfigRuleName: sagemaker-notebook-no-direct-internet-access Source: Owner: AWS SourceIdentifier: SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS Type: AWS::Config::ConfigRule SecretsmanagerRotationEnabledCheck: Properties: ConfigRuleName: secretsmanager-rotation-enabled-check Scope: ComplianceResourceTypes: - AWS::SecretsManager::Secret Source: Owner: AWS SourceIdentifier: SECRETSMANAGER_ROTATION_ENABLED_CHECK Type: AWS::Config::ConfigRule SecretsmanagerScheduledRotationSuccessCheck: Properties: ConfigRuleName: secretsmanager-scheduled-rotation-success-check Scope: ComplianceResourceTypes: - AWS::SecretsManager::Secret Source: Owner: AWS SourceIdentifier: SECRETSMANAGER_SCHEDULED_ROTATION_SUCCESS_CHECK Type: AWS::Config::ConfigRule SecurityhubEnabled: Properties: ConfigRuleName: securityhub-enabled Source: Owner: AWS SourceIdentifier: SECURITYHUB_ENABLED Type: AWS::Config::ConfigRule SnsEncryptedKms: Properties: ConfigRuleName: sns-encrypted-kms Scope: ComplianceResourceTypes: - AWS::SNS::Topic Source: Owner: AWS SourceIdentifier: SNS_ENCRYPTED_KMS Type: AWS::Config::ConfigRule VpcDefaultSecurityGroupClosed: Properties: ConfigRuleName: vpc-default-security-group-closed Scope: ComplianceResourceTypes: - AWS::EC2::SecurityGroup Source: Owner: AWS SourceIdentifier: VPC_DEFAULT_SECURITY_GROUP_CLOSED Type: AWS::Config::ConfigRule VpcFlowLogsEnabled: Properties: ConfigRuleName: vpc-flow-logs-enabled Source: Owner: AWS SourceIdentifier: VPC_FLOW_LOGS_ENABLED Type: AWS::Config::ConfigRule VpcSgOpenOnlyToAuthorizedPorts: Properties: ConfigRuleName: vpc-sg-open-only-to-authorized-ports Scope: ComplianceResourceTypes: - AWS::EC2::SecurityGroup Source: Owner: AWS SourceIdentifier: 
VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS Type: AWS::Config::ConfigRule VpcVpn2TunnelsUp: Properties: ConfigRuleName: vpc-vpn-2-tunnels-up Scope: ComplianceResourceTypes: - AWS::EC2::VPNConnection Source: Owner: AWS SourceIdentifier: VPC_VPN_2_TUNNELS_UP Type: AWS::Config::ConfigRule Conditions: accessKeysRotatedParamMaxAccessKeyAge: Fn::Not: - Fn::Equals: - '' - Ref: AccessKeysRotatedParamMaxAccessKeyAge acmCertificateExpirationCheckParamDaysToExpiration: Fn::Not: - Fn::Equals: - '' - Ref: AcmCertificateExpirationCheckParamDaysToExpiration guarddutyNonArchivedFindingsParamDaysHighSev: Fn::Not: - Fn::Equals: - '' - Ref: GuarddutyNonArchivedFindingsParamDaysHighSev guarddutyNonArchivedFindingsParamDaysLowSev: Fn::Not: - Fn::Equals: - '' - Ref: GuarddutyNonArchivedFindingsParamDaysLowSev guarddutyNonArchivedFindingsParamDaysMediumSev: Fn::Not: - Fn::Equals: - '' - Ref: GuarddutyNonArchivedFindingsParamDaysMediumSev iamPasswordPolicyParamMaxPasswordAge: Fn::Not: - Fn::Equals: - '' - Ref: IamPasswordPolicyParamMaxPasswordAge iamPasswordPolicyParamMinimumPasswordLength: Fn::Not: - Fn::Equals: - '' - Ref: IamPasswordPolicyParamMinimumPasswordLength iamPasswordPolicyParamPasswordReusePrevention: Fn::Not: - Fn::Equals: - '' - Ref: IamPasswordPolicyParamPasswordReusePrevention iamPasswordPolicyParamRequireLowercaseCharacters: Fn::Not: - Fn::Equals: - '' - Ref: IamPasswordPolicyParamRequireLowercaseCharacters iamPasswordPolicyParamRequireNumbers: Fn::Not: - Fn::Equals: - '' - Ref: IamPasswordPolicyParamRequireNumbers iamPasswordPolicyParamRequireSymbols: Fn::Not: - Fn::Equals: - '' - Ref: IamPasswordPolicyParamRequireSymbols iamPasswordPolicyParamRequireUppercaseCharacters: Fn::Not: - Fn::Equals: - '' - Ref: IamPasswordPolicyParamRequireUppercaseCharacters iamUserUnusedCredentialsCheckParamMaxCredentialUsageAge: Fn::Not: - Fn::Equals: - '' - Ref: IamUserUnusedCredentialsCheckParamMaxCredentialUsageAge restrictedIncomingTrafficParamBlockedPort1: Fn::Not: - Fn::Equals: - '' - Ref: 
RestrictedIncomingTrafficParamBlockedPort1 restrictedIncomingTrafficParamBlockedPort2: Fn::Not: - Fn::Equals: - '' - Ref: RestrictedIncomingTrafficParamBlockedPort2 restrictedIncomingTrafficParamBlockedPort3: Fn::Not: - Fn::Equals: - '' - Ref: RestrictedIncomingTrafficParamBlockedPort3 restrictedIncomingTrafficParamBlockedPort4: Fn::Not: - Fn::Equals: - '' - Ref: RestrictedIncomingTrafficParamBlockedPort4 restrictedIncomingTrafficParamBlockedPort5: Fn::Not: - Fn::Equals: - '' - Ref: RestrictedIncomingTrafficParamBlockedPort5 s3AccountLevelPublicAccessBlocksParamBlockPublicAcls: Fn::Not: - Fn::Equals: - '' - Ref: S3AccountLevelPublicAccessBlocksParamBlockPublicAcls s3AccountLevelPublicAccessBlocksParamBlockPublicPolicy: Fn::Not: - Fn::Equals: - '' - Ref: S3AccountLevelPublicAccessBlocksParamBlockPublicPolicy s3AccountLevelPublicAccessBlocksParamIgnorePublicAcls: Fn::Not: - Fn::Equals: - '' - Ref: S3AccountLevelPublicAccessBlocksParamIgnorePublicAcls s3AccountLevelPublicAccessBlocksParamRestrictPublicBuckets: Fn::Not: - Fn::Equals: - '' - Ref: S3AccountLevelPublicAccessBlocksParamRestrictPublicBuckets DependsOn: - ConfigEnabledPromiseConfigRecorder0A75B039 Metadata: aws:cdk:path: AwsDiGavBlueprint/ConfigPacks/CP-Operational-Best-Practices-for-NIST-CSF ConfigPacksCPAWSControlTowerDetectiveGuardrailsConformancePack9184C90A: Type: AWS::Config::ConformancePack Properties: ConformancePackName: AWS-Control-Tower-Detective-Guardrails-Conformance-Pack ConformancePackInputParameters: [] DeliveryS3Bucket: Ref: ConfigEnabledPromiseConfigBucket2F967063 DeliveryS3KeyPrefix: AWS-Control-Tower-Detective-Guardrails-Conformance-Pack TemplateBody: |- ################################################################################### # # Conformance Pack: # AWS Control Tower Detective Guardrails Conformance Pack # # The AWS Control Tower detective guardrails conformance pack contains all of the # AWS Config Rules based guardrails from AWS Control Tower. 
Use this conformance # pack to apply AWS Control Tower detective guardrails to your existing accounts # prior to enrolling them in AWS Control Tower or to manage resources in your # accounts in regions not currently supported by AWS Control Tower. ################################################################################### Resources: CheckForEbsOptimizedInstance: Type: AWS::Config::ConfigRule Properties: ConfigRuleName: CheckForEbsOptimizedInstance Description: Disallow launch of EC2 instance types that are not EBS-optimized - Checks whether EBS optimization is enabled for your EC2 instances that can be EBS-optimized Source: Owner: AWS SourceIdentifier: EBS_OPTIMIZED_INSTANCE Scope: ComplianceResourceTypes: - AWS::EC2::Instance CheckForEc2VolumesInUse: Type: AWS::Config::ConfigRule Properties: ConfigRuleName: CheckForEc2VolumesInUs Description: Disallow EBS volumes that are unattached to an EC2 instance - Checks whether EBS volumes are attached to EC2 instances InputParameters: deleteOnTermination: true Source: Owner: AWS SourceIdentifier: EC2_VOLUME_INUSE_CHECK Scope: ComplianceResourceTypes: - AWS::EC2::Volume CheckForEncryptedVolumes: Type: AWS::Config::ConfigRule Properties: ConfigRuleName: CheckForEncryptedVolumes Description: Enable encryption for EBS volumes attached to EC2 instances - Checks whether EBS volumes that are in an attached state are encrypted. Source: Owner: AWS SourceIdentifier: ENCRYPTED_VOLUMES Scope: ComplianceResourceTypes: - AWS::EC2::Volume CheckForIAMUserMFA: Type: AWS::Config::ConfigRule Properties: ConfigRuleName: CheckForIAMUserMFA Description: Disallow access to IAM users without MFA - Checks whether the AWS Identity and Access Management users have multi-factor authentication (MFA) enabled. The rule is COMPLIANT if MFA is enabled. 
Source: Owner: AWS SourceIdentifier: IAM_USER_MFA_ENABLED MaximumExecutionFrequency: One_Hour CheckForIAMUserConsoleMFA: Type: AWS::Config::ConfigRule Properties: ConfigRuleName: CheckForIAMUserConsoleMFA Description: Disallow console access to IAM users without MFA - Checks whether AWS Multi-Factor Authentication (MFA) is enabled for all AWS Identity and Access Management (IAM) users that use a console password. The rule is COMPLIANT if MFA is enabled. Source: Owner: AWS SourceIdentifier: MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS MaximumExecutionFrequency: One_Hour CheckForRdsPublicAccess: Type: AWS::Config::ConfigRule Properties: ConfigRuleName: CheckForRdsPublicAccess Description: Disallow public access to RDS database instances - Checks whether the Amazon Relational Database Service (RDS) instances are not publicly accessible. The rule is non-compliant if the publiclyAccessible field is true in the instance configuration item. Source: Owner: AWS SourceIdentifier: RDS_INSTANCE_PUBLIC_ACCESS_CHECK Scope: ComplianceResourceTypes: - AWS::RDS::DBInstance CheckForPublicRdsSnapshots: Type: AWS::Config::ConfigRule Properties: ConfigRuleName: CheckForPublicRdsSnapshots Description: Disallow public access to RDS database snapshots - Checks if Amazon Relational Database Service (Amazon RDS) snapshots are public. The rule is non-compliant if any existing and new Amazon RDS snapshots are public. Source: Owner: AWS SourceIdentifier: RDS_SNAPSHOTS_PUBLIC_PROHIBITED Scope: ComplianceResourceTypes: - AWS::RDS::DBSnapshot CheckForRdsStorageEncryption: Type: AWS::Config::ConfigRule Properties: ConfigRuleName: CheckForRdsStorageEncryption Description: Disallow RDS database instances that are not storage encrypted - Checks whether storage encryption is enabled for your RDS DB instances. 
