{
  "Description": "(SO0134) - The AWS CloudFormation template for deployment of the aws-centralized-waf-and-vpc-sg-management. Version v1.0.0",
  "AWSTemplateFormatVersion": "2010-09-09",
  "Mappings": {
    "FMSStackMap": {
      "SSMParameters": {
        "Region": "/FMS/Regions",
        "OUs": "/FMS/OUs",
        "Tags": "/FMS/Tags"
      },
      "Metric": {
        "SendAnonymousMetric": "Yes",
        "MetricsEndpoint": "https://metrics.awssolutionsbuilder.com/generic"
      },
      "Solution": {
        "SolutionId": "SO0134",
        "SolutionVersion": "v1.0.0"
      }
    }
  },
  "Resources": {
    "FMSHelperFunctionServiceRoleA51F4DD9": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "lambda.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "ManagedPolicyArns": [
          {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
              ]
            ]
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "PreReqStack/FMSStack/FMSHelperFunction/ServiceRole/Resource"
      }
    },
    "FMSHelperFunction59933F0A": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Code": {
          "S3Bucket": {
            "Fn::Sub": "solutions-${AWS::Region}"
          },
          "S3Key": "aws-centralized-waf-and-vpc-sg-management/v1.0.0/assete556590c657a65b97b0657a772205d78c37ca33283675191e5f92df4f2b64d71.zip"
        },
        "Handler": "index.handler",
        "Role": {
          "Fn::GetAtt": [
            "FMSHelperFunctionServiceRoleA51F4DD9",
            "Arn"
          ]
        },
        "Runtime": "nodejs12.x",
        "Description": "DO NOT DELETE - FMS helper function",
        "Environment": {
          "Variables": {
            "METRICS_ENDPOINT": {
              "Fn::FindInMap": [
                "FMSStackMap",
                "Metric",
                "MetricsEndpoint"
              ]
            },
            "SEND_METRIC": {
              "Fn::FindInMap": [
                "FMSStackMap",
                "Metric",
                "SendAnonymousMetric"
              ]
            },
            "LOG_LEVEL": "info"
          }
        },
        "MemorySize": 512
      },
      "DependsOn": [
        "FMSHelperFunctionServiceRoleA51F4DD9"
      ],
      "Metadata": {
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "W58",
              "reason": "CloudWatch logs write permissions added with managed role AWSLambdaBasicExecutionRole"
            }
          ]
        }
      }
    },
    "helperProviderframeworkonEventServiceRoleFA06E8E2": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "lambda.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "ManagedPolicyArns": [
          {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
              ]
            ]
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "PreReqStack/FMSStack/helperProvider/framework-onEvent/ServiceRole/Resource"
      }
    },
    "helperProviderframeworkonEventServiceRoleDefaultPolicy0DFC22B9": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": "lambda:InvokeFunction",
              "Effect": "Allow",
              "Resource": {
                "Fn::GetAtt": [
                  "FMSHelperFunction59933F0A",
                  "Arn"
                ]
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "helperProviderframeworkonEventServiceRoleDefaultPolicy0DFC22B9",
        "Roles": [
          {
            "Ref": "helperProviderframeworkonEventServiceRoleFA06E8E2"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "PreReqStack/FMSStack/helperProvider/framework-onEvent/ServiceRole/DefaultPolicy/Resource"
      }
    },
    "helperProviderframeworkonEvent35A99430": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Code": {
          "S3Bucket": {
            "Fn::Sub": "solutions-${AWS::Region}"
          },
          "S3Key": "aws-centralized-waf-and-vpc-sg-management/v1.0.0/asset1ed82f549c7384dfae04a04440b3d1bf30653fde425e280dbb3ea03dbb3c96fc.zip"
        },
        "Handler": "asset1ed82f549c7384dfae04a04440b3d1bf30653fde425e280dbb3ea03dbb3c96fc/framework.onEvent",
        "Role": {
          "Fn::GetAtt": [
            "helperProviderframeworkonEventServiceRoleFA06E8E2",
            "Arn"
          ]
        },
        "Runtime": "nodejs10.x",
        "Description": "AWS CDK resource provider framework - onEvent (PreReqStack/FMSStack/helperProvider)",
