// Jest Snapshot v1, https://goo.gl/fbAQLP exports[`Test if the Stack has all the resources. 1`] = ` { "Conditions": { "loadAFSBPCond": { "Fn::Equals": [ { "Ref": "LoadAFSBPAdminStack", }, "yes", ], }, "loadCIS120Cond": { "Fn::Equals": [ { "Ref": "LoadCIS120AdminStack", }, "yes", ], }, "loadCIS140Cond": { "Fn::Equals": [ { "Ref": "LoadCIS140AdminStack", }, "yes", ], }, "loadPCI321Cond": { "Fn::Equals": [ { "Ref": "LoadPCI321AdminStack", }, "yes", ], }, "loadSCCond": { "Fn::Equals": [ { "Ref": "LoadSCAdminStack", }, "yes", ], }, }, "Mappings": { "Solution": { "Data": { "AppRegistryApplicationName": "automated-security-response-on-aws", "ApplicationType": "AWS-Solutions", "ID": "SO0111", "SolutionName": "automated-security-response-on-aws", "Version": "v1.0.0", }, }, "SourceCode": { "General": { "KeyPrefix": "aws-security-hub-automated-response-and-remediation/v1.0.0", "S3Bucket": "solutions", }, }, "mappings": { "sendAnonymousMetrics": { "data": "Yes", }, }, }, "Metadata": { "AWS::CloudFormation::Interface": { "ParameterGroups": [ { "Label": { "default": "Security Standard Playbooks", }, "Parameters": [ "LoadAFSBPAdminStack", "LoadCIS120AdminStack", "LoadCIS140AdminStack", "LoadPCI321AdminStack", "LoadSCAdminStack", ], }, ], }, }, "Parameters": { "LoadAFSBPAdminStack": { "AllowedValues": [ "yes", "no", ], "Default": "yes", "Description": "Load CloudWatch Event Rules for AFSBP?", "Type": "String", }, "LoadCIS120AdminStack": { "AllowedValues": [ "yes", "no", ], "Default": "yes", "Description": "Load CloudWatch Event Rules for CIS120?", "Type": "String", }, "LoadCIS140AdminStack": { "AllowedValues": [ "yes", "no", ], "Default": "yes", "Description": "Load CloudWatch Event Rules for CIS140?", "Type": "String", }, "LoadPCI321AdminStack": { "AllowedValues": [ "yes", "no", ], "Default": "yes", "Description": "Load CloudWatch Event Rules for PCI321?", "Type": "String", }, "LoadSCAdminStack": { "AllowedValues": [ "yes", "no", ], "Default": "yes", "Description": "Load CloudWatch Event Rules for SC?", "Type": "String", }, "ReuseOrchestratorLogGroup": { "AllowedValues": [ "yes", "no", ], "Default": "no", "Description": "Reuse existing Orchestrator Log Group? Choose "yes" if the log group already exists, else "no"", "Type": "String", }, }, "Resources": { "AppRegistry968496A3": { "Properties": { "Description": "Service Catalog application to track and manage all your resources for the solution automated-security-response-on-aws", "Name": { "Fn::Join": [ "-", [ { "Fn::FindInMap": [ "Solution", "Data", "AppRegistryApplicationName", ], }, { "Ref": "AWS::StackName", }, { "Ref": "AWS::Region", }, { "Ref": "AWS::AccountId", }, ], ], }, "Tags": { "Solutions:ApplicationType": { "Fn::FindInMap": [ "Solution", "Data", "ApplicationType", ], }, "Solutions:SolutionID": { "Fn::FindInMap": [ "Solution", "Data", "ID", ], }, "Solutions:SolutionName": { "Fn::FindInMap": [ "Solution", "Data", "SolutionName", ], }, "Solutions:SolutionVersion": { "Fn::FindInMap": [ "Solution", "Data", "Version", ], }, }, }, "Type": "AWS::ServiceCatalogAppRegistry::Application", }, "AppRegistryAssociation": { "Properties": { "Application": { "Fn::GetAtt": [ "AppRegistry968496A3", "Id", ], }, "Resource": { "Ref": "AWS::StackId", }, "ResourceType": "CFN_STACK", }, "Type": "AWS::ServiceCatalogAppRegistry::ResourceAssociation", }, "AppRegistryAttributeGroupAssociation58e755b9eb72544DB135": { "Properties": { "Application": { "Fn::GetAtt": [ "AppRegistry968496A3", "Id", ], }, "AttributeGroup": { "Fn::GetAtt": [ "DefaultApplicationAttributesFC1CC26B", "Id", ], }, }, "Type": "AWS::ServiceCatalogAppRegistry::AttributeGroupAssociation", }, "AppRegistryResourceAssociation142839FB0": { "DependsOn": [ "orchestratorNestedLogStackNestedStackNestedLogStackNestedStackResourceE4E042A6", ], "Properties": { "Application": { "Fn::GetAtt": [ "AppRegistry968496A3", "Id", ], }, "Resource": { "Ref": "orchestratorNestedLogStackNestedStackNestedLogStackNestedStackResourceE4E042A6", }, "ResourceType": "CFN_STACK", }, "Type": "AWS::ServiceCatalogAppRegistry::ResourceAssociation", }, "AppRegistryResourceAssociation2BB1A3300": { "Condition": "loadAFSBPCond", "DependsOn": [ "PlaybookAdminStackAFSBP", ], "Properties": { "Application": { "Fn::GetAtt": [ "AppRegistry968496A3", "Id", ], }, "Resource": { "Ref": "PlaybookAdminStackAFSBP", }, "ResourceType": "CFN_STACK", }, "Type": "AWS::ServiceCatalogAppRegistry::ResourceAssociation", }, "AppRegistryResourceAssociation3BEAC7BB7": { "Condition": "loadCIS120Cond", "DependsOn": [ "PlaybookAdminStackCIS120", ], "Properties": { "Application": { "Fn::GetAtt": [ "AppRegistry968496A3", "Id", ], }, "Resource": { "Ref": "PlaybookAdminStackCIS120", }, "ResourceType": "CFN_STACK", }, "Type": "AWS::ServiceCatalogAppRegistry::ResourceAssociation", }, "AppRegistryResourceAssociation46F7B9873": { "Condition": "loadCIS140Cond", "DependsOn": [ "PlaybookAdminStackCIS140", ], "Properties": { "Application": { "Fn::GetAtt": [ "AppRegistry968496A3", "Id", ], }, "Resource": { "Ref": "PlaybookAdminStackCIS140", }, "ResourceType": "CFN_STACK", }, "Type": "AWS::ServiceCatalogAppRegistry::ResourceAssociation", }, "AppRegistryResourceAssociation5FAA30631": { "Condition": "loadPCI321Cond", "DependsOn": [ "PlaybookAdminStackPCI321", ], "Properties": { "Application": { "Fn::GetAtt": [ "AppRegistry968496A3", "Id", ], }, "Resource": { "Ref": "PlaybookAdminStackPCI321", }, "ResourceType": "CFN_STACK", }, "Type": "AWS::ServiceCatalogAppRegistry::ResourceAssociation", }, "AppRegistryResourceAssociation62B582FF5": { "Condition": "loadSCCond", "DependsOn": [ "PlaybookAdminStackSC", ], "Properties": { "Application": { "Fn::GetAtt": [ "AppRegistry968496A3", "Id", ], }, "Resource": { "Ref": "PlaybookAdminStackSC", }, "ResourceType": "CFN_STACK", }, "Type": "AWS::ServiceCatalogAppRegistry::ResourceAssociation", }, "CreateCustomActionE7A973F5": { "DependsOn": [ "createCustomActionRoleF0047414", ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W58", "reason": "False positive. the lambda role allows write to CW Logs", }, { "id": "W89", "reason": "There is no need to run this lambda in a VPC", }, { "id": "W92", "reason": "There is no need for Reserved Concurrency due to low request rate", }, ], }, }, "Properties": { "Code": { "S3Bucket": "solutions-eu-west-1", "S3Key": "aws-security-hub-automated-response-and-remediation/v1.0.0/lambda/action_target_provider.zip", }, "Description": "Custom resource to create an action target in Security Hub", "Environment": { "Variables": { "AWS_PARTITION": { "Ref": "AWS::Partition", }, "SOLUTION_ID": "SO0111", "SOLUTION_VERSION": "v1.0.0", "log_level": "info", "sendAnonymousMetrics": { "Fn::FindInMap": [ "mappings", "sendAnonymousMetrics", "data", ], }, }, }, "FunctionName": "SO0111-SHARR-CustomAction", "Handler": "action_target_provider.lambda_handler", "Layers": [ { "Ref": "SharrLambdaLayer5BF8F147", }, ], "MemorySize": 256, "Role": { "Fn::GetAtt": [ "createCustomActionRoleF0047414", "Arn", ], }, "Runtime": "python3.9", "Timeout": 600, }, "Type": "AWS::Lambda::Function", }, "DefaultApplicationAttributesFC1CC26B": { "Properties": { "Attributes": { "applicationType": { "Fn::FindInMap": [ "Solution", "Data", "ApplicationType", ], }, "solutionID": { "Fn::FindInMap": [ "Solution", "Data", "ID", ], }, "solutionName": { "Fn::FindInMap": [ "Solution", "Data", "SolutionName", ], }, "version": { "Fn::FindInMap": [ "Solution", "Data", "Version", ], }, }, "Description": "Attribute group for solution information", "Name": { "Fn::Join": [ "", [ "ASR-", { "Ref": "AWS::StackName", }, ], ], }, }, "Type": "AWS::ServiceCatalogAppRegistry::AttributeGroup", }, "PlaybookAdminStackAFSBP": { "Condition": "loadAFSBPCond", "DeletionPolicy": "Delete", "DependsOn": [ "orchestratorSHARROrchestratorArn0ACC7B05", "orchestratorStateMachine77C3F8FB", ], "Properties": { "TemplateURL": { "Fn::Join": [ "", [ "https://", { "Fn::FindInMap": [ "SourceCode", "General", "S3Bucket", ], }, "-reference.s3.amazonaws.com/", { "Fn::FindInMap": [ "SourceCode", "General", "KeyPrefix", ], }, "/playbooks/AFSBPStack.template", ], ], }, }, "Type": "AWS::CloudFormation::Stack", "UpdateReplacePolicy": "Delete", }, "PlaybookAdminStackCIS120": { "Condition": "loadCIS120Cond", "DeletionPolicy": "Delete", "DependsOn": [ "orchestratorSHARROrchestratorArn0ACC7B05", "orchestratorStateMachine77C3F8FB", ], "Properties": { "TemplateURL": { "Fn::Join": [ "", [ "https://", { "Fn::FindInMap": [ "SourceCode", "General", "S3Bucket", ], }, "-reference.s3.amazonaws.com/", { "Fn::FindInMap": [ "SourceCode", "General", "KeyPrefix", ], }, "/playbooks/CIS120Stack.template", ], ], }, }, "Type": "AWS::CloudFormation::Stack", "UpdateReplacePolicy": "Delete", }, "PlaybookAdminStackCIS140": { "Condition": "loadCIS140Cond", "DeletionPolicy": "Delete", "DependsOn": [ "orchestratorSHARROrchestratorArn0ACC7B05", "orchestratorStateMachine77C3F8FB", ], "Properties": { "TemplateURL": { "Fn::Join": [ "", [ "https://", { "Fn::FindInMap": [ "SourceCode", "General", "S3Bucket", ], }, "-reference.s3.amazonaws.com/", { "Fn::FindInMap": [ "SourceCode", "General", "KeyPrefix", ], }, "/playbooks/CIS140Stack.template", ], ], }, }, "Type": "AWS::CloudFormation::Stack", "UpdateReplacePolicy": "Delete", }, "PlaybookAdminStackPCI321": { "Condition": "loadPCI321Cond", "DeletionPolicy": "Delete", "DependsOn": [ "orchestratorSHARROrchestratorArn0ACC7B05", "orchestratorStateMachine77C3F8FB", ], "Properties": { "TemplateURL": { "Fn::Join": [ "", [ "https://", { "Fn::FindInMap": [ "SourceCode", "General", "S3Bucket", ], }, "-reference.s3.amazonaws.com/", { "Fn::FindInMap": [ "SourceCode", "General", "KeyPrefix", ], }, "/playbooks/PCI321Stack.template", ], ], }, }, "Type": "AWS::CloudFormation::Stack", "UpdateReplacePolicy": "Delete", }, "PlaybookAdminStackSC": { "Condition": "loadSCCond", "DeletionPolicy": "Delete", "DependsOn": [ "orchestratorSHARROrchestratorArn0ACC7B05", "orchestratorStateMachine77C3F8FB", ], "Properties": { "TemplateURL": { "Fn::Join": [ "", [ "https://", { "Fn::FindInMap": [ "SourceCode", "General", "S3Bucket", ], }, "-reference.s3.amazonaws.com/", { "Fn::FindInMap": [ "SourceCode", "General", "KeyPrefix", ], }, "/playbooks/SCStack.template", ], ], }, }, "Type": "AWS::CloudFormation::Stack", "UpdateReplacePolicy": "Delete", }, "RemediateWithSharrCustomActionABE4122A": { "DeletionPolicy": "Delete", "DependsOn": [ "CreateCustomActionE7A973F5", "createCustomActionPolicyE424E925", ], "Properties": { "Description": "Submit the finding to AWS Security Hub Automated Response and Remediation", "Id": "ASRRemediation", "Name": "Remediate with ASR", "ServiceToken": { "Fn::GetAtt": [ "CreateCustomActionE7A973F5", "Arn", ], }, }, "Type": "Custom::ActionTarget", "UpdateReplacePolicy": "Delete", }, "RemediateWithSharrEventsRuleRole4BE0B6FF": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "events.amazonaws.com", }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "RemediateWithSharrEventsRuleRoleDefaultPolicy44783695": { "Properties": { "PolicyDocument": { "Statement": [ { "Action": "states:StartExecution", "Effect": "Allow", "Resource": { "Ref": "orchestratorStateMachine77C3F8FB", }, }, ], "Version": "2012-10-17", }, "PolicyName": "RemediateWithSharrEventsRuleRoleDefaultPolicy44783695", "Roles": [ { "Ref": "RemediateWithSharrEventsRuleRole4BE0B6FF", }, ], }, "Type": "AWS::IAM::Policy", }, "RemediateWithSharrRemediateCustomAction40B496D2": { "Properties": { "Description": "Remediate with ASR", "EventPattern": { "detail": { "findings": { "Compliance": { "Status": [ "FAILED", "WARNING", ], }, }, }, "detail-type": [ "Security Hub Findings - Custom Action", ], "resources": [ { "Fn::GetAtt": [ "RemediateWithSharrCustomActionABE4122A", "Arn", ], }, ], "source": [ "aws.securityhub", ], }, "Name": "Remediate_with_SHARR_CustomAction", "State": "ENABLED", "Targets": [ { "Arn": { "Ref": "orchestratorStateMachine77C3F8FB", }, "Id": "Target0", "RoleArn": { "Fn::GetAtt": [ "RemediateWithSharrEventsRuleRole4BE0B6FF", "Arn", ], }, }, ], }, "Type": "AWS::Events::Rule", }, "SHARRKeyC551FE02": { "Properties": { "Description": "KMS Customer Managed Key that SHARR will use to encrypt data", "Name": "/Solutions/SO0111/CMK_ARN", "Type": "String", "Value": { "Fn::GetAtt": [ "SHARRkeyE6BD0F56", "Arn", ], }, }, "Type": "AWS::SSM::Parameter", }, "SHARRSNSTopicB940F479": { "Properties": { "Description": "SNS Topic ARN where SHARR will send status messages. This topic can be useful for driving additional actions, such as email notifications, trouble ticket updates.", "Name": "/Solutions/SO0111/SNS_Topic_ARN", "Type": "String", "Value": { "Ref": "SHARRTopic229CFB9E", }, }, "Type": "AWS::SSM::Parameter", }, "SHARRSendAnonymousMetricsCDAE439D": { "Properties": { "Description": "Flag to enable or disable sending anonymous metrics.", "Name": "/Solutions/SO0111/sendAnonymousMetrics", "Type": "String", "Value": { "Fn::FindInMap": [ "mappings", "sendAnonymousMetrics", "data", ], }, }, "Type": "AWS::SSM::Parameter", }, "SHARRTopic229CFB9E": { "Properties": { "DisplayName": "SHARR Playbook Topic (SO0111)", "KmsMasterKeyId": { "Fn::GetAtt": [ "SHARRkeyE6BD0F56", "Arn", ], }, "TopicName": "SO0111-SHARR_Topic", }, "Type": "AWS::SNS::Topic", }, "SHARRkeyAlias37E34763": { "Properties": { "AliasName": "alias/SO0111-SHARR-Key", "TargetKeyId": { "Fn::GetAtt": [ "SHARRkeyE6BD0F56", "Arn", ], }, }, "Type": "AWS::KMS::Alias", }, "SHARRkeyE6BD0F56": { "DeletionPolicy": "Retain", "Properties": { "EnableKeyRotation": true, "KeyPolicy": { "Statement": [ { "Action": [ "kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Describe*", ], "Condition": { "ArnEquals": { "kms:EncryptionContext:aws:logs:arn": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:eu-west-1:111111111111:log-group:SO0111-SHARR-*", ], ], }, }, }, "Effect": "Allow", "Principal": { "Service": [ "sns.amazonaws.com", { "Fn::Join": [ "", [ "logs.", { "Ref": "AWS::URLSuffix", }, ], ], }, ], }, "Resource": "*", }, { "Action": "kms:*", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::111111111111:root", ], ], }, }, "Resource": "*", }, ], "Version": "2012-10-17", }, }, "Type": "AWS::KMS::Key", "UpdateReplacePolicy": "Retain", }, "SHARRversionAC0E4F96": { "Properties": { "Description": "Solution version for metrics.", "Name": "/Solutions/SO0111/version", "Type": "String", "Value": "v1.0.0", }, "Type": "AWS::SSM::Parameter", }, "SharrLambdaLayer5BF8F147": { "Properties": { "CompatibleRuntimes": [ "python3.9", ], "Content": { "S3Bucket": "solutions-eu-west-1", "S3Key": "aws-security-hub-automated-response-and-remediation/v1.0.0/lambda/layer.zip", }, "Description": "SO0111 SHARR Common functions used by the solution", "LicenseInfo": "https://www.apache.org/licenses/LICENSE-2.0", }, "Type": "AWS::Lambda::LayerVersion", }, "checkSSMDocState06AC440F": { "DependsOn": [ "orchestratorRole46A9F242", ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W58", "reason": "False positive. Access is provided via a policy", }, { "id": "W89", "reason": "There is no need to run this lambda in a VPC", }, { "id": "W92", "reason": "There is no need for Reserved Concurrency", }, ], }, }, "Properties": { "Code": { "S3Bucket": "solutions-eu-west-1", "S3Key": "aws-security-hub-automated-response-and-remediation/v1.0.0/lambda/check_ssm_doc_state.py.zip", }, "Description": "Checks