{ "Description": "(SO0134-po) - The AWS CloudFormation template for deployment of the aws-firewall-manager-automations-for-aws-organizations. Version v2.0.5", "AWSTemplateFormatVersion": "2010-09-09", "Metadata": { "AWS::CloudFormation::Interface": { "ParameterGroups": [ { "Label": { "default": "Policy Configuration" }, "Parameters": [ "PolicyIdentifier" ] }, { "Label": { "default": "Shared Resource Configurations" }, "Parameters": [ "PolicyTable", "UUID", "MetricsQueue" ] } ], "ParameterLabels": { "PolicyTable": { "default": "Policy Table" }, "MetricsQueue": { "default": "Metric Queue" }, "UUID": { "default": "UUID" }, "PolicyIdentifier": { "default": "Policy Identifier" } } } }, "Parameters": { "PolicyTable": { "Type": "String", "Description": "DynamoDB table for policy metadata" }, "UUID": { "Type": "String", "Description": "UUID for primary stack deployment" }, "MetricsQueue": { "Type": "String", "Description": "Metrics queue for solution anonymized metrics" }, "PolicyIdentifier": { "Type": "String", "Description": "A unique string identifier for the policies" } }, "Mappings": { "PolicyStackMap": { "Metric": { "SendAnonymousMetric": "Yes" }, "Solution": { "SolutionId": "SO0134", "SolutionVersion": "v2.0.5", "UserAgentPrefix": "AwsSolution" } }, "DefaultCrNodeVersionMap": { "af-south-1": { "value": "nodejs16.x" }, "ap-east-1": { "value": "nodejs16.x" }, "ap-northeast-1": { "value": "nodejs16.x" }, "ap-northeast-2": { "value": "nodejs16.x" }, "ap-northeast-3": { "value": "nodejs16.x" }, "ap-south-1": { "value": "nodejs16.x" }, "ap-south-2": { "value": "nodejs16.x" }, "ap-southeast-1": { "value": "nodejs16.x" }, "ap-southeast-2": { "value": "nodejs16.x" }, "ap-southeast-3": { "value": "nodejs16.x" }, "ca-central-1": { "value": "nodejs16.x" }, "cn-north-1": { "value": "nodejs16.x" }, "cn-northwest-1": { "value": "nodejs16.x" }, "eu-central-1": { "value": "nodejs16.x" }, "eu-central-2": { "value": "nodejs16.x" }, "eu-north-1": { "value": "nodejs16.x" }, "eu-south-1": { "value": "nodejs16.x" }, "eu-south-2": { "value": "nodejs16.x" }, "eu-west-1": { "value": "nodejs16.x" }, "eu-west-2": { "value": "nodejs16.x" }, "eu-west-3": { "value": "nodejs16.x" }, "me-central-1": { "value": "nodejs16.x" }, "me-south-1": { "value": "nodejs16.x" }, "sa-east-1": { "value": "nodejs16.x" }, "us-east-1": { "value": "nodejs16.x" }, "us-east-2": { "value": "nodejs16.x" }, "us-gov-east-1": { "value": "nodejs16.x" }, "us-gov-west-1": { "value": "nodejs16.x" }, "us-iso-east-1": { "value": "nodejs14.x" }, "us-iso-west-1": { "value": "nodejs14.x" }, "us-isob-east-1": { "value": "nodejs14.x" }, "us-west-1": { "value": "nodejs16.x" }, "us-west-2": { "value": "nodejs16.x" } } }, "Resources": { "FMSOUs9CEEEC1C": { "Type": "AWS::SSM::Parameter", "Properties": { "Type": "StringList", "Value": "NOP", "Description": "FMS parameter store for OUs", "Name": { "Fn::Join": [ "", [ "/FMS/", { "Ref": "PolicyIdentifier" }, "/OUs" ] ] } }, "Metadata": { "aws:cdk:path": "CommonResourceStack/PolicyStack-DefaultPolicy/FMSOUs/Resource" } }, "FMSTags216E0D22": { "Type": "AWS::SSM::Parameter", "Properties": { "Type": "String", "Value": "NOP", "Description": "fms parameter for fms tags", "Name": { "Fn::Join": [ "", [ "/FMS/", { "Ref": "PolicyIdentifier" }, "/Tags" ] ] } }, "Metadata": { "aws:cdk:path": "CommonResourceStack/PolicyStack-DefaultPolicy/FMSTags/Resource" } }, "FMSRegions39DF213B": { "Type": "AWS::SSM::Parameter", "Properties": { "Type": "StringList", "Value": "NOP", "Description": "fms