AWSTemplateFormatVersion: 2010-09-09 Description: (qs-1s6abjf80) Parameters: ProjectName: Description: Name of your project Type: String PermissionsBoundaryArn: Description: Will be attached to all created IAM Roles to satisfy security requirements Type: String Default: '' RolePath: Description: Will be attached to all created IAM Roles to satisfy security requirements Type: String Default: '' QSS3BucketName: AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$ ConstraintDescription: Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Default: aws-quickstart Description: Name of the S3 bucket for your copy of the Quick Start assets. Keep the default name unless you are customizing the template. Changing the name updates code references to point to a new Quick Start location. This name can include numbers, lowercase letters, uppercase letters, and hyphens, but do not start or end with a hyphen (-). See https://aws-quickstart.github.io/option1.html. Type: String QSS3KeyPrefix: AllowedPattern: ^[0-9a-zA-Z-/]*$ ConstraintDescription: The Quick Start S3 key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slashes (/). The prefix should end with a forward slash (/). Default: quickstart-ammos-smallsat-toolkit/ Description: S3 key prefix that is used to simulate a directory for your copy of the Quick Start assets. Keep the default prefix unless you are customizing the template. Changing this prefix updates code references to point to a new Quick Start location. This prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slashes (/). End with a forward slash. See https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMetadata.html and https://aws-quickstart.github.io/option1.html. Type: String Conditions: RolePathProvided: !Not [!Equals ['', !Ref RolePath]] PermissionsBoundaryProvided: !Not [!Equals ['', !Ref PermissionsBoundaryArn]] UsingDefaultBucket: !Equals [!Ref QSS3BucketName, 'aws-quickstart'] Resources: LoggingLambdaRole: Metadata: cfn-lint: config: ignore_checks: - EIAMPolicyWildcardResource ignore_reasons: - EIAMPolicyWildcardResource: False positive Type: AWS::IAM::Role Properties: RoleName: !Sub '${ProjectName}-LoggingLambdaRole' Description: Grants permissions on various logging sources and destinations AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - logs.amazonaws.com - lambda.amazonaws.com - firehose.amazonaws.com Action: - sts:AssumeRole Path: !If [RolePathProvided, !Ref RolePath, !Ref AWS::NoValue] PermissionsBoundary: !If [PermissionsBoundaryProvided, !Ref PermissionsBoundaryArn, !Ref AWS::NoValue] Policies: - PolicyName: cloudwatch-firehose PolicyDocument: Statement: - Effect: Allow Action: - firehose:CreateDeliveryStream - firehose:DeleteDeliveryStream - firehose:DescribeDeliveryStream - firehose:ListDeliveryStreams - firehose:ListTagsForDeliveryStream - firehose:PutRecord - firehose:PutRecordBatch - firehose:StartDeliveryStreamEncryption - firehose:StopDeliveryStreamEncryption - firehose:TagDeliveryStream - firehose:UntagDeliveryStream - firehose:UpdateDestination Resource: - !Sub arn:${AWS::Partition}:firehose:${AWS::Region}:${AWS::AccountId}:deliverystream/${ProjectName}-DeliveryStream - PolicyName: firehose-s3 PolicyDocument: Statement: - Effect: Allow Action: - s3:AbortMultipartUpload - s3:GetBucketLocation - s3:GetObject - s3:ListBucket - s3:ListBucketMultipartUploads - s3:PutObject Resource: - !Sub arn:${AWS::Partition}:s3:::${ProjectName}-LogsBucket - !Sub arn:${AWS::Partition}:s3:::${ProjectName}-LogsBucket/* - PolicyName: firehose-ec2 PolicyDocument: Statement: - Effect: Allow Action: - ec2:DescribeVpcs - ec2:DescribeVpcAttribute - ec2:DescribeSubnets - ec2:DescribeSecurityGroups - ec2:DescribeNetworkInterfaces - ec2:CreateNetworkInterface - ec2:DeleteNetworkInterface - ec2:CreateNetworkInterfacePermission Resource: '*' - PolicyName: firehose-elasticsearch PolicyDocument: Statement: - Effect: Allow Action: - es:DescribeElasticsearchDomain - es:DescribeElasticsearchDomains - es:DescribeElasticsearchDomainConfig - es:ESHttpPost - es:ESHttpPut Resource: - !Sub arn:${AWS::Partition}:es:${AWS::Region}:${AWS::AccountId}:domain/${ProjectName}-logs - !Sub arn:${AWS::Partition}:es:${AWS::Region}:${AWS::AccountId}:domain/${ProjectName}-logs/* - PolicyName: firehose-cloudwatch-errors PolicyDocument: Statement: - Effect: Allow Action: - logs:PutLogEvents Resource: - !Sub arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/${ProjectName}/kinesisfirehose/logging-firehose:* - PolicyName: firehose-lambda-transform