AWSTemplateFormatVersion: 2010-09-09 Description: This AWS CloudFormation template deploys a bastion host enrolled with Okta Advanced Server Access (qs-1rm280cl1) Metadata: LICENSE: Apache License, Version 2.0 QuickStartDocumentation: EntrypointName: "Parameters for deploying Okta ASA into an existing VPC" Order: "2" AWS::CloudFormation::Interface: ParameterGroups: - Label: default: Network configuration Parameters: - VPCID - PublicSubnet1ID - PublicSubnet2ID - RemoteAccessCIDR - Label: default: Amazon EC2 configuration Parameters: - KeyPairName - EC2AMIOS - EC2InstanceType - RootVolumeSize - Label: default: Linux bastion configuration Parameters: - NumEC2Hosts - BastionHostName - EC2Tenancy - EnableBanner - EC2Banner - EnableTCPForwarding - EnableX11Forwarding - Label: default: Alternative configurations Parameters: - AlternativeInitializationScript - OSImageOverride - AlternativeIAMRole - EnvironmentVariables - Label: default: AWS Quick Start configuration Parameters: - QSS3BucketName - QSS3KeyPrefix - QSS3BucketRegion - Label: default: "Okta Advanced Server Access parameters" Parameters: - EnrollmentToken ParameterLabels: AlternativeIAMRole: default: Alternative IAM role AlternativeInitializationScript: default: Alternative initialization script EC2AMIOS: default: Bastion AMI operating system BastionHostName: default: Bastion host name EC2Tenancy: default: Bastion tenancy EC2Banner: default: Banner text QSS3BucketRegion: default: Quick Start S3 bucket Region EC2InstanceType: default: Bastion instance type EnableBanner: default: Bastion banner EnableTCPForwarding: default: TCP forwarding EnableX11Forwarding: default: X11 forwarding EnvironmentVariables: default: Environment variables KeyPairName: default: Key pair name NumEC2Hosts: default: Number of bastion hosts OSImageOverride: default: Operating-system image override PublicSubnet1ID: default: Public subnet 1 ID PublicSubnet2ID: default: Public subnet 2 ID QSS3BucketName: default: Quick Start S3 bucket name QSS3KeyPrefix: default: Quick Start S3 key prefix RemoteAccessCIDR: default: Allowed bastion external access CIDR VPCID: default: VPC ID RootVolumeSize: default: Root volume size EnrollmentToken: default: Okta Advanced Server Access enrollment token cfn-lint: { config: { ignore_checks: [E9007] } } Parameters: EC2AMIOS: AllowedValues: - Ubuntu-Server-20.04-LTS-HVM - CentOS-7-HVM - SUSE-SLES-15-HVM - Amazon-Linux2-HVM Default: Amazon-Linux2-HVM Description: Linux distribution for the AMI to be used for the bastion instances. Type: String BastionHostName: Default: 'LinuxBastion' Description: Value used for the name tag of the bastion host. Type: String EC2Banner: Default: "" Description: Banner text to display upon login. Type: String EC2Tenancy: Description: 'VPC tenancy to launch the bastion in. To change from "default," choose "dedicated."' Type: String Default: default AllowedValues: - dedicated - default EC2InstanceType: AllowedValues: - t2.nano - t2.micro - t2.small - t2.medium - t2.large - t3.micro - t3.small - t3.medium - t3.large - t3.xlarge - t3.2xlarge - m4.large - m4.xlarge - m4.2xlarge - m4.4xlarge Default: t2.micro Description: Amazon EC2 instance type for the bastion instances. Type: String EnableBanner: AllowedValues: - 'true' - 'false' Default: 'false' Description: To display a banner when connecting to the bastion using SSH, choose "true." Type: String EnableTCPForwarding: Type: String Description: With TCP forwarding on a Linux bastion host, you can set up direct connections from outside of the VPC to services running in private subnets by routing the traffic through the bastion host. To disable TCP forwarding, choose "false." Default: 'true' AllowedValues: - 'true' - 'false' EnableX11Forwarding: Type: String Description: With X11 forwarding on a Linux bastion host, you can establish management connections to Linux instances using GUIs (as opposed to text-based SSH connections). To disable X11 forwarding, choose "false." Default: 'true' AllowedValues: - 'true' - 'false' KeyPairName: Description: Name of an existing public/private key pair. You use this name to securely connect to your instance after it launches. If you do not have one in this AWS Region, create one before continuing. Type: 'AWS::EC2::KeyPair::KeyName' NumEC2Hosts: AllowedValues: - '1' - '2' - '3' - '4' Default: '1' Description: Number of bastion hosts to create. The maximum number is four. Type: String PublicSubnet1ID: Description: ID of the public subnet 1 that you want to provision the first bastion into (e.g., subnet-a0246dcd). Type: 'AWS::EC2::Subnet::Id' PublicSubnet2ID: Description: ID of the public subnet 2 that you want to provision the second bastion into (e.g., subnet-e3246d8e). Type: 'AWS::EC2::Subnet::Id' QSS3BucketName: AllowedPattern: '^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$' ConstraintDescription: The Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Default: aws-quickstart Description: Name of the S3 bucket for your copy of the Quick Start assets. Keep the default name unless you are customizing the template. Changing the name updates code references to point to a new Quick Start location. This name can include numbers, lowercase letters, uppercase letters, and hyphens, but do not start or end with a hyphen (-). See https://aws-quickstart.github.io/option1.html. Type: String QSS3BucketRegion: Default: 'us-east-1' Description: 'AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. Keep the default Region unless you are customizing the template. Changing this Region updates code references to point to a new Quick Start location. When using your own bucket, specify the Region. See https://aws-quickstart.github.io/option1.html.' Type: String QSS3KeyPrefix: AllowedPattern: '^([0-9a-zA-Z-.]+/)*$' ConstraintDescription: The Quick Start S3 key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slashes (/). The prefix should end with a forward slash (/). Default: quickstart-okta-asa/ Description: S3 key prefix that is used to simulate a directory for your copy of the Quick Start assets. Keep the default prefix unless you are customizing the template. Changing this prefix updates code references to point to a new Quick Start location. This prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slashes (/). End with a forward slash. See https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMetadata.html and https://aws-quickstart.github.io/option1.html. Type: String RemoteAccessCIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/x Description: Allowed CIDR block for external SSH access to the bastions. Type: String VPCID: Description: 'ID of the VPC (e.g., vpc-0343606e).' Type: 'AWS::EC2::VPC::Id' AlternativeInitializationScript: AllowedPattern: ^http.