        "Environment": {
          "Variables": {
            "USER_ON_EVENT_FUNCTION_ARN": {
              "Fn::GetAtt": [
                "FMSHelperFunction59933F0A",
                "Arn"
              ]
            }
          }
        },
        "Timeout": 900
      },
      "DependsOn": [
        "helperProviderframeworkonEventServiceRoleDefaultPolicy0DFC22B9",
        "helperProviderframeworkonEventServiceRoleFA06E8E2"
      ],
      "Metadata": {
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "W58",
              "reason": "CloudWatch logs write permissions added with managed role AWSLambdaBasicExecutionRole"
            }
          ]
        }
      }
    },
    "CreateUUID": {
      "Type": "Custom::CreateUUID",
      "Properties": {
        "ServiceToken": {
          "Fn::GetAtt": [
            "helperProviderframeworkonEvent35A99430",
            "Arn"
          ]
        }
      },
      "UpdateReplacePolicy": "Delete",
      "DeletionPolicy": "Delete",
      "Metadata": {
        "aws:cdk:path": "PreReqStack/FMSStack/CreateUUID/Default"
      }
    },
    "FMSAdminCheck": {
      "Type": "Custom::FMSAdminCheck",
      "Properties": {
        "ServiceToken": {
          "Fn::GetAtt": [
            "helperProviderframeworkonEvent35A99430",
            "Arn"
          ]
        },
        "Stack": "FMSStack",
        "Account": {
          "Ref": "AWS::AccountId"
        },
        "Region": {
          "Ref": "AWS::Region"
        }
      },
      "UpdateReplacePolicy": "Delete",
      "DeletionPolicy": "Delete",
      "Metadata": {
        "aws:cdk:path": "PreReqStack/FMSStack/FMSAdminCheck/Default"
      }
    },
    "LaunchData": {
      "Type": "Custom::LaunchData",
      "Properties": {
        "ServiceToken": {
          "Fn::GetAtt": [
            "helperProviderframeworkonEvent35A99430",
            "Arn"
          ]
        },
        "SolutionId": {
          "Fn::FindInMap": [
            "FMSStackMap",
            "Solution",
            "SolutionId"
          ]
        },
        "SolutionVersion": {
          "Fn::FindInMap": [
            "FMSStackMap",
            "Solution",
            "SolutionVersion"
          ]
        },
        "SolutionUuid": {
          "Fn::GetAtt": [
            "CreateUUID",
            "UUID"
          ]
        },
        "Stack": "FMSStack"
      },
      "UpdateReplacePolicy": "Delete",
      "DeletionPolicy": "Delete",
      "Metadata": {
        "aws:cdk:path": "PreReqStack/FMSStack/LaunchData/Default"
      }
    },
    "FMSOUs9CEEEC1C": {
      "Type": "AWS::SSM::Parameter",
      "Properties": {
        "Type": "StringList",
        "Value": "NOP",
        "Description": "FMS parameter store for OUs",
        "Name": {
          "Fn::FindInMap": [
            "FMSStackMap",
            "SSMParameters",
            "OUs"
          ]
        }
      },
      "Metadata": {
        "aws:cdk:path": "PreReqStack/FMSStack/FMSOUs/Resource"
      }
    },
    "FMSTags216E0D22": {
      "Type": "AWS::SSM::Parameter",
      "Properties": {
        "Type": "String",
        "Value": "NOP",
        "Description": "FMS parameter for FMS tags",
        "Name": {
          "Fn::FindInMap": [
            "FMSStackMap",
            "SSMParameters",
            "Tags"
          ]
        }
      },
      "Metadata": {
        "aws:cdk:path": "PreReqStack/FMSStack/FMSTags/Resource"
      }
    },
    "FMSRegions39DF213B": {
      "Type": "AWS::SSM::Parameter",
      "Properties": {
        "Type": "StringList",
        "Value": "NOP",
        "Description": "FMS parameter for FMS regions",
        "Name": {
          "Fn::FindInMap": [
            "FMSStackMap",
            "SSMParameters",
            "Region"
          ]
        }
      },
      "Metadata": {
        "aws:cdk:path": "PreReqStack/FMSStack/FMSRegions/Resource"
      }
    },
    "FMSTable84B8646C": {
      "Type": "AWS::DynamoDB::Table",
      "Properties": {
        "KeySchema": [
          {
            "AttributeName": "PolicyName",
            "KeyType": "HASH"
          },
          {
            "AttributeName": "Region",
            "KeyType": "RANGE"
          }
        ],
        "AttributeDefinitions": [
          {
            "AttributeName": "PolicyName",
            "AttributeType": "S"
          },
          {
            "AttributeName": "Region",
