--- AWSTemplateFormatVersion: 2010-09-09 Description: This master template creates a VPC infrastructure for a multi-AZ, multi-tier deployment of SIOS Protection Suite for Linux on AWS EC2. It deploys a VPC with bastions and the SIOS Protection Suite for Linux solution. **WARNING** This template creates EC2 instances and related resources. You will be billed for the AWS resources used if you create a stack from this template. SIOS Protection Suite for Linux is licensed separately. Please contact SIOS at support@us.sios.com or visit https://us.sios.com/demo-request/ for demo licenses. (qs-1oqirsqja) Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: default: VPC and bastion host Configuration Parameters: - AvailabilityZones - RemoteAccessCIDR - KeyPairName - BastionAMIOS - BastionInstanceType - NumBastionHosts - VPCCIDR - PrivateSubnet1CIDR - PrivateSubnet2CIDR - PublicSubnet1CIDR - PublicSubnet2CIDR - Label: default: SIOS Protection Suite instance configuration Parameters: - SPSLInstanceNamePrefix - SPSLInstanceType - HomeVolumeType - HomeSize - HomeIops - HomeDeleteOnTermination - MirrorVolumeType - MirrorSize - MirrorIops - MirrorDeleteOnTermination - NewRootPassword - SIOSAMIType - SIOSLicenseKeyFtpURL - Node1PrivateIP - Node2PrivateIP - WindowsJumpboxInstanceType - Label: default: AWS Quick Start configuration Parameters: - QSS3BucketName - QSS3BucketRegion - QSS3KeyPrefix ParameterLabels: RemoteAccessCIDR: default: Allowed bastion external access CIDR AvailabilityZones: default: Availability zones BastionAMIOS: default: Bastion AMI operating system BastionInstanceType: default: Bastion instance type NumBastionHosts: default: Number of bastion hosts. VPCCIDR: default: Global CIDR block for entire VPC PrivateSubnet1CIDR: default: CIDR block for private subnet 1A PrivateSubnet2CIDR: default: CIDR block for private subnet 2A PublicSubnet1CIDR: default: CIDR block for public subnet 1 PublicSubnet2CIDR: default: CIDR block for public subnet 2 SPSLInstanceNamePrefix: default: SIOS Protection Suite instance name SPSLInstanceType: default: SIOS Protection Suite instance type HomeDeleteOnTermination: default: Delete home on termination HomeIops: default: Home directory IOPS HomeVolumeType: default: Home directory volume type HomeSize: default: Home directory size MirrorDeleteOnTermination: default: Delete mirror on termination MirrorIops: default: Mirror directory IOPS MirrorVolumeType: default: Mirror directory volume type MirrorSize: default: Mirror directory size Node1PrivateIP: default: Node 1 private IP address Node2PrivateIP: default: Node 2 private IP address KeyPairName: default: Key pair name NewRootPassword: default: new root password SIOSAMIType: default: License model for SIOS AMI SIOSLicenseKeyFtpURL: default: SIOS Protection Suite license URL WindowsJumpboxInstanceType: default: Optional Windows jumpbox instance type QSS3BucketName: default: Quick Start S3 bucket name QSS3BucketRegion: default: Quick Start S3 bucket region QSS3KeyPrefix: default: Quick Start S3 key prefix Parameters: RemoteAccessCIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/x Description: CIDR IP range that is permitted to access the SIOS Protection Suite server via the Bastion Server. We recommend that you set this value to a trusted IP range. Type: String AvailabilityZones: Description: List of Availability Zones to use for the subnets in the VPC. The Quick Start uses two Availability Zones from your list and preserves the logical order you specify. Type: List BastionAMIOS: AllowedValues: - Amazon-Linux2-HVM - CentOS-7-HVM - Ubuntu-Server-20.04-LTS-HVM - SUSE-SLES-15-HVM Default: Amazon-Linux2-HVM Description: Linux distribution for the AMI to be used for