AWSTemplateFormatVersion: 2010-09-09 Description: >- AWS CloudFormation template for deploying Linux bastion hosts in an auto-scaling group in an existing VPC. (qs-1qup6ra99) Metadata: QuickStartDocumentation: EntrypointName: Launch into an existing VPC Order: 2 LICENSE: Apache License, Version 2.0 LintSpellExclude: - onlyssmaccess AWS::CloudFormation::Interface: ParameterGroups: - Label: default: Network configuration Parameters: - VPCID - PublicSubnet1ID - PublicSubnet2ID - RemoteAccessCIDR - Label: default: IAM configuration Parameters: - RolePath - PermissionsBoundaryArn - Label: default: Amazon EC2 configuration Parameters: - KeyPairName - BastionAMIOS - BastionInstanceType - RootVolumeSize - Label: default: Linux bastion configuration Parameters: - NumBastionHosts - OndemandPercentage - BastionHostName - BastionTenancy - EnableBanner - BastionBanner - EnableTCPForwarding - EnableX11Forwarding - EC2MetadataPutResponseHopLimit - EC2MetadataHttpTokens - Label: default: Alternative configurations Parameters: - AlternativeInitializationScript - OSImageOverride - AlternativeIAMRole - EnvironmentVariables - Label: default: AWS Quick Start configuration Parameters: - QSS3BucketName - QSS3KeyPrefix - QSS3BucketRegion ParameterLabels: AlternativeIAMRole: default: Alternative IAM role AlternativeInitializationScript: default: Alternative initialization script URL BastionAMIOS: default: Bastion AMI operating system BastionHostName: default: Bastion host Name BastionTenancy: default: Bastion tenancy BastionBanner: default: SSH banner content file URL BastionInstanceType: default: Bastion instance type EnableBanner: default: Bastion banner EnableTCPForwarding: default: TCP forwarding EnableX11Forwarding: default: X11 forwarding EnvironmentVariables: default: Environment variables KeyPairName: default: Key pair name NumBastionHosts: default: Number of bastion hosts OndemandPercentage: default: On-demand percentage OSImageOverride: default: Operating system override PublicSubnet1ID: default: Public subnet 1 ID PublicSubnet2ID: default: Public subnet 2 ID QSS3BucketName: default: Quick Start S3 bucket name QSS3BucketRegion: default: Quick Start S3 bucket Region QSS3KeyPrefix: default: Quick Start S3 key prefix RemoteAccessCIDR: default: Allowed bastion external access CIDR VPCID: default: VPC ID RootVolumeSize: default: Root volume size PermissionsBoundaryArn: default: Permissions boundary ARN RolePath: default: Role path EC2MetadataPutResponseHopLimit: default: Amazon EC2 metadata put response hop limit EC2MetadataHttpTokens: default: Amazon EC2 metadata HTTP tokens Parameters: BastionAMIOS: Type: String Description: The Linux distribution for the AMI to be used for the bastion host instances. AllowedValues: - Amazon-Linux2-HVM - Amazon-Linux2-HVM-ARM - Amazon-Linux2022 - Amazon-Linux2022-ARM - Ubuntu-Server-20.04-LTS-HVM - Ubuntu-Server-22.04-LTS-HVM - Ubuntu-Server-22.04-LTS-HVM-ARM Default: Amazon-Linux2-HVM BastionHostName: Type: String Description: The value used for the name tag of the bastion host. Default: LinuxBastion BastionBanner: Type: String Description: >- Amazon S3 object URL for the text file with the content to display upon SSH login. The bastion host must have permission to download the file from the S3 bucket. AllowedPattern: ^(s3:\/\/[0-9a-z]+([0-9a-z-]*[0-9a-z])*/.+)?$ ConstraintDescription: >- Must be either a valid Amazon S3 object URL (example: s3://bucket/key/file.txt) or empty. Default: '' BastionTenancy: Type: String Description: Bastion VPC tenancy (dedicated or default). AllowedValues: [dedicated, default] Default: default BastionInstanceType: Type: String Description: Amazon EC2 instance type for the bastion instances. Default: t3.micro EnableBanner: Type: String Description: Choose "true" to display a banner when connecting to the bastion using SSH. AllowedValues: ['true', 'false'] Default: 'false' EnableTCPForwarding: Type: String Description: Choose "true" to enable TCP forwarding. AllowedValues: ['true', 'false'] Default: 'false' EnableX11Forwarding: Type: String Description: Choose "true" to enable X11 forwarding. AllowedValues: ['true', 'false'] Default: 'false' KeyPairName: Type: String Description: Name of an existing public/private key pair. If you do not have one in this AWS Region, please create it before continuing. If left empty, AWS Systems Manager Session Manager can still be used to connect to the instance. Default: '' NumBastionHosts: Type: String Description: The number of bastion hosts to create. The maximum number is four. AllowedValues: [1, 2, 3, 4] Default: 1 OndemandPercentage: Type: Number Description: >- Percentage of on-demand instances versus spot instances. With the default of 100, the ratio will be 100% on-demand instances and 0% spot instances. Default: 100 PublicSubnet1ID: Type: AWS::EC2::Subnet::Id Description: >- ID of the public subnet 1 that you want to provision the first bastion into (for example, subnet-a0246dcd). If RemoteAccessCIDR is set to 'disabled-onlyssmaccess', enter the ID of a private subnet instead. PublicSubnet2ID: Type: AWS::EC2::Subnet::Id Description: >- ID of the public subnet 2 that you want to provision the second