*|^$ ConstraintDescription: URL must begin with http Description: Alternative initialization script to run during setup. Default: '' Type: String OSImageOverride: Description: Region-specific image to use for the instance. Type: String Default: '' AlternativeIAMRole: Description: Existing IAM role name to attach to the bastion. If kept blank, a new role will be created. Default: '' Type: String EnvironmentVariables: Description: Comma-separated list of environment variables for use in bootstrapping. Variables must be in the format KEY=VALUE. VALUE cannot contain commas. Type: String Default: '' RootVolumeSize: Description: Size in GB for the root EBS volume. Type: Number Default: '10' EnrollmentToken: Type: String Description: Okta Advanced Server Access enrollment token. MinLength: 24 ConstraintDescription: Must contain a valid ASA enrollment token. Rules: SubnetsInVPC: Assertions: - Assert: 'Fn::EachMemberIn': - 'Fn::ValueOfAll': - 'AWS::EC2::Subnet::Id' - VpcId - 'Fn::RefAll': 'AWS::EC2::VPC::Id' AssertDescription: All subnets must exist in the VPC. Mappings: AWSAMIRegionMap: af-south-1: AMZNLINUX2: ami-0bb140f2ff1df29fc US2004HVM: ami-012b8921f84acdd04 CENTOS7HVM: ami-0a2be7731769e6cc1 # SLES15HVM: ami-EXAMPLE ap-northeast-1: AMZNLINUX2: ami-00f045aed21a55240 US2004HVM: ami-0f2322bff98877761 CENTOS7HVM: ami-06a46da680048c8ae SLES15HVM: ami-056ac8ad44e6a7e1f ap-northeast-2: AMZNLINUX2: ami-03461b78fdba0ff9d US2004HVM: ami-0cd95d39e3d87eb40 CENTOS7HVM: ami-06e83aceba2cb0907 SLES15HVM: ami-0f81fff879bafe6b8 ap-south-1: AMZNLINUX2: ami-08f63db601b82ff5f US2004HVM: ami-07ab71173dc8c331e CENTOS7HVM: ami-026f33d38b6410e30 SLES15HVM: ami-01be89269d32f2a16 ap-southeast-1: AMZNLINUX2: ami-0d728fd4e52be968f US2004HVM: ami-086d2d413b385037d CENTOS7HVM: ami-07f65177cb990d65b SLES15HVM: ami-070356c21596ddc67 ap-southeast-2: AMZNLINUX2: ami-09f765d333a8ebb4b US2004HVM: ami-061c4c77197bf567a CENTOS7HVM: ami-0b2045146eb00b617 SLES15HVM: ami-0c4245381c67efb39 ca-central-1: AMZNLINUX2: ami-0fca0f98dc87d39df US2004HVM: ami-0d4ae853aceec6074 CENTOS7HVM: ami-04a25c39dc7a8aebb SLES15HVM: ami-0c97d9b588207dad6 eu-central-1: AMZNLINUX2: ami-0bd39c806c2335b95 US2004HVM: ami-0be656e75e69af1a9 CENTOS7HVM: ami-0e8286b71b81c3cc1 SLES15HVM: ami-05dfd265ea534a3e9 me-south-1: AMZNLINUX2: ami-0b38d62acce7fb76a US2004HVM: ami-0147ed463d9315c94 CENTOS7HVM: ami-011c71a894b10f35b SLES15HVM: ami-0252c6d3a59c7473b ap-east-1: AMZNLINUX2: ami-7284c903 US2004HVM: ami-34cf8245 CENTOS7HVM: ami-0e5c29e6c87a9644f SLES15HVM: ami-0ad6e15bcbb2dbe38 eu-north-1: AMZNLINUX2: ami-02511cb3673b49e04 US2004HVM: ami-0faf140cd5302841b CENTOS7HVM: ami-05788af9005ef9a93 SLES15HVM: ami-0741fa1a008af40ad eu-south-1: AMZNLINUX2: ami-08a2aed6e0a6f9c7d US2004HVM: ami-01eec6bdfa20f008e CENTOS7HVM: ami-0a84267606bcea16b SLES15HVM: ami-051cbea0e7660063d eu-west-1: AMZNLINUX2: ami-0ce1e3f77cd41957e US2004HVM: ami-055958ae2f796344b CENTOS7HVM: ami-0b850cf02cc00fdc8 SLES15HVM: ami-0a58a1b152ba55f1d eu-west-2: AMZNLINUX2: ami-08b993f76f42c3e2f US2004HVM: ami-09c4a4b013e66b291 CENTOS7HVM: ami-09e5afc68eed60ef4 SLES15HVM: ami-01497522185aaa4ee eu-west-3: AMZNLINUX2: ami-0e9c91a3fc56a0376 US2004HVM: ami-0b14b90c53fdbb103 CENTOS7HVM: ami-0cb72d2e599cffbf9 SLES15HVM: ami-0f238bd4c6fdbefb0 sa-east-1: AMZNLINUX2: ami-0096398577720a4a3 US2004HVM: ami-0f1aecac8376e25fe CENTOS7HVM: ami-0b30f38d939dd4b54 SLES15HVM: ami-0772af912976aa692 us-east-1: AMZNLINUX2: ami-04d29b6f966df1537 US2004HVM: ami-0be3f0371736d5394 CENTOS7HVM: ami-0affd4508a5d2481b SLES15HVM: ami-0b1764f3d7d2e2316 us-gov-west-1: AMZNLINUX2: ami-cb2a11aa SLES15HVM: ami-57c0ba36 us-gov-east-1: AMZNLINUX2: ami-c2e209b3 SLES15HVM: ami-05e4bedfad53425e9 us-east-2: AMZNLINUX2: ami-09558250a3419e7d0 US2004HVM: ami-0b289b3e97908e84e CENTOS7HVM: ami-01e36b7901e884a10 SLES15HVM: ami-05ea824317ffc0c20 us-west-1: AMZNLINUX2: ami-08d9a394ac1c2994c US2004HVM: ami-05ddb1bcba9ace858 CENTOS7HVM: ami-098f55b4287a885ba SLES15HVM: ami-00e34a7624e5a7107 us-west-2: AMZNLINUX2: ami-0e472933a1395e172 US2004HVM: ami-0c007ac192ba0744b CENTOS7HVM: ami-0bc06212a56393ee1 SLES15HVM: ami-0f1e3b3fb0fec0361 cn-north-1: AMZNLINUX2: ami-0cf913cef98c31648 CENTOS7HVM: ami-08c16f7e830c0e393 SLES15HVM: ami-021392849b6221a81 cn-northwest-1: AMZNLINUX2: ami-0a12cb9cd7fea53e7 CENTOS7HVM: ami-0f21aa96a61df8c44 SLES15HVM: ami-00e1de3ee6d0d28ea LinuxAMINameMap: Amazon-Linux2-HVM: Code: AMZNLINUX2 OS: Amazon CentOS-7-HVM: Code: CENTOS7HVM OS: CentOS Ubuntu-Server-18.04-LTS-HVM: Code: US1804HVM OS: Ubuntu Ubuntu-Server-20.04-LTS-HVM: Code: US2004HVM OS: Ubuntu SUSE-SLES-15-HVM: Code: SLES15HVM OS: SLES Conditions: 2BastionCondition: !Or - !Equals - !Ref NumEC2Hosts - '2' - !Condition 3BastionCondition - !Condition 4BastionCondition 3BastionCondition: !Or - !Equals - !Ref NumEC2Hosts - '3' - !Condition 4BastionCondition 4BastionCondition: !Equals - !Ref NumEC2Hosts - '4' UseAlternativeInitialization: !Not - !Equals - !Ref AlternativeInitializationScript - '' CreateIAMRole: !Equals - !Ref AlternativeIAMRole - '' UseOSImageOverride: !Not - !Equals - !Ref OSImageOverride - '' UsingDefaultBucket: !Equals [!Ref QSS3BucketName, 'aws-quickstart'] DefaultBanner: !Equals [!Ref EC2Banner, ""] Resources: BastionMainLogGroup: Type: 'AWS::Logs::LogGroup' SSHMetricFilter: Type: 'AWS::Logs::MetricFilter' Properties: LogGroupName: !Ref BastionMainLogGroup FilterPattern: ON FROM USER PWD MetricTransformations: - MetricName: SSHCommandCount MetricValue: '1' MetricNamespace: !Sub "AWSQuickStart/${AWS::StackName}" BastionHostRole: Condition: CreateIAMRole Type: 'AWS::IAM::Role' Properties: Path: / AssumeRolePolicyDocument: Statement: - Action: - 'sts:AssumeRole' Principal: Service: - !Sub 'ec2.${AWS::URLSuffix}' Effect: Allow Version: 2012-10-17 ManagedPolicyArns: - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore' - !Sub 'arn:${AWS::Partition}:iam::aws:policy/CloudWatchAgentServerPolicy' BastionHostPolicy: Type: 'AWS::IAM::Policy' Properties: PolicyName: BastionPolicy PolicyDocument: Version: 2012-10-17 Statement: - Action: - 's3:GetObject' Resource: !Sub - arn:${AWS::Partition}:s3:::${S3Bucket}/${QSS3KeyPrefix}* - S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Effect: Allow - Action: - 'logs:CreateLogStream' - 'logs:GetLogEvents' - 'logs:PutLogEvents' - 'logs:DescribeLogGroups' - 'logs:DescribeLogStreams' - 'logs:PutRetentionPolicy' - 'logs:PutMetricFilter' - 'logs:CreateLogGroup' Resource: !