// Jest Snapshot v1, https://goo.gl/fbAQLP exports[`test App Orchestrator Construct 1`] = ` { "Mappings": { "ServiceprincipalMap": { "af-south-1": { "states": "states.af-south-1.amazonaws.com", }, "ap-east-1": { "states": "states.ap-east-1.amazonaws.com", }, "ap-northeast-1": { "states": "states.ap-northeast-1.amazonaws.com", }, "ap-northeast-2": { "states": "states.ap-northeast-2.amazonaws.com", }, "ap-northeast-3": { "states": "states.ap-northeast-3.amazonaws.com", }, "ap-south-1": { "states": "states.ap-south-1.amazonaws.com", }, "ap-south-2": { "states": "states.ap-south-2.amazonaws.com", }, "ap-southeast-1": { "states": "states.ap-southeast-1.amazonaws.com", }, "ap-southeast-2": { "states": "states.ap-southeast-2.amazonaws.com", }, "ap-southeast-3": { "states": "states.ap-southeast-3.amazonaws.com", }, "ca-central-1": { "states": "states.ca-central-1.amazonaws.com", }, "cn-north-1": { "states": "states.cn-north-1.amazonaws.com", }, "cn-northwest-1": { "states": "states.cn-northwest-1.amazonaws.com", }, "eu-central-1": { "states": "states.eu-central-1.amazonaws.com", }, "eu-central-2": { "states": "states.eu-central-2.amazonaws.com", }, "eu-north-1": { "states": "states.eu-north-1.amazonaws.com", }, "eu-south-1": { "states": "states.eu-south-1.amazonaws.com", }, "eu-south-2": { "states": "states.eu-south-2.amazonaws.com", }, "eu-west-1": { "states": "states.eu-west-1.amazonaws.com", }, "eu-west-2": { "states": "states.eu-west-2.amazonaws.com", }, "eu-west-3": { "states": "states.eu-west-3.amazonaws.com", }, "me-central-1": { "states": "states.me-central-1.amazonaws.com", }, "me-south-1": { "states": "states.me-south-1.amazonaws.com", }, "sa-east-1": { "states": "states.sa-east-1.amazonaws.com", }, "us-east-1": { "states": "states.us-east-1.amazonaws.com", }, "us-east-2": { "states": "states.us-east-2.amazonaws.com", }, "us-gov-east-1": { "states": "states.us-gov-east-1.amazonaws.com", }, "us-gov-west-1": { "states": "states.us-gov-west-1.amazonaws.com", }, "us-iso-east-1": { "states": "states.amazonaws.com", }, "us-iso-west-1": { "states": "states.amazonaws.com", }, "us-isob-east-1": { "states": "states.amazonaws.com", }, "us-west-1": { "states": "states.us-west-1.amazonaws.com", }, "us-west-2": { "states": "states.us-west-2.amazonaws.com", }, }, }, "Parameters": { "ReuseOrchestratorLogGroup": { "AllowedValues": [ "yes", "no", ], "Default": "no", "Description": "Reuse existing Orchestrator Log Group? Choose "yes" if the log group already exists, else "no"", "Type": "String", }, }, "Resources": { "OrchestratorNestedLogStackNestedStackNestedLogStackNestedStackResource91223B3E": { "DeletionPolicy": "Delete", "Properties": { "Parameters": { "KmsKeyArn": { "Fn::GetAtt": [ "SHARRKeyC551FE02", "Value", ], }, "ReuseOrchestratorLogGroup": { "Ref": "ReuseOrchestratorLogGroup", }, }, "TemplateURL": { "Fn::Join": [ "", [ "https://", { "Fn::FindInMap": [ "SourceCode", "General", "S3Bucket", ], }, "-reference.s3.amazonaws.com/", { "Fn::FindInMap": [ "SourceCode", "General", "KeyPrefix", ], }, "/aws-sharr-orchestrator-log.template", ], ], }, }, "Type": "AWS::CloudFormation::Stack", "UpdateReplacePolicy": "Delete", }, "OrchestratorRole9CF251DB": { "DeletionPolicy": "Retain", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "CloudWatch Logs permissions require resource * except for DescribeLogGroups, except for GovCloud, which only works with resource *", }, ], }, "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "CloudWatch Logs permissions require resource * except for DescribeLogGroups, except for GovCloud, which only works with resource *", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": { "Fn::FindInMap": [ "ServiceprincipalMap", { "Ref": "AWS::Region", }, "states", ], }, }, }, ], "Version": "2012-10-17", }, "Policies": [ { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogDelivery", "logs:GetLogDelivery", "logs:UpdateLogDelivery", "logs:DeleteLogDelivery", "logs:ListLogDeliveries", "logs:PutResourcePolicy", "logs:DescribeResourcePolicies", "logs:DescribeLogGroups", ], "Effect": "Allow", "Resource": "*", }, { "Action": "lambda:InvokeFunction", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":lambda:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":function:undefined", ], ], }, }, { "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":kms:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":alias/bbb-SHARR-Key", ], ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "BasePolicy", }, ], }, "Type": "AWS::IAM::Role", "UpdateReplacePolicy": "Retain", }, "OrchestratorSHARROrchestratorArnC8FB076A": { "Properties": { "Description": "Arn of the SHARR Orchestrator Step Function. This step function routes findings to remediation runbooks.", "Name": "/Solutions/bbb/OrchestratorArn", "Type": "String", "Value": { "Ref": "OrchestratorStateMachine1E795392", }, }, "Type": "AWS::SSM::Parameter", }, "OrchestratorStateMachine1E795392": { "DeletionPolicy": "Delete", "DependsOn": [ "OrchestratorNestedLogStackNestedStackNestedLogStackNestedStackResource91223B3E", "OrchestratorRole9CF251DB", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-SF1", "reason": "False alarm. Logging configuration is overridden to log ALL.", }, { "id": "AwsSolutions-SF2", "reason": "X-Ray is not needed for this use case.", }, ], }, }, "Properties": { "DefinitionString": { "Fn::Join": [ "", [ "{"StartAt":"Get Finding Data from Input","States":{"Get Finding Data from Input":{"Type":"Pass","Comment":"Extract top-level data needed for remediation","Parameters":{"EventType.$":"$.detail-type","Findings.$":"$.detail.findings"},"Next":"Process Findings"},"Process Findings":{"Type":"Map","Comment":"Process all findings in CloudWatch Event","Next":"EOJ","Parameters":{"Finding.$":"$$.Map.Item.Value","EventType.$":"$.EventType"},"Iterator":{"StartAt":"Finding Workflow State NEW?","States":{"Finding Workflow State NEW?":{"Type":"Choice","Choices":[{"Or":[{"Variable":"$.EventType","StringEquals":"Security Hub Findings - Custom Action"},{"And":[{"Variable":"$.Finding.Workflow.Status","StringEquals":"NEW"},{"Variable":"$.EventType","StringEquals":"Security Hub Findings - Imported"}]}],"Next":"Get Remediation Approval Requirement"}],"Default":"Finding Workflow State is not NEW"},"Finding Workflow State is not NEW":{"Type":"Pass","Parameters":{"Notification":{"Message.$":"States.Format('Finding Workflow State is not NEW ({}).', $.Finding.Workflow.Status)","State.$":"States.Format('NOTNEW')"},"EventType.$":"$.EventType","Finding.$":"$.Finding"},"Next":"notify"},"notify":{"End":true,"Retry":[{"ErrorEquals":["Lambda.ServiceException","Lambda.AWSLambdaException","Lambda.SdkClientException"],"IntervalSeconds":2,"MaxAttempts":6,"BackoffRate":2}],"Type":"Task","Comment":"Send notifications","TimeoutSeconds":300,"HeartbeatSeconds":60,"Resource":"arn:", { "Ref": "AWS::Partition", }, ":states:::lambda:invoke","Parameters":{"FunctionName":"arn:aws:lambda:us-east-1:111122223333:function/foobar","Payload.$":"$"}},"Automation Document is not Active":{"Type":"Pass","Parameters":{"Notification":{"Message.$":"States.Format('Automation Document ({}) is not active ({}) in the member account({}).', $.AutomationDocId, $.AutomationDocument.DocState, $.Finding.AwsAccountId)","State.$":"States.Format('REMEDIATIONNOTACTIVE')","updateSecHub":"yes"},"EventType.$":"$.EventType","Finding.$":"$.Finding","AccountId.$":"$.AutomationDocument.AccountId","AutomationDocId.$":"$.AutomationDocument.AutomationDocId","RemediationRole.$":"$.AutomationDocument.RemediationRole","ControlId.