bastion into (for example, subnet-e3246d8e). If RemoteAccessCIDR is set to 'disabled-onlyssmaccess', enter the ID of a private subnet instead. EC2MetadataPutResponseHopLimit: Type: String Description: >- The desired HTTP PUT response hop limit for instance metadata requests. The larger the number, the further instance metadata requests can travel. Default: 2 EC2MetadataHttpTokens: Type: String Description: >- If set to "optional" instances will be able to use their IAM instance profile. If set to "required" amd "EC2MetadataPutResponseHopLimit" is set to 1, instances will not be able to access the IAM role. If set to "required" amd "EC2MetadataPutResponseHopLimit" is set greater than 1 instances must send a signed token header with any instance metadata retrieval requests. AllowedValues: [optional, required] Default: required QSS3BucketName: Type: String Description: Name of the S3 bucket for your copy of the Quick Start assets. Keep the default name unless you are customizing the template. Changing the name updates code references to point to a new Quick Start location. This name can include numbers, lowercase letters, and hyphens, but do not start or end with a hyphen (-). See https://aws-quickstart.github.io/option1.html. MinLength: 3 MaxLength: 63 AllowedPattern: ^[0-9a-z]+([0-9a-z-]*[0-9a-z])*$ ConstraintDescription: The Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Default: aws-quickstart QSS3BucketRegion: Type: String Description: The AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. When using your own bucket, you must specify this value. Default: us-east-1 QSS3KeyPrefix: Type: String Description: S3 key prefix that is used to simulate a directory for your copy of the Quick Start assets. Keep the default prefix unless you are customizing the template. Changing this prefix updates code references to point to a new Quick Start location. This prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slashes (/). End with a forward slash. See https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMetadata.html and https://aws-quickstart.github.io/option1.html. AllowedPattern: ^([0-9a-zA-Z-.]+/)*$ ConstraintDescription: The Quick Start S3 key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slashes (/). Default: quickstart-linux-bastion/ RemoteAccessCIDR: Type: String Description: >- Allowed CIDR block or prefix list for external SSH access to the bastions. AllowedPattern: ^disabled-onlyssmaccess$|^pl-([0-9a-f]{8}|[0-9a-f]{17})$|^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ ConstraintDescription: CIDR block parameter must be disabled-onlyssmaccess or in the format "x.x.x.x/x". Default: disabled-onlyssmaccess VPCID: Type: AWS::EC2::VPC::Id Description: ID of the VPC (for example, vpc-0343606e). AlternativeInitializationScript: Type: String Description: >- HTTPS format Amazon S3 object URL for your custom initialization script to run during setup. The bastion host must have permission to download the file from the S3 bucket. AllowedPattern: ^https.*|^$ ConstraintDescription: >- Must be either a valid Amazon S3 object URL (example: https://bucket/key/file.txt) or empty. Default: '' OSImageOverride: Type: String Description: The Region-specific image to use for the instance. Default: '' AlternativeIAMRole: Type: String Description: An existing IAM role name to attach to the bastion. If left blank, a new role will be created. Default: '' EnvironmentVariables: Type: String Description: A comma-separated list of environment variables for use in bootstrapping. Variables must be in the format "key=value". "Value" cannot contain commas. Default: '' RootVolumeSize: Type: Number Description: The size in GB for the root EBS volume. Default: 10 PermissionsBoundaryArn: Type: String Description: Will be attached to all created IAM roles to satisfy security requirements. Default: '' RolePath: Type: String Description: Will be attached to all created IAM roles to satisfy security requirements. Default: '' Rules: SubnetsInVPC: Assertions: - Assert: !EachMemberIn - !ValueOfAll [AWS::EC2::Subnet::Id, VpcId] - !RefAll AWS::EC2::VPC::Id AssertDescription: All subnets must exist in the VPC. ArmInstance: RuleCondition: !Contains - - Amazon-Linux2-HVM-ARM - Amazon-Linux2022-ARM - Ubuntu-Server-22.04-LTS-HVM-ARM - !Ref BastionAMIOS Assertions: - Assert: !Contains - - t4g.nano - t4g.micro - t4g.small - t4g.medium - t4g.large - t4g.xlarge - t4g.2xlarge - m6g.medium - m6g.large - m6g.xlarge - m6g.2xlarge - !Ref BastionInstanceType AssertDescription: >- You selected an ARM AMI operating system, so you must also enter an ARM instance type, such as t4g.micro. For additional details, see https://aws.amazon.com/ec2/instance-types/. X86_64Instance: RuleCondition: !Not - !Contains - - Amazon-Linux2-HVM-ARM - Amazon-Linux2022-ARM - Ubuntu-Server-22.04-LTS-HVM-ARM - !Ref BastionAMIOS Assertions: - Assert: !Not - !Contains - - t4g.nano - t4g.micro - t4g.small - t4g.medium - t4g.large - t4g.xlarge - t4g.2xlarge - m6g.medium - m6g.large - m6g.xlarge - m6g.2xlarge - !Ref BastionInstanceType AssertDescription: >- You selected a x86_64 AMI operating system, so you must also enter a x86_64 instance type, such as t3.micro. For additional details, see https://aws.amazon.com/ec2/instance-types/. Mappings: AWSAMIRegionMap: af-south-1: AMZNLINUX2: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}' AMZNLINUX2ARM: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-arm64-gp2}}' AMZNLINUX2022: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2022-ami-kernel-default-x86_64}}' AMZNLINUX2022ARM: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2022-ami-kernel-default-arm64}}' US2004HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/20.