PolicyDocument: Statement: - Effect: Allow Action: - lambda:InvokeFunction - lambda:GetFunctionConfiguration Resource: - !Sub 'arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:${ProjectName}-LoggingProcessor' ManagedPolicyArns: - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole AitServerRole: Type: AWS::IAM::Role Properties: RoleName: !Sub '${ProjectName}-AitServerRole' Description: IAM Role to be used by the AIT Application Server AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Effect: Allow Principal: Service: ec2.amazonaws.com Version: '2012-10-17' ManagedPolicyArns: - !Sub 'arn:${AWS::Partition}:iam::aws:policy/CloudWatchAgentServerPolicy' - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore' Path: !If [RolePathProvided, !Ref RolePath, !Ref AWS::NoValue] PermissionsBoundary: !If [PermissionsBoundaryProvided, !Ref PermissionsBoundaryArn, !Ref AWS::NoValue] Policies: - PolicyName: ec2-ait-server PolicyDocument: Statement: - Action: cloudformation:SignalResource Effect: Allow Resource: !Sub arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${AWS::StackName}/* - Action: - s3:GetBucketAcl - s3:GetBucketLocation - s3:GetObject - s3:GetObjectAcl - s3:GetObjectTagging - s3:GetObjectVersion - s3:ListBucket Effect: Allow Resource: - !Sub 'arn:${AWS::Partition}:s3:::${ProjectName}-config' - !Sub 'arn:${AWS::Partition}:s3:::${ProjectName}-config/*' - Action: - 's3:GetObject' - s3:ListBucket Resource: !Sub - arn:${AWS::Partition}:s3:::${S3Bucket}/${QSS3KeyPrefix}* - S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Effect: Allow EditorServerRole: Type: AWS::IAM::Role Properties: RoleName: !Sub '${ProjectName}-EditorServerRole' Description: IAM Role to be used by the Editor Application Server AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Effect: Allow Principal: Service: ec2.amazonaws.com Version: '2012-10-17' ManagedPolicyArns: - !Sub 'arn:${AWS::Partition}:iam::aws:policy/CloudWatchAgentServerPolicy' - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore' Path: !If [RolePathProvided, !Ref RolePath, !Ref AWS::NoValue] PermissionsBoundary: !If [PermissionsBoundaryProvided, !Ref PermissionsBoundaryArn, !Ref AWS::NoValue] Policies: - PolicyName: ec2-editor-server PolicyDocument: Statement: - Action: cloudformation:SignalResource Effect: Allow Resource: !Sub arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${AWS::StackName}/* - Action: - s3:GetBucketAcl - s3:GetBucketLocation - s3:GetObject - s3:GetObjectAcl - s3:GetObjectTagging - s3:GetObjectVersion - s3:ListBucket Effect: Allow Resource: - !Sub 'arn:${AWS::Partition}:s3:::${ProjectName}-config' - !Sub 'arn:${AWS::Partition}:s3:::${ProjectName}-config/*' - Action: - 's3:GetObject' - s3:ListBucket Resource: !Sub - arn:${AWS::Partition}:s3:::${S3Bucket}/${QSS3KeyPrefix}* - S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Effect: Allow CognitoInspectRole: Type: AWS::IAM::Role Properties: RoleName: !Sub ${ProjectName}-CognitoInspectRole AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Effect: Allow Principal: Service: lambda.amazonaws.com Version: "2012-10-17" ManagedPolicyArns: - !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" Path: !If [RolePathProvided, !Ref RolePath, !Ref AWS::NoValue] PermissionsBoundary: !If [PermissionsBoundaryProvided, !Ref PermissionsBoundaryArn, !Ref AWS::NoValue] Policies: - PolicyDocument: Statement: - Action: cognito-idp:DescribeUserPoolClient Effect: Allow Resource: !Sub arn:${AWS::Partition}:cognito-idp:${AWS::Region}:${AWS::AccountId}:userpool/* Version: "2012-10-17" PolicyName: cognito-client-describe DeploymentHelperRole: Type: AWS::IAM::Role Properties: RoleName: !Sub ${ProjectName}-DeploymentHelperRole AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Effect: Allow Principal: Service: lambda.amazonaws.com Version: "2012-10-17" ManagedPolicyArns: - !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" Path: !If [RolePathProvided, !Ref RolePath, !Ref AWS::NoValue] PermissionsBoundary: !If [PermissionsBoundaryProvided, !Ref PermissionsBoundaryArn, !Ref AWS::NoValue] Policies: - PolicyDocument: Statement: - Action: iam:GetRole Effect: Allow Resource: Fn::Join: - "" - - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role - !If [RolePathProvided, !Ref RolePath, /] - !Sub ${ProjectName} - "-*" Version: "2012-10-17" PolicyName: role-checker BastionHostRole: Type: 'AWS::IAM::Role' Properties: RoleName: !Sub ${ProjectName}-BastionHostRole Path: !If [RolePathProvided, !Ref RolePath, !Ref AWS::NoValue] PermissionsBoundary: !If [ PermissionsBoundaryProvided, !Ref PermissionsBoundaryArn, !Ref AWS::NoValue, ] AssumeRolePolicyDocument: Statement: - Action: - 'sts:AssumeRole' Principal: Service: - !Sub 'ec2.