Source: Owner: AWS SourceIdentifier: RDS_STORAGE_ENCRYPTED Scope: ComplianceResourceTypes: - AWS::RDS::DBInstance CheckForRestrictedCommonPortsPolicy: Type: AWS::Config::ConfigRule Properties: ConfigRuleName: CheckForRestrictedCommonPortsPolicy Description: Disallow internet connection through RDP - Checks whether security groups that are in use disallow unrestricted incoming TCP traffic to the specified ports. InputParameters: blockedPort1: 20 blockedPort2: 21 blockedPort3: 3389 blockedPort4: 3306 blockedPort5: 4333 Scope: ComplianceResourceTypes: - AWS::EC2::SecurityGroup Source: Owner: AWS SourceIdentifier: RESTRICTED_INCOMING_TRAFFIC CheckForRestrictedSshPolicy: Type: AWS::Config::ConfigRule Properties: ConfigRuleName: CheckForRestrictedSshPolicy Description: Disallow internet connection through SSH - Checks whether security groups that are in use disallow unrestricted incoming SSH traffic. Scope: ComplianceResourceTypes: - AWS::EC2::SecurityGroup Source: Owner: AWS SourceIdentifier: INCOMING_SSH_DISABLED CheckForRootMfa: Type: AWS::Config::ConfigRule Properties: ConfigRuleName: CheckForRootMfa Description: Enable MFA for the root user - Checks whether the root user of your AWS account requires multi-factor authentication for console sign-in. Source: Owner: AWS SourceIdentifier: ROOT_ACCOUNT_MFA_ENABLED MaximumExecutionFrequency: One_Hour CheckForS3PublicRead: Type: AWS::Config::ConfigRule Properties: ConfigRuleName: CheckForS3PublicRead Description: Disallow public read access to S3 buckets - Checks that your S3 buckets do not allow public read access. If an S3 bucket policy or bucket ACL allows public read access, the bucket is noncompliant. 
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED
              Scope:
                ComplianceResourceTypes:
                  - AWS::S3::Bucket
          CheckForS3PublicWrite:
            Type: AWS::Config::ConfigRule
            Properties:
              ConfigRuleName: CheckForS3PublicWrite
              Description: Disallow public write access to S3 buckets - Checks that your S3 buckets do not allow public write access. If an S3 bucket policy or bucket ACL allows public write access, the bucket is noncompliant.
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_PUBLIC_WRITE_PROHIBITED
              Scope:
                ComplianceResourceTypes:
                  - AWS::S3::Bucket
          CheckForS3VersioningEnabled:
            Type: AWS::Config::ConfigRule
            Properties:
              ConfigRuleName: CheckForS3VersioningEnabled
              Description: Disallow S3 buckets that are not versioning enabled - Checks whether versioning is enabled for your S3 buckets.
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_VERSIONING_ENABLED
              Scope:
                ComplianceResourceTypes:
                  - AWS::S3::Bucket
    DependsOn:
      - ConfigEnabledPromiseConfigRecorder0A75B039
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/ConfigPacks/CP-AWS-Control-Tower-Detective-Guardrails-Conformance-Pack
  ConfigPacksCPOperationalBestPracticesforHIPAASecurity01583019:
    Type: AWS::Config::ConformancePack
    Properties:
      ConformancePackName: Operational-Best-Practices-for-HIPAA-Security
      ConformancePackInputParameters: []
      DeliveryS3Bucket:
        Ref: ConfigEnabledPromiseConfigBucket2F967063
      DeliveryS3KeyPrefix: Operational-Best-Practices-for-HIPAA-Security
      TemplateBody: |-
        ##################################################################################
        #
        #   Conformance Pack:
        #     Operational Best Practices for HIPAA Security
        #
        #   This conformance pack helps verify compliance with HIPAA Security requirements.
        #
        #   See Parameters section for names and descriptions of required parameters.
        #
        ##################################################################################
        Parameters:
          AccessKeysRotatedParamMaxAccessKeyAge:
            Default: '90'
            Type: String
          CloudwatchAlarmActionCheckParamInsufficientDataActionRequired:
            Default: 'TRUE'
            Type: String
          CloudwatchAlarmActionCheckParamOkActionRequired:
            Default: 'FALSE'
            Type: String
          DynamodbThroughputLimitCheckParamAccountRCUThresholdPercentage:
            Default: '80'
            Type: String
          DynamodbThroughputLimitCheckParamAccountWCUThresholdPercentage:
            Default: '80'
            Type: String
          GuarddutyNonArchivedFindingsParamDaysHighSev:
            Default: '1'
            Type: String
          GuarddutyNonArchivedFindingsParamDaysLowSev:
            Default: '30'
            Type: String
          GuarddutyNonArchivedFindingsParamDaysMediumSev:
            Default: '7'
            Type: String
          IamPasswordPolicyParamMaxPasswordAge:
            Default: '90'
            Type: String
          IamPasswordPolicyParamMinimumPasswordLength:
            Default: '14'
            Type: String
          IamPasswordPolicyParamPasswordReusePrevention:
            Default: '24'
            Type: String
          IamPasswordPolicyParamRequireLowercaseCharacters:
            Default: 'TRUE'
            Type: String
          IamPasswordPolicyParamRequireNumbers:
            Default: 'TRUE'
            Type: String
          IamPasswordPolicyParamRequireSymbols:
            Default: 'TRUE'
            Type: String
          IamPasswordPolicyParamRequireUppercaseCharacters:
            Default: 'TRUE'
            Type: String
          IamUserUnusedCredentialsCheckParamMaxCredentialUsageAge:
            Default: '90'
            Type: String
          InternetGatewayAuthorizedVpcOnlyParamAuthorizedVpcIds:
            Default: ' '
            Type: String
          RestrictedIncomingTrafficParamBlockedPort1:
            Default: '20'
            Type: String
          RestrictedIncomingTrafficParamBlockedPort2:
            Default: '21'
            Type: String
          RestrictedIncomingTrafficParamBlockedPort3:
            Default: '3389'
            Type: String
          RestrictedIncomingTrafficParamBlockedPort4:
            Default: '3306'
            Type: String
          RestrictedIncomingTrafficParamBlockedPort5:
            Default: '4333'
            Type: String
          S3AccountLevelPublicAccessBlocksParamBlockPublicAcls:
            Default: 'True'
            Type: String
          S3AccountLevelPublicAccessBlocksParamBlockPublicPolicy:
            Default: 'True'
            Type: String
          S3AccountLevelPublicAccessBlocksParamIgnorePublicAcls:
            Default: 'True'
            Type: String
          S3AccountLevelPublicAccessBlocksParamRestrictPublicBuckets:
            Default: 'True'
            Type: String
        Resources:
          AccessKeysRotated:
            Properties:
              ConfigRuleName: access-keys-rotated
              InputParameters:
                maxAccessKeyAge:
                  Fn::If:
                    - accessKeysRotatedParamMaxAccessKeyAge
                    - Ref: AccessKeysRotatedParamMaxAccessKeyAge
                    - Ref: AWS::NoValue
              Source:
                Owner: AWS
                SourceIdentifier: ACCESS_KEYS_ROTATED
            Type: AWS::Config::ConfigRule
          AlbHttpToHttpsRedirectionCheck:
            Properties:
              ConfigRuleName: alb-http-to-https-redirection-check
              Source:
                Owner: AWS
                SourceIdentifier: ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK
            Type: AWS::Config::ConfigRule
          ApiGwCacheEnabledAndEncrypted:
            Properties:
              ConfigRuleName: api-gw-cache-enabled-and-encrypted
              Scope:
                ComplianceResourceTypes:
                  - AWS::ApiGateway::Stage
              Source:
                Owner: AWS
                SourceIdentifier: API_GW_CACHE_ENABLED_AND_ENCRYPTED
            Type: AWS::Config::ConfigRule
          ApiGwExecutionLoggingEnabled:
            Properties:
              ConfigRuleName: api-gw-execution-logging-enabled
              Scope:
                ComplianceResourceTypes:
                  - AWS::ApiGateway::Stage
                  - AWS::ApiGatewayV2::Stage
              Source:
                Owner: AWS
                SourceIdentifier: API_GW_EXECUTION_LOGGING_ENABLED
            Type: AWS::Config::ConfigRule
          AutoscalingGroupElbHealthcheckRequired:
            Properties:
              ConfigRuleName: autoscaling-group-elb-healthcheck-required
              Scope:
                ComplianceResourceTypes:
                  - AWS::AutoScaling::AutoScalingGroup
              Source:
                Owner: AWS
                SourceIdentifier: AUTOSCALING_GROUP_ELB_HEALTHCHECK_REQUIRED
            Type: AWS::Config::ConfigRule
          CloudTrailCloudWatchLogsEnabled:
            Properties:
              ConfigRuleName: cloud-trail-cloud-watch-logs-enabled
              Source:
                Owner: AWS
                SourceIdentifier: CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED
            Type: AWS::Config::ConfigRule
          CloudTrailEnabled:
            Properties:
              ConfigRuleName: cloudtrail-enabled
              Source:
                Owner: AWS
                SourceIdentifier: CLOUD_TRAIL_ENABLED
            Type: AWS::Config::ConfigRule
          CloudTrailEncryptionEnabled:
            Properties:
              ConfigRuleName: cloud-trail-encryption-enabled
              Source:
                Owner: AWS
                SourceIdentifier: CLOUD_TRAIL_ENCRYPTION_ENABLED
            Type: AWS::Config::ConfigRule
          CloudTrailLogFileValidationEnabled:
            Properties:
              ConfigRuleName: cloud-trail-log-file-validation-enabled
              Source:
                Owner: AWS
                SourceIdentifier: CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED
            Type: AWS::Config::ConfigRule
          CloudtrailS3DataeventsEnabled:
            Properties:
              ConfigRuleName: cloudtrail-s3-dataevents-enabled
              Source:
                Owner: AWS
                SourceIdentifier: CLOUDTRAIL_S3_DATAEVENTS_ENABLED
            Type: AWS::Config::ConfigRule
          CloudwatchAlarmActionCheck:
            Properties:
              ConfigRuleName: cloudwatch-alarm-action-check
              InputParameters:
                alarmActionRequired: 'TRUE'
                insufficientDataActionRequired:
                  Ref: CloudwatchAlarmActionCheckParamInsufficientDataActionRequired
                okActionRequired:
                  Ref: CloudwatchAlarmActionCheckParamOkActionRequired
              Scope:
                ComplianceResourceTypes:
                  - AWS::CloudWatch::Alarm
              Source:
                Owner: AWS
                SourceIdentifier: CLOUDWATCH_ALARM_ACTION_CHECK
            Type: AWS::Config::ConfigRule
          CloudwatchLogGroupEncrypted:
            Properties:
              ConfigRuleName: cloudwatch-log-group-encrypted
              Source:
                Owner: AWS
                SourceIdentifier: CLOUDWATCH_LOG_GROUP_ENCRYPTED
            Type: AWS::Config::ConfigRule
          CodebuildProjectEnvvarAwscredCheck:
            Properties:
              ConfigRuleName: codebuild-project-envvar-awscred-check
              Scope:
                ComplianceResourceTypes:
