{
  "Description": "(SO0134N) - The AWS CloudFormation template for deployment of the aws-centralized-waf-and-vpc-sg-management. Version v1.0.0",
  "AWSTemplateFormatVersion": "2010-09-09",
  "Metadata": {
    "AWS::CloudFormation::Interface": {
      "ParameterGroups": [
        {
          "Label": {
            "default": "Pre-Requisite Configuration"
          },
          "Parameters": [
            "FMSAdmin",
            "EnableConfig"
          ]
        }
      ],
      "ParameterLabels": {
        "FMSAdmin": {
          "default": "FMS Admin Account"
        },
        "EnableConfig": {
          "default": "Enable Config"
        }
      }
    }
  },
  "Parameters": {
    "FMSAdmin": {
      "Type": "String",
      "AllowedPattern": "^[0-9]{1}\\d{11}$",
      "Description": "12-digit AWS Account Id of the account to be registered as the Firewall Manager administrator. Deploy this template in that same account: the nested FMS stack is only created when this value matches the deploying account."
    },
    "EnableConfig": {
      "Type": "String",
      "Default": "Yes",
      "AllowedValues": [
        "Yes",
        "No"
      ],
      "Description": "Do you want to enable AWS Config across your AWS Organization (deployed via the FMS-EnableConfig StackSets)? Choose 'No' if AWS Config is already enabled in your organization."
    }
  },
  "Mappings": {
    "FMSMap": {
      "Metric": {
        "SendAnonymousMetric": "Yes",
        "MetricsEndpoint": "https://metrics.awssolutionsbuilder.com/generic"
      },
      "Solution": {
        "SolutionId": "SO0134N",
        "SolutionVersion": "v1.0.0",
        "GlobalStackSetName": "FMS-EnableConfig-Global",
        "RegionalStackSetName": "FMS-EnableConfig-Regional"
      }
    }
  },
  "Conditions": {
    "accountCheck": {
      "Fn::Equals": [
        {
          "Ref": "FMSAdmin"
        },
        {
          "Ref": "AWS::AccountId"
        }
      ]
    },
    "CDKMetadataAvailable": {
      "Fn::Or": [
        {
          "Fn::Or": [
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "ap-east-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "ap-northeast-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "ap-northeast-2"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "ap-south-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "ap-southeast-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "ap-southeast-2"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "ca-central-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "cn-north-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "cn-northwest-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "eu-central-1"
              ]
            }
          ]
        },
        {
          "Fn::Or": [
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "eu-north-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "eu-west-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "eu-west-2"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "eu-west-3"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "me-south-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "sa-east-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "us-east-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "us-east-2"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "us-west-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "us-west-2"
              ]
            }
          ]
        }
      ]
    }
  },
  "Resources": {
    "FMSHelperFunctionServiceRoleA51F4DD9": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "lambda.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "ManagedPolicyArns": [
          {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
              ]
            ]
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "PreReqStack/FMSHelperFunction/ServiceRole/Resource"
      }
    },
    "FMSHelperFunction59933F0A": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Code": {
          "S3Bucket": {
            "Fn::Sub": "solutions-${AWS::Region}"
          },
          "S3Key": "aws-centralized-waf-and-vpc-sg-management/v1.0.0/assete556590c657a65b97b0657a772205d78c37ca33283675191e5f92df4f2b64d71.zip"
        },
        "Handler": "index.handler",
        "Role": {
          "Fn::GetAtt": [
            "FMSHelperFunctionServiceRoleA51F4DD9",
            "Arn"
          ]
        },
        "Runtime": "nodejs12.x",
        "Description": "DO NOT DELETE - FMS helper function",
        "Environment": {
          "Variables": {
            "METRICS_ENDPOINT": {
              "Fn::FindInMap": [
                "FMSMap",
                "Metric",
                "MetricsEndpoint"
              ]
            },
            "SEND_METRIC": {
              "Fn::FindInMap": [
                "FMSMap",
                "Metric",
                "SendAnonymousMetric"
              ]
            },
            "LOG_LEVEL": "info"
          }