            "AttributeType": "S"
          }
        ],
        "BillingMode": "PAY_PER_REQUEST",
        "SSESpecification": {
          "SSEEnabled": true
        }
      },
      "UpdateReplacePolicy": "Delete",
      "DeletionPolicy": "Delete",
      "Metadata": {
        "aws:cdk:path": "PreReqStack/FMSStack/FMSTable/Resource"
      }
    },
    "dlq09C78ACC": {
      "Type": "AWS::SQS::Queue",
      "Properties": {
        "KmsMasterKeyId": "alias/aws/sqs"
      },
      "Metadata": {
        "aws:cdk:path": "PreReqStack/FMSStack/dlq/Resource"
      }
    },
    "metricsQueue7DE0FE26": {
      "Type": "AWS::SQS::Queue",
      "Properties": {
        "KmsMasterKeyId": "alias/aws/sqs"
      },
      "Metadata": {
        "aws:cdk:path": "PreReqStack/FMSStack/metricsQueue/Resource"
      }
    },
    "policyManagerServiceRoleA056FB67": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "lambda.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "ManagedPolicyArns": [
          {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
              ]
            ]
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "PreReqStack/FMSStack/policyManager/ServiceRole/Resource"
      }
    },
    "policyManagerServiceRoleDefaultPolicyC1FD49F0": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": "sqs:SendMessage",
              "Effect": "Allow",
              "Resource": {
                "Fn::GetAtt": [
                  "dlq09C78ACC",
                  "Arn"
                ]
              }
            },
            {
              "Action": [
                "dynamodb:BatchGetItem",
                "dynamodb:GetRecords",
                "dynamodb:GetShardIterator",
                "dynamodb:Query",
                "dynamodb:GetItem",
                "dynamodb:Scan",
                "dynamodb:BatchWriteItem",
                "dynamodb:PutItem",
                "dynamodb:UpdateItem",
                "dynamodb:DeleteItem"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "FMSTable84B8646C",
                    "Arn"
                  ]
                },
                {
                  "Ref": "AWS::NoValue"
                }
              ]
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "policyManagerServiceRoleDefaultPolicyC1FD49F0",
        "Roles": [
          {
            "Ref": "policyManagerServiceRoleA056FB67"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "PreReqStack/FMSStack/policyManager/ServiceRole/DefaultPolicy/Resource"
      }
    },
    "policyManager07DE2620": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Code": {
          "S3Bucket": {
            "Fn::Sub": "solutions-${AWS::Region}"
          },
          "S3Key": "aws-centralized-waf-and-vpc-sg-management/v1.0.0/asset1753eb2ed688cb2e45578ccea7ca470d3a22a9d067661daba375083dad25cc9c.zip"
        },
        "Handler": "index.handler",
        "Role": {
          "Fn::GetAtt": [
            "policyManagerServiceRoleA056FB67",
            "Arn"
          ]
        },
        "Runtime": "nodejs12.x",
        "DeadLetterConfig": {
          "TargetArn": {
            "Fn::GetAtt": [
              "dlq09C78ACC",
              "Arn"
            ]
          }
        },
        "Description": "Function to create/update/delete FMS security policies for the FMS solution",
        "Environment": {
          "Variables": {
            "FMS_OU": {
              "Ref": "FMSOUs9CEEEC1C"
            },
            "FMS_TAGS": {
              "Ref": "FMSTags216E0D22"
            },
            "FMS_REGIONS": {
              "Ref": "FMSRegions39DF213B"
            },
            "FMS_TABLE": {
              "Ref": "FMSTable84B8646C"
            },
            "SEND_METRIC": {
              "Fn::FindInMap": [
                "FMSStackMap",
                "Metric",
                "SendAnonymousMetric"
              ]
            },
            "LOG_LEVEL": "info",
            "SOLUTION_ID": {
              "Fn::FindInMap": [
                "FMSStackMap",
                "Solution",
                "SolutionId"
              ]
            },
            "SOLUTION_VERSION": {
              "Fn::FindInMap": [
                "FMSStackMap",
                "Solution",
                "SolutionVersion"
              ]
            },
            "UUID": {
              "Fn::GetAtt": [