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:${BastionMainLogGroup}:*" Effect: Allow - Action: - 'ec2:AssociateAddress' - 'ec2:DescribeAddresses' Resource: '*' Effect: Allow Roles: - !If - CreateIAMRole - !Ref BastionHostRole - !Ref AlternativeIAMRole BastionHostProfile: DependsOn: BastionHostPolicy Type: 'AWS::IAM::InstanceProfile' Properties: Roles: - !If - CreateIAMRole - !Ref BastionHostRole - !Ref AlternativeIAMRole Path: / EIP1: Type: 'AWS::EC2::EIP' Properties: Domain: vpc EIP2: Type: 'AWS::EC2::EIP' Condition: 2BastionCondition Properties: Domain: vpc EIP3: Type: 'AWS::EC2::EIP' Condition: 3BastionCondition Properties: Domain: vpc EIP4: Type: 'AWS::EC2::EIP' Condition: 4BastionCondition Properties: Domain: vpc BastionAutoScalingGroup: Type: 'AWS::AutoScaling::AutoScalingGroup' Properties: LaunchConfigurationName: !Ref BastionLaunchConfiguration VPCZoneIdentifier: - !Ref PublicSubnet1ID - !Ref PublicSubnet2ID MinSize: !Ref NumEC2Hosts MaxSize: !Ref NumEC2Hosts Cooldown: '900' DesiredCapacity: !Ref NumEC2Hosts Tags: - Key: Name Value: !Ref BastionHostName PropagateAtLaunch: true CreationPolicy: ResourceSignal: Count: !Ref NumEC2Hosts Timeout: PT60M AutoScalingCreationPolicy: MinSuccessfulInstancesPercent: 100 UpdatePolicy: AutoScalingReplacingUpdate: WillReplace: true BastionLaunchConfiguration: Type: 'AWS::AutoScaling::LaunchConfiguration' Metadata: 'AWS::CloudFormation::Authentication': S3AccessCreds: type: S3 roleName: !If - CreateIAMRole - !Ref BastionHostRole - !Ref AlternativeIAMRole buckets: - !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] 'AWS::CloudFormation::Init': config: files: /tmp/install_asa_bastion.sh: source: !Sub - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}scripts/install_asa_bastion.sh - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] mode: '000550' owner: root group: root authentication: S3AccessCreds /tmp/auditd.rules: mode: '000550' owner: root group: root content: | -a exit,always -F arch=b64 -S execve -a exit,always -F arch=b32 -S execve /tmp/auditing_configure.sh: source: !Sub - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}scripts/auditing_configure.sh - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] mode: '000550' owner: root group: root authentication: S3AccessCreds /tmp/bastion_bootstrap.sh: source: !If - UseAlternativeInitialization - !Ref AlternativeInitializationScript - !Sub - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}scripts/bastion_bootstrap.sh - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] mode: '000550' owner: root group: root authentication: S3AccessCreds commands: a-add_auditd_rules: cwd: '/tmp/' env: BASTION_OS: !FindInMap [LinuxAMINameMap, !Ref EC2AMIOS, OS] command: "./auditing_configure.sh" # command: # - !If [ ] # - "cat /tmp/auditd.rules >> /etc/audit/rules.d/audit.rules && service auditd restart" b-bootstrap: cwd: '/tmp/' env: REGION: !Sub ${AWS::Region} URL_SUFFIX: !Sub ${AWS::URLSuffix} BANNER_REGION: !If [ UsingDefaultBucket, !Ref 'AWS::Region', !Ref 'QSS3BucketRegion' ] command: !Sub - "./bastion_bootstrap.sh --banner ${BannerUrl} --enable ${EnableBanner} --tcp-forwarding ${EnableTCPForwarding} --x11-forwarding ${EnableX11Forwarding}" - BannerUrl: !If - DefaultBanner - !Sub - s3://${S3Bucket}/${QSS3KeyPrefix}scripts/banner_message.txt - S3Bucket: !If [ UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref 'QSS3BucketName' ] - !Ref EC2Banner c-install_asa: cwd: '/tmp/' env: BASTION_OS: !FindInMap [LinuxAMINameMap, !Ref EC2AMIOS, OS] ENROLLMENT_TOKEN: !Ref EnrollmentToken BASTION_HOSTNAME: !Ref BastionHostName command: "./install_asa_bastion.sh" Properties: AssociatePublicIpAddress: true PlacementTenancy: !Ref EC2Tenancy KeyName: !Ref KeyPairName IamInstanceProfile: !Ref BastionHostProfile ImageId: !If - UseOSImageOverride - !Ref OSImageOverride - !FindInMap - AWSAMIRegionMap - !Ref 'AWS::Region' - !FindInMap - LinuxAMINameMap - !Ref EC2AMIOS - Code SecurityGroups: - !Ref BastionSecurityGroup InstanceType: !Ref EC2InstanceType BlockDeviceMappings: - DeviceName: /dev/xvda Ebs: VolumeSize: !Ref RootVolumeSize VolumeType: gp2 Encrypted: true DeleteOnTermination: true UserData: Fn::Base64: !Sub - | #!/bin/bash set -x for e in $(echo "${EnvironmentVariables}" | tr ',' ' '); do export $e done export PATH=$PATH:/usr/local/bin #cfn signaling functions yum install git -y || apt-get install -y git || zypper -n install git function cfn_fail { cfn-signal -e 1 --stack ${AWS::StackName} --region ${AWS::Region} --resource BastionAutoScalingGroup exit 1 } function cfn_success { cfn-signal -e 0 --stack ${AWS::StackName} --region ${AWS::Region} --resource BastionAutoScalingGroup exit 0 } until git clone https://github.com/aws-quickstart/quickstart-linux-utilities.git ; do echo "Retrying"; done cd /quickstart-linux-utilities; source quickstart-cfn-tools.source; qs_update-os || qs_err; qs_bootstrap_pip || qs_err " pip bootstrap failed "; qs_aws-cfn-bootstrap || qs_err " cfn bootstrap failed "; EIP_LIST="${EIP1},${EIP2},${EIP3},${EIP4}" CLOUDWATCHGROUP=${BastionMainLogGroup} cfn-init -v --stack '${AWS::StackName}' --resource BastionLaunchConfiguration --region ${AWS::Region} || cfn_fail [ $(qs_status) == 0 ] && cfn_success || cfn_fail - EIP2: !If - 2BastionCondition - !Ref EIP2 - 'Null' EIP3: !If - 3BastionCondition - !Ref EIP3 - 'Null' EIP4: !If - 4BastionCondition - !Ref EIP4 - 'Null' BastionSecurityGroup: Type: 'AWS::EC2::SecurityGroup' Properties: GroupDescription: Enables SSH Access to Bastion Hosts VpcId: !Ref VPCID SecurityGroupIngress: - IpProtocol: tcp FromPort: 22 ToPort: 22 CidrIp: !Ref RemoteAccessCIDR - IpProtocol: icmp FromPort: -1 ToPort: -1 CidrIp: !Ref RemoteAccessCIDR Outputs: BastionAutoScalingGroup: Description: Auto Scaling Group Reference ID Value: !Ref BastionAutoScalingGroup Export: Name: !Sub '${AWS::StackName}-BastionAutoScalingGroup' EIP1: Description: Elastic IP 1 for Bastion Value: !Ref EIP1 Export: Name: !Sub '${AWS::StackName}-EIP1' EIP2: Condition: 2BastionCondition Description: Elastic IP 2 for Bastion Value: !Ref EIP2 Export: Name: !Sub '${AWS::StackName}-EIP2' EIP3: Condition: 3BastionCondition Description: Elastic IP 3 for Bastion Value: !Ref EIP3 Export: Name: !Sub '${AWS::StackName}-EIP3' EIP4: Condition: 4BastionCondition Description: Elastic IP 4 for Bastion Value: !Ref EIP4 Export: Name: !Sub '${AWS::StackName}-EIP4' CloudWatchLogs: Description: CloudWatch Logs GroupName. Your SSH logs will be stored here. Value: !Ref BastionMainLogGroup Export: Name: !Sub '${AWS::StackName}-CloudWatchLogs' BastionSecurityGroupID: Description: Bastion Security Group ID Value: !Ref BastionSecurityGroup Export: Name: !Sub '${AWS::StackName}-BastionSecurityGroupID' BastionHostRole: Description: Bastion IAM role name Value: !If - CreateIAMRole - !Ref BastionHostRole - !Ref AlternativeIAMRole Export: Name: !Sub '${AWS::StackName}-BastionHostRole' Postdeployment: Description: To test your deployment, see the procedure in the deployment guide. Value: https://fwd.aws/3EYzN