        },
        "MemorySize": 512
      },
      "DependsOn": [
        "FMSHelperFunctionServiceRoleA51F4DD9"
      ],
      "Metadata": {
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "W58",
              "reason": "CloudWatch logs write permissions added with managed role AWSLambdaBasicExecutionRole"
            }
          ]
        }
      }
    },
    "helperProviderframeworkonEventServiceRoleFA06E8E2": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "lambda.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "ManagedPolicyArns": [
          {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
              ]
            ]
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "PreReqStack/helperProvider/framework-onEvent/ServiceRole/Resource"
      }
    },
    "helperProviderframeworkonEventServiceRoleDefaultPolicy0DFC22B9": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": "lambda:InvokeFunction",
              "Effect": "Allow",
              "Resource": {
                "Fn::GetAtt": [
                  "FMSHelperFunction59933F0A",
                  "Arn"
                ]
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "helperProviderframeworkonEventServiceRoleDefaultPolicy0DFC22B9",
        "Roles": [
          {
            "Ref": "helperProviderframeworkonEventServiceRoleFA06E8E2"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "PreReqStack/helperProvider/framework-onEvent/ServiceRole/DefaultPolicy/Resource"
      }
    },
    "helperProviderframeworkonEvent35A99430": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Code": {
          "S3Bucket": {
            "Fn::Sub": "solutions-${AWS::Region}"
          },
          "S3Key": "aws-centralized-waf-and-vpc-sg-management/v1.0.0/asset1ed82f549c7384dfae04a04440b3d1bf30653fde425e280dbb3ea03dbb3c96fc.zip"
        },
        "Handler": "asset1ed82f549c7384dfae04a04440b3d1bf30653fde425e280dbb3ea03dbb3c96fc/framework.onEvent",
        "Role": {
          "Fn::GetAtt": [
            "helperProviderframeworkonEventServiceRoleFA06E8E2",
            "Arn"
          ]
        },
        "Runtime": "nodejs10.x",
        "Description": "AWS CDK resource provider framework - onEvent (PreReqStack/helperProvider)",
        "Environment": {
          "Variables": {
            "USER_ON_EVENT_FUNCTION_ARN": {
              "Fn::GetAtt": [
                "FMSHelperFunction59933F0A",
                "Arn"
              ]
            }
          }
        },
        "Timeout": 900
      },
      "DependsOn": [
        "helperProviderframeworkonEventServiceRoleDefaultPolicy0DFC22B9",
        "helperProviderframeworkonEventServiceRoleFA06E8E2"
      ],
      "Metadata": {
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "W58",
              "reason": "CloudWatch logs write permissions added with managed role AWSLambdaBasicExecutionRole"
            }
          ]
        }
      }
    },
    "CreateUUID": {
      "Type": "Custom::CreateUUID",
      "Properties": {
        "ServiceToken": {
          "Fn::GetAtt": [
            "helperProviderframeworkonEvent35A99430",
            "Arn"
          ]
        }
      },
      "UpdateReplacePolicy": "Delete",
      "DeletionPolicy": "Delete",
      "Metadata": {
        "aws:cdk:path": "PreReqStack/CreateUUID/Default"
      }
    },
    "LaunchData": {
      "Type": "Custom::LaunchData",
      "Properties": {
        "ServiceToken": {
          "Fn::GetAtt": [
            "helperProviderframeworkonEvent35A99430",
            "Arn"
          ]
        },
        "SolutionId": {
          "Fn::FindInMap": [
            "FMSMap",
            "Solution",
            "SolutionId"
          ]
        },
        "SolutionVersion": {
          "Fn::FindInMap": [
            "FMSMap",
            "Solution",
            "SolutionVersion"
          ]
        },
        "SolutionUuid": {
          "Fn::GetAtt": [
            "CreateUUID",
            "UUID"
          ]
        },
        "Stack": "PreReqStack"
      },
      "UpdateReplacePolicy": "Delete",
      "DeletionPolicy": "Delete",
      "Metadata": {
        "aws:cdk:path": "PreReqStack/LaunchData/Default"
      }
    },
    "preReqManagerServiceRole44CAD82C": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "lambda.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "ManagedPolicyArns": [
          {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
              ]
            ]
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "PreReqStack/preReqManager/ServiceRole/Resource"
      }
    },
    "preReqManagerDEBEFD41": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Code": {
          "S3Bucket": {
            "Fn::Sub": "solutions-${AWS::Region}"
          },
          "S3Key": "aws-centralized-waf-and-vpc-sg-management/v1.0.0/asset82b379860623a91bf4abe6bb1118a6def3e0153ab6124c1f682a8d9ec80cfe78.zip"
        },
        "Handler": "index.handler",
        "Role": {