                "CreateUUID",
                "UUID"
              ]
            },
            "METRICS_QUEUE": {
              "Ref": "metricsQueue7DE0FE26"
            },
            "DDB_TABLE_NAME": {
              "Ref": "FMSTable84B8646C"
            }
          }
        },
        "MemorySize": 512,
        "Timeout": 900
      },
      "DependsOn": [
        "policyManagerServiceRoleDefaultPolicyC1FD49F0",
        "policyManagerServiceRoleA056FB67"
      ],
      "Metadata": {
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "W58",
              "reason": "CloudWatch logs write permissions added with managed role AWSLambdaBasicExecutionRole"
            }
          ]
        }
      }
    },
    "policyManagerEventInvokeConfig97660657": {
      "Type": "AWS::Lambda::EventInvokeConfig",
      "Properties": {
        "FunctionName": {
          "Ref": "policyManager07DE2620"
        },
        "Qualifier": "$LATEST",
        "MaximumEventAgeInSeconds": 900,
        "MaximumRetryAttempts": 0
      },
      "Metadata": {
        "aws:cdk:path": "PreReqStack/FMSStack/policyManager/EventInvokeConfig/Resource"
      }
    },
    "policyManagerLambdaInvokePermissionEFA37900": {
      "Type": "AWS::Lambda::Permission",
      "Properties": {
        "Action": "lambda:InvokeFunction",
        "FunctionName": {
          "Fn::GetAtt": [
            "policyManager07DE2620",
            "Arn"
          ]
        },
        "Principal": "events.amazonaws.com",
        "SourceArn": {
          "Fn::GetAtt": [
            "EventsRuleLambdaEventsRule0A996B52",
            "Arn"
          ]
        }
      },
      "Metadata": {
        "aws:cdk:path": "PreReqStack/FMSStack/policyManager/LambdaInvokePermission"
      }
    },
    "metricsManagerServiceRole762602DA": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "lambda.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "ManagedPolicyArns": [
          {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
              ]
            ]
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "PreReqStack/FMSStack/metricsManager/ServiceRole/Resource"
      }
    },
    "metricsManagerServiceRoleDefaultPolicy3EEAEEE8": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "sqs:ReceiveMessage",
                "sqs:ChangeMessageVisibility",
                "sqs:GetQueueUrl",
                "sqs:DeleteMessage",
                "sqs:GetQueueAttributes"
              ],
              "Effect": "Allow",
              "Resource": {
                "Fn::GetAtt": [
                  "metricsQueue7DE0FE26",
                  "Arn"
                ]
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "metricsManagerServiceRoleDefaultPolicy3EEAEEE8",
        "Roles": [
          {
            "Ref": "metricsManagerServiceRole762602DA"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "PreReqStack/FMSStack/metricsManager/ServiceRole/DefaultPolicy/Resource"
      }
    },
    "metricsManager57CF735C": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Code": {
          "S3Bucket": {
            "Fn::Sub": "solutions-${AWS::Region}"
          },
          "S3Key": "aws-centralized-waf-and-vpc-sg-management/v1.0.0/assetb50417510d48bdba84e75e1148065d3ab1aabe323909cd93f0ff8944f5eeb847.zip"
        },
        "Handler": "index.handler",
        "Role": {
          "Fn::GetAtt": [
            "metricsManagerServiceRole762602DA",
            "Arn"
          ]
        },
        "Runtime": "nodejs12.x",
        "Description": "Function to publish policy metrics to aws-solutions",
        "Environment": {
          "Variables": {
            "METRICS_ENDPOINT": {
              "Fn::FindInMap": [
                "FMSStackMap",
                "Metric",
                "MetricsEndpoint"
              ]
            },
            "LOG_LEVEL": "info"
          }
        },
        "MemorySize": 128,
        "ReservedConcurrentExecutions": 1,
        "Timeout": 15
      },
      "DependsOn": [
        "metricsManagerServiceRoleDefaultPolicy3EEAEEE8",
        "metricsManagerServiceRole762602DA"
      ],
      "Metadata": {
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "W58",
              "reason": "CloudWatch logs write permissions added with managed role AWSLambdaBasicExecutionRole"
            }
          ]
        }
      }
    },