                  - AWS::CodeBuild::Project
              Source:
                Owner: AWS
                SourceIdentifier: CODEBUILD_PROJECT_ENVVAR_AWSCRED_CHECK
            Type: AWS::Config::ConfigRule
          CodebuildProjectSourceRepoUrlCheck:
            Properties:
              ConfigRuleName: codebuild-project-source-repo-url-check
              Scope:
                ComplianceResourceTypes:
                  - AWS::CodeBuild::Project
              Source:
                Owner: AWS
                SourceIdentifier: CODEBUILD_PROJECT_SOURCE_REPO_URL_CHECK
            Type: AWS::Config::ConfigRule
          DbInstanceBackupEnabled:
            Properties:
              ConfigRuleName: db-instance-backup-enabled
              Scope:
                ComplianceResourceTypes:
                  - AWS::RDS::DBInstance
              Source:
                Owner: AWS
                SourceIdentifier: DB_INSTANCE_BACKUP_ENABLED
            Type: AWS::Config::ConfigRule
          DmsReplicationNotPublic:
            Properties:
              ConfigRuleName: dms-replication-not-public
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: DMS_REPLICATION_NOT_PUBLIC
            Type: AWS::Config::ConfigRule
          DynamodbAutoscalingEnabled:
            Properties:
              ConfigRuleName: dynamodb-autoscaling-enabled
              Scope:
                ComplianceResourceTypes:
                  - AWS::DynamoDB::Table
              Source:
                Owner: AWS
                SourceIdentifier: DYNAMODB_AUTOSCALING_ENABLED
            Type: AWS::Config::ConfigRule
          DynamodbPitrEnabled:
            Properties:
              ConfigRuleName: dynamodb-pitr-enabled
              Scope:
                ComplianceResourceTypes:
                  - AWS::DynamoDB::Table
              Source:
                Owner: AWS
                SourceIdentifier: DYNAMODB_PITR_ENABLED
            Type: AWS::Config::ConfigRule
          DynamodbThroughputLimitCheck:
            Properties:
              ConfigRuleName: dynamodb-throughput-limit-check
              InputParameters:
                accountRCUThresholdPercentage:
                  Fn::If:
                    - dynamodbThroughputLimitCheckParamAccountRCUThresholdPercentage
                    - Ref: DynamodbThroughputLimitCheckParamAccountRCUThresholdPercentage
                    - Ref: AWS::NoValue
                accountWCUThresholdPercentage:
                  Fn::If:
                    - dynamodbThroughputLimitCheckParamAccountWCUThresholdPercentage
                    - Ref: DynamodbThroughputLimitCheckParamAccountWCUThresholdPercentage
                    - Ref: AWS::NoValue
              Source:
                Owner: AWS
                SourceIdentifier: DYNAMODB_THROUGHPUT_LIMIT_CHECK
            Type: AWS::Config::ConfigRule
          EbsSnapshotPublicRestorableCheck:
            Properties:
              ConfigRuleName: ebs-snapshot-public-restorable-check
              Source:
                Owner: AWS
                SourceIdentifier: EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK
            Type: AWS::Config::ConfigRule
          Ec2EbsEncryptionByDefault:
            Properties:
              ConfigRuleName: ec2-ebs-encryption-by-default
              Source:
                Owner: AWS
                SourceIdentifier: EC2_EBS_ENCRYPTION_BY_DEFAULT
            Type: AWS::Config::ConfigRule
          Ec2InstanceNoPublicIp:
            Properties:
              ConfigRuleName: ec2-instance-no-public-ip
              Scope:
                ComplianceResourceTypes:
                  - AWS::EC2::Instance
              Source:
                Owner: AWS
                SourceIdentifier: EC2_INSTANCE_NO_PUBLIC_IP
            Type: AWS::Config::ConfigRule
          Ec2StoppedInstance:
            Properties:
              ConfigRuleName: ec2-stopped-instance
              Source:
                Owner: AWS
                SourceIdentifier: EC2_STOPPED_INSTANCE
            Type: AWS::Config::ConfigRule
          EfsEncryptedCheck:
            Properties:
              ConfigRuleName: efs-encrypted-check
              Source:
                Owner: AWS
                SourceIdentifier: EFS_ENCRYPTED_CHECK
            Type: AWS::Config::ConfigRule
          ElasticacheRedisClusterAutomaticBackupCheck:
            Properties:
              ConfigRuleName: elasticache-redis-cluster-automatic-backup-check
              Source:
                Owner: AWS
                SourceIdentifier: ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK
            Type: AWS::Config::ConfigRule
          ElasticsearchEncryptedAtRest:
            Properties:
              ConfigRuleName: elasticsearch-encrypted-at-rest
              Source:
                Owner: AWS
                SourceIdentifier: ELASTICSEARCH_ENCRYPTED_AT_REST
            Type: AWS::Config::ConfigRule
          ElasticsearchInVpcOnly:
            Properties:
              ConfigRuleName: elasticsearch-in-vpc-only
              Source:
                Owner: AWS
                SourceIdentifier: ELASTICSEARCH_IN_VPC_ONLY
            Type: AWS::Config::ConfigRule
          ElbAcmCertificateRequired:
            Properties:
              ConfigRuleName: elb-acm-certificate-required
              Scope:
                ComplianceResourceTypes:
                  - AWS::ElasticLoadBalancing::LoadBalancer
              Source:
                Owner: AWS
                SourceIdentifier: ELB_ACM_CERTIFICATE_REQUIRED
            Type: AWS::Config::ConfigRule
          ElbDeletionProtectionEnabled:
            Properties:
              ConfigRuleName: elb-deletion-protection-enabled
              Scope:
                ComplianceResourceTypes:
                  - AWS::ElasticLoadBalancingV2::LoadBalancer
              Source:
                Owner: AWS
                SourceIdentifier: ELB_DELETION_PROTECTION_ENABLED
            Type: AWS::Config::ConfigRule
          ElbLoggingEnabled:
            Properties:
              ConfigRuleName: elb-logging-enabled
              Scope:
                ComplianceResourceTypes:
                  - AWS::ElasticLoadBalancing::LoadBalancer
                  - AWS::ElasticLoadBalancingV2::LoadBalancer
              Source:
                Owner: AWS
                SourceIdentifier: ELB_LOGGING_ENABLED
            Type: AWS::Config::ConfigRule
          EmrKerberosEnabled:
            Properties:
              ConfigRuleName: emr-kerberos-enabled
              Source:
                Owner: AWS
                SourceIdentifier: EMR_KERBEROS_ENABLED
            Type: AWS::Config::ConfigRule
          EmrMasterNoPublicIp:
            Properties:
              ConfigRuleName: emr-master-no-public-ip
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: EMR_MASTER_NO_PUBLIC_IP
            Type: AWS::Config::ConfigRule
          EncryptedVolumes:
            Properties:
              ConfigRuleName: encrypted-volumes
              Scope:
                ComplianceResourceTypes:
                  - AWS::EC2::Volume
              Source:
                Owner: AWS
                SourceIdentifier: ENCRYPTED_VOLUMES
            Type: AWS::Config::ConfigRule
          GuarddutyEnabledCentralized:
            Properties:
              ConfigRuleName: guardduty-enabled-centralized
              Source:
                Owner: AWS
                SourceIdentifier: GUARDDUTY_ENABLED_CENTRALIZED
            Type: AWS::Config::ConfigRule
          GuarddutyNonArchivedFindings:
            Properties:
              ConfigRuleName: guardduty-non-archived-findings
              InputParameters:
                daysHighSev:
                  Fn::If:
                    - guarddutyNonArchivedFindingsParamDaysHighSev
                    - Ref: GuarddutyNonArchivedFindingsParamDaysHighSev
                    - Ref: AWS::NoValue
                daysLowSev:
                  Fn::If:
                    - guarddutyNonArchivedFindingsParamDaysLowSev
                    - Ref: GuarddutyNonArchivedFindingsParamDaysLowSev
                    - Ref: AWS::NoValue
                daysMediumSev:
                  Fn::If:
                    - guarddutyNonArchivedFindingsParamDaysMediumSev
                    - Ref: GuarddutyNonArchivedFindingsParamDaysMediumSev
                    - Ref: AWS::NoValue
              Source:
                Owner: AWS
                SourceIdentifier: GUARDDUTY_NON_ARCHIVED_FINDINGS
            Type: AWS::Config::ConfigRule
          IamGroupHasUsersCheck:
            Properties:
              ConfigRuleName: iam-group-has-users-check
              Scope:
                ComplianceResourceTypes:
                  - AWS::IAM::Group
              Source:
                Owner: AWS
                SourceIdentifier: IAM_GROUP_HAS_USERS_CHECK
            Type: AWS::Config::ConfigRule
          IamPasswordPolicy:
            Properties:
              ConfigRuleName: iam-password-policy
              InputParameters:
                MaxPasswordAge:
                  Fn::If:
                    - iamPasswordPolicyParamMaxPasswordAge
                    - Ref: IamPasswordPolicyParamMaxPasswordAge
                    - Ref: AWS::NoValue
                MinimumPasswordLength:
                  Fn::If:
                    - iamPasswordPolicyParamMinimumPasswordLength
                    - Ref: IamPasswordPolicyParamMinimumPasswordLength
                    - Ref: AWS::NoValue
                PasswordReusePrevention:
                  Fn::If:
                    - iamPasswordPolicyParamPasswordReusePrevention
                    - Ref: IamPasswordPolicyParamPasswordReusePrevention
                    - Ref: AWS::NoValue
                RequireLowercaseCharacters:
                  Fn::If:
                    - iamPasswordPolicyParamRequireLowercaseCharacters
                    - Ref: IamPasswordPolicyParamRequireLowercaseCharacters
                    - Ref: AWS::NoValue
                RequireNumbers:
                  Fn::If:
                    - iamPasswordPolicyParamRequireNumbers
                    - Ref: IamPasswordPolicyParamRequireNumbers
                    - Ref: AWS::NoValue
                RequireSymbols:
                  Fn::If:
                    - iamPasswordPolicyParamRequireSymbols
                    - Ref: IamPasswordPolicyParamRequireSymbols
                    - Ref: AWS::NoValue
                RequireUppercaseCharacters:
                  Fn::If:
                    - iamPasswordPolicyParamRequireUppercaseCharacters
                    - Ref: IamPasswordPolicyParamRequireUppercaseCharacters
                    - Ref: AWS::NoValue
              Source:
                Owner: AWS
                SourceIdentifier: IAM_PASSWORD_POLICY
            Type: AWS::Config::ConfigRule
          IamPolicyNoStatementsWithAdminAccess:
            Properties:
              ConfigRuleName: iam-policy-no-statements-with-admin-access
              Scope:
                ComplianceResourceTypes:
                  - AWS::IAM::Policy
              Source:
                Owner: AWS
                SourceIdentifier: IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS
            Type: AWS::Config::ConfigRule
          IamRootAccessKeyCheck:
            Properties:
              ConfigRuleName: iam-root-access-key-check
              Source:
                Owner: AWS
                SourceIdentifier: IAM_ROOT_ACCESS_KEY_CHECK
            Type: AWS::Config::ConfigRule