the bastion instances. Type: String BastionInstanceType: AllowedValues: - t2.nano - t2.micro - t2.small - t2.medium - t2.large - m3.large - m3.xlarge - m3.2xlarge - m4.large - m4.xlarge - m4.2xlarge - m4.4xlarge Default: t2.micro Description: Amazon EC2 instance type for the bastion instances. Type: String WindowsJumpboxInstanceType: AllowedValues: - None - t2.nano - t2.micro - t2.small - t2.medium - t2.large - m3.large - m3.xlarge - m3.2xlarge - m4.large - m4.xlarge - m4.2xlarge - m4.4xlarge Default: None Description: Amazon EC2 instance type for an optional Windows Jumpbox. Type: String VPCCIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/x Description: Global CIDR IP range for entire VPC. Default: 10.0.0.0/16 Type: String PrivateSubnet1CIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/x Description: CIDR IP range for the private subnet located in Availability Zone 1. Default: 10.0.0.0/19 Type: String PrivateSubnet2CIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/x Description: CIDR IP range for the private subnet located in Availability Zone 2. Default: 10.0.32.0/19 Type: String PublicSubnet1CIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/x Description: CIDR IP range for the public (DMZ) subnet located in Availability Zone 1. Default: 10.0.128.0/20 Type: String PublicSubnet2CIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/x Description: CIDR IP range for the public (DMZ) subnet located in Availability Zone 2. Default: 10.0.144.0/20 Type: String SPSLInstanceType: Description: Amazon EC2 instance type for the SIOS Protection Suite servers. Type: String Default: t2.medium AllowedValues: - t2.medium - t2.large - t2.xlarge - t2.2xlarge - m3.medium - m3.large - m3.xlarge - m3.2xlarge - m4.large - m4.xlarge - m4.2xlarge - m4.4xlarge - m4.10xlarge - m4.16xlarge - m5.large - m5.xlarge - m5.2xlarge - m5.4xlarge - m5.12xlarge - m5.24xlarge - c3.large - c3.xlarge - c3.2xlarge - c3.4xlarge - c3.8xlarge - c4.large - c4.xlarge - c4.2xlarge - c4.4xlarge - c4.8xlarge - x1.16xlarge - x1.32xlarge - x1e.xlarge - x1e.2xlarge - x1e.4xlarge - x1e.8xlarge - x1e.16xlarge - x1e.32xlarge - r3.large - r3.xlarge - r3.2xlarge - r3.4xlarge - r3.8xlarge - r4.large - r4.xlarge - r4.2xlarge - r4.4xlarge - r4.8xlarge - r4.16xlarge - p2.xlarge - p2.8xlarge - p2.16xlarge - p3.2xlarge - p3.8xlarge - p3.16xlarge - g2.2xlarge - g2.8xlarge - g3.4xlarge - g3.8xlarge - g3.16xlarge - h1.2xlarge - h1.4xlarge - h1.8xlarge - h1.16xlarge - i2.xlarge - i2.2xlarge - i2.4xlarge - i2.8xlarge - i3.large - i3.xlarge - i3.2xlarge - i3.4xlarge - i3.8xlarge - i3.16xlarge - d2.xlarge - d2.2xlarge - d2.4xlarge - d2.8xlarge ConstraintDescription: must be a valid EC2 instance type. HomeDeleteOnTermination: Description: Delete home directory volume when the SIOS Protection Suite server instance is terminated. Keep the default setting of true to delete the home directory when the instance is terminated. If true, you must back up your data before terminating your instance. Set to false to keep the home directory volume upon termination. Type: String Default: "true" AllowedValues: [true, false] ConstraintDescription: Must be 'true' or 'false'. HomeIops: Description: IOPS for the home directory. This value is used only when the Home volume type parameter is set to Provisioned IOPS. Allowed range is 100-20,000. The ratio of IOPS to volume size must be 50 or less. For example, if you set this parameter to 5000 IOPS, the home directory size must be at least 100 GiB. Type: Number Default: 1000 MinValue: 100 MaxValue: 20000 ConstraintDescription: Must be in the range 100 - 20000. HomeSize: Description: Storage size for the home directory, in GiB. Allowed range is 100 - 16,384. Type: Number Default: 100 MinValue: 100 MaxValue: 16384 ConstraintDescription: Must be in the range 100 - 16384. HomeVolumeType: Description: Volume type for the home directory. Type: String Default: "General Purpose (SSD)" AllowedValues: ["General Purpose (SSD)", "Provisioned IOPS"] ConstraintDescription: Must be 'General Purpose (SSD)' or 'Provisioned IOPS'. MirrorDeleteOnTermination: Description: Delete the replicated volume when the SIOS Protection Suite server instance is terminated. Keep the default setting of true to delete the home directory when the instance is terminated. If true, you must back up your data before terminating your instance. Set to false to keep the replicated volume upon termination. Type: String Default: "true" AllowedValues: [true, false] ConstraintDescription: Must be 'true' or 'false'. MirrorIops: Description: IOPS for the mirror volume. This value is used only when the Mirror volume type parameter is set to Provisioned IOPS. Allowed range is 100 - 20,000. The ratio of IOPS to volume size must be 50 or less. For example, if you set this parameter to 5000 IOPS, the home directory size must be at least 100 GiB. Type: Number Default: 1000 MinValue: 100 MaxValue: 20000 ConstraintDescription: Must be in the range 100 - 20000. MirrorSize: Description: Storage size for the replicated volume, in GiB. Allowed range is 100 - 16,384. Type: Number Default: 100 MinValue: 100 MaxValue: 16384 ConstraintDescription: Must be in the range 100 - 16384. MirrorVolumeType: Description: Volume type for the replicated data directory. Type: String Default: "General Purpose (SSD)" AllowedValues: ["General Purpose (SSD)", "Provisioned IOPS"] ConstraintDescription: Must be 'General Purpose (SSD)' or 'Provisioned IOPS'. Node1PrivateIP: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$ ConstraintDescription: IPv4 address parameter must be in the form x.x.x.x Description: Primary private IP for the cluster node located in Availability Zone 1. Default: 10.0.0.100 Type: String Node2PrivateIP: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$ ConstraintDescription: IPv4 address parameter must be in the form x.x.x.x Description: Primary private IP for the cluster node located in Availability Zone 2. Default: 10.0.32.100 Type: String KeyPairName: Description: Public/private key pair, which allows you to connect securely to your instance after it launches. When you created an AWS account, this is the key pair you created in your preferred region. Type: AWS::EC2::KeyPair::KeyName NumBastionHosts: AllowedValues: - "1" - "2" - "3" - "4" Default: "1" Description: "Enter the number of bastion hosts to create" Type: "String" NewRootPassword: Description: Password for predefined admin user used to administer SIOS Protection Suite (Min. Length of 8 Characters, Max Length of 16 Characters). Type: String MinLength: 8 MaxLength: 16 NoEcho: true SIOSAMIType: Description: SIOS Protection Suite AMI license model to use for cluster nodes. Type: String Default: PAYG AllowedValues: - BYOL - PAYG SIOSLicenseKeyFtpURL: Description: URL used to obtain license key for SIOS Protection Suite for Linux software. Type: String SPSLInstanceNamePrefix: Description: Name prefix for the SIOS Protection Suite servers. Type: String Default: SPSL QSS3BucketName: AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$ ConstraintDescription: Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Default: aws-quickstart Description: S3 bucket where the Quick Start templates and scripts are installed. Use this parameter to specify the S3 bucket name you’ve created for your copy of Quick Start assets, if you decide to customize or extend the Quick Start for your own use. The bucket