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}' US2204HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}' US2204HVMARM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/arm64/hvm/ebs-gp2/ami-id}}' ap-east-1: AMZNLINUX2: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}' AMZNLINUX2ARM: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-arm64-gp2}}' AMZNLINUX2022: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2022-ami-kernel-default-x86_64}}' AMZNLINUX2022ARM: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2022-ami-kernel-default-arm64}}' US2004HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/20.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}' US2204HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}' US2204HVMARM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/arm64/hvm/ebs-gp2/ami-id}}' ap-northeast-1: AMZNLINUX2: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}' AMZNLINUX2ARM: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-arm64-gp2}}' AMZNLINUX2022: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2022-ami-kernel-default-x86_64}}' AMZNLINUX2022ARM: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2022-ami-kernel-default-arm64}}' US2004HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/20.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}' US2204HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}' US2204HVMARM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/arm64/hvm/ebs-gp2/ami-id}}' ap-northeast-2: AMZNLINUX2: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}' AMZNLINUX2ARM: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-arm64-gp2}}' AMZNLINUX2022: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2022-ami-kernel-default-x86_64}}' AMZNLINUX2022ARM: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2022-ami-kernel-default-arm64}}' US2004HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/20.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}' US2204HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}' US2204HVMARM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/arm64/hvm/ebs-gp2/ami-id}}' ap-northeast-3: AMZNLINUX2: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}' AMZNLINUX2ARM: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-arm64-gp2}}' AMZNLINUX2022: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2022-ami-kernel-default-x86_64}}' AMZNLINUX2022ARM: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2022-ami-kernel-default-arm64}}' US2004HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/20.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}' US2204HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}' US2204HVMARM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/arm64/hvm/ebs-gp2/ami-id}}' ap-south-1: AMZNLINUX2: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}' AMZNLINUX2ARM: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-arm64-gp2}}' AMZNLINUX2022: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2022-ami-kernel-default-x86_64}}' AMZNLINUX2022ARM: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2022-ami-kernel-default-arm64}}' US2004HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/20.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}' US2204HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}' US2204HVMARM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/arm64/hvm/ebs-gp2/ami-id}}' ap-south-2: AMZNLINUX2: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}' AMZNLINUX2ARM: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-arm64-gp2}}' AMZNLINUX2022: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2022-ami-kernel-default-x86_64}}' AMZNLINUX2022ARM: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2022-ami-kernel-default-arm64}}' US2004HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/20.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}' US2204HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}' US2204HVMARM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/arm64/hvm/ebs-gp2/ami-id}}' ap-southeast-1: AMZNLINUX2: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}' AMZNLINUX2ARM: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-arm64-gp2}}' AMZNLINUX2022: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2022-ami-kernel-default-x86_64}}' AMZNLINUX2022ARM: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2022-ami-kernel-default-arm64}}' US2004HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/20.