{ "Description": "(SO0134-cr) - The AWS CloudFormation template for deployment of the aws-firewall-manager-automations-for-aws-organizations compliance reporter resources. Version v2.0.5", "AWSTemplateFormatVersion": "2010-09-09", "Metadata": { "AWS::CloudFormation::Interface": { "ParameterGroups": [ { "Label": { "default": "Shared Resource Configurations" }, "Parameters": [ "UUID", "MetricsQueue" ] } ], "ParameterLabels": { "MetricsQueue": { "default": "Metric Queue" }, "UUID": { "default": "UUID" } } } }, "Parameters": { "UUID": { "Type": "String", "Description": "UUID for primary stack deployment" }, "MetricsQueue": { "Type": "String", "Description": "Metrics queue for solution anonymized metrics" } }, "Mappings": { "PolicyStackMap": { "Metric": { "SendAnonymousMetric": "Yes" }, "Solution": { "SolutionId": "SO0134", "SolutionVersion": "v2.0.5", "UserAgentPrefix": "AwsSolution" } } }, "Resources": { "AccessLogsBucket83982689": { "Type": "AWS::S3::Bucket", "Properties": { "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256" } } ] }, "LifecycleConfiguration": { "Rules": [ { "ExpirationInDays": 730, "Status": "Enabled", "Transitions": [ { "StorageClass": "STANDARD_IA", "TransitionInDays": 30 }, { "StorageClass": "GLACIER", "TransitionInDays": 90 } ] } ] }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true }, "VersioningConfiguration": { "Status": "Enabled" } }, "UpdateReplacePolicy": "Retain", "DeletionPolicy": "Retain", "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W35", "reason": "access logging disabled, its a logging bucket" }, { "id": "W51", "reason": "permission given for log delivery" } ] } } }, "AccessLogsBucketPolicy7F77476F": { "Type": "AWS::S3::BucketPolicy", "Properties": { "Bucket": { "Ref": "AccessLogsBucket83982689" }, "PolicyDocument": { "Statement": [ { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": "false" } }, "Effect": "Deny", "Principal": { "AWS": "*" }, "Resource": [ { "Fn::GetAtt": [ "AccessLogsBucket83982689", "Arn" ] }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "AccessLogsBucket83982689", "Arn" ] }, "/*" ] ] } ] }, { "Action": "s3:PutObject", "Condition": { "ArnLike": { "aws:SourceArn": { "Fn::GetAtt": [ "ComplianceReportBucketC209518B", "Arn" ] } }, "StringEquals": { "aws:SourceAccount": { "Ref": "AWS::AccountId" } } }, "Effect": "Allow", "Principal": { "Service": "logging.s3.amazonaws.com" }, "Resource": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "AccessLogsBucket83982689", "Arn" ] }, "/*" ] ] } } ], "Version": "2012-10-17" } }, "Metadata": { "aws:cdk:path": "CommonResourceStack/ComplianceGeneratorStack/AccessLogsBucket/Policy/Resource" } }, "ComplianceReportBucketC209518B": { "Type": "AWS::S3::Bucket", "Properties": { "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256" } } ] }, "LoggingConfiguration": { "DestinationBucketName": { "Ref": "AccessLogsBucket83982689" } }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true }, "VersioningConfiguration": { "Status": "Enabled" } }, "UpdateReplacePolicy": "Retain", "DeletionPolicy": "Retain", "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W51", "reason": "permission given to lambda to put compliance reports" } ] } } }, "ComplianceReportBucketPolicy00A36248": { "Type": "AWS::S3::BucketPolicy", "Properties": { "Bucket": { "Ref": "ComplianceReportBucketC209518B" }, "PolicyDocument": { "Statement": [ { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": "false" } }, "Effect": "Deny", "Principal": { "AWS": "*" }, "Resource": [ { "Fn::GetAtt": [ "ComplianceReportBucketC209518B", "Arn" ] }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "ComplianceReportBucketC209518B", "Arn" ] }, "/*" ] ] } ] } ], "Version": "2012-10-17" } }, "Metadata": { "aws:cdk:path": "CommonResourceStack/ComplianceGeneratorStack/ComplianceReportBucket/Policy/Resource" } }, "TopicBFC7AF6E": { "Type": "AWS::SNS::Topic", "Properties": { "DisplayName": "FMS compliance report generator subscription topic", "KmsMasterKeyId": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":kms:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":alias/aws/sns" ] ] }, "TopicName": "FMS_Compliance_Generator_Topic" }, "Metadata": { "aws:cdk:path": "CommonResourceStack/ComplianceGeneratorStack/Topic/Resource" } }, "TopicPolicyA24B096F": { "Type": "AWS::SNS::TopicPolicy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "sns:Publish", "Condition": { "Bool": { "aws:SecureTransport": "false" } }, "Effect": "Deny", "Principal": { "AWS": "*" }, "Resource": { "Ref": "TopicBFC7AF6E" }, "Sid": "AllowPublishThroughSSLOnly" } ], "Version": "2012-10-17" }, "Topics": [ { "Ref": "TopicBFC7AF6E" } ] }, "Metadata": { "aws:cdk:path": "CommonResourceStack/ComplianceGeneratorStack/TopicPolicy/Resource" } }, "DLQ581697C4": { "Type": "AWS::SQS::Queue", "Properties": { "KmsMasterKeyId": "alias/aws/sqs" }, "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete", "Metadata": { "aws:cdk:path": "CommonResourceStack/ComplianceGeneratorStack/DLQ/Resource" } }, "QueuePolicyBEFD7452": { "Type": "AWS::SQS::QueuePolicy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "sqs:*", "Condition": { "Bool": { "aws:SecureTransport": "false" } }, "Effect": "Deny", "Principal": { "AWS": "*" }, "Sid": "AllowPublishThroughSSLOnly" } ], "Version": "2012-10-17" }, "Queues": [ { "Ref": "DLQ581697C4" } ] }, "Metadata": { "aws:cdk:path": "CommonResourceStack/ComplianceGeneratorStack/QueuePolicy/Resource" } }, "ComplianceGeneratorServiceRoleA6DF4428": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" } } ], "Version": "2012-10-17" }, "ManagedPolicyArns": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" ] ] } ] }, "Metadata": { "aws:cdk:path": "CommonResourceStack/ComplianceGeneratorStack/ComplianceGenerator/ServiceRole/Resource" } }, "ComplianceGeneratorServiceRoleDefaultPolicy2C6A35DA": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "sqs:SendMessage", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "DLQ581697C4", "Arn" ] } } ], "Version": "2012-10-17" }, "PolicyName": "ComplianceGeneratorServiceRoleDefaultPolicy2C6A35DA", "Roles": [ { "Ref": "ComplianceGeneratorServiceRoleA6DF4428" } ] }, "Metadata": { "aws:cdk:path": "CommonResourceStack/ComplianceGeneratorStack/ComplianceGenerator/ServiceRole/DefaultPolicy/Resource" } }, "ComplianceGeneratorAF34739A": { "Type": "AWS::Lambda::Function", "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "solutions-${AWS::Region}" }, "S3Key": "aws-firewall-manager-automations-for-aws-organizations/v2.0.5/asset738d410bd06b89003de777add46019407797681fbd3f108c2e93f72586460f7a.zip" }, "Role": { "Fn::GetAtt": [ "ComplianceGeneratorServiceRoleA6DF4428", "Arn" ] }, "DeadLetterConfig": { "TargetArn": { "Fn::GetAtt": [ "DLQ581697C4", "Arn" ] } }, "Description": "SO0134 - Function to generate compliance reports for FMS policies", "Environment": { "Variables": { "FMS_REPORT_BUCKET": { "Ref": "ComplianceReportBucketC209518B" }, "EXCLUDED_POLICIES": "NOP", "FMS_TOPIC_ARN": { "Ref": "TopicBFC7AF6E" }, "FMS_TOPIC_REGION": { "Ref": "AWS::Region" }, "SEND_METRIC": { "Fn::FindInMap": [ "PolicyStackMap", "Metric", "SendAnonymousMetric" ] }, "LOG_LEVEL": "info", "SOLUTION_ID": { "Fn::FindInMap": [ "PolicyStackMap", "Solution", "SolutionId" ] }, "SOLUTION_VERSION": { "Fn::FindInMap": [ "PolicyStackMap", "Solution", "SolutionVersion" ] }, "MAX_ATTEMPTS": "10", "UUID": { "Ref": "UUID" }, "METRICS_QUEUE": { "Fn::Join": [ "", [ "https://sqs.", { "Ref": "AWS::Region" }, ".amazonaws.com/", { "Ref": "AWS::AccountId" }, "/", { "Ref": "MetricsQueue" } ] ] }, "USER_AGENT_PREFIX": { "Fn::FindInMap": [ "PolicyStackMap", "Solution", "UserAgentPrefix" ] } } }, "Handler": "index.handler", "MemorySize": 256, "ReservedConcurrentExecutions": 200, "Runtime": "nodejs16.x", "Timeout": 300 }, "DependsOn": [ "ComplianceGeneratorServiceRoleDefaultPolicy2C6A35DA", "ComplianceGeneratorServiceRoleA6DF4428" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W58", "reason": "CloudWatch logs write permissions added with managed role AWSLambdaBasicExecutionRole" }, { "id": "W89", "reason": "Not a valid use case for Lambda functions to be deployed inside a VPC" } ] } } }, "ComplianceGeneratorAllowInvokeCommonResourceStackComplianceGeneratorStackTopicD894EECE54E62669": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:InvokeFunction", "FunctionName": { "Fn::GetAtt": [ "ComplianceGeneratorAF34739A", "Arn" ] }, "Principal": "sns.amazonaws.com", "SourceArn": { "Ref": "TopicBFC7AF6E" } }, "Metadata": { "aws:cdk:path": "CommonResourceStack/ComplianceGeneratorStack/ComplianceGenerator/AllowInvoke:CommonResourceStackComplianceGeneratorStackTopicD894EECE" } }, "ComplianceGeneratorTopic955E6B6A": { "Type": "AWS::SNS::Subscription", "Properties": { "Protocol": "lambda", "TopicArn": { "Ref": "TopicBFC7AF6E" }, "Endpoint": { "Fn::GetAtt": [ "ComplianceGeneratorAF34739A", "Arn" ] } }, "Metadata": { "aws:cdk:path": "CommonResourceStack/ComplianceGeneratorStack/ComplianceGenerator/Topic/Resource" } }, "ComplianceGeneratorRule363B956C": { "Type": "AWS::Events::Rule", "Properties": { "Name": "FMS-Compliance-Generator", "ScheduleExpression": "rate(1 day)", "State": "ENABLED", "Targets": [ { "Arn": { "Fn::GetAtt": [ "ComplianceGeneratorAF34739A", "Arn" ] }, "Id": "Target0" } ] }, "Metadata": { "aws:cdk:path": "CommonResourceStack/ComplianceGeneratorStack/ComplianceGeneratorRule/Resource" } }, "ComplianceGeneratorRuleAllowEventRuleCommonResourceStackComplianceGeneratorStackComplianceGeneratorDE343EA1FD0D888E": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:InvokeFunction", "FunctionName": { "Fn::GetAtt": [ "ComplianceGeneratorAF34739A", "Arn" ] }, "Principal": "events.amazonaws.com", "SourceArn": { "Fn::GetAtt": [ "ComplianceGeneratorRule363B956C", "Arn" ] } }, "Metadata": { "aws:cdk:path": "CommonResourceStack/ComplianceGeneratorStack/ComplianceGeneratorRule/AllowEventRuleCommonResourceStackComplianceGeneratorStackComplianceGeneratorDE343EA1" } }, "ComplianceGeneratorPolicy3F946C4F": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "fms:ListComplianceStatus", "fms:GetComplianceDetail", "fms:ListPolicies" ], "Effect": "Allow", "Resource": "*", "Sid": "FMSRead" }, { "Action": "ec2:DescribeRegions", "Effect": "Allow", "Resource": "*", "Sid": "EC2Read" }, { "Action": "sns:Publish", "Effect": "Allow", "Resource": { "Ref": "TopicBFC7AF6E" }, "Sid": "SNSWrite" }, { "Action": "s3:PutObject", "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "ComplianceReportBucketC209518B", "Arn" ] }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "ComplianceReportBucketC209518B", "Arn" ] }, "/*" ] ] } ], "Sid": "S3Write" }, { "Action": "sqs:SendMessage", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:aws:sqs:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":", { "Ref": "MetricsQueue" } ] ] }, "Sid": "SQSWrite" } ], "Version": "2012-10-17" }, "PolicyName": "FMS-ComplianceGeneratorPolicy", "Roles": [ { "Ref": "ComplianceGeneratorServiceRoleA6DF4428" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for IAM Read actions (fms:ListComplianceStatus,fms:GetComplianceDetail,fms:ListPolicies) to be performed on multiple FMS policies in different regions" } ] } } }, "CDKMetadata": { "Type": "AWS::CDK::Metadata", "Properties": { "Analytics": "v2:deflate64:H4sIAAAAAAAA/02Ry27DIBBFv6V7TPOQqm6bSN2ldZzuI4yn0cQ2OAykqpD/vTyc2hvuvczMkRg2/HXNV0/ihwrZtEWHNfcfQBaakxWyZftvVQojerBgYjiIYUB1YWHg7GnL/c7JFmwsTS5LqTuUv/P1lHPYCYKRkSLuv/SAMrZlk855dhlPriZpcLCoVawtc4DdAuzowEGsZZPOGbaII+tEXzeC+3en5IO49CWYHokSG0XPfaW7hE46Qx882p4FEVjib1EY3EGF4Cs3jQUdR1YBaWcksNQVVnyJywz1T2cHl9b43xL8XqsG8wOVboBf6fm+fuGbVfiyKyEWximLPfAq6x9YUz12zgEAAA==" }, "Metadata": { "aws:cdk:path": "CommonResourceStack/ComplianceGeneratorStack/CDKMetadata/Default" }, "Condition": "CDKMetadataAvailable" } }, "Outputs": { "ReportBucket": { "Description": "Bucket with compliance reports", "Value": { "Fn::Join": [ "", [ "s3://", { "Ref": "ComplianceReportBucketC209518B" } ] ] } } }, "Conditions": { "CDKMetadataAvailable": { "Fn::Or": [ { "Fn::Or": [ { "Fn::Equals": [ { "Ref": "AWS::Region" }, "af-south-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "ap-east-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "ap-northeast-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "ap-northeast-2" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "ap-south-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "ap-southeast-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "ap-southeast-2" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "ca-central-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "cn-north-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "cn-northwest-1" ] } ] }, { "Fn::Or": [ { "Fn::Equals": [ { "Ref": "AWS::Region" }, "eu-central-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "eu-north-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "eu-south-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "eu-west-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "eu-west-2" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "eu-west-3" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "me-south-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "sa-east-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "us-east-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "us-east-2" ] } ] }, { "Fn::Or": [ { "Fn::Equals": [ { "Ref": "AWS::Region" }, "us-west-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "us-west-2" ] } ] } ] } } }