the status of an SSM Automation Document in the target account", "Environment": { "Variables": { "AWS_PARTITION": { "Ref": "AWS::Partition", }, "SOLUTION_ID": "SO0111", "SOLUTION_VERSION": "v1.0.0", "log_level": "info", }, }, "FunctionName": "SO0111-SHARR-checkSSMDocState", "Handler": "check_ssm_doc_state.lambda_handler", "Layers": [ { "Ref": "SharrLambdaLayer5BF8F147", }, ], "MemorySize": 256, "Role": { "Fn::GetAtt": [ "orchestratorRole46A9F242", "Arn", ], }, "Runtime": "python3.9", "Timeout": 600, }, "Type": "AWS::Lambda::Function", }, "createCustomActionPolicyE424E925": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Resource * is required for CloudWatch Logs policies used on Lambda functions.", }, ], }, "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for CloudWatch Logs policies used on Lambda functions.", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": "cloudwatch:PutMetricData", "Effect": "Allow", "Resource": "*", }, { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": "*", }, { "Action": [ "securityhub:CreateActionTarget", "securityhub:DeleteActionTarget", ], "Effect": "Allow", "Resource": "*", }, { "Action": [ "ssm:GetParameter", "ssm:GetParameters", "ssm:PutParameter", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":ssm:*:111111111111:parameter/Solutions/SO0111/*", ], ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "SO0111-SHARR_Custom_Action", "Roles": [ { "Ref": "createCustomActionRoleF0047414", }, ], }, "Type": "AWS::IAM::Policy", }, "createCustomActionRoleF0047414": { "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W28", "reason": "Static names chosen intentionally to provide easy integration with playbook templates", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "Description": "Lambda role to allow creation of Security Hub Custom Actions", }, "Type": "AWS::IAM::Role", }, "execAutomation5D89E251": { "DependsOn": [ "orchestratorRole46A9F242", ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W58", "reason": "False positive. Access is provided via a policy", }, { "id": "W89", "reason": "There is no need to run this lambda in a VPC", }, { "id": "W92", "reason": "There is no need for Reserved Concurrency", }, ], }, }, "Properties": { "Code": { "S3Bucket": "solutions-eu-west-1", "S3Key": "aws-security-hub-automated-response-and-remediation/v1.0.0/lambda/exec_ssm_doc.py.zip", }, "Description": "Executes an SSM Automation Document in a target account", "Environment": { "Variables": { "AWS_PARTITION": { "Ref": "AWS::Partition", }, "SOLUTION_ID": "SO0111", "SOLUTION_VERSION": "v1.0.0", "log_level": "info", }, }, "FunctionName": "SO0111-SHARR-execAutomation", "Handler": "exec_ssm_doc.lambda_handler", "Layers": [ { "Ref": "SharrLambdaLayer5BF8F147", }, ], "MemorySize": 256, "Role": { "Fn::GetAtt": [ "orchestratorRole46A9F242", "Arn", ], }, "Runtime": "python3.9", "Timeout": 600, }, "Type": "AWS::Lambda::Function", }, "getApprovalRequirementE7F50E54": { "DependsOn": [ "orchestratorRole46A9F242", ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W58", "reason": "False positive. Access is provided via a policy", }, { "id": "W89", "reason": "There is no need to run this lambda in a VPC", }, { "id": "W92", "reason": "There is no need for Reserved Concurrency", }, ], }, }, "Properties": { "Code": { "S3Bucket": "solutions-eu-west-1", "S3Key": "aws-security-hub-automated-response-and-remediation/v1.0.0/lambda/get_approval_requirement.py.zip", }, "Description": "Determines if a manual approval is required for remediation", "Environment": { "Variables": { "AWS_PARTITION": { "Ref": "AWS::Partition", }, "SOLUTION_ID": "SO0111", "SOLUTION_VERSION": "v1.0.0", "WORKFLOW_RUNBOOK": "", "log_level": "info", }, }, "FunctionName": "SO0111-SHARR-getApprovalRequirement", "Handler": "get_approval_requirement.lambda_handler", "Layers": [ { "Ref": "SharrLambdaLayer5BF8F147", }, ], "MemorySize": 256, "Role": { "Fn::GetAtt": [ "orchestratorRole46A9F242", "Arn", ], }, "Runtime": "python3.9", "Timeout": 600, }, "Type": "AWS::Lambda::Function", }, "monitorSSMExecStateB496B8AF": { "DependsOn": [ "orchestratorRole46A9F242", ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W58", "reason": "False positive. Access is provided via a policy", }, { "id": "W89", "reason": "There is no need to run this lambda in a VPC", }, { "id": "W92", "reason": "There is no need for Reserved Concurrency", }, ], }, }, "Properties": { "Code": { "S3Bucket": "solutions-eu-west-1", "S3Key": "aws-security-hub-automated-response-and-remediation/v1.0.0/lambda/check_ssm_execution.py.zip", }, "Description": "Checks the status of an SSM automation document execution", "Environment": { "Variables": { "AWS_PARTITION": { "Ref": "AWS::Partition", }, "SOLUTION_ID": "SO0111", "SOLUTION_VERSION": "v1.0.0", "log_level": "info", }, }, "FunctionName": "SO0111-SHARR-monitorSSMExecState", "Handler": "check_ssm_execution.lambda_handler", "Layers": [ { "Ref": "SharrLambdaLayer5BF8F147", }, ], "MemorySize": 256, "Role": { "Fn::GetAtt": [ "orchestratorRole46A9F242", "Arn", ], }, "Runtime": "python3.9", "Timeout": 600, }, "Type": "AWS::Lambda::Function", }, "notifyPolicy320847DC": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Resource * is required for CloudWatch Logs and Security Hub policies used by core solution Lambda function for notifications.", }, ], }, "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for CloudWatch Logs and Security Hub policies used by core solution Lambda function for notifications.", }, { "id": "W58", "reason": "False positive. Access is provided via a policy", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": "*", }, { "Action": "securityhub:BatchUpdateFindings", "Effect": "Allow", "Resource": "*", }, { "Action": [ "ssm:GetParameter", "ssm:PutParameter", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":ssm:eu-west-1:111111111111:parameter/Solutions/SO0111/*", ], ], }, }, { "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "SHARRkeyE6BD0F56", "Arn", ], }, }, { "Action": "sns:Publish", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":sns:eu-west-1:111111111111:SO0111-SHARR_Topic", ], ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "SO0111-SHARR_Orchestrator_Notifier", "Roles": [ { "Ref": "orchestratorRole46A9F242", }, { "Ref": "notifyRole40298120", }, ], }, "Type": "AWS::IAM::Policy", }, "notifyRole40298120": { "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W28", "reason": "Static names chosen intentionally to provide easy integration with playbook orchestrator step functions.", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "Description": "Lambda role to perform notification and logging from orchestrator step function", }, "Type": "AWS::IAM::Role", }, "orchestratorNestedLogStackNestedStackNestedLogStackNestedStackResourceE4E042A6": { "DeletionPolicy": "Delete", "Properties": { "Parameters": { "KmsKeyArn": { "Fn::GetAtt": [ "SHARRKeyC551FE02", "Value", ], }, "ReuseOrchestratorLogGroup": { "Ref": "ReuseOrchestratorLogGroup", }, }, "TemplateURL": { "Fn::Join": [ "", [ "https://", { "Fn::FindInMap": [ "SourceCode", "General", "S3Bucket", ], }, "-reference.s3.amazonaws.com/", { "Fn::FindInMap": [ "SourceCode", "General", "KeyPrefix", ], }, "/aws-sharr-orchestrator-log.template", ], ], }, }, "Type": "AWS::CloudFormation::Stack", "UpdateReplacePolicy": "Delete", }, "orchestratorPolicy8045810D": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Resource * is required for read-only policies used by orchestrator Lambda functions.", }, ], }, "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for read-only policies used by orchestrator Lambda functions.", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": "*", }, { "Action": [ "ssm:GetParameter", "ssm:GetParameters", "ssm:PutParameter", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":ssm:*:111111111111:parameter/Solutions/SO0111/*", ], ], }, }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::*:role/SO0111-SHARR-Orchestrator-Member", ], ], }, }, { "Action": "organizations:ListTagsForResource", "Effect": "Allow", "Resource": "*", }, ], "Version": "2012-10-17", }, "PolicyName": "SO0111-SHARR_Orchestrator", "Roles": [ { "Ref": "orchestratorRole46A9F242", }, ], }, "Type": "AWS::IAM::Policy", }, "orchestratorRole12B410FD": { "DeletionPolicy": "Retain", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "CloudWatch Logs permissions require resource * except for DescribeLogGroups, except for GovCloud, which only works with resource *", }, ], }, "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "CloudWatch Logs permissions require resource * except for DescribeLogGroups, except for GovCloud, which only works with resource *", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "states.eu-west-1.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "Policies": [ { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogDelivery", "logs:GetLogDelivery", "logs:UpdateLogDelivery", "logs:DeleteLogDelivery", "logs:ListLogDeliveries", "logs:PutResourcePolicy", "logs:DescribeResourcePolicies", "logs:DescribeLogGroups", ], "Effect": "Allow", "Resource": "*", }, { "Action": "lambda:InvokeFunction", "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":lambda:eu-west-1:111111111111:function:", { "Fn::Select": [ 6, { "Fn::Split": [ ":", { "Fn::GetAtt": [ "checkSSMDocState06AC440F", "Arn", ], }, ], }, ], }, ], ], }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":lambda:eu-west-1:111111111111:function:", { "Fn::Select": [ 6, { "Fn::Split": [ ":", { "Fn::GetAtt": [ "execAutomation5D89E251", "Arn", ], }, ], }, ], }, ], ], }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":lambda:eu-west-1:111111111111:function:", { "Fn::Select": [ 6, { "Fn::Split": [ ":", { "Fn::GetAtt": [ "monitorSSMExecStateB496B8AF", "Arn", ], }, ], }, ], }, ], ], }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":lambda:eu-west-1:111111111111:function:", { "Fn::Select": [ 6, { "Fn::Split": [ ":", { "Fn::GetAtt": [ "sendNotifications1367638A", "Arn", ], }, ], }, ], }, ], ], }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":lambda:eu-west-1:111111111111:function:", { "Fn::Select": [ 