    "metricsManagerSqsEventSourcePreReqStackFMSStackmetricsQueue22451F36B65D713C": {
      "Type": "AWS::Lambda::EventSourceMapping",
      "Properties": {
        "EventSourceArn": {
          "Fn::GetAtt": [
            "metricsQueue7DE0FE26",
            "Arn"
          ]
        },
        "FunctionName": {
          "Ref": "metricsManager57CF735C"
        },
        "BatchSize": 1
      },
      "Metadata": {
        "aws:cdk:path": "PreReqStack/FMSStack/metricsManager/SqsEventSource:PreReqStackFMSStackmetricsQueue22451F36/Resource"
      }
    },
    "EventsRuleLambdaEventsRule0A996B52": {
      "Type": "AWS::Events::Rule",
      "Properties": {
        "EventPattern": {
          "source": [
            "aws.ssm"
          ],
          "detail-type": [
            "Parameter Store Change"
          ],
          "resources": [
            {
              "Fn::Join": [
                "",
                [
                  "arn:",
                  {
                    "Ref": "AWS::Partition"
                  },
                  ":ssm:",
                  {
                    "Ref": "AWS::Region"
                  },
                  ":",
                  {
                    "Ref": "AWS::AccountId"
                  },
                  ":parameter",
                  {
                    "Ref": "FMSOUs9CEEEC1C"
                  }
                ]
              ]
            },
            {
              "Fn::Join": [
                "",
                [
                  "arn:",
                  {
                    "Ref": "AWS::Partition"
                  },
                  ":ssm:",
                  {
                    "Ref": "AWS::Region"
                  },
                  ":",
                  {
                    "Ref": "AWS::AccountId"
                  },
                  ":parameter",
                  {
                    "Ref": "FMSTags216E0D22"
                  }
                ]
              ]
            },
            {
              "Fn::Join": [
                "",
                [
                  "arn:",
                  {
                    "Ref": "AWS::Partition"
                  },
                  ":ssm:",
                  {
                    "Ref": "AWS::Region"
                  },
                  ":",
                  {
                    "Ref": "AWS::AccountId"
                  },
                  ":parameter",
                  {
                    "Ref": "FMSRegions39DF213B"
                  }
                ]
              ]
            }
          ]
        },
        "Name": "FMSPolicyRule",
        "State": "ENABLED",
        "Targets": [
          {
            "Arn": {
              "Fn::GetAtt": [
                "policyManager07DE2620",
                "Arn"
              ]
            },
            "Id": "Target0"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "PreReqStack/FMSStack/EventsRuleLambda/EventsRule/Resource"
      }
    },
    "PolicyMangerLogGroupE410035C": {
      "Type": "AWS::Logs::LogGroup",
      "Properties": {
        "LogGroupName": {
          "Fn::Join": [
            "",
            [
              "/aws/lambda/",
              {
                "Ref": "policyManager07DE2620"
              }
            ]
          ]
        },
        "RetentionInDays": 7
      },
      "UpdateReplacePolicy": "Delete",
      "DeletionPolicy": "Delete",
      "Metadata": {
        "aws:cdk:path": "PreReqStack/FMSStack/PolicyMangerLogGroup/Resource"
      }
    },
    "helperPolicy08B4DDB1": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": "fms:GetAdminAccount",
              "Effect": "Allow",
              "Resource": "*",
              "Sid": "VisualEditor1"
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "FMS-Helper-Policy",
        "Roles": [
          {
            "Ref": "FMSHelperFunctionServiceRoleA51F4DD9"
          }
        ]
      },
      "Metadata": {
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "W12",
              "reason": "Resource * is required for IAM actions that do not support resource level permissions"
            }
          ]
        }
      }
    },
    "LambdaIAMpolicyManagerPolicyBD1016BE": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "ec2:DescribeRegions",
                "wafv2:*",
                "shield:GetSubscriptionState"