          IamUserGroupMembershipCheck:
            Properties:
              ConfigRuleName: iam-user-group-membership-check
              Scope:
                ComplianceResourceTypes:
                  - AWS::IAM::User
              Source:
                Owner: AWS
                SourceIdentifier: IAM_USER_GROUP_MEMBERSHIP_CHECK
            Type: AWS::Config::ConfigRule
          IamUserMfaEnabled:
            Properties:
              ConfigRuleName: iam-user-mfa-enabled
              Source:
                Owner: AWS
                SourceIdentifier: IAM_USER_MFA_ENABLED
            Type: AWS::Config::ConfigRule
          IamUserNoPoliciesCheck:
            Properties:
              ConfigRuleName: iam-user-no-policies-check
              Scope:
                ComplianceResourceTypes:
                  - AWS::IAM::User
              Source:
                Owner: AWS
                SourceIdentifier: IAM_USER_NO_POLICIES_CHECK
            Type: AWS::Config::ConfigRule
          IamUserUnusedCredentialsCheck:
            Properties:
              ConfigRuleName: iam-user-unused-credentials-check
              InputParameters:
                maxCredentialUsageAge:
                  Fn::If:
                    - iamUserUnusedCredentialsCheckParamMaxCredentialUsageAge
                    - Ref: IamUserUnusedCredentialsCheckParamMaxCredentialUsageAge
                    - Ref: AWS::NoValue
              Source:
                Owner: AWS
                SourceIdentifier: IAM_USER_UNUSED_CREDENTIALS_CHECK
            Type: AWS::Config::ConfigRule
          IncomingSshDisabled:
            Properties:
              ConfigRuleName: restricted-ssh
              Scope:
                ComplianceResourceTypes:
                  - AWS::EC2::SecurityGroup
              Source:
                Owner: AWS
                SourceIdentifier: INCOMING_SSH_DISABLED
            Type: AWS::Config::ConfigRule
          InstancesInVpc:
            Properties:
              ConfigRuleName: ec2-instances-in-vpc
              Scope:
                ComplianceResourceTypes:
                  - AWS::EC2::Instance
              Source:
                Owner: AWS
                SourceIdentifier: INSTANCES_IN_VPC
            Type: AWS::Config::ConfigRule
          InternetGatewayAuthorizedVpcOnly:
            Properties:
              ConfigRuleName: internet-gateway-authorized-vpc-only
              InputParameters:
                AuthorizedVpcIds:
                  Fn::If:
                    - internetGatewayAuthorizedVpcOnlyParamAuthorizedVpcIds
                    - Ref: InternetGatewayAuthorizedVpcOnlyParamAuthorizedVpcIds
                    - Ref: AWS::NoValue
              Scope:
                ComplianceResourceTypes:
                  - AWS::EC2::InternetGateway
              Source:
                Owner: AWS
                SourceIdentifier: INTERNET_GATEWAY_AUTHORIZED_VPC_ONLY
            Type: AWS::Config::ConfigRule
          KmsCmkNotScheduledForDeletion:
            Properties:
              ConfigRuleName: kms-cmk-not-scheduled-for-deletion
              Scope:
                ComplianceResourceTypes:
                  - AWS::KMS::Key
              Source:
                Owner: AWS
                SourceIdentifier: KMS_CMK_NOT_SCHEDULED_FOR_DELETION
            Type: AWS::Config::ConfigRule
          LambdaDlqCheck:
            Properties:
              ConfigRuleName: lambda-dlq-check
              Scope:
                ComplianceResourceTypes:
                  - AWS::Lambda::Function
              Source:
                Owner: AWS
                SourceIdentifier: LAMBDA_DLQ_CHECK
            Type: AWS::Config::ConfigRule
          LambdaFunctionPublicAccessProhibited:
            Properties:
              ConfigRuleName: lambda-function-public-access-prohibited
              Scope:
                ComplianceResourceTypes:
                  - AWS::Lambda::Function
              Source:
                Owner: AWS
                SourceIdentifier: LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED
            Type: AWS::Config::ConfigRule
          LambdaInsideVpc:
            Properties:
              ConfigRuleName: lambda-inside-vpc
              Scope:
                ComplianceResourceTypes:
                  - AWS::Lambda::Function
              Source:
                Owner: AWS
                SourceIdentifier: LAMBDA_INSIDE_VPC
            Type: AWS::Config::ConfigRule
          MfaEnabledForIamConsoleAccess:
            Properties:
              ConfigRuleName: mfa-enabled-for-iam-console-access
              Source:
                Owner: AWS
                SourceIdentifier: MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS
            Type: AWS::Config::ConfigRule
          MultiRegionCloudTrailEnabled:
            Properties:
              ConfigRuleName: multi-region-cloudtrail-enabled
              Source:
                Owner: AWS
                SourceIdentifier: MULTI_REGION_CLOUD_TRAIL_ENABLED
            Type: AWS::Config::ConfigRule
          RdsInstancePublicAccessCheck:
            Properties:
              ConfigRuleName: rds-instance-public-access-check
              Scope:
                ComplianceResourceTypes:
                  - AWS::RDS::DBInstance
              Source:
                Owner: AWS
                SourceIdentifier: RDS_INSTANCE_PUBLIC_ACCESS_CHECK
            Type: AWS::Config::ConfigRule
          RdsMultiAzSupport:
            Properties:
              ConfigRuleName: rds-multi-az-support
              Scope:
                ComplianceResourceTypes:
                  - AWS::RDS::DBInstance
              Source:
                Owner: AWS
                SourceIdentifier: RDS_MULTI_AZ_SUPPORT
            Type: AWS::Config::ConfigRule
          RdsSnapshotEncrypted:
            Properties:
              ConfigRuleName: rds-snapshot-encrypted
              Scope:
                ComplianceResourceTypes:
                  - AWS::RDS::DBSnapshot
                  - AWS::RDS::DBClusterSnapshot
              Source:
                Owner: AWS
                SourceIdentifier: RDS_SNAPSHOT_ENCRYPTED
            Type: AWS::Config::ConfigRule
          RdsSnapshotsPublicProhibited:
            Properties:
              ConfigRuleName: rds-snapshots-public-prohibited
              Scope:
                ComplianceResourceTypes:
                  - AWS::RDS::DBSnapshot
                  - AWS::RDS::DBClusterSnapshot
              Source:
                Owner: AWS
                SourceIdentifier: RDS_SNAPSHOTS_PUBLIC_PROHIBITED
            Type: AWS::Config::ConfigRule
          RdsStorageEncrypted:
            Properties:
              ConfigRuleName: rds-storage-encrypted
              Scope:
                ComplianceResourceTypes:
                  - AWS::RDS::DBInstance
              Source:
                Owner: AWS
                SourceIdentifier: RDS_STORAGE_ENCRYPTED
            Type: AWS::Config::ConfigRule
          RedshiftClusterConfigurationCheck:
            Properties:
              ConfigRuleName: redshift-cluster-configuration-check
              InputParameters:
                clusterDbEncrypted: 'TRUE'
                loggingEnabled: 'TRUE'
              Scope:
                ComplianceResourceTypes:
                  - AWS::Redshift::Cluster
              Source:
                Owner: AWS
                SourceIdentifier: REDSHIFT_CLUSTER_CONFIGURATION_CHECK
            Type: AWS::Config::ConfigRule
          RedshiftClusterPublicAccessCheck:
            Properties:
              ConfigRuleName: redshift-cluster-public-access-check
              Scope:
                ComplianceResourceTypes:
                  - AWS::Redshift::Cluster
              Source:
                Owner: AWS
                SourceIdentifier: REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK
            Type: AWS::Config::ConfigRule
          RedshiftRequireTlsSsl:
            Properties:
              ConfigRuleName: redshift-require-tls-ssl
              Scope:
                ComplianceResourceTypes:
                  - AWS::Redshift::Cluster
              Source:
                Owner: AWS
                SourceIdentifier: REDSHIFT_REQUIRE_TLS_SSL
            Type: AWS::Config::ConfigRule
          RestrictedIncomingTraffic:
            Properties:
              ConfigRuleName: restricted-common-ports
              InputParameters:
                blockedPort1:
                  Fn::If:
                    - restrictedIncomingTrafficParamBlockedPort1
                    - Ref: RestrictedIncomingTrafficParamBlockedPort1
                    - Ref: AWS::NoValue
                blockedPort2:
                  Fn::If:
                    - restrictedIncomingTrafficParamBlockedPort2
                    - Ref: RestrictedIncomingTrafficParamBlockedPort2
                    - Ref: AWS::NoValue
                blockedPort3:
                  Fn::If:
                    - restrictedIncomingTrafficParamBlockedPort3
                    - Ref: RestrictedIncomingTrafficParamBlockedPort3
                    - Ref: AWS::NoValue
                blockedPort4:
                  Fn::If:
                    - restrictedIncomingTrafficParamBlockedPort4
                    - Ref: RestrictedIncomingTrafficParamBlockedPort4
                    - Ref: AWS::NoValue
                blockedPort5:
                  Fn::If:
                    - restrictedIncomingTrafficParamBlockedPort5
                    - Ref: RestrictedIncomingTrafficParamBlockedPort5
                    - Ref: AWS::NoValue
              Scope:
                ComplianceResourceTypes:
                  - AWS::EC2::SecurityGroup
              Source:
                Owner: AWS
                SourceIdentifier: RESTRICTED_INCOMING_TRAFFIC
            Type: AWS::Config::ConfigRule
          RootAccountHardwareMfaEnabled:
            Properties:
              ConfigRuleName: root-account-hardware-mfa-enabled
              Source:
                Owner: AWS
                SourceIdentifier: ROOT_ACCOUNT_HARDWARE_MFA_ENABLED
            Type: AWS::Config::ConfigRule
          RootAccountMfaEnabled:
            Properties:
              ConfigRuleName: root-account-mfa-enabled
              Source:
                Owner: AWS
                SourceIdentifier: ROOT_ACCOUNT_MFA_ENABLED
            Type: AWS::Config::ConfigRule
          S3AccountLevelPublicAccessBlocks:
            Properties:
              ConfigRuleName: s3-account-level-public-access-blocks
              InputParameters:
                BlockPublicAcls:
                  Fn::If:
                    - s3AccountLevelPublicAccessBlocksParamBlockPublicAcls
                    - Ref: S3AccountLevelPublicAccessBlocksParamBlockPublicAcls
                    - Ref: AWS::NoValue
                BlockPublicPolicy:
                  Fn::If:
                    - s3AccountLevelPublicAccessBlocksParamBlockPublicPolicy
                    - Ref: S3AccountLevelPublicAccessBlocksParamBlockPublicPolicy
                    - Ref: AWS::NoValue
                IgnorePublicAcls:
                  Fn::If:
                    - s3AccountLevelPublicAccessBlocksParamIgnorePublicAcls
                    - Ref: S3AccountLevelPublicAccessBlocksParamIgnorePublicAcls
                    - Ref: AWS::NoValue
                RestrictPublicBuckets:
                  Fn::If:
                    - s3AccountLevelPublicAccessBlocksParamRestrictPublicBuckets
                    - Ref: S3AccountLevelPublicAccessBlocksParamRestrictPublicBuckets