6, { "Fn::Split": [ ":", { "Fn::GetAtt": [ "getApprovalRequirementE7F50E54", "Arn", ], }, ], }, ], }, ], ], }, ], }, { "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":kms:eu-west-1:111111111111:alias/SO0111-SHARR-Key", ], ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "BasePolicy", }, ], }, "Type": "AWS::IAM::Role", "UpdateReplacePolicy": "Retain", }, "orchestratorRole46A9F242": { "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W28", "reason": "Static names chosen intentionally to provide easy integration with playbook orchestrator step functions.", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "Description": "Lambda role to allow cross account read-only SHARR orchestrator functions", "RoleName": "SO0111-SHARR-Orchestrator-Admin", }, "Type": "AWS::IAM::Role", }, "orchestratorSHARROrchestratorArn0ACC7B05": { "Properties": { "Description": "Arn of the SHARR Orchestrator Step Function. This step function routes findings to remediation runbooks.", "Name": "/Solutions/SO0111/OrchestratorArn", "Type": "String", "Value": { "Ref": "orchestratorStateMachine77C3F8FB", }, }, "Type": "AWS::SSM::Parameter", }, "orchestratorStateMachine77C3F8FB": { "DeletionPolicy": "Delete", "DependsOn": [ "orchestratorNestedLogStackNestedStackNestedLogStackNestedStackResourceE4E042A6", "orchestratorRole12B410FD", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-SF1", "reason": "False alarm. Logging configuration is overridden to log ALL.", }, { "id": "AwsSolutions-SF2", "reason": "X-Ray is not needed for this use case.", }, ], }, }, "Properties": { "DefinitionString": { "Fn::Join": [ "", [ "{"StartAt":"Get Finding Data from Input","States":{"Get Finding Data from Input":{"Type":"Pass","Comment":"Extract top-level data needed for remediation","Parameters":{"EventType.$":"$.detail-type","Findings.$":"$.detail.findings"},"Next":"Process Findings"},"Process Findings":{"Type":"Map","Comment":"Process all findings in CloudWatch Event","Next":"EOJ","Parameters":{"Finding.$":"$$.Map.Item.Value","EventType.$":"$.EventType"},"Iterator":{"StartAt":"Finding Workflow State NEW?","States":{"Finding Workflow State NEW?":{"Type":"Choice","Choices":[{"Or":[{"Variable":"$.EventType","StringEquals":"Security Hub Findings - Custom Action"},{"And":[{"Variable":"$.Finding.Workflow.Status","StringEquals":"NEW"},{"Variable":"$.EventType","StringEquals":"Security Hub Findings - Imported"}]}],"Next":"Get Remediation Approval Requirement"}],"Default":"Finding Workflow State is not NEW"},"Finding Workflow State is not NEW":{"Type":"Pass","Parameters":{"Notification":{"Message.$":"States.Format('Finding Workflow State is not NEW ({}).', $.Finding.Workflow.Status)","State.$":"States.Format('NOTNEW')"},"EventType.$":"$.EventType","Finding.$":"$.Finding"},"Next":"notify"},"notify":{"End":true,"Retry":[{"ErrorEquals":["Lambda.ServiceException","Lambda.AWSLambdaException","Lambda.SdkClientException"],"IntervalSeconds":2,"MaxAttempts":6,"BackoffRate":2}],"Type":"Task","Comment":"Send notifications","TimeoutSeconds":300,"HeartbeatSeconds":60,"Resource":"arn:", { "Ref": "AWS::Partition", }, ":states:::lambda:invoke","Parameters":{"FunctionName":"", { "Fn::GetAtt": [ "sendNotifications1367638A", "Arn", ], }, "","Payload.$":"$"}},"Automation Document is not Active":{"Type":"Pass","Parameters":{"Notification":{"Message.$":"States.Format('Automation Document ({}) is not active ({}) in the member account({}).', $.AutomationDocId, $.AutomationDocument.DocState, $.Finding.AwsAccountId)","State.$":"States.Format('REMEDIATIONNOTACTIVE')","updateSecHub":"yes"},"EventType.$":"$.EventType","Finding.$":"$.Finding","AccountId.$":"$.AutomationDocument.AccountId","AutomationDocId.$":"$.AutomationDocument.AutomationDocId","RemediationRole.$":"$.AutomationDocument.RemediationRole","ControlId.$":"$.AutomationDocument.ControlId","SecurityStandard.$":"$.AutomationDocument.SecurityStandard","SecurityStandardVersion.$":"$.AutomationDocument.SecurityStandardVersion"},"Next":"notify"},"Automation Doc Active?":{"Type":"Choice","Choices":[{"Variable":"$.AutomationDocument.DocState","StringEquals":"ACTIVE","Next":"Execute Remediation"},{"Variable":"$.AutomationDocument.DocState","StringEquals":"NOTACTIVE","Next":"Automation Document is not Active"},{"Variable":"$.AutomationDocument.DocState","StringEquals":"NOTENABLED","Next":"Security Standard is not enabled"},{"Variable":"$.AutomationDocument.DocState","StringEquals":"NOTFOUND","Next":"No Remediation for Control"}],"Default":"check_ssm_doc_state Error"},"Get Automation Document State":{"Next":"Automation Doc Active?","Retry":[{"ErrorEquals":["Lambda.ServiceException","Lambda.AWSLambdaException","Lambda.SdkClientException"],"IntervalSeconds":2,"MaxAttempts":6,"BackoffRate":2}],"Catch":[{"ErrorEquals":["States.ALL"],"Next":"Orchestrator Failed"}],"Type":"Task","Comment":"Get the status of the remediation automation document in the target account","TimeoutSeconds":60,"ResultPath":"$.AutomationDocument","ResultSelector":{"DocState.$":"$.Payload.status","Message.