          "Fn::GetAtt": [
            "preReqManagerServiceRole44CAD82C",
            "Arn"
          ]
        },
        "Runtime": "nodejs12.x",
        "Description": "Function to validate and install pre-requisites for the FMS solution",
        "Environment": {
          "Variables": {
            "METRICS_ENDPOINT": {
              "Fn::FindInMap": [
                "FMSMap",
                "Metric",
                "MetricsEndpoint"
              ]
            },
            "SEND_METRIC": {
              "Fn::FindInMap": [
                "FMSMap",
                "Metric",
                "SendAnonymousMetric"
              ]
            },
            "LOG_LEVEL": "info"
          }
        },
        "MemorySize": 512,
        "Timeout": 900
      },
      "DependsOn": [
        "preReqManagerServiceRole44CAD82C"
      ],
      "Metadata": {
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "W58",
              "reason": "CloudWatch logs write permissions added with managed role AWSLambdaBasicExecutionRole"
            }
          ]
        }
      }
    },
    "preReqManagerPolicyA60032FD": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "cloudformation:CreateStackInstances",
                "cloudformation:DeleteStackInstances"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::Join": [
                    "",
                    [
                      "arn:aws:cloudformation:*:*:*/",
                      {
                        "Fn::FindInMap": [
                          "FMSMap",
                          "Solution",
                          "GlobalStackSetName"
                        ]
                      },
                      ":*"
                    ]
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      "arn:aws:cloudformation:*:*:*/",
                      {
                        "Fn::FindInMap": [
                          "FMSMap",
                          "Solution",
                          "RegionalStackSetName"
                        ]
                      },
                      ":*"
                    ]
                  ]
                },
                "arn:aws:cloudformation:*::type/resource/AWS-IAM-Role",
                "arn:aws:cloudformation:*::type/resource/AWS-SNS-Topic",
                "arn:aws:cloudformation:*::type/resource/AWS-S3-Bucket",
                "arn:aws:cloudformation:*::type/resource/AWS-SNS-TopicPolicy",
                "arn:aws:cloudformation:*::type/resource/AWS-SNS-Subscription",
                "arn:aws:cloudformation:*::type/resource/AWS-S3-BucketPolicy",
                "arn:aws:cloudformation:*::type/resource/AWS-Config-ConfigurationRecorder",
                "arn:aws:cloudformation:*::type/resource/AWS-Config-DeliveryChannel"
              ],
              "Sid": "VisualEditor0"
            },
            {
              "Action": [
                "fms:AssociateAdminAccount",
                "organizations:ListRoots",
                "organizations:EnableAWSServiceAccess",
                "organizations:DescribeAccount",
                "organizations:DescribeOrganization",
                "ec2:DescribeRegions",
                "fms:GetAdminAccount",
                "cloudformation:CreateStackSet"
              ],
              "Effect": "Allow",
              "Resource": "*",
              "Sid": "VisualEditor1"
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "FMS-PreReqManager-Policy",
        "Roles": [
          {
            "Ref": "preReqManagerServiceRole44CAD82C"
          }
        ]
      },
      "Metadata": {
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "W12",
              "reason": "Resource * is required for IAM actions that do not support resource level permissions"
            }
          ]
        }
      }
    },
    "PreReqProviderframeworkonEventServiceRoleF7D67BDC": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "lambda.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "ManagedPolicyArns": [
          {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
              ]
            ]
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "PreReqStack/PreReqProvider/framework-onEvent/ServiceRole/Resource"
      }
    },
    "PreReqProviderframeworkonEventServiceRoleDefaultPolicy28F45022": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": "lambda:InvokeFunction",
              "Effect": "Allow",
              "Resource": {
                "Fn::GetAtt": [
                  "preReqManagerDEBEFD41",
                  "Arn"
                ]
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "PreReqProviderframeworkonEventServiceRoleDefaultPolicy28F45022",
        "Roles": [
          {
            "Ref": "PreReqProviderframeworkonEventServiceRoleF7D67BDC"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "PreReqStack/PreReqProvider/framework-onEvent/ServiceRole/DefaultPolicy/Resource"
      }
    },