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}' US2204HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}' US2204HVMARM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/arm64/hvm/ebs-gp2/ami-id}}' ap-southeast-2: AMZNLINUX2: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}' AMZNLINUX2ARM: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-arm64-gp2}}' AMZNLINUX2022: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2022-ami-kernel-default-x86_64}}' AMZNLINUX2022ARM: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2022-ami-kernel-default-arm64}}' US2004HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/20.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}' US2204HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}' US2204HVMARM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/arm64/hvm/ebs-gp2/ami-id}}' ap-southeast-3: AMZNLINUX2: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}' AMZNLINUX2ARM: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-arm64-gp2}}' AMZNLINUX2022: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2022-ami-kernel-default-x86_64}}' AMZNLINUX2022ARM: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2022-ami-kernel-default-arm64}}' US2004HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/20.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}' US2204HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}' US2204HVMARM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/arm64/hvm/ebs-gp2/ami-id}}' ap-southeast-4: AMZNLINUX2: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}' AMZNLINUX2ARM: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-arm64-gp2}}' AMZNLINUX2022: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2022-ami-kernel-default-x86_64}}' AMZNLINUX2022ARM: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2022-ami-kernel-default-arm64}}' US2004HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/20.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}' US2204HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}' US2204HVMARM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/arm64/hvm/ebs-gp2/ami-id}}' ca-central-1: AMZNLINUX2: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}' AMZNLINUX2ARM: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-arm64-gp2}}' AMZNLINUX2022: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2022-ami-kernel-default-x86_64}}' AMZNLINUX2022ARM: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2022-ami-kernel-default-arm64}}' US2004HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/20.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}' US2204HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}' US2204HVMARM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/arm64/hvm/ebs-gp2/ami-id}}' eu-central-1: AMZNLINUX2: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}' AMZNLINUX2ARM: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-arm64-gp2}}' AMZNLINUX2022: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2022-ami-kernel-default-x86_64}}' AMZNLINUX2022ARM: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2022-ami-kernel-default-arm64}}' US2004HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/20.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}' US2204HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}' US2204HVMARM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/arm64/hvm/ebs-gp2/ami-id}}' eu-central-2: AMZNLINUX2: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}' AMZNLINUX2ARM: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-arm64-gp2}}' AMZNLINUX2022: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2022-ami-kernel-default-x86_64}}' AMZNLINUX2022ARM: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2022-ami-kernel-default-arm64}}' US2004HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/20.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}' US2204HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}' US2204HVMARM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/arm64/hvm/ebs-gp2/ami-id}}' eu-north-1: AMZNLINUX2: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}' AMZNLINUX2ARM: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-arm64-gp2}}' AMZNLINUX2022: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2022-ami-kernel-default-x86_64}}' AMZNLINUX2022ARM: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2022-ami-kernel-default-arm64}}' US2004HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/20.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}' US2204HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}' US2204HVMARM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/arm64/hvm/ebs-gp2/ami-id}}' eu-south-1: AMZNLINUX2: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}' AMZNLINUX2ARM: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-arm64-gp2}}' AMZNLINUX2022: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2022-ami-kernel-default-x86_64}}' AMZNLINUX2022ARM: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2022-ami-kernel-default-arm64}}' US2004HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/20.