$":"$.Payload.message","SecurityStandard.$":"$.Payload.securitystandard","SecurityStandardVersion.$":"$.Payload.securitystandardversion","SecurityStandardSupported.$":"$.Payload.standardsupported","ControlId.$":"$.Payload.controlid","AccountId.$":"$.Payload.accountid","RemediationRole.$":"$.Payload.remediationrole","AutomationDocId.$":"$.Payload.automationdocid","ResourceRegion.$":"$.Payload.resourceregion"},"Resource":"arn:", { "Ref": "AWS::Partition", }, ":states:::lambda:invoke","Parameters":{"FunctionName":"", { "Fn::GetAtt": [ "checkSSMDocState06AC440F", "Arn", ], }, "","Payload.$":"$"}},"Get Remediation Approval Requirement":{"Next":"Get Automation Document State","Retry":[{"ErrorEquals":["Lambda.ServiceException","Lambda.AWSLambdaException","Lambda.SdkClientException"],"IntervalSeconds":2,"MaxAttempts":6,"BackoffRate":2}],"Catch":[{"ErrorEquals":["States.ALL"],"Next":"Orchestrator Failed"}],"Type":"Task","Comment":"Determine whether the selected remediation requires manual approval","TimeoutSeconds":300,"ResultPath":"$.Workflow","ResultSelector":{"WorkflowDocument.$":"$.Payload.workflowdoc","WorkflowAccount.$":"$.Payload.workflowaccount","WorkflowRole.$":"$.Payload.workflowrole","WorkflowConfig.$":"$.Payload.workflow_data"},"Resource":"arn:", { "Ref": "AWS::Partition", }, ":states:::lambda:invoke","Parameters":{"FunctionName":"", { "Fn::GetAtt": [ "getApprovalRequirementE7F50E54", "Arn", ], }, "","Payload.$":"$"}},"Orchestrator Failed":{"Type":"Pass","Parameters":{"Notification":{"Message.$":"States.Format('Orchestrator failed: {}', $.Error)","State.$":"States.Format('LAMBDAERROR')","Details.$":"States.Format('Cause: {}', $.Cause)"},"Payload.$":"$"},"Next":"notify"},"Execute Remediation":{"Next":"Remediation Queued","Retry":[{"ErrorEquals":["Lambda.ServiceException","Lambda.AWSLambdaException","Lambda.SdkClientException"],"IntervalSeconds":2,"MaxAttempts":6,"BackoffRate":2}],"Catch":[{"ErrorEquals":["States.ALL"],"Next":"Orchestrator Failed"}],"Type":"Task","Comment":"Execute the SSM Automation Document in the target account","TimeoutSeconds":300,"HeartbeatSeconds":60,"ResultPath":"$.SSMExecution","ResultSelector":{"ExecState.$":"$.Payload.status","Message.$":"$.Payload.message","ExecId.$":"$.Payload.executionid","Account.$":"$.Payload.executionaccount","Region.$":"$.Payload.executionregion"},"Resource":"arn:", { "Ref": "AWS::Partition", }, ":states:::lambda:invoke","Parameters":{"FunctionName":"", { "Fn::GetAtt": [ "execAutomation5D89E251", "Arn", ], }, "","Payload.$":"$"}},"Remediation Queued":{"Type":"Pass","Comment":"Set parameters for notification","Parameters":{"EventType.$":"$.EventType","Finding.$":"$.Finding","AutomationDocument.$":"$.AutomationDocument","SSMExecution.$":"$.SSMExecution","Notification":{"Message.$":"States.Format('Remediation queued for {} control {} in account {}', $.AutomationDocument.SecurityStandard, $.AutomationDocument.ControlId, $.AutomationDocument.AccountId)","State.$":"States.Format('QUEUED')","ExecId.$":"$.SSMExecution.ExecId"}},"Next":"Queued Notification"},"Queued Notification":{"Next":"execMonitor","Retry":[{"ErrorEquals":["Lambda.ServiceException","Lambda.AWSLambdaException","Lambda.SdkClientException"],"IntervalSeconds":2,"MaxAttempts":6,"BackoffRate":2}],"Type":"Task","Comment":"Send notification that a remediation has queued","TimeoutSeconds":300,"HeartbeatSeconds":60,"ResultPath":"$.notificationResult","Resource":"arn:", { "Ref": "AWS::Partition", }, ":states:::lambda:invoke","Parameters":{"FunctionName":"", { "Fn::GetAtt": [ "sendNotifications1367638A", "Arn", ], }, "","Payload.$":"$"}},"execMonitor":{"Next":"Remediation completed?","Retry":[{"ErrorEquals":["Lambda.ServiceException","Lambda.AWSLambdaException","Lambda.SdkClientException"],"IntervalSeconds":2,"MaxAttempts":6,"BackoffRate":2}],"Catch":[{"ErrorEquals":["States.ALL"],"Next":"Orchestrator Failed"}],"Type":"Task","Comment":"Monitor the remediation execution until done","TimeoutSeconds":300,"HeartbeatSeconds":60,"ResultPath":"$.Remediation","ResultSelector":{"ExecState.$":"$.Payload.status","ExecId.$":"$.Payload.executionid","RemediationState.$":"$.Payload.remediation_status","Message.$":"$.Payload.message","LogData.$":"$.Payload.logdata","AffectedObject.$":"$.Payload.affected_object"},"Resource":"arn:", { "Ref": "AWS::Partition", }, ":states:::lambda:invoke","Parameters":{"FunctionName":"", { "Fn::GetAtt": [ "monitorSSMExecStateB496B8AF", "Arn", ], }, "","Payload.$":"$"}},"Wait for Remediation":{"Type":"Wait","Seconds":15,"Next":"execMonitor"},"Remediation completed?":{"Type":"Choice","Choices":[{"Variable":"$.Remediation.RemediationState","StringEquals":"Failed","Next":"Remediation Failed"},{"Variable":"$.Remediation.ExecState","StringEquals":"Success","Next":"Remediation Succeeded"},{"Variable":"$.Remediation.ExecState","StringEquals":"TimedOut","Next":"Remediation Failed"},{"Variable":"$.Remediation.ExecState","StringEquals":"Cancelling","Next":"Remediation Failed"},{"Variable":"$.Remediation.ExecState","StringEquals":"Cancelled","Next":"Remediation Failed"},{"Variable":"$.Remediation.ExecState","StringEquals":"Failed","Next":"Remediation Failed"}],"Default":"Wait for Remediation"},"Remediation Failed":{"Type":"Pass","Comment":"Set parameters for notification","Parameters":{"EventType.