Conditions:
  CDKMetadataAvailable:
    Fn::Or:
      - Fn::Or:
          - Fn::Equals:
              - Ref: AWS::Region
              - af-south-1
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-east-1
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-northeast-1
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-northeast-2
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-south-1
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-southeast-1
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-southeast-2
          - Fn::Equals:
              - Ref: AWS::Region
              - ca-central-1
          - Fn::Equals:
              - Ref: AWS::Region
              - cn-north-1
          - Fn::Equals:
              - Ref: AWS::Region
              - cn-northwest-1
      - Fn::Or:
          - Fn::Equals:
              - Ref: AWS::Region
              - eu-central-1
          - Fn::Equals:
              - Ref: AWS::Region
              - eu-north-1
          - Fn::Equals:
              - Ref: AWS::Region
              - eu-south-1
          - Fn::Equals:
              - Ref: AWS::Region
              - eu-west-1
          - Fn::Equals:
              - Ref: AWS::Region
              - eu-west-2
          - Fn::Equals:
              - Ref: AWS::Region
              - eu-west-3
          - Fn::Equals:
              - Ref: AWS::Region
              - me-south-1
          - Fn::Equals:
              - Ref: AWS::Region
              - sa-east-1
          - Fn::Equals:
              - Ref: AWS::Region
              - us-east-1
          - Fn::Equals:
              - Ref: AWS::Region
              - us-east-2
      - Fn::Or:
          - Fn::Equals:
              - Ref: AWS::Region
              - us-west-1
          - Fn::Equals:
              - Ref: AWS::Region
              - us-west-2
Description: AWS Biotech Blueprint CDK is an AWS Quick Start that helps Biotech companies deploy core AWS Infrastructure as well as CloudFormation templates for common ISV solutions. (qs-1of009lua) (ib-1of009lua)
Parameters:
  AssetParameters7ef22dac3421fb2d25175b3386053dbc5bdc110e87cbd58600263bf70a6324cdS3BucketA00C8555:
    Description: S3 bucket for asset "7ef22dac3421fb2d25175b3386053dbc5bdc110e87cbd58600263bf70a6324cd"
    Type: String
  AssetParameters7ef22dac3421fb2d25175b3386053dbc5bdc110e87cbd58600263bf70a6324cdS3VersionKey27C92598:
    Description: S3 key for asset version "7ef22dac3421fb2d25175b3386053dbc5bdc110e87cbd58600263bf70a6324cd"
    Type: String
Resources:
  BlueprintServiceCatalogChemAxon00A4428F:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/BlueprintServiceCatalog/ChemAxon
    Properties:
      Description: ChemAxon's Compound Registration is a system built on a set of web services, aiding users to register molecular structures into a compound database. The registration process spots unique compounds among a set of structures already contained within the database.
      Distributor: AWS
      Name: ChemAxon Compound Registry
      Owner: ChemAxon
      ProvisioningArtifactParameters:
        - Info:
            LoadTemplateFromURL: https://s3.amazonaws.com/aws-quickstart/quickstart-chemaxon-registry/templates/chemaxon-registry.template
      SupportDescription: You need to subscribe to the ChemAxon marketplace AMI before you can deploy this software. https://aws.amazon.com/marketplace/pp/B077F6VV3B?qid=1553611079631&sr=0-1&ref_=srh_res_product_title.
      SupportEmail: support@chemaxon.com
      SupportUrl: https://chemaxon.com/support
    Type: AWS::ServiceCatalog::CloudFormationProduct
  BlueprintServiceCatalogChemAxonAssociation8FDD4D57:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/BlueprintServiceCatalog/ChemAxonAssociation
    Properties:
      PortfolioId:
        Ref: BlueprintServiceCatalogInformaticsCatalog2B70227E
      ProductId:
        Ref: BlueprintServiceCatalogChemAxon00A4428F
    Type: AWS::ServiceCatalog::PortfolioProductAssociation
  BlueprintServiceCatalogDotmatics7C3629F0:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/BlueprintServiceCatalog/Dotmatics
    Properties:
      Description: Dotmatics Suite running on AWS. Please contact sales@dotmatics.com for licensing details.
      Distributor: Dotmatics
      Name: Dotmatics Suite
      Owner: Dotmatics
      ProvisioningArtifactParameters:
        - Info:
            LoadTemplateFromURL: https://aws-quickstart.s3.amazonaws.com/quickstart-dotmatics/templates/dotmatics.template
      SupportDescription: Support is provided through our usual channels – please visit our support pages or drop us an email.
      SupportEmail: support@dotmatics.com
      SupportUrl: https://aws-quickstart.s3.amazonaws.com/quickstart-dotmatics/doc/dotmatics-suite-on-the-aws-cloud.pdf
    Type: AWS::ServiceCatalog::CloudFormationProduct
  BlueprintServiceCatalogDotmaticsAssociation19F858FD:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/BlueprintServiceCatalog/DotmaticsAssociation
    Properties:
      PortfolioId:
        Ref: BlueprintServiceCatalogInformaticsCatalog2B70227E
      ProductId:
        Ref: BlueprintServiceCatalogDotmatics7C3629F0
    Type: AWS::ServiceCatalog::PortfolioProductAssociation
  BlueprintServiceCatalogHailCluster2883A297:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/BlueprintServiceCatalog/HailCluster
    Properties:
      Description: Deploys Hail 0.2, an open-source library for scalable genomic data exploration, on AWS EMR.
      Distributor: Broad Institute
      Name: Hail Cluster on AWS EMR
      Owner: AWS
      ProvisioningArtifactParameters:
        - Info:
            LoadTemplateFromURL: https://aws-quickstart.s3.amazonaws.com/quickstart-hail/templates/hail-core.template.yaml
      SupportUrl: https://aws-quickstart.github.io/quickstart-hail/
    Type: AWS::ServiceCatalog::CloudFormationProduct
  BlueprintServiceCatalogHailClusterAssociation0C188407:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/BlueprintServiceCatalog/HailClusterAssociation
    Properties:
      PortfolioId:
        Ref: BlueprintServiceCatalogInformaticsCatalog2B70227E
      ProductId:
        Ref: BlueprintServiceCatalogHailCluster2883A297
    Type: AWS::ServiceCatalog::PortfolioProductAssociation
  BlueprintServiceCatalogHailNotebook8BAA992E:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/BlueprintServiceCatalog/HailNotebook
    Properties:
      Description: Deploys an AWS SageMaker notebook that can integrate with a Hail 0.2 cluster on EMR.
      Distributor: Broad Institute
      Name: Hail Notebook on AWS SageMaker
      Owner: AWS
      ProvisioningArtifactParameters:
        - Info:
            LoadTemplateFromURL: https://aws-quickstart.s3.amazonaws.com/quickstart-hail/templates/hail-sagemaker.template.yaml
      SupportUrl: https://aws-quickstart.github.io/quickstart-hail/
    Type: AWS::ServiceCatalog::CloudFormationProduct
  BlueprintServiceCatalogHailNotebookAssociationE8CC88BA:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/BlueprintServiceCatalog/HailNotebookAssociation
    Properties:
      PortfolioId:
        Ref: BlueprintServiceCatalogInformaticsCatalog2B70227E
      ProductId:
        Ref: BlueprintServiceCatalogHailNotebook8BAA992E
    Type: AWS::ServiceCatalog::PortfolioProductAssociation
  BlueprintServiceCatalogInformaticsCatalog2B70227E:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/BlueprintServiceCatalog/InformaticsCatalog
    Properties:
      Description: Collection of bio and chem informatics tools easily deployed into the Biotech Blueprint.
      DisplayName: Biotech Blueprint Informatics Catalog
      ProviderName: AWS
    Type: AWS::ServiceCatalog::Portfolio
  BlueprintServiceCatalogNextflowAssocation851EF07D:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/BlueprintServiceCatalog/NextflowAssocation
    Properties:
      PortfolioId:
        Ref: BlueprintServiceCatalogInformaticsCatalog2B70227E
      ProductId:
        Ref: BlueprintServiceCatalogNextflowB4A674B7
    Type: AWS::ServiceCatalog::PortfolioProductAssociation
  BlueprintServiceCatalogNextflowB4A674B7:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/BlueprintServiceCatalog/Nextflow
    Properties:
      Description: Nextflow enables scalable and reproducible scientific workflows using software containers. It allows the adaptation of pipelines written in the most common scripting languages.
      Distributor: Comparative Bioinformatics group at the Barcelona Centre for Genomic Regulation (CRG).
      Name: Nextflow
      Owner: AWS
      ProvisioningArtifactParameters:
        - Info:
            LoadTemplateFromURL: https://s3.amazonaws.com/aws-genomics-workflows/templates/aws-genomics-root-novpc.template.yaml
      SupportUrl: https://docs.opendata.aws/genomics-workflows/orchestration/nextflow/nextflow-overview/
    Type: AWS::ServiceCatalog::CloudFormationProduct
  BlueprintServiceCatalogTitianAssociation0A117A6A:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/BlueprintServiceCatalog/TitianAssociation
    Properties:
      PortfolioId:
        Ref: BlueprintServiceCatalogInformaticsCatalog2B70227E
      ProductId:
        Ref: BlueprintServiceCatalogTitianE7AADF00
    Type: AWS::ServiceCatalog::PortfolioProductAssociation
  BlueprintServiceCatalogTitianE7AADF00:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/BlueprintServiceCatalog/Titian
    Properties:
      Description: 'Mosaic FreezerManagement is a comprehensive and cost-effective software solution for managing and tracking all types of sample inventory, backed by a full audit trail. It provides a flexible interface to define and record properties for any type of sample or container, and manages your entire hierarchy of storage including freezers, shelves, cupboards, etc. Other features include an intuitive search interface, and expiry date tracking. IMPORTANT NOTE: Please contact Titian at info@titian.co.uk for validation before you launch the template below, otherwise the template will fail.'
      Distributor: Titian Software Limited
      Name: Mosaic FreezerManagement
      Owner: Titian Software Limited
      ProvisioningArtifactParameters:
        - Info:
            LoadTemplateFromURL: https://aws-quickstart.s3.amazonaws.com/quickstart-titian-mosaic/templates/titian-mosaic.template
      SupportDescription: Titian supports a worldwide customer base – including customer sites in Europe, USA and Asia. Support may be provided by email, telephone or shared Desktop sessions
      SupportEmail: info@titian.co.uk
      SupportUrl: https://aws-quickstart.s3.amazonaws.com/quickstart-titian-mosaic/doc/titian-mosaic-freezermanagement-on-the-aws-cloud.pdf
    Type: AWS::ServiceCatalog::CloudFormationProduct
  CDKMetadata:
    Condition: CDKMetadataAvailable
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/CDKMetadata/Default
    Properties:
      Analytics: 'v2:deflate64:H4sIAAAAAAAA/11TTW/bMAz9Lb0rarN2Oy91P1agKIykyGE3RWYcNbYYUFSCzPB/H2W7dpATHx9pfjxTcz1/uNN3N7/NKcxssb9tLBLoZsXG7lWGPjBFy2oJASNZUIsQgCVaOl+qLAbGeoxlW3+Jc0OmBgZKjpQqHDv0rUqtGrA/dLM+2BRb55nK46ZydhU3HjhxE1piZPg0mwomfuJkHrTOpMpjcgLPb3kyH4ZfDcPJnFVO7ihwKvzmZTbB3wn9JIO3YFFgV4NnNTAy7LMvDug8D6lXbg5Aoops6sF2A63ARnJ8fiWMh276ayKrnLRYH/xlrZH8NFQCfwCfkPZXm45Ji8g7JPeviyxjL9MY7QRplTO1bpbYBzubo+jdLd2jVoV73TxGu+/VGVBvHk2AAU7fXfqtqky9KYxcjkhQAaN/ib5XYQTyzTdO3WYm3VLQ3UmpCsugm3csR21GLGDFBKYe2N5plUW/daVuhH2Cyh2BztnOiPrVcHESjdTrAnLXxXiKW6TaeAu5XHmrKGn0U7YfTuQPBobiL/pOrcmToYGOzoI1bGTernOOxFvRAHvZMRYvqXhqmhMW6fFcZg3cxc9sZZHuHc1oeDxBS9bRybit8liA/gq3x/kvPb/X85uv4NyMomdXg1729j/CFRtuxgMAAA=='
    Type: AWS::CDK::Metadata
  ClientVpn0clientVpnEndpointAssociation8160B577:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/ClientVpn/0-clientVpnEndpointAssociation
    Properties:
      ClientVpnEndpointId:
        Ref: ClientVpnclientVpnEndpoint53D29AAC
      SubnetId:
        Ref: VpcCoreManagmentDMZSubnet1Subnet3D4DB21E
    Type: AWS::EC2::ClientVpnTargetNetworkAssociation
  ClientVpn0developmentRouteDE605129:
    DependsOn:
      - ClientVpn0clientVpnEndpointAssociation8160B577
      - ClientVpn1clientVpnEndpointAssociation19D93CB9
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/ClientVpn/0-developmentRoute
    Properties:
      ClientVpnEndpointId:
        Ref: ClientVpnclientVpnEndpoint53D29AAC
      DestinationCidrBlock:
        Fn::GetAtt:
          - VpcCoreDevelopment37E2B994
          - CidrBlock
      TargetVpcSubnetId:
        Ref: VpcCoreManagmentDMZSubnet1Subnet3D4DB21E
    Type: AWS::EC2::ClientVpnRoute
  ClientVpn0productionRoute7AD177DA:
    DependsOn:
      - ClientVpn0clientVpnEndpointAssociation8160B577
      - ClientVpn1clientVpnEndpointAssociation19D93CB9
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/ClientVpn/0-productionRoute
    Properties:
      ClientVpnEndpointId:
        Ref: ClientVpnclientVpnEndpoint53D29AAC
      DestinationCidrBlock:
        Fn::GetAtt:
          - VpcCoreProductionD971AE3A
          - CidrBlock
      TargetVpcSubnetId:
        Ref: VpcCoreManagmentDMZSubnet1Subnet3D4DB21E
    Type: AWS::EC2::ClientVpnRoute
  ClientVpn1clientVpnEndpointAssociation19D93CB9:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/ClientVpn/1-clientVpnEndpointAssociation
    Properties:
      ClientVpnEndpointId:
        Ref: ClientVpnclientVpnEndpoint53D29AAC
      SubnetId:
        Ref: VpcCoreManagmentDMZSubnet2SubnetB133424E
    Type: AWS::EC2::ClientVpnTargetNetworkAssociation
  ClientVpn1developmentRouteBB456F2F:
    DependsOn:
      - ClientVpn0clientVpnEndpointAssociation8160B577
      - ClientVpn1clientVpnEndpointAssociation19D93CB9
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/ClientVpn/1-developmentRoute
    Properties:
      ClientVpnEndpointId:
        Ref: ClientVpnclientVpnEndpoint53D29AAC
      DestinationCidrBlock:
        Fn::GetAtt:
          - VpcCoreDevelopment37E2B994
          - CidrBlock
      TargetVpcSubnetId:
        Ref: VpcCoreManagmentDMZSubnet2SubnetB133424E
    Type: AWS::EC2::ClientVpnRoute
  ClientVpn1productionRouteE229C4FD:
    DependsOn:
      - ClientVpn0clientVpnEndpointAssociation8160B577
      - ClientVpn1clientVpnEndpointAssociation19D93CB9
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/ClientVpn/1-productionRoute
    Properties:
      ClientVpnEndpointId:
        Ref: ClientVpnclientVpnEndpoint53D29AAC
      DestinationCidrBlock:
        Fn::GetAtt:
          - VpcCoreProductionD971AE3A
          - CidrBlock
      TargetVpcSubnetId:
        Ref: VpcCoreManagmentDMZSubnet2SubnetB133424E
    Type: AWS::EC2::ClientVpnRoute
  ClientVpnClientVpnAccessLogGroup8491CD05:
    DeletionPolicy: Retain
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/ClientVpn/ClientVpnAccessLogGroup/Resource
    Properties:
      RetentionInDays: 180
    Type: AWS::Logs::LogGroup
    UpdateReplacePolicy: Retain
  ClientVpnClientVpnAccessLogStream5480C352:
    DeletionPolicy: Retain
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/ClientVpn/ClientVpnAccessLogStream/Resource
    Properties:
      LogGroupName:
        Ref: ClientVpnClientVpnAccessLogGroup8491CD05
    Type: AWS::Logs::LogStream
    UpdateReplacePolicy: Retain
  ClientVpnDevelopmentAuthorizationF2F84AF6:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/ClientVpn/DevelopmentAuthorization
    Properties:
      AuthorizeAllGroups: true
      ClientVpnEndpointId:
        Ref: ClientVpnclientVpnEndpoint53D29AAC
      Description: Allows VPN users access to Development VPC
      TargetNetworkCidr:
        Fn::GetAtt:
          - VpcCoreDevelopment37E2B994
          - CidrBlock
    Type: AWS::EC2::ClientVpnAuthorizationRule
  ClientVpnManagmentAuthorization5FD7AAA7:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/ClientVpn/ManagmentAuthorization
    Properties:
      AuthorizeAllGroups: true
      ClientVpnEndpointId:
        Ref: ClientVpnclientVpnEndpoint53D29AAC
      Description: Allows Transit VPN users access to Management VPC
      TargetNetworkCidr:
        Fn::GetAtt:
          - VpcCoreManagment030DB556
          - CidrBlock
    Type: AWS::EC2::ClientVpnAuthorizationRule
  ClientVpnProductionAuthorization8EEF0591:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/ClientVpn/ProductionAuthorization
    Properties:
      AuthorizeAllGroups: true
      ClientVpnEndpointId:
        Ref: ClientVpnclientVpnEndpoint53D29AAC
      Description: Allows VPN users access to Production VPC
      TargetNetworkCidr:
        Fn::GetAtt:
          - VpcCoreProductionD971AE3A
          - CidrBlock
    Type: AWS::EC2::ClientVpnAuthorizationRule
  ClientVpnVpnCertificateLambdaCustomResourceRole042AF384:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/ClientVpn/VpnCertificateLambdaCustomResourceRole/Resource
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
        Version: '2012-10-17'
      ManagedPolicyArns:
        - Fn::Join:
            - ''
            - - 'arn:'
              - Ref: AWS::Partition
              - :iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
        - Fn::Join:
            - ''
            - - 'arn:'
              - Ref: AWS::Partition
              - :iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
    Type: AWS::IAM::Role
  ClientVpnVpnCertificateLambdaCustomResourceRoleDefaultPolicyBC6B56F1:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/ClientVpn/VpnCertificateLambdaCustomResourceRole/DefaultPolicy/Resource
      cfn-lint:
        config:
          ignore_checks:
            - EIAMPolicyWildcardResource
            - EIAMPolicyActionWildcard
          ignore_reasons:
            EIAMPolicyActionWildcard: The policy action wildcards in this policy are generated by the AWS CDK, which the developers of this Quick Start have no control over.
            EIAMPolicyWildcardResource: This particular role gives permission to a custom resource to create a certificate. We cannot provide a specific certificate ARN at deployment time as it does not yet exist.
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - acm:ImportCertificate
              - acm:DeleteCertificate
            Effect: Allow
            Resource: '*'
          - Action:
              - s3:GetObject*
              - s3:GetBucket*
              - s3:List*
              - s3:DeleteObject*
              - s3:PutObject*
              - s3:Abort*
            Effect: Allow
            Resource:
              - Fn::GetAtt:
                  - ClientVpnVpnConfigBucketF2E04B98
                  - Arn
              - Fn::Join:
                  - ''
                  - - Fn::GetAtt:
                        - ClientVpnVpnConfigBucketF2E04B98
                        - Arn
                    - /*
          - Action: sqs:SendMessage
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - SingletonLambdaCreateVpnCertificateLambdaDeadLetterQueueFFAC7F20
                - Arn
        Version: '2012-10-17'
      PolicyName: ClientVpnVpnCertificateLambdaCustomResourceRoleDefaultPolicyBC6B56F1
      Roles:
        - Ref: ClientVpnVpnCertificateLambdaCustomResourceRole042AF384
    Type: AWS::IAM::Policy
  ClientVpnVpnConfigBucketF2E04B98:
    DeletionPolicy: Retain
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/ClientVpn/VpnConfigBucket/Resource
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      # No DestinationBucketName: server access logs are written into this same bucket.
      # No PublicAccessBlockConfiguration is set on this bucket either.
      LoggingConfiguration:
        LogFilePrefix: vpnBucketAccessLogs/
      VersioningConfiguration:
        Status: Enabled
    Type: AWS::S3::Bucket
    UpdateReplacePolicy: Retain
  ClientVpnVpnUsersSG5BB5DCBE:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/ClientVpn/VpnUsersSG/Resource
    Properties:
      GroupDescription: Security group associated with VPN users accessing the network through the Client VPN Endpoint in the management VPC.
      GroupName: VpnUsersSG
      SecurityGroupEgress:
        - CidrIp: 0.0.0.0/0
          Description: Allow all outbound traffic by default
          IpProtocol: '-1'
      VpcId:
        Ref: VpcCoreManagment030DB556
    Type: AWS::EC2::SecurityGroup
  ClientVpnclientVpnEndpoint53D29AAC:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/ClientVpn/clientVpnEndpoint
    Properties:
      AuthenticationOptions:
        - MutualAuthentication:
            ClientRootCertificateChainArn:
              Ref: ClientVpnvpnCertificate550A99D6
          Type: certificate-authentication
      ClientCidrBlock: 10.71.0.0/16
      ConnectionLogOptions:
        CloudwatchLogGroup:
          Ref: ClientVpnClientVpnAccessLogGroup8491CD05
        CloudwatchLogStream:
          Ref: ClientVpnClientVpnAccessLogStream5480C352
        Enabled: true
      Description: Internal VPN Endpoint
      DnsServers:
        - 10.70.0.2
      SecurityGroupIds:
        - Fn::GetAtt:
            - ClientVpnVpnUsersSG5BB5DCBE
            - GroupId
      ServerCertificateArn:
        Ref: ClientVpnvpnCertificate550A99D6
      SplitTunnel: true
      VpcId:
        Ref: VpcCoreManagment030DB556
    Type: AWS::EC2::ClientVpnEndpoint
  ClientVpnvpnCertificate550A99D6:
    DeletionPolicy: Delete
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/ClientVpn/vpnCertificate/Default
    Properties:
      ServiceToken:
        Fn::GetAtt:
          - ClientVpnvpnCertificateProviderframeworkonEvent3C19EA05
          - Arn
      VpnConfigBucket:
        Fn::Join:
          - ''
          - - 's3://'
            - Ref: ClientVpnVpnConfigBucketF2E04B98
            - /
    Type: AWS::CloudFormation::CustomResource
    UpdateReplacePolicy: Delete
  ClientVpnvpnCertificateProviderframeworkonEvent3C19EA05:
    DependsOn:
      - ClientVpnvpnCertificateProviderframeworkonEventServiceRoleDefaultPolicyE25CE498
      - ClientVpnvpnCertificateProviderframeworkonEventServiceRole60471AD0
    Metadata:
      aws:asset:is-bundled: false
      aws:asset:path: asset.7ef22dac3421fb2d25175b3386053dbc5bdc110e87cbd58600263bf70a6324cd
      aws:asset:property: Code
      aws:cdk:path: AwsBiotechBlueprint/ClientVpn/vpnCertificateProvider/framework-onEvent/Resource
    Properties:
      Code:
        S3Bucket:
          Ref: AssetParameters7ef22dac3421fb2d25175b3386053dbc5bdc110e87cbd58600263bf70a6324cdS3BucketA00C8555
        S3Key:
          Fn::Join:
            - ''
            - - Fn::Select:
                  - 0
                  - Fn::Split:
                      - '||'
                      - Ref: AssetParameters7ef22dac3421fb2d25175b3386053dbc5bdc110e87cbd58600263bf70a6324cdS3VersionKey27C92598
              - Fn::Select:
                  - 1
                  - Fn::Split:
                      - '||'
                      - Ref: AssetParameters7ef22dac3421fb2d25175b3386053dbc5bdc110e87cbd58600263bf70a6324cdS3VersionKey27C92598
      Description: AWS CDK resource provider framework - onEvent (AwsBiotechBlueprint/ClientVpn/vpnCertificateProvider)
      Environment:
        Variables:
          USER_ON_EVENT_FUNCTION_ARN:
            Fn::GetAtt:
              - SingletonLambdaCreateVpnCertificateLambda14FF3DCC
              - Arn
      Handler: framework.onEvent
      Role:
        Fn::GetAtt:
          - ClientVpnvpnCertificateProviderframeworkonEventServiceRole60471AD0
          - Arn
      # nodejs12.x has reached end of support in Lambda; move to a current Node.js runtime before redeploying.
      Runtime: nodejs12.x
      Timeout: 900
    Type: AWS::Lambda::Function
  ClientVpnvpnCertificateProviderframeworkonEventServiceRole60471AD0:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/ClientVpn/vpnCertificateProvider/framework-onEvent/ServiceRole/Resource
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
        Version: '2012-10-17'
      ManagedPolicyArns:
        - Fn::Join:
            - ''
            - - 'arn:'
              - Ref: AWS::Partition
              - :iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
    Type: AWS::IAM::Role
  ClientVpnvpnCertificateProviderframeworkonEventServiceRoleDefaultPolicyE25CE498:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/ClientVpn/vpnCertificateProvider/framework-onEvent/ServiceRole/DefaultPolicy/Resource
    Properties:
      PolicyDocument:
        Statement:
          - Action: lambda:InvokeFunction
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - SingletonLambdaCreateVpnCertificateLambda14FF3DCC
                - Arn
        Version: '2012-10-17'
      PolicyName: ClientVpnvpnCertificateProviderframeworkonEventServiceRoleDefaultPolicyE25CE498
      Roles:
        - Ref: ClientVpnvpnCertificateProviderframeworkonEventServiceRole60471AD0
    Type: AWS::IAM::Policy
  ConfigEnabledPromiseConfigBucket2F967063:
    DeletionPolicy: Retain
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/ConfigEnabledPromise/ConfigBucket/Resource
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      # No DestinationBucketName: server access logs are written into this same bucket.
      # No PublicAccessBlockConfiguration is set on this bucket either.
      LoggingConfiguration:
        LogFilePrefix: ConfigBucketAccessLogs/
      VersioningConfiguration:
        Status: Enabled
    Type: AWS::S3::Bucket
    UpdateReplacePolicy: Retain
  ConfigEnabledPromiseConfigBucketPolicy2B9A439D:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/ConfigEnabledPromise/ConfigBucket/Policy/Resource
    Properties:
      Bucket:
        Ref: ConfigEnabledPromiseConfigBucket2F967063
      PolicyDocument:
        Statement:
          - Action: s3:GetBucketAcl
            Effect: Allow
            Principal:
              AWS:
                Fn::Join:
                  - ''
                  - - 'arn:aws:iam::'
                    - Ref: AWS::AccountId
                    - :role/aws-service-role/config-conforms.amazonaws.com/AWSServiceRoleForConfigConforms
            Resource:
              Fn::Join:
                - ''
                - - 'arn:aws:s3:::'
                  - Ref: ConfigEnabledPromiseConfigBucket2F967063
            Sid: AWSConfigConformsBucketPermissionsCheck
          - Action: s3:PutObject
            Condition:
              StringEquals:
                s3:x-amz-acl: bucket-owner-full-control
            Effect: Allow
            Principal:
              AWS:
                Fn::Join:
                  - ''
                  - - 'arn:aws:iam::'
                    - Ref: AWS::AccountId
                    - :role/aws-service-role/config-conforms.amazonaws.com/AWSServiceRoleForConfigConforms
            Resource:
              Fn::Join:
                - ''
                - - 'arn:aws:s3:::'
                  - Ref: ConfigEnabledPromiseConfigBucket2F967063
                  - /*
            Sid: AWSConfigConformsBucketDelivery
          - Action: s3:GetObject
            Effect: Allow
            Principal:
              AWS:
                Fn::Join:
                  - ''
                  - - 'arn:aws:iam::'
                    - Ref: AWS::AccountId
                    - :role/aws-service-role/config-conforms.amazonaws.com/AWSServiceRoleForConfigConforms
            Resource:
              Fn::Join:
                - ''
                - - 'arn:aws:s3:::'
                  - Ref: ConfigEnabledPromiseConfigBucket2F967063
                  - /*
            Sid: AWSConfigConformsBucketReadAccess
        Version: '2012-10-17'
    Type: AWS::S3::BucketPolicy
  ConfigEnabledPromiseConfigDeliveryChannel84DA8CB8:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/ConfigEnabledPromise/ConfigDeliveryChannel
    Properties:
      Name: BlueprintConfigDeliveryChannel
      S3BucketName:
        Ref: ConfigEnabledPromiseConfigBucket2F967063
    Type: AWS::Config::DeliveryChannel
  ConfigEnabledPromiseConfigRecorder0A75B039:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/ConfigEnabledPromise/ConfigRecorder
    Properties:
      Name: BlueprintConfigRecorder
      RecordingGroup:
        AllSupported: true
        IncludeGlobalResourceTypes: true
      RoleARN:
        Fn::GetAtt:
          - ConfigEnabledPromiseConfigRecorderRoleFC6F886B
          - Arn
    Type: AWS::Config::ConfigurationRecorder
  ConfigEnabledPromiseConfigRecorderRoleFC6F886B:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/ConfigEnabledPromise/ConfigRecorderRole/Resource
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: config.amazonaws.com
        Version: '2012-10-17'
      ManagedPolicyArns:
        # AWSConfigRole is deprecated by AWS; the replacement managed policy is service-role/AWS_ConfigRole.
        - Fn::Join:
            - ''
            - - 'arn:'
              - Ref: AWS::Partition
              - :iam::aws:policy/service-role/AWSConfigRole
      Policies:
        - PolicyDocument:
            Statement:
              - Action: s3:PutObject
                Condition:
                  StringLike:
                    s3:x-amz-acl: bucket-owner-full-control
                Effect: Allow
                Resource:
                  Fn::Join:
                    - ''
                    - - 'arn:aws:s3:::'
                      - Ref: ConfigEnabledPromiseConfigBucket2F967063
                      - /*
              - Action: s3:GetBucketAcl
                Effect: Allow
                Resource:
                  Fn::Join:
                    - ''
                    - - 'arn:aws:s3:::'
                      - Ref: ConfigEnabledPromiseConfigBucket2F967063
            Version: '2012-10-17'
          PolicyName: configRecorderS3Access
    Type: AWS::IAM::Role
  ConfigPacksCPAWSControlTowerDetectiveGuardrailsConformancePack9184C90A:
    DependsOn:
      - ConfigEnabledPromiseConfigRecorder0A75B039
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/ConfigPacks/CP-AWS-Control-Tower-Detective-Guardrails-Conformance-Pack
    Properties:
      ConformancePackInputParameters: []
      ConformancePackName: AWS-Control-Tower-Detective-Guardrails-Conformance-Pack
      DeliveryS3Bucket:
        Ref: ConfigEnabledPromiseConfigBucket2F967063
      DeliveryS3KeyPrefix: AWS-Control-Tower-Detective-Guardrails-Conformance-Pack
      TemplateBody: |
        ###################################################################################
        #
        # Conformance Pack:
        #   AWS Control Tower Detective Guardrails Conformance Pack
        #
        # The AWS Control Tower detective guardrails conformance pack contains all of the
        # AWS Config Rules based guardrails from AWS Control Tower. Use this conformance
        # pack to apply AWS Control Tower detective guardrails to your existing accounts
        # prior to enrolling them in AWS Control Tower or to manage resources in your
        # accounts in regions not currently supported by AWS Control Tower.
        ###################################################################################

        Resources:
          CheckForEbsOptimizedInstance:
            Type: AWS::Config::ConfigRule
            Properties:
              ConfigRuleName: CheckForEbsOptimizedInstance
              Description: Disallow launch of EC2 instance types that are not EBS-optimized - Checks whether EBS optimization is enabled for your EC2 instances that can be EBS-optimized
              Source:
                Owner: AWS
                SourceIdentifier: EBS_OPTIMIZED_INSTANCE
              Scope:
                ComplianceResourceTypes:
                  - AWS::EC2::Instance
          CheckForEc2VolumesInUse:
            Type: AWS::Config::ConfigRule
            Properties:
              ConfigRuleName: CheckForEc2VolumesInUse
              Description: Disallow EBS volumes that are unattached to an EC2 instance - Checks whether EBS volumes are attached to EC2 instances
              InputParameters:
                deleteOnTermination: true
              Source:
                Owner: AWS
                SourceIdentifier: EC2_VOLUME_INUSE_CHECK
              Scope:
                ComplianceResourceTypes:
                  - AWS::EC2::Volume
          CheckForEncryptedVolumes:
            Type: AWS::Config::ConfigRule
            Properties:
              ConfigRuleName: CheckForEncryptedVolumes
              Description: Enable encryption for EBS volumes attached to EC2 instances - Checks whether EBS volumes that are in an attached state are encrypted.
              Source:
                Owner: AWS
                SourceIdentifier: ENCRYPTED_VOLUMES
              Scope:
                ComplianceResourceTypes:
                  - AWS::EC2::Volume
          CheckForIAMUserMFA:
            Type: AWS::Config::ConfigRule
            Properties:
              ConfigRuleName: CheckForIAMUserMFA
              Description: Disallow access to IAM users without MFA - Checks whether the AWS Identity and Access Management users have multi-factor authentication (MFA) enabled. The rule is COMPLIANT if MFA is enabled.
              Source:
                Owner: AWS
                SourceIdentifier: IAM_USER_MFA_ENABLED
              MaximumExecutionFrequency: One_Hour
          CheckForIAMUserConsoleMFA:
            Type: AWS::Config::ConfigRule
            Properties:
              ConfigRuleName: CheckForIAMUserConsoleMFA
              Description: Disallow console access to IAM users without MFA - Checks whether AWS Multi-Factor Authentication (MFA) is enabled for all AWS Identity and Access Management (IAM) users that use a console password. The rule is COMPLIANT if MFA is enabled.
              Source:
                Owner: AWS
                SourceIdentifier: MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS
              MaximumExecutionFrequency: One_Hour
          CheckForRdsPublicAccess:
            Type: AWS::Config::ConfigRule
            Properties:
              ConfigRuleName: CheckForRdsPublicAccess
              Description: Disallow public access to RDS database instances - Checks whether the Amazon Relational Database Service (RDS) instances are not publicly accessible. The rule is non-compliant if the publiclyAccessible field is true in the instance configuration item.
              Source:
                Owner: AWS
                SourceIdentifier: RDS_INSTANCE_PUBLIC_ACCESS_CHECK
              Scope:
                ComplianceResourceTypes:
                  - AWS::RDS::DBInstance
          CheckForPublicRdsSnapshots:
            Type: AWS::Config::ConfigRule
            Properties:
              ConfigRuleName: CheckForPublicRdsSnapshots
              Description: Disallow public access to RDS database snapshots - Checks if Amazon Relational Database Service (Amazon RDS) snapshots are public. The rule is non-compliant if any existing and new Amazon RDS snapshots are public.
              Source:
                Owner: AWS
                SourceIdentifier: RDS_SNAPSHOTS_PUBLIC_PROHIBITED
              Scope:
                ComplianceResourceTypes:
                  - AWS::RDS::DBSnapshot
          CheckForRdsStorageEncryption:
            Type: AWS::Config::ConfigRule
            Properties:
              ConfigRuleName: CheckForRdsStorageEncryption
              Description: Disallow RDS database instances that are not storage encrypted - Checks whether storage encryption is enabled for your RDS DB instances.
              Source:
                Owner: AWS
                SourceIdentifier: RDS_STORAGE_ENCRYPTED
              Scope:
                ComplianceResourceTypes:
                  - AWS::RDS::DBInstance
          CheckForRestrictedCommonPortsPolicy:
            Type: AWS::Config::ConfigRule
            Properties:
              ConfigRuleName: CheckForRestrictedCommonPortsPolicy
              Description: Disallow internet connection through RDP - Checks whether security groups that are in use disallow unrestricted incoming TCP traffic to the specified ports.
              InputParameters:
                blockedPort1: 20
                blockedPort2: 21
                blockedPort3: 3389
                blockedPort4: 3306
                blockedPort5: 4333
              Scope:
                ComplianceResourceTypes:
                  - AWS::EC2::SecurityGroup
              Source:
                Owner: AWS
                SourceIdentifier: RESTRICTED_INCOMING_TRAFFIC
          CheckForRestrictedSshPolicy:
            Type: AWS::Config::ConfigRule
            Properties:
              ConfigRuleName: CheckForRestrictedSshPolicy
              Description: Disallow internet connection through SSH - Checks whether security groups that are in use disallow unrestricted incoming SSH traffic.
              Scope:
                ComplianceResourceTypes:
                  - AWS::EC2::SecurityGroup
              Source:
                Owner: AWS
                SourceIdentifier: INCOMING_SSH_DISABLED
          CheckForRootMfa:
            Type: AWS::Config::ConfigRule
            Properties:
              ConfigRuleName: CheckForRootMfa
              Description: Enable MFA for the root user - Checks whether the root user of your AWS account requires multi-factor authentication for console sign-in.
              Source:
                Owner: AWS
                SourceIdentifier: ROOT_ACCOUNT_MFA_ENABLED
              MaximumExecutionFrequency: One_Hour
          CheckForS3PublicRead:
            Type: AWS::Config::ConfigRule
            Properties:
              ConfigRuleName: CheckForS3PublicRead
              Description: Disallow public read access to S3 buckets - Checks that your S3 buckets do not allow public read access. If an S3 bucket policy or bucket ACL allows public read access, the bucket is noncompliant.
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED
              Scope:
                ComplianceResourceTypes:
                  - AWS::S3::Bucket
          CheckForS3PublicWrite:
            Type: AWS::Config::ConfigRule
            Properties:
              ConfigRuleName: CheckForS3PublicWrite
              Description: Disallow public write access to S3 buckets - Checks that your S3 buckets do not allow public write access. If an S3 bucket policy or bucket ACL allows public write access, the bucket is noncompliant.
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_PUBLIC_WRITE_PROHIBITED
              Scope:
                ComplianceResourceTypes:
                  - AWS::S3::Bucket
          CheckForS3VersioningEnabled:
            Type: AWS::Config::ConfigRule
            Properties:
              ConfigRuleName: CheckForS3VersioningEnabled
              Description: Disallow S3 buckets that are not versioning enabled - Checks whether versioning is enabled for your S3 buckets.
              Source:
                Owner: AWS
                SourceIdentifier: S3_BUCKET_VERSIONING_ENABLED
              Scope:
                ComplianceResourceTypes:
                  - AWS::S3::Bucket
    Type: AWS::Config::ConformancePack
  ConfigPacksCPOperationalBestPracticesForAWSIdentityAndAccessManagement7100FE82:
    DependsOn:
      - ConfigEnabledPromiseConfigRecorder0A75B039
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/ConfigPacks/CP-Operational-Best-Practices-For-AWS-Identity-And-Access-Management
    Properties:
      ConformancePackInputParameters: []
      ConformancePackName: Operational-Best-Practices-For-AWS-Identity-And-Access-Management
      DeliveryS3Bucket:
        Ref: ConfigEnabledPromiseConfigBucket2F967063
      DeliveryS3KeyPrefix: Operational-Best-Practices-For-AWS-Identity-And-Access-Management
      TemplateBody: |
        ################################################################################
        #
        # Conformance Pack:
        #   Operational Best Practices for AWS Identity and Access Management
        #
        # See Parameters section for names and descriptions of required parameters.
        #
        ################################################################################

        Parameters:
          AccessKeysRotatedParameterMaxAccessKeyAge:
            Description: Maximum number of days without rotation. Default 90.
            Type: String
            Default: 90
          IAMUserUnusedCredentialsCheckParameterMaxCredentialUsageAge:
            Description: Maximum number of days a credential cannot be used. The default value is 90 days.
            Type: String
            Default: 90
        Resources:
          AccessKeysRotated:
            Properties:
              ConfigRuleName: AccessKeysRotated
              Description: Checks whether the active access keys are rotated within the number of days specified in maxAccessKeyAge. The rule is non-compliant if the access keys have not been rotated for more than maxAccessKeyAge number of days.
              InputParameters:
                maxAccessKeyAge:
                  Ref: AccessKeysRotatedParameterMaxAccessKeyAge
              Source:
                Owner: AWS
                SourceIdentifier: ACCESS_KEYS_ROTATED
            Type: AWS::Config::ConfigRule
          IAMGroupHasUsersCheck:
            Properties:
              ConfigRuleName: IAMGroupHasUsersCheck
              Description: Checks whether IAM groups have at least one IAM user.
              Source:
                Owner: AWS
                SourceIdentifier: IAM_GROUP_HAS_USERS_CHECK
            Type: AWS::Config::ConfigRule
          IAMPasswordPolicy:
            Properties:
              ConfigRuleName: IAMPasswordPolicy
              Description: Checks whether the account password policy for IAM users meets the specified requirements.
              Source:
                Owner: AWS
                SourceIdentifier: IAM_PASSWORD_POLICY
            Type: AWS::Config::ConfigRule
          IAMPolicyNoStatementsWithAdminAccess:
            Properties:
              ConfigRuleName: IAMPolicyNoStatementsWithAdminAccess
              Description: 'Checks whether the default version of AWS Identity and Access Management (IAM) policies do not have administrator access. If any statement has "Effect": "Allow" with "Action": "*" over "Resource": "*", the rule is non-compliant.'
              Source:
                Owner: AWS
                SourceIdentifier: IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS
            Type: AWS::Config::ConfigRule
          IAMRootAccessKeyCheck:
            Properties:
              ConfigRuleName: IAMRootAccessKeyCheck
              Description: Checks whether the root user access key is available. The rule is compliant if the user access key does not exist.
              Source:
                Owner: AWS
                SourceIdentifier: IAM_ROOT_ACCESS_KEY_CHECK
            Type: AWS::Config::ConfigRule
          IAMUserGroupMembershipCheck:
            Properties:
              ConfigRuleName: IAMUserGroupMembershipCheck
              Description: Checks whether IAM users are members of at least one IAM group.
              Source:
                Owner: AWS
                SourceIdentifier: IAM_USER_GROUP_MEMBERSHIP_CHECK
            Type: AWS::Config::ConfigRule
          IAMUserMFAEnabled:
            Properties:
              ConfigRuleName: IAMUserMFAEnabled
              Description: Checks whether the AWS Identity and Access Management users have multi-factor authentication (MFA) enabled.
              Source:
                Owner: AWS
                SourceIdentifier: IAM_USER_MFA_ENABLED
            Type: AWS::Config::ConfigRule
          IAMUserNoPoliciesCheck:
            Properties:
              ConfigRuleName: IAMUserNoPoliciesCheck
              Description: Checks that none of your IAM users have policies attached. IAM users must inherit permissions from IAM groups or roles.
              Source:
                Owner: AWS
                SourceIdentifier: IAM_USER_NO_POLICIES_CHECK
            Type: AWS::Config::ConfigRule
          IAMUserUnusedCredentialsCheck:
            Properties:
              ConfigRuleName: IAMUserUnusedCredentialsCheck
              Description: Checks whether your AWS Identity and Access Management (IAM) users have passwords or active access keys that have not been used within the specified number of days you provided.
              InputParameters:
                maxCredentialUsageAge:
                  Ref: IAMUserUnusedCredentialsCheckParameterMaxCredentialUsageAge
              Source:
                Owner: AWS
                SourceIdentifier: IAM_USER_UNUSED_CREDENTIALS_CHECK
            Type: AWS::Config::ConfigRule
          MFAEnabledForIAMConsoleAccess:
            Properties:
              ConfigRuleName: MFAEnabledForIAMConsoleAccess
              Description: Checks whether AWS Multi-Factor Authentication (MFA) is enabled for all AWS Identity and Access Management (IAM) users that use a console password.
The rule is compliant if MFA is\ \ enabled.\n Source:\n Owner: AWS\n SourceIdentifier:\ \ MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS\n Type: AWS::Config::ConfigRule\n\ \ RootAccountHardwareMFAEnabled:\n Properties:\n ConfigRuleName:\ \ RootAccountHardwareMFAEnabled\n Description: Checks whether your\ \ AWS account is enabled to use multi-factor\n authentication (MFA)\ \ hardware device to sign in with root credentials.\n Source:\n \ \ Owner: AWS\n SourceIdentifier: ROOT_ACCOUNT_HARDWARE_MFA_ENABLED\n\ \ Type: AWS::Config::ConfigRule\n RootAccountMFAEnabled:\n Properties:\n\ \ ConfigRuleName: RootAccountMFAEnabled\n Description: Checks\ \ whether the root user of your AWS account requires multi-factor\n \ \ authentication for console sign-in.\n Source:\n Owner:\ \ AWS\n SourceIdentifier: ROOT_ACCOUNT_MFA_ENABLED\n Type: AWS::Config::ConfigRule" Type: AWS::Config::ConformancePack ConfigPacksCPOperationalBestPracticesForAmazonS30892D47D: DependsOn: - ConfigEnabledPromiseConfigRecorder0A75B039 Metadata: aws:cdk:path: AwsBiotechBlueprint/ConfigPacks/CP-Operational-Best-Practices-For-Amazon-S3 Properties: ConformancePackInputParameters: [] ConformancePackName: Operational-Best-Practices-For-Amazon-S3 DeliveryS3Bucket: Ref: ConfigEnabledPromiseConfigBucket2F967063 DeliveryS3KeyPrefix: Operational-Best-Practices-For-Amazon-S3 TemplateBody: "###############################################################################################\n\ #\n# Conformance Pack:\n# Operational Best Practices for Amazon S3\n\ #\n# This pack contains AWS Config rules based on the best practice guidelines\ \ for Amazon S3.\n#\n###############################################################################################\n\ \nResources:\n S3BucketPublicReadProhibited:\n Type: AWS::Config::ConfigRule\n\ \ Properties:\n ConfigRuleName: S3BucketPublicReadProhibited\n\ \ Description: >- \n Checks that your Amazon S3 buckets do\ \ not allow public read access.\n The rule checks the Block Public\ \ Access 
settings, the bucket policy, and the\n bucket access control\ \ list (ACL).\n Scope:\n ComplianceResourceTypes:\n \ \ - \"AWS::S3::Bucket\"\n Source:\n Owner: AWS\n \ \ SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED\n MaximumExecutionFrequency:\ \ Six_Hours\n S3BucketPublicWriteProhibited: \n Type: \"AWS::Config::ConfigRule\"\ \n Properties: \n ConfigRuleName: S3BucketPublicWriteProhibited\n\ \ Description: \"Checks that your Amazon S3 buckets do not allow public\ \ write access. The rule checks the Block Public Access settings, the bucket\ \ policy, and the bucket access control list (ACL).\"\n Scope: \n \ \ ComplianceResourceTypes: \n - \"AWS::S3::Bucket\"\n \ \ Source: \n Owner: AWS\n SourceIdentifier: S3_BUCKET_PUBLIC_WRITE_PROHIBITED\n\ \ MaximumExecutionFrequency: Six_Hours\n S3BucketReplicationEnabled:\ \ \n Type: \"AWS::Config::ConfigRule\"\n Properties: \n ConfigRuleName:\ \ S3BucketReplicationEnabled\n Description: \"Checks whether the Amazon\ \ S3 buckets have cross-region replication enabled.\"\n Scope: \n \ \ ComplianceResourceTypes: \n - \"AWS::S3::Bucket\"\n \ \ Source: \n Owner: AWS\n SourceIdentifier: S3_BUCKET_REPLICATION_ENABLED\n\ \ S3BucketSSLRequestsOnly: \n Type: \"AWS::Config::ConfigRule\"\n\ \ Properties: \n ConfigRuleName: S3BucketSSLRequestsOnly\n \ \ Description: \"Checks whether S3 buckets have policies that require\ \ requests to use Secure Socket Layer (SSL).\"\n Scope: \n \ \ ComplianceResourceTypes: \n - \"AWS::S3::Bucket\"\n Source:\ \ \n Owner: AWS\n SourceIdentifier: S3_BUCKET_SSL_REQUESTS_ONLY\n\ \ ServerSideReplicationEnabled: \n Type: \"AWS::Config::ConfigRule\"\ \n Properties: \n ConfigRuleName: ServerSideReplicationEnabled\n\ \ Description: \"Checks that your Amazon S3 bucket either has S3 default\ \ encryption enabled or that the S3 bucket policy explicitly denies put-object\ \ requests without server side encryption.\"\n Scope: \n ComplianceResourceTypes:\ \ \n - \"AWS::S3::Bucket\"\n Source: \n Owner: AWS\n\ \ 
SourceIdentifier: S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED\n \ \ S3BucketLoggingEnabled: \n Type: \"AWS::Config::ConfigRule\"\n \ \ Properties: \n ConfigRuleName: S3BucketLoggingEnabled\n \ \ Description: \"Checks whether logging is enabled for your S3 buckets.\"\n\ \ Scope: \n ComplianceResourceTypes: \n - \"AWS::S3::Bucket\"\ \n Source: \n Owner: AWS\n SourceIdentifier: S3_BUCKET_LOGGING_ENABLED" Type: AWS::Config::ConformancePack ConfigPacksCPOperationalBestPracticesforHIPAASecurity01583019: DependsOn: - ConfigEnabledPromiseConfigRecorder0A75B039 Metadata: aws:cdk:path: AwsBiotechBlueprint/ConfigPacks/CP-Operational-Best-Practices-for-HIPAA-Security cfn-lint: config: ignore_checks: - E9101 ignore_reasons: E9101: The references to master in this resource refer to EMR service naming. Until the EMR service changes its usage of the term, this needs to be an exception. Properties: ConformancePackInputParameters: [] ConformancePackName: Operational-Best-Practices-for-HIPAA-Security DeliveryS3Bucket: Ref: ConfigEnabledPromiseConfigBucket2F967063 DeliveryS3KeyPrefix: Operational-Best-Practices-for-HIPAA-Security TemplateBody: "##################################################################################\n\ #\n# Conformance Pack:\n# Operational Best Practices for HIPAA Security\n\ #\n# This conformance pack helps verify compliance with HIPAA Security requirements.\n\ #\n# See Parameters section for names and descriptions of required parameters.\ \ \n#\n##################################################################################\n\ \nParameters:\n AccessKeysRotatedParamMaxAccessKeyAge:\n Default: '90'\n\ \ Type: String\n CloudwatchAlarmActionCheckParamInsufficientDataActionRequired:\n\ \ Default: 'TRUE'\n Type: String\n CloudwatchAlarmActionCheckParamOkActionRequired:\n\ \ Default: 'FALSE'\n Type: String\n DynamodbThroughputLimitCheckParamAccountRCUThresholdPercentage:\n\ \ Default: '80'\n Type: String\n 
DynamodbThroughputLimitCheckParamAccountWCUThresholdPercentage:\n\ \ Default: '80'\n Type: String\n GuarddutyNonArchivedFindingsParamDaysHighSev:\n\ \ Default: '1'\n Type: String\n GuarddutyNonArchivedFindingsParamDaysLowSev:\n\ \ Default: '30'\n Type: String\n GuarddutyNonArchivedFindingsParamDaysMediumSev:\n\ \ Default: '7'\n Type: String\n IamPasswordPolicyParamMaxPasswordAge:\n\ \ Default: '90'\n Type: String\n IamPasswordPolicyParamMinimumPasswordLength:\n\ \ Default: '14'\n Type: String\n IamPasswordPolicyParamPasswordReusePrevention:\n\ \ Default: '24'\n Type: String\n IamPasswordPolicyParamRequireLowercaseCharacters:\n\ \ Default: 'TRUE'\n Type: String\n IamPasswordPolicyParamRequireNumbers:\n\ \ Default: 'TRUE'\n Type: String\n IamPasswordPolicyParamRequireSymbols:\n\ \ Default: 'TRUE'\n Type: String\n IamPasswordPolicyParamRequireUppercaseCharacters:\n\ \ Default: 'TRUE'\n Type: String\n IamUserUnusedCredentialsCheckParamMaxCredentialUsageAge:\n\ \ Default: '90'\n Type: String\n InternetGatewayAuthorizedVpcOnlyParamAuthorizedVpcIds:\n\ \ Default: ' '\n Type: String\n RestrictedIncomingTrafficParamBlockedPort1:\n\ \ Default: '20'\n Type: String\n RestrictedIncomingTrafficParamBlockedPort2:\n\ \ Default: '21'\n Type: String\n RestrictedIncomingTrafficParamBlockedPort3:\n\ \ Default: '3389'\n Type: String\n RestrictedIncomingTrafficParamBlockedPort4:\n\ \ Default: '3306'\n Type: String\n RestrictedIncomingTrafficParamBlockedPort5:\n\ \ Default: '4333'\n Type: String\n S3AccountLevelPublicAccessBlocksParamBlockPublicAcls:\n\ \ Default: 'True'\n Type: String\n S3AccountLevelPublicAccessBlocksParamBlockPublicPolicy:\n\ \ Default: 'True'\n Type: String\n S3AccountLevelPublicAccessBlocksParamIgnorePublicAcls:\n\ \ Default: 'True'\n Type: String\n S3AccountLevelPublicAccessBlocksParamRestrictPublicBuckets:\n\ \ Default: 'True'\n Type: String\nResources:\n AccessKeysRotated:\n\ \ Properties:\n ConfigRuleName: access-keys-rotated\n InputParameters:\n\ \ 
maxAccessKeyAge:\n Fn::If:\n - accessKeysRotatedParamMaxAccessKeyAge\n\ \ - Ref: AccessKeysRotatedParamMaxAccessKeyAge\n - Ref:\ \ AWS::NoValue\n Source:\n Owner: AWS\n SourceIdentifier:\ \ ACCESS_KEYS_ROTATED\n Type: AWS::Config::ConfigRule\n AlbHttpToHttpsRedirectionCheck:\n\ \ Properties:\n ConfigRuleName: alb-http-to-https-redirection-check\n\ \ Source:\n Owner: AWS\n SourceIdentifier: ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK\n\ \ Type: AWS::Config::ConfigRule\n ApiGwCacheEnabledAndEncrypted:\n \ \ Properties:\n ConfigRuleName: api-gw-cache-enabled-and-encrypted\n\ \ Scope:\n ComplianceResourceTypes:\n - AWS::ApiGateway::Stage\n\ \ Source:\n Owner: AWS\n SourceIdentifier: API_GW_CACHE_ENABLED_AND_ENCRYPTED\n\ \ Type: AWS::Config::ConfigRule\n ApiGwExecutionLoggingEnabled:\n Properties:\n\ \ ConfigRuleName: api-gw-execution-logging-enabled\n Scope:\n \ \ ComplianceResourceTypes:\n - AWS::ApiGateway::Stage\n \ \ - AWS::ApiGatewayV2::Stage\n Source:\n Owner: AWS\n \ \ SourceIdentifier: API_GW_EXECUTION_LOGGING_ENABLED\n Type: AWS::Config::ConfigRule\n\ \ AutoscalingGroupElbHealthcheckRequired:\n Properties:\n ConfigRuleName:\ \ autoscaling-group-elb-healthcheck-required\n Scope:\n ComplianceResourceTypes:\n\ \ - AWS::AutoScaling::AutoScalingGroup\n Source:\n Owner:\ \ AWS\n SourceIdentifier: AUTOSCALING_GROUP_ELB_HEALTHCHECK_REQUIRED\n\ \ Type: AWS::Config::ConfigRule\n CloudTrailCloudWatchLogsEnabled:\n \ \ Properties:\n ConfigRuleName: cloud-trail-cloud-watch-logs-enabled\n\ \ Source:\n Owner: AWS\n SourceIdentifier: CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED\n\ \ Type: AWS::Config::ConfigRule\n CloudTrailEnabled:\n Properties:\n\ \ ConfigRuleName: cloudtrail-enabled\n Source:\n Owner: AWS\n\ \ SourceIdentifier: CLOUD_TRAIL_ENABLED\n Type: AWS::Config::ConfigRule\n\ \ CloudTrailEncryptionEnabled:\n Properties:\n ConfigRuleName: cloud-trail-encryption-enabled\n\ \ Source:\n Owner: AWS\n SourceIdentifier: CLOUD_TRAIL_ENCRYPTION_ENABLED\n\ \ Type: AWS::Config::ConfigRule\n 
CloudTrailLogFileValidationEnabled:\n\ \ Properties:\n ConfigRuleName: cloud-trail-log-file-validation-enabled\n\ \ Source:\n Owner: AWS\n SourceIdentifier: CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED\n\ \ Type: AWS::Config::ConfigRule\n CloudtrailS3DataeventsEnabled:\n \ \ Properties:\n ConfigRuleName: cloudtrail-s3-dataevents-enabled\n \ \ Source:\n Owner: AWS\n SourceIdentifier: CLOUDTRAIL_S3_DATAEVENTS_ENABLED\n\ \ Type: AWS::Config::ConfigRule\n CloudwatchAlarmActionCheck:\n Properties:\n\ \ ConfigRuleName: cloudwatch-alarm-action-check\n InputParameters:\n\ \ alarmActionRequired: 'TRUE'\n insufficientDataActionRequired:\n\ \ Ref: CloudwatchAlarmActionCheckParamInsufficientDataActionRequired\n\ \ okActionRequired:\n Ref: CloudwatchAlarmActionCheckParamOkActionRequired\n\ \ Scope:\n ComplianceResourceTypes:\n - AWS::CloudWatch::Alarm\n\ \ Source:\n Owner: AWS\n SourceIdentifier: CLOUDWATCH_ALARM_ACTION_CHECK\n\ \ Type: AWS::Config::ConfigRule\n CloudwatchLogGroupEncrypted:\n Properties:\n\ \ ConfigRuleName: cloudwatch-log-group-encrypted\n Source:\n \ \ Owner: AWS\n SourceIdentifier: CLOUDWATCH_LOG_GROUP_ENCRYPTED\n\ \ Type: AWS::Config::ConfigRule\n CodebuildProjectEnvvarAwscredCheck:\n\ \ Properties:\n ConfigRuleName: codebuild-project-envvar-awscred-check\n\ \ Scope:\n ComplianceResourceTypes:\n - AWS::CodeBuild::Project\n\ \ Source:\n Owner: AWS\n SourceIdentifier: CODEBUILD_PROJECT_ENVVAR_AWSCRED_CHECK\n\ \ Type: AWS::Config::ConfigRule\n CodebuildProjectSourceRepoUrlCheck:\n\ \ Properties:\n ConfigRuleName: codebuild-project-source-repo-url-check\n\ \ Scope:\n ComplianceResourceTypes:\n - AWS::CodeBuild::Project\n\ \ Source:\n Owner: AWS\n SourceIdentifier: CODEBUILD_PROJECT_SOURCE_REPO_URL_CHECK\n\ \ Type: AWS::Config::ConfigRule\n DbInstanceBackupEnabled:\n Properties:\n\ \ ConfigRuleName: db-instance-backup-enabled\n Scope:\n ComplianceResourceTypes:\n\ \ - AWS::RDS::DBInstance\n Source:\n Owner: AWS\n \ \ SourceIdentifier: DB_INSTANCE_BACKUP_ENABLED\n 
Type: AWS::Config::ConfigRule\n\ \ DmsReplicationNotPublic:\n Properties:\n ConfigRuleName: dms-replication-not-public\n\ \ Scope:\n ComplianceResourceTypes: []\n Source:\n \ \ Owner: AWS\n SourceIdentifier: DMS_REPLICATION_NOT_PUBLIC\n Type:\ \ AWS::Config::ConfigRule\n DynamodbAutoscalingEnabled:\n Properties:\n\ \ ConfigRuleName: dynamodb-autoscaling-enabled\n Scope:\n \ \ ComplianceResourceTypes:\n - AWS::DynamoDB::Table\n Source:\n\ \ Owner: AWS\n SourceIdentifier: DYNAMODB_AUTOSCALING_ENABLED\n\ \ Type: AWS::Config::ConfigRule\n DynamodbPitrEnabled:\n Properties:\n\ \ ConfigRuleName: dynamodb-pitr-enabled\n Scope:\n ComplianceResourceTypes:\n\ \ - AWS::DynamoDB::Table\n Source:\n Owner: AWS\n \ \ SourceIdentifier: DYNAMODB_PITR_ENABLED\n Type: AWS::Config::ConfigRule\n\ \ DynamodbThroughputLimitCheck:\n Properties:\n ConfigRuleName: dynamodb-throughput-limit-check\n\ \ InputParameters:\n accountRCUThresholdPercentage:\n \ \ Fn::If:\n - dynamodbThroughputLimitCheckParamAccountRCUThresholdPercentage\n\ \ - Ref: DynamodbThroughputLimitCheckParamAccountRCUThresholdPercentage\n\ \ - Ref: AWS::NoValue\n accountWCUThresholdPercentage:\n \ \ Fn::If:\n - dynamodbThroughputLimitCheckParamAccountWCUThresholdPercentage\n\ \ - Ref: DynamodbThroughputLimitCheckParamAccountWCUThresholdPercentage\n\ \ - Ref: AWS::NoValue\n Source:\n Owner: AWS\n \ \ SourceIdentifier: DYNAMODB_THROUGHPUT_LIMIT_CHECK\n Type: AWS::Config::ConfigRule\n\ \ EbsSnapshotPublicRestorableCheck:\n Properties:\n ConfigRuleName:\ \ ebs-snapshot-public-restorable-check\n Source:\n Owner: AWS\n\ \ SourceIdentifier: EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK\n Type:\ \ AWS::Config::ConfigRule\n Ec2EbsEncryptionByDefault:\n Properties:\n\ \ ConfigRuleName: ec2-ebs-encryption-by-default\n Source:\n \ \ Owner: AWS\n SourceIdentifier: EC2_EBS_ENCRYPTION_BY_DEFAULT\n\ \ Type: AWS::Config::ConfigRule\n Ec2InstanceNoPublicIp:\n Properties:\n\ \ ConfigRuleName: ec2-instance-no-public-ip\n Scope:\n 
ComplianceResourceTypes:\n\ \ - AWS::EC2::Instance\n Source:\n Owner: AWS\n \ \ SourceIdentifier: EC2_INSTANCE_NO_PUBLIC_IP\n Type: AWS::Config::ConfigRule\n\ \ Ec2StoppedInstance:\n Properties:\n ConfigRuleName: ec2-stopped-instance\n\ \ Source:\n Owner: AWS\n SourceIdentifier: EC2_STOPPED_INSTANCE\n\ \ Type: AWS::Config::ConfigRule\n EfsEncryptedCheck:\n Properties:\n\ \ ConfigRuleName: efs-encrypted-check\n Source:\n Owner:\ \ AWS\n SourceIdentifier: EFS_ENCRYPTED_CHECK\n Type: AWS::Config::ConfigRule\n\ \ ElasticacheRedisClusterAutomaticBackupCheck:\n Properties:\n ConfigRuleName:\ \ elasticache-redis-cluster-automatic-backup-check\n Source:\n \ \ Owner: AWS\n SourceIdentifier: ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK\n\ \ Type: AWS::Config::ConfigRule\n ElasticsearchEncryptedAtRest:\n Properties:\n\ \ ConfigRuleName: elasticsearch-encrypted-at-rest\n Source:\n \ \ Owner: AWS\n SourceIdentifier: ELASTICSEARCH_ENCRYPTED_AT_REST\n\ \ Type: AWS::Config::ConfigRule\n ElasticsearchInVpcOnly:\n Properties:\n\ \ ConfigRuleName: elasticsearch-in-vpc-only\n Source:\n Owner:\ \ AWS\n SourceIdentifier: ELASTICSEARCH_IN_VPC_ONLY\n Type: AWS::Config::ConfigRule\n\ \ ElbAcmCertificateRequired:\n Properties:\n ConfigRuleName: elb-acm-certificate-required\n\ \ Scope:\n ComplianceResourceTypes:\n - AWS::ElasticLoadBalancing::LoadBalancer\n\ \ Source:\n Owner: AWS\n SourceIdentifier: ELB_ACM_CERTIFICATE_REQUIRED\n\ \ Type: AWS::Config::ConfigRule\n ElbDeletionProtectionEnabled:\n Properties:\n\ \ ConfigRuleName: elb-deletion-protection-enabled\n Scope:\n \ \ ComplianceResourceTypes:\n - AWS::ElasticLoadBalancingV2::LoadBalancer\n\ \ Source:\n Owner: AWS\n SourceIdentifier: ELB_DELETION_PROTECTION_ENABLED\n\ \ Type: AWS::Config::ConfigRule\n ElbLoggingEnabled:\n Properties:\n\ \ ConfigRuleName: elb-logging-enabled\n Scope:\n ComplianceResourceTypes:\n\ \ - AWS::ElasticLoadBalancing::LoadBalancer\n - AWS::ElasticLoadBalancingV2::LoadBalancer\n\ \ Source:\n Owner: AWS\n 
SourceIdentifier: ELB_LOGGING_ENABLED\n\ \ Type: AWS::Config::ConfigRule\n EmrKerberosEnabled:\n Properties:\n\ \ ConfigRuleName: emr-kerberos-enabled\n Source:\n Owner:\ \ AWS\n SourceIdentifier: EMR_KERBEROS_ENABLED\n Type: AWS::Config::ConfigRule\n\ \ EmrMasterNoPublicIp:\n Properties:\n ConfigRuleName: emr-master-no-public-ip\n\ \ Scope:\n ComplianceResourceTypes: []\n Source:\n \ \ Owner: AWS\n SourceIdentifier: EMR_MASTER_NO_PUBLIC_IP\n Type:\ \ AWS::Config::ConfigRule\n EncryptedVolumes:\n Properties:\n ConfigRuleName:\ \ encrypted-volumes\n Scope:\n ComplianceResourceTypes:\n \ \ - AWS::EC2::Volume\n Source:\n Owner: AWS\n SourceIdentifier:\ \ ENCRYPTED_VOLUMES\n Type: AWS::Config::ConfigRule\n GuarddutyEnabledCentralized:\n\ \ Properties:\n ConfigRuleName: guardduty-enabled-centralized\n \ \ Source:\n Owner: AWS\n SourceIdentifier: GUARDDUTY_ENABLED_CENTRALIZED\n\ \ Type: AWS::Config::ConfigRule\n GuarddutyNonArchivedFindings:\n Properties:\n\ \ ConfigRuleName: guardduty-non-archived-findings\n InputParameters:\n\ \ daysHighSev:\n Fn::If:\n - guarddutyNonArchivedFindingsParamDaysHighSev\n\ \ - Ref: GuarddutyNonArchivedFindingsParamDaysHighSev\n \ \ - Ref: AWS::NoValue\n daysLowSev:\n Fn::If:\n -\ \ guarddutyNonArchivedFindingsParamDaysLowSev\n - Ref: GuarddutyNonArchivedFindingsParamDaysLowSev\n\ \ - Ref: AWS::NoValue\n daysMediumSev:\n Fn::If:\n\ \ - guarddutyNonArchivedFindingsParamDaysMediumSev\n - Ref:\ \ GuarddutyNonArchivedFindingsParamDaysMediumSev\n - Ref: AWS::NoValue\n\ \ Source:\n Owner: AWS\n SourceIdentifier: GUARDDUTY_NON_ARCHIVED_FINDINGS\n\ \ Type: AWS::Config::ConfigRule\n IamGroupHasUsersCheck:\n Properties:\n\ \ ConfigRuleName: iam-group-has-users-check\n Scope:\n ComplianceResourceTypes:\n\ \ - AWS::IAM::Group\n Source:\n Owner: AWS\n SourceIdentifier:\ \ IAM_GROUP_HAS_USERS_CHECK\n Type: AWS::Config::ConfigRule\n IamPasswordPolicy:\n\ \ Properties:\n ConfigRuleName: iam-password-policy\n InputParameters:\n\ \ MaxPasswordAge:\n 
Fn::If:\n - iamPasswordPolicyParamMaxPasswordAge\n\ \ - Ref: IamPasswordPolicyParamMaxPasswordAge\n - Ref: AWS::NoValue\n\ \ MinimumPasswordLength:\n Fn::If:\n - iamPasswordPolicyParamMinimumPasswordLength\n\ \ - Ref: IamPasswordPolicyParamMinimumPasswordLength\n -\ \ Ref: AWS::NoValue\n PasswordReusePrevention:\n Fn::If:\n\ \ - iamPasswordPolicyParamPasswordReusePrevention\n - Ref:\ \ IamPasswordPolicyParamPasswordReusePrevention\n - Ref: AWS::NoValue\n\ \ RequireLowercaseCharacters:\n Fn::If:\n - iamPasswordPolicyParamRequireLowercaseCharacters\n\ \ - Ref: IamPasswordPolicyParamRequireLowercaseCharacters\n \ \ - Ref: AWS::NoValue\n RequireNumbers:\n Fn::If:\n \ \ - iamPasswordPolicyParamRequireNumbers\n - Ref: IamPasswordPolicyParamRequireNumbers\n\ \ - Ref: AWS::NoValue\n RequireSymbols:\n Fn::If:\n\ \ - iamPasswordPolicyParamRequireSymbols\n - Ref: IamPasswordPolicyParamRequireSymbols\n\ \ - Ref: AWS::NoValue\n RequireUppercaseCharacters:\n \ \ Fn::If:\n - iamPasswordPolicyParamRequireUppercaseCharacters\n\ \ - Ref: IamPasswordPolicyParamRequireUppercaseCharacters\n \ \ - Ref: AWS::NoValue\n Source:\n Owner: AWS\n SourceIdentifier:\ \ IAM_PASSWORD_POLICY\n Type: AWS::Config::ConfigRule\n IamPolicyNoStatementsWithAdminAccess:\n\ \ Properties:\n ConfigRuleName: iam-policy-no-statements-with-admin-access\n\ \ Scope:\n ComplianceResourceTypes:\n - AWS::IAM::Policy\n\ \ Source:\n Owner: AWS\n SourceIdentifier: IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS\n\ \ Type: AWS::Config::ConfigRule\n IamRootAccessKeyCheck:\n Properties:\n\ \ ConfigRuleName: iam-root-access-key-check\n Source:\n Owner:\ \ AWS\n SourceIdentifier: IAM_ROOT_ACCESS_KEY_CHECK\n Type: AWS::Config::ConfigRule\n\ \ IamUserGroupMembershipCheck:\n Properties:\n ConfigRuleName: iam-user-group-membership-check\n\ \ Scope:\n ComplianceResourceTypes:\n - AWS::IAM::User\n\ \ Source:\n Owner: AWS\n SourceIdentifier: IAM_USER_GROUP_MEMBERSHIP_CHECK\n\ \ Type: AWS::Config::ConfigRule\n IamUserMfaEnabled:\n 
Properties:\n\ \ ConfigRuleName: iam-user-mfa-enabled\n Source:\n Owner:\ \ AWS\n SourceIdentifier: IAM_USER_MFA_ENABLED\n Type: AWS::Config::ConfigRule\n\ \ IamUserNoPoliciesCheck:\n Properties:\n ConfigRuleName: iam-user-no-policies-check\n\ \ Scope:\n ComplianceResourceTypes:\n - AWS::IAM::User\n\ \ Source:\n Owner: AWS\n SourceIdentifier: IAM_USER_NO_POLICIES_CHECK\n\ \ Type: AWS::Config::ConfigRule\n IamUserUnusedCredentialsCheck:\n \ \ Properties:\n ConfigRuleName: iam-user-unused-credentials-check\n \ \ InputParameters:\n maxCredentialUsageAge:\n Fn::If:\n\ \ - iamUserUnusedCredentialsCheckParamMaxCredentialUsageAge\n \ \ - Ref: IamUserUnusedCredentialsCheckParamMaxCredentialUsageAge\n \ \ - Ref: AWS::NoValue\n Source:\n Owner: AWS\n \ \ SourceIdentifier: IAM_USER_UNUSED_CREDENTIALS_CHECK\n Type: AWS::Config::ConfigRule\n\ \ IncomingSshDisabled:\n Properties:\n ConfigRuleName: restricted-ssh\n\ \ Scope:\n ComplianceResourceTypes:\n - AWS::EC2::SecurityGroup\n\ \ Source:\n Owner: AWS\n SourceIdentifier: INCOMING_SSH_DISABLED\n\ \ Type: AWS::Config::ConfigRule\n InstancesInVpc:\n Properties:\n \ \ ConfigRuleName: ec2-instances-in-vpc\n Scope:\n ComplianceResourceTypes:\n\ \ - AWS::EC2::Instance\n Source:\n Owner: AWS\n \ \ SourceIdentifier: INSTANCES_IN_VPC\n Type: AWS::Config::ConfigRule\n\ \ InternetGatewayAuthorizedVpcOnly:\n Properties:\n ConfigRuleName:\ \ internet-gateway-authorized-vpc-only\n InputParameters:\n AuthorizedVpcIds:\n\ \ Fn::If:\n - internetGatewayAuthorizedVpcOnlyParamAuthorizedVpcIds\n\ \ - Ref: InternetGatewayAuthorizedVpcOnlyParamAuthorizedVpcIds\n\ \ - Ref: AWS::NoValue\n Scope:\n ComplianceResourceTypes:\n\ \ - AWS::EC2::InternetGateway\n Source:\n Owner: AWS\n\ \ SourceIdentifier: INTERNET_GATEWAY_AUTHORIZED_VPC_ONLY\n Type:\ \ AWS::Config::ConfigRule\n KmsCmkNotScheduledForDeletion:\n Properties:\n\ \ ConfigRuleName: kms-cmk-not-scheduled-for-deletion\n Scope:\n\ \ ComplianceResourceTypes:\n - AWS::KMS::Key\n Source:\n\ \ Owner: 
AWS\n SourceIdentifier: KMS_CMK_NOT_SCHEDULED_FOR_DELETION\n\ \ Type: AWS::Config::ConfigRule\n LambdaDlqCheck:\n Properties:\n \ \ ConfigRuleName: lambda-dlq-check\n Scope:\n ComplianceResourceTypes:\n\ \ - AWS::Lambda::Function\n Source:\n Owner: AWS\n \ \ SourceIdentifier: LAMBDA_DLQ_CHECK\n Type: AWS::Config::ConfigRule\n\ \ LambdaFunctionPublicAccessProhibited:\n Properties:\n ConfigRuleName:\ \ lambda-function-public-access-prohibited\n Scope:\n ComplianceResourceTypes:\n\ \ - AWS::Lambda::Function\n Source:\n Owner: AWS\n \ \ SourceIdentifier: LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED\n Type:\ \ AWS::Config::ConfigRule\n LambdaInsideVpc:\n Properties:\n ConfigRuleName:\ \ lambda-inside-vpc\n Scope:\n ComplianceResourceTypes:\n \ \ - AWS::Lambda::Function\n Source:\n Owner: AWS\n SourceIdentifier:\ \ LAMBDA_INSIDE_VPC\n Type: AWS::Config::ConfigRule\n MfaEnabledForIamConsoleAccess:\n\ \ Properties:\n ConfigRuleName: mfa-enabled-for-iam-console-access\n\ \ Source:\n Owner: AWS\n SourceIdentifier: MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS\n\ \ Type: AWS::Config::ConfigRule\n MultiRegionCloudTrailEnabled:\n Properties:\n\ \ ConfigRuleName: multi-region-cloudtrail-enabled\n Source:\n \ \ Owner: AWS\n SourceIdentifier: MULTI_REGION_CLOUD_TRAIL_ENABLED\n\ \ Type: AWS::Config::ConfigRule\n RdsInstancePublicAccessCheck:\n Properties:\n\ \ ConfigRuleName: rds-instance-public-access-check\n Scope:\n \ \ ComplianceResourceTypes:\n - AWS::RDS::DBInstance\n Source:\n\ \ Owner: AWS\n SourceIdentifier: RDS_INSTANCE_PUBLIC_ACCESS_CHECK\n\ \ Type: AWS::Config::ConfigRule\n RdsMultiAzSupport:\n Properties:\n\ \ ConfigRuleName: rds-multi-az-support\n Scope:\n ComplianceResourceTypes:\n\ \ - AWS::RDS::DBInstance\n Source:\n Owner: AWS\n \ \ SourceIdentifier: RDS_MULTI_AZ_SUPPORT\n Type: AWS::Config::ConfigRule\n\ \ RdsSnapshotEncrypted:\n Properties:\n ConfigRuleName: rds-snapshot-encrypted\n\ \ Scope:\n ComplianceResourceTypes:\n - AWS::RDS::DBSnapshot\n\ \ - 
AWS::RDS::DBClusterSnapshot\n Source:\n Owner: AWS\n\ \ SourceIdentifier: RDS_SNAPSHOT_ENCRYPTED\n Type: AWS::Config::ConfigRule\n\ \ RdsSnapshotsPublicProhibited:\n Properties:\n ConfigRuleName: rds-snapshots-public-prohibited\n\ \ Scope:\n ComplianceResourceTypes:\n - AWS::RDS::DBSnapshot\n\ \ - AWS::RDS::DBClusterSnapshot\n Source:\n Owner: AWS\n\ \ SourceIdentifier: RDS_SNAPSHOTS_PUBLIC_PROHIBITED\n Type: AWS::Config::ConfigRule\n\ \ RdsStorageEncrypted:\n Properties:\n ConfigRuleName: rds-storage-encrypted\n\ \ Scope:\n ComplianceResourceTypes:\n - AWS::RDS::DBInstance\n\ \ Source:\n Owner: AWS\n SourceIdentifier: RDS_STORAGE_ENCRYPTED\n\ \ Type: AWS::Config::ConfigRule\n RedshiftClusterConfigurationCheck:\n\ \ Properties:\n ConfigRuleName: redshift-cluster-configuration-check\n\ \ InputParameters:\n clusterDbEncrypted: 'TRUE'\n loggingEnabled:\ \ 'TRUE'\n Scope:\n ComplianceResourceTypes:\n - AWS::Redshift::Cluster\n\ \ Source:\n Owner: AWS\n SourceIdentifier: REDSHIFT_CLUSTER_CONFIGURATION_CHECK\n\ \ Type: AWS::Config::ConfigRule\n RedshiftClusterPublicAccessCheck:\n\ \ Properties:\n ConfigRuleName: redshift-cluster-public-access-check\n\ \ Scope:\n ComplianceResourceTypes:\n - AWS::Redshift::Cluster\n\ \ Source:\n Owner: AWS\n SourceIdentifier: REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK\n\ \ Type: AWS::Config::ConfigRule\n RedshiftRequireTlsSsl:\n Properties:\n\ \ ConfigRuleName: redshift-require-tls-ssl\n Scope:\n ComplianceResourceTypes:\n\ \ - AWS::Redshift::Cluster\n Source:\n Owner: AWS\n \ \ SourceIdentifier: REDSHIFT_REQUIRE_TLS_SSL\n Type: AWS::Config::ConfigRule\n\ \ RestrictedIncomingTraffic:\n Properties:\n ConfigRuleName: restricted-common-ports\n\ \ InputParameters:\n blockedPort1:\n Fn::If:\n \ \ - restrictedIncomingTrafficParamBlockedPort1\n - Ref: RestrictedIncomingTrafficParamBlockedPort1\n\ \ - Ref: AWS::NoValue\n blockedPort2:\n Fn::If:\n\ \ - restrictedIncomingTrafficParamBlockedPort2\n - Ref:\ \ RestrictedIncomingTrafficParamBlockedPort2\n - 
Ref: AWS::NoValue\n\ \ blockedPort3:\n Fn::If:\n - restrictedIncomingTrafficParamBlockedPort3\n\ \ - Ref: RestrictedIncomingTrafficParamBlockedPort3\n -\ \ Ref: AWS::NoValue\n blockedPort4:\n Fn::If:\n -\ \ restrictedIncomingTrafficParamBlockedPort4\n - Ref: RestrictedIncomingTrafficParamBlockedPort4\n\ \ - Ref: AWS::NoValue\n blockedPort5:\n Fn::If:\n\ \ - restrictedIncomingTrafficParamBlockedPort5\n - Ref:\ \ RestrictedIncomingTrafficParamBlockedPort5\n - Ref: AWS::NoValue\n\ \ Scope:\n ComplianceResourceTypes:\n - AWS::EC2::SecurityGroup\n\ \ Source:\n Owner: AWS\n SourceIdentifier: RESTRICTED_INCOMING_TRAFFIC\n\ \ Type: AWS::Config::ConfigRule\n RootAccountHardwareMfaEnabled:\n \ \ Properties:\n ConfigRuleName: root-account-hardware-mfa-enabled\n \ \ Source:\n Owner: AWS\n SourceIdentifier: ROOT_ACCOUNT_HARDWARE_MFA_ENABLED\n\ \ Type: AWS::Config::ConfigRule\n RootAccountMfaEnabled:\n Properties:\n\ \ ConfigRuleName: root-account-mfa-enabled\n Source:\n Owner:\ \ AWS\n SourceIdentifier: ROOT_ACCOUNT_MFA_ENABLED\n Type: AWS::Config::ConfigRule\n\ \ S3AccountLevelPublicAccessBlocks:\n Properties:\n ConfigRuleName:\ \ s3-account-level-public-access-blocks\n InputParameters:\n BlockPublicAcls:\n\ \ Fn::If:\n - s3AccountLevelPublicAccessBlocksParamBlockPublicAcls\n\ \ - Ref: S3AccountLevelPublicAccessBlocksParamBlockPublicAcls\n \ \ - Ref: AWS::NoValue\n BlockPublicPolicy:\n Fn::If:\n\ \ - s3AccountLevelPublicAccessBlocksParamBlockPublicPolicy\n \ \ - Ref: S3AccountLevelPublicAccessBlocksParamBlockPublicPolicy\n \ \ - Ref: AWS::NoValue\n IgnorePublicAcls:\n Fn::If:\n\ \ - s3AccountLevelPublicAccessBlocksParamIgnorePublicAcls\n \ \ - Ref: S3AccountLevelPublicAccessBlocksParamIgnorePublicAcls\n \ \ - Ref: AWS::NoValue\n RestrictPublicBuckets:\n Fn::If:\n\ \ - s3AccountLevelPublicAccessBlocksParamRestrictPublicBuckets\n\ \ - Ref: S3AccountLevelPublicAccessBlocksParamRestrictPublicBuckets\n\ \ - Ref: AWS::NoValue\n Scope:\n ComplianceResourceTypes:\n\ \ - 
AWS::S3::AccountPublicAccessBlock\n Source:\n Owner:\ \ AWS\n SourceIdentifier: S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS\n \ \ Type: AWS::Config::ConfigRule\n S3BucketDefaultLockEnabled:\n Properties:\n\ \ ConfigRuleName: s3-bucket-default-lock-enabled\n Scope:\n \ \ ComplianceResourceTypes:\n - AWS::S3::Bucket\n Source:\n\ \ Owner: AWS\n SourceIdentifier: S3_BUCKET_DEFAULT_LOCK_ENABLED\n\ \ Type: AWS::Config::ConfigRule\n S3BucketLoggingEnabled:\n Properties:\n\ \ ConfigRuleName: s3-bucket-logging-enabled\n Scope:\n ComplianceResourceTypes:\n\ \ - AWS::S3::Bucket\n Source:\n Owner: AWS\n SourceIdentifier:\ \ S3_BUCKET_LOGGING_ENABLED\n Type: AWS::Config::ConfigRule\n S3BucketPolicyGranteeCheck:\n\ \ Properties:\n ConfigRuleName: s3-bucket-policy-grantee-check\n \ \ Scope:\n ComplianceResourceTypes:\n - AWS::S3::Bucket\n\ \ Source:\n Owner: AWS\n SourceIdentifier: S3_BUCKET_POLICY_GRANTEE_CHECK\n\ \ Type: AWS::Config::ConfigRule\n S3BucketPublicReadProhibited:\n Properties:\n\ \ ConfigRuleName: s3-bucket-public-read-prohibited\n Scope:\n \ \ ComplianceResourceTypes:\n - AWS::S3::Bucket\n Source:\n\ \ Owner: AWS\n SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED\n\ \ Type: AWS::Config::ConfigRule\n S3BucketPublicWriteProhibited:\n \ \ Properties:\n ConfigRuleName: s3-bucket-public-write-prohibited\n \ \ Scope:\n ComplianceResourceTypes:\n - AWS::S3::Bucket\n\ \ Source:\n Owner: AWS\n SourceIdentifier: S3_BUCKET_PUBLIC_WRITE_PROHIBITED\n\ \ Type: AWS::Config::ConfigRule\n S3BucketReplicationEnabled:\n Properties:\n\ \ ConfigRuleName: s3-bucket-replication-enabled\n Scope:\n \ \ ComplianceResourceTypes:\n - AWS::S3::Bucket\n Source:\n \ \ Owner: AWS\n SourceIdentifier: S3_BUCKET_REPLICATION_ENABLED\n\ \ Type: AWS::Config::ConfigRule\n S3BucketServerSideEncryptionEnabled:\n\ \ Properties:\n ConfigRuleName: s3-bucket-server-side-encryption-enabled\n\ \ Scope:\n ComplianceResourceTypes:\n - AWS::S3::Bucket\n\ \ Source:\n Owner: AWS\n SourceIdentifier: 
S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED\n\ \ Type: AWS::Config::ConfigRule\n S3BucketSslRequestsOnly:\n Properties:\n\ \ ConfigRuleName: s3-bucket-ssl-requests-only\n Scope:\n \ \ ComplianceResourceTypes:\n - AWS::S3::Bucket\n Source:\n \ \ Owner: AWS\n SourceIdentifier: S3_BUCKET_SSL_REQUESTS_ONLY\n\ \ Type: AWS::Config::ConfigRule\n S3BucketVersioningEnabled:\n Properties:\n\ \ ConfigRuleName: s3-bucket-versioning-enabled\n Scope:\n \ \ ComplianceResourceTypes:\n - AWS::S3::Bucket\n Source:\n \ \ Owner: AWS\n SourceIdentifier: S3_BUCKET_VERSIONING_ENABLED\n\ \ Type: AWS::Config::ConfigRule\n SagemakerEndpointConfigurationKmsKeyConfigured:\n\ \ Properties:\n ConfigRuleName: sagemaker-endpoint-configuration-kms-key-configured\n\ \ Source:\n Owner: AWS\n SourceIdentifier: SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED\n\ \ Type: AWS::Config::ConfigRule\n SagemakerNotebookInstanceKmsKeyConfigured:\n\ \ Properties:\n ConfigRuleName: sagemaker-notebook-instance-kms-key-configured\n\ \ Source:\n Owner: AWS\n SourceIdentifier: SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED\n\ \ Type: AWS::Config::ConfigRule\n SagemakerNotebookNoDirectInternetAccess:\n\ \ Properties:\n ConfigRuleName: sagemaker-notebook-no-direct-internet-access\n\ \ Source:\n Owner: AWS\n SourceIdentifier: SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS\n\ \ Type: AWS::Config::ConfigRule\n SecretsmanagerRotationEnabledCheck:\n\ \ Properties:\n ConfigRuleName: secretsmanager-rotation-enabled-check\n\ \ Scope:\n ComplianceResourceTypes:\n - AWS::SecretsManager::Secret\n\ \ Source:\n Owner: AWS\n SourceIdentifier: SECRETSMANAGER_ROTATION_ENABLED_CHECK\n\ \ Type: AWS::Config::ConfigRule\n SecurityhubEnabled:\n Properties:\n\ \ ConfigRuleName: securityhub-enabled\n Source:\n Owner:\ \ AWS\n SourceIdentifier: SECURITYHUB_ENABLED\n Type: AWS::Config::ConfigRule\n\ \ SnsEncryptedKms:\n Properties:\n ConfigRuleName: sns-encrypted-kms\n\ \ Scope:\n ComplianceResourceTypes:\n - AWS::SNS::Topic\n\ \ Source:\n 
Owner: AWS\n SourceIdentifier: SNS_ENCRYPTED_KMS\n\ \ Type: AWS::Config::ConfigRule\n VpcFlowLogsEnabled:\n Properties:\n\ \ ConfigRuleName: vpc-flow-logs-enabled\n Source:\n Owner:\ \ AWS\n SourceIdentifier: VPC_FLOW_LOGS_ENABLED\n Type: AWS::Config::ConfigRule\n\ \ VpcSgOpenOnlyToAuthorizedPorts:\n Properties:\n ConfigRuleName:\ \ vpc-sg-open-only-to-authorized-ports\n Scope:\n ComplianceResourceTypes:\n\ \ - AWS::EC2::SecurityGroup\n Source:\n Owner: AWS\n \ \ SourceIdentifier: VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS\n Type: AWS::Config::ConfigRule\n\ \ VpcVpn2TunnelsUp:\n Properties:\n ConfigRuleName: vpc-vpn-2-tunnels-up\n\ \ Scope:\n ComplianceResourceTypes:\n - AWS::EC2::VPNConnection\n\ \ Source:\n Owner: AWS\n SourceIdentifier: VPC_VPN_2_TUNNELS_UP\n\ \ Type: AWS::Config::ConfigRule\nConditions:\n accessKeysRotatedParamMaxAccessKeyAge:\n\ \ Fn::Not:\n - Fn::Equals:\n - ''\n - Ref: AccessKeysRotatedParamMaxAccessKeyAge\n\ \ dynamodbThroughputLimitCheckParamAccountRCUThresholdPercentage:\n Fn::Not:\n\ \ - Fn::Equals:\n - ''\n - Ref: DynamodbThroughputLimitCheckParamAccountRCUThresholdPercentage\n\ \ dynamodbThroughputLimitCheckParamAccountWCUThresholdPercentage:\n Fn::Not:\n\ \ - Fn::Equals:\n - ''\n - Ref: DynamodbThroughputLimitCheckParamAccountWCUThresholdPercentage\n\ \ guarddutyNonArchivedFindingsParamDaysHighSev:\n Fn::Not:\n - Fn::Equals:\n\ \ - ''\n - Ref: GuarddutyNonArchivedFindingsParamDaysHighSev\n \ \ guarddutyNonArchivedFindingsParamDaysLowSev:\n Fn::Not:\n - Fn::Equals:\n\ \ - ''\n - Ref: GuarddutyNonArchivedFindingsParamDaysLowSev\n guarddutyNonArchivedFindingsParamDaysMediumSev:\n\ \ Fn::Not:\n - Fn::Equals:\n - ''\n - Ref: GuarddutyNonArchivedFindingsParamDaysMediumSev\n\ \ iamPasswordPolicyParamMaxPasswordAge:\n Fn::Not:\n - Fn::Equals:\n\ \ - ''\n - Ref: IamPasswordPolicyParamMaxPasswordAge\n iamPasswordPolicyParamMinimumPasswordLength:\n\ \ Fn::Not:\n - Fn::Equals:\n - ''\n - Ref: IamPasswordPolicyParamMinimumPasswordLength\n\ \ 
iamPasswordPolicyParamPasswordReusePrevention:\n Fn::Not:\n - Fn::Equals:\n\ \ - ''\n - Ref: IamPasswordPolicyParamPasswordReusePrevention\n\ \ iamPasswordPolicyParamRequireLowercaseCharacters:\n Fn::Not:\n -\ \ Fn::Equals:\n - ''\n - Ref: IamPasswordPolicyParamRequireLowercaseCharacters\n\ \ iamPasswordPolicyParamRequireNumbers:\n Fn::Not:\n - Fn::Equals:\n\ \ - ''\n - Ref: IamPasswordPolicyParamRequireNumbers\n iamPasswordPolicyParamRequireSymbols:\n\ \ Fn::Not:\n - Fn::Equals:\n - ''\n - Ref: IamPasswordPolicyParamRequireSymbols\n\ \ iamPasswordPolicyParamRequireUppercaseCharacters:\n Fn::Not:\n -\ \ Fn::Equals:\n - ''\n - Ref: IamPasswordPolicyParamRequireUppercaseCharacters\n\ \ iamUserUnusedCredentialsCheckParamMaxCredentialUsageAge:\n Fn::Not:\n\ \ - Fn::Equals:\n - ''\n - Ref: IamUserUnusedCredentialsCheckParamMaxCredentialUsageAge\n\ \ internetGatewayAuthorizedVpcOnlyParamAuthorizedVpcIds:\n Fn::Not:\n\ \ - Fn::Equals:\n - ''\n - Ref: InternetGatewayAuthorizedVpcOnlyParamAuthorizedVpcIds\n\ \ restrictedIncomingTrafficParamBlockedPort1:\n Fn::Not:\n - Fn::Equals:\n\ \ - ''\n - Ref: RestrictedIncomingTrafficParamBlockedPort1\n restrictedIncomingTrafficParamBlockedPort2:\n\ \ Fn::Not:\n - Fn::Equals:\n - ''\n - Ref: RestrictedIncomingTrafficParamBlockedPort2\n\ \ restrictedIncomingTrafficParamBlockedPort3:\n Fn::Not:\n - Fn::Equals:\n\ \ - ''\n - Ref: RestrictedIncomingTrafficParamBlockedPort3\n restrictedIncomingTrafficParamBlockedPort4:\n\ \ Fn::Not:\n - Fn::Equals:\n - ''\n - Ref: RestrictedIncomingTrafficParamBlockedPort4\n\ \ restrictedIncomingTrafficParamBlockedPort5:\n Fn::Not:\n - Fn::Equals:\n\ \ - ''\n - Ref: RestrictedIncomingTrafficParamBlockedPort5\n s3AccountLevelPublicAccessBlocksParamBlockPublicAcls:\n\ \ Fn::Not:\n - Fn::Equals:\n - ''\n - Ref: S3AccountLevelPublicAccessBlocksParamBlockPublicAcls\n\ \ s3AccountLevelPublicAccessBlocksParamBlockPublicPolicy:\n Fn::Not:\n\ \ - Fn::Equals:\n - ''\n - Ref: 
S3AccountLevelPublicAccessBlocksParamBlockPublicPolicy\n\ \ s3AccountLevelPublicAccessBlocksParamIgnorePublicAcls:\n Fn::Not:\n\ \ - Fn::Equals:\n - ''\n - Ref: S3AccountLevelPublicAccessBlocksParamIgnorePublicAcls\n\ \ s3AccountLevelPublicAccessBlocksParamRestrictPublicBuckets:\n Fn::Not:\n\ \ - Fn::Equals:\n - ''\n - Ref: S3AccountLevelPublicAccessBlocksParamRestrictPublicBuckets"
    Type: AWS::Config::ConformancePack
  ConfigPacksCPOperationalBestPracticesforNISTCSFB3E464EB:
    DependsOn:
      - ConfigEnabledPromiseConfigRecorder0A75B039
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/ConfigPacks/CP-Operational-Best-Practices-for-NIST-CSF
      cfn-lint:
        config:
          ignore_checks:
            - E9101
          ignore_reasons:
            E9101: The references to master in this resource refer to EMR service naming. Until the EMR service changes its usage of the term, this needs to be an exception.
    Properties:
      ConformancePackInputParameters: []
      ConformancePackName: Operational-Best-Practices-for-NIST-CSF
      DeliveryS3Bucket:
        Ref: ConfigEnabledPromiseConfigBucket2F967063
      DeliveryS3KeyPrefix: Operational-Best-Practices-for-NIST-CSF
      TemplateBody: "##################################################################################\n\ #\n# Conformance Pack:\n# Operational Best Practices for NIST CSF\n\ #\n# This conformance pack helps verify compliance with NIST CSF requirements.\n\ # \ \ \n# This Conformance Pack has been designed for compatibility\ \ with the majority of AWS \n# regions and to not require setting of any\ \ Parameters. 
Additional managed rules that \n# require parameters to be\ \ set for your environment and/or for your specific region can \n# be found\ \ at https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html\n\ #\n# See Parameters section for names and descriptions of required parameters.\ \ \n#\n##################################################################################\n\ \nParameters:\n AccessKeysRotatedParamMaxAccessKeyAge:\n Default: '90'\n\ \ Type: String\n AcmCertificateExpirationCheckParamDaysToExpiration:\n\ \ Default: '90'\n Type: String\n GuarddutyNonArchivedFindingsParamDaysHighSev:\n\ \ Default: '1'\n Type: String\n GuarddutyNonArchivedFindingsParamDaysLowSev:\n\ \ Default: '30'\n Type: String\n GuarddutyNonArchivedFindingsParamDaysMediumSev:\n\ \ Default: '7'\n Type: String\n IamPasswordPolicyParamMaxPasswordAge:\n\ \ Default: '90'\n Type: String\n IamPasswordPolicyParamMinimumPasswordLength:\n\ \ Default: '14'\n Type: String\n IamPasswordPolicyParamPasswordReusePrevention:\n\ \ Default: '24'\n Type: String\n IamPasswordPolicyParamRequireLowercaseCharacters:\n\ \ Default: 'TRUE'\n Type: String\n IamPasswordPolicyParamRequireNumbers:\n\ \ Default: 'TRUE'\n Type: String\n IamPasswordPolicyParamRequireSymbols:\n\ \ Default: 'TRUE'\n Type: String\n IamPasswordPolicyParamRequireUppercaseCharacters:\n\ \ Default: 'TRUE'\n Type: String\n IamUserUnusedCredentialsCheckParamMaxCredentialUsageAge:\n\ \ Default: '90'\n Type: String\n RestrictedIncomingTrafficParamBlockedPort1:\n\ \ Default: '20'\n Type: String\n RestrictedIncomingTrafficParamBlockedPort2:\n\ \ Default: '21'\n Type: String\n RestrictedIncomingTrafficParamBlockedPort3:\n\ \ Default: '3389'\n Type: String\n RestrictedIncomingTrafficParamBlockedPort4:\n\ \ Default: '3306'\n Type: String\n RestrictedIncomingTrafficParamBlockedPort5:\n\ \ Default: '4333'\n Type: String\n S3AccountLevelPublicAccessBlocksParamBlockPublicAcls:\n\ \ Default: 'True'\n Type: String\n 
S3AccountLevelPublicAccessBlocksParamBlockPublicPolicy:\n\ \ Default: 'True'\n Type: String\n S3AccountLevelPublicAccessBlocksParamIgnorePublicAcls:\n\ \ Default: 'True'\n Type: String\n S3AccountLevelPublicAccessBlocksParamRestrictPublicBuckets:\n\ \ Default: 'True'\n Type: String\nResources:\n AccessKeysRotated:\n\ \ Properties:\n ConfigRuleName: access-keys-rotated\n InputParameters:\n\ \ maxAccessKeyAge:\n Fn::If:\n - accessKeysRotatedParamMaxAccessKeyAge\n\ \ - Ref: AccessKeysRotatedParamMaxAccessKeyAge\n - Ref:\ \ AWS::NoValue\n Source:\n Owner: AWS\n SourceIdentifier:\ \ ACCESS_KEYS_ROTATED\n Type: AWS::Config::ConfigRule\n AcmCertificateExpirationCheck:\n\ \ Properties:\n ConfigRuleName: acm-certificate-expiration-check\n\ \ InputParameters:\n daysToExpiration:\n Fn::If:\n \ \ - acmCertificateExpirationCheckParamDaysToExpiration\n -\ \ Ref: AcmCertificateExpirationCheckParamDaysToExpiration\n - Ref:\ \ AWS::NoValue\n Scope:\n ComplianceResourceTypes:\n -\ \ AWS::ACM::Certificate\n Source:\n Owner: AWS\n SourceIdentifier:\ \ ACM_CERTIFICATE_EXPIRATION_CHECK\n Type: AWS::Config::ConfigRule\n AlbHttpToHttpsRedirectionCheck:\n\ \ Properties:\n ConfigRuleName: alb-http-to-https-redirection-check\n\ \ Source:\n Owner: AWS\n SourceIdentifier: ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK\n\ \ Type: AWS::Config::ConfigRule\n ApiGwCacheEnabledAndEncrypted:\n \ \ Properties:\n ConfigRuleName: api-gw-cache-enabled-and-encrypted\n\ \ Scope:\n ComplianceResourceTypes:\n - AWS::ApiGateway::Stage\n\ \ Source:\n Owner: AWS\n SourceIdentifier: API_GW_CACHE_ENABLED_AND_ENCRYPTED\n\ \ Type: AWS::Config::ConfigRule\n ApiGwExecutionLoggingEnabled:\n Properties:\n\ \ ConfigRuleName: api-gw-execution-logging-enabled\n Scope:\n \ \ ComplianceResourceTypes:\n - AWS::ApiGateway::Stage\n \ \ - AWS::ApiGatewayV2::Stage\n Source:\n Owner: AWS\n \ \ SourceIdentifier: API_GW_EXECUTION_LOGGING_ENABLED\n Type: AWS::Config::ConfigRule\n\ \ AutoscalingGroupElbHealthcheckRequired:\n Properties:\n 
ConfigRuleName:\ \ autoscaling-group-elb-healthcheck-required\n Scope:\n ComplianceResourceTypes:\n\ \ - AWS::AutoScaling::AutoScalingGroup\n Source:\n Owner:\ \ AWS\n SourceIdentifier: AUTOSCALING_GROUP_ELB_HEALTHCHECK_REQUIRED\n\ \ Type: AWS::Config::ConfigRule\n CloudTrailCloudWatchLogsEnabled:\n \ \ Properties:\n ConfigRuleName: cloud-trail-cloud-watch-logs-enabled\n\ \ Source:\n Owner: AWS\n SourceIdentifier: CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED\n\ \ Type: AWS::Config::ConfigRule\n CloudTrailEnabled:\n Properties:\n\ \ ConfigRuleName: cloudtrail-enabled\n Source:\n Owner: AWS\n\ \ SourceIdentifier: CLOUD_TRAIL_ENABLED\n Type: AWS::Config::ConfigRule\n\ \ CloudTrailEncryptionEnabled:\n Properties:\n ConfigRuleName: cloud-trail-encryption-enabled\n\ \ Source:\n Owner: AWS\n SourceIdentifier: CLOUD_TRAIL_ENCRYPTION_ENABLED\n\ \ Type: AWS::Config::ConfigRule\n CloudTrailLogFileValidationEnabled:\n\ \ Properties:\n ConfigRuleName: cloud-trail-log-file-validation-enabled\n\ \ Source:\n Owner: AWS\n SourceIdentifier: CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED\n\ \ Type: AWS::Config::ConfigRule\n CloudtrailS3DataeventsEnabled:\n \ \ Properties:\n ConfigRuleName: cloudtrail-s3-dataevents-enabled\n \ \ Source:\n Owner: AWS\n SourceIdentifier: CLOUDTRAIL_S3_DATAEVENTS_ENABLED\n\ \ Type: AWS::Config::ConfigRule\n CloudwatchAlarmActionCheck:\n Properties:\n\ \ ConfigRuleName: cloudwatch-alarm-action-check\n InputParameters:\n\ \ alarmActionRequired: 'TRUE'\n insufficientDataActionRequired:\ \ 'TRUE'\n okActionRequired: 'FALSE'\n Scope:\n ComplianceResourceTypes:\n\ \ - AWS::CloudWatch::Alarm\n Source:\n Owner: AWS\n \ \ SourceIdentifier: CLOUDWATCH_ALARM_ACTION_CHECK\n Type: AWS::Config::ConfigRule\n\ \ CloudwatchLogGroupEncrypted:\n Properties:\n ConfigRuleName: cloudwatch-log-group-encrypted\n\ \ Source:\n Owner: AWS\n SourceIdentifier: CLOUDWATCH_LOG_GROUP_ENCRYPTED\n\ \ Type: AWS::Config::ConfigRule\n CodebuildProjectEnvvarAwscredCheck:\n\ \ Properties:\n ConfigRuleName: 
codebuild-project-envvar-awscred-check\n\ \ Scope:\n ComplianceResourceTypes:\n - AWS::CodeBuild::Project\n\ \ Source:\n Owner: AWS\n SourceIdentifier: CODEBUILD_PROJECT_ENVVAR_AWSCRED_CHECK\n\ \ Type: AWS::Config::ConfigRule\n CodebuildProjectSourceRepoUrlCheck:\n\ \ Properties:\n ConfigRuleName: codebuild-project-source-repo-url-check\n\ \ Scope:\n ComplianceResourceTypes:\n - AWS::CodeBuild::Project\n\ \ Source:\n Owner: AWS\n SourceIdentifier: CODEBUILD_PROJECT_SOURCE_REPO_URL_CHECK\n\ \ Type: AWS::Config::ConfigRule\n DbInstanceBackupEnabled:\n Properties:\n\ \ ConfigRuleName: db-instance-backup-enabled\n Scope:\n ComplianceResourceTypes:\n\ \ - AWS::RDS::DBInstance\n Source:\n Owner: AWS\n \ \ SourceIdentifier: DB_INSTANCE_BACKUP_ENABLED\n Type: AWS::Config::ConfigRule\n\ \ DmsReplicationNotPublic:\n Properties:\n ConfigRuleName: dms-replication-not-public\n\ \ Scope:\n ComplianceResourceTypes: []\n Source:\n \ \ Owner: AWS\n SourceIdentifier: DMS_REPLICATION_NOT_PUBLIC\n Type:\ \ AWS::Config::ConfigRule\n DynamodbAutoscalingEnabled:\n Properties:\n\ \ ConfigRuleName: dynamodb-autoscaling-enabled\n Scope:\n \ \ ComplianceResourceTypes:\n - AWS::DynamoDB::Table\n Source:\n\ \ Owner: AWS\n SourceIdentifier: DYNAMODB_AUTOSCALING_ENABLED\n\ \ Type: AWS::Config::ConfigRule\n DynamodbPitrEnabled:\n Properties:\n\ \ ConfigRuleName: dynamodb-pitr-enabled\n Scope:\n ComplianceResourceTypes:\n\ \ - AWS::DynamoDB::Table\n Source:\n Owner: AWS\n \ \ SourceIdentifier: DYNAMODB_PITR_ENABLED\n Type: AWS::Config::ConfigRule\n\ \ DynamodbThroughputLimitCheck:\n Properties:\n ConfigRuleName: dynamodb-throughput-limit-check\n\ \ Source:\n Owner: AWS\n SourceIdentifier: DYNAMODB_THROUGHPUT_LIMIT_CHECK\n\ \ Type: AWS::Config::ConfigRule\n EbsOptimizedInstance:\n Properties:\n\ \ ConfigRuleName: ebs-optimized-instance\n Scope:\n ComplianceResourceTypes:\n\ \ - AWS::EC2::Instance\n Source:\n Owner: AWS\n \ \ SourceIdentifier: EBS_OPTIMIZED_INSTANCE\n Type: 
AWS::Config::ConfigRule\n\ \ EbsSnapshotPublicRestorableCheck:\n Properties:\n ConfigRuleName:\ \ ebs-snapshot-public-restorable-check\n Source:\n Owner: AWS\n\ \ SourceIdentifier: EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK\n Type:\ \ AWS::Config::ConfigRule\n Ec2InstanceDetailedMonitoringEnabled:\n Properties:\n\ \ ConfigRuleName: ec2-instance-detailed-monitoring-enabled\n Scope:\n\ \ ComplianceResourceTypes:\n - AWS::EC2::Instance\n Source:\n\ \ Owner: AWS\n SourceIdentifier: EC2_INSTANCE_DETAILED_MONITORING_ENABLED\n\ \ Type: AWS::Config::ConfigRule\n Ec2InstanceManagedBySsm:\n Properties:\n\ \ ConfigRuleName: ec2-instance-managed-by-systems-manager\n Scope:\n\ \ ComplianceResourceTypes:\n - AWS::EC2::Instance\n -\ \ AWS::SSM::ManagedInstanceInventory\n Source:\n Owner: AWS\n\ \ SourceIdentifier: EC2_INSTANCE_MANAGED_BY_SSM\n Type: AWS::Config::ConfigRule\n\ \ Ec2InstanceNoPublicIp:\n Properties:\n ConfigRuleName: ec2-instance-no-public-ip\n\ \ Scope:\n ComplianceResourceTypes:\n - AWS::EC2::Instance\n\ \ Source:\n Owner: AWS\n SourceIdentifier: EC2_INSTANCE_NO_PUBLIC_IP\n\ \ Type: AWS::Config::ConfigRule\n Ec2ManagedinstanceAssociationComplianceStatusCheck:\n\ \ Properties:\n ConfigRuleName: ec2-managedinstance-association-compliance-status-check\n\ \ Scope:\n ComplianceResourceTypes:\n - AWS::SSM::AssociationCompliance\n\ \ Source:\n Owner: AWS\n SourceIdentifier: EC2_MANAGEDINSTANCE_ASSOCIATION_COMPLIANCE_STATUS_CHECK\n\ \ Type: AWS::Config::ConfigRule\n Ec2ManagedinstancePatchComplianceStatusCheck:\n\ \ Properties:\n ConfigRuleName: ec2-managedinstance-patch-compliance-status-check\n\ \ Scope:\n ComplianceResourceTypes:\n - AWS::SSM::PatchCompliance\n\ \ Source:\n Owner: AWS\n SourceIdentifier: EC2_MANAGEDINSTANCE_PATCH_COMPLIANCE_STATUS_CHECK\n\ \ Type: AWS::Config::ConfigRule\n Ec2SecurityGroupAttachedToEni:\n \ \ Properties:\n ConfigRuleName: ec2-security-group-attached-to-eni\n\ \ Scope:\n ComplianceResourceTypes:\n - AWS::EC2::SecurityGroup\n\ \ Source:\n 
Owner: AWS\n SourceIdentifier: EC2_SECURITY_GROUP_ATTACHED_TO_ENI\n\ \ Type: AWS::Config::ConfigRule\n Ec2StoppedInstance:\n Properties:\n\ \ ConfigRuleName: ec2-stopped-instance\n Source:\n Owner:\ \ AWS\n SourceIdentifier: EC2_STOPPED_INSTANCE\n Type: AWS::Config::ConfigRule\n\ \ Ec2VolumeInuseCheck:\n Properties:\n ConfigRuleName: ec2-volume-inuse-check\n\ \ Scope:\n ComplianceResourceTypes:\n - AWS::EC2::Volume\n\ \ Source:\n Owner: AWS\n SourceIdentifier: EC2_VOLUME_INUSE_CHECK\n\ \ Type: AWS::Config::ConfigRule\n EfsEncryptedCheck:\n Properties:\n\ \ ConfigRuleName: efs-encrypted-check\n Source:\n Owner:\ \ AWS\n SourceIdentifier: EFS_ENCRYPTED_CHECK\n Type: AWS::Config::ConfigRule\n\ \ EipAttached:\n Properties:\n ConfigRuleName: eip-attached\n \ \ Scope:\n ComplianceResourceTypes:\n - AWS::EC2::EIP\n \ \ Source:\n Owner: AWS\n SourceIdentifier: EIP_ATTACHED\n\ \ Type: AWS::Config::ConfigRule\n ElasticacheRedisClusterAutomaticBackupCheck:\n\ \ Properties:\n ConfigRuleName: elasticache-redis-cluster-automatic-backup-check\n\ \ Source:\n Owner: AWS\n SourceIdentifier: ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK\n\ \ Type: AWS::Config::ConfigRule\n ElasticsearchEncryptedAtRest:\n Properties:\n\ \ ConfigRuleName: elasticsearch-encrypted-at-rest\n Source:\n \ \ Owner: AWS\n SourceIdentifier: ELASTICSEARCH_ENCRYPTED_AT_REST\n\ \ Type: AWS::Config::ConfigRule\n ElasticsearchInVpcOnly:\n Properties:\n\ \ ConfigRuleName: elasticsearch-in-vpc-only\n Source:\n Owner:\ \ AWS\n SourceIdentifier: ELASTICSEARCH_IN_VPC_ONLY\n Type: AWS::Config::ConfigRule\n\ \ ElbAcmCertificateRequired:\n Properties:\n ConfigRuleName: elb-acm-certificate-required\n\ \ Scope:\n ComplianceResourceTypes:\n - AWS::ElasticLoadBalancing::LoadBalancer\n\ \ Source:\n Owner: AWS\n SourceIdentifier: ELB_ACM_CERTIFICATE_REQUIRED\n\ \ Type: AWS::Config::ConfigRule\n ElbDeletionProtectionEnabled:\n Properties:\n\ \ ConfigRuleName: elb-deletion-protection-enabled\n Scope:\n \ \ 
ComplianceResourceTypes:\n - AWS::ElasticLoadBalancingV2::LoadBalancer\n\ \ Source:\n Owner: AWS\n SourceIdentifier: ELB_DELETION_PROTECTION_ENABLED\n\ \ Type: AWS::Config::ConfigRule\n ElbLoggingEnabled:\n Properties:\n\ \ ConfigRuleName: elb-logging-enabled\n Scope:\n ComplianceResourceTypes:\n\ \ - AWS::ElasticLoadBalancing::LoadBalancer\n - AWS::ElasticLoadBalancingV2::LoadBalancer\n\ \ Source:\n Owner: AWS\n SourceIdentifier: ELB_LOGGING_ENABLED\n\ \ Type: AWS::Config::ConfigRule\n EmrKerberosEnabled:\n Properties:\n\ \ ConfigRuleName: emr-kerberos-enabled\n Source:\n Owner:\ \ AWS\n SourceIdentifier: EMR_KERBEROS_ENABLED\n Type: AWS::Config::ConfigRule\n\ \ EmrMasterNoPublicIp:\n Properties:\n ConfigRuleName: emr-master-no-public-ip\n\ \ Scope:\n ComplianceResourceTypes: []\n Source:\n \ \ Owner: AWS\n SourceIdentifier: EMR_MASTER_NO_PUBLIC_IP\n Type:\ \ AWS::Config::ConfigRule\n EncryptedVolumes:\n Properties:\n ConfigRuleName:\ \ encrypted-volumes\n Scope:\n ComplianceResourceTypes:\n \ \ - AWS::EC2::Volume\n Source:\n Owner: AWS\n SourceIdentifier:\ \ ENCRYPTED_VOLUMES\n Type: AWS::Config::ConfigRule\n GuarddutyEnabledCentralized:\n\ \ Properties:\n ConfigRuleName: guardduty-enabled-centralized\n \ \ Source:\n Owner: AWS\n SourceIdentifier: GUARDDUTY_ENABLED_CENTRALIZED\n\ \ Type: AWS::Config::ConfigRule\n GuarddutyNonArchivedFindings:\n Properties:\n\ \ ConfigRuleName: guardduty-non-archived-findings\n InputParameters:\n\ \ daysHighSev:\n Fn::If:\n - guarddutyNonArchivedFindingsParamDaysHighSev\n\ \ - Ref: GuarddutyNonArchivedFindingsParamDaysHighSev\n \ \ - Ref: AWS::NoValue\n daysLowSev:\n Fn::If:\n -\ \ guarddutyNonArchivedFindingsParamDaysLowSev\n - Ref: GuarddutyNonArchivedFindingsParamDaysLowSev\n\ \ - Ref: AWS::NoValue\n daysMediumSev:\n Fn::If:\n\ \ - guarddutyNonArchivedFindingsParamDaysMediumSev\n - Ref:\ \ GuarddutyNonArchivedFindingsParamDaysMediumSev\n - Ref: AWS::NoValue\n\ \ Source:\n Owner: AWS\n SourceIdentifier: 
GUARDDUTY_NON_ARCHIVED_FINDINGS\n\ \ Type: AWS::Config::ConfigRule\n IamGroupHasUsersCheck:\n Properties:\n\ \ ConfigRuleName: iam-group-has-users-check\n Scope:\n ComplianceResourceTypes:\n\ \ - AWS::IAM::Group\n Source:\n Owner: AWS\n SourceIdentifier:\ \ IAM_GROUP_HAS_USERS_CHECK\n Type: AWS::Config::ConfigRule\n IamPasswordPolicy:\n\ \ Properties:\n ConfigRuleName: iam-password-policy\n InputParameters:\n\ \ MaxPasswordAge:\n Fn::If:\n - iamPasswordPolicyParamMaxPasswordAge\n\ \ - Ref: IamPasswordPolicyParamMaxPasswordAge\n - Ref: AWS::NoValue\n\ \ MinimumPasswordLength:\n Fn::If:\n - iamPasswordPolicyParamMinimumPasswordLength\n\ \ - Ref: IamPasswordPolicyParamMinimumPasswordLength\n -\ \ Ref: AWS::NoValue\n PasswordReusePrevention:\n Fn::If:\n\ \ - iamPasswordPolicyParamPasswordReusePrevention\n - Ref:\ \ IamPasswordPolicyParamPasswordReusePrevention\n - Ref: AWS::NoValue\n\ \ RequireLowercaseCharacters:\n Fn::If:\n - iamPasswordPolicyParamRequireLowercaseCharacters\n\ \ - Ref: IamPasswordPolicyParamRequireLowercaseCharacters\n \ \ - Ref: AWS::NoValue\n RequireNumbers:\n Fn::If:\n \ \ - iamPasswordPolicyParamRequireNumbers\n - Ref: IamPasswordPolicyParamRequireNumbers\n\ \ - Ref: AWS::NoValue\n RequireSymbols:\n Fn::If:\n\ \ - iamPasswordPolicyParamRequireSymbols\n - Ref: IamPasswordPolicyParamRequireSymbols\n\ \ - Ref: AWS::NoValue\n RequireUppercaseCharacters:\n \ \ Fn::If:\n - iamPasswordPolicyParamRequireUppercaseCharacters\n\ \ - Ref: IamPasswordPolicyParamRequireUppercaseCharacters\n \ \ - Ref: AWS::NoValue\n Source:\n Owner: AWS\n SourceIdentifier:\ \ IAM_PASSWORD_POLICY\n Type: AWS::Config::ConfigRule\n IamPolicyNoStatementsWithAdminAccess:\n\ \ Properties:\n ConfigRuleName: iam-policy-no-statements-with-admin-access\n\ \ Scope:\n ComplianceResourceTypes:\n - AWS::IAM::Policy\n\ \ Source:\n Owner: AWS\n SourceIdentifier: IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS\n\ \ Type: AWS::Config::ConfigRule\n IamRootAccessKeyCheck:\n Properties:\n\ \ 
ConfigRuleName: iam-root-access-key-check\n Source:\n Owner:\ \ AWS\n SourceIdentifier: IAM_ROOT_ACCESS_KEY_CHECK\n Type: AWS::Config::ConfigRule\n\ \ IamUserGroupMembershipCheck:\n Properties:\n ConfigRuleName: iam-user-group-membership-check\n\ \ Scope:\n ComplianceResourceTypes:\n - AWS::IAM::User\n\ \ Source:\n Owner: AWS\n SourceIdentifier: IAM_USER_GROUP_MEMBERSHIP_CHECK\n\ \ Type: AWS::Config::ConfigRule\n IamUserMfaEnabled:\n Properties:\n\ \ ConfigRuleName: iam-user-mfa-enabled\n Source:\n Owner:\ \ AWS\n SourceIdentifier: IAM_USER_MFA_ENABLED\n Type: AWS::Config::ConfigRule\n\ \ IamUserNoPoliciesCheck:\n Properties:\n ConfigRuleName: iam-user-no-policies-check\n\ \ Scope:\n ComplianceResourceTypes:\n - AWS::IAM::User\n\ \ Source:\n Owner: AWS\n SourceIdentifier: IAM_USER_NO_POLICIES_CHECK\n\ \ Type: AWS::Config::ConfigRule\n IamUserUnusedCredentialsCheck:\n \ \ Properties:\n ConfigRuleName: iam-user-unused-credentials-check\n \ \ InputParameters:\n maxCredentialUsageAge:\n Fn::If:\n\ \ - iamUserUnusedCredentialsCheckParamMaxCredentialUsageAge\n \ \ - Ref: IamUserUnusedCredentialsCheckParamMaxCredentialUsageAge\n \ \ - Ref: AWS::NoValue\n Source:\n Owner: AWS\n \ \ SourceIdentifier: IAM_USER_UNUSED_CREDENTIALS_CHECK\n Type: AWS::Config::ConfigRule\n\ \ IncomingSshDisabled:\n Properties:\n ConfigRuleName: restricted-ssh\n\ \ Scope:\n ComplianceResourceTypes:\n - AWS::EC2::SecurityGroup\n\ \ Source:\n Owner: AWS\n SourceIdentifier: INCOMING_SSH_DISABLED\n\ \ Type: AWS::Config::ConfigRule\n InstancesInVpc:\n Properties:\n \ \ ConfigRuleName: ec2-instances-in-vpc\n Scope:\n ComplianceResourceTypes:\n\ \ - AWS::EC2::Instance\n Source:\n Owner: AWS\n \ \ SourceIdentifier: INSTANCES_IN_VPC\n Type: AWS::Config::ConfigRule\n\ \ InternetGatewayAuthorizedVpcOnly:\n Properties:\n ConfigRuleName:\ \ internet-gateway-authorized-vpc-only\n Scope:\n ComplianceResourceTypes:\n\ \ - AWS::EC2::InternetGateway\n Source:\n Owner: AWS\n\ \ SourceIdentifier: 
INTERNET_GATEWAY_AUTHORIZED_VPC_ONLY\n Type:\ \ AWS::Config::ConfigRule\n KmsCmkNotScheduledForDeletion:\n Properties:\n\ \ ConfigRuleName: kms-cmk-not-scheduled-for-deletion\n Scope:\n\ \ ComplianceResourceTypes:\n - AWS::KMS::Key\n Source:\n\ \ Owner: AWS\n SourceIdentifier: KMS_CMK_NOT_SCHEDULED_FOR_DELETION\n\ \ Type: AWS::Config::ConfigRule\n LambdaConcurrencyCheck:\n Properties:\n\ \ ConfigRuleName: lambda-concurrency-check\n Scope:\n ComplianceResourceTypes:\n\ \ - AWS::Lambda::Function\n Source:\n Owner: AWS\n \ \ SourceIdentifier: LAMBDA_CONCURRENCY_CHECK\n Type: AWS::Config::ConfigRule\n\ \ LambdaDlqCheck:\n Properties:\n ConfigRuleName: lambda-dlq-check\n\ \ Scope:\n ComplianceResourceTypes:\n - AWS::Lambda::Function\n\ \ Source:\n Owner: AWS\n SourceIdentifier: LAMBDA_DLQ_CHECK\n\ \ Type: AWS::Config::ConfigRule\n LambdaFunctionPublicAccessProhibited:\n\ \ Properties:\n ConfigRuleName: lambda-function-public-access-prohibited\n\ \ Scope:\n ComplianceResourceTypes:\n - AWS::Lambda::Function\n\ \ Source:\n Owner: AWS\n SourceIdentifier: LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED\n\ \ Type: AWS::Config::ConfigRule\n LambdaInsideVpc:\n Properties:\n\ \ ConfigRuleName: lambda-inside-vpc\n Scope:\n ComplianceResourceTypes:\n\ \ - AWS::Lambda::Function\n Source:\n Owner: AWS\n \ \ SourceIdentifier: LAMBDA_INSIDE_VPC\n Type: AWS::Config::ConfigRule\n\ \ MfaEnabledForIamConsoleAccess:\n Properties:\n ConfigRuleName:\ \ mfa-enabled-for-iam-console-access\n Source:\n Owner: AWS\n\ \ SourceIdentifier: MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS\n Type: AWS::Config::ConfigRule\n\ \ MultiRegionCloudTrailEnabled:\n Properties:\n ConfigRuleName: multi-region-cloudtrail-enabled\n\ \ Source:\n Owner: AWS\n SourceIdentifier: MULTI_REGION_CLOUD_TRAIL_ENABLED\n\ \ Type: AWS::Config::ConfigRule\n RdsEnhancedMonitoringEnabled:\n Properties:\n\ \ ConfigRuleName: rds-enhanced-monitoring-enabled\n Scope:\n \ \ ComplianceResourceTypes:\n - AWS::RDS::DBInstance\n Source:\n\ \ Owner: AWS\n 
SourceIdentifier: RDS_ENHANCED_MONITORING_ENABLED\n\ \ Type: AWS::Config::ConfigRule\n RdsInstancePublicAccessCheck:\n Properties:\n\ \ ConfigRuleName: rds-instance-public-access-check\n Scope:\n \ \ ComplianceResourceTypes:\n - AWS::RDS::DBInstance\n Source:\n\ \ Owner: AWS\n SourceIdentifier: RDS_INSTANCE_PUBLIC_ACCESS_CHECK\n\ \ Type: AWS::Config::ConfigRule\n RdsMultiAzSupport:\n Properties:\n\ \ ConfigRuleName: rds-multi-az-support\n Scope:\n ComplianceResourceTypes:\n\ \ - AWS::RDS::DBInstance\n Source:\n Owner: AWS\n \ \ SourceIdentifier: RDS_MULTI_AZ_SUPPORT\n Type: AWS::Config::ConfigRule\n\ \ RdsSnapshotsPublicProhibited:\n Properties:\n ConfigRuleName: rds-snapshots-public-prohibited\n\ \ Scope:\n ComplianceResourceTypes:\n - AWS::RDS::DBSnapshot\n\ \ - AWS::RDS::DBClusterSnapshot\n Source:\n Owner: AWS\n\ \ SourceIdentifier: RDS_SNAPSHOTS_PUBLIC_PROHIBITED\n Type: AWS::Config::ConfigRule\n\ \ RdsStorageEncrypted:\n Properties:\n ConfigRuleName: rds-storage-encrypted\n\ \ Scope:\n ComplianceResourceTypes:\n - AWS::RDS::DBInstance\n\ \ Source:\n Owner: AWS\n SourceIdentifier: RDS_STORAGE_ENCRYPTED\n\ \ Type: AWS::Config::ConfigRule\n RedshiftClusterConfigurationCheck:\n\ \ Properties:\n ConfigRuleName: redshift-cluster-configuration-check\n\ \ InputParameters:\n clusterDbEncrypted: 'TRUE'\n loggingEnabled:\ \ 'TRUE'\n Scope:\n ComplianceResourceTypes:\n - AWS::Redshift::Cluster\n\ \ Source:\n Owner: AWS\n SourceIdentifier: REDSHIFT_CLUSTER_CONFIGURATION_CHECK\n\ \ Type: AWS::Config::ConfigRule\n RedshiftClusterPublicAccessCheck:\n\ \ Properties:\n ConfigRuleName: redshift-cluster-public-access-check\n\ \ Scope:\n ComplianceResourceTypes:\n - AWS::Redshift::Cluster\n\ \ Source:\n Owner: AWS\n SourceIdentifier: REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK\n\ \ Type: AWS::Config::ConfigRule\n RedshiftRequireTlsSsl:\n Properties:\n\ \ ConfigRuleName: redshift-require-tls-ssl\n Scope:\n ComplianceResourceTypes:\n\ \ - AWS::Redshift::Cluster\n Source:\n Owner: AWS\n \ 
\ SourceIdentifier: REDSHIFT_REQUIRE_TLS_SSL\n Type: AWS::Config::ConfigRule\n\ \ RestrictedIncomingTraffic:\n Properties:\n ConfigRuleName: restricted-common-ports\n\ \ InputParameters:\n blockedPort1:\n Fn::If:\n \ \ - restrictedIncomingTrafficParamBlockedPort1\n - Ref: RestrictedIncomingTrafficParamBlockedPort1\n\ \ - Ref: AWS::NoValue\n blockedPort2:\n Fn::If:\n\ \ - restrictedIncomingTrafficParamBlockedPort2\n - Ref:\ \ RestrictedIncomingTrafficParamBlockedPort2\n - Ref: AWS::NoValue\n\ \ blockedPort3:\n Fn::If:\n - restrictedIncomingTrafficParamBlockedPort3\n\ \ - Ref: RestrictedIncomingTrafficParamBlockedPort3\n -\ \ Ref: AWS::NoValue\n blockedPort4:\n Fn::If:\n -\ \ restrictedIncomingTrafficParamBlockedPort4\n - Ref: RestrictedIncomingTrafficParamBlockedPort4\n\ \ - Ref: AWS::NoValue\n blockedPort5:\n Fn::If:\n\ \ - restrictedIncomingTrafficParamBlockedPort5\n - Ref:\ \ RestrictedIncomingTrafficParamBlockedPort5\n - Ref: AWS::NoValue\n\ \ Scope:\n ComplianceResourceTypes:\n - AWS::EC2::SecurityGroup\n\ \ Source:\n Owner: AWS\n SourceIdentifier: RESTRICTED_INCOMING_TRAFFIC\n\ \ Type: AWS::Config::ConfigRule\n RootAccountHardwareMfaEnabled:\n \ \ Properties:\n ConfigRuleName: root-account-hardware-mfa-enabled\n \ \ Source:\n Owner: AWS\n SourceIdentifier: ROOT_ACCOUNT_HARDWARE_MFA_ENABLED\n\ \ Type: AWS::Config::ConfigRule\n RootAccountMfaEnabled:\n Properties:\n\ \ ConfigRuleName: root-account-mfa-enabled\n Source:\n Owner:\ \ AWS\n SourceIdentifier: ROOT_ACCOUNT_MFA_ENABLED\n Type: AWS::Config::ConfigRule\n\ \ S3AccountLevelPublicAccessBlocks:\n Properties:\n ConfigRuleName:\ \ s3-account-level-public-access-blocks\n InputParameters:\n BlockPublicAcls:\n\ \ Fn::If:\n - s3AccountLevelPublicAccessBlocksParamBlockPublicAcls\n\ \ - Ref: S3AccountLevelPublicAccessBlocksParamBlockPublicAcls\n \ \ - Ref: AWS::NoValue\n BlockPublicPolicy:\n Fn::If:\n\ \ - s3AccountLevelPublicAccessBlocksParamBlockPublicPolicy\n \ \ - Ref: 
        S3AccountLevelPublicAccessBlocksParamBlockPublicPolicy\
        \n            - Ref: AWS::NoValue\
        \n        IgnorePublicAcls:\
        \n          Fn::If:\
        \n            - s3AccountLevelPublicAccessBlocksParamIgnorePublicAcls\
        \n            - Ref: S3AccountLevelPublicAccessBlocksParamIgnorePublicAcls\
        \n            - Ref: AWS::NoValue\
        \n        RestrictPublicBuckets:\
        \n          Fn::If:\
        \n            - s3AccountLevelPublicAccessBlocksParamRestrictPublicBuckets\
        \n            - Ref: S3AccountLevelPublicAccessBlocksParamRestrictPublicBuckets\
        \n            - Ref: AWS::NoValue\
        \n      Scope:\
        \n        ComplianceResourceTypes:\
        \n          - AWS::S3::AccountPublicAccessBlock\
        \n      Source:\
        \n        Owner: AWS\
        \n        SourceIdentifier: S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS\
        \n    Type: AWS::Config::ConfigRule\
        \n  S3BucketDefaultLockEnabled:\
        \n    Properties:\
        \n      ConfigRuleName: s3-bucket-default-lock-enabled\
        \n      Scope:\
        \n        ComplianceResourceTypes:\
        \n          - AWS::S3::Bucket\
        \n      Source:\
        \n        Owner: AWS\
        \n        SourceIdentifier: S3_BUCKET_DEFAULT_LOCK_ENABLED\
        \n    Type: AWS::Config::ConfigRule\
        \n  S3BucketLoggingEnabled:\
        \n    Properties:\
        \n      ConfigRuleName: s3-bucket-logging-enabled\
        \n      Scope:\
        \n        ComplianceResourceTypes:\
        \n          - AWS::S3::Bucket\
        \n      Source:\
        \n        Owner: AWS\
        \n        SourceIdentifier: S3_BUCKET_LOGGING_ENABLED\
        \n    Type: AWS::Config::ConfigRule\
        \n  S3BucketPolicyGranteeCheck:\
        \n    Properties:\
        \n      ConfigRuleName: s3-bucket-policy-grantee-check\
        \n      Scope:\
        \n        ComplianceResourceTypes:\
        \n          - AWS::S3::Bucket\
        \n      Source:\
        \n        Owner: AWS\
        \n        SourceIdentifier: S3_BUCKET_POLICY_GRANTEE_CHECK\
        \n    Type: AWS::Config::ConfigRule\
        \n  S3BucketPublicReadProhibited:\
        \n    Properties:\
        \n      ConfigRuleName: s3-bucket-public-read-prohibited\
        \n      Scope:\
        \n        ComplianceResourceTypes:\
        \n          - AWS::S3::Bucket\
        \n      Source:\
        \n        Owner: AWS\
        \n        SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED\
        \n    Type: AWS::Config::ConfigRule\
        \n  S3BucketPublicWriteProhibited:\
        \n    Properties:\
        \n      ConfigRuleName: s3-bucket-public-write-prohibited\
        \n      Scope:\
        \n        ComplianceResourceTypes:\
        \n          - AWS::S3::Bucket\
        \n      Source:\
        \n        Owner: AWS\
        \n        SourceIdentifier: S3_BUCKET_PUBLIC_WRITE_PROHIBITED\
        \n    Type: AWS::Config::ConfigRule\
        \n  S3BucketReplicationEnabled:\
        \n    Properties:\
        \n      ConfigRuleName: s3-bucket-replication-enabled\
        \n      Scope:\
        \n        ComplianceResourceTypes:\
        \n          - AWS::S3::Bucket\
        \n      Source:\
        \n        Owner: AWS\
        \n        SourceIdentifier: S3_BUCKET_REPLICATION_ENABLED\
        \n    Type: AWS::Config::ConfigRule\
        \n  S3BucketServerSideEncryptionEnabled:\
        \n    Properties:\
        \n      ConfigRuleName: s3-bucket-server-side-encryption-enabled\
        \n      Scope:\
        \n        ComplianceResourceTypes:\
        \n          - AWS::S3::Bucket\
        \n      Source:\
        \n        Owner: AWS\
        \n        SourceIdentifier: S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED\
        \n    Type: AWS::Config::ConfigRule\
        \n  S3BucketSslRequestsOnly:\
        \n    Properties:\
        \n      ConfigRuleName: s3-bucket-ssl-requests-only\
        \n      Scope:\
        \n        ComplianceResourceTypes:\
        \n          - AWS::S3::Bucket\
        \n      Source:\
        \n        Owner: AWS\
        \n        SourceIdentifier: S3_BUCKET_SSL_REQUESTS_ONLY\
        \n    Type: AWS::Config::ConfigRule\
        \n  S3BucketVersioningEnabled:\
        \n    Properties:\
        \n      ConfigRuleName: s3-bucket-versioning-enabled\
        \n      Scope:\
        \n        ComplianceResourceTypes:\
        \n          - AWS::S3::Bucket\
        \n      Source:\
        \n        Owner: AWS\
        \n        SourceIdentifier: S3_BUCKET_VERSIONING_ENABLED\
        \n    Type: AWS::Config::ConfigRule\
        \n  SagemakerEndpointConfigurationKmsKeyConfigured:\
        \n    Properties:\
        \n      ConfigRuleName: sagemaker-endpoint-configuration-kms-key-configured\
        \n      Source:\
        \n        Owner: AWS\
        \n        SourceIdentifier: SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED\
        \n    Type: AWS::Config::ConfigRule\
        \n  SagemakerNotebookInstanceKmsKeyConfigured:\
        \n    Properties:\
        \n      ConfigRuleName: sagemaker-notebook-instance-kms-key-configured\
        \n      Source:\
        \n        Owner: AWS\
        \n        SourceIdentifier: SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED\
        \n    Type: AWS::Config::ConfigRule\
        \n  SagemakerNotebookNoDirectInternetAccess:\
        \n    Properties:\
        \n      ConfigRuleName: sagemaker-notebook-no-direct-internet-access\
        \n      Source:\
        \n        Owner: AWS\
        \n        SourceIdentifier: SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS\
        \n    Type: AWS::Config::ConfigRule\
        \n  SecretsmanagerRotationEnabledCheck:\
        \n    Properties:\
        \n      ConfigRuleName: secretsmanager-rotation-enabled-check\
        \n      Scope:\
        \n        ComplianceResourceTypes:\
        \n          - AWS::SecretsManager::Secret\
        \n      Source:\
        \n        Owner: AWS\
        \n        SourceIdentifier: SECRETSMANAGER_ROTATION_ENABLED_CHECK\
        \n    Type: AWS::Config::ConfigRule\
        \n  SecretsmanagerScheduledRotationSuccessCheck:\
        \n    Properties:\
        \n      ConfigRuleName: secretsmanager-scheduled-rotation-success-check\
        \n      Scope:\
        \n        ComplianceResourceTypes:\
        \n          - AWS::SecretsManager::Secret\
        \n      Source:\
        \n        Owner: AWS\
        \n        SourceIdentifier: SECRETSMANAGER_SCHEDULED_ROTATION_SUCCESS_CHECK\
        \n    Type: AWS::Config::ConfigRule\
        \n  SecurityhubEnabled:\
        \n    Properties:\
        \n      ConfigRuleName: securityhub-enabled\
        \n      Source:\
        \n        Owner: AWS\
        \n        SourceIdentifier: SECURITYHUB_ENABLED\
        \n    Type: AWS::Config::ConfigRule\
        \n  SnsEncryptedKms:\
        \n    Properties:\
        \n      ConfigRuleName: sns-encrypted-kms\
        \n      Scope:\
        \n        ComplianceResourceTypes:\
        \n          - AWS::SNS::Topic\
        \n      Source:\
        \n        Owner: AWS\
        \n        SourceIdentifier: SNS_ENCRYPTED_KMS\
        \n    Type: AWS::Config::ConfigRule\
        \n  VpcDefaultSecurityGroupClosed:\
        \n    Properties:\
        \n      ConfigRuleName: vpc-default-security-group-closed\
        \n      Scope:\
        \n        ComplianceResourceTypes:\
        \n          - AWS::EC2::SecurityGroup\
        \n      Source:\
        \n        Owner: AWS\
        \n        SourceIdentifier: VPC_DEFAULT_SECURITY_GROUP_CLOSED\
        \n    Type: AWS::Config::ConfigRule\
        \n  VpcFlowLogsEnabled:\
        \n    Properties:\
        \n      ConfigRuleName: vpc-flow-logs-enabled\
        \n      Source:\
        \n        Owner: AWS\
        \n        SourceIdentifier: VPC_FLOW_LOGS_ENABLED\
        \n    Type: AWS::Config::ConfigRule\
        \n  VpcSgOpenOnlyToAuthorizedPorts:\
        \n    Properties:\
        \n      ConfigRuleName: vpc-sg-open-only-to-authorized-ports\
        \n      Scope:\
        \n        ComplianceResourceTypes:\
        \n          - AWS::EC2::SecurityGroup\
        \n      Source:\
        \n        Owner: AWS\
        \n        SourceIdentifier: VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS\
        \n    Type: AWS::Config::ConfigRule\
        \n  VpcVpn2TunnelsUp:\
        \n    Properties:\
        \n      ConfigRuleName: vpc-vpn-2-tunnels-up\
        \n      Scope:\
        \n        ComplianceResourceTypes:\
        \n          - AWS::EC2::VPNConnection\
        \n      Source:\
        \n        Owner: AWS\
        \n        SourceIdentifier: VPC_VPN_2_TUNNELS_UP\
        \n    Type: AWS::Config::ConfigRule\
        \nConditions:\
        \n  accessKeysRotatedParamMaxAccessKeyAge:\
        \n    Fn::Not:\
        \n      - Fn::Equals:\
        \n          - ''\
        \n          - Ref: AccessKeysRotatedParamMaxAccessKeyAge\
        \n  acmCertificateExpirationCheckParamDaysToExpiration:\
        \n    Fn::Not:\
        \n      - Fn::Equals:\
        \n          - ''\
        \n          - Ref: AcmCertificateExpirationCheckParamDaysToExpiration\
        \n  guarddutyNonArchivedFindingsParamDaysHighSev:\
        \n    Fn::Not:\
        \n      - Fn::Equals:\
        \n          - ''\
        \n          - Ref: GuarddutyNonArchivedFindingsParamDaysHighSev\
        \n  guarddutyNonArchivedFindingsParamDaysLowSev:\
        \n    Fn::Not:\
        \n      - Fn::Equals:\
        \n          - ''\
        \n          - Ref: GuarddutyNonArchivedFindingsParamDaysLowSev\
        \n  guarddutyNonArchivedFindingsParamDaysMediumSev:\
        \n    Fn::Not:\
        \n      - Fn::Equals:\
        \n          - ''\
        \n          - Ref: GuarddutyNonArchivedFindingsParamDaysMediumSev\
        \n  iamPasswordPolicyParamMaxPasswordAge:\
        \n    Fn::Not:\
        \n      - Fn::Equals:\
        \n          - ''\
        \n          - Ref: IamPasswordPolicyParamMaxPasswordAge\
        \n  iamPasswordPolicyParamMinimumPasswordLength:\
        \n    Fn::Not:\
        \n      - Fn::Equals:\
        \n          - ''\
        \n          - Ref: IamPasswordPolicyParamMinimumPasswordLength\
        \n  iamPasswordPolicyParamPasswordReusePrevention:\
        \n    Fn::Not:\
        \n      - Fn::Equals:\
        \n          - ''\
        \n          - Ref: IamPasswordPolicyParamPasswordReusePrevention\
        \n  iamPasswordPolicyParamRequireLowercaseCharacters:\
        \n    Fn::Not:\
        \n      - Fn::Equals:\
        \n          - ''\
        \n          - Ref: IamPasswordPolicyParamRequireLowercaseCharacters\
        \n  iamPasswordPolicyParamRequireNumbers:\
        \n    Fn::Not:\
        \n      - Fn::Equals:\
        \n          - ''\
        \n          - Ref: IamPasswordPolicyParamRequireNumbers\
        \n  iamPasswordPolicyParamRequireSymbols:\
        \n    Fn::Not:\
        \n      - Fn::Equals:\
        \n          - ''\
        \n          - Ref: IamPasswordPolicyParamRequireSymbols\
        \n  iamPasswordPolicyParamRequireUppercaseCharacters:\
        \n    Fn::Not:\
        \n      - Fn::Equals:\
        \n          - ''\
        \n          - Ref: IamPasswordPolicyParamRequireUppercaseCharacters\
        \n  iamUserUnusedCredentialsCheckParamMaxCredentialUsageAge:\
        \n    Fn::Not:\
        \n      - Fn::Equals:\
        \n          - ''\
        \n          - Ref: IamUserUnusedCredentialsCheckParamMaxCredentialUsageAge\
        \n  restrictedIncomingTrafficParamBlockedPort1:\
        \n    Fn::Not:\
        \n      - Fn::Equals:\
        \n          - ''\
        \n          - Ref: RestrictedIncomingTrafficParamBlockedPort1\
        \n  restrictedIncomingTrafficParamBlockedPort2:\
        \n    Fn::Not:\
        \n      - Fn::Equals:\
        \n          - ''\
        \n          - Ref: RestrictedIncomingTrafficParamBlockedPort2\
        \n  restrictedIncomingTrafficParamBlockedPort3:\
        \n    Fn::Not:\
        \n      - Fn::Equals:\
        \n          - ''\
        \n          - Ref: RestrictedIncomingTrafficParamBlockedPort3\
        \n  restrictedIncomingTrafficParamBlockedPort4:\
        \n    Fn::Not:\
        \n      - Fn::Equals:\
        \n          - ''\
        \n          - Ref: RestrictedIncomingTrafficParamBlockedPort4\
        \n  restrictedIncomingTrafficParamBlockedPort5:\
        \n    Fn::Not:\
        \n      - Fn::Equals:\
        \n          - ''\
        \n          - Ref: RestrictedIncomingTrafficParamBlockedPort5\
        \n  s3AccountLevelPublicAccessBlocksParamBlockPublicAcls:\
        \n    Fn::Not:\
        \n      - Fn::Equals:\
        \n          - ''\
        \n          - Ref: S3AccountLevelPublicAccessBlocksParamBlockPublicAcls\
        \n  s3AccountLevelPublicAccessBlocksParamBlockPublicPolicy:\
        \n    Fn::Not:\
        \n      - Fn::Equals:\
        \n          - ''\
        \n          - Ref: S3AccountLevelPublicAccessBlocksParamBlockPublicPolicy\
        \n  s3AccountLevelPublicAccessBlocksParamIgnorePublicAcls:\
        \n    Fn::Not:\
        \n      - Fn::Equals:\
        \n          - ''\
        \n          - Ref: S3AccountLevelPublicAccessBlocksParamIgnorePublicAcls\
        \n  s3AccountLevelPublicAccessBlocksParamRestrictPublicBuckets:\
        \n    Fn::Not:\
        \n      - Fn::Equals:\
        \n          - ''\
        \n          - Ref: S3AccountLevelPublicAccessBlocksParamRestrictPublicBuckets"
    Type: AWS::Config::ConformancePack
  DnsHostedZone9A2A44DA:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/Dns/HostedZone/Resource
    Properties:
      Name: corp.
      VPCs:
        - VPCId:
            Ref: VpcCoreManagment030DB556
          VPCRegion:
            Ref: AWS::Region
        - VPCId:
            Ref: VpcCoreProductionD971AE3A
          VPCRegion:
            Ref: AWS::Region
        - VPCId:
            Ref: VpcCoreDevelopment37E2B994
          VPCRegion:
            Ref: AWS::Region
    Type: AWS::Route53::HostedZone
  LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aFD4BFC8A:
    DependsOn:
      - VpcCoreretentionRoleDefaultPolicyEEAA8B99
      - VpcCoreretentionRole1BA39518
    Metadata:
      aws:asset:is-bundled: false
      aws:asset:path: asset.c13434f8f1aa2ea30fa577b2feb208a41368b11787b752e10bfc71fe8eb919d5
      aws:asset:property: Code
      aws:cdk:path: AwsBiotechBlueprint/LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8a/Resource
    Properties:
      Code:
        S3Bucket:
          Ref: AssetParameters7ef22dac3421fb2d25175b3386053dbc5bdc110e87cbd58600263bf70a6324cdS3BucketA00C8555
        S3Key:
          Fn::Join:
            - ''
            - - Fn::Select:
                  - 0
                  - Fn::Split:
                      - '||'
                      - Ref: AssetParameters7ef22dac3421fb2d25175b3386053dbc5bdc110e87cbd58600263bf70a6324cdS3VersionKey27C92598
              - Fn::Select:
                  - 1
                  - Fn::Split:
                      - '||'
                      - Ref: AssetParameters7ef22dac3421fb2d25175b3386053dbc5bdc110e87cbd58600263bf70a6324cdS3VersionKey27C92598
      Handler: index.handler
      Role:
        Fn::GetAtt:
          - VpcCoreretentionRole1BA39518
          - Arn
      Runtime: nodejs14.x
    Type: AWS::Lambda::Function
  SingletonLambdaCreateVpnCertificateLambda14FF3DCC:
    DependsOn:
      - ClientVpnVpnCertificateLambdaCustomResourceRoleDefaultPolicyBC6B56F1
      - ClientVpnVpnCertificateLambdaCustomResourceRole042AF384
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/SingletonLambdaCreateVpnCertificateLambda/Resource
    Properties:
      Code:
        ZipFile: |
          import logging
          import os
          import subprocess
          import boto3

          EASYRSA_URL = 'https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.6/EasyRSA-unix-v3.0.6.tgz'
          EASYRSA = '/tmp/easyrsa/EasyRSA-v3.0.6/easyrsa'
          # Files copied out of the easy-rsa PKI and mirrored to the VPN config bucket.
          # The CA, server and client private keys are all generated unencrypted (nopass).
          VPN_FILES = ['ca.crt', 'server.crt', 'server.key', 'client1.domain.tld.crt', 'client1.domain.tld.key']

          acm = boto3.client('acm')
          logger = logging.getLogger()
          logger.setLevel(logging.INFO)
          response_data = {}

          def run_commands(commands, work_dir='/tmp/'):
              # Run each command through the shell in work_dir and return the captured stdout of each.
              env = os.environ.copy()
              env['PATH'] = '/tmp/bin:' + env['PATH']  # awscli is pip-installed into /tmp by main()
              env['PYTHONPATH'] = '/tmp/:'
              env['EASYRSA_BATCH'] = '1'
              outputs = []
              for command in commands:
                  proc = subprocess.Popen([command], env=env, cwd=work_dir, shell=True,
                                          stdout=subprocess.PIPE, stderr=subprocess.PIPE)
                  out, err = proc.communicate()
                  logger.info(command)
                  logger.info(out)
                  logger.info(err)
                  outputs.append(out)
              return outputs

          def read_file(filename):
              with open(filename, 'rb') as handle:
                  return handle.read()

          def delete_certificate(event, context, is_update=False):
              # Remove the mirrored PKI files from S3 and the certificate imported into ACM.
              try:
                  response_data['Complete'] = 'True'
                  certificate_arn = event['PhysicalResourceId']
                  bucket = event['ResourceProperties']['VpnConfigBucket']
                  run_commands(['aws s3 rm {0}{1}'.format(bucket, name) for name in VPN_FILES])
                  acm.delete_certificate(CertificateArn=certificate_arn)
                  if not is_update:
                      return {'PhysicalResourceId': certificate_arn, 'responseData': response_data}
              except Exception as error:
                  logger.error(error)
                  return False

          def create_certificate(event, context):
              try:
                  logger.info('Starting to create certificate')
                  bucket = event['ResourceProperties']['VpnConfigBucket']
                  # The easy-rsa release is fetched at run time with no checksum or signature check.
                  run_commands(['curl -L {0} -O'.format(EASYRSA_URL), 'mkdir /tmp/easyrsa', 'mkdir /tmp/vpndetails',
                                'tar -xvzf /tmp/EasyRSA-unix-v3.0.6.tgz -C /tmp/easyrsa', 'ls /tmp/easyrsa'])
                  # easy-rsa keeps its PKI under the working directory, so the tree lands in /tmp/pki.
                  run_commands([EASYRSA + ' init-pki', EASYRSA + ' build-ca nopass',
                                EASYRSA + ' build-server-full server nopass',
                                EASYRSA + ' build-client-full client1.domain.tld nopass',
                                'cp /tmp/pki/ca.crt /tmp/vpndetails/ca.crt',
                                'cp /tmp/pki/issued/server.crt /tmp/vpndetails/server.crt',
                                'cp /tmp/pki/private/server.key /tmp/vpndetails/server.key',
                                'cp /tmp/pki/issued/client1.domain.tld.crt /tmp/vpndetails/client1.domain.tld.crt',
                                'cp /tmp/pki/private/client1.domain.tld.key /tmp/vpndetails/client1.domain.tld.key'])
                  imported = acm.import_certificate(Certificate=read_file('/tmp/vpndetails/server.crt'),
                                                    PrivateKey=read_file('/tmp/vpndetails/server.key'),
                                                    CertificateChain=read_file('/tmp/vpndetails/ca.crt'))
                  logger.info(imported)
                  run_commands(['aws s3 cp /tmp/vpndetails/{1} {0}{1}'.format(bucket, name) for name in VPN_FILES])
                  return {'responseData': response_data, 'PhysicalResourceId': imported['CertificateArn']}
              except Exception as error:
                  logger.error(error)
                  return {'ErrorMessage': str(error)}

          def main(event, context):
              logger.info(event)
              # awscli is installed from PyPI on every invocation; it provides the "aws s3" commands above.
              run_commands(['pip3 install awscli --upgrade --no-cache-dir --ignore-installed --target=/tmp/'])
              request_type = event['RequestType']
              if request_type == 'Delete':
                  return delete_certificate(event, context)
              elif request_type == 'Create':
                  return create_certificate(event, context)
              elif request_type == 'Update':
                  delete_certificate(event, context, is_update=True)
                  return create_certificate(event, context)
      DeadLetterConfig:
        TargetArn:
          Fn::GetAtt:
            - SingletonLambdaCreateVpnCertificateLambdaDeadLetterQueueFFAC7F20
            - Arn
      Handler: index.main
      MemorySize: 1024
      Role:
        Fn::GetAtt:
          - ClientVpnVpnCertificateLambdaCustomResourceRole042AF384
          - Arn
      Runtime: python3.7
      Timeout: 300
      VpcConfig:
        SecurityGroupIds:
          - Fn::GetAtt:
              - SingletonLambdaCreateVpnCertificateLambdaSecurityGroupC03A5216
              - GroupId
        SubnetIds:
          - Ref: VpcCoreManagmentApplicationSubnet1Subnet1DE5C8C4
          - Ref: VpcCoreManagmentApplicationSubnet2SubnetF1B8CE48
    Type: AWS::Lambda::Function
  SingletonLambdaCreateVpnCertificateLambdaDeadLetterQueueFFAC7F20:
    DeletionPolicy: Delete
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/SingletonLambdaCreateVpnCertificateLambda/DeadLetterQueue/Resource
    Properties:
      MessageRetentionPeriod: 1209600
    Type: AWS::SQS::Queue
    UpdateReplacePolicy: Delete
  SingletonLambdaCreateVpnCertificateLambdaSecurityGroupC03A5216:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/SingletonLambdaCreateVpnCertificateLambda/SecurityGroup/Resource
    Properties:
      GroupDescription: Automatic security group for Lambda Function AwsBiotechBlueprintSingletonLambdaCreateVpnCertificateLambdaDED33AFA
      SecurityGroupEgress:
        - CidrIp: 0.0.0.0/0
          Description: Allow all outbound traffic by default
          IpProtocol: '-1'
      VpcId:
        Ref: VpcCoreManagment030DB556
    Type: AWS::EC2::SecurityGroup
  VpcCoreDevLogRtention28DE857A:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/DevLogRtention/Resource
    Properties:
      LogGroupName:
        Ref: VpcCoreDevVpcLogGroupB93F8F61
      RetentionInDays: 3
      SdkRetry:
        base: 1800000
        maxRetries: 3
      ServiceToken:
        Fn::GetAtt:
          - LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aFD4BFC8A
          - Arn
    Type: Custom::LogRetention
  VpcCoreDevVpcLogGroupB93F8F61:
    DeletionPolicy: Retain
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/DevVpcLogGroup/Resource
    Properties:
      RetentionInDays: 731
    Type: AWS::Logs::LogGroup
    UpdateReplacePolicy: Retain
  VpcCoreDevelopment37E2B994:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/Development/Resource
    Properties:
      CidrBlock: 10.60.0.0/16
      EnableDnsHostnames: true
      EnableDnsSupport: true
      InstanceTenancy: default
      Tags:
        - Key: Name
          Value: AwsBiotechBlueprint/VpcCore/Development
    Type: AWS::EC2::VPC
  VpcCoreDevelopmentApplicationSubnet1DefaultRoute1731A859:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/Development/ApplicationSubnet1/DefaultRoute
    Properties:
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId:
        Ref: VpcCoreDevelopmentDMZSubnet1NATGatewayD5175E96
      RouteTableId:
        Ref: VpcCoreDevelopmentApplicationSubnet1RouteTableD5BB8081
    Type: AWS::EC2::Route
  VpcCoreDevelopmentApplicationSubnet1RouteTableAssociationFD1A2A22:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/Development/ApplicationSubnet1/RouteTableAssociation
    Properties:
      RouteTableId:
        Ref: VpcCoreDevelopmentApplicationSubnet1RouteTableD5BB8081
      SubnetId:
        Ref: VpcCoreDevelopmentApplicationSubnet1Subnet5A750B62
    Type: AWS::EC2::SubnetRouteTableAssociation
  VpcCoreDevelopmentApplicationSubnet1RouteTableD5BB8081:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/Development/ApplicationSubnet1/RouteTable
    Properties:
      Tags:
        - Key: Name
          Value: AwsBiotechBlueprint/VpcCore/Development/ApplicationSubnet1
      VpcId:
        Ref: VpcCoreDevelopment37E2B994
    Type: AWS::EC2::RouteTable
  VpcCoreDevelopmentApplicationSubnet1Subnet5A750B62:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/Development/ApplicationSubnet1/Subnet
    Properties:
      AvailabilityZone:
        Fn::Select:
          - 0
          - Fn::GetAZs: ''
      CidrBlock: 10.60.4.0/23
      MapPublicIpOnLaunch: false
      Tags:
        - Key: aws-cdk:subnet-name
          Value: Application
        - Key: aws-cdk:subnet-type
          Value: Private
        - Key: Name
          Value: AwsBiotechBlueprint/VpcCore/Development/ApplicationSubnet1
      VpcId:
        Ref: VpcCoreDevelopment37E2B994
    Type: AWS::EC2::Subnet
  VpcCoreDevelopmentApplicationSubnet2DefaultRouteA9C5EE12:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/Development/ApplicationSubnet2/DefaultRoute
    Properties:
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId:
        Ref: VpcCoreDevelopmentDMZSubnet1NATGatewayD5175E96
      RouteTableId:
        Ref: VpcCoreDevelopmentApplicationSubnet2RouteTableFDC2C351
    Type: AWS::EC2::Route
  VpcCoreDevelopmentApplicationSubnet2RouteTableAssociation7C43FB1B:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/Development/ApplicationSubnet2/RouteTableAssociation
    Properties:
      RouteTableId:
        Ref: VpcCoreDevelopmentApplicationSubnet2RouteTableFDC2C351
      SubnetId:
        Ref: VpcCoreDevelopmentApplicationSubnet2Subnet3230F190
    Type: AWS::EC2::SubnetRouteTableAssociation
  VpcCoreDevelopmentApplicationSubnet2RouteTableFDC2C351:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/Development/ApplicationSubnet2/RouteTable
    Properties:
      Tags:
        - Key: Name
          Value: AwsBiotechBlueprint/VpcCore/Development/ApplicationSubnet2
      VpcId:
        Ref: VpcCoreDevelopment37E2B994
    Type: AWS::EC2::RouteTable
  VpcCoreDevelopmentApplicationSubnet2Subnet3230F190:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/Development/ApplicationSubnet2/Subnet
    Properties:
      AvailabilityZone:
        Fn::Select:
          - 1
          - Fn::GetAZs: ''
      CidrBlock: 10.60.6.0/23
      MapPublicIpOnLaunch: false
      Tags:
        - Key: aws-cdk:subnet-name
          Value: Application
        - Key: aws-cdk:subnet-type
          Value: Private
        - Key: Name
          Value: AwsBiotechBlueprint/VpcCore/Development/ApplicationSubnet2
      VpcId:
        Ref: VpcCoreDevelopment37E2B994
    Type: AWS::EC2::Subnet
  VpcCoreDevelopmentDMZSubnet1DefaultRouteC1A58F2B:
    DependsOn:
      - VpcCoreDevelopmentVPCGW9558AC45
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/Development/DMZSubnet1/DefaultRoute
    Properties:
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId:
        Ref: VpcCoreDevelopmentIGWAD83048D
      RouteTableId:
        Ref: VpcCoreDevelopmentDMZSubnet1RouteTable8E3AF8CC
    Type: AWS::EC2::Route
  VpcCoreDevelopmentDMZSubnet1EIP58CD3212:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/Development/DMZSubnet1/EIP
    Properties:
      Domain: vpc
      Tags:
        - Key: Name
          Value: AwsBiotechBlueprint/VpcCore/Development/DMZSubnet1
    Type: AWS::EC2::EIP
  VpcCoreDevelopmentDMZSubnet1NATGatewayD5175E96:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/Development/DMZSubnet1/NATGateway
    Properties:
      AllocationId:
        Fn::GetAtt:
          - VpcCoreDevelopmentDMZSubnet1EIP58CD3212
          - AllocationId
      SubnetId:
        Ref: VpcCoreDevelopmentDMZSubnet1SubnetD48B44F5
      Tags:
        - Key: Name
          Value: AwsBiotechBlueprint/VpcCore/Development/DMZSubnet1
    Type: AWS::EC2::NatGateway
  VpcCoreDevelopmentDMZSubnet1RouteTable8E3AF8CC:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/Development/DMZSubnet1/RouteTable
    Properties:
      Tags:
        - Key: Name
          Value: AwsBiotechBlueprint/VpcCore/Development/DMZSubnet1
      VpcId:
        Ref: VpcCoreDevelopment37E2B994
    Type: AWS::EC2::RouteTable
  VpcCoreDevelopmentDMZSubnet1RouteTableAssociationB1D7A6B7:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/Development/DMZSubnet1/RouteTableAssociation
    Properties:
      RouteTableId:
        Ref: VpcCoreDevelopmentDMZSubnet1RouteTable8E3AF8CC
      SubnetId:
        Ref: VpcCoreDevelopmentDMZSubnet1SubnetD48B44F5
    Type: AWS::EC2::SubnetRouteTableAssociation
  VpcCoreDevelopmentDMZSubnet1SubnetD48B44F5:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/Development/DMZSubnet1/Subnet
    Properties:
      AvailabilityZone:
        Fn::Select:
          - 0
          - Fn::GetAZs: ''
      CidrBlock: 10.60.0.0/23
      MapPublicIpOnLaunch: true
      Tags:
        - Key: aws-cdk:subnet-name
          Value: DMZ
        - Key: aws-cdk:subnet-type
          Value: Public
        - Key: Name
          Value: AwsBiotechBlueprint/VpcCore/Development/DMZSubnet1
      VpcId:
        Ref: VpcCoreDevelopment37E2B994
    Type: AWS::EC2::Subnet
  VpcCoreDevelopmentDMZSubnet2DefaultRoute705CC16F:
    DependsOn:
      - VpcCoreDevelopmentVPCGW9558AC45
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/Development/DMZSubnet2/DefaultRoute
    Properties:
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId:
        Ref: VpcCoreDevelopmentIGWAD83048D
      RouteTableId:
        Ref: VpcCoreDevelopmentDMZSubnet2RouteTable1EB1E7D2
    Type: AWS::EC2::Route
  VpcCoreDevelopmentDMZSubnet2RouteTable1EB1E7D2:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/Development/DMZSubnet2/RouteTable
    Properties:
      Tags:
        - Key: Name
          Value: AwsBiotechBlueprint/VpcCore/Development/DMZSubnet2
      VpcId:
        Ref: VpcCoreDevelopment37E2B994
    Type: AWS::EC2::RouteTable
  VpcCoreDevelopmentDMZSubnet2RouteTableAssociationAD80DA52:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/Development/DMZSubnet2/RouteTableAssociation
    Properties:
      RouteTableId:
        Ref: VpcCoreDevelopmentDMZSubnet2RouteTable1EB1E7D2
      SubnetId:
        Ref: VpcCoreDevelopmentDMZSubnet2SubnetD5020296
    Type: AWS::EC2::SubnetRouteTableAssociation
  VpcCoreDevelopmentDMZSubnet2SubnetD5020296:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/Development/DMZSubnet2/Subnet
    Properties:
      AvailabilityZone:
        Fn::Select:
          - 1
          - Fn::GetAZs: ''
      CidrBlock: 10.60.2.0/23
      MapPublicIpOnLaunch: true
      Tags:
        - Key: aws-cdk:subnet-name
          Value: DMZ
        - Key: aws-cdk:subnet-type
          Value: Public
        - Key: Name
          Value: AwsBiotechBlueprint/VpcCore/Development/DMZSubnet2
      VpcId:
        Ref: VpcCoreDevelopment37E2B994
    Type: AWS::EC2::Subnet
  VpcCoreDevelopmentDatabaseSubnet1RouteTableAssociation386F1245:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/Development/DatabaseSubnet1/RouteTableAssociation
    Properties:
      RouteTableId:
        Ref: VpcCoreDevelopmentDatabaseSubnet1RouteTableB0F16F62
      SubnetId:
        Ref: VpcCoreDevelopmentDatabaseSubnet1Subnet08D67DFC
    Type: AWS::EC2::SubnetRouteTableAssociation
  VpcCoreDevelopmentDatabaseSubnet1RouteTableB0F16F62:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/Development/DatabaseSubnet1/RouteTable
    Properties:
      Tags:
        - Key: Name
          Value: AwsBiotechBlueprint/VpcCore/Development/DatabaseSubnet1
      VpcId:
        Ref: VpcCoreDevelopment37E2B994
    Type: AWS::EC2::RouteTable
  VpcCoreDevelopmentDatabaseSubnet1Subnet08D67DFC:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/Development/DatabaseSubnet1/Subnet
    Properties:
      AvailabilityZone:
        Fn::Select:
          - 0
          - Fn::GetAZs: ''
      CidrBlock: 10.60.8.0/23
      MapPublicIpOnLaunch: false
      Tags:
        - Key: aws-cdk:subnet-name
          Value: Database
        - Key: aws-cdk:subnet-type
          Value: Isolated
        - Key: Name
          Value: AwsBiotechBlueprint/VpcCore/Development/DatabaseSubnet1
      VpcId:
        Ref: VpcCoreDevelopment37E2B994
    Type: AWS::EC2::Subnet
  VpcCoreDevelopmentDatabaseSubnet2RouteTable07847265:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/Development/DatabaseSubnet2/RouteTable
    Properties:
      Tags:
        - Key: Name
          Value: AwsBiotechBlueprint/VpcCore/Development/DatabaseSubnet2
      VpcId:
        Ref: VpcCoreDevelopment37E2B994
    Type: AWS::EC2::RouteTable
  VpcCoreDevelopmentDatabaseSubnet2RouteTableAssociation43E36BB0:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/Development/DatabaseSubnet2/RouteTableAssociation
    Properties:
      RouteTableId:
        Ref: VpcCoreDevelopmentDatabaseSubnet2RouteTable07847265
      SubnetId:
        Ref: VpcCoreDevelopmentDatabaseSubnet2Subnet05D038F0
    Type: AWS::EC2::SubnetRouteTableAssociation
  VpcCoreDevelopmentDatabaseSubnet2Subnet05D038F0:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/Development/DatabaseSubnet2/Subnet
    Properties:
      AvailabilityZone:
        Fn::Select:
          - 1
          - Fn::GetAZs: ''
      CidrBlock: 10.60.10.0/23
      MapPublicIpOnLaunch: false
      Tags:
        - Key: aws-cdk:subnet-name
          Value: Database
        - Key: aws-cdk:subnet-type
          Value: Isolated
        - Key: Name
          Value: AwsBiotechBlueprint/VpcCore/Development/DatabaseSubnet2
      VpcId:
        Ref: VpcCoreDevelopment37E2B994
    Type: AWS::EC2::Subnet
  VpcCoreDevelopmentIGWAD83048D:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/Development/IGW
    Properties:
      Tags:
        - Key: Name
          Value: AwsBiotechBlueprint/VpcCore/Development
    Type: AWS::EC2::InternetGateway
  VpcCoreDevelopmentS37F7BBD0F:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/Development/S3/Resource
    Properties:
      RouteTableIds:
        - Ref: VpcCoreDevelopmentApplicationSubnet1RouteTableD5BB8081
        - Ref: VpcCoreDevelopmentApplicationSubnet2RouteTableFDC2C351
        - Ref: VpcCoreDevelopmentDMZSubnet1RouteTable8E3AF8CC
        - Ref: VpcCoreDevelopmentDMZSubnet2RouteTable1EB1E7D2
        - Ref: VpcCoreDevelopmentDatabaseSubnet1RouteTableB0F16F62
        - Ref: VpcCoreDevelopmentDatabaseSubnet2RouteTable07847265
      ServiceName:
        Fn::Join:
          - ''
          - - com.amazonaws.
            - Ref: AWS::Region
            - .s3
      VpcEndpointType: Gateway
      VpcId:
        Ref: VpcCoreDevelopment37E2B994
    Type: AWS::EC2::VPCEndpoint
  VpcCoreDevelopmentVPCGW9558AC45:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/Development/VPCGW
    Properties:
      InternetGatewayId:
        Ref: VpcCoreDevelopmentIGWAD83048D
      VpcId:
        Ref: VpcCoreDevelopment37E2B994
    Type: AWS::EC2::VPCGatewayAttachment
  VpcCoreDevlowLogFlowLog6008C134:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/DevlowLog/FlowLog
    Properties:
      DeliverLogsPermissionArn:
        Fn::GetAtt:
          - VpcCorevpcLogGroupRole0DE2B7DA
          - Arn
      LogDestinationType: cloud-watch-logs
      LogGroupName:
        Ref: VpcCoreDevVpcLogGroupB93F8F61
      ResourceId:
        Ref: VpcCoreDevelopment37E2B994
      ResourceType: VPC
      TrafficType: ALL
    Type: AWS::EC2::FlowLog
  VpcCoreManagment030DB556:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/Managment/Resource
    Properties:
      CidrBlock: 10.70.0.0/16
      EnableDnsHostnames: true
      EnableDnsSupport: true
      InstanceTenancy: default
      Tags:
        - Key: Name
          Value: AwsBiotechBlueprint/VpcCore/Managment
    Type: AWS::EC2::VPC
  VpcCoreManagmentApplicationSubnet1DefaultRoute2CE87E61:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/Managment/ApplicationSubnet1/DefaultRoute
    Properties:
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId:
        Ref: VpcCoreManagmentDMZSubnet1NATGatewayC5BFB186
      RouteTableId:
        Ref: VpcCoreManagmentApplicationSubnet1RouteTable12C52E22
    Type: AWS::EC2::Route
  VpcCoreManagmentApplicationSubnet1RouteTable12C52E22:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/Managment/ApplicationSubnet1/RouteTable
    Properties:
      Tags:
        - Key: Name
          Value: AwsBiotechBlueprint/VpcCore/Managment/ApplicationSubnet1
      VpcId:
        Ref: VpcCoreManagment030DB556
    Type: AWS::EC2::RouteTable
  VpcCoreManagmentApplicationSubnet1RouteTableAssociation06F8E2E2:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/Managment/ApplicationSubnet1/RouteTableAssociation
    Properties:
      RouteTableId:
        Ref: VpcCoreManagmentApplicationSubnet1RouteTable12C52E22
      SubnetId:
        Ref: VpcCoreManagmentApplicationSubnet1Subnet1DE5C8C4
    Type: AWS::EC2::SubnetRouteTableAssociation
  VpcCoreManagmentApplicationSubnet1Subnet1DE5C8C4:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/Managment/ApplicationSubnet1/Subnet
    Properties:
      AvailabilityZone:
        Fn::Select:
          - 0
          - Fn::GetAZs: ''
      CidrBlock: 10.70.4.0/23
      MapPublicIpOnLaunch: false
      Tags:
        - Key: aws-cdk:subnet-name
          Value: Application
        - Key: aws-cdk:subnet-type
          Value: Private
        - Key: Name
          Value: AwsBiotechBlueprint/VpcCore/Managment/ApplicationSubnet1
      VpcId:
        Ref: VpcCoreManagment030DB556
    Type: AWS::EC2::Subnet
  VpcCoreManagmentApplicationSubnet2DefaultRoute05B09043:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/Managment/ApplicationSubnet2/DefaultRoute
    Properties:
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId:
        Ref: VpcCoreManagmentDMZSubnet1NATGatewayC5BFB186
      RouteTableId:
        Ref: VpcCoreManagmentApplicationSubnet2RouteTableFD53ABE8
    Type: AWS::EC2::Route
  VpcCoreManagmentApplicationSubnet2RouteTableAssociationD38A75C2:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/Managment/ApplicationSubnet2/RouteTableAssociation
    Properties:
      RouteTableId:
        Ref: VpcCoreManagmentApplicationSubnet2RouteTableFD53ABE8
      SubnetId:
        Ref: VpcCoreManagmentApplicationSubnet2SubnetF1B8CE48
    Type: AWS::EC2::SubnetRouteTableAssociation
  VpcCoreManagmentApplicationSubnet2RouteTableFD53ABE8:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/Managment/ApplicationSubnet2/RouteTable
    Properties:
      Tags:
        - Key: Name
          Value: AwsBiotechBlueprint/VpcCore/Managment/ApplicationSubnet2
      VpcId:
        Ref: VpcCoreManagment030DB556
    Type: AWS::EC2::RouteTable
  VpcCoreManagmentApplicationSubnet2SubnetF1B8CE48:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/Managment/ApplicationSubnet2/Subnet
    Properties:
      AvailabilityZone:
        Fn::Select:
          - 1
          - Fn::GetAZs: ''
      CidrBlock: 10.70.6.0/23
      MapPublicIpOnLaunch: false
      Tags:
        - Key: aws-cdk:subnet-name
          Value: Application
        - Key: aws-cdk:subnet-type
          Value: Private
        - Key: Name
          Value: AwsBiotechBlueprint/VpcCore/Managment/ApplicationSubnet2
      VpcId:
        Ref: VpcCoreManagment030DB556
    Type: AWS::EC2::Subnet
  VpcCoreManagmentDMZSubnet1DefaultRouteB7ED8FC9:
    DependsOn:
      - VpcCoreManagmentVPCGW52A2E34D
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/Managment/DMZSubnet1/DefaultRoute
    Properties:
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId:
        Ref: VpcCoreManagmentIGWE905604F
      RouteTableId:
        Ref: VpcCoreManagmentDMZSubnet1RouteTableA3569583
    Type: AWS::EC2::Route
  VpcCoreManagmentDMZSubnet1EIP7EFCA2AF:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/Managment/DMZSubnet1/EIP
    Properties:
      Domain: vpc
      Tags:
        - Key: Name
          Value: AwsBiotechBlueprint/VpcCore/Managment/DMZSubnet1
    Type: AWS::EC2::EIP
  VpcCoreManagmentDMZSubnet1NATGatewayC5BFB186:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/Managment/DMZSubnet1/NATGateway
    Properties:
      AllocationId:
        Fn::GetAtt:
          - VpcCoreManagmentDMZSubnet1EIP7EFCA2AF
          - AllocationId
      SubnetId:
        Ref: VpcCoreManagmentDMZSubnet1Subnet3D4DB21E
      Tags:
        - Key: Name
          Value: AwsBiotechBlueprint/VpcCore/Managment/DMZSubnet1
    Type: AWS::EC2::NatGateway
  VpcCoreManagmentDMZSubnet1RouteTableA3569583:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/Managment/DMZSubnet1/RouteTable
    Properties:
      Tags:
        - Key: Name
          Value: AwsBiotechBlueprint/VpcCore/Managment/DMZSubnet1
      VpcId:
        Ref: VpcCoreManagment030DB556
    Type: AWS::EC2::RouteTable
  VpcCoreManagmentDMZSubnet1RouteTableAssociationCB71CE11:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/Managment/DMZSubnet1/RouteTableAssociation
    Properties:
      RouteTableId:
        Ref: VpcCoreManagmentDMZSubnet1RouteTableA3569583
      SubnetId:
        Ref: VpcCoreManagmentDMZSubnet1Subnet3D4DB21E
    Type: AWS::EC2::SubnetRouteTableAssociation
  VpcCoreManagmentDMZSubnet1Subnet3D4DB21E:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/Managment/DMZSubnet1/Subnet
    Properties:
      AvailabilityZone:
        Fn::Select:
          - 0
          - Fn::GetAZs: ''
      CidrBlock: 10.70.0.0/23
      MapPublicIpOnLaunch: true
      Tags:
        - Key: aws-cdk:subnet-name
          Value: DMZ
        - Key: aws-cdk:subnet-type
          Value: Public
        - Key: Name
          Value: AwsBiotechBlueprint/VpcCore/Managment/DMZSubnet1
      VpcId:
        Ref: VpcCoreManagment030DB556
    Type: AWS::EC2::Subnet
  VpcCoreManagmentDMZSubnet2DefaultRoute05771B64:
    DependsOn:
      - VpcCoreManagmentVPCGW52A2E34D
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/Managment/DMZSubnet2/DefaultRoute
    Properties:
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId:
        Ref: VpcCoreManagmentIGWE905604F
      RouteTableId:
        Ref: VpcCoreManagmentDMZSubnet2RouteTable6C5999E3
    Type: AWS::EC2::Route
  VpcCoreManagmentDMZSubnet2RouteTable6C5999E3:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/Managment/DMZSubnet2/RouteTable
    Properties:
      Tags:
        - Key: Name
          Value: AwsBiotechBlueprint/VpcCore/Managment/DMZSubnet2
      VpcId:
        Ref: VpcCoreManagment030DB556
    Type: AWS::EC2::RouteTable
  VpcCoreManagmentDMZSubnet2RouteTableAssociation642ADD19:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/Managment/DMZSubnet2/RouteTableAssociation
    Properties:
      RouteTableId:
        Ref: VpcCoreManagmentDMZSubnet2RouteTable6C5999E3
      SubnetId:
        Ref: VpcCoreManagmentDMZSubnet2SubnetB133424E
    Type: AWS::EC2::SubnetRouteTableAssociation
  VpcCoreManagmentDMZSubnet2SubnetB133424E:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/Managment/DMZSubnet2/Subnet
    Properties:
      AvailabilityZone:
        Fn::Select:
          - 1
          - Fn::GetAZs: ''
      CidrBlock: 10.70.2.0/23
      MapPublicIpOnLaunch: true
      Tags:
        - Key: aws-cdk:subnet-name
          Value: DMZ
        - Key: aws-cdk:subnet-type
          Value: Public
        - Key: Name
          Value: AwsBiotechBlueprint/VpcCore/Managment/DMZSubnet2
      VpcId:
        Ref: VpcCoreManagment030DB556
    Type: AWS::EC2::Subnet
  VpcCoreManagmentIGWE905604F:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/Managment/IGW
    Properties:
      Tags:
        - Key: Name
          Value: AwsBiotechBlueprint/VpcCore/Managment
    Type: AWS::EC2::InternetGateway
  VpcCoreManagmentToDevelopmentPeering3A7C248E:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/ManagmentToDevelopmentPeering
    Properties:
      PeerVpcId:
        Ref: VpcCoreDevelopment37E2B994
      VpcId:
        Ref: VpcCoreManagment030DB556
    Type: AWS::EC2::VPCPeeringConnection
  VpcCoreManagmentToProductionPeering22C33F18:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/ManagmentToProductionPeering
    Properties:
      PeerVpcId:
        Ref: VpcCoreProductionD971AE3A
      VpcId:
        Ref: VpcCoreManagment030DB556
    Type: AWS::EC2::VPCPeeringConnection
  VpcCoreManagmentVPCGW52A2E34D:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/Managment/VPCGW
    Properties:
      InternetGatewayId:
        Ref: VpcCoreManagmentIGWE905604F
      VpcId:
        Ref: VpcCoreManagment030DB556
    Type: AWS::EC2::VPCGatewayAttachment
  VpcCoreMgmtFlowLogF6131196:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/MgmtFlowLog/FlowLog
    Properties:
      DeliverLogsPermissionArn:
        Fn::GetAtt:
          - VpcCorevpcLogGroupRole0DE2B7DA
          - Arn
      LogDestinationType: cloud-watch-logs
      LogGroupName:
        Ref: VpcCoreMgmtVpcLogGroup57411704
      ResourceId:
        Ref: VpcCoreManagment030DB556
      ResourceType: VPC
      TrafficType: ALL
    Type: AWS::EC2::FlowLog
  VpcCoreMgmtLogRtention363D019E:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/MgmtLogRtention/Resource
    Properties:
      LogGroupName:
        Ref: VpcCoreMgmtVpcLogGroup57411704
      RetentionInDays: 14
      SdkRetry:
        base: 1800000
        maxRetries: 3
      ServiceToken:
        Fn::GetAtt:
          - LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aFD4BFC8A
          - Arn
    Type: Custom::LogRetention
  VpcCoreMgmtVpcLogGroup57411704:
    DeletionPolicy: Retain
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/MgmtVpcLogGroup/Resource
    Properties:
      RetentionInDays: 731
    Type: AWS::Logs::LogGroup
    UpdateReplacePolicy: Retain
  VpcCoreProdFlowLog514212F0:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/ProdFlowLog/FlowLog
    Properties:
      DeliverLogsPermissionArn:
        Fn::GetAtt:
          - VpcCorevpcLogGroupRole0DE2B7DA
          - Arn
      LogDestinationType: cloud-watch-logs
      LogGroupName:
        Ref: VpcCoreProductionVpcLogGroup8B46D99C
      ResourceId:
        Ref: VpcCoreProductionD971AE3A
      ResourceType: VPC
      TrafficType: ALL
    Type: AWS::EC2::FlowLog
  VpcCoreProdLogRetention4C6205DA:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/ProdLogRetention/Resource
    Properties:
      LogGroupName:
        Ref: VpcCoreProductionVpcLogGroup8B46D99C
      RetentionInDays: 30
      SdkRetry:
        base: 1800000
        maxRetries: 3
      ServiceToken:
        Fn::GetAtt:
          - LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aFD4BFC8A
          - Arn
    Type: Custom::LogRetention
  VpcCoreProductionApplicationSubnet1DefaultRouteA2D6D34E:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/Production/ApplicationSubnet1/DefaultRoute
    Properties:
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId:
        Ref: VpcCoreProductionDMZSubnet1NATGatewayC224625E
      RouteTableId:
        Ref: VpcCoreProductionApplicationSubnet1RouteTableC5D4BB39
    Type: AWS::EC2::Route
  VpcCoreProductionApplicationSubnet1RouteTableAssociation7EDAC97B:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/Production/ApplicationSubnet1/RouteTableAssociation
    Properties:
      RouteTableId:
        Ref: VpcCoreProductionApplicationSubnet1RouteTableC5D4BB39
      SubnetId:
        Ref: VpcCoreProductionApplicationSubnet1SubnetE209B72D
    Type: AWS::EC2::SubnetRouteTableAssociation
  VpcCoreProductionApplicationSubnet1RouteTableC5D4BB39:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/Production/ApplicationSubnet1/RouteTable
    Properties:
      Tags:
        - Key: Name
          Value: AwsBiotechBlueprint/VpcCore/Production/ApplicationSubnet1
      VpcId:
        Ref: VpcCoreProductionD971AE3A
    Type: AWS::EC2::RouteTable
  VpcCoreProductionApplicationSubnet1SubnetE209B72D:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/Production/ApplicationSubnet1/Subnet
    Properties:
      AvailabilityZone:
        Fn::Select:
          - 0
          - Fn::GetAZs: ''
      CidrBlock: 10.50.4.0/23
      MapPublicIpOnLaunch: false
      Tags:
        - Key: aws-cdk:subnet-name
          Value: Application
        - Key: aws-cdk:subnet-type
          Value: Private
        - Key: Name
          Value: AwsBiotechBlueprint/VpcCore/Production/ApplicationSubnet1
      VpcId:
        Ref: VpcCoreProductionD971AE3A
    Type: AWS::EC2::Subnet
  VpcCoreProductionApplicationSubnet2DefaultRoute115CEEEB:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/Production/ApplicationSubnet2/DefaultRoute
    Properties:
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId:
        Ref: VpcCoreProductionDMZSubnet1NATGatewayC224625E
      RouteTableId:
        Ref: VpcCoreProductionApplicationSubnet2RouteTable4DF63A0C
    Type: AWS::EC2::Route
  VpcCoreProductionApplicationSubnet2RouteTable4DF63A0C:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/Production/ApplicationSubnet2/RouteTable
    Properties:
      Tags:
        - Key: Name
          Value: AwsBiotechBlueprint/VpcCore/Production/ApplicationSubnet2
      VpcId:
        Ref: VpcCoreProductionD971AE3A
    Type: AWS::EC2::RouteTable
  VpcCoreProductionApplicationSubnet2RouteTableAssociation7D462ED9:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/Production/ApplicationSubnet2/RouteTableAssociation
    Properties:
      RouteTableId:
        Ref: VpcCoreProductionApplicationSubnet2RouteTable4DF63A0C
      SubnetId:
        Ref: VpcCoreProductionApplicationSubnet2SubnetFF60B9F3
    Type: AWS::EC2::SubnetRouteTableAssociation
  VpcCoreProductionApplicationSubnet2SubnetFF60B9F3:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/Production/ApplicationSubnet2/Subnet
    Properties:
      AvailabilityZone:
        Fn::Select:
          - 1
          - Fn::GetAZs: ''
      CidrBlock: 10.50.6.0/23
      MapPublicIpOnLaunch: false
      Tags:
        - Key: aws-cdk:subnet-name
          Value: Application
        - Key: aws-cdk:subnet-type
          Value: Private
        - Key: Name
          Value: AwsBiotechBlueprint/VpcCore/Production/ApplicationSubnet2
      VpcId:
        Ref: VpcCoreProductionD971AE3A
    Type: AWS::EC2::Subnet
  VpcCoreProductionD971AE3A:
    Metadata:
      aws:cdk:path: AwsBiotechBlueprint/VpcCore/Production/Resource
    Properties:
      CidrBlock: 10.50.0.0/16
      EnableDnsHostnames: true
      EnableDnsSupport: true
      InstanceTenancy: default
      Tags:
        - Key: Name
          Value: AwsBiotechBlueprint/VpcCore/Production
    Type:
AWS::EC2::VPC VpcCoreProductionDMZSubnet1DefaultRoute078E8974: DependsOn: - VpcCoreProductionVPCGW30B6BDB2 Metadata: aws:cdk:path: AwsBiotechBlueprint/VpcCore/Production/DMZSubnet1/DefaultRoute Properties: DestinationCidrBlock: 0.0.0.0/0 GatewayId: Ref: VpcCoreProductionIGW5A93E1A8 RouteTableId: Ref: VpcCoreProductionDMZSubnet1RouteTable93117E8B Type: AWS::EC2::Route VpcCoreProductionDMZSubnet1EIP624812A4: Metadata: aws:cdk:path: AwsBiotechBlueprint/VpcCore/Production/DMZSubnet1/EIP Properties: Domain: vpc Tags: - Key: Name Value: AwsBiotechBlueprint/VpcCore/Production/DMZSubnet1 Type: AWS::EC2::EIP VpcCoreProductionDMZSubnet1NATGatewayC224625E: Metadata: aws:cdk:path: AwsBiotechBlueprint/VpcCore/Production/DMZSubnet1/NATGateway Properties: AllocationId: Fn::GetAtt: - VpcCoreProductionDMZSubnet1EIP624812A4 - AllocationId SubnetId: Ref: VpcCoreProductionDMZSubnet1Subnet8CB63360 Tags: - Key: Name Value: AwsBiotechBlueprint/VpcCore/Production/DMZSubnet1 Type: AWS::EC2::NatGateway VpcCoreProductionDMZSubnet1RouteTable93117E8B: Metadata: aws:cdk:path: AwsBiotechBlueprint/VpcCore/Production/DMZSubnet1/RouteTable Properties: Tags: - Key: Name Value: AwsBiotechBlueprint/VpcCore/Production/DMZSubnet1 VpcId: Ref: VpcCoreProductionD971AE3A Type: AWS::EC2::RouteTable VpcCoreProductionDMZSubnet1RouteTableAssociation4C99EF6F: Metadata: aws:cdk:path: AwsBiotechBlueprint/VpcCore/Production/DMZSubnet1/RouteTableAssociation Properties: RouteTableId: Ref: VpcCoreProductionDMZSubnet1RouteTable93117E8B SubnetId: Ref: VpcCoreProductionDMZSubnet1Subnet8CB63360 Type: AWS::EC2::SubnetRouteTableAssociation VpcCoreProductionDMZSubnet1Subnet8CB63360: Metadata: aws:cdk:path: AwsBiotechBlueprint/VpcCore/Production/DMZSubnet1/Subnet Properties: AvailabilityZone: Fn::Select: - 0 - Fn::GetAZs: '' CidrBlock: 10.50.0.0/23 MapPublicIpOnLaunch: true Tags: - Key: aws-cdk:subnet-name Value: DMZ - Key: aws-cdk:subnet-type Value: Public - Key: Name Value: AwsBiotechBlueprint/VpcCore/Production/DMZSubnet1 
VpcId: Ref: VpcCoreProductionD971AE3A Type: AWS::EC2::Subnet VpcCoreProductionDMZSubnet2DefaultRoute3F9FD113: DependsOn: - VpcCoreProductionVPCGW30B6BDB2 Metadata: aws:cdk:path: AwsBiotechBlueprint/VpcCore/Production/DMZSubnet2/DefaultRoute Properties: DestinationCidrBlock: 0.0.0.0/0 GatewayId: Ref: VpcCoreProductionIGW5A93E1A8 RouteTableId: Ref: VpcCoreProductionDMZSubnet2RouteTable280A8E86 Type: AWS::EC2::Route VpcCoreProductionDMZSubnet2RouteTable280A8E86: Metadata: aws:cdk:path: AwsBiotechBlueprint/VpcCore/Production/DMZSubnet2/RouteTable Properties: Tags: - Key: Name Value: AwsBiotechBlueprint/VpcCore/Production/DMZSubnet2 VpcId: Ref: VpcCoreProductionD971AE3A Type: AWS::EC2::RouteTable VpcCoreProductionDMZSubnet2RouteTableAssociation1698D572: Metadata: aws:cdk:path: AwsBiotechBlueprint/VpcCore/Production/DMZSubnet2/RouteTableAssociation Properties: RouteTableId: Ref: VpcCoreProductionDMZSubnet2RouteTable280A8E86 SubnetId: Ref: VpcCoreProductionDMZSubnet2Subnet544A7F20 Type: AWS::EC2::SubnetRouteTableAssociation VpcCoreProductionDMZSubnet2Subnet544A7F20: Metadata: aws:cdk:path: AwsBiotechBlueprint/VpcCore/Production/DMZSubnet2/Subnet Properties: AvailabilityZone: Fn::Select: - 1 - Fn::GetAZs: '' CidrBlock: 10.50.2.0/23 MapPublicIpOnLaunch: true Tags: - Key: aws-cdk:subnet-name Value: DMZ - Key: aws-cdk:subnet-type Value: Public - Key: Name Value: AwsBiotechBlueprint/VpcCore/Production/DMZSubnet2 VpcId: Ref: VpcCoreProductionD971AE3A Type: AWS::EC2::Subnet VpcCoreProductionDatabaseSubnet1RouteTable4189D151: Metadata: aws:cdk:path: AwsBiotechBlueprint/VpcCore/Production/DatabaseSubnet1/RouteTable Properties: Tags: - Key: Name Value: AwsBiotechBlueprint/VpcCore/Production/DatabaseSubnet1 VpcId: Ref: VpcCoreProductionD971AE3A Type: AWS::EC2::RouteTable VpcCoreProductionDatabaseSubnet1RouteTableAssociationD1A8D4E9: Metadata: aws:cdk:path: AwsBiotechBlueprint/VpcCore/Production/DatabaseSubnet1/RouteTableAssociation Properties: RouteTableId: Ref: 
VpcCoreProductionDatabaseSubnet1RouteTable4189D151 SubnetId: Ref: VpcCoreProductionDatabaseSubnet1Subnet09EF33D9 Type: AWS::EC2::SubnetRouteTableAssociation VpcCoreProductionDatabaseSubnet1Subnet09EF33D9: Metadata: aws:cdk:path: AwsBiotechBlueprint/VpcCore/Production/DatabaseSubnet1/Subnet Properties: AvailabilityZone: Fn::Select: - 0 - Fn::GetAZs: '' CidrBlock: 10.50.8.0/23 MapPublicIpOnLaunch: false Tags: - Key: aws-cdk:subnet-name Value: Database - Key: aws-cdk:subnet-type Value: Isolated - Key: Name Value: AwsBiotechBlueprint/VpcCore/Production/DatabaseSubnet1 VpcId: Ref: VpcCoreProductionD971AE3A Type: AWS::EC2::Subnet VpcCoreProductionDatabaseSubnet2RouteTable72412D1A: Metadata: aws:cdk:path: AwsBiotechBlueprint/VpcCore/Production/DatabaseSubnet2/RouteTable Properties: Tags: - Key: Name Value: AwsBiotechBlueprint/VpcCore/Production/DatabaseSubnet2 VpcId: Ref: VpcCoreProductionD971AE3A Type: AWS::EC2::RouteTable VpcCoreProductionDatabaseSubnet2RouteTableAssociation63113979: Metadata: aws:cdk:path: AwsBiotechBlueprint/VpcCore/Production/DatabaseSubnet2/RouteTableAssociation Properties: RouteTableId: Ref: VpcCoreProductionDatabaseSubnet2RouteTable72412D1A SubnetId: Ref: VpcCoreProductionDatabaseSubnet2Subnet128DE8A2 Type: AWS::EC2::SubnetRouteTableAssociation VpcCoreProductionDatabaseSubnet2Subnet128DE8A2: Metadata: aws:cdk:path: AwsBiotechBlueprint/VpcCore/Production/DatabaseSubnet2/Subnet Properties: AvailabilityZone: Fn::Select: - 1 - Fn::GetAZs: '' CidrBlock: 10.50.10.0/23 MapPublicIpOnLaunch: false Tags: - Key: aws-cdk:subnet-name Value: Database - Key: aws-cdk:subnet-type Value: Isolated - Key: Name Value: AwsBiotechBlueprint/VpcCore/Production/DatabaseSubnet2 VpcId: Ref: VpcCoreProductionD971AE3A Type: AWS::EC2::Subnet VpcCoreProductionIGW5A93E1A8: Metadata: aws:cdk:path: AwsBiotechBlueprint/VpcCore/Production/IGW Properties: Tags: - Key: Name Value: AwsBiotechBlueprint/VpcCore/Production Type: AWS::EC2::InternetGateway VpcCoreProductionS39B8E42EB: 
Metadata: aws:cdk:path: AwsBiotechBlueprint/VpcCore/Production/S3/Resource Properties: RouteTableIds: - Ref: VpcCoreProductionApplicationSubnet1RouteTableC5D4BB39 - Ref: VpcCoreProductionApplicationSubnet2RouteTable4DF63A0C - Ref: VpcCoreProductionDMZSubnet1RouteTable93117E8B - Ref: VpcCoreProductionDMZSubnet2RouteTable280A8E86 - Ref: VpcCoreProductionDatabaseSubnet1RouteTable4189D151 - Ref: VpcCoreProductionDatabaseSubnet2RouteTable72412D1A ServiceName: Fn::Join: - '' - - com.amazonaws. - Ref: AWS::Region - .s3 VpcEndpointType: Gateway VpcId: Ref: VpcCoreProductionD971AE3A Type: AWS::EC2::VPCEndpoint VpcCoreProductionVPCGW30B6BDB2: Metadata: aws:cdk:path: AwsBiotechBlueprint/VpcCore/Production/VPCGW Properties: InternetGatewayId: Ref: VpcCoreProductionIGW5A93E1A8 VpcId: Ref: VpcCoreProductionD971AE3A Type: AWS::EC2::VPCGatewayAttachment VpcCoreProductionVpcLogGroup8B46D99C: DeletionPolicy: Retain Metadata: aws:cdk:path: AwsBiotechBlueprint/VpcCore/ProductionVpcLogGroup/Resource Properties: RetentionInDays: 731 Type: AWS::Logs::LogGroup UpdateReplacePolicy: Retain VpcCoredevIsolatedToMgmt06FAE198F: Metadata: aws:cdk:path: AwsBiotechBlueprint/VpcCore/devIsolatedToMgmt-0 Properties: DestinationCidrBlock: Fn::GetAtt: - VpcCoreManagment030DB556 - CidrBlock RouteTableId: Ref: VpcCoreDevelopmentDatabaseSubnet1RouteTableB0F16F62 VpcPeeringConnectionId: Ref: VpcCoreManagmentToDevelopmentPeering3A7C248E Type: AWS::EC2::Route VpcCoredevIsolatedToMgmt1D9C968A0: Metadata: aws:cdk:path: AwsBiotechBlueprint/VpcCore/devIsolatedToMgmt-1 Properties: DestinationCidrBlock: Fn::GetAtt: - VpcCoreManagment030DB556 - CidrBlock RouteTableId: Ref: VpcCoreDevelopmentDatabaseSubnet2RouteTable07847265 VpcPeeringConnectionId: Ref: VpcCoreManagmentToDevelopmentPeering3A7C248E Type: AWS::EC2::Route VpcCoredevPrivateToMgmt015322763: Metadata: aws:cdk:path: AwsBiotechBlueprint/VpcCore/devPrivateToMgmt-0 Properties: DestinationCidrBlock: Fn::GetAtt: - VpcCoreManagment030DB556 - CidrBlock 
RouteTableId: Ref: VpcCoreDevelopmentApplicationSubnet1RouteTableD5BB8081 VpcPeeringConnectionId: Ref: VpcCoreManagmentToDevelopmentPeering3A7C248E Type: AWS::EC2::Route VpcCoredevPrivateToMgmt18C0769D9: Metadata: aws:cdk:path: AwsBiotechBlueprint/VpcCore/devPrivateToMgmt-1 Properties: DestinationCidrBlock: Fn::GetAtt: - VpcCoreManagment030DB556 - CidrBlock RouteTableId: Ref: VpcCoreDevelopmentApplicationSubnet2RouteTableFDC2C351 VpcPeeringConnectionId: Ref: VpcCoreManagmentToDevelopmentPeering3A7C248E Type: AWS::EC2::Route VpcCoredevPublicToMgmt0A0CBE086: Metadata: aws:cdk:path: AwsBiotechBlueprint/VpcCore/devPublicToMgmt-0 Properties: DestinationCidrBlock: Fn::GetAtt: - VpcCoreManagment030DB556 - CidrBlock RouteTableId: Ref: VpcCoreDevelopmentDMZSubnet1RouteTable8E3AF8CC VpcPeeringConnectionId: Ref: VpcCoreManagmentToDevelopmentPeering3A7C248E Type: AWS::EC2::Route VpcCoredevPublicToMgmt17BB06B4B: Metadata: aws:cdk:path: AwsBiotechBlueprint/VpcCore/devPublicToMgmt-1 Properties: DestinationCidrBlock: Fn::GetAtt: - VpcCoreManagment030DB556 - CidrBlock RouteTableId: Ref: VpcCoreDevelopmentDMZSubnet2RouteTable1EB1E7D2 VpcPeeringConnectionId: Ref: VpcCoreManagmentToDevelopmentPeering3A7C248E Type: AWS::EC2::Route VpcCoremgmtPrivateToDev0786AB1D9: Metadata: aws:cdk:path: AwsBiotechBlueprint/VpcCore/mgmtPrivateToDev-0 Properties: DestinationCidrBlock: Fn::GetAtt: - VpcCoreDevelopment37E2B994 - CidrBlock RouteTableId: Ref: VpcCoreManagmentApplicationSubnet1RouteTable12C52E22 VpcPeeringConnectionId: Ref: VpcCoreManagmentToDevelopmentPeering3A7C248E Type: AWS::EC2::Route VpcCoremgmtPrivateToDev19BBE4CA7: Metadata: aws:cdk:path: AwsBiotechBlueprint/VpcCore/mgmtPrivateToDev-1 Properties: DestinationCidrBlock: Fn::GetAtt: - VpcCoreDevelopment37E2B994 - CidrBlock RouteTableId: Ref: VpcCoreManagmentApplicationSubnet2RouteTableFD53ABE8 VpcPeeringConnectionId: Ref: VpcCoreManagmentToDevelopmentPeering3A7C248E Type: AWS::EC2::Route VpcCoremgmtPrivateToProd02E427081: Metadata: 
aws:cdk:path: AwsBiotechBlueprint/VpcCore/mgmtPrivateToProd-0 Properties: DestinationCidrBlock: Fn::GetAtt: - VpcCoreProductionD971AE3A - CidrBlock RouteTableId: Ref: VpcCoreManagmentApplicationSubnet1RouteTable12C52E22 VpcPeeringConnectionId: Ref: VpcCoreManagmentToProductionPeering22C33F18 Type: AWS::EC2::Route VpcCoremgmtPrivateToProd190B37EA5: Metadata: aws:cdk:path: AwsBiotechBlueprint/VpcCore/mgmtPrivateToProd-1 Properties: DestinationCidrBlock: Fn::GetAtt: - VpcCoreProductionD971AE3A - CidrBlock RouteTableId: Ref: VpcCoreManagmentApplicationSubnet2RouteTableFD53ABE8 VpcPeeringConnectionId: Ref: VpcCoreManagmentToProductionPeering22C33F18 Type: AWS::EC2::Route VpcCoremgmtPublicToDev00CE2841B: Metadata: aws:cdk:path: AwsBiotechBlueprint/VpcCore/mgmtPublicToDev-0 Properties: DestinationCidrBlock: Fn::GetAtt: - VpcCoreDevelopment37E2B994 - CidrBlock RouteTableId: Ref: VpcCoreManagmentDMZSubnet1RouteTableA3569583 VpcPeeringConnectionId: Ref: VpcCoreManagmentToDevelopmentPeering3A7C248E Type: AWS::EC2::Route VpcCoremgmtPublicToDev11C8BD95A: Metadata: aws:cdk:path: AwsBiotechBlueprint/VpcCore/mgmtPublicToDev-1 Properties: DestinationCidrBlock: Fn::GetAtt: - VpcCoreDevelopment37E2B994 - CidrBlock RouteTableId: Ref: VpcCoreManagmentDMZSubnet2RouteTable6C5999E3 VpcPeeringConnectionId: Ref: VpcCoreManagmentToDevelopmentPeering3A7C248E Type: AWS::EC2::Route VpcCoremgmtPublicToProd09E91CB4A: Metadata: aws:cdk:path: AwsBiotechBlueprint/VpcCore/mgmtPublicToProd-0 Properties: DestinationCidrBlock: Fn::GetAtt: - VpcCoreProductionD971AE3A - CidrBlock RouteTableId: Ref: VpcCoreManagmentDMZSubnet1RouteTableA3569583 VpcPeeringConnectionId: Ref: VpcCoreManagmentToProductionPeering22C33F18 Type: AWS::EC2::Route VpcCoremgmtPublicToProd13B87535A: Metadata: aws:cdk:path: AwsBiotechBlueprint/VpcCore/mgmtPublicToProd-1 Properties: DestinationCidrBlock: Fn::GetAtt: - VpcCoreProductionD971AE3A - CidrBlock RouteTableId: Ref: VpcCoreManagmentDMZSubnet2RouteTable6C5999E3 
VpcPeeringConnectionId: Ref: VpcCoreManagmentToProductionPeering22C33F18 Type: AWS::EC2::Route VpcCoreprodPrivateToMgmt0A8B14018: Metadata: aws:cdk:path: AwsBiotechBlueprint/VpcCore/prodPrivateToMgmt-0 Properties: DestinationCidrBlock: Fn::GetAtt: - VpcCoreManagment030DB556 - CidrBlock RouteTableId: Ref: VpcCoreProductionApplicationSubnet1RouteTableC5D4BB39 VpcPeeringConnectionId: Ref: VpcCoreManagmentToProductionPeering22C33F18 Type: AWS::EC2::Route VpcCoreprodPrivateToMgmt1C6119F45: Metadata: aws:cdk:path: AwsBiotechBlueprint/VpcCore/prodPrivateToMgmt-1 Properties: DestinationCidrBlock: Fn::GetAtt: - VpcCoreManagment030DB556 - CidrBlock RouteTableId: Ref: VpcCoreProductionApplicationSubnet2RouteTable4DF63A0C VpcPeeringConnectionId: Ref: VpcCoreManagmentToProductionPeering22C33F18 Type: AWS::EC2::Route VpcCoreprodPublicToMgmt0A4005CA8: Metadata: aws:cdk:path: AwsBiotechBlueprint/VpcCore/prodPublicToMgmt-0 Properties: DestinationCidrBlock: Fn::GetAtt: - VpcCoreManagment030DB556 - CidrBlock RouteTableId: Ref: VpcCoreProductionDMZSubnet1RouteTable93117E8B VpcPeeringConnectionId: Ref: VpcCoreManagmentToProductionPeering22C33F18 Type: AWS::EC2::Route VpcCoreprodPublicToMgmt1EC8240AC: Metadata: aws:cdk:path: AwsBiotechBlueprint/VpcCore/prodPublicToMgmt-1 Properties: DestinationCidrBlock: Fn::GetAtt: - VpcCoreManagment030DB556 - CidrBlock RouteTableId: Ref: VpcCoreProductionDMZSubnet2RouteTable280A8E86 VpcPeeringConnectionId: Ref: VpcCoreManagmentToProductionPeering22C33F18 Type: AWS::EC2::Route VpcCoreretentionRole1BA39518: Metadata: aws:cdk:path: AwsBiotechBlueprint/VpcCore/retentionRole/Resource Properties: AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Effect: Allow Principal: Service: lambda.amazonaws.com Version: '2012-10-17' Type: AWS::IAM::Role VpcCoreretentionRoleDefaultPolicyEEAA8B99: Metadata: aws:cdk:path: AwsBiotechBlueprint/VpcCore/retentionRole/DefaultPolicy/Resource cfn-lint: config: ignore_checks: - EIAMPolicyWildcardResource - 
EIAMPolicyActionWildcard ignore_reasons: EIAMPolicyActionWildcard: The policy action wildcards in this policy are generated by the AWS CDK, which the developers of this Quick Start have no control over. EIAMPolicyWildcardResource: This particular role gives permission to a custom resource to create a certificate. We cannot provide a specific certificate ARN at deployment time as it does not yet exist. Properties: PolicyDocument: Statement: - Action: logs:CreateLogGroup Effect: Allow Resource: '*' - Action: - logs:PutRetentionPolicy - logs:DeleteRetentionPolicy Effect: Allow Resource: '*' Version: '2012-10-17' PolicyName: VpcCoreretentionRoleDefaultPolicyEEAA8B99 Roles: - Ref: VpcCoreretentionRole1BA39518 Type: AWS::IAM::Policy VpcCorevpcLogGroupRole0DE2B7DA: Metadata: aws:cdk:path: AwsBiotechBlueprint/VpcCore/vpcLogGroupRole/Resource Properties: AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Effect: Allow Principal: Service: vpc-flow-logs.amazonaws.com Version: '2012-10-17' Type: AWS::IAM::Role VpcCorevpcLogGroupRoleDefaultPolicyCEA46C79: Metadata: aws:cdk:path: AwsBiotechBlueprint/VpcCore/vpcLogGroupRole/DefaultPolicy/Resource Properties: PolicyDocument: Statement: - Action: - logs:CreateLogStream - logs:PutLogEvents - logs:DescribeLogStreams Effect: Allow Resource: Fn::GetAtt: - VpcCoreProductionVpcLogGroup8B46D99C - Arn - Action: iam:PassRole Effect: Allow Resource: Fn::GetAtt: - VpcCorevpcLogGroupRole0DE2B7DA - Arn - Action: - logs:CreateLogStream - logs:PutLogEvents - logs:DescribeLogStreams Effect: Allow Resource: Fn::GetAtt: - VpcCoreMgmtVpcLogGroup57411704 - Arn - Action: - logs:CreateLogStream - logs:PutLogEvents - logs:DescribeLogStreams Effect: Allow Resource: Fn::GetAtt: - VpcCoreDevVpcLogGroupB93F8F61 - Arn Version: '2012-10-17' PolicyName: VpcCorevpcLogGroupRoleDefaultPolicyCEA46C79 Roles: - Ref: VpcCorevpcLogGroupRole0DE2B7DA Type: AWS::IAM::Policy
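The peering routes above are deliberately asymmetric: the Managment VPC's Application and DMZ route tables carry a route to the whole Production CIDR, but on the Production side only the Application and DMZ route tables route back to Managment, and the Database (Isolated) route tables carry no peering route at all, whereas the Development Database tables do (devIsolatedToMgmt-0/1). Because a TCP connection needs a route in both directions, that missing return route is what keeps the production database subnets unreachable from the management VPC even though management can "see" their addresses. The following analyzer, added here and not part of the Quick Start, reads a CloudFormation Resources map in the shape this template uses (Ref and Fn::GetAtt [Vpc, CidrBlock]) and reports a subnet pair as routable only when both route tables carry a peering route over a connection that joins their two VPCs. SAMPLE is a constructed subset of the blueprint's topology: logical IDs are abbreviated, the Production values are the template's, and the Managment and Development VPC/subnet CIDRs are assumptions (the page shows only 10.70.x subnets for Managment and no Development CIDR). Security groups and NACLs are not modelled, so "routable" is necessary, not sufficient, for actual connectivity.

```python
"""Cross-VPC reachability from CloudFormation route tables (added example, not blueprint code)."""
import ipaddress


def _ref(value):
    """Resolve {"Ref": X} -> X and {"Fn::GetAtt": [X, A]} -> (X, A); literals pass through."""
    if isinstance(value, dict):
        if "Ref" in value:
            return value["Ref"]
        if "Fn::GetAtt" in value:
            return tuple(value["Fn::GetAtt"])
    return value


def resolve_cidr(res, value):
    """DestinationCidrBlock is a literal or Fn::GetAtt [SomeVpc, CidrBlock], as in the template."""
    r = _ref(value)
    if isinstance(r, tuple):
        vpc_id, attr = r
        if attr != "CidrBlock":
            raise ValueError(f"unsupported attribute {attr}")
        return res[vpc_id]["Properties"]["CidrBlock"]
    return r


def subnet_route_table(res, subnet_id):
    """Explicitly associated route table, or None (subnet would fall back to the VPC main table)."""
    for r in res.values():
        p = r.get("Properties", {})
        if r.get("Type") == "AWS::EC2::SubnetRouteTableAssociation" and _ref(p["SubnetId"]) == subnet_id:
            return _ref(p["RouteTableId"])
    return None


def peering_routes(res, rt_id):
    """Yield (destination network, peering connection ID) for each peering route in a route table."""
    for r in res.values():
        p = r.get("Properties", {})
        if r.get("Type") == "AWS::EC2::Route" and "VpcPeeringConnectionId" in p and _ref(p["RouteTableId"]) == rt_id:
            yield ipaddress.ip_network(resolve_cidr(res, p["DestinationCidrBlock"])), _ref(p["VpcPeeringConnectionId"])


def can_talk(res, subnet_a, subnet_b):
    """True iff A routes to B's subnet AND B routes back to A's subnet over the same
    peering connection, and that connection joins exactly their two VPCs (no transit)."""
    pa, pb = res[subnet_a]["Properties"], res[subnet_b]["Properties"]
    vpcs = {_ref(pa["VpcId"]), _ref(pb["VpcId"])}
    net_a, net_b = ipaddress.ip_network(pa["CidrBlock"]), ipaddress.ip_network(pb["CidrBlock"])
    forward = {pcx for dest, pcx in peering_routes(res, subnet_route_table(res, subnet_a)) if net_b.subnet_of(dest)}
    back = {pcx for dest, pcx in peering_routes(res, subnet_route_table(res, subnet_b)) if net_a.subnet_of(dest)}
    return any({_ref(res[pcx]["Properties"]["VpcId"]), _ref(res[pcx]["Properties"]["PeerVpcId"])} == vpcs
               for pcx in forward & back)


# Builders that emit resources in the same shape CDK synthesizes.
def _vpc(cidr):            return {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": cidr}}
def _subnet(vpc, cidr):    return {"Type": "AWS::EC2::Subnet", "Properties": {"VpcId": {"Ref": vpc}, "CidrBlock": cidr}}
def _rt(vpc):              return {"Type": "AWS::EC2::RouteTable", "Properties": {"VpcId": {"Ref": vpc}}}
def _assoc(rt, subnet):    return {"Type": "AWS::EC2::SubnetRouteTableAssociation",
                                   "Properties": {"RouteTableId": {"Ref": rt}, "SubnetId": {"Ref": subnet}}}
def _pcx(vpc, peer):       return {"Type": "AWS::EC2::VPCPeeringConnection",
                                   "Properties": {"VpcId": {"Ref": vpc}, "PeerVpcId": {"Ref": peer}}}
def _peer_route(rt, dest_vpc, pcx):
    return {"Type": "AWS::EC2::Route", "Properties": {
        "DestinationCidrBlock": {"Fn::GetAtt": [dest_vpc, "CidrBlock"]},
        "RouteTableId": {"Ref": rt}, "VpcPeeringConnectionId": {"Ref": pcx}}}


# Constructed subset of the blueprint. Managment/Development CIDRs are ASSUMED; Production is from the template.
SAMPLE = {
    "MgmtVpc": _vpc("10.70.0.0/16"), "DevVpc": _vpc("10.60.0.0/16"), "ProdVpc": _vpc("10.50.0.0/16"),
    "MgmtApp1": _subnet("MgmtVpc", "10.70.4.0/23"),  # assumed
    "DevDb1": _subnet("DevVpc", "10.60.8.0/23"),     # assumed
    "ProdApp1": _subnet("ProdVpc", "10.50.4.0/23"), "ProdDb1": _subnet("ProdVpc", "10.50.8.0/23"),
    "MgmtApp1Rt": _rt("MgmtVpc"), "DevDb1Rt": _rt("DevVpc"), "ProdApp1Rt": _rt("ProdVpc"), "ProdDb1Rt": _rt("ProdVpc"),
    "A1": _assoc("MgmtApp1Rt", "MgmtApp1"), "A2": _assoc("DevDb1Rt", "DevDb1"),
    "A3": _assoc("ProdApp1Rt", "ProdApp1"), "A4": _assoc("ProdDb1Rt", "ProdDb1"),
    "MgmtToDev": _pcx("MgmtVpc", "DevVpc"), "MgmtToProd": _pcx("MgmtVpc", "ProdVpc"),
    "mgmtPrivateToDev0": _peer_route("MgmtApp1Rt", "DevVpc", "MgmtToDev"),    # mgmtPrivateToDev-0
    "mgmtPrivateToProd0": _peer_route("MgmtApp1Rt", "ProdVpc", "MgmtToProd"), # mgmtPrivateToProd-0
    "prodPrivateToMgmt0": _peer_route("ProdApp1Rt", "MgmtVpc", "MgmtToProd"), # prodPrivateToMgmt-0
    "devIsolatedToMgmt0": _peer_route("DevDb1Rt", "MgmtVpc", "MgmtToDev"),    # devIsolatedToMgmt-0
    # No prodIsolatedToMgmt route exists in the template, so ProdDb1Rt has no peering route.
}


def blueprint_reachability(res=SAMPLE):
    return {
        "mgmt_app->prod_app": can_talk(res, "MgmtApp1", "ProdApp1"),
        "mgmt_app->prod_db": can_talk(res, "MgmtApp1", "ProdDb1"),
        "mgmt_app->dev_db": can_talk(res, "MgmtApp1", "DevDb1"),
        "dev_db->prod_db": can_talk(res, "DevDb1", "ProdDb1"),
    }


if __name__ == "__main__":
    for pair, ok in blueprint_reachability().items():
        print(f"{pair:20s} {'routable' if ok else 'NOT routable'}")
```

Against a real synthesized template, load the JSON (`json.load(f)["Resources"]`) and pass the full map; the long-form `Ref`/`Fn::GetAtt` used on this page also parse with a plain YAML loader, but `!Ref`-style short tags need a CloudFormation-aware loader. Subnets with no explicit association fall to the VPC main route table, which this checker treats as having no peering routes.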
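The flow-log and retention resources above deserve a mechanical check rather than a visual one. Both AWS::Logs::LogGroup resources declare RetentionInDays: 731, but the Custom::LogRetention resource that Refs each group sets 14 days (VpcCoreMgmtLogRtention363D019E) or 30 days (VpcCoreProdLogRetention4C6205DA); the custom resource runs after the group exists and calls logs:PutRetentionPolicy, so its value is what the account ends up with, and VPC flow logs for the management and production VPCs are kept for two weeks and one month, not two years. The same walk can confirm that every VPC has a flow log with ResourceType VPC and TrafficType ALL, and list the IAM statements whose Resource is '*' so the cfn-lint suppressions above are matched against what the policy actually grants. The audit below is added here and is not code from the Quick Start; SAMPLE is a constructed subset of the template that keeps the page's logical IDs and property values and drops everything else. The Development VPC's flow log is defined in a part of the template not reproduced here, so in this subset the audit reports that VPC as uncovered, which is the failure mode the check exists to catch.

```python
"""Audit a CloudFormation Resources map for flow-log coverage, effective log
retention, and wildcard-resource IAM statements (added example, not blueprint code)."""


def _ref(value):
    return value.get("Ref") if isinstance(value, dict) else value


def _of_type(res, cfn_type):
    return {k: v for k, v in res.items() if v.get("Type") == cfn_type}


def vpcs_without_full_flow_logs(res):
    """Logical IDs of AWS::EC2::VPC resources with no FlowLog of ResourceType VPC and TrafficType ALL."""
    covered = set()
    for fl in _of_type(res, "AWS::EC2::FlowLog").values():
        p = fl["Properties"]
        if p.get("ResourceType") == "VPC" and p.get("TrafficType") == "ALL":
            covered.add(_ref(p["ResourceId"]))
    return sorted(set(_of_type(res, "AWS::EC2::VPC")) - covered)


def effective_retention(res):
    """Return (days per log group, {group: (declared, overriding)}).

    AWS::Logs::LogGroup.RetentionInDays is applied when the group is created. A
    Custom::LogRetention that Refs the same group is created afterwards and calls
    logs:PutRetentionPolicy, so its RetentionInDays is the value that sticks."""
    days = {k: v["Properties"].get("RetentionInDays") for k, v in _of_type(res, "AWS::Logs::LogGroup").items()}
    overridden = {}
    for cr in _of_type(res, "Custom::LogRetention").values():
        p = cr["Properties"]
        group = _ref(p["LogGroupName"])
        if group in days and days[group] != p["RetentionInDays"]:
            overridden[group] = (days[group], p["RetentionInDays"])
        days[group] = p["RetentionInDays"]
    return days, overridden


def wildcard_resource_statements(res):
    """(policy logical ID, actions) for every Allow statement whose Resource is '*'."""
    found = []
    for name, pol in _of_type(res, "AWS::IAM::Policy").items():
        for st in pol["Properties"]["PolicyDocument"]["Statement"]:
            if st.get("Effect") == "Allow" and st.get("Resource") == "*":
                actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
                found.append((name, tuple(actions)))
    return found


def audit(res):
    days, overridden = effective_retention(res)
    return {"vpcs_without_flow_logs": vpcs_without_full_flow_logs(res),
            "effective_retention_days": days,
            "retention_overridden": overridden,
            "wildcard_resource_statements": wildcard_resource_statements(res)}


def _flow_log(vpc, group):
    return {"Type": "AWS::EC2::FlowLog", "Properties": {
        "LogDestinationType": "cloud-watch-logs", "LogGroupName": {"Ref": group},
        "ResourceId": {"Ref": vpc}, "ResourceType": "VPC", "TrafficType": "ALL"}}


# Constructed subset of the template: logical IDs and values are the page's, the rest is omitted.
SAMPLE = {
    "VpcCoreManagment030DB556": {"Type": "AWS::EC2::VPC", "Properties": {}},
    "VpcCoreDevelopment37E2B994": {"Type": "AWS::EC2::VPC", "Properties": {}},  # its FlowLog is not in this subset
    "VpcCoreProductionD971AE3A": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.50.0.0/16"}},
    "VpcCoreMgmtFlowLogF6131196": _flow_log("VpcCoreManagment030DB556", "VpcCoreMgmtVpcLogGroup57411704"),
    "VpcCoreProdFlowLog514212F0": _flow_log("VpcCoreProductionD971AE3A", "VpcCoreProductionVpcLogGroup8B46D99C"),
    "VpcCoreMgmtVpcLogGroup57411704": {"Type": "AWS::Logs::LogGroup", "Properties": {"RetentionInDays": 731}},
    "VpcCoreProductionVpcLogGroup8B46D99C": {"Type": "AWS::Logs::LogGroup", "Properties": {"RetentionInDays": 731}},
    "VpcCoreMgmtLogRtention363D019E": {"Type": "Custom::LogRetention", "Properties": {
        "LogGroupName": {"Ref": "VpcCoreMgmtVpcLogGroup57411704"}, "RetentionInDays": 14}},
    "VpcCoreProdLogRetention4C6205DA": {"Type": "Custom::LogRetention", "Properties": {
        "LogGroupName": {"Ref": "VpcCoreProductionVpcLogGroup8B46D99C"}, "RetentionInDays": 30}},
    "VpcCoreretentionRoleDefaultPolicyEEAA8B99": {"Type": "AWS::IAM::Policy", "Properties": {
        "PolicyName": "VpcCoreretentionRoleDefaultPolicyEEAA8B99",
        "PolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Action": "logs:CreateLogGroup", "Effect": "Allow", "Resource": "*"},
            {"Action": ["logs:PutRetentionPolicy", "logs:DeleteRetentionPolicy"], "Effect": "Allow", "Resource": "*"}]}}},
}


if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(f"{key}: {value}")
```

If the two-year figure is the intended one, the fix is to drop the Custom::LogRetention resources (or set them to 731) rather than to edit the log group, because the custom resource will keep re-applying its own value on every update.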