$":"$.AutomationDocument.ControlId","SecurityStandard.$":"$.AutomationDocument.SecurityStandard","SecurityStandardVersion.$":"$.AutomationDocument.SecurityStandardVersion"},"Next":"notify"},"Automation Doc Active?":{"Type":"Choice","Choices":[{"Variable":"$.AutomationDocument.DocState","StringEquals":"ACTIVE","Next":"Execute Remediation"},{"Variable":"$.AutomationDocument.DocState","StringEquals":"NOTACTIVE","Next":"Automation Document is not Active"},{"Variable":"$.AutomationDocument.DocState","StringEquals":"NOTENABLED","Next":"Security Standard is not enabled"},{"Variable":"$.AutomationDocument.DocState","StringEquals":"NOTFOUND","Next":"No Remediation for Control"}],"Default":"check_ssm_doc_state Error"},"Get Automation Document State":{"Next":"Automation Doc Active?","Retry":[{"ErrorEquals":["Lambda.ServiceException","Lambda.AWSLambdaException","Lambda.SdkClientException"],"IntervalSeconds":2,"MaxAttempts":6,"BackoffRate":2}],"Catch":[{"ErrorEquals":["States.ALL"],"Next":"Orchestrator Failed"}],"Type":"Task","Comment":"Get the status of the remediation automation document in the target account","TimeoutSeconds":60,"ResultPath":"$.AutomationDocument","ResultSelector":{"DocState.$":"$.Payload.status","Message.$":"$.Payload.message","SecurityStandard.$":"$.Payload.securitystandard","SecurityStandardVersion.$":"$.Payload.securitystandardversion","SecurityStandardSupported.$":"$.Payload.standardsupported","ControlId.$":"$.Payload.controlid","AccountId.$":"$.Payload.accountid","RemediationRole.$":"$.Payload.remediationrole","AutomationDocId.$":"$.Payload.automationdocid","ResourceRegion.$":"$.Payload.resourceregion"},"Resource":"arn:", { "Ref": "AWS::Partition", }, ":states:::lambda:invoke","Parameters":{"FunctionName":"arn:aws:lambda:us-east-1:111122223333:function/foobar","Payload.$":"$"}},"Get Remediation Approval Requirement":{"Next":"Get Automation Document State","Retry":[{"ErrorEquals":["Lambda.ServiceException","Lambda.AWSLambdaException","Lambda.SdkClientException"],"IntervalSeconds":2,"MaxAttempts":6,"BackoffRate":2}],"Catch":[{"ErrorEquals":["States.ALL"],"Next":"Orchestrator Failed"}],"Type":"Task","Comment":"Determine whether the selected remediation requires manual approval","TimeoutSeconds":300,"ResultPath":"$.Workflow","ResultSelector":{"WorkflowDocument.$":"$.Payload.workflowdoc","WorkflowAccount.$":"$.Payload.workflowaccount","WorkflowRole.$":"$.Payload.workflowrole","WorkflowConfig.$":"$.Payload.workflow_data"},"Resource":"arn:", { "Ref": "AWS::Partition", }, ":states:::lambda:invoke","Parameters":{"FunctionName":"arn:aws:lambda:us-east-1:111122223333:function/foobar","Payload.$":"$"}},"Orchestrator Failed":{"Type":"Pass","Parameters":{"Notification":{"Message.$":"States.Format('Orchestrator failed: {}', $.Error)","State.$":"States.Format('LAMBDAERROR')","Details.$":"States.Format('Cause: {}', $.Cause)"},"Payload.$":"$"},"Next":"notify"},"Execute Remediation":{"Next":"Remediation Queued","Retry":[{"ErrorEquals":["Lambda.ServiceException","Lambda.AWSLambdaException","Lambda.SdkClientException"],"IntervalSeconds":2,"MaxAttempts":6,"BackoffRate":2}],"Catch":[{"ErrorEquals":["States.ALL"],"Next":"Orchestrator Failed"}],"Type":"Task","Comment":"Execute the SSM Automation Document in the target account","TimeoutSeconds":300,"HeartbeatSeconds":60,"ResultPath":"$.SSMExecution","ResultSelector":{"ExecState.$":"$.Payload.status","Message.$":"$.Payload.message","ExecId.$":"$.Payload.executionid","Account.$":"$.Payload.executionaccount","Region.$":"$.Payload.executionregion"},"Resource":"arn:", { "Ref": "AWS::Partition", }, ":states:::lambda:invoke","Parameters":{"FunctionName":"arn:aws:lambda:us-east-1:111122223333:function/foobar","Payload.