              ],
              "Effect": "Allow",
              "Resource": "*",
              "Sid": "FMSEC2Read0"
            },
            {
              "Action": [
                "dynamodb:GetItem",
                "dynamodb:UpdateItem",
                "dynamodb:DeleteItem"
              ],
              "Effect": "Allow",
              "Resource": {
                "Fn::GetAtt": [
                  "FMSTable84B8646C",
                  "Arn"
                ]
              },
              "Sid": "FMSDDBWrite01"
            },
            {
              "Action": [
                "fms:PutPolicy",
                "fms:DeletePolicy"
              ],
              "Effect": "Allow",
              "Resource": "arn:aws:fms:*:*:policy/*",
              "Sid": "FMSSecurityPolicyWrite02"
            },
            {
              "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "logs:CreateLogGroup"
              ],
              "Effect": "Allow",
              "Resource": {
                "Fn::GetAtt": [
                  "PolicyMangerLogGroupE410035C",
                  "Arn"
                ]
              },
              "Sid": "FMSCloudWatchLogsWrite03"
            },
            {
              "Action": "sqs:SendMessage",
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "dlq09C78ACC",
                    "Arn"
                  ]
                },
                {
                  "Fn::GetAtt": [
                    "metricsQueue7DE0FE26",
                    "Arn"
                  ]
                }
              ],
              "Sid": "FMSSQSWrite04"
            },
            {
              "Action": "ssm:GetParameter",
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::Join": [
                    "",
                    [
                      "arn:aws:ssm:",
                      {
                        "Ref": "AWS::Region"
                      },
                      ":",
                      {
                        "Ref": "AWS::AccountId"
                      },
                      ":parameter/FMS/OUs"
                    ]
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      "arn:aws:ssm:",
                      {
                        "Ref": "AWS::Region"
                      },
                      ":",
                      {
                        "Ref": "AWS::AccountId"
                      },
                      ":parameter/FMS/Regions"
                    ]
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      "arn:aws:ssm:",
                      {
                        "Ref": "AWS::Region"
                      },
                      ":",
                      {
                        "Ref": "AWS::AccountId"
                      },
                      ":parameter/FMS/Tags"
                    ]
                  ]
                }
              ],
              "Sid": "FMSSecurityPolicyRead05"
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "FMS-PolicyManager-Policy",
        "Roles": [
          {
            "Ref": "policyManagerServiceRoleA056FB67"
          }
        ]
      },
      "Metadata": {
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "W12",
              "reason": "* needed for ec2:DescribeRegions, which does not support resource-level permissions"
            },
            {
              "id": "F4",
              "reason": "Read & Write permissions needed to create WAFv2 policies"
            }
          ]
        }
      }
    }
  },
  "Outputs": {
    "OUParameter": {
      "Description": "SSM Parameter for OUs",
      "Value": {
        "Fn::FindInMap": [
          "FMSStackMap",
          "SSMParameters",
          "OUs"
        ]
      }
    },
    "RegionParameter": {
      "Description": "SSM Parameter for Regions",
      "Value": {
        "Fn::FindInMap": [
          "FMSStackMap",
          "SSMParameters",
          "Region"
        ]
      }
    },
    "TagParameter": {
      "Description": "SSM Parameter for Tags",
      "Value": {
        "Fn::FindInMap": [
          "FMSStackMap",
          "SSMParameters",
          "Tags"
        ]
      }
    },
    "UUID": {
      "Description": "UUID for FMS Stack",
      "Value": {
        "Fn::GetAtt": [
          "CreateUUID",
          "UUID"
        ]
      }
    }
  },
  "Parameters": {}
}