${AWS::URLSuffix}' Effect: Allow Version: 2012-10-17 Policies: - PolicyName: BastionPolicy PolicyDocument: Version: 2012-10-17 Statement: - Sid: GetAssetsS3 Action: - 's3:GetObject' Resource: !Sub - arn:${AWS::Partition}:s3:::${S3Bucket}/${QSS3KeyPrefix}* - S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Effect: Allow - Sid: Logging Action: - 'logs:CreateLogStream' - 'logs:GetLogEvents' - 'logs:PutLogEvents' - 'logs:DescribeLogGroups' - 'logs:DescribeLogStreams' - 'logs:PutRetentionPolicy' - 'logs:PutMetricFilter' - 'logs:CreateLogGroup' Resource: '*' Effect: Allow - Sid: DescribeAddress Action: - 'ec2:DescribeAddresses' Resource: '*' Effect: Allow - Sid: AssociateAddress Effect: Allow Action: - 'ec2:AssociateAddress' Resource: '*' ManagedPolicyArns: - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore' - !Sub 'arn:${AWS::Partition}:iam::aws:policy/CloudWatchAgentServerPolicy' CopyZipsRole: Type: AWS::IAM::Role Properties: Path: !If [RolePathProvided, !Ref RolePath, !Ref AWS::NoValue] PermissionsBoundary: !If [ PermissionsBoundaryProvided, !Ref PermissionsBoundaryArn, !Ref AWS::NoValue, ] AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: lambda.amazonaws.com Action: sts:AssumeRole Policies: - PolicyName: ConfigPolicy PolicyDocument: Version: 2012-10-17 Statement: - Sid: Logging Effect: Allow Action: - logs:StartQuery - logs:DeleteLogGroup - logs:CreateLogStream - logs:DisassociateKmsKey - logs:StopQuery - logs:UntagLogGroup - logs:PutResourcePolicy - logs:GetLogGroupFields - logs:GetLogDelivery - logs:TagLogGroup - logs:DeleteRetentionPolicy - logs:PutQueryDefinition - logs:UpdateLogDelivery - logs:FilterLogEvents - logs:PutRetentionPolicy - logs:PutMetricFilter - logs:DescribeQueryDefinitions - logs:PutDestination - logs:GetLogRecord - logs:PutLogEvents - logs:ListLogDeliveries - logs:DescribeExportTasks - logs:DescribeLogStreams - logs:CreateLogGroup - logs:DeleteMetricFilter - logs:CancelExportTask - logs:DescribeMetricFilters - logs:DeleteSubscriptionFilter - logs:DescribeResourcePolicies - logs:DescribeSubscriptionFilters - logs:GetQueryResults - logs:DeleteQueryDefinition - logs:DeleteResourcePolicy - logs:DeleteLogStream - logs:CreateExportTask - logs:DeleteLogDelivery - logs:DescribeLogGroups - logs:CreateLogDelivery - logs:PutDestinationPolicy - logs:GetLogEvents - logs:DescribeQueries - logs:DescribeDestinations - logs:PutSubscriptionFilter - logs:DeleteDestination - logs:TestMetricFilter - logs:ListTagsLogGroup Resource: !Sub arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:* - Sid: S3Get Effect: Allow Action: - s3:GetObject Resource: !Sub - arn:${AWS::Partition}:s3:::${S3Bucket}/${QSS3KeyPrefix}* - S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] - Sid: S3Put Effect: Allow Action: - s3:PutObject - s3:DeleteObject Resource: !Sub - arn:${AWS::Partition}:s3:::${DestBucket}/* - DestBucket: !Sub ${ProjectName}-config Outputs: DeploymentHelperRoleArn: Export: Name: !Sub ${ProjectName}-DeploymentHelperRoleArn Description: ARN of the LoggingLambdaRole created for AST deployment Value: !GetAtt DeploymentHelperRole.Arn LoggingLambdaRoleArn: Description: ARN of the LoggingLambdaRole created for AST deployment Value: !GetAtt LoggingLambdaRole.Arn CognitoInspectRoleArn: Description: ARN of the CognitoInspectRole created for AST deployment Value: !GetAtt CognitoInspectRole.Arn AitServerRoleArn: Description: ARN of the AitServerRole created for AST deployment Value: !GetAtt AitServerRole.Arn AitServerRoleName: Description: Name of the AitServerRole created for AST deployment Value: !Ref AitServerRole EditorServerRoleArn: Description: ARN of the EditorServerRole created for AST deployment Value: !GetAtt EditorServerRole.Arn EditorServerRoleName: Description: Name of the EditorServerRole created for AST deployment Value: !Ref EditorServerRole BastionHostRoleArn: Description: ARN of the BastionHostRole created for AST deployment Value: !GetAtt BastionHostRole.Arn BastionHostRoleName: Description: Name of the BastionHostRole created for AST deployment Value: !Ref BastionHostRole CopyZipsRoleArn: Description: ARN of the CopyZipsRole created for AST deployment Value: !GetAtt CopyZipsRole.Arn CopyZipsRoleName: Description: Name of the CopyZipsRole created for AST deployment Value: !Ref CopyZipsRole