                    - Ref: AWS::NoValue
              Scope:
                ComplianceResourceTypes:
                  - AWS::S3::AccountPublicAccessBlock
              Source:
                Owner: AWS
                SourceIdentifier: S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS
            Type: AWS::Config::ConfigRule
          S3BucketDefaultLockEnabled:
            Properties:
              ConfigRuleName: s3-bucket-default-lock-enabled
              Scope:
                ComplianceResourceTypes:
                  - AWS::S3::Bucket
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_DEFAULT_LOCK_ENABLED
            Type: AWS::Config::ConfigRule
          S3BucketLoggingEnabled:
            Properties:
              ConfigRuleName: s3-bucket-logging-enabled
              Scope:
                ComplianceResourceTypes:
                  - AWS::S3::Bucket
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_LOGGING_ENABLED
            Type: AWS::Config::ConfigRule
          S3BucketPolicyGranteeCheck:
            Properties:
              ConfigRuleName: s3-bucket-policy-grantee-check
              Scope:
                ComplianceResourceTypes:
                  - AWS::S3::Bucket
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_POLICY_GRANTEE_CHECK
            Type: AWS::Config::ConfigRule
          S3BucketPublicReadProhibited:
            Properties:
              ConfigRuleName: s3-bucket-public-read-prohibited
              Scope:
                ComplianceResourceTypes:
                  - AWS::S3::Bucket
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED
            Type: AWS::Config::ConfigRule
          S3BucketPublicWriteProhibited:
            Properties:
              ConfigRuleName: s3-bucket-public-write-prohibited
              Scope:
                ComplianceResourceTypes:
                  - AWS::S3::Bucket
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_PUBLIC_WRITE_PROHIBITED
            Type: AWS::Config::ConfigRule
          S3BucketReplicationEnabled:
            Properties:
              ConfigRuleName: s3-bucket-replication-enabled
              Scope:
                ComplianceResourceTypes:
                  - AWS::S3::Bucket
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_REPLICATION_ENABLED
            Type: AWS::Config::ConfigRule
          S3BucketServerSideEncryptionEnabled:
            Properties:
              ConfigRuleName: s3-bucket-server-side-encryption-enabled
              Scope:
                ComplianceResourceTypes:
                  - AWS::S3::Bucket
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED
            Type: AWS::Config::ConfigRule
          S3BucketSslRequestsOnly:
            Properties:
              ConfigRuleName: s3-bucket-ssl-requests-only
              Scope:
                ComplianceResourceTypes:
                  - AWS::S3::Bucket
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_SSL_REQUESTS_ONLY
            Type: AWS::Config::ConfigRule
          S3BucketVersioningEnabled:
            Properties:
              ConfigRuleName: s3-bucket-versioning-enabled
              Scope:
                ComplianceResourceTypes:
                  - AWS::S3::Bucket
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_VERSIONING_ENABLED
            Type: AWS::Config::ConfigRule
          SagemakerEndpointConfigurationKmsKeyConfigured:
            Properties:
              ConfigRuleName: sagemaker-endpoint-configuration-kms-key-configured
              Source:
                Owner: AWS
                SourceIdentifier: SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED
            Type: AWS::Config::ConfigRule
          SagemakerNotebookInstanceKmsKeyConfigured:
            Properties:
              ConfigRuleName: sagemaker-notebook-instance-kms-key-configured
              Source:
                Owner: AWS
                SourceIdentifier: SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED
            Type: AWS::Config::ConfigRule
          SagemakerNotebookNoDirectInternetAccess:
            Properties:
              ConfigRuleName: sagemaker-notebook-no-direct-internet-access
              Source:
                Owner: AWS
                SourceIdentifier: SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS
            Type: AWS::Config::ConfigRule
          SecretsmanagerRotationEnabledCheck:
            Properties:
              ConfigRuleName: secretsmanager-rotation-enabled-check
              Scope:
                ComplianceResourceTypes:
                  - AWS::SecretsManager::Secret
              Source:
                Owner: AWS
                SourceIdentifier: SECRETSMANAGER_ROTATION_ENABLED_CHECK
            Type: AWS::Config::ConfigRule
          SecurityhubEnabled:
            Properties:
              ConfigRuleName: securityhub-enabled
              Source:
                Owner: AWS
                SourceIdentifier: SECURITYHUB_ENABLED
            Type: AWS::Config::ConfigRule
          SnsEncryptedKms:
            Properties:
              ConfigRuleName: sns-encrypted-kms
              Scope:
                ComplianceResourceTypes:
                  - AWS::SNS::Topic
              Source:
                Owner: AWS
                SourceIdentifier: SNS_ENCRYPTED_KMS
            Type: AWS::Config::ConfigRule
          VpcFlowLogsEnabled:
            Properties:
              ConfigRuleName: vpc-flow-logs-enabled
              Source:
                Owner: AWS
                SourceIdentifier: VPC_FLOW_LOGS_ENABLED
            Type: AWS::Config::ConfigRule
          VpcSgOpenOnlyToAuthorizedPorts:
            Properties:
              ConfigRuleName: vpc-sg-open-only-to-authorized-ports
              Scope:
                ComplianceResourceTypes:
                  - AWS::EC2::SecurityGroup
              Source:
                Owner: AWS
                SourceIdentifier: VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS
            Type: AWS::Config::ConfigRule
          VpcVpn2TunnelsUp:
            Properties:
              ConfigRuleName: vpc-vpn-2-tunnels-up
              Scope:
                ComplianceResourceTypes:
                  - AWS::EC2::VPNConnection
              Source:
                Owner: AWS
                SourceIdentifier: VPC_VPN_2_TUNNELS_UP
            Type: AWS::Config::ConfigRule
        Conditions:
          accessKeysRotatedParamMaxAccessKeyAge:
            Fn::Not:
              - Fn::Equals:
                  - ''
                  - Ref: AccessKeysRotatedParamMaxAccessKeyAge
          dynamodbThroughputLimitCheckParamAccountRCUThresholdPercentage:
            Fn::Not:
              - Fn::Equals:
                  - ''
                  - Ref: DynamodbThroughputLimitCheckParamAccountRCUThresholdPercentage
          dynamodbThroughputLimitCheckParamAccountWCUThresholdPercentage:
            Fn::Not:
              - Fn::Equals:
                  - ''
                  - Ref: DynamodbThroughputLimitCheckParamAccountWCUThresholdPercentage
          guarddutyNonArchivedFindingsParamDaysHighSev:
            Fn::Not:
              - Fn::Equals:
                  - ''
                  - Ref: GuarddutyNonArchivedFindingsParamDaysHighSev
          guarddutyNonArchivedFindingsParamDaysLowSev:
            Fn::Not:
              - Fn::Equals:
                  - ''
                  - Ref: GuarddutyNonArchivedFindingsParamDaysLowSev
          guarddutyNonArchivedFindingsParamDaysMediumSev:
            Fn::Not:
              - Fn::Equals:
                  - ''
                  - Ref: GuarddutyNonArchivedFindingsParamDaysMediumSev
          iamPasswordPolicyParamMaxPasswordAge:
            Fn::Not:
              - Fn::Equals:
                  - ''
                  - Ref: IamPasswordPolicyParamMaxPasswordAge
          iamPasswordPolicyParamMinimumPasswordLength:
            Fn::Not:
              - Fn::Equals:
                  - ''
                  - Ref: IamPasswordPolicyParamMinimumPasswordLength
          iamPasswordPolicyParamPasswordReusePrevention:
            Fn::Not:
              - Fn::Equals:
                  - ''
                  - Ref: IamPasswordPolicyParamPasswordReusePrevention
          iamPasswordPolicyParamRequireLowercaseCharacters:
            Fn::Not:
              - Fn::Equals:
                  - ''
                  - Ref: IamPasswordPolicyParamRequireLowercaseCharacters
          iamPasswordPolicyParamRequireNumbers:
            Fn::Not:
              - Fn::Equals:
                  - ''
                  - Ref: IamPasswordPolicyParamRequireNumbers
          iamPasswordPolicyParamRequireSymbols:
            Fn::Not:
              - Fn::Equals:
                  - ''
                  - Ref: IamPasswordPolicyParamRequireSymbols
          iamPasswordPolicyParamRequireUppercaseCharacters:
            Fn::Not:
              - Fn::Equals:
                  - ''
                  - Ref: IamPasswordPolicyParamRequireUppercaseCharacters
          iamUserUnusedCredentialsCheckParamMaxCredentialUsageAge:
            Fn::Not:
              - Fn::Equals:
                  - ''
                  - Ref: IamUserUnusedCredentialsCheckParamMaxCredentialUsageAge
          internetGatewayAuthorizedVpcOnlyParamAuthorizedVpcIds:
            Fn::Not:
              - Fn::Equals:
                  - ''
                  - Ref: InternetGatewayAuthorizedVpcOnlyParamAuthorizedVpcIds
          restrictedIncomingTrafficParamBlockedPort1:
            Fn::Not:
              - Fn::Equals:
                  - ''
                  - Ref: RestrictedIncomingTrafficParamBlockedPort1
          restrictedIncomingTrafficParamBlockedPort2:
            Fn::Not:
              - Fn::Equals:
                  - ''
                  - Ref: RestrictedIncomingTrafficParamBlockedPort2
          restrictedIncomingTrafficParamBlockedPort3:
            Fn::Not:
              - Fn::Equals:
                  - ''
                  - Ref: RestrictedIncomingTrafficParamBlockedPort3
          restrictedIncomingTrafficParamBlockedPort4:
            Fn::Not:
              - Fn::Equals:
                  - ''
                  - Ref: RestrictedIncomingTrafficParamBlockedPort4
          restrictedIncomingTrafficParamBlockedPort5:
            Fn::Not:
              - Fn::Equals:
                  - ''
                  - Ref: RestrictedIncomingTrafficParamBlockedPort5
          s3AccountLevelPublicAccessBlocksParamBlockPublicAcls:
            Fn::Not:
              - Fn::Equals:
                  - ''
                  - Ref: S3AccountLevelPublicAccessBlocksParamBlockPublicAcls
          s3AccountLevelPublicAccessBlocksParamBlockPublicPolicy:
            Fn::Not:
              - Fn::Equals:
                  - ''
                  - Ref: S3AccountLevelPublicAccessBlocksParamBlockPublicPolicy
          s3AccountLevelPublicAccessBlocksParamIgnorePublicAcls:
            Fn::Not:
              - Fn::Equals:
                  - ''
                  - Ref: S3AccountLevelPublicAccessBlocksParamIgnorePublicAcls
          s3AccountLevelPublicAccessBlocksParamRestrictPublicBuckets:
            Fn::Not:
              - Fn::Equals:
                  - ''
                  - Ref: S3AccountLevelPublicAccessBlocksParamRestrictPublicBuckets
    DependsOn:
      - ConfigEnabledPromiseConfigRecorder0A75B039
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/ConfigPacks/CP-Operational-Best-Practices-for-HIPAA-Security
  DnsHostedZone9A2A44DA:
    Type: AWS::Route53::HostedZone
    Properties:
      Name: corp.