name can include numbers, lowercase letters, uppercase letters, and hyphens, but should not start or end with a hyphen. Type: String QSS3BucketRegion: Default: 'us-east-1' Description: 'The AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. When using your own bucket, you must specify this value.' Type: String QSS3KeyPrefix: AllowedPattern: ^[0-9a-zA-Z-/]*$ ConstraintDescription: Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/). Default: quickstart-sios-protection-suite/ Description: The S3 key name prefix used to simulate a folder for your copy of Quick Start assets, if you decide to customize or extend the Quick Start for your own use. This prefix can include numbers, lowercase letters, uppercase letters, hyphens, and forward slashes, and should end with a forward slash. Type: String Conditions: UsingDefaultBucket: !Equals [!Ref QSS3BucketName, 'aws-quickstart'] Resources: VPCStack: Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-aws-vpc/templates/aws-vpc.template.yaml' - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Parameters: AvailabilityZones: Fn::Join: - ',' - Ref: AvailabilityZones NumberOfAZs: '2' PrivateSubnet1ACIDR: Ref: PrivateSubnet1CIDR PrivateSubnet2ACIDR: Ref: PrivateSubnet2CIDR PublicSubnet1CIDR: Ref: PublicSubnet1CIDR PublicSubnet2CIDR: Ref: PublicSubnet2CIDR VPCCIDR: Ref: VPCCIDR BastionStack: DependsOn: VPCStack Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-linux-bastion/templates/linux-bastion.template' - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Parameters: BastionAMIOS: Ref: BastionAMIOS BastionInstanceType: Ref: BastionInstanceType EnableBanner: true EnableTCPForwarding: true EnableX11Forwarding: true KeyPairName: Ref: KeyPairName NumBastionHosts: Ref: NumBastionHosts PublicSubnet1ID: Fn::GetAtt: - VPCStack - Outputs.PublicSubnet1ID PublicSubnet2ID: Fn::GetAtt: - VPCStack - Outputs.PublicSubnet2ID QSS3BucketName: Ref: QSS3BucketName QSS3BucketRegion: Ref: QSS3BucketRegion QSS3KeyPrefix: Fn::Sub: ${QSS3KeyPrefix}submodules/quickstart-linux-bastion/ RemoteAccessCIDR: Ref: RemoteAccessCIDR VPCID: Fn::GetAtt: - VPCStack - Outputs.VPCID SPSStack: DependsOn: BastionStack Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/sios-protection-suite.template.yaml' - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Parameters: RemoteAccessSecurityGroupID: Fn::GetAtt: - BastionStack - Outputs.BastionSecurityGroupID RemoteAccessCIDR: Ref: RemoteAccessCIDR SPSLInstanceNamePrefix: Ref: SPSLInstanceNamePrefix SPSLInstanceType: Ref: SPSLInstanceType KeyPairName: Ref: KeyPairName NewRootPassword: Ref: NewRootPassword SIOSAMIType: Ref: SIOSAMIType SIOSLicenseKeyFtpURL: Ref: SIOSLicenseKeyFtpURL VPCID: Fn::GetAtt: - VPCStack - Outputs.VPCID PrivateSubnet1ID: Fn::GetAtt: - VPCStack - Outputs.PrivateSubnet1AID PrivateSubnet1CIDR: Ref: PrivateSubnet1CIDR Node1PrivateIP: Ref: Node1PrivateIP Node2PrivateIP: Ref: Node2PrivateIP PrivateSubnet2ID: Fn::GetAtt: - VPCStack - Outputs.PrivateSubnet2AID PrivateSubnet2CIDR: Ref: PrivateSubnet2CIDR PublicSubnet1ID: Fn::GetAtt: - VPCStack - Outputs.PublicSubnet1ID PublicSubnet2ID: Fn::GetAtt: - VPCStack - Outputs.PublicSubnet2ID HomeVolumeType: Ref: HomeVolumeType HomeIops: Ref: HomeIops HomeSize: Ref: HomeSize HomeDeleteOnTermination: Ref: HomeDeleteOnTermination MirrorVolumeType: Ref: MirrorVolumeType MirrorIops: Ref: MirrorIops MirrorSize: Ref: MirrorSize MirrorDeleteOnTermination: Ref: MirrorDeleteOnTermination WindowsJumpboxInstanceType: Ref: WindowsJumpboxInstanceType LatestWindowsAmiId: /aws/service/ami-windows-latest/Windows_Server-2019-English-Full-Base QSS3BucketName: Ref: QSS3BucketName QSS3BucketRegion: Ref: QSS3BucketRegion QSS3KeyPrefix: Ref: QSS3KeyPrefix