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}' US2204HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}' US2204HVMARM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/arm64/hvm/ebs-gp2/ami-id}}' eu-south-2: AMZNLINUX2: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}' AMZNLINUX2ARM: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-arm64-gp2}}' AMZNLINUX2022: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2022-ami-kernel-default-x86_64}}' AMZNLINUX2022ARM: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2022-ami-kernel-default-arm64}}' US2004HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/20.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}' US2204HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}' US2204HVMARM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/arm64/hvm/ebs-gp2/ami-id}}' eu-west-1: AMZNLINUX2: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}' AMZNLINUX2ARM: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-arm64-gp2}}' AMZNLINUX2022: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2022-ami-kernel-default-x86_64}}' AMZNLINUX2022ARM: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2022-ami-kernel-default-arm64}}' US2004HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/20.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}' US2204HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}' US2204HVMARM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/arm64/hvm/ebs-gp2/ami-id}}' eu-west-2: AMZNLINUX2: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}' AMZNLINUX2ARM: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-arm64-gp2}}' AMZNLINUX2022: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2022-ami-kernel-default-x86_64}}' AMZNLINUX2022ARM: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2022-ami-kernel-default-arm64}}' US2004HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/20.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}' US2204HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}' US2204HVMARM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/arm64/hvm/ebs-gp2/ami-id}}' eu-west-3: AMZNLINUX2: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}' AMZNLINUX2ARM: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-arm64-gp2}}' AMZNLINUX2022: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2022-ami-kernel-default-x86_64}}' AMZNLINUX2022ARM: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2022-ami-kernel-default-arm64}}' US2004HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/20.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}' US2204HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}' US2204HVMARM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/arm64/hvm/ebs-gp2/ami-id}}' me-central-1: AMZNLINUX2: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}' AMZNLINUX2ARM: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-arm64-gp2}}' AMZNLINUX2022: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2022-ami-kernel-default-x86_64}}' AMZNLINUX2022ARM: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2022-ami-kernel-default-arm64}}' US2004HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/20.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}' US2204HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}' US2204HVMARM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/arm64/hvm/ebs-gp2/ami-id}}' me-south-1: AMZNLINUX2: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}' AMZNLINUX2ARM: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-arm64-gp2}}' AMZNLINUX2022: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2022-ami-kernel-default-x86_64}}' AMZNLINUX2022ARM: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2022-ami-kernel-default-arm64}}' US2004HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/20.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}' US2204HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}' US2204HVMARM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/arm64/hvm/ebs-gp2/ami-id}}' sa-east-1: AMZNLINUX2: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}' AMZNLINUX2ARM: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-arm64-gp2}}' AMZNLINUX2022: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2022-ami-kernel-default-x86_64}}' AMZNLINUX2022ARM: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2022-ami-kernel-default-arm64}}' US2004HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/20.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}' US2204HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}' US2204HVMARM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/arm64/hvm/ebs-gp2/ami-id}}' us-east-1: AMZNLINUX2: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}' AMZNLINUX2ARM: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-arm64-gp2}}' AMZNLINUX2022: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2022-ami-kernel-default-x86_64}}' AMZNLINUX2022ARM: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2022-ami-kernel-default-arm64}}' US2004HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/20.