$":"$.EventType","Finding.$":"$.Finding","SSMExecution.$":"$.SSMExecution","AutomationDocument.$":"$.AutomationDocument","Notification":{"Message.$":"States.Format('Remediation failed for {} control {} in account {}: {}', $.AutomationDocument.SecurityStandard, $.AutomationDocument.ControlId, $.AutomationDocument.AccountId, $.Remediation.Message)","State.$":"$.Remediation.ExecState","Details.$":"$.Remediation.LogData","ExecId.$":"$.Remediation.ExecId","AffectedObject.$":"$.Remediation.AffectedObject"}},"Next":"notify"},"Remediation Succeeded":{"Type":"Pass","Comment":"Set parameters for notification","Parameters":{"EventType.$":"$.EventType","Finding.$":"$.Finding","AccountId.$":"$.AutomationDocument.AccountId","AutomationDocId.$":"$.AutomationDocument.AutomationDocId","RemediationRole.$":"$.AutomationDocument.RemediationRole","ControlId.$":"$.AutomationDocument.ControlId","SecurityStandard.$":"$.AutomationDocument.SecurityStandard","SecurityStandardVersion.$":"$.AutomationDocument.SecurityStandardVersion","Notification":{"Message.$":"States.Format('Remediation succeeded for {} control {} in account {}: {}', $.AutomationDocument.SecurityStandard, $.AutomationDocument.ControlId, $.AutomationDocument.AccountId, $.Remediation.Message)","State.$":"States.Format('SUCCESS')","Details.$":"$.Remediation.LogData","ExecId.$":"$.Remediation.ExecId","AffectedObject.$":"$.Remediation.AffectedObject"}},"Next":"notify"},"check_ssm_doc_state Error":{"Type":"Pass","Parameters":{"Notification":{"Message.$":"States.Format('check_ssm_doc_state returned an error: {}', $.AutomationDocument.Message)","State.$":"States.Format('LAMBDAERROR')"},"EventType.$":"$.EventType","Finding.$":"$.Finding"},"Next":"notify"},"Security Standard is not enabled":{"Type":"Pass","Parameters":{"Notification":{"Message.$":"States.Format('Security Standard ({}) v{} is not enabled.', $.AutomationDocument.SecurityStandard, $.AutomationDocument.SecurityStandardVersion)","State.$":"States.Format('STANDARDNOTENABLED')","updateSecHub":"yes"},"EventType.$":"$.EventType","Finding.$":"$.Finding","AccountId.$":"$.AutomationDocument.AccountId","AutomationDocId.$":"$.AutomationDocument.AutomationDocId","RemediationRole.$":"$.AutomationDocument.RemediationRole","ControlId.$":"$.AutomationDocument.ControlId","SecurityStandard.$":"$.AutomationDocument.SecurityStandard","SecurityStandardVersion.$":"$.AutomationDocument.SecurityStandardVersion"},"Next":"notify"},"No Remediation for Control":{"Type":"Pass","Parameters":{"Notification":{"Message.$":"States.Format('Security Standard {} v{} control {} has no automated remediation.', $.AutomationDocument.SecurityStandard, $.AutomationDocument.SecurityStandardVersion, $.AutomationDocument.ControlId)","State.$":"States.Format('NOREMEDIATION')","updateSecHub":"yes"},"EventType.$":"$.EventType","Finding.$":"$.Finding","AccountId.$":"$.AutomationDocument.AccountId","AutomationDocId.$":"$.AutomationDocument.AutomationDocId","RemediationRole.$":"$.AutomationDocument.RemediationRole","ControlId.$":"$.AutomationDocument.ControlId","SecurityStandard.$":"$.AutomationDocument.SecurityStandard","SecurityStandardVersion.$":"$.AutomationDocument.SecurityStandardVersion"},"Next":"notify"}}},"ItemsPath":"$.Findings"},"EOJ":{"Type":"Pass","Comment":"END-OF-JOB","End":true}},"TimeoutSeconds":900}", ], ], }, "LoggingConfiguration": { "Destinations": [ { "CloudWatchLogsLogGroup": { "LogGroupArn": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:eu-west-1:111111111111:log-group:ORCH_LOG_GROUP:*", ], ], }, }, }, ], "IncludeExecutionData": true, "Level": "ALL", }, "RoleArn": { "Fn::GetAtt": [ "orchestratorRole12B410FD", "Arn", ], }, "StateMachineName": "SO0111-SHARR-Orchestrator", }, "Type": "AWS::StepFunctions::StateMachine", "UpdateReplacePolicy": "Delete", }, "sendNotifications1367638A": { "DependsOn": [ "notifyRole40298120", ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W58", "reason": "False positive. Access is provided via a policy", }, { "id": "W89", "reason": "There is no need to run this lambda in a VPC", }, { "id": "W92", "reason": "There is no need for Reserved Concurrency due to low request rate", }, ], }, }, "Properties": { "Code": { "S3Bucket": "solutions-eu-west-1", "S3Key": "aws-security-hub-automated-response-and-remediation/v1.0.0/lambda/send_notifications.py.zip", }, "Description": "Sends notifications and log messages", "Environment": { "Variables": { "AWS_PARTITION": { "Ref": "AWS::Partition", }, "SOLUTION_ID": "SO0111", "SOLUTION_VERSION": "v1.0.0", "log_level": "info", }, }, "FunctionName": "SO0111-SHARR-sendNotifications", "Handler": "send_notifications.lambda_handler", "Layers": [ { "Ref": "SharrLambdaLayer5BF8F147", }, ], "MemorySize": 256, "Role": { "Fn::GetAtt": [ "notifyRole40298120", "Arn", ], }, "Runtime": "python3.9", "Timeout": 600, }, "Type": "AWS::Lambda::Function", }, }, } `;