{ "AWSTemplateFormatVersion": "2010-09-09", "Description": "Secure Service Catalog: Secure EC2 Instance with Logging.", "Metadata": { "AWS::CloudFormation::Interface": { "ParameterGroups": [ { "Label": { "default": "General Configuration" }, "Parameters": [ "VPC", "KeyPair", "RemoteAccessCIDR" ] }, { "Label": { "default": "Linux Instance Configuration" }, "Parameters": [ "LinuxInstanceType", "LinuxSubnet", "LinuxSSHPort", "LatestAmiId" ] } ], "ParameterLabels": { "VPC": { "default": "VPC" }, "KeyPair": { "default": "Key Pair" }, "RemoteAccessCIDR": { "default": "Remote Access CIDR Block" }, "LinuxInstanceType": { "default": "Linux Instance Type" }, "LinuxSubnet": { "default": "Linux Subnet" }, "LinuxSSHPort": { "default": "Linux SSH Port" }, "LatestAmiId": { "default": "SSM key to the latest Amazon linux AMI" } } } }, "Parameters": { "VPC": { "Type": "AWS::EC2::VPC::Id", "Description": "Select the VPC where the EC2 instances will be created", "ConstraintDescription": "must be an existing VPC" }, "LinuxSubnet": { "Type": "AWS::EC2::Subnet::Id", "Description": "Select subnet for Linux Instance", "ConstraintDescription": "must be an existing subnet" }, "RemoteAccessCIDR": { "Description": "CIDR block to allow access to linux instances", "Type": "String", "AllowedPattern": "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})", "ConstraintDescription": "must be a valid IP CIDR range of the form x.x.x.x/x." }, "LinuxInstanceType": { "AllowedValues": [ "t3.nano", "t3.micro", "t3.small", "t3.medium", "t3.large", "t2.nano", "t2.micro", "t2.small", "t2.medium", "t2.large" ], "Default": "t3.micro", "Description": "Amazon EC2 Linux Instance Type", "Type": "String" }, "LinuxSSHPort": { "Description": "Linux SSH Port Number", "Type": "Number", "Default": 22, "ConstraintDescription": "must be 22 or a number from 1024 to 65535" }, "KeyPair": { "Description": "Name of existing EC2 key pair for Linux Instances", "Type": "AWS::EC2::KeyPair::KeyName" }, "LatestAmiId": { "Type": "AWS::SSM::Parameter::Value", "Default": "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2" } }, "Resources": { "InstancePatchingRole": { "Type": "AWS::IAM::Role", "Properties": { "Path": "/", "ManagedPolicyArns": [ "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM", "arn:aws:iam::aws:policy/AmazonSSMFullAccess" ], "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "ec2.amazonaws.com" ] }, "Action": [ "sts:AssumeRole" ] } ] } } }, "PatchingInstanceProfile": { "Type": "AWS::IAM::InstanceProfile", "Properties": { "Path": "/", "Roles": [ { "Ref": "InstancePatchingRole" } ] } }, "LinuxSecurityGroup": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupDescription": "Enables SSH Access to Linux EC2 Instance", "VpcId": { "Ref": "VPC" }, "SecurityGroupIngress": [ { "Description":"allow SSH", "IpProtocol": "tcp", "FromPort": { "Ref": "LinuxSSHPort" }, "ToPort": { "Ref": "LinuxSSHPort" }, "CidrIp": { "Ref": "RemoteAccessCIDR" } }, { "Description":"allow icmp", "IpProtocol": "icmp", "FromPort": "-1", "ToPort": "-1", "CidrIp": { "Ref": "RemoteAccessCIDR" } } ], "SecurityGroupEgress":[ { "Description":"allow all outgoing", "IpProtocol" : "-1", "CidrIp" : "0.0.0.0/0" } ] } }, "LinuxInstance": { "Type": "AWS::EC2::Instance", "Properties": { "ImageId": { "Ref" : "LatestAmiId"}, "InstanceType": { "Ref": "LinuxInstanceType" }, "SubnetId": { "Ref": "LinuxSubnet" }, "SecurityGroupIds": [ { "Ref": "LinuxSecurityGroup" } ], "KeyName": { "Ref": "KeyPair" }, "IamInstanceProfile": { "Ref": "PatchingInstanceProfile" }, "Tags": [ { "Key": "Name", "Value": {"Fn::Sub":"SC-RA-Linux-${LinuxSubnet}"} }, { "Key": "Description", "Value": "Service-Catalog-EC2-Reference-Architecture" } ], "BlockDeviceMappings": [ { "DeviceName": "/dev/xvdh", "Ebs": { "Encrypted": true, "VolumeSize": "50" } } ] } }, "LinuxPatchBaseline": { "Type": "AWS::SSM::PatchBaseline", "Properties": { "OperatingSystem": "AMAZON_LINUX", "ApprovalRules": { "PatchRules": [ { "ApproveAfterDays": 0, "ComplianceLevel": "CRITICAL", "EnableNonSecurity": true, "PatchFilterGroup": { "PatchFilters": [ { "Key": "PRODUCT", "Values": [ "AmazonLinux2017.09" ] }, { "Key": "CLASSIFICATION", "Values": [ "Security", "Bugfix", "Enhancement", "Recommended" ] }, { "Key": "SEVERITY", "Values": [ "Critical", "Important", "Medium", "Low" ] } ] } } ] }, "Description": "Service Catalog EC2 Reference Architecture Patch Baseline for Amazon Linux instace", "Name": "sc-ec2-ra-linux-patch-baseline" } }, "MaintenanceWindowRole": { "Type": "AWS::IAM::Role", "Properties": { "Path": "/", "ManagedPolicyArns": [ "arn:aws:iam::aws:policy/service-role/AmazonSSMMaintenanceWindowRole" ], "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "ec2.amazonaws.com", "ssm.amazonaws.com" ] }, "Action": [ "sts:AssumeRole" ] } ] } } }, "MaintenanceWindow": { "Type": "AWS::SSM::MaintenanceWindow", "Properties": { "Description": "Maintenance window to allow for patching Amazon Linux instances", "AllowUnassociatedTargets": false, "Cutoff": 2, "Schedule": "cron(* 17 * * ? *)", "Duration": 6, "Name": "sc-ec2-ra-linux-maintenance-window" } }, "LinuxMainteanceWindowTarget": { "Type": "AWS::SSM::MaintenanceWindowTarget", "Properties": { "OwnerInformation": "Service Catalog EC2 Reference Architecture", "Description": "Service Catalog EC2 Reference Architecture - Patch Maintenance for Amazon Linux Instances", "WindowId": { "Ref": "MaintenanceWindow" }, "ResourceType": "INSTANCE", "Targets": [ { "Key": "InstanceIds", "Values": [ { "Ref": "LinuxInstance" } ] } ], "Name": "sc-ec2-ra-linux-patch-targets" } }, "LinuxMaintenanceWindowTaskScan": { "Type": "AWS::SSM::MaintenanceWindowTask", "Properties": { "MaxErrors": 1, "Description": "Service Catalog EC2 Reference Architecture Maintenance Window Task: Scan for update for Amazon Linux Instance", "ServiceRoleArn": { "Fn::GetAtt": [ "MaintenanceWindowRole", "Arn" ] }, "Priority": 1, "MaxConcurrency": 1, "Targets": [ { "Key": "InstanceIds", "Values": [ { "Ref": "LinuxInstance" } ] } ], "Name": "patch-sc-ec2-ra-linux-instances", "TaskArn": "AWS-RunPatchBaseline", "WindowId": { "Ref": "MaintenanceWindow" }, "TaskParameters": { "Operation": { "Values": [ "Scan" ] } }, "TaskType": "RUN_COMMAND" } }, "LinuxMaintenanceWindowTaskInstall": { "Type": "AWS::SSM::MaintenanceWindowTask", "Properties": { "MaxErrors": 1, "Description": "Service Catalog EC2 Reference Architecture Maintenance Window Task: Install update for Amazon Linux Instance", "ServiceRoleArn": { "Fn::GetAtt": [ "MaintenanceWindowRole", "Arn" ] }, "Priority": 2, "MaxConcurrency": 1, "Targets": [ { "Key": "InstanceIds", "Values": [ { "Ref": "LinuxInstance" } ] } ], "Name": "patch-sc-ec2-ra-linux-instances", "TaskArn": "AWS-RunPatchBaseline", "WindowId": { "Ref": "MaintenanceWindow" }, "TaskParameters": { "Operation": { "Values": [ "Install" ] } }, "TaskType": "RUN_COMMAND" } } }, "Outputs": { "AWSRegionName": { "Value": { "Ref": "AWS::Region" } }, "LinuxInstanceId": { "Value": { "Ref": "LinuxInstance" } }, "LinuxInstancePrivateIpAddress": { "Value": { "Fn::GetAtt": [ "LinuxInstance", "PrivateIp" ] } }, "LinuxInstanceAvailabilityZone": { "Value": { "Fn::GetAtt": [ "LinuxInstance", "AvailabilityZone" ] } }, "KeyPair": { "Value": { "Ref": "KeyPair" } }, "LinuxSSHPort": { "Value": { "Ref": "LinuxSSHPort" } }, "LinuxSubet": { "Value": { "Ref": "LinuxSubnet" } }, "LinuxInstanceType": { "Value": { "Ref": "LinuxInstanceType" } }, "RemoteAccessCIDR": { "Value": { "Ref": "RemoteAccessCIDR" } }, "VPC": { "Value": { "Ref": "VPC" } }, "IAMInstancePatchingRole": { "Value": { "Ref": "InstancePatchingRole" } }, "IAMPatchingInstanceProfile": { "Value": { "Ref": "PatchingInstanceProfile" } }, "SSMMaintenaceWindowRole": { "Value": { "Ref": "MaintenanceWindowRole" } }, "SSMLinuxPatchBaseline": { "Value": { "Ref": "LinuxPatchBaseline" } } } }