    "PreReqProviderframeworkonEvent743144DE": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Code": {
          "S3Bucket": {
            "Fn::Sub": "solutions-${AWS::Region}"
          },
          "S3Key": "aws-centralized-waf-and-vpc-sg-management/v1.0.0/asset1ed82f549c7384dfae04a04440b3d1bf30653fde425e280dbb3ea03dbb3c96fc.zip"
        },
        "Handler": "asset1ed82f549c7384dfae04a04440b3d1bf30653fde425e280dbb3ea03dbb3c96fc/framework.onEvent",
        "Role": {
          "Fn::GetAtt": [
            "PreReqProviderframeworkonEventServiceRoleF7D67BDC",
            "Arn"
          ]
        },
        "Runtime": "nodejs10.x",
        "Description": "AWS CDK resource provider framework - onEvent (PreReqStack/PreReqProvider)",
        "Environment": {
          "Variables": {
            "USER_ON_EVENT_FUNCTION_ARN": {
              "Fn::GetAtt": [
                "preReqManagerDEBEFD41",
                "Arn"
              ]
            }
          }
        },
        "Timeout": 900
      },
      "DependsOn": [
        "PreReqProviderframeworkonEventServiceRoleDefaultPolicy28F45022",
        "PreReqProviderframeworkonEventServiceRoleF7D67BDC"
      ],
      "Metadata": {
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "W58",
              "reason": "CloudWatch logs write permissions added with managed role AWSLambdaBasicExecutionRole"
            }
          ]
        }
      }
    },
    "PreReqManager": {
      "Type": "Custom::PreReqChecker",
      "Properties": {
        "ServiceToken": {
          "Fn::GetAtt": [
            "PreReqProviderframeworkonEvent743144DE",
            "Arn"
          ]
        },
        "FMSAdmin": {
          "Ref": "FMSAdmin"
        },
        "EnableConfig": {
          "Ref": "EnableConfig"
        },
        "AccountId": {
          "Ref": "AWS::AccountId"
        },
        "Region": {
          "Ref": "AWS::Region"
        },
        "GlobalStackSetName": {
          "Fn::FindInMap": [
            "FMSMap",
            "Solution",
            "GlobalStackSetName"
          ]
        },
        "RegionalStackSetName": {
          "Fn::FindInMap": [
            "FMSMap",
            "Solution",
            "RegionalStackSetName"
          ]
        },
        "SolutionId": {
          "Fn::FindInMap": [
            "FMSMap",
            "Solution",
            "SolutionId"
          ]
        },
        "SolutionVersion": {
          "Fn::FindInMap": [
            "FMSMap",
            "Solution",
            "SolutionVersion"
          ]
        },
        "SolutionUuid": {
          "Fn::GetAtt": [
            "CreateUUID",
            "UUID"
          ]
        }
      },
      "UpdateReplacePolicy": "Delete",
      "DeletionPolicy": "Delete",
      "Metadata": {
        "aws:cdk:path": "PreReqStack/PreReqManager/Default"
      }
    },
    "FMSStackNestedStackFMSStackNestedStackResource119B89CC": {
      "Type": "AWS::CloudFormation::Stack",
      "Properties": {
        "TemplateURL": "https://solutions-reference.s3.amazonaws.com/aws-centralized-waf-and-vpc-sg-management/v1.0.0/aws-centralized-waf-and-vpc-security-group-management.template"
      },
      "DependsOn": [
        "PreReqManager"
      ],
      "Metadata": {
        "aws:cdk:path": "PreReqStack/FMSStack.NestedStack/FMSStack.NestedStackResource"
      },
      "Condition": "accountCheck"
    },
    "CDKMetadata": {
      "Type": "AWS::CDK::Metadata",
      "Properties": {
        "Modules": "aws-cdk=1.64.1,@aws-cdk/assets=1.64.1,@aws-cdk/aws-apigateway=1.64.1,@aws-cdk/aws-applicationautoscaling=1.64.1,@aws-cdk/aws-autoscaling-common=1.64.1,@aws-cdk/aws-certificatemanager=1.64.1,@aws-cdk/aws-cloudfront=1.64.1,@aws-cdk/aws-cloudwatch=1.64.1,@aws-cdk/aws-codeguruprofiler=1.64.1,@aws-cdk/aws-cognito=1.64.1,@aws-cdk/aws-dynamodb=1.64.1,@aws-cdk/aws-ec2=1.64.1,@aws-cdk/aws-elasticsearch=1.64.1,@aws-cdk/aws-events=1.64.1,@aws-cdk/aws-iam=1.64.1,@aws-cdk/aws-kinesis=1.64.1,@aws-cdk/aws-kinesisanalytics=1.64.1,@aws-cdk/aws-kms=1.64.1,@aws-cdk/aws-lambda=1.64.1,@aws-cdk/aws-lambda-event-sources=1.64.1,@aws-cdk/aws-logs=1.64.1,@aws-cdk/aws-s3=1.64.1,@aws-cdk/aws-s3-assets=1.64.1,@aws-cdk/aws-s3-notifications=1.64.1,@aws-cdk/aws-sns=1.64.1,@aws-cdk/aws-sns-subscriptions=1.64.1,@aws-cdk/aws-sqs=1.64.1,@aws-cdk/aws-ssm=1.64.1,@aws-cdk/aws-stepfunctions=1.64.1,@aws-cdk/cloud-assembly-schema=1.64.1,@aws-cdk/core=1.64.1,@aws-cdk/custom-resources=1.64.1,@aws-cdk/cx-api=1.64.1,@aws-cdk/region-info=1.64.1,@aws-solutions-constructs/aws-cloudfront-s3=1.64.1,@aws-solutions-constructs/aws-events-rule-lambda=1.64.1,@aws-solutions-constructs/aws-lambda-dynamodb=1.64.1,@aws-solutions-constructs/core=1.64.1,jsii-runtime=node.js/v10.19.0"
      },
      "Condition": "CDKMetadataAvailable"
    }
  },
  "Outputs": {
    "UUID": {
      "Description": "UUID for deployment",
      "Value": {
        "Fn::GetAtt": [
          "CreateUUID",
          "UUID"
        ]
      }
    }
  }
}