parameter for fms regions", "Name": { "Fn::Join": [ "", [ "/FMS/", { "Ref": "PolicyIdentifier" }, "/Regions" ] ] } }, "Metadata": { "aws:cdk:path": "CommonResourceStack/PolicyStack-DefaultPolicy/FMSRegions/Resource" } }, "AccessLogsBucket83982689": { "Type": "AWS::S3::Bucket", "Properties": { "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256" } } ] }, "LifecycleConfiguration": { "Rules": [ { "ExpirationInDays": 730, "Status": "Enabled", "Transitions": [ { "StorageClass": "STANDARD_IA", "TransitionInDays": 30 }, { "StorageClass": "GLACIER", "TransitionInDays": 90 } ] } ] }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true }, "VersioningConfiguration": { "Status": "Enabled" } }, "UpdateReplacePolicy": "Retain", "DeletionPolicy": "Retain", "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W35", "reason": "access logging disabled, its a logging bucket" }, { "id": "W51", "reason": "permission given for log delivery" } ] } } }, "AccessLogsBucketPolicy7F77476F": { "Type": "AWS::S3::BucketPolicy", "Properties": { "Bucket": { "Ref": "AccessLogsBucket83982689" }, "PolicyDocument": { "Statement": [ { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": "false" } }, "Effect": "Deny", "Principal": { "AWS": "*" }, "Resource": [ { "Fn::GetAtt": [ "AccessLogsBucket83982689", "Arn" ] }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "AccessLogsBucket83982689", "Arn" ] }, "/*" ] ] } ] }, { "Action": "s3:PutObject", "Condition": { "ArnLike": { "aws:SourceArn": { "Fn::GetAtt": [ "ManifestBucket46C412A5", "Arn" ] } }, "StringEquals": { "aws:SourceAccount": { "Ref": "AWS::AccountId" } } }, "Effect": "Allow", "Principal": { "Service": "logging.s3.amazonaws.com" }, "Resource": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "AccessLogsBucket83982689", "Arn" ] }, "/*" ] ] } } ], "Version": "2012-10-17" } }, "Metadata": { "aws:cdk:path": "CommonResourceStack/PolicyStack-DefaultPolicy/AccessLogsBucket/Policy/Resource" } }, "ManifestBucket46C412A5": { "Type": "AWS::S3::Bucket", "Properties": { "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256" } } ] }, "LoggingConfiguration": { "DestinationBucketName": { "Ref": "AccessLogsBucket83982689" } }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true }, "VersioningConfiguration": { "Status": "Enabled" } }, "UpdateReplacePolicy": "Retain", "DeletionPolicy": "Retain", "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W51", "reason": "permission given to lambda to get policy manifest" } ] } } }, "ManifestBucketPolicy82948026": { "Type": "AWS::S3::BucketPolicy", "Properties": { "Bucket": { "Ref": "ManifestBucket46C412A5" }, "PolicyDocument": { "Statement": [ { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": "false" } }, "Effect": "Deny", "Principal": { "AWS": "*" }, "Resource": [ { "Fn::GetAtt": [ "ManifestBucket46C412A5", "Arn" ] }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "ManifestBucket46C412A5", "Arn" ] }, "/*" ] ] } ] } ], "Version": "2012-10-17" } }, "Metadata": { "aws:cdk:path": "CommonResourceStack/PolicyStack-DefaultPolicy/ManifestBucket/Policy/Resource" } }, "CopyManifest652A9A13": { "Type": "Custom::AWS", "Properties": { "ServiceToken": { "Fn::GetAtt": [ "AWS679f53fac002430cb0da5b7982bd22872D164C4C", "Arn" ] }, "Create": { "Fn::Join": [ "", [ "{\"service\":\"S3\",\"action\":\"copyObject\",\"parameters\":{\"Bucket\":\"", { "Ref": "ManifestBucket46C412A5" }, "\",\"CopySource\":\"solutions-reference/aws-firewall-manager-automations-for-aws-organizations/v2.0.5/policy_manifest.json\",\"Key\":\"policy_manifest.json\"},\"physicalResourceId\":{\"id\":\"1685737722912\"}}" ] ] }, "InstallLatestAwsSdk": true }, "DependsOn": [ "CopyManifestCustomResourcePolicy37D7914D" ], "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete", "Metadata": { "aws:cdk:path": "CommonResourceStack/PolicyStack-DefaultPolicy/CopyManifest/Resource/Default" } }, "CopyManifestCustomResourcePolicy37D7914D": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "s3:GetObject", "Effect": "Allow", "Resource": "arn:aws:s3:::solutions-reference/*", "Sid": "S3Get" }, { "Action": "s3:PutObject", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "ManifestBucket46C412A5", "Arn" ] }, "/*" ] ] }, "Sid": "S3Put" } ], "Version": "2012-10-17" }, "PolicyName": "CopyManifestCustomResourcePolicy37D7914D", "Roles": [ { "Ref": "AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2" } ] }, "Metadata": { "aws:cdk:path": "CommonResourceStack/PolicyStack-DefaultPolicy/CopyManifest/CustomResourcePolicy/Resource" } }, "AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" } } ], "Version": "2012-10-17" }, "ManagedPolicyArns": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" ] ] } ] }, "Metadata": { "aws:cdk:path": "CommonResourceStack/PolicyStack-DefaultPolicy/AWS679f53fac002430cb0da5b7982bd2287/ServiceRole/Resource" } }, "AWS679f53fac002430cb0da5b7982bd22872D164C4C": { "Type": "AWS::Lambda::Function", "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "solutions-${AWS::Region}" }, "S3Key": "aws-firewall-manager-automations-for-aws-organizations/v2.0.5/assetbb459fac5f6b4b052aac9803443226d161a5cfe96f4648b21f9e4912c698bf30.zip" }, "Role": { "Fn::GetAtt": [ "AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2", "Arn" ] }, "Handler": "index.handler", "Runtime": { "Fn::FindInMap": [ "DefaultCrNodeVersionMap", { "Ref": "AWS::Region" }, "value" ] }, "Timeout": 120 }, "DependsOn": [ "AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2" ], "Metadata": { "aws:cdk:path": "CommonResourceStack/PolicyStack-DefaultPolicy/AWS679f53fac002430cb0da5b7982bd2287/Resource", "aws:asset:path": "asset.bb459fac5f6b4b052aac9803443226d161a5cfe96f4648b21f9e4912c698bf30", "aws:asset:is-bundled": false, "aws:asset:property": "Code" } }, "DLQ581697C4": { "Type": "AWS::SQS::Queue", "Properties": { "KmsMasterKeyId": "alias/aws/sqs" }, "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete", "Metadata": { "aws:cdk:path": "CommonResourceStack/PolicyStack-DefaultPolicy/DLQ/Resource" } }, "QueuePolicyBEFD7452": { "Type": "AWS::SQS::QueuePolicy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "sqs:*", "Condition": { "Bool": { "aws:SecureTransport": "false" } }, "Effect": "Deny", "Principal": { "AWS": "*" }, "Sid": "AllowPublishThroughSSLOnly" } ], "Version": "2012-10-17" }, "Queues": [ { "Ref": "DLQ581697C4" } ] }, "Metadata": { "aws:cdk:path": "CommonResourceStack/PolicyStack-DefaultPolicy/QueuePolicy/Resource" } }, "PolicyManagerServiceRoleC35CBD54": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" } } ], "Version": "2012-10-17" }, "ManagedPolicyArns": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" ] ] } ] }, "Metadata": { "aws:cdk:path": "CommonResourceStack/PolicyStack-DefaultPolicy/PolicyManager/ServiceRole/Resource" } }, "PolicyManagerServiceRoleDefaultPolicy373BF1EC": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "sqs:SendMessage", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "DLQ581697C4", "Arn" ] } } ], "Version": "2012-10-17" }, "PolicyName": "PolicyManagerServiceRoleDefaultPolicy373BF1EC", "Roles": [ { "Ref": "PolicyManagerServiceRoleC35CBD54" } ] }, "Metadata": { "aws:cdk:path": "CommonResourceStack/PolicyStack-DefaultPolicy/PolicyManager/ServiceRole/DefaultPolicy/Resource" } }, "PolicyManager16647975": { "Type": "AWS::Lambda::Function", "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "solutions-${AWS::Region}" }, "S3Key": "aws-firewall-manager-automations-for-aws-organizations/v2.0.5/assetc441e06e248f52dd548cba7275f7a1aa6e62a5fb382a8acd0dd0f71d522be5ab.zip" }, "Role": { "Fn::GetAtt": [ "PolicyManagerServiceRoleC35CBD54", "Arn" ] }, "DeadLetterConfig": { "TargetArn": { "Fn::GetAtt": [ "DLQ581697C4", "Arn" ] } }, "Description": { "Fn::Join": [ "", [ { "Fn::FindInMap": [ "PolicyStackMap", "Solution", "SolutionId" ] }, " - Function to create/update/delete FMS security policies" ] ] }, "Environment": { "Variables": { "FMS_OU": { "Ref": "FMSOUs9CEEEC1C" }, "FMS_TAG": { "Ref": "FMSTags216E0D22" }, "FMS_REGION": { "Ref": "FMSRegions39DF213B" }, "FMS_TABLE": { "Ref": "PolicyTable" }, "POLICY_MANIFEST": { "Fn::Join": [ "", [ { "Ref": "ManifestBucket46C412A5" }, "|policy_manifest.json" ] ] }, "POLICY_IDENTIFIER": { "Ref": "PolicyIdentifier" }, "SEND_METRIC": { "Fn::FindInMap": [ "PolicyStackMap", "Metric", "SendAnonymousMetric" ] }, "LOG_LEVEL": "info", "SOLUTION_ID": { "Fn::FindInMap": [ "PolicyStackMap", "Solution", "SolutionId" ] }, "SOLUTION_VERSION": { "Fn::FindInMap": [ "PolicyStackMap", "Solution", "SolutionVersion" ] }, "MAX_ATTEMPTS": "10", "UUID": { "Ref": "UUID" }, "METRICS_QUEUE": { "Fn::Join": [ "", [ "https://sqs.", { "Ref": "AWS::Region" }, ".amazonaws.com/", { "Ref": "AWS::AccountId" }, "/", { "Ref": "MetricsQueue" } ] ] }, "USER_AGENT_PREFIX": { "Fn::FindInMap": [ "PolicyStackMap", "Solution", "UserAgentPrefix" ] } } }, "Handler": "index.handler", "MemorySize": 512, "Runtime": "nodejs16.x", "Timeout": 900 }, "DependsOn": [ "PolicyManagerServiceRoleDefaultPolicy373BF1EC", "PolicyManagerServiceRoleC35CBD54" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W58", "reason": "CloudWatch logs write permissions added with managed role AWSLambdaBasicExecutionRole" }, { "id": "W89", "reason": "Not a valid use case for Lambda functions to be deployed inside a VPC" }, { "id": "W92", "reason": "Lambda ReservedConcurrentExecutions not needed" } ] } } }, "PolicyManagerEventInvokeConfig535D4AF9": { "Type": "AWS::Lambda::EventInvokeConfig", "Properties": { "FunctionName": { "Ref": "PolicyManager16647975" }, "Qualifier": "$LATEST", "MaximumEventAgeInSeconds": 900, "MaximumRetryAttempts": 0 }, "Metadata": { "aws:cdk:path": "CommonResourceStack/PolicyStack-DefaultPolicy/PolicyManager/EventInvokeConfig/Resource" } }, "PolicyManagerAwsEventsLambdaInvokePermission14D2321A4": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:InvokeFunction", "FunctionName": { "Fn::GetAtt": [ "PolicyManager16647975", "Arn" ] }, "Principal": "events.amazonaws.com", "SourceArn": { "Fn::GetAtt": [ "EventsRuleLambdaEventsRule0A996B52", "Arn" ] } }, "Metadata": { "aws:cdk:path": "CommonResourceStack/PolicyStack-DefaultPolicy/PolicyManager/AwsEventsLambdaInvokePermission-1" } }, "EventsRuleLambdaEventsRule0A996B52": { "Type": "AWS::Events::Rule", "Properties": { "EventPattern": { "source": [ "aws.ssm" ], "detail-type": [ "Parameter Store Change" ], "resources": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":parameter", { "Ref": "FMSOUs9CEEEC1C" } ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":parameter", { "Ref": "FMSTags216E0D22" } ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":parameter", { "Ref": "FMSRegions39DF213B" } ] ] } ] }, "State": "ENABLED", "Targets": [ { "Arn": { "Fn::GetAtt": [ "PolicyManager16647975", "Arn" ] }, "Id": "Target0" } ] }, "Metadata": { "aws:cdk:path": "CommonResourceStack/PolicyStack-DefaultPolicy/EventsRuleLambda/EventsRule/Resource" } }, "PolicyMangerLogGroupE410035C": { "Type": "AWS::Logs::LogGroup", "Properties": { "LogGroupName": { "Fn::Join": [ "", [ "/aws/lambda/", { "Ref": "PolicyManager16647975" } ] ] }, "RetentionInDays": 7 }, "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete", "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W84", "reason": "Using service default encryption https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/data-protection.html" } ] } } }, "LambdaIAMFMSPolicyRead3CBC9BF1": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "ec2:DescribeRegions", "Effect": "Allow", "Resource": "*", "Sid": "EC2Read0" }, { "Action": "ssm:GetParameter", "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":parameter", { "Ref": "FMSRegions39DF213B" } ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":parameter", { "Ref": "FMSOUs9CEEEC1C" } ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":parameter", { "Ref": "FMSTags216E0D22" } ] ] } ], "Sid": "SSMRead05" }, { "Action": "s3:GetObject", "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "ManifestBucket46C412A5", "Arn" ] }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "ManifestBucket46C412A5", "Arn" ] }, "/*" ] ] } ], "Sid": "S3Read06" }, { "Action": [ "route53resolver:ListFirewallDomainLists", "route53resolver:ListFirewallRuleGroups", "ram:ListResources" ], "Effect": "Allow", "Resource": "*", "Sid": "DNSRAMRead10" } ], "Version": "2012-10-17" }, "PolicyName": "LambdaIAMFMSPolicyRead3CBC9BF1", "Roles": [ { "Ref": "PolicyManagerServiceRoleC35CBD54" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "* needed for [ec2:DescribeRegions, route53resolver:ListFirewallDomainLists, route53resolver:ListFirewallRuleGroups, ram:ListResources], does no support resource level permissions" } ] } } }, "LambdaIAMFMSPolicyWrite3D1AAE35": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "dynamodb:GetItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:aws:dynamodb:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":table/", { "Ref": "PolicyTable" } ] ] }, "Sid": "DDBWrite01" }, { "Action": [ "fms:PutPolicy", "fms:DeletePolicy" ], "Effect": "Allow", "Resource": "arn:aws:fms:*:*:policy/*", "Sid": "FMSWrite021" }, { "Action": [ "logs:CreateLogStream", "logs:PutLogEvents", "logs:CreateLogGroup" ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "PolicyMangerLogGroupE410035C", "Arn" ] }, "Sid": "CloudWatchLogsWrite03" }, { "Action": "sqs:SendMessage", "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "DLQ581697C4", "Arn" ] }, { "Fn::Join": [ "", [ "arn:aws:sqs:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":", { "Ref": "MetricsQueue" } ] ] } ], "Sid": "SQSWrite04" }, { "Action": [ "wafv2:*", "shield:GetSubscriptionState" ], "Effect": "Allow", "Resource": "*", "Sid": "WAFWrite07" }, { "Action": [ "route53resolver:CreateFirewallRule", "route53resolver:CreateFirewallRuleGroup", "route53resolver:DeleteFirewallRuleGroup", "route53resolver:ListFirewallRules", "route53resolver:DeleteFirewallRule", "route53resolver:GetFirewallRuleGroup" ], "Effect": "Allow", "Resource": "*", "Sid": "DNSWrite08" }, { "Action": "ram:DeleteResourceShare", "Condition": { "StringEquals": { "aws:ResourceTag/FMManaged": "true" } }, "Effect": "Allow", "Resource": "*", "Sid": "RAMWrite09" } ], "Version": "2012-10-17" }, "PolicyName": "LambdaIAMFMSPolicyWrite3D1AAE35", "Roles": [ { "Ref": "PolicyManagerServiceRoleC35CBD54" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "* resource used for fms and route53resolver actions, resources are created/deleted as part of solution" }, { "id": "F4", "reason": "Read & Write permissions needed to create WAFv2 policies" } ] } } }, "CDKMetadata": { "Type": "AWS::CDK::Metadata", "Properties": { "Analytics": "v2:deflate64:H4sIAAAAAAAA/21STU/DMAz9LdzT7EtCcAOmgZAGjI77lKVelbVNSpxsQlX/O07atYC4xO+92I4de86bmxmfXokzJjIrklLtefMK6CDbOiELtjzojbCiAgc2kBdR10rnjAJ2DWLFm62zJKwVul+OI+kcBt4yXPDmwcsCXHDsUWc2plTya5R73pEHgdCyUlT7TNC7lLQEZ/Sj19Ipo9kAKHzAqxNo96xPpoCl0QeVh9t/xQ3YSiFSUMuUoM7GYnqUmhICDTa0sROI4JDfB8PwE3nz7sFHnw7Ec8zzg7YMQhEUkvo+qw9ZS5OTtjb5kzW+DvoFty2THp2pdhbQeCuBXj7jMmppL7G/lPJe8ABivTTfPEySPN68q30cBv1Gplz8gsUt7cVdWAw0pQ8arQgdznrpcBIuYgd7q7Ickn4sq1H6MOuotUybDPgRJ6fZNZ9PKe0RlUqs105VwNPOfgP4EImyiwIAAA==" }, "Metadata": { "aws:cdk:path": "CommonResourceStack/PolicyStack-DefaultPolicy/CDKMetadata/Default" }, "Condition": "CDKMetadataAvailable" } }, "Outputs": { "PolicyManifestBucket": { "Description": "S3 Bucket with policy manifest file", "Value": { "Fn::Join": [ "", [ "s3://", { "Ref": "ManifestBucket46C412A5" } ] ] } } }, "Conditions": { "CDKMetadataAvailable": { "Fn::Or": [ { "Fn::Or": [ { "Fn::Equals": [ { "Ref": "AWS::Region" }, "af-south-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "ap-east-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "ap-northeast-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "ap-northeast-2" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "ap-south-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "ap-southeast-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "ap-southeast-2" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "ca-central-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "cn-north-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "cn-northwest-1" ] } ] }, { "Fn::Or": [ { "Fn::Equals": [ { "Ref": "AWS::Region" }, "eu-central-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "eu-north-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "eu-south-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "eu-west-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "eu-west-2" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "eu-west-3" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "me-south-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "sa-east-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "us-east-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "us-east-2" ] } ] }, { "Fn::Or": [ { "Fn::Equals": [ { "Ref": "AWS::Region" }, "us-west-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "us-west-2" ] } ] } ] } } }