AWSTemplateFormatVersion: 2010-09-09
Description: >-
  VPC Traffic Mirroring primary template. Template creates VPC Traffic Mirroring
  target in a new VPC with Suricata installed on the Amazon Linux 2 instance(s)
  (qs-1s0om7h3r).
Metadata:
  QuickStartDocumentation:
    EntrypointName: "Parameters for deploying into a new VPC"
    Order: 1
  LICENSE: Apache License, Version 2.0
  LintSpellExclude:
    - Linux
    - Amazon
    - VPC
    - Traffic Mirroring
    - Network Load Balancer
    - CIDR
    - DMZ
    - GB
    - Region
    - S3
    - AmazonS3
    - QSS3BucketName
    - Quick Start
    - SSH
    - ENI
    - customizing
    - TrafficMirrorTargetType
    - NumTargetEC2Instances
  'AWS::CloudFormation::Interface':
    ParameterGroups:
      - Label:
          default: Network configuration
        Parameters:
          - AvailabilityZones
          - VPCCIDR
          - PrivateSubnet1CIDR
          - PrivateSubnet2CIDR
          - PublicSubnet1CIDR
          - PublicSubnet2CIDR
          - RemoteAccessCIDR
          - VPCTenancy
      - Label:
          default: Amazon EC2 configuration
        Parameters:
          - KeyPairName
          - BastionAMIOS
          - BastionInstanceType
      - Label:
          default: Linux bastion configuration
        Parameters:
          - NumBastionHosts
          - BastionHostName
          - BastionTenancy
          - EnableBanner
          - BastionBanner
          - EnableTCPForwarding
          - EnableX11Forwarding
      - Label:
          default: Amazon VPC Traffic Mirroring target configuration
        Parameters:
          - TrafficMirrorTargetType
          - NumTargetEC2Instances
          - TargetEC2InstanceType
          - TargetEC2InstanceRootVolumeSize
      - Label:
          default: AWS Quick Start configuration
        Parameters:
          - QSS3BucketName
          - QSS3KeyPrefix
          - QSS3BucketRegion
    ParameterLabels:
      AvailabilityZones:
        default: Availability Zones
      BastionAMIOS:
        default: Bastion AMI operating system
      BastionHostName:
        default: Bastion hostname
      BastionTenancy:
        default: Bastion tenancy
      BastionBanner:
        default: Banner text
      BastionInstanceType:
        default: Bastion instance type
      QSS3BucketRegion:
        default: Quick Start S3 bucket Region
      EnableBanner:
        default: Bastion banner
      EnableTCPForwarding:
        default: TCP forwarding
      EnableX11Forwarding:
        default: X11 forwarding
      KeyPairName:
        default: Key pair name
      NumBastionHosts:
        default: Number of bastion hosts
      TrafficMirrorTargetType:
        default: Traffic mirror target type
      NumTargetEC2Instances:
        default: Number of target EC2 instances
      TargetEC2InstanceType:
        default: Target EC2 instance type
      TargetEC2InstanceRootVolumeSize:
        default: Target EC2 instance disk size
      PrivateSubnet1CIDR:
        default: Private subnet 1 CIDR
      PrivateSubnet2CIDR:
        default: Private subnet 2 CIDR
      PublicSubnet1CIDR:
        default: Public subnet 1 CIDR
      PublicSubnet2CIDR:
        default: Public subnet 2 CIDR
      VPCTenancy:
        default: VPC tenancy
      QSS3BucketName:
        default: Quick Start S3 bucket name
      QSS3KeyPrefix:
        default: Quick Start S3 key prefix
      RemoteAccessCIDR:
        default: Allowed bastion external access CIDR
      VPCCIDR:
        default: VPC CIDR
  cfn-lint: { config: { ignore_checks: [W9901] } }
Parameters:
  AvailabilityZones:
    Description: List of Availability Zones to use for the subnets in the VPC.
    Type: 'List<AWS::EC2::AvailabilityZone::Name>'
  BastionAMIOS:
    AllowedValues:
      - Amazon-Linux2-HVM
      - CentOS-7-HVM
      - Ubuntu-Server-20.04-LTS-HVM
      - SUSE-SLES-15-HVM
    Default: Amazon-Linux2-HVM
    Description: The Linux distribution for the AMI used for the bastion instances.
    Type: String
  BastionHostName:
    Default: 'LinuxBastion'
    Description: The value used for the name tag of the bastion host.
    Type: String
  BastionBanner:
    Default: ""
    Description: Banner text to display upon login.
    Type: String
  BastionTenancy:
    Description: Bastion VPC tenancy (dedicated or default).
    Type: String
    Default: default
    AllowedValues:
      - dedicated
      - default
  BastionInstanceType:
    Description: Amazon EC2 instance type for the bastion instances.
    Type: String
    Default: t2.micro
    AllowedValues:
      - t2.nano
      - t2.micro
      - t2.small
      - t2.medium
      - t2.large
      - t3.micro
      - t3.small
      - t3.medium
      - t3.large
      - t3.xlarge
      - t3.2xlarge
      - m3.large
      - m3.xlarge
      - m3.2xlarge
      - m4.large
      - m4.xlarge
      - m4.2xlarge
      - m4.4xlarge
  EnableBanner:
    AllowedValues:
      - 'true'
      - 'false'
    Default: 'false'
    Description: Choose *true* to display a banner when connecting via SSH to the bastion.
    Type: String
  EnableTCPForwarding:
    Type: String
    Description: To enable TCP forwarding, choose *true*.
    Default: 'false'
    AllowedValues:
      - 'true'
      - 'false'
  EnableX11Forwarding:
    Type: String
    Description: To enable X11 forwarding, choose *true*.
    Default: 'false'
    AllowedValues:
      - 'true'
      - 'false'
  KeyPairName:
    Description: Name of an existing public/private key pair, which allows you to securely connect to your instance after it launches.
    Type: 'AWS::EC2::KeyPair::KeyName'
  NumBastionHosts:
    AllowedValues:
      - '1'
      - '2'
      - '3'
      - '4'
    Default: '1'
    Description: The number of bastion hosts to create. The maximum number is four.
    Type: String
  PrivateSubnet1CIDR:
    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
    Default: 10.0.0.0/19
    Description: CIDR block for private subnet 1, located in Availability Zone 1.
    Type: String
  PrivateSubnet2CIDR:
    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
    Default: 10.0.32.0/19
    Description: CIDR block for private subnet 2, located in Availability Zone 2.
    Type: String
  PublicSubnet1CIDR:
    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
    Default: 10.0.128.0/20
    Description: CIDR block for the public DMZ subnet 1, located in Availability Zone 1.
    Type: String
  PublicSubnet2CIDR:
    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
    Default: 10.0.144.0/20
    Description: CIDR block for the public DMZ subnet 2, located in Availability Zone 2.
    Type: String
  TrafficMirrorTargetType:
    Description: 'Choose NLB to deploy a Network Load Balancer and a target group with Suricata instances. For limited-scale deployments, choose ENI and set NumTargetEC2Instances to 1. This deploys Suricata on a single EC2 instance as your Traffic Mirroring target.'
    Type: String
    Default: NLB
    AllowedValues: ['NLB', 'ENI']
    ConstraintDescription: Must be a valid traffic mirror target type.
  NumTargetEC2Instances:
    AllowedValues:
      - '1'
      - '2'
      - '3'
      - '4'
    Default: '2'
    Description: The number of Suricata target instances to create. The maximum number is four. Set this to 1 when TrafficMirrorTargetType is ENI.
    Type: String
  TargetEC2InstanceType:
    Description: Amazon EC2 instance type for the Suricata target instances (registered with the NLB, or used as the single ENI target).
    Type: String
    Default: c5n.large
    AllowedValues:
      - t2.medium
      - t2.large
      - t2.xlarge
      - t2.2xlarge
      - t3.medium
      - t3.large
      - t3.xlarge
      - t3.2xlarge
      - m5n.large
      - m5n.xlarge
      - m5n.2xlarge
      - m5n.4xlarge
      - m5n.8xlarge
      - m5n.12xlarge
      - m5n.16xlarge
      - m5n.24xlarge
      - c5n.large
      - c5n.xlarge
      - c5n.2xlarge
      - c5n.4xlarge
      - c5n.9xlarge
      - c5n.18xlarge
  TargetEC2InstanceRootVolumeSize:
    Description: Target instance disk size in GB. Default is set to 8 GB.
    Default: 8
    Type: Number
    ConstraintDescription: Must be a valid instance size in GB.
  VPCTenancy:
    AllowedValues: ['default', 'dedicated']
    Default: default
    Description: The allowed tenancy of instances launched into the VPC.
    Type: String
  QSS3BucketName:
    AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$
    ConstraintDescription: The Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-).
    Default: aws-quickstart
    Description: >-
      Name of the S3 bucket for your copy of the Quick Start assets. Keep the
      default name unless you are customizing the template. Changing the name
      updates code references to point to a new Quick Start location. This name
      can include numbers, lowercase letters, uppercase letters, and hyphens,
      but cannot start or end with a hyphen (-). See
      https://aws-quickstart.github.io/option1.html.
    Type: String
  QSS3KeyPrefix:
    AllowedPattern: ^([0-9a-zA-Z-.]+/)*$
    ConstraintDescription: The Quick Start S3 key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slashes (/).
    Default: quickstart-amazon-vpc-traffic-mirroring/
    Description: >-
      S3 key prefix that is used to simulate a directory for your copy of the
      Quick Start assets. Keep the default prefix unless you are customizing the
      template. Changing this prefix updates code references to point to a new
      Quick Start location. This prefix can include numbers, lowercase letters,
      uppercase letters, hyphens (-), and forward slashes (/). End with a
      forward slash. See
      https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMetadata.html and
      https://aws-quickstart.github.io/option1.html.
    Type: String
  QSS3BucketRegion:
    Default: 'us-east-1'
    Description: 'AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. Keep the default Region unless you are customizing the template. Changing this Region updates code references to point to a new Quick Start location. When using your own bucket, specify the Region. See https://aws-quickstart.github.io/option1.html.'
    Type: String
  RemoteAccessCIDR:
    # The pattern accepts any prefix length from /0 to /32, so 0.0.0.0/0 passes
    # validation. That value opens bastion SSH to the whole internet; supply the
    # narrowest CIDR that covers your administrators.
    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/x.
    Description: Allowed CIDR block for external SSH access to the bastion hosts.
    Type: String
  VPCCIDR:
    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
    Default: 10.0.0.0/16
    Description: CIDR block for the VPC.
    Type: String
Conditions:
  # When the default bucket is used, the nested templates are fetched from the
  # regional copy (aws-quickstart-<region>) in the deploying Region instead of
  # from QSS3BucketName/QSS3BucketRegion.
  UsingDefaultBucket: !Equals
    - !Ref QSS3BucketName
    - 'aws-quickstart'
Resources:
  VPCStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: !Sub
        - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-aws-vpc/templates/aws-vpc.template.yaml
        - S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
          S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion]
      Parameters:
        AvailabilityZones: !Join [',', !Ref AvailabilityZones]
        NumberOfAZs: '2'
        PrivateSubnet1ACIDR: !Ref PrivateSubnet1CIDR
        PrivateSubnet2ACIDR: !Ref PrivateSubnet2CIDR
        PublicSubnet1CIDR: !Ref PublicSubnet1CIDR
        PublicSubnet2CIDR: !Ref PublicSubnet2CIDR
        VPCCIDR: !Ref VPCCIDR
        VPCTenancy: !Ref VPCTenancy
  BastionStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: !Sub
        - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-linux-bastion/templates/linux-bastion.template
        - S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
          S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion]
      Parameters:
        BastionAMIOS: !Ref BastionAMIOS
        BastionHostName: !Ref BastionHostName
        BastionBanner: !Ref BastionBanner
        BastionInstanceType: !Ref BastionInstanceType
        BastionTenancy: !Ref BastionTenancy
        EnableBanner: !Ref EnableBanner
        EnableTCPForwarding: !Ref EnableTCPForwarding
        EnableX11Forwarding: !Ref EnableX11Forwarding
        KeyPairName: !Ref KeyPairName
        NumBastionHosts: !Ref NumBastionHosts
        VPCID: !GetAtt [VPCStack, Outputs.VPCID]
        PublicSubnet1ID: !GetAtt [VPCStack, Outputs.PublicSubnet1ID]
        PublicSubnet2ID: !GetAtt [VPCStack, Outputs.PublicSubnet2ID]
        QSS3BucketRegion: !Ref QSS3BucketRegion
        QSS3BucketName: !Ref QSS3BucketName
        QSS3KeyPrefix: !Ref QSS3KeyPrefix
        RemoteAccessCIDR: !Ref RemoteAccessCIDR
  TrafficMirrorTargetStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: !Sub
        - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/vpc-traffic-mirroring-target.template.yaml
        - S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
          S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion]
      Parameters:
        VPCID: !GetAtt [VPCStack, Outputs.VPCID]
        VPCCIDR: !GetAtt [VPCStack, Outputs.VPCCIDR]
        # Suricata targets are placed in the private subnets; only the bastion
        # security group (passed below) is expected to reach them over SSH.
        Subnet1ID: !GetAtt [VPCStack, Outputs.PrivateSubnet1AID]
        Subnet2ID: !GetAtt [VPCStack, Outputs.PrivateSubnet2AID]
        NumTargetEC2Instances: !Ref NumTargetEC2Instances
        TargetEC2InstanceType: !Ref TargetEC2InstanceType
        TargetEC2InstanceRootVolumeSize: !Ref TargetEC2InstanceRootVolumeSize
        KeyPairName: !Ref KeyPairName
        BastionSecurityGroupID: !GetAtt [BastionStack, Outputs.BastionSecurityGroupID]
        TrafficMirrorTargetType: !Ref TrafficMirrorTargetType
Outputs:
  Postdeployment:
    Description: See the deployment guide for post-deployment steps.
    Value: https://aws-quickstart.github.io/amazon-vpc-traffic-mirroring/
  TargetInstanceASG:
    Description: Suricata instances Auto Scaling group.
    Value: !GetAtt TrafficMirrorTargetStack.Outputs.TargetInstanceASG
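The Python script below is an added example and is not part of the Quick Start or of this template. It reproduces the template's own AllowedPattern regexes, the UsingDefaultBucket condition and the !Sub/!If TemplateURL construction so that a parameter set can be checked offline before the stack is created, and it adds the checks CloudFormation cannot express in this template: the four subnets must lie inside VPCCIDR and not overlap, RemoteAccessCIDR must not be 0.0.0.0/0, and NumTargetEC2Instances must be 1 when TrafficMirrorTargetType is ENI (as the parameter description asks). The function names and the SAMPLE_PARAMS dictionary are this example's own constructions; the sample RemoteAccessCIDR 203.0.113.0/24 is a documentation range, and the URL suffix assumes the commercial-partition value of AWS::URLSuffix (amazonaws.com).

```python
"""Offline pre-deployment checks for the Quick Start entry-point template.

Example code, not part of the Quick Start. Regexes, parameter names, the
UsingDefaultBucket rule and the nested template paths are taken from the
template; everything else here is this example's own construction.
"""
import ipaddress
import re

# AllowedPattern for VPCCIDR and the four subnet CIDRs (prefix /16 to /28).
SUBNET_CIDR_RE = re.compile(
    r"^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}"
    r"([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$")
# AllowedPattern for RemoteAccessCIDR: any prefix /0 to /32, so 0.0.0.0/0 passes.
REMOTE_CIDR_RE = re.compile(
    r"^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}"
    r"([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$")
BUCKET_RE = re.compile(r"^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$")   # QSS3BucketName
PREFIX_RE = re.compile(r"^([0-9a-zA-Z-.]+/)*$")                        # QSS3KeyPrefix

DEFAULT_BUCKET = "aws-quickstart"  # value the UsingDefaultBucket condition compares against
URL_SUFFIX = "amazonaws.com"       # assumption: commercial-partition AWS::URLSuffix

# Nested stack name -> key under QSS3KeyPrefix, as written in the TemplateURLs.
NESTED_TEMPLATES = {
    "VPCStack": "submodules/quickstart-aws-vpc/templates/aws-vpc.template.yaml",
    "BastionStack": "submodules/quickstart-linux-bastion/templates/linux-bastion.template",
    "TrafficMirrorTargetStack": "templates/vpc-traffic-mirroring-target.template.yaml",
}

SUBNET_KEYS = ["PrivateSubnet1CIDR", "PrivateSubnet2CIDR", "PublicSubnet1CIDR", "PublicSubnet2CIDR"]


def validate_parameters(params):
    """Return a list of problems; an empty list means the parameters pass.

    First the template's own AllowedPattern checks, then the checks a reviewer
    wants that CloudFormation cannot enforce here.
    """
    problems = []
    for key in ["VPCCIDR"] + SUBNET_KEYS:
        if not SUBNET_CIDR_RE.match(params[key]):
            problems.append(f"{key}: must be in the form x.x.x.x/16-28")
    remote = params["RemoteAccessCIDR"]
    if not REMOTE_CIDR_RE.match(remote):
        problems.append("RemoteAccessCIDR: must be in the form x.x.x.x/x")
    elif ipaddress.ip_network(remote, strict=False).prefixlen == 0:
        problems.append("RemoteAccessCIDR: 0.0.0.0/0 exposes bastion SSH to the whole internet")
    if not BUCKET_RE.match(params["QSS3BucketName"]):
        problems.append("QSS3BucketName: invalid bucket name")
    if not PREFIX_RE.match(params["QSS3KeyPrefix"]):
        problems.append("QSS3KeyPrefix: must end with a forward slash")
    if params["TrafficMirrorTargetType"] == "ENI" and params["NumTargetEC2Instances"] != "1":
        problems.append("NumTargetEC2Instances: set to 1 when TrafficMirrorTargetType is ENI")
    if problems:
        return problems  # the network arithmetic below needs syntactically valid CIDRs
    vpc = ipaddress.ip_network(params["VPCCIDR"], strict=False)
    nets = {k: ipaddress.ip_network(params[k], strict=False) for k in SUBNET_KEYS}
    for key, net in nets.items():
        if not net.subnet_of(vpc):
            problems.append(f"{key}: {net} is not inside VPCCIDR {vpc}")
    for i, a in enumerate(SUBNET_KEYS):
        for b in SUBNET_KEYS[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} and {b} overlap")
    return problems


def nested_template_url(stack, params, deploy_region):
    """Resolve the TemplateURL the template builds with !Sub/!If for `stack`.

    UsingDefaultBucket switches the bucket to the regional copy
    '<QSS3BucketName>-<deploying Region>' and the S3 Region to the deploying
    Region; otherwise QSS3BucketName and QSS3BucketRegion are used verbatim.
    """
    using_default = params["QSS3BucketName"] == DEFAULT_BUCKET
    bucket = f"{params['QSS3BucketName']}-{deploy_region}" if using_default else params["QSS3BucketName"]
    region = deploy_region if using_default else params["QSS3BucketRegion"]
    return f"https://{bucket}.s3.{region}.{URL_SUFFIX}/{params['QSS3KeyPrefix']}{NESTED_TEMPLATES[stack]}"


# Constructed sample: the template defaults plus a documentation-range SSH source.
SAMPLE_PARAMS = {
    "VPCCIDR": "10.0.0.0/16",
    "PrivateSubnet1CIDR": "10.0.0.0/19",
    "PrivateSubnet2CIDR": "10.0.32.0/19",
    "PublicSubnet1CIDR": "10.0.128.0/20",
    "PublicSubnet2CIDR": "10.0.144.0/20",
    "RemoteAccessCIDR": "203.0.113.0/24",
    "QSS3BucketName": "aws-quickstart",
    "QSS3KeyPrefix": "quickstart-amazon-vpc-traffic-mirroring/",
    "QSS3BucketRegion": "us-east-1",
    "TrafficMirrorTargetType": "NLB",
    "NumTargetEC2Instances": "2",
}

if __name__ == "__main__":
    for line in validate_parameters(SAMPLE_PARAMS) or ["parameters OK"]:
        print(line)
    for name in NESTED_TEMPLATES:
        print(name, nested_template_url(name, SAMPLE_PARAMS, "us-east-1"))
```

Run it against the parameter file you intend to pass to `aws cloudformation create-stack`; the overlap and containment checks catch the subnet mistakes that otherwise surface only as a failed nested VPCStack, and the RemoteAccessCIDR check catches the world-open bastion that the template's own pattern lets through.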