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}' US2204HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}' US2204HVMARM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/arm64/hvm/ebs-gp2/ami-id}}' us-east-2: AMZNLINUX2: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}' AMZNLINUX2ARM: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-arm64-gp2}}' AMZNLINUX2022: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2022-ami-kernel-default-x86_64}}' AMZNLINUX2022ARM: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2022-ami-kernel-default-arm64}}' US2004HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/20.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}' US2204HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}' US2204HVMARM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/arm64/hvm/ebs-gp2/ami-id}}' us-west-1: AMZNLINUX2: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}' AMZNLINUX2ARM: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-arm64-gp2}}' AMZNLINUX2022: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2022-ami-kernel-default-x86_64}}' AMZNLINUX2022ARM: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2022-ami-kernel-default-arm64}}' US2004HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/20.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}' US2204HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}' US2204HVMARM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/arm64/hvm/ebs-gp2/ami-id}}' us-west-2: AMZNLINUX2: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}' AMZNLINUX2ARM: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-arm64-gp2}}' AMZNLINUX2022: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2022-ami-kernel-default-x86_64}}' AMZNLINUX2022ARM: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2022-ami-kernel-default-arm64}}' US2004HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/20.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}' US2204HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}' US2204HVMARM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/arm64/hvm/ebs-gp2/ami-id}}' us-gov-east-1: AMZNLINUX2: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}' AMZNLINUX2ARM: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-arm64-gp2}}' AMZNLINUX2022: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2022-ami-kernel-default-x86_64}}' AMZNLINUX2022ARM: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2022-ami-kernel-default-arm64}}' US2004HVM: ami-0cfbbbb41dd6a9cad US2204HVM: ami-0c4bea13c0e0c588f US2204HVMARM: ami-0dbcf7fc866b67aed us-gov-west-1: AMZNLINUX2: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}' AMZNLINUX2ARM: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-arm64-gp2}}' AMZNLINUX2022: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2022-ami-kernel-default-x86_64}}' AMZNLINUX2022ARM: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2022-ami-kernel-default-arm64}}' US2004HVM: ami-0b152eed9cb83f2bd US2204HVM: ami-0585fd40760ad42a3 US2204HVMARM: ami-0f0aac22ded9e2425 cn-north-1: AMZNLINUX2: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}' AMZNLINUX2ARM: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-arm64-gp2}}' AMZNLINUX2022: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2022-ami-kernel-default-x86_64}}' AMZNLINUX2022ARM: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2022-ami-kernel-default-arm64}}' US2004HVM: ami-0ee5d3b4bc88442f4 US2204HVM: ami-05739266c542f05d5 US2204HVMARM: ami-0d41564e295b1064e cn-northwest-1: AMZNLINUX2: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}' AMZNLINUX2ARM: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-arm64-gp2}}' AMZNLINUX2022: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2022-ami-kernel-default-x86_64}}' AMZNLINUX2022ARM: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2022-ami-kernel-default-arm64}}' US2004HVM: ami-05de738393a8dcebf US2204HVM: ami-0528ba5522b075ac5 US2204HVMARM: ami-076f450c832df8f9b LinuxAMINameMap: Amazon-Linux2-HVM: Code: AMZNLINUX2 OS: Amazon Amazon-Linux2-HVM-ARM: Code: AMZNLINUX2ARM OS: Amazon Amazon-Linux2022: Code: AMZNLINUX2022 OS: Amazon Amazon-Linux2022-ARM: Code: AMZNLINUX2022ARM OS: Amazon Ubuntu-Server-20.04-LTS-HVM: Code: US2004HVM OS: Ubuntu Ubuntu-Server-22.04-LTS-HVM: Code: US2204HVM OS: Ubuntu Ubuntu-Server-22.04-LTS-HVM-ARM: Code: US2204HVMARM OS: Ubuntu Conditions: RolePathProvided: !Not [!Equals ['', !Ref RolePath]] PermissionsBoundaryProvided: !Not [!Equals ['', !Ref PermissionsBoundaryArn]] 2BastionConditionHost: !Or [!Equals [!Ref NumBastionHosts, 2], !Condition 3BastionCondition, !Condition 4BastionCondition] 3BastionConditionHost: !Or [!Equals [!Ref NumBastionHosts, 3], !Condition 4BastionCondition] 4BastionConditionHost: !Equals [!Ref NumBastionHosts, 4] 2BastionCondition: !And [!Condition NeedsEip, !Condition 2BastionConditionHost] 3BastionCondition: !And [!Condition NeedsEip, !Condition 3BastionConditionHost] 4BastionCondition: !And [!Condition NeedsEip, !Condition 4BastionConditionHost] HasRemoteCIDR: !And - !Not [!Equals [!Ref RemoteAccessCIDR, disabled-onlyssmaccess]] - !Not [!Condition HasPrefixList] HasPrefixList: !Equals [!Select [0, !Split ['-', !Ref RemoteAccessCIDR]], pl] NeedsEip: !Or [!Condition HasRemoteCIDR, !Condition HasPrefixList] UseAlternativeInitialization: !Not [!Equals [!Ref AlternativeInitializationScript, '']] CreateIAMRole: !Equals [!Ref AlternativeIAMRole, ''] UseOSImageOverride: !Not [!Equals [!Ref OSImageOverride, '']] UsingDefaultBucket: !Equals [!Ref QSS3BucketName, aws-quickstart] DefaultBanner: !Equals [!Ref BastionBanner, ''] UseKeyPair: !Not [!Equals [!Ref KeyPairName, '']] Resources: BastionMainLogGroup: Type: AWS::Logs::LogGroup SSHMetricFilter: Type: AWS::Logs::MetricFilter Properties: LogGroupName: !Ref BastionMainLogGroup FilterPattern: ON FROM USER PWD MetricTransformations: - MetricName: SSHCommandCount MetricValue: 1 MetricNamespace: !Sub AWSQuickStart/${AWS::StackName} BastionHostRole: Condition: CreateIAMRole Type: AWS::IAM::Role Properties: Path: !If [RolePathProvided, !Ref RolePath, !Ref AWS::NoValue] PermissionsBoundary: !If [PermissionsBoundaryProvided, !Ref PermissionsBoundaryArn, !Ref AWS::NoValue] AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: sts:AssumeRole Principal: Service: - !Sub ec2.${AWS::URLSuffix} ManagedPolicyArns: - !Sub arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore - !Sub arn:${AWS::Partition}:iam::aws:policy/CloudWatchAgentServerPolicy BastionHostPolicy: Type: AWS::IAM::Policy Condition: CreateIAMRole Properties: PolicyName: BastionPolicy PolicyDocument: Version: 2012-10-17 Statement: - Sid: ListQSS3BucketObjects Effect: Allow Action: s3:ListBucket Resource: !Sub - arn:${AWS::Partition}:s3:::${S3Bucket} - S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] - Sid: GetQSS3Objects Effect: Allow Action: - s3:GetObject - s3:GetObjectVersion Resource: !Sub - arn:${AWS::Partition}:s3:::${S3Bucket}/${QSS3KeyPrefix}* - S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] - Sid: WriteToCloudWatchLogs Effect: Allow Action: - logs:CreateLogStream - logs:GetLogEvents - logs:PutLogEvents - logs:DescribeLogGroups - logs:DescribeLogStreams - logs:PutRetentionPolicy - logs:PutMetricFilter - logs:CreateLogGroup Resource: !Sub arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:${BastionMainLogGroup}:* - Sid: Global Effect: Allow Action: - ec2:DescribeAddresses Resource: '*' - !If - NeedsEip - Sid: AssociateStackEips Effect: Allow Action: ec2:AssociateAddress Resource: '*' Condition: StringEquals: ec2:ResourceTag/aws:cloudformation:stack-id: !Ref AWS::StackId - !Ref AWS::NoValue Roles: - !If [CreateIAMRole, !Ref BastionHostRole, !Ref AlternativeIAMRole] BastionHostProfile: Type: AWS::IAM::InstanceProfile Properties: Roles: - !If [CreateIAMRole, !Ref BastionHostRole, !Ref AlternativeIAMRole] Path: !If [CreateIAMRole, /, /account-managed/] EIP1: Type: AWS::EC2::EIP Condition: NeedsEip Properties: Domain: vpc EIP2: Type: AWS::EC2::EIP Condition: 2BastionCondition Properties: Domain: vpc EIP3: Type: AWS::EC2::EIP Condition: 3BastionCondition Properties: Domain: vpc EIP4: Type: AWS::EC2::EIP Condition: 4BastionCondition Properties: Domain: vpc BastionAutoScalingGroup: Type: AWS::AutoScaling::AutoScalingGroup Properties: VPCZoneIdentifier: [!Ref PublicSubnet1ID, !Ref PublicSubnet2ID] MinSize: !Ref NumBastionHosts MaxSize: !Ref NumBastionHosts Cooldown: 900 DesiredCapacity: !Ref NumBastionHosts MixedInstancesPolicy: LaunchTemplate: LaunchTemplateSpecification: LaunchTemplateId: !Ref BastionLaunchTemplate Version: !GetAtt BastionLaunchTemplate.LatestVersionNumber InstancesDistribution: OnDemandPercentageAboveBaseCapacity: !Ref OndemandPercentage SpotInstancePools: 1 Tags: - Key: Name Value: !Ref BastionHostName PropagateAtLaunch: true CreationPolicy: ResourceSignal: Count: !Ref NumBastionHosts Timeout: PT60M AutoScalingCreationPolicy: MinSuccessfulInstancesPercent: 100 UpdatePolicy: AutoScalingReplacingUpdate: WillReplace: true BastionLaunchTemplate: Type: AWS::EC2::LaunchTemplate Metadata: AWS::CloudFormation::Authentication: S3AccessCreds: type: S3 roleName: !If [CreateIAMRole, !Ref BastionHostRole, !Ref AlternativeIAMRole] buckets: - !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] AWS::CloudFormation::Init: config: files: /tmp/auditd.rules: mode: 000550 owner: root group: root content: | -a exit,always -F arch=b64 -S execve -a exit,always -F arch=b32 -S execve /tmp/auditing_configure.sh: source: !Sub - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}scripts/auditing_configure.sh - S3Bucket: !If [UsingDefaultBucket, !Sub 'aws-quickstart-${AWS::Region}', !Ref QSS3BucketName] S3Region: !If [UsingDefaultBucket, !Ref AWS::Region, !Ref QSS3BucketRegion] mode: 000550 owner: root group: root authentication: S3AccessCreds /tmp/bastion_bootstrap.sh: source: !If - UseAlternativeInitialization - !Ref AlternativeInitializationScript - !Sub - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}scripts/bastion_bootstrap.sh - S3Bucket: !If [UsingDefaultBucket, !Sub 'aws-quickstart-${AWS::Region}', !Ref QSS3BucketName] S3Region: !If [UsingDefaultBucket, !Ref AWS::Region, !Ref QSS3BucketRegion] mode: 000550 owner: root group: root authentication: S3AccessCreds commands: a-add_auditd_rules: cwd: /tmp/ env: BASTION_OS: !FindInMap [LinuxAMINameMap, !Ref BastionAMIOS, OS] command: ./auditing_configure.sh b-bootstrap: cwd: /tmp/ env: REGION: !Sub ${AWS::Region} URL_SUFFIX: !Sub ${AWS::URLSuffix} BANNER_REGION: !If [UsingDefaultBucket, !Ref AWS::Region, !Ref QSS3BucketRegion] command: !Sub - ./bastion_bootstrap.sh --banner ${BannerUrl} --enable ${EnableBanner} --tcp-forwarding ${EnableTCPForwarding} --x11-forwarding ${EnableX11Forwarding} - BannerUrl: !If - DefaultBanner - !Sub - s3://${S3Bucket}/${QSS3KeyPrefix}scripts/banner_message.txt - S3Bucket: !If [UsingDefaultBucket, !Sub 'aws-quickstart-${AWS::Region}', !Ref QSS3BucketName] - !Ref BastionBanner Properties: LaunchTemplateData: Placement: Tenancy: !Ref BastionTenancy KeyName: !If [UseKeyPair, !Ref KeyPairName, !Ref AWS::NoValue] ImageId: !If - UseOSImageOverride - !Ref OSImageOverride - !FindInMap [AWSAMIRegionMap, !Ref AWS::Region, !FindInMap [LinuxAMINameMap, !Ref BastionAMIOS, Code]] InstanceType: !Ref BastionInstanceType IamInstanceProfile: Arn: !GetAtt BastionHostProfile.Arn NetworkInterfaces: - DeviceIndex: 0 AssociatePublicIpAddress: !If [NeedsEip, true, false] Groups: - !Ref BastionSecurityGroup BlockDeviceMappings: - DeviceName: /dev/xvda Ebs: VolumeSize: !Ref RootVolumeSize VolumeType: gp2 Encrypted: true DeleteOnTermination: true UserData: Fn::Base64: !Sub - | #!/usr/bin/env bash set -x for e in $(echo "${EnvironmentVariables}" | tr ',' ' '); do export $e echo "$e" >> /root/.bashrc done export PATH=$PATH:/usr/local/bin yum install -y git unzip wget curl || apt-get install -y git unzip wget curl || zypper -n install git unzip wget curl #cfn signaling functions cfn_fail() { cfn-signal -e 1 --stack ${AWS::StackName} --region ${AWS::Region} --resource BastionAutoScalingGroup exit 1 } cfn_success() { cfn-signal -e 0 --stack ${AWS::StackName} --region ${AWS::Region} --resource BastionAutoScalingGroup exit 0 } pushd /tmp if [[ "a$(which aws)" == "a" ]] then echo "Installing AWS CLI..." uname=$(uname -m) wget -nv -O "./awscliv2.zip" "https://awscli.amazonaws.com/awscli-exe-linux-$uname.zip" unzip -q ./awscliv2.zip ./aws/install fi for (( i=0; i<=5; i++ )) do aws s3 cp --no-progress --region ${AWS::Region} "s3://${S3Bucket}/${QSS3KeyPrefix}scripts/cfn-tools.sh" . if [ $? -ne 0 ] then echo "Retrying..." fi done source ./cfn-tools.sh popd /tmp qs_update-os || qs_err; qs_bootstrap_pip || qs_err " pip bootstrap failed "; qs_aws-cfn-bootstrap || qs_err " cfn bootstrap failed "; EIP_LIST="${EIP1},${EIP2},${EIP3},${EIP4}" CLOUDWATCHGROUP=${BastionMainLogGroup} cfn-init -v --stack '${AWS::StackName}' --resource BastionLaunchTemplate --region ${AWS::Region} || cfn_fail [ $(qs_status) == 0 ] && cfn_success || cfn_fail - EIP1: !If [NeedsEip, !Ref EIP1, 'Null'] EIP2: !If [2BastionCondition, !Ref EIP2, 'Null'] EIP3: !If [3BastionCondition, !Ref EIP3, 'Null'] EIP4: !If [4BastionCondition, !Ref EIP4, 'Null'] S3Bucket: !If [UsingDefaultBucket, !Sub 'aws-quickstart-${AWS::Region}', !Ref QSS3BucketName] MetadataOptions: HttpEndpoint: enabled HttpPutResponseHopLimit: !Ref EC2MetadataPutResponseHopLimit HttpTokens: !Ref EC2MetadataHttpTokens BastionSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Enables access to bastion hosts VpcId: !Ref VPCID BastionSecurityGroupCidrSshIngress: Type: AWS::EC2::SecurityGroupIngress Condition: HasRemoteCIDR Properties: GroupId: !Ref BastionSecurityGroup CidrIp: !Ref RemoteAccessCIDR IpProtocol: tcp FromPort: 22 ToPort: 22 BastionSecurityGroupCidrIcmpIngress: Type: AWS::EC2::SecurityGroupIngress Condition: HasRemoteCIDR Properties: GroupId: !Ref BastionSecurityGroup CidrIp: !Ref RemoteAccessCIDR IpProtocol: icmp FromPort: -1 ToPort: -1 BastionSecurityGroupPrefixListSshIngress: Type: AWS::EC2::SecurityGroupIngress Condition: HasPrefixList Properties: GroupId: !Ref BastionSecurityGroup SourcePrefixListId: !Ref RemoteAccessCIDR IpProtocol: tcp FromPort: 22 ToPort: 22 BastionSecurityGroupPrefixListIcmpIngress: Type: AWS::EC2::SecurityGroupIngress Condition: HasPrefixList Properties: GroupId: !Ref BastionSecurityGroup SourcePrefixListId: !Ref RemoteAccessCIDR IpProtocol: icmp FromPort: -1 ToPort: -1 Outputs: BastionAutoScalingGroup: Description: Auto Scaling group reference ID. Value: !Ref BastionAutoScalingGroup Export: Name: !Sub ${AWS::StackName}-BastionAutoScalingGroup EIP1: Condition: NeedsEip Description: Elastic IP 1 for bastion. Value: !Ref EIP1 Export: Name: !Sub ${AWS::StackName}-EIP1 EIP2: Condition: 2BastionCondition Description: Elastic IP 2 for bastion. Value: !Ref EIP2 Export: Name: !Sub ${AWS::StackName}-EIP2 EIP3: Condition: 3BastionCondition Description: Elastic IP 3 for bastion. Value: !Ref EIP3 Export: Name: !Sub ${AWS::StackName}-EIP3 EIP4: Condition: 4BastionCondition Description: Elastic IP 4 for bastion. Value: !Ref EIP4 Export: Name: !Sub ${AWS::StackName}-EIP4 CloudWatchLogs: Description: CloudWatch Logs GroupName. Your SSH logs will be stored here. Value: !Ref BastionMainLogGroup Export: Name: !Sub ${AWS::StackName}-CloudWatchLogs BastionSecurityGroupID: Description: Bastion security group ID. Value: !Ref BastionSecurityGroup Export: Name: !Sub ${AWS::StackName}-BastionSecurityGroupID BastionHostRole: Description: Bastion IAM role name. Value: !If [CreateIAMRole, !Ref BastionHostRole, !Ref AlternativeIAMRole] Export: Name: !Sub ${AWS::StackName}-BastionHostRole Postdeployment: Description: See the deployment guide for post-deployment steps. Value: https://fwd.aws/YqpXk?