$":"$"}},"Remediation Queued":{"Type":"Pass","Comment":"Set parameters for notification","Parameters":{"EventType.$":"$.EventType","Finding.$":"$.Finding","AutomationDocument.$":"$.AutomationDocument","SSMExecution.$":"$.SSMExecution","Notification":{"Message.$":"States.Format('Remediation queued for {} control {} in account {}', $.AutomationDocument.SecurityStandard, $.AutomationDocument.ControlId, $.AutomationDocument.AccountId)","State.$":"States.Format('QUEUED')","ExecId.$":"$.SSMExecution.ExecId"}},"Next":"Queued Notification"},"Queued Notification":{"Next":"execMonitor","Retry":[{"ErrorEquals":["Lambda.ServiceException","Lambda.AWSLambdaException","Lambda.SdkClientException"],"IntervalSeconds":2,"MaxAttempts":6,"BackoffRate":2}],"Type":"Task","Comment":"Send notification that a remediation has queued","TimeoutSeconds":300,"HeartbeatSeconds":60,"ResultPath":"$.notificationResult","Resource":"arn:", { "Ref": "AWS::Partition", }, ":states:::lambda:invoke","Parameters":{"FunctionName":"arn:aws:lambda:us-east-1:111122223333:function/foobar","Payload.$":"$"}},"execMonitor":{"Next":"Remediation completed?","Retry":[{"ErrorEquals":["Lambda.ServiceException","Lambda.AWSLambdaException","Lambda.SdkClientException"],"IntervalSeconds":2,"MaxAttempts":6,"BackoffRate":2}],"Catch":[{"ErrorEquals":["States.ALL"],"Next":"Orchestrator Failed"}],"Type":"Task","Comment":"Monitor the remediation execution until done","TimeoutSeconds":300,"HeartbeatSeconds":60,"ResultPath":"$.Remediation","ResultSelector":{"ExecState.$":"$.Payload.status","ExecId.$":"$.Payload.executionid","RemediationState.$":"$.Payload.remediation_status","Message.$":"$.Payload.message","LogData.$":"$.Payload.logdata","AffectedObject.$":"$.Payload.affected_object"},"Resource":"arn:", { "Ref": "AWS::Partition", }, ":states:::lambda:invoke","Parameters":{"FunctionName":"arn:aws:lambda:us-east-1:111122223333:function/foobar","Payload.$":"$"}},"Wait for Remediation":{"Type":"Wait","Seconds":15,"Next":"execMonitor"},"Remediation completed?":{"Type":"Choice","Choices":[{"Variable":"$.Remediation.RemediationState","StringEquals":"Failed","Next":"Remediation Failed"},{"Variable":"$.Remediation.ExecState","StringEquals":"Success","Next":"Remediation Succeeded"},{"Variable":"$.Remediation.ExecState","StringEquals":"TimedOut","Next":"Remediation Failed"},{"Variable":"$.Remediation.ExecState","StringEquals":"Cancelling","Next":"Remediation Failed"},{"Variable":"$.Remediation.ExecState","StringEquals":"Cancelled","Next":"Remediation Failed"},{"Variable":"$.Remediation.ExecState","StringEquals":"Failed","Next":"Remediation Failed"}],"Default":"Wait for Remediation"},"Remediation Failed":{"Type":"Pass","Comment":"Set parameters for notification","Parameters":{"EventType.$":"$.EventType","Finding.$":"$.Finding","SSMExecution.$":"$.SSMExecution","AutomationDocument.$":"$.AutomationDocument","Notification":{"Message.$":"States.Format('Remediation failed for {} control {} in account {}: {}', $.AutomationDocument.SecurityStandard, $.AutomationDocument.ControlId, $.AutomationDocument.AccountId, $.Remediation.Message)","State.$":"$.Remediation.ExecState","Details.$":"$.Remediation.LogData","ExecId.$":"$.Remediation.ExecId","AffectedObject.$":"$.Remediation.AffectedObject"}},"Next":"notify"},"Remediation Succeeded":{"Type":"Pass","Comment":"Set parameters for notification","Parameters":{"EventType.$":"$.EventType","Finding.$":"$.Finding","AccountId.$":"$.AutomationDocument.AccountId","AutomationDocId.$":"$.AutomationDocument.AutomationDocId","RemediationRole.$":"$.AutomationDocument.RemediationRole","ControlId.$":"$.AutomationDocument.ControlId","SecurityStandard.$":"$.AutomationDocument.SecurityStandard","SecurityStandardVersion.$":"$.AutomationDocument.SecurityStandardVersion","Notification":{"Message.