      VPCs:
        - VPCId:
            Ref: VpcCoreManagment030DB556
          VPCRegion:
            Ref: AWS::Region
        - VPCId:
            Ref: VpcCoreProductionD971AE3A
          VPCRegion:
            Ref: AWS::Region
        - VPCId:
            Ref: VpcCoreDevelopment37E2B994
          VPCRegion:
            Ref: AWS::Region
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/Dns/HostedZone/Resource
  RegionRestrictionscpPromiseSCPCustomResourceRoleBA81E678:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
        Version: "2012-10-17"
      ManagedPolicyArns:
        - Fn::Join:
            - ""
            - - "arn:"
              - Ref: AWS::Partition
              - :iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/RegionRestriction/scpPromise/SCPCustomResourceRole/Resource
  RegionRestrictionscpPromiseSCPCustomResourceRoleDefaultPolicy7FCCD194:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - organizations:Create*
              - organizations:Describe*
              - organizations:ListRoots
              - organizations:EnablePolicyType
              - organizations:EnableAllFeatures
            Effect: Allow
            Resource: "*"
          - Action:
              - organizations:CreatePolicy
              - organizations:AttachPolicy
              - organizations:DetachPolicy
              - organizations:DeletePolicy
            Effect: Allow
            Resource: "*"
        Version: "2012-10-17"
      PolicyName: RegionRestrictionscpPromiseSCPCustomResourceRoleDefaultPolicy7FCCD194
      Roles:
        - Ref: RegionRestrictionscpPromiseSCPCustomResourceRoleBA81E678
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/RegionRestriction/scpPromise/SCPCustomResourceRole/DefaultPolicy/Resource
  RegionRestrictionscpPromiseserviceLinkRolePolicy4E3207AC:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action: iam:CreateServiceLinkedRole
            Condition:
              StringLike:
                iam:AWSServiceName: organizations.amazonaws.com
            Effect: Allow
            Resource: arn:aws:iam::*:role/aws-service-role/organizations.amazonaws.com/AWSServiceRoleForOrganizations
          - Action:
              - iam:AttachRolePolicy
              - iam:PutRolePolicy
            Effect: Allow
            Resource: arn:aws:iam::*:role/aws-service-role/organizations.amazonaws.com/AWSServiceRoleForOrganizations
        Version: "2012-10-17"
      PolicyName: RegionRestrictionscpPromiseserviceLinkRolePolicy4E3207AC
      Roles:
        - Ref: RegionRestrictionscpPromiseSCPCustomResourceRoleBA81E678
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/RegionRestriction/scpPromise/serviceLinkRolePolicy/Resource
  RegionRestrictionscpPromisescpEnabledResourceProviderframeworkonEventServiceRoleE7EFB923:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
        Version: "2012-10-17"
      ManagedPolicyArns:
        - Fn::Join:
            - ""
            - - "arn:"
              - Ref: AWS::Partition
              - :iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/RegionRestriction/scpPromise/scpEnabledResourceProvider/framework-onEvent/ServiceRole/Resource
  RegionRestrictionscpPromisescpEnabledResourceProviderframeworkonEventServiceRoleDefaultPolicy2C2D3634:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action: lambda:InvokeFunction
            Effect: Allow
            Resource:
              - Fn::GetAtt:
                  - SingletonLambda1asdfasdfaw34535sdxf34235351d782809155FA
                  - Arn
              - Fn::Join:
                  - ""
                  - - Fn::GetAtt:
                        - SingletonLambda1asdfasdfaw34535sdxf34235351d782809155FA
                        - Arn
                    - :*
        Version: "2012-10-17"
      PolicyName: RegionRestrictionscpPromisescpEnabledResourceProviderframeworkonEventServiceRoleDefaultPolicy2C2D3634
      Roles:
        - Ref: RegionRestrictionscpPromisescpEnabledResourceProviderframeworkonEventServiceRoleE7EFB923
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/RegionRestriction/scpPromise/scpEnabledResourceProvider/framework-onEvent/ServiceRole/DefaultPolicy/Resource
  RegionRestrictionscpPromisescpEnabledResourceProviderframeworkonEvent6CBC8A20:
    Type: AWS::Lambda::Function
    Properties:
      Code:
        S3Bucket:
          Ref: AssetParameters3b263c2ad043fd069ef446753788c36e595c82b51a70478e58258c8ef7471671S3Bucket766250D8
        S3Key:
          Fn::Join:
            - ""
            - - Fn::Select:
                  - 0
                  - Fn::Split:
                      - "||"
                      - Ref: AssetParameters3b263c2ad043fd069ef446753788c36e595c82b51a70478e58258c8ef7471671S3VersionKey850D9181
              - Fn::Select:
                  - 1
                  - Fn::Split:
                      - "||"
                      - Ref: AssetParameters3b263c2ad043fd069ef446753788c36e595c82b51a70478e58258c8ef7471671S3VersionKey850D9181
      Role:
        Fn::GetAtt:
          - RegionRestrictionscpPromisescpEnabledResourceProviderframeworkonEventServiceRoleE7EFB923
          - Arn
      Description: AWS CDK resource provider framework - onEvent (AwsDiGavBlueprint/RegionRestriction/scpPromise/scpEnabledResourceProvider)
      Environment:
        Variables:
          USER_ON_EVENT_FUNCTION_ARN:
            Fn::GetAtt:
              - SingletonLambda1asdfasdfaw34535sdxf34235351d782809155FA
              - Arn
      Handler: framework.onEvent
      Runtime: nodejs14.x
      Timeout: 900
    DependsOn:
      - RegionRestrictionscpPromisescpEnabledResourceProviderframeworkonEventServiceRoleDefaultPolicy2C2D3634
      - RegionRestrictionscpPromisescpEnabledResourceProviderframeworkonEventServiceRoleE7EFB923
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/RegionRestriction/scpPromise/scpEnabledResourceProvider/framework-onEvent/Resource
      aws:asset:path: asset.3b263c2ad043fd069ef446753788c36e595c82b51a70478e58258c8ef7471671
      aws:asset:is-bundled: false
      aws:asset:property: Code
  RegionRestrictionscpPromisescpEnabledPromise98664A9F:
    Type: AWS::CloudFormation::CustomResource
    Properties:
      ServiceToken:
        Fn::GetAtt:
          - RegionRestrictionscpPromisescpEnabledResourceProviderframeworkonEvent6CBC8A20
          - Arn
      enableOrgAndScp: "true"
    UpdateReplacePolicy: Delete
    DeletionPolicy: Delete
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/RegionRestriction/scpPromise/scpEnabledPromise/Default
  RegionRestrictionregionRestrictionapplyScpCustomResourceProviderframeworkonEventServiceRoleF5EE7867:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
        Version: "2012-10-17"
      ManagedPolicyArns:
        - Fn::Join:
            - ""
            - - "arn:"
              - Ref: AWS::Partition
              - :iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/RegionRestriction/regionRestriction/applyScpCustomResourceProvider/framework-onEvent/ServiceRole/Resource
  RegionRestrictionregionRestrictionapplyScpCustomResourceProviderframeworkonEventServiceRoleDefaultPolicy9D12BC55:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action: lambda:InvokeFunction
            Effect: Allow
            Resource:
              - Fn::GetAtt:
                  - SingletonLambda123bhab284702aa5a2234235351d7829940F873
                  - Arn
              - Fn::Join:
                  - ""
                  - - Fn::GetAtt:
                        - SingletonLambda123bhab284702aa5a2234235351d7829940F873
                        - Arn
                    - :*
        Version: "2012-10-17"
      PolicyName: RegionRestrictionregionRestrictionapplyScpCustomResourceProviderframeworkonEventServiceRoleDefaultPolicy9D12BC55
      Roles:
        - Ref: RegionRestrictionregionRestrictionapplyScpCustomResourceProviderframeworkonEventServiceRoleF5EE7867
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/RegionRestriction/regionRestriction/applyScpCustomResourceProvider/framework-onEvent/ServiceRole/DefaultPolicy/Resource
  RegionRestrictionregionRestrictionapplyScpCustomResourceProviderframeworkonEvent34440983:
    Type: AWS::Lambda::Function
    Properties:
      Code:
        S3Bucket:
          Ref: AssetParameters3b263c2ad043fd069ef446753788c36e595c82b51a70478e58258c8ef7471671S3Bucket766250D8
        S3Key:
          Fn::Join:
            - ""
            - - Fn::Select:
                  - 0
                  - Fn::Split:
                      - "||"
                      - Ref: AssetParameters3b263c2ad043fd069ef446753788c36e595c82b51a70478e58258c8ef7471671S3VersionKey850D9181
              - Fn::Select:
                  - 1
                  - Fn::Split:
                      - "||"
                      - Ref: AssetParameters3b263c2ad043fd069ef446753788c36e595c82b51a70478e58258c8ef7471671S3VersionKey850D9181
      Role:
        Fn::GetAtt:
          - RegionRestrictionregionRestrictionapplyScpCustomResourceProviderframeworkonEventServiceRoleF5EE7867
          - Arn
      Description: AWS CDK resource provider framework - onEvent (AwsDiGavBlueprint/RegionRestriction/regionRestriction/applyScpCustomResourceProvider)
      Environment:
        Variables:
          USER_ON_EVENT_FUNCTION_ARN:
            Fn::GetAtt:
              - SingletonLambda123bhab284702aa5a2234235351d7829940F873
              - Arn
      Handler: framework.onEvent
      Runtime: nodejs14.x
      Timeout: 900
    DependsOn:
      - RegionRestrictionregionRestrictionapplyScpCustomResourceProviderframeworkonEventServiceRoleDefaultPolicy9D12BC55
      - RegionRestrictionregionRestrictionapplyScpCustomResourceProviderframeworkonEventServiceRoleF5EE7867
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/RegionRestriction/regionRestriction/applyScpCustomResourceProvider/framework-onEvent/Resource
      aws:asset:path: asset.3b263c2ad043fd069ef446753788c36e595c82b51a70478e58258c8ef7471671
      aws:asset:is-bundled: false
      aws:asset:property: Code
  RegionRestrictionregionRestrictionServiceControlPolicy048F74CD:
    Type: AWS::CloudFormation::CustomResource
    Properties:
      ServiceToken:
        Fn::GetAtt:
          - RegionRestrictionregionRestrictionapplyScpCustomResourceProviderframeworkonEvent34440983
          - Arn
      policyContentInput: '{"Version":"2012-10-17","Statement":[{"Sid":"DenyAllOutsideEU","Effect":"Deny","NotAction":["a4b:*","acm:*","aws-marketplace-management:*","aws-marketplace:*","aws-portal:*","awsbillingconsole:*","budgets:*","ce:*","chime:*","cloudfront:*","config:*","cur:*","directconnect:*","ec2:DescribeRegions","ec2:DescribeTransitGateways","ec2:DescribeVpnGateways","fms:*","globalaccelerator:*","health:*","iam:*","importexport:*","kms:*","mobileanalytics:*","networkmanager:*","organizations:*","pricing:*","route53:*","route53domains:*","s3:GetAccountPublic*","s3:ListAllMyBuckets","s3:PutAccountPublic*","shield:*","sts:*","support:*","trustedadvisor:*","waf-regional:*","waf:*","wafv2:*","wellarchitected:*"],"Resource":"*","Condition":{"StringNotEquals":{"aws:RequestedRegion":["eu-central-1","eu-west-1","eu-west-3","eu-south-1","eu-north-1"]},"ArnNotLike":{"aws:PrincipalARN":["arn:aws:iam::*:role/Admin-OneClick"]}}}]}'
      policyNameInput: RegionRestriction
    DependsOn:
      - RegionRestrictionscpPromiseSCPCustomResourceRoleDefaultPolicy7FCCD194
      - RegionRestrictionscpPromiseSCPCustomResourceRoleBA81E678
      - RegionRestrictionscpPromisescpEnabledPromise98664A9F
      - RegionRestrictionscpPromisescpEnabledResourceProviderframeworkonEvent6CBC8A20
      - RegionRestrictionscpPromisescpEnabledResourceProviderframeworkonEventServiceRoleDefaultPolicy2C2D3634
      - RegionRestrictionscpPromisescpEnabledResourceProviderframeworkonEventServiceRoleE7EFB923
      - RegionRestrictionscpPromiseserviceLinkRolePolicy4E3207AC
    UpdateReplacePolicy: Delete
    DeletionPolicy: Delete
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/RegionRestriction/regionRestriction/ServiceControlPolicy/Default
  RegionRestrictionPermissionsBoundaryPolicy938DB100:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - iam:CreateRole
              - iam:DeleteRolePolicy
              - iam:AttachRolePolicy
              - iam:DetachRolePolicy
              - iam:PutRolePolicy
              - iam:PutRolePermissionsBoundary
              - iam:CreateUser
              - iam:DeleteUserPolicy
              - iam:AttachUserPolicy
              - iam:DetachUserPolicy
              - iam:PutUserPolicy
              - iam:PutUserPermissionsBoundary
            Condition:
              StringLike:
                iam:PermissionsBoundary: arn:aws:iam::*:policy/boundary-policy
            Effect: Allow
            Resource: "*"
            Sid: EnforceBoundary
          - Action:
              - iam:*PolicyVersion
              - iam:DeletePolicy
              - iam:SetDefaultPolicyVersion
            Effect: Deny
            Resource: arn:aws:iam::*:policy/boundary-policy
            Sid: DenyBoundaryPolicyEdit
          - Action: iam:Delete*PermissionsBoundary
            Effect: Deny
            Resource: "*"
            Sid: NoBoundaryUserDelete
          - NotAction:
              - iam:CreateRole
              - iam:DeleteRolePolicy
              - iam:AttachRolePolicy
              - iam:DetachRolePolicy
              - iam:PutRolePolicy
              - iam:PutRolePermissionsBoundary
              - iam:CreateUser
              - iam:DeleteUserPolicy
              - iam:AttachUserPolicy
              - iam:DetachUserPolicy
              - iam:PutUserPolicy
              - iam:PutUserPermissionsBoundary
            Condition:
              StringEquals:
                aws:RequestedRegion:
                  - eu-central-1
                  - eu-west-1
                  - eu-west-3
                  - eu-south-1
                  - eu-north-1
            Effect: Allow
            Resource: "*"
            Sid: AllowNotIAMTasks
        Version: "2012-10-17"
      Description: ""
      Path: /
    Metadata:
      aws:cdk:path: AwsDiGavBlueprint/RegionRestriction/Permissions-Boundary-Policy/Resource
  RegionRestrictionSampleRole7C804651:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service:
                Fn::Join:
                  - ""
                  - -
ec2. - Ref: AWS::URLSuffix Version: "2012-10-17" PermissionsBoundary: Ref: RegionRestrictionPermissionsBoundaryPolicy938DB100 Metadata: aws:cdk:path: AwsDiGavBlueprint/RegionRestriction/Sample-Role/Resource RegionRestrictionenforceRegionConfigLambdaRole53D3D76E: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Effect: Allow Principal: Service: lambda.amazonaws.com Version: "2012-10-17" ManagedPolicyArns: - Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - :iam::aws:policy/service-role/AWSLambdaBasicExecutionRole - Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - :iam::aws:policy/service-role/AWSConfigRulesExecutionRole Metadata: aws:cdk:path: AwsDiGavBlueprint/RegionRestriction/enforceRegionConfigLambdaRole/Resource RegionRestrictionenforceBoundaryAutomationRole20F78FF2: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Effect: Allow Principal: Service: Fn::FindInMap: - ServiceprincipalMap - Ref: AWS::Region - ssm Version: "2012-10-17" Metadata: aws:cdk:path: AwsDiGavBlueprint/RegionRestriction/enforceBoundaryAutomationRole/Resource RegionRestrictionenforceBoundaryAutomationRoleDefaultPolicyF77F6424: Type: AWS::IAM::Policy Properties: PolicyDocument: Statement: - Action: - iam:PutRolePermissionsBoundary - iam:PutUserPermissionsBoundary - config:GetResourceConfigHistory Effect: Allow Resource: "*" Version: "2012-10-17" PolicyName: RegionRestrictionenforceBoundaryAutomationRoleDefaultPolicyF77F6424 Roles: - Ref: RegionRestrictionenforceBoundaryAutomationRole20F78FF2 Metadata: aws:cdk:path: AwsDiGavBlueprint/RegionRestriction/enforceBoundaryAutomationRole/DefaultPolicy/Resource RegionRestrictionremediateBoundaryDoc55870F04: Type: AWS::SSM::Document Properties: Content: description: Used by AWS Config to remediate roles and users which don't have a permission boundary. 