$":"States.Format('Remediation succeeded for {} control {} in account {}: {}', $.AutomationDocument.SecurityStandard, $.AutomationDocument.ControlId, $.AutomationDocument.AccountId, $.Remediation.Message)","State.$":"States.Format('SUCCESS')","Details.$":"$.Remediation.LogData","ExecId.$":"$.Remediation.ExecId","AffectedObject.$":"$.Remediation.AffectedObject"}},"Next":"notify"},"check_ssm_doc_state Error":{"Type":"Pass","Parameters":{"Notification":{"Message.$":"States.Format('check_ssm_doc_state returned an error: {}', $.AutomationDocument.Message)","State.$":"States.Format('LAMBDAERROR')"},"EventType.$":"$.EventType","Finding.$":"$.Finding"},"Next":"notify"},"Security Standard is not enabled":{"Type":"Pass","Parameters":{"Notification":{"Message.$":"States.Format('Security Standard ({}) v{} is not enabled.', $.AutomationDocument.SecurityStandard, $.AutomationDocument.SecurityStandardVersion)","State.$":"States.Format('STANDARDNOTENABLED')","updateSecHub":"yes"},"EventType.$":"$.EventType","Finding.$":"$.Finding","AccountId.$":"$.AutomationDocument.AccountId","AutomationDocId.$":"$.AutomationDocument.AutomationDocId","RemediationRole.$":"$.AutomationDocument.RemediationRole","ControlId.$":"$.AutomationDocument.ControlId","SecurityStandard.$":"$.AutomationDocument.SecurityStandard","SecurityStandardVersion.$":"$.AutomationDocument.SecurityStandardVersion"},"Next":"notify"},"No Remediation for Control":{"Type":"Pass","Parameters":{"Notification":{"Message.$":"States.Format('Security Standard {} v{} control {} has no automated remediation.', $.AutomationDocument.SecurityStandard, $.AutomationDocument.SecurityStandardVersion, $.AutomationDocument.ControlId)","State.$":"States.Format('NOREMEDIATION')","updateSecHub":"yes"},"EventType.$":"$.EventType","Finding.$":"$.Finding","AccountId.$":"$.AutomationDocument.AccountId","AutomationDocId.$":"$.AutomationDocument.AutomationDocId","RemediationRole.$":"$.AutomationDocument.RemediationRole","ControlId.$":"$.AutomationDocument.ControlId","SecurityStandard.$":"$.AutomationDocument.SecurityStandard","SecurityStandardVersion.$":"$.AutomationDocument.SecurityStandardVersion"},"Next":"notify"}}},"ItemsPath":"$.Findings"},"EOJ":{"Type":"Pass","Comment":"END-OF-JOB","End":true}},"TimeoutSeconds":900}", ], ], }, "LoggingConfiguration": { "Destinations": [ { "CloudWatchLogsLogGroup": { "LogGroupArn": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:ORCH_LOG_GROUP:*", ], ], }, }, }, ], "IncludeExecutionData": true, "Level": "ALL", }, "RoleArn": { "Fn::GetAtt": [ "OrchestratorRole9CF251DB", "Arn", ], }, "StateMachineName": "bbb-SHARR-Orchestrator", }, "Type": "AWS::StepFunctions::StateMachine", "UpdateReplacePolicy": "Delete", }, "SHARRKeyC551FE02": { "Properties": { "Description": "KMS Customer Managed Key that SHARR will use to encrypt data", "Name": "/Solutions/SO0111/CMK_ARN", "Type": "String", "Value": { "Fn::GetAtt": [ "SHARRkeyE6BD0F56", "Arn", ], }, }, "Type": "AWS::SSM::Parameter", }, "SHARRkeyAlias37E34763": { "Properties": { "AliasName": "alias/TO0111-SHARR-Key", "TargetKeyId": { "Fn::GetAtt": [ "SHARRkeyE6BD0F56", "Arn", ], }, }, "Type": "AWS::KMS::Alias", }, "SHARRkeyE6BD0F56": { "DeletionPolicy": "Retain", "Properties": { "EnableKeyRotation": true, "KeyPolicy": { "Statement": [ { "Action": [ "kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Describe*", ], "Effect": "Allow", "Principal": { "Service": [ "sns.amazonaws.com", { "Fn::Join": [ "", [ "logs.", { "Ref": "AWS::URLSuffix", }, ], ], }, ], }, "Resource": "*", }, { "Action": "kms:*", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":root", ], ], }, }, "Resource": "*", }, ], "Version": "2012-10-17", }, }, "Type": "AWS::KMS::Key", "UpdateReplacePolicy": "Retain", }, }, } `;