schemaVersion: "0.3" assumeRole: Fn::GetAtt: - RegionRestrictionenforceBoundaryAutomationRole20F78FF2 - Arn parameters: permissionBoundaryPolicyArn: type: String offendingIamPrincipal: type: String mainSteps: - name: Apply_permission_boundary action: aws:executeScript inputs: InputPayload: permissionBoundaryPolicyArn: "{{ permissionBoundaryPolicyArn }}" offendingIamPrincipal: "{{ offendingIamPrincipal }}" Runtime: python3.6 Handler: script_handler Script: |- import boto3 def script_handler(events, context): print(events) print(context) iam = boto3.client('iam') config = boto3.client('config') try: principalHistory = config.get_resource_config_history(resourceType='AWS::IAM::User', resourceId=events['offendingIamPrincipal']) principalIsUser = 'AWS::IAM::User' except config.exceptions.ResourceNotDiscoveredException as err: principalHistory = config.get_resource_config_history(resourceType='AWS::IAM::Role', resourceId=events['offendingIamPrincipal']) principalIsUser = 'AWS::IAM::Role' if(principalIsUser == 'AWS::IAM::User'): response = iam.put_user_permissions_boundary( UserName=principalHistory['configurationItems'][0]['resourceName'], PermissionsBoundary=events['permissionBoundaryPolicyArn'] ) return response if(principalIsUser == 'AWS::IAM::Role'): response = iam.put_role_permissions_boundary( RoleName=principalHistory['configurationItems'][0]['resourceName'], PermissionsBoundary=events['permissionBoundaryPolicyArn'] ) return response raise Exception("Unknown principal type.") DocumentType: Automation Metadata: aws:cdk:path: AwsDiGavBlueprint/RegionRestriction/remediateBoundaryDoc RegionRestrictionenforceRegionalPermissionBoundary405B2AF8: Type: AWS::Config::ConfigRule Properties: Source: Owner: CUSTOM_LAMBDA SourceDetails: - EventSource: aws.config MessageType: ConfigurationItemChangeNotification - EventSource: aws.config MessageType: OversizedConfigurationItemChangeNotification SourceIdentifier: Fn::GetAtt: - 
SingletonLambdaenforceRegionalPermissionBoundaryLambda5331A8F9 - Arn InputParameters: desiredBoundaryPolicyArn: Ref: RegionRestrictionPermissionsBoundaryPolicy938DB100 Scope: ComplianceResourceTypes: - AWS::IAM::Role - AWS::IAM::User DependsOn: - SingletonLambdaenforceRegionalPermissionBoundaryLambdaInvokectWrouK8UBH6gnyK2fQdFfIftiCEoGJ7mhyLPAYA9936DA1 Metadata: aws:cdk:path: AwsDiGavBlueprint/RegionRestriction/enforceRegionalPermissionBoundary/Resource RegionRestrictionpermissionBoundaryMissingRemediationConfigA2CB411C: Type: AWS::Config::RemediationConfiguration Properties: ConfigRuleName: Ref: RegionRestrictionenforceRegionalPermissionBoundary405B2AF8 TargetId: Ref: RegionRestrictionremediateBoundaryDoc55870F04 TargetType: SSM_DOCUMENT Automatic: false Parameters: permissionBoundaryPolicyArn: StaticValue: Values: - Ref: RegionRestrictionPermissionsBoundaryPolicy938DB100 offendingIamPrincipal: ResourceValue: Value: RESOURCE_ID Metadata: aws:cdk:path: AwsDiGavBlueprint/RegionRestriction/permissionBoundaryMissingRemediationConfig SingletonLambda1asdfasdfaw34535sdxf34235351d782809155FA: Type: AWS::Lambda::Function Properties: Code: ZipFile: |+ import boto3 import botocore import json import logging import cfnresponse logger = logging.getLogger() logger.setLevel(logging.INFO) org = boto3.client('organizations') # Define action for the creation of a template def create_endpoint(event, context): responseData = {} # Check if the account is part of an Organization. 
Only accounts within an Organization can receive a SCP try: response = org.describe_organization() logger.info("Account is member of an existing Organization.") try: getRootId = org.list_roots() rootId = getRootId['Roots'][0]['Id'] enableSCP = org.enable_policy_type( RootId=rootId, PolicyType='SERVICE_CONTROL_POLICY' ) print("SCP has been enabled") responseData['response'] = enableSCP responseData['statusMessage'] = 'SCP Enabled' cfnresponse.send(event, context, cfnresponse.SUCCESS, responseData) return { 'body': 'Organization exists & SCP Policy Type is enabled.' } except: print("SCP policies are already enabled") responseData['response'] = "Success" responseData['statusMessage'] = 'SCP Enabled' cfnresponse.send(event, context, cfnresponse.SUCCESS, responseData) return { 'body': 'Organization exists & SCP Policy Type is enabled.' } except: print("Not part of an Organization. Organization will be created.") # Create the Organization based on the current account createOrganization = org.create_organization( FeatureSet='ALL' ) print("Organization created.") print(createOrganization) # Enable SCP getRootId = org.list_roots() rootId = getRootId['Roots'][0]['Id'] enableSCP = org.enable_policy_type( RootId=rootId, PolicyType='SERVICE_CONTROL_POLICY' ) print("SCP has been enabled") responseData['response'] = enableSCP responseData['statusMessage'] = 'SCP Enabled' cfnresponse.send(event, context, cfnresponse.SUCCESS, responseData) return { 'body': 'Organization exists & SCP Policy Type is enabled.' } # Define action for the template deletion def delete_endpoint(event, context): return { 'body': 'Organization will not be deleted.' 
} def main(event, context): print("Received event: " + json.dumps(event, indent=2)) logger.info(event) if event['RequestType'] == 'Delete': return {} #noop elif event['RequestType'] == 'Create': return create_endpoint(event, context) elif event['RequestType'] == 'Update': return {} #noop #print("Completed successfully") Role: Fn::GetAtt: - RegionRestrictionscpPromiseSCPCustomResourceRoleBA81E678 - Arn Handler: index.main Runtime: python3.7 Timeout: 60 DependsOn: - RegionRestrictionscpPromiseSCPCustomResourceRoleDefaultPolicy7FCCD194 - RegionRestrictionscpPromiseSCPCustomResourceRoleBA81E678 Metadata: aws:cdk:path: AwsDiGavBlueprint/SingletonLambda1asdfasdfaw34535sdxf34235351d782/Resource SingletonLambda123bhab284702aa5a2234235351d7829940F873: Type: AWS::Lambda::Function Properties: Code: ZipFile: |+ import boto3 import botocore import json import logging logger = logging.getLogger() logger.setLevel(logging.INFO) org = boto3.client('organizations') iam = boto3.client('iam') # Set Global Variables accountNumber = boto3.client('sts').get_caller_identity().get('Account') policyName = "Region-Restriction-Policy" # Define action for the creation of a template def create_scp(event, context): policyContent = event['ResourceProperties']['policyContentInput'] policyName = event['ResourceProperties']['policyNameInput'] # Create the SCP response = org.create_policy( Name=policyName, Type='SERVICE_CONTROL_POLICY', Description='Policy to restrict access to certain regions', Content=policyContent, ) policyId = response['Policy']['PolicySummary']['Id'] # Attach the SCP response = org.attach_policy( PolicyId=policyId, TargetId=accountNumber, ) print(response) return { 'PhysicalResourceId': policyId } def delete_scp(event, context): policyId = event["PhysicalResourceId"] detachPolicy = org.detach_policy( PolicyId=policyId, TargetId=accountNumber, ) print(detachPolicy) # # Delete policy deletePolicy = org.delete_policy( PolicyId=policyId ) print("SCP Policy Deleted") return {} def 
main(event, context): print("Received event: " + json.dumps(event, indent=2)) logger.info(event) if event['RequestType'] == 'Delete': return delete_scp(event, context) elif event['RequestType'] == 'Create': return create_scp(event, context) elif event['RequestType'] == 'Update': delete_scp(event, context) return create_scp(event, context) #print("Completed successfully") Role: Fn::GetAtt: - RegionRestrictionscpPromiseSCPCustomResourceRoleBA81E678 - Arn Handler: index.main Runtime: python3.7 Timeout: 60 DependsOn: - RegionRestrictionscpPromiseSCPCustomResourceRoleDefaultPolicy7FCCD194 - RegionRestrictionscpPromiseSCPCustomResourceRoleBA81E678 Metadata: aws:cdk:path: AwsDiGavBlueprint/SingletonLambda123bhab284702aa5a2234235351d782/Resource SingletonLambdaenforceRegionalPermissionBoundaryLambda5331A8F9: Type: AWS::Lambda::Function Properties: Code: ZipFile: |- 'use strict';const aws=require('aws-sdk');const config=new aws.ConfigService();function checkDefined(reference,referenceName){if(!reference){throw new Error(`Error:${referenceName}is not defined`);} return reference;} function isOverSizedChangeNotification(messageType){checkDefined(messageType,'messageType');return messageType==='OversizedConfigurationItemChangeNotification';} function getConfiguration(resourceType,resourceId,configurationCaptureTime,callback){config.getResourceConfigHistory({resourceType,resourceId,laterTime:new Date(configurationCaptureTime),limit:1},(err,data)=>{if(err){callback(err,null);} const configurationItem=data.configurationItems[0];callback(null,configurationItem);});} function 
convertApiConfiguration(apiConfiguration){apiConfiguration.awsAccountId=apiConfiguration.accountId;apiConfiguration.ARN=apiConfiguration.arn;apiConfiguration.configurationStateMd5Hash=apiConfiguration.configurationItemMD5Hash;apiConfiguration.configurationItemVersion=apiConfiguration.version;apiConfiguration.configuration=JSON.parse(apiConfiguration.configuration);if({}.hasOwnProperty.call(apiConfiguration,'relationships')){for(let i=0;i{if(err){callback(err);} const configurationItem=convertApiConfiguration(apiConfigurationItem);callback(null,configurationItem);});}else{checkDefined(invokingEvent.configurationItem,'configurationItem');callback(null,invokingEvent.configurationItem);}} function isApplicable(configurationItem,event){checkDefined(configurationItem,'configurationItem');checkDefined(event,'event');const status=configurationItem.configurationItemStatus;const eventLeftScope=event.eventLeftScope;return(status==='OK'||status==='ResourceDiscovered')&&eventLeftScope===false;} function evaluateChangeNotificationCompliance(configurationItem,ruleParameters){checkDefined(configurationItem,'configurationItem');checkDefined(configurationItem.configuration,'configurationItem.configuration');checkDefined(ruleParameters,'ruleParameters');if(configurationItem.resourceType!=='AWS::IAM::Role'&&configurationItem.resourceType!=='AWS::IAM::User'){console.info('Resource NOT_APPLICABLE');return'NOT_APPLICABLE';} if(configurationItem.configuration.permissionsBoundary===null)return"NON_COMPLIANT";if(ruleParameters.desiredBoundaryPolicyArn===configurationItem.configuration.permissionsBoundary.permissionsBoundaryArn) {console.info('Resource Compliant');return'COMPLIANT';}else{console.info('Resource Non Compliant');return'NON_COMPLIANT';}} exports.handler=(event,context,callback)=>{console.info("EVENT\n"+JSON.stringify(event,null,2));checkDefined(event,'event');const invokingEvent=JSON.parse(event.invokingEvent);const 
ruleParameters=JSON.parse(event.ruleParameters);getConfigurationItem(invokingEvent,(err,configurationItem)=>{if(err){callback(err);} let compliance='NOT_APPLICABLE';const putEvaluationsRequest={};if(isApplicable(configurationItem,event)){compliance=evaluateChangeNotificationCompliance(configurationItem,ruleParameters);} putEvaluationsRequest.Evaluations=[{ComplianceResourceType:configurationItem.resourceType,ComplianceResourceId:configurationItem.resourceId,ComplianceType:compliance,OrderingTimestamp:configurationItem.configurationItemCaptureTime,},];putEvaluationsRequest.ResultToken=event.resultToken;config.putEvaluations(putEvaluationsRequest,(error,data)=>{if(error){callback(error,null);}else if(data.FailedEvaluations.length>0){callback(JSON.stringify(data),null);}else{callback(null,data);}});});}; Role: Fn::GetAtt: - RegionRestrictionenforceRegionConfigLambdaRole53D3D76E - Arn Handler: index.handler Runtime: nodejs12.x Timeout: 60 DependsOn: - RegionRestrictionenforceRegionConfigLambdaRole53D3D76E Metadata: aws:cdk:path: AwsDiGavBlueprint/SingletonLambdaenforceRegionalPermissionBoundaryLambda/Resource SingletonLambdaenforceRegionalPermissionBoundaryLambdaInvokectWrouK8UBH6gnyK2fQdFfIftiCEoGJ7mhyLPAYA9936DA1: Type: AWS::Lambda::Permission Properties: Action: lambda:InvokeFunction FunctionName: Fn::GetAtt: - SingletonLambdaenforceRegionalPermissionBoundaryLambda5331A8F9 - Arn Principal: config.amazonaws.com Metadata: aws:cdk:path: AwsDiGavBlueprint/SingletonLambdaenforceRegionalPermissionBoundaryLambda/InvokectWrouK8U+BH6gnyK2fQ--dFfIfti--CEoGJ7m+hyLPAY= SingletonLambdaenforceRegionalPermissionBoundaryLambdaPermission8E815139: Type: AWS::Lambda::Permission Properties: Action: lambda:InvokeFunction FunctionName: Fn::GetAtt: - SingletonLambdaenforceRegionalPermissionBoundaryLambda5331A8F9 - Arn Principal: config.amazonaws.com SourceAccount: Ref: AWS::AccountId Metadata: aws:cdk:path: 
AwsDiGavBlueprint/SingletonLambdaenforceRegionalPermissionBoundaryLambda/Permission CDKMetadata: Type: AWS::CDK::Metadata Properties: Analytics: v2:deflate64:H4sIAAAAAAAA/11TTW/bMAz9Lbsr6rphxY5Lva4rsBaGU+SwmyIzjhpLNPSRIDP830dJjp3kpMdHUSSfyHt+//Cdf/70QxzdQtb7u16iBd6vvJB7VqBx3gbpWQUOg5XAls6BJ2+jTMOK4DzqyVdszSUuhRUaPNho0FO18gpNNF5F11H8wGLWHuQX3q87GT3rsmBl2LRKrsLGgI/cjCoMHt7FpoWZnzkqDaUS5yTJEcHTSxmPN+GfhYejOLHSqgPB+eEXQ2USPl/IlYzW0pMYOw3Gs5GhYp9M3aEyfrx6Y5YAlhqkpg3IVNAKZLDKn54thi5Vf0sUraIU685cvjWR78I24N/AH9HubzqdLi2D36FV/5KnClmmyZsEGZgSmvcVZmc6SyS9U9MjehVGNFDP/BUxMPeV949B7rN4I8rHHHNlZ+NROCqgFXpTC5oxUqgFj+ZXMFmkCVD4JS7BauUcWTH3QsQZdDyNImuxcbz/g80k5IQJrLwFoUc2GwOTaLaq4T2xP6FVB7CnYifoq9pxUskbbBYRaB/qaYS3aLUwEsq0HXn6zzKnsLNVgYY6/9DVewOz8Re+kYDjEP5G56H+iybFzRZ16jSPJaIMcfio7pRwYccdc7y0eFBU3cAM1sA/3N3h/oE2mhb6wym1sMF4pYFX+fwPiICD1O0DAAA= Metadata: aws:cdk:path: AwsDiGavBlueprint/CDKMetadata/Default Condition: CDKMetadataAvailable Parameters: AssetParameters3b263c2ad043fd069ef446753788c36e595c82b51a70478e58258c8ef7471671S3Bucket766250D8: Type: String Description: S3 bucket for asset "3b263c2ad043fd069ef446753788c36e595c82b51a70478e58258c8ef7471671" AssetParameters3b263c2ad043fd069ef446753788c36e595c82b51a70478e58258c8ef7471671S3VersionKey850D9181: Type: String Description: S3 key for asset version "3b263c2ad043fd069ef446753788c36e595c82b51a70478e58258c8ef7471671" AssetParameters3b263c2ad043fd069ef446753788c36e595c82b51a70478e58258c8ef7471671ArtifactHashC40EE1D5: Type: String Description: Artifact hash for asset "3b263c2ad043fd069ef446753788c36e595c82b51a70478e58258c8ef7471671" Conditions: CDKMetadataAvailable: Fn::Or: - Fn::Or: - Fn::Equals: - Ref: AWS::Region - af-south-1 - Fn::Equals: - Ref: AWS::Region - ap-east-1 - Fn::Equals: - Ref: AWS::Region - ap-northeast-1 - Fn::Equals: - Ref: AWS::Region - ap-northeast-2 - Fn::Equals: - Ref: AWS::Region - ap-south-1 - Fn::Equals: - Ref: AWS::Region - ap-southeast-1 - Fn::Equals: - Ref: AWS::Region - ap-southeast-2 - Fn::Equals: - 
Ref: AWS::Region - ca-central-1 - Fn::Equals: - Ref: AWS::Region - cn-north-1 - Fn::Equals: - Ref: AWS::Region - cn-northwest-1 - Fn::Or: - Fn::Equals: - Ref: AWS::Region - eu-central-1 - Fn::Equals: - Ref: AWS::Region - eu-north-1 - Fn::Equals: - Ref: AWS::Region - eu-south-1 - Fn::Equals: - Ref: AWS::Region - eu-west-1 - Fn::Equals: - Ref: AWS::Region - eu-west-2 - Fn::Equals: - Ref: AWS::Region - eu-west-3 - Fn::Equals: - Ref: AWS::Region - me-south-1 - Fn::Equals: - Ref: AWS::Region - sa-east-1 - Fn::Equals: - Ref: AWS::Region - us-east-1 - Fn::Equals: - Ref: AWS::Region - us-east-2 - Fn::Or: - Fn::Equals: - Ref: AWS::Region - us-west-1 - Fn::Equals: - Ref: AWS::Region - us-west-2 Mappings: ServiceprincipalMap: af-south-1: ssm: ssm.af-south-1.amazonaws.com ap-east-1: ssm: ssm.ap-east-1.amazonaws.com ap-northeast-1: ssm: ssm.amazonaws.com ap-northeast-2: ssm: ssm.amazonaws.com ap-northeast-3: ssm: ssm.amazonaws.com ap-south-1: ssm: ssm.amazonaws.com ap-southeast-1: ssm: ssm.amazonaws.com ap-southeast-2: ssm: ssm.amazonaws.com ap-southeast-3: ssm: ssm.ap-southeast-3.amazonaws.com ca-central-1: ssm: ssm.amazonaws.com cn-north-1: ssm: ssm.amazonaws.com cn-northwest-1: ssm: ssm.amazonaws.com eu-central-1: ssm: ssm.amazonaws.com eu-north-1: ssm: ssm.amazonaws.com eu-south-1: ssm: ssm.eu-south-1.amazonaws.com eu-south-2: ssm: ssm.eu-south-2.amazonaws.com eu-west-1: ssm: ssm.amazonaws.com eu-west-2: ssm: ssm.amazonaws.com eu-west-3: ssm: ssm.amazonaws.com me-south-1: ssm: ssm.me-south-1.amazonaws.com sa-east-1: ssm: ssm.amazonaws.com us-east-1: ssm: ssm.amazonaws.com us-east-2: ssm: ssm.amazonaws.com us-gov-east-1: ssm: ssm.amazonaws.com us-gov-west-1: ssm: ssm.amazonaws.com us-iso-east-1: ssm: ssm.amazonaws.com us-iso-west-1: ssm: ssm.us-iso-west-1.amazonaws.com us-isob-east-1: ssm: ssm.amazonaws.com us-west-1: ssm: ssm.amazonaws.com us-west-2: ssm: ssm.amazonaws.com