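# Quoted so that generic YAML loaders (yamllint, PyYAML, editor tooling) keep the
# format version as the string "2010-09-09" instead of parsing it as a date.
AWSTemplateFormatVersion: '2010-09-09'
Description: Version 6.05.002 - CloudFormation template for CloudStorageSec Console software.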
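Parameters:
  # Conventions used throughout this section:
  #  * Optional String parameters carry a sentinel default ("Created by CFT", "default",
  #    "none", "enter-subnet-id", the placeholder certificate ARN / hosted zone ID). The
  #    Conditions section compares against that exact sentinel; an empty value is NOT
  #    treated as "use the default", so operators must leave the default in place rather
  #    than clearing the field.
  #  * Yes/No toggles are Strings with AllowedValues ["Yes", "No"]. The quotes are
  #    required: unquoted Yes/No are booleans to a YAML 1.1 loader.
  #  * MinLength/MaxLength/AllowedPattern/AllowedValues are the only validation that
  #    runs before stack creation; cross-parameter checks live in Rules.
  VPC:
    Type: AWS::EC2::VPC::Id
    Description: The VPC in which to place the public facing Console
    MinLength: 1
    ConstraintDescription: VPC is a mandatory input parameter. Select an existing VPC ID.
  SubnetA:
    Type: AWS::EC2::Subnet::Id
    Description: A subnet in your VPC in which the public facing Console can be placed. Ensure this subnet allows outbound internet traffic.
    MinLength: 1
    ConstraintDescription: SubnetA is a mandatory input parameter. Select existing subnet from the selected VPC.
  SubnetB:
    Type: AWS::EC2::Subnet::Id
    Description: A subnet in your VPC in which the public facing Console can be placed. Ensure this subnet allows outbound internet traffic. **Subnet B must be different from Subnet A and should be in a different Availability Zones**
    MinLength: 1
    ConstraintDescription: SubnetB is a mandatory input parameter. Select existing subnet from the selected VPC.
  ConsoleSecurityGroup:
    Type: String
    Default: "Created by CFT"
    # The CreateConsoleSecurityGroup condition tests for the literal sentinel above, so
    # the description asks for the default to be kept (a blank value would be passed on
    # as an existing security group ID).
    Description: The Security Group for the Console management website (Optional, leave the default value to create a new security group).
  ConsoleSecurityGroupCidrBlock:
    Type: String
    Description: The IP address range that can access the Console management website (e.g. X.X.X.X/32 for a single given IP, 0.0.0.0/0 for open access)
    MinLength: 9
    MaxLength: 18
    # Each octet is limited to 0-255 and the prefix length to 0-32, so values that are
    # shaped like a CIDR but impossible (e.g. 999.1.1.1/99) fail parameter validation
    # instead of failing later when the value is consumed. No Default on purpose: the
    # operator must choose the range. 0.0.0.0/0 makes the console reachable from any
    # address; the narrowest range that still works is the better choice.
    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])/([0-9]|[12][0-9]|3[0-2])$'
    ConstraintDescription: Must be valid CIDR notation of the form X.X.X.X/X
  # MinRunningAgents <= MaxRunningAgents is stated in the descriptions only; Rules cannot
  # compare numbers, so an inverted pair is not caught before stack creation.
  MinRunningAgents:
    Type: Number
    Default: 1
    MinValue: 0
    Description: Cannot be greater than Maximum Running Agents
  MaxRunningAgents:
    Type: Number
    Default: 12
    MinValue: 1
    Description: Cannot be less than Minimum Running Agents
  NumMessagesInQueueScalingThreshold:
    Type: Number
    Default: 1000
    Description: The number of pending files to be scanned before adding or removing agents
  # Console and Agent CPU/memory pairs are checked for the 2x-8x ratio in Rules
  # (CheckConsoleCPUAndMem / CheckAgentCPUAndMem); the Mappings section converts the
  # labels to unit counts.
  ConsoleCpu:
    Type: String
    Default: 0.5vCPU
    AllowedValues: ["0.5vCPU", "1vCPU", "2vCPU", "4vCPU"]
    Description: The number of vCPU units for the Console (1024 vCPU units per 1 vCPU)
  ConsoleMemory:
    Type: String
    Default: 1GB
    AllowedValues: ["1GB", "2GB", "3GB", "4GB", "5GB", "6GB", "7GB", "8GB", "9GB", "10GB", "11GB", "12GB", "13GB", "14GB", "15GB", "16GB", "17GB", "18GB", "19GB", "20GB", "21GB", "22GB", "23GB", "24GB", "25GB", "26GB", "27GB", "28GB", "29GB", "30GB"]
    Description: The amount of memory for the Console. Must be 2-8x the vCPU. i.e. 0.5 vCPU should have 1-4GB of memory.
  ConsoleAutoAssignPublicIp:
    Type: String
    Default: "ENABLED"
    AllowedValues: ["ENABLED", "DISABLED"]
    # ENABLED by default: the console task gets a public address, and reachability is then
    # bounded only by ConsoleSecurityGroupCidrBlock (or the load balancer, when used).
    Description: "Should a public IP be assigned to the Console? (WARNING: do not set to disabled unless you have configured your AWS VPC in a manner that would still allow access to the console.)"
  # Key previously written as "EnableCloudTrailLake :" (space before the colon); the
  # parsed key was the same, but the form is now consistent with every other key.
  EnableCloudTrailLake:
    Type: String
    Default: "No"
    AllowedValues: ["Yes", "No"]
    Description: Would you like to send audit logs to CloudTrail Lake?
  # "default" is a sentinel for both CloudTrail Lake names (see the
  # UseDefaultCloudTrailLake* conditions); any other value is taken as an existing resource.
  CloudTrailLakeDataStoreName:
    Type: String
    Default: "default"
    Description: Enter a CloudTrail Event Data Store name if you would like to use an existing one. Otherwise we will create a new one. If existing, must be in same region as this deployment.
  CloudTrailLakeChannelName:
    Type: String
    Default: "default"
    Description: Enter a CloudTrail Channel name if you would like to use an existing one. Otherwise we will create a new one. If existing, must be in same region as this deployment.
  AgentCpu:
    Type: String
    Default: "1vCPU"
    AllowedValues: ["1vCPU", "2vCPU", "4vCPU"]
    Description: The number of vCPU units for the Agents (1024 vCPU units = 1 vCPU)
  AgentMemory:
    Type: String
    Default: 3GB
    AllowedValues: ["2GB", "3GB", "4GB", "5GB", "6GB", "7GB", "8GB", "9GB", "10GB", "11GB", "12GB", "13GB", "14GB", "15GB", "16GB", "17GB", "18GB", "19GB", "20GB", "21GB", "22GB", "23GB", "24GB", "25GB", "26GB", "27GB", "28GB", "29GB", "30GB"]
    Description: The amount of memory for the scanning Agent. Must be 2-8x the vCPU. i.e. 2 vCPU should have 4-16GB of memory.
  AgentScanningEngine:
    Type: String
    Default: "ClamAV"
    AllowedValues: ["ClamAV", "Sophos"]
    Description: "Choose the engine that should be used to scan files (See Marketplace listing for pricing differences)"
  MultiEngineScanningMode:
    Type: String
    Default: "Disabled"
    AllowedValues: ["Disabled", "All", "LargeFiles"]
    Description: "Choose if you want to use multiple engines to scan files. All will scan every file with both engines, LargeFiles will scan files larger than 2GB with Sophos. Premium Engine pricing applies."
  AgentDiskSize:
    Type: Number
    Default: 20
    MinValue: 20
    MaxValue: 200
    Description: Choose a larger disk size (up to 200 GB) to enable scanning larger files, up to 5 GB fewer than the total disk size. This only applies when using the Sophos scanning engine.
  # Requires AgentScanningEngine = Sophos; enforced by the CheckUsingSophosIfEc2ScanningEnabled rule.
  EnableLargeFileScanning:
    Type: String
    Default: "No"
    AllowedValues: ["Yes", "No"]
    Description: Pick Yes if you would like to have EC2 instances launched to scan files too large to be scanned by the normal agent
  LargeFileDiskSize:
    Type: Number
    Default: 2000
    MinValue: 20
    MaxValue: 16300
    Description: Choose a larger disk size (between 20 - 16,300 GB) to enable scanning larger files, up to 5 GB fewer than the total disk size. This only applies when using the Sophos scanning engine with EC2 large file scanning enabled.
  LargeFileEC2Tags:
    Type: String
    Default: "CloudStorageSec-[appId]=EC2Instance"
    # Free-form "key=value,key=value" text with no AllowedPattern; it is parsed wherever
    # the large-file instances are launched (not in this section), and the [appId] token
    # is substituted there as the description says.
    Description: "Enter an optional comma-separated list of key=value tags to place on extra large file scanning EC2 instances (Note: if you use [appId] in your tag name, we will replace it with the CSS application ID. It is recommended to leave the default in order to identify resources from this product)"
  AgentAutoAssignPublicIp:
    Type: String
    Default: "ENABLED"
    AllowedValues: ["ENABLED", "DISABLED"]
    # ENABLED by default so agents can reach AWS APIs without NAT or VPC endpoints;
    # DISABLED is the tighter choice once endpoints (or ProxyHost) are in place.
    Description: "Should public IPs be assigned to the Agents? (WARNING: do not set to disabled unless you have configured your AWS VPC in a manner that would still allow the agents to reach AWS services over the internet.)"
  UserName:
    Type: String
    Description: Initial user name for the Console management website
    MinLength: 1
    MaxLength: 128
    # Initial login for the console website. The default is well known, so a deployment
    # that exposes the console broadly (see ConsoleSecurityGroupCidrBlock) gains from a
    # non-default name.
    Default: admin
  Email:
    Type: String
    Description: Email address for Console management website account
    AllowedPattern: ^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$
    ConstraintDescription: Must be a valid email address.
  # When "Yes", MinRunningAgents must be 0 (and otherwise must not be); see the
  # CheckMinAgentsWhenScanningOnlyWhenQueueThresholdExceeded rule.
  OnlyScanWhenQueueThresholdExceeded:
    Type: String
    Default: "No"
    AllowedValues: ["Yes", "No"]
    Description: Pick Yes if you would like to only run scanning agents when the number of files waiting to be scanned exceeds the queue scaling threshold
  QuarantineInPrimaryAccount:
    Type: String
    Default: "No"
    AllowedValues: ["Yes", "No"]
    Description: Pick Yes if you would like to create quarantine buckets in the primary account only (if you utilize linked accounts, infected objects will be moved to the quarantine bucket(s) in the primary account)
  AllowAccessToAllKmsKeys:
    Type: String
    Default: "Yes"
    AllowedValues: ["Yes", "No"]
    # The default is the broad option and drives the BlanketKmsAccess condition. "No" is
    # the least-privilege setting when only specific keys need to be usable by the
    # scanner; the policy that this toggles is defined with the resources gated on that
    # condition.
    Description: Pick Yes if you would like to give the scanner access to all KMS encrypted buckets
  StorageAssessmentEnabled:
    Type: String
    Default: "No"
    AllowedValues: ["Yes", "No"]
    Description: Pick Yes if you would like to enable Storage Assessment to run
  # --- Optional load balancer / DNS block: every parameter below until InfoOptOut is
  # only meaningful when UseLoadBalancer is "Yes" (UseLB condition).
  UseLoadBalancer:
    Type: String
    Default: "No"
    AllowedValues: ["Yes", "No"]
    Description: Pick Yes if you would like to use a load balancer for the console service. Note that in doing so you will not be able to use the custom DNS feature and would need to provide your own DNS and SSL certificate for the load balancer
  ContainerSecurityGroupLB:
    Type: String
    Default: "Created by CFT"
    # Same sentinel handling as ConsoleSecurityGroup (CreateContainerSecurityGroupLB condition).
    Description: The Security Group for the Console Service (ECS Container) to allow connections from the Load Balancer (Optional, leave the default value to create a new security group).
  Certificate:
    Type: String
    # Placeholder ARN; the CheckSslCertWhenUsingLoadBalancer rule rejects it when a load
    # balancer is requested. There is no AllowedPattern, so a typo in a real ARN is only
    # caught when the listener is created.
    Default: 'arn:aws:acm:region:123456789012:certificate/00000000-0000-0000-0000-000000000000'
    Description: Enter the ARN for the certificate you wish to use for the load balancer. Only needed if using a load balancer.
  LBScheme:
    Type: String
    Default: "internet-facing"
    AllowedValues: ["internet-facing", "internal"]
    Description: Should the load balancer be internet facing or internal only?
  # "enter-subnet-id" is the sentinel checked by the UseLBSubnetA/UseLBSubnetB
  # conditions; these are plain Strings, so the SubnetsInVPC rule does not validate them.
  LBSubnetA:
    Type: String
    Default: enter-subnet-id
    Description: A subnet in your VPC in which the Load Balancer can be placed. Ensure this subnet allows outbound internet traffic. ** Leave the default value to use same subnet as Console. If specified, must be in same AZ as Console subnet. **
  LBSubnetB:
    Type: String
    Default: enter-subnet-id
    Description: A subnet in your VPC in which the Load Balancer can be placed. Ensure this subnet allows outbound internet traffic. **Subnet B must be different from Subnet A and should be in a different Availability Zones. Leave the default value to use same subnet as Console. If specified, must be in same AZ as Console subnet. **
  RegisterRoute53:
    Type: String
    Default: "No"
    AllowedValues: ["Yes", "No"]
    Description: Pick Yes if you would like to add a dns entry in Route53. This is only for when using a load balancer.
  HostedZoneName:
    Type: String
    Default: domain-for-your-ssl-cert.com
    Description: "Enter the hosted zone domain name for adding an entry to Route53. Only needed if registering dns in Route53."
  HostedZoneId:
    Type: String
    # Sentinel; a non-default value switches the UseHostedZoneId condition on.
    Default: ZXXXXDEFAULTXXXXXXXXX
    Description: "Enter the hosted zone ID for adding an entry to Route53. Only needed if registering dns in Route53 (Optional, only needed if you have multiple zones with the same name)."
  HostedSubdomain:
    Type: String
    Default: subdomain
    Description: Enter the subdomain for adding an entry to Route53. Only needed if registering dns in Route53.
  InfoOptOut:
    Type: String
    Default: "No"
    AllowedValues: ["Yes", "No"]
    # "Yes" is only accepted together with UseLoadBalancer = "Yes" (OptOutOnlyWithLB rule).
    Description: Would you like to opt-out from sending information about your deployment? Selecting "Yes" will cause custom DNS registration and trial eligiblity checks to not work. Given this, you must use your own Load Balancer in order to opt-out. If you opt-out and would still like a trial, please contact support@cloudstoragesec.com.
  CustomEcrAccount:
    Type: String
    Default: "default"
    # Selects the registry account via the UseDefaultEcrAccount condition. Self-hosting
    # the images puts their provenance under the operator's control; the repository
    # names are fixed as stated in the description.
    Description: If you would like to host the container images yourself in ECR, enter the AWS account ID here. Ensure you have copied the images to your repositories. Repository names are required to be cloudstoragesecurity/console and cloudstoragesecurity/agent.
  # --- Resource naming prefixes. The Metadata interface labels this group "do not change
  # after initial deployment": renaming replaces the named resources.
  DynamoTableNamePrefix:
    Type: String
    # Sentinel for the UseDefaultDynamoPrefix condition.
    Default: '7-character-application-id.'
    Description: Prefix for dynamo db tables.
  DynamoPointInTimeRecoveryEnabled:
    Type: String
    Default: "No"
    AllowedValues: ["Yes", "No"]
    Description: Would you like to enable point in time recovery (PTIR) for DynamoDB tables?
  QuarantineBucketNamePrefix:
    Type: String
    Default: 'cloudstoragesecquarantine-'
    Description: Prefix for the quarantine bucket names.
    MinLength: 4
    MaxLength: 27
  AppConfigApplicationPrefix:
    Type: String
    Default: 'CloudStorageSec-'
    Description: Prefix for the AWS AppConfig application.
  AppConfigEnvironmentPrefix:
    Type: String
    Default: 'CloudStorageSecEnv-'
    Description: Prefix for the AWS AppConfig Environment.
  AppConfigDeploymentStrategyPrefix:
    Type: String
    Default: 'CloudStorageSecConfigDeploy-'
    Description: Prefix for the AWS AppConfig Deployment Strategy.
  AppConfigDocumentPrefix:
    Type: String
    Default: 'CloudStorageSecConfig-'
    Description: Prefix for the AWS AppConfig Configuration Document.
  AppConfigDocumentSchemaPrefix:
    Type: String
    # Kept only so existing stacks that pass this parameter still update cleanly.
    Default: 'IGNORED'
    Description: Deprecated parameter persisted for backwards compatibility.
  AppConfigDocumentRolePrefix:
    Type: String
    Default: 'AppConfigAgentConfigurationDocumentRole-'
    Description: Prefix for the AWS AppConfig Configuration Document IAM Role.
  AppConfigDocumentPolicyPrefix:
    Type: String
    Default: 'AppConfigAgentConfigurationDocumentPolicy-'
    Description: Prefix for the AWS AppConfig Configuration Document IAM Policy.
  UserPoolPrefix:
    Type: String
    Default: 'CloudStorageSecUserPool-'
    Description: Prefix for the AWS Cognito User Pool.
  UserPoolClientPrefix:
    Type: String
    Default: 'CloudStorageSecUserPoolClient-'
    Description: Prefix for the AWS Cognito User Pool Client.
  UserPoolRolePrefix:
    Type: String
    Default: 'CloudStorageSecUserPoolRole-'
    Description: Prefix for the AWS Cognito User Pool IAM Role.
  UserPoolPolicyPrefix:
    Type: String
    Default: 'CloudStorageSecUserPoolPolicy-'
    Description: Prefix for the AWS Cognito User Pool IAM Policy.
  ConsoleTaskRolePrefix:
    Type: String
    Default: 'CloudStorageSecConsoleRole-'
    Description: Prefix for the Console ECS Task IAM Role.
  ConsoleTaskPolicyPrefix:
    Type: String
    Default: 'CloudStorageSecConsolePolicy-'
    Description: Prefix for the Console ECS Task IAM Policy.
  AgentTaskRolePrefix:
    Type: String
    Default: 'CloudStorageSecAgentRole-'
    Description: Prefix for the Agent ECS Task IAM Role.
  AgentTaskPolicyPrefix:
    Type: String
    Default: 'CloudStorageSecAgentPolicy-'
    Description: Prefix for the Agent ECS Task IAM Policy.
  CrossAccountRolePrefix:
    Type: String
    Default: 'CloudStorageSecRemoteRole-'
    Description: Prefix for the Cross-Account Scanning Role.
  CrossAccountPolicyPrefix:
    Type: String
    Default: 'CloudStorageSecRemotePolicy-'
    Description: Prefix for the Cross-Account Scanning Policy.
  CrossAccountEventBridgeRolePrefix:
    Type: String
    Default: 'CloudStorageSecEventBridgeRole-'
    Description: Prefix for the Cross-Account Event Bridge Scanning Role.
  CrossAccountEventBridgePolicyPrefix:
    Type: String
    Default: 'CloudStorageSecEventBridgePolicy-'
    Description: Prefix for the Cross-Account Event Bridge Scanning Policy.
  ExecutionRolePrefix:
    Type: String
    Default: 'CloudStorageSecExecutionRole-'
    Description: Prefix for the ECS Execution Role.
  Ec2ContainerRolePrefix:
    Type: String
    Default: 'CloudStorageSecEc2ContainerRole-'
    Description: Prefix for the EC2 ECS Container Role.
  Ec2ContainerPolicyPrefix:
    Type: String
    Default: 'CloudStorageSecEc2ContainerPolicy-'
    Description: Prefix for the EC2 ECS Container Policy.
  ClusterPrefix:
    Type: String
    Default: 'CloudStorageSecCluster-'
    Description: Prefix for the ECS Cluster.
  ServicePrefix:
    Type: String
    Default: 'CloudStorageSecConsoleService-'
    Description: Prefix for the ECS Console Service.
  TaskDefinitionPrefix:
    Type: String
    Default: 'CloudStorageSecConsole-'
    Description: Prefix for the ECS Console Task Definition.
  ConsoleSecurityGroupPrefix:
    Type: String
    Default: 'CloudStorageSecConsoleSecurityGroup-'
    Description: Prefix for the Console Security Group.
  LoadBalancerPrefix:
    Type: String
    Default: 'CloudStorageSecLB-'
    Description: Prefix for the Load Balancer (if using a Load Balancer).
  TargetGroupPrefix:
    Type: String
    Default: 'CloudStorageSecTG-'
    Description: Prefix for the Load Balancer Target Group (if using a Load Balancer).
  LoadBalancerGroupPrefix:
    Type: String
    Default: 'CloudStorageSecLBSecurityGroup-'
    Description: Prefix for the Load Balancer Security Group (if using a Load Balancer).
  ApiLoadBalancerPrefix:
    Type: String
    Default: 'CloudStorageSecApiLB-'
    Description: Prefix for the API Load Balancer.
  ApiTargetGroupPrefix:
    Type: String
    Default: 'CloudStorageSecApiTG-'
    Description: Prefix for the API Load Balancer Target Group.
  ParametersPrefix:
    Type: String
    Default: 'CloudStorageSecConsole-'
    Description: Prefix for the Systems Manager Parameters.
  NotificationsTopicPrefix:
    Type: String
    Default: 'CloudStorageSecNotificationsTopic-'
    Description: Prefix for the notifications topic.
  EventBasedScanTopicPrefix:
    Type: String
    Default: 'CloudStorageSecTopic-'
    Description: Prefix for the event based scanning SNS Topic.
  EventBasedScanQueuePrefix:
    Type: String
    Default: 'CloudStorageSecQueue-'
    Description: Prefix for the event based scanning SQS Queue.
  DcEventBasedScanQueuePrefix:
    Type: String
    Default: 'CloudStorageSecQueue-DC-'
    Description: Prefix for the Data Classification event based scanning SQS Queue.
  RetroScanQueuePrefix:
    Type: String
    Default: 'CloudStorageSecRetroQueue-'
    Description: Prefix for the retro-active scanning SQS Queue.
  EventAgentTaskPrefix:
    Type: String
    Default: 'CloudStorageSecAgent-'
    Description: Prefix for the ECS Event Agent Task.
  EventAgentServicePrefix:
    Type: String
    Default: 'CloudStorageSecAgentService-'
    Description: Prefix for the ECS Event Agent Service.
  DcEventAgentTaskPrefix:
    Type: String
    Default: 'CloudStorageSecAgent-DC-'
    Description: Prefix for the ECS Data Classification Event Agent Task.
  DcEventAgentServicePrefix:
    Type: String
    Default: 'CloudStorageSecAgentService-DC-'
    Description: Prefix for the ECS Data Classification Event Agent Service.
  LargeFileAgentTaskPrefix:
    Type: String
    Default: 'CloudStorageSecLargeFileAgent-'
    Description: Prefix for the ECS Large File Agent Task
  ApiAgentTaskPrefix:
    Type: String
    Default: 'CloudStorageSecApiAgent-'
    Description: Prefix for the ECS API Agent Task.
  ApiAgentServicePrefix:
    Type: String
    Default: 'CloudStorageSecApiAgentService-'
    Description: Prefix for the ECS API Agent Service.
  RetroAgentTaskPrefix:
    Type: String
    Default: 'CloudStorageSecRetroAgent-'
    Description: Prefix for the ECS Retro Agent Task.
  RetroAgentServicePrefix:
    Type: String
    Default: 'CloudStorageSecRetroAgentService-'
    Description: Prefix for the ECS Retro Agent Service.
  LargeEventQueueAlarmPrefix:
    Type: String
    Default: 'CloudStorageSecLargeQueue-'
    Description: Prefix for the Alarm triggered when event queue is backed up.
  SmallEventQueueAlarmPrefix:
    Type: String
    Default: 'CloudStorageSecSmallQueue-'
    Description: Prefix for the Alarm triggered when event queue is within normal range.
  DecreaseAgentsScalingPolicyPrefix:
    Type: String
    Default: 'DecreaseAgents-'
    Description: Prefix for the AutoScaling policy to decrease running agent count.
  IncreaseAgentsScalingPolicyPrefix:
    Type: String
    Default: 'IncreaseAgents-'
    Description: Prefix for the AutoScaling policy to increase running agent count.
  LargeDcEventQueueAlarmPrefix:
    Type: String
    Default: 'CloudStorageSecLargeQueue-DC-'
    Description: Prefix for the Alarm triggered when Data Classification event queue is backed up.
  SmallDcEventQueueAlarmPrefix:
    Type: String
    Default: 'CloudStorageSecSmallQueue-DC-'
    Description: Prefix for the Alarm triggered when Data Classification event queue is within normal range.
  DecreaseDcAgentsScalingPolicyPrefix:
    Type: String
    Default: 'DecreaseAgents-DC-'
    Description: Prefix for the AutoScaling policy to decrease running Data Classification agent count.
  IncreaseDcAgentsScalingPolicyPrefix:
    Type: String
    Default: 'IncreaseAgents-DC-'
    Description: Prefix for the AutoScaling policy to increase running Data Classification agent count.
  ApiRequestScalingPolicyPrefix:
    Type: String
    Default: 'ApiServiceRequestScaling-'
    Description: Prefix for the AutoScaling policy for the API Service.
  ApiCpuScalingPolicyPrefix:
    Type: String
    Default: 'ApiServiceCpuScaling-'
    Description: Prefix for the AutoScaling policy for the API Service.
  RetroQueueNotEmptyAlarmPrefix:
    Type: String
    Default: 'CloudStorageSecRetroQueueNotEmpty-'
    Description: Prefix for the Alarm triggered when retro queue is not empty.
  RetroQueueEmptyAlarmPrefix:
    Type: String
    Default: 'CloudStorageSecRetroQueueEmpty-'
    Description: Prefix for the Alarm triggered when retro queue is empty.
  RemoveRetroAgentsScalingPolicyPrefix:
    Type: String
    Default: 'RemoveRetroAgents-'
    Description: Prefix for the AutoScaling policy to stop running retro agents.
  SetRetroAgentsScalingPolicyPrefix:
    Type: String
    Default: 'SetRetroAgents-'
    Description: Prefix for the AutoScaling policy to set running retro agent count.
  AgentSecurityGroupPrefix:
    Type: String
    Default: 'CloudStorageSecAgentSecurityGroup-'
    Description: Prefix for the security group used by scanning agents.
  CloudTrailLakeEventDataStorePrefix:
    Type: String
    Default: 'CloudStorageSecCloudTrailLake-'
    Description: Prefix for the event data store for CloudTrail Lake -- only used if you don't specify your own data store above.
  CloudTrailLakeChannelPrefix:
    Type: String
    Default: 'CloudStorageSecCloudTrailLake-'
    Description: Prefix for the ingestion channel for CloudTrail Lake.
  QuarantineBucketDaysToExpire:
    Type: Number
    # 0 means "keep forever"; any positive value expires quarantined objects, which also
    # removes the evidence an investigation may still need.
    Default: 0
    MinValue: 0
    MaxValue: 1000
    Description: Number of days the quarantined files will be retained before deletion. For infinite retention, leave it at zero.
  AutoProtectBucketTagKey:
    Type: String
    # Sentinel for the UseDefaultAutoProtectBucketTagKey condition.
    Default: 'default'
    Description: Key of the bucket tag that indicates that protection must be automatically turned on for the bucket ("default" = CloudStorageSecAutoProtect-{7 character application id})
  # --- Pre-existing IAM roles. "Created by CFT" means the template creates the role
  # (Create* conditions); any other value is used as-is. Per the Metadata interface
  # label, supplied roles must already exist with trust relationships matching the
  # template's own.
  ConsoleTaskRoleArn:
    Type: String
    Default: 'Created by CFT'
    Description: Role ARN for the Console ECS Task
  ConsoleTaskRoleName:
    Type: String
    Default: 'Created by CFT'
    Description: Role name for the Console ECS Task
  AgentTaskRoleName:
    Type: String
    Default: 'Created by CFT'
    Description: Role name for the Agent ECS Task
  AgentTaskRoleArn:
    Type: String
    Default: 'Created by CFT'
    Description: Role ARN for the Agent ECS Task
  ExecutionRoleArn:
    Type: String
    Default: 'Created by CFT'
    Description: Role ARN for AWS ECS execution
  Ec2ContainerInstanceProfileArn:
    Type: String
    Default: 'Created by CFT'
    Description: Instance Profile ARN for AWS ECS EC2 execution
  Ec2ContainerInstanceRoleName:
    Type: String
    Default: 'Created by CFT'
    Description: Role Name for AWS ECS EC2 execution
  AppConfigAgentConfigurationDocumentRoleName:
    Type: String
    Default: 'Created by CFT'
    Description: Role name for the AWS AppConfig Config Document
  AppConfigAgentConfigurationDocumentRoleArn:
    Type: String
    Default: 'Created by CFT'
    Description: Role ARN for the AWS AppConfig Config Document
  UserPoolSnsRoleName:
    Type: String
    Default: 'Created by CFT'
    Description: Role name for the AWS Cognito User Pool SNS for MFA
  UserPoolSnsRoleArn:
    Type: String
    Default: 'Created by CFT'
    Description: Role ARN for the AWS Cognito User Pool SNS for MFA
  EnsureAutoScalingRoleExists:
    Type: String
    Default: "Yes"
    AllowedValues: ["Yes", "No"]
    Description: Would you like us to ensure the ECS Autoscaling Role exists (by registering the console as an AutoScalingGroup)?
  # 'none' is the sentinel for UseProxy, which tests ProxyHost only; ProxyPort is not
  # validated against it.
  ProxyHost:
    Type: String
    Default: 'none'
    Description: URL for proxy server
  ProxyPort:
    Type: String
    Default: 'none'
    Description: Port for proxy server
  ProductMode:
    Type: String
    Default: 'AV'
    AllowedValues: ['AV', 'Classification']
    # Drives the IsAntivirus condition; the description marks it as fixed for a deployment.
    Description: Initial product mode for this deployment. Do not modify this value.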
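Rules:
  # Template-level assertions evaluated before any resource is created. Rule functions
  # only compare strings, so numeric relationships (MinRunningAgents <= MaxRunningAgents)
  # cannot be expressed here and rely on the parameter descriptions alone.
  SubnetsInVPC:
    Assertions:
      # Covers every parameter typed AWS::EC2::Subnet::Id (SubnetA, SubnetB). LBSubnetA and
      # LBSubnetB are plain Strings and are therefore not checked against the VPC.
      - AssertDescription: All subnets must belong to the VPC selected
        Assert: !EachMemberIn [!ValueOfAll ["AWS::EC2::Subnet::Id", "VpcId"], !RefAll "AWS::EC2::VPC::Id"]
  SubnetsMustDiffer:
    Assertions:
      - AssertDescription: Subnet A and Subnet B must be different
        Assert: !Not [!Equals [!Ref SubnetA, !Ref SubnetB]]
  # Memory must be 2x-8x the vCPU count; the allowed sets below are spelled out per CPU
  # size because rules have no arithmetic.
  CheckConsoleCPUAndMem:
    Assertions:
      - AssertDescription: Console Memory needs to be in range (2x to 8x) of Console vCPU. If you select 0.5vCPU, then memory must be set between 1GB and 4GB.
        Assert:
          !Or
            - !And [!Equals [!Ref ConsoleCpu, "0.5vCPU"], !Contains [["1GB", "2GB", "3GB", "4GB"], !Ref ConsoleMemory]]
            - !And [!Equals [!Ref ConsoleCpu, "1vCPU"], !Contains [["2GB", "3GB", "4GB", "5GB", "6GB", "7GB", "8GB"], !Ref ConsoleMemory]]
            - !And [!Equals [!Ref ConsoleCpu, "2vCPU"], !Contains [["4GB", "5GB", "6GB", "7GB", "8GB", "9GB", "10GB", "11GB", "12GB", "13GB", "14GB", "15GB", "16GB"], !Ref ConsoleMemory]]
            - !And [!Equals [!Ref ConsoleCpu, "4vCPU"], !Contains [["8GB", "9GB", "10GB", "11GB", "12GB", "13GB", "14GB", "15GB", "16GB", "17GB", "18GB", "19GB", "20GB", "21GB", "22GB", "23GB", "24GB", "25GB", "26GB", "27GB", "28GB", "29GB", "30GB"], !Ref ConsoleMemory]]
  CheckAgentCPUAndMem:
    Assertions:
      - AssertDescription: Agent Memory needs to be in range (2x to 8x) of Agent vCPU. If you select 2vCPU, then memory must be set between 4GB and 16GB.
        Assert:
          !Or
            - !And [!Equals [!Ref AgentCpu, "1vCPU"], !Contains [["2GB", "3GB", "4GB", "5GB", "6GB", "7GB", "8GB"], !Ref AgentMemory]]
            - !And [!Equals [!Ref AgentCpu, "2vCPU"], !Contains [["4GB", "5GB", "6GB", "7GB", "8GB", "9GB", "10GB", "11GB", "12GB", "13GB", "14GB", "15GB", "16GB"], !Ref AgentMemory]]
            - !And [!Equals [!Ref AgentCpu, "4vCPU"], !Contains [["8GB", "9GB", "10GB", "11GB", "12GB", "13GB", "14GB", "15GB", "16GB", "17GB", "18GB", "19GB", "20GB", "21GB", "22GB", "23GB", "24GB", "25GB", "26GB", "27GB", "28GB", "29GB", "30GB"], !Ref AgentMemory]]
  CheckMinAgentsWhenScanningOnlyWhenQueueThresholdExceeded:
    Assertions:
      # MinRunningAgents is a Number parameter, but !Ref yields its string form, hence
      # the comparison against "0".
      - AssertDescription: Minimum Number of Agents must be 0 when only scanning when queue threshold is exceeded, or greater than 0 otherwise
        Assert:
          !Or
            - !And [!Equals [!Ref OnlyScanWhenQueueThresholdExceeded, "Yes"], !Equals [!Ref MinRunningAgents, "0"]]
            - !And [!Equals [!Ref OnlyScanWhenQueueThresholdExceeded, "No"], !Not [!Equals [!Ref MinRunningAgents, "0"]]]
  CheckSslCertWhenUsingLoadBalancer:
    Assertions:
      # Only the placeholder default is rejected; any other string passes, valid ARN or not.
      - AssertDescription: SSL Certificate ARN must be specified when using a Load Balancer
        Assert:
          !Or
            - !Equals [!Ref UseLoadBalancer, "No"]
            - !Not [!Equals [!Ref Certificate, "arn:aws:acm:region:123456789012:certificate/00000000-0000-0000-0000-000000000000"]]
  LBSubnetsMustDiffer:
    Assertions:
      # Skipped entirely while LBSubnetA is still the sentinel, so a non-default LBSubnetB
      # paired with a default LBSubnetA is not examined here.
      - AssertDescription: Load Balancer Subnet A and Subnet B must be different
        Assert:
          !Or
            - !Equals [!Ref UseLoadBalancer, "No"]
            - !Equals [!Ref LBSubnetA, "enter-subnet-id"]
            - !Not [!Equals [!Ref LBSubnetA, !Ref LBSubnetB]]
  OptOutOnlyWithLB:
    Assertions:
      - AssertDescription: Cannot opt-out from sending info if you are not using a Load Balancer
        Assert:
          !Or
            - !Equals [!Ref UseLoadBalancer, "Yes"]
            - !Equals [!Ref InfoOptOut, "No"]
  CheckHostedZoneNameWhenUsingRoute53:
    Assertions:
      # Only HostedZoneName is tested. The previous form OR-ed two branches that both
      # required a non-default name and differed only in the HostedZoneId test, which made
      # that test redundant; this is the equivalent reduced form. A custom HostedZoneId
      # with the default name does not satisfy the rule even though the description says
      # "name or ID". NOTE(review): confirm whether ID-only should be accepted — the
      # UseHostedZoneId condition does select the ID when it is non-default.
      - AssertDescription: Must specify a hosted zone name or ID when using Route53
        Assert:
          !Or
            - !Equals [!Ref RegisterRoute53, "No"]
            - !Not [!Equals [!Ref HostedZoneName, "domain-for-your-ssl-cert.com"]]
  CheckSubdomainWhenUsingRoute53:
    Assertions:
      - AssertDescription: Must specify a hosted subdomain when using Route53
        Assert:
          !Or
            - !Equals [!Ref RegisterRoute53, "No"]
            - !Not [!Equals [!Ref HostedSubdomain, "subdomain"]]
  CheckUsingSophosIfEc2ScanningEnabled:
    Assertions:
      - AssertDescription: Must use Sophos engine to enable EC2 large file scanning
        Assert:
          !Or
            - !And [!Equals [!Ref EnableLargeFileScanning, "Yes"], !Equals [!Ref AgentScanningEngine, "Sophos"]]
            - !Equals [!Ref EnableLargeFileScanning, "No"]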
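Conditions:
  # Conditions are written in one style throughout: a single !Equals/!Not per line, and
  # !Condition references (rather than repeated !Equals or "Condition:" list items) when
  # a condition builds on another one. Sentinel defaults ("Created by CFT", "default",
  # "none", "enter-subnet-id", the placeholder hosted zone ID) are compared literally; an
  # empty parameter value does not match the sentinel.
  BlanketKmsAccess: !Equals [!Ref AllowAccessToAllKmsKeys, "Yes"]
  UseLB: !Equals [!Ref UseLoadBalancer, "Yes"]
  DontUseLB: !Equals [!Ref UseLoadBalancer, "No"]
  UseRoute53: !And [!Condition UseLB, !Equals [!Ref RegisterRoute53, "Yes"]]
  # Exactly one of the two hosted-zone conditions holds when UseRoute53 is true.
  UseHostedZoneId: !And [!Condition UseRoute53, !Not [!Equals [!Ref HostedZoneId, "ZXXXXDEFAULTXXXXXXXXX"]]]
  UseHostedZoneName: !And [!Condition UseRoute53, !Equals [!Ref HostedZoneId, "ZXXXXDEFAULTXXXXXXXXX"]]
  # Not combined with UseLB: these are true for any non-default value even when
  # UseLoadBalancer is "No". NOTE(review): confirm that is intended by the consumers.
  UseLBSubnetA: !Not [!Equals [!Ref LBSubnetA, "enter-subnet-id"]]
  UseLBSubnetB: !Not [!Equals [!Ref LBSubnetB, "enter-subnet-id"]]
  UseDefaultDynamoPrefix: !Equals [!Ref DynamoTableNamePrefix, "7-character-application-id."]
  IsAntivirus: !Equals [!Ref ProductMode, 'AV']
  # Matches a single region: us-gov-east-1 evaluates to false here. NOTE(review): if this
  # condition selects partition-specific ARNs or endpoints, !Ref AWS::Partition
  # ("aws-us-gov") would cover both GovCloud regions — confirm against the consumers.
  IsGovCloud: !Equals [!Ref AWS::Region, "us-gov-west-1"]
  UseDefaultEcrAccount: !Equals [!Ref CustomEcrAccount, "default"]
  # Only ProxyHost is tested; a real host with ProxyPort left at 'none' is not caught here.
  UseProxy: !Not [!Equals [!Ref ProxyHost, "none"]]
  CreateConsoleRole: !Equals [!Ref ConsoleTaskRoleArn, "Created by CFT"]
  CreateConsoleSecurityGroup: !Equals [!Ref ConsoleSecurityGroup, "Created by CFT"]
  UseExistingConsoleSecurityGroup: !Not [!Condition CreateConsoleSecurityGroup]
  CreateConsoleSecurityGroupNoLB: !And [!Condition DontUseLB, !Condition CreateConsoleSecurityGroup]
  CreateConsoleSecurityGroupLB: !And [!Condition UseLB, !Condition CreateConsoleSecurityGroup]
  CreateContainerSecurityGroupLB: !And [!Condition UseLB, !Equals [!Ref ContainerSecurityGroupLB, "Created by CFT"]]
  UseExistingContainerSecurityGroupLB: !And [!Condition UseLB, !Not [!Equals [!Ref ContainerSecurityGroupLB, "Created by CFT"]]]
  # Role creation toggles: the template creates the role only while the ARN parameter is
  # still the sentinel; otherwise the supplied role is used as-is.
  CreateAgentRole: !Equals [!Ref AgentTaskRoleArn, "Created by CFT"]
  CreateExecutionRole: !Equals [!Ref ExecutionRoleArn, "Created by CFT"]
  CreateEc2ContainerRole: !Equals [!Ref Ec2ContainerInstanceProfileArn, "Created by CFT"]
  CreateAppConfigDocRole: !Equals [!Ref AppConfigAgentConfigurationDocumentRoleArn, "Created by CFT"]
  CreateUserPoolSnsRole: !Equals [!Ref UserPoolSnsRoleArn, "Created by CFT"]
  CreateAutoScalingRole: !Equals [!Ref EnsureAutoScalingRoleExists, "Yes"]
  CreateAutoScalingRoleWithLb: !And [!Condition CreateAutoScalingRole, !Condition UseLB]
  CreateAutoScalingRoleWithoutLb: !And [!Condition CreateAutoScalingRole, !Condition DontUseLB]
  UseDefaultAutoProtectBucketTagKey: !Equals [!Ref AutoProtectBucketTagKey, "default"]
  UseDefaultCloudTrailLakeEventDataStoreName: !Equals [!Ref CloudTrailLakeDataStoreName, "default"]
  UseDefaultCloudTrailLakeChannelName: !Equals [!Ref CloudTrailLakeChannelName, "default"]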
Mappings:
  # Lookup tables for !FindInMap. The "Yes"/"No" keys stay quoted on purpose: unquoted,
  # a YAML 1.1 loader reads them as booleans and the lookup key would no longer match
  # the parameter's string value.
  yesNoToBool:
    "Yes":
      value: true
    "No":
      value: false
  # CPU units keyed by the ConsoleCpu/AgentCpu labels (1024 units per vCPU, as the
  # parameter descriptions state).
  vCPUvalues:
    0.5vCPU:
      size: 512
    1vCPU:
      size: 1024
    2vCPU:
      size: 2048
    4vCPU:
      size: 4096
  # Memory keyed by the ConsoleMemory/AgentMemory labels; each GB is 1024 units.
  MemValues:
    1GB:
      size: 1024
    2GB:
      size: 2048
    3GB:
      size: 3072
    4GB:
      size: 4096
    5GB:
      size: 5120
    6GB:
      size: 6144
    7GB:
      size: 7168
    8GB:
      size: 8192
    9GB:
      size: 9216
    10GB:
      size: 10240
    11GB:
      size: 11264
    12GB:
      size: 12288
    13GB:
      size: 13312
    14GB:
      size: 14336
    15GB:
      size: 15360
    16GB:
      size: 16384
    17GB:
      size: 17408
    18GB:
      size: 18432
    19GB:
      size: 19456
    20GB:
      size: 20480
    21GB:
      size: 21504
    22GB:
      size: 22528
    23GB:
      size: 23552
    24GB:
      size: 24576
    25GB:
      size: 25600
    26GB:
      size: 26624
    27GB:
      size: 27648
    28GB:
      size: 28672
    29GB:
      size: 29696
    30GB:
      size: 30720
Metadata:
AWS::CloudFormation::Interface:
ParameterGroups:
- Label:
default: Please refer to the 'How to Deploy' section of the documentation for further information.
- Label:
default: "."
- Parameters:
- VPC
- SubnetA
- SubnetB
- ConsoleSecurityGroup
- ConsoleSecurityGroupCidrBlock
Label:
default: Network Configuration
- Parameters:
- ConsoleCpu
- ConsoleMemory
- UserName
- Email
- ConsoleAutoAssignPublicIp
- EnableCloudTrailLake
- DynamoPointInTimeRecoveryEnabled
- StorageAssessmentEnabled
Label:
default: Console Configuration
- Parameters:
- AgentCpu
- AgentMemory
- AgentScanningEngine
- MultiEngineScanningMode
- AgentDiskSize
- EnableLargeFileScanning
- LargeFileDiskSize
- LargeFileEC2Tags
- AllowAccessToAllKmsKeys
- AgentAutoAssignPublicIp
- QuarantineInPrimaryAccount
- QuarantineBucketDaysToExpire
- AutoProtectBucketTagKey
Label:
default: Agent Configuration
- Parameters:
- OnlyScanWhenQueueThresholdExceeded
- MinRunningAgents
- MaxRunningAgents
- NumMessagesInQueueScalingThreshold
Label:
default: Agent Auto-Scaling Configuration
- Parameters:
- UseLoadBalancer
- ContainerSecurityGroupLB
- Certificate
- LBScheme
- LBSubnetA
- LBSubnetB
- RegisterRoute53
- HostedZoneName
- HostedZoneId
- HostedSubdomain
- InfoOptOut
Label:
default: Optional Load Balancer Configuration
- Parameters:
- CustomEcrAccount
Label:
default: Optional custom hosting of docker container images
# Parameter group "Optional AWS Resource Renaming": name prefixes for every
# resource the stack creates. Many of these feed RoleName/TableName/PolicyName
# properties, so changing them after deployment replaces the resource — hence
# the WARNING in the label.
- Parameters:
    - DynamoTableNamePrefix
    - QuarantineBucketNamePrefix
    - AppConfigApplicationPrefix
    - AppConfigEnvironmentPrefix
    - AppConfigDeploymentStrategyPrefix
    - AppConfigDocumentPrefix
    - AppConfigDocumentSchemaPrefix
    - AppConfigDocumentRolePrefix
    - AppConfigDocumentPolicyPrefix
    - UserPoolPrefix
    - UserPoolClientPrefix
    - UserPoolRolePrefix
    - UserPoolPolicyPrefix
    - ConsoleTaskRolePrefix
    - ConsoleTaskPolicyPrefix
    - AgentTaskRolePrefix
    - AgentTaskPolicyPrefix
    - CrossAccountRolePrefix
    - CrossAccountPolicyPrefix
    - CrossAccountEventBridgeRolePrefix
    - CrossAccountEventBridgePolicyPrefix
    - ExecutionRolePrefix
    - Ec2ContainerRolePrefix
    - Ec2ContainerPolicyPrefix
    - ClusterPrefix
    - ServicePrefix
    - TaskDefinitionPrefix
    - ConsoleSecurityGroupPrefix
    - LoadBalancerPrefix
    - TargetGroupPrefix
    - LoadBalancerGroupPrefix
    - ApiLoadBalancerPrefix
    - ApiTargetGroupPrefix
    - ParametersPrefix
    - NotificationsTopicPrefix
    - EventBasedScanTopicPrefix
    - EventBasedScanQueuePrefix
    - DcEventBasedScanQueuePrefix
    - RetroScanQueuePrefix
    - EventAgentTaskPrefix
    - EventAgentServicePrefix
    - DcEventAgentTaskPrefix
    - DcEventAgentServicePrefix
    - LargeFileAgentTaskPrefix
    - ApiAgentTaskPrefix
    - ApiAgentServicePrefix
    - RetroAgentTaskPrefix
    - RetroAgentServicePrefix
    - LargeEventQueueAlarmPrefix
    - SmallEventQueueAlarmPrefix
    - DecreaseAgentsScalingPolicyPrefix
    - IncreaseAgentsScalingPolicyPrefix
    - LargeDcEventQueueAlarmPrefix
    - SmallDcEventQueueAlarmPrefix
    - DecreaseDcAgentsScalingPolicyPrefix
    - IncreaseDcAgentsScalingPolicyPrefix
    - ApiRequestScalingPolicyPrefix
    - ApiCpuScalingPolicyPrefix
    - RetroQueueNotEmptyAlarmPrefix
    - RetroQueueEmptyAlarmPrefix
    - RemoveRetroAgentsScalingPolicyPrefix
    - SetRetroAgentsScalingPolicyPrefix
    - AgentSecurityGroupPrefix
    - CloudTrailLakeEventDataStorePrefix
    - CloudTrailLakeChannelPrefix
  Label:
    default: 'Optional AWS Resource Renaming (WARNING: do not change after initial deployment)'
# Parameter group for bring-your-own IAM roles. Each ARN/Name pair is selected
# by a Create* condition (e.g. CreateAppConfigDocRole, CreateUserPoolSnsRole)
# in the Resources section; when a role is supplied, the stack does not create
# it and its trust policy must already allow the relevant service principal.
- Parameters:
    - ConsoleTaskRoleArn
    - ConsoleTaskRoleName
    - AgentTaskRoleArn
    - AgentTaskRoleName
    - ExecutionRoleArn
    - Ec2ContainerInstanceProfileArn
    - Ec2ContainerInstanceRoleName
    - AppConfigAgentConfigurationDocumentRoleArn
    - AppConfigAgentConfigurationDocumentRoleName
    - UserPoolSnsRoleArn
    - UserPoolSnsRoleName
    - EnsureAutoScalingRoleExists
  Label:
    default: 'Optional pre-existing role specification. These roles must exist before deployment and the trust relationships must match those in this template. Do not change these values if you would like the deployment to create roles'
# Parameter group for an egress proxy, used where a VPC endpoint is not
# available for an AWS service the containers need.
- Parameters:
    - ProxyHost
    - ProxyPort
  Label:
    default: 'Optional proxy configuration for AWS services that do not have available VPC Endpoints.'
# Parameter group for vendor deployment settings; the label tells operators to
# leave ProductMode at its default.
- Parameters:
    - ProductMode
  Label:
    default: 'Deployment specific settings. These should be left at default values.'
# Human-readable labels shown in place of the logical parameter names in the
# CloudFormation console. Keys must match Parameters entries exactly.
ParameterLabels:
  VPC:
    default: Virtual Private Cloud (VPC) ID
  SubnetA:
    default: Subnet A ID
  SubnetB:
    default: Subnet B ID
  ConsoleSecurityGroup:
    default: Console Security Group ID
  ConsoleSecurityGroupCidrBlock:
    default: Console Security Group CIDR Block
  ConsoleCpu:
    default: Console vCPU
  ConsoleMemory:
    default: Console Memory
  ConsoleAutoAssignPublicIp:
    default: Console Auto Assign Public IP
  EnableCloudTrailLake:
    default: Enable CloudTrail Lake
  AgentCpu:
    default: Agent vCPU
  AgentMemory:
    default: Agent Memory
  AgentScanningEngine:
    default: Agent Scanning Engine
  MultiEngineScanningMode:
    default: Multi-Engine Scanning Mode
  AgentDiskSize:
    default: Agent Disk Size
  EnableLargeFileScanning:
    default: Enable Large File Scanning
  LargeFileDiskSize:
    default: Extra Large File Disk Size
  LargeFileEC2Tags:
    default: Extra Large File EC2 Tags
  AgentAutoAssignPublicIp:
    default: Agent Auto Assign Public IP
  MinRunningAgents:
    default: Minimum Number of Running Agents Per Region
  MaxRunningAgents:
    default: Maximum Number of Running Agents Per Region
  NumMessagesInQueueScalingThreshold:
    default: Number of Messages in Queue to Trigger Agent Auto-Scaling
  OnlyScanWhenQueueThresholdExceeded:
    default: Only Run Scanning Agents When Files Are In Queue?
  QuarantineInPrimaryAccount:
    default: Quarantine objects into the primary account for infections in linked accounts?
  QuarantineBucketDaysToExpire:
    default: Expire (delete) quarantined objects after a specified number of days?
  AutoProtectBucketTagKey:
    default: Bucket auto protection tag key
  DynamoPointInTimeRecoveryEnabled:
    default: DynamoDB Point In Time Recovery
  AllowAccessToAllKmsKeys:
    default: Allow Access To All KMS Keys?
  EnableStorageAssessment:
    default: Allow Console To Run Storage Assessment?
  UseLoadBalancer:
    default: Use a Load Balancer for the Console?
  ContainerSecurityGroupLB:
    default: Container Security Group ID
  Certificate:
    default: SSL Certificate ARN
  LBScheme:
    default: Load Balancer Scheme
  LBSubnetA:
    default: Load Balancer Subnet A ID
  LBSubnetB:
    default: Load Balancer Subnet B ID
  RegisterRoute53:
    default: Register a subdomain on Route53?
  HostedZoneName:
    default: Hosted Zone Name
  HostedZoneId:
    default: Hosted Zone ID
  HostedSubdomain:
    default: Subdomain
  InfoOptOut:
    default: Info Opt-Out
  CustomEcrAccount:
    default: Custom ECR Account
  ProxyHost:
    default: Proxy Host
  ProxyPort:
    default: Proxy Port
  ProductMode:
    default: Product Mode
Resources:
# AppConfig application that owns the agents' configuration. Its physical Name
# (and, via !Ref, the suffix of most other resource names in this template) is
# the application prefix followed by a short unique token derived from the
# stack id: the StackId ARN (…:stack/<name>/<guid>) is split on '/', the guid
# taken, split on '-' and its first segment kept.
AppConfigAgentApplication:
  Type: AWS::AppConfig::Application
  Properties:
    Description: AppConfig Application for CloudStorageSec Agents
    Name: !Join
      - ''
      - - !Ref AppConfigApplicationPrefix
        - !Select
            - 0
            - !Split
                - '-'
                - !Select
                    - 2
                    - !Split
                        - '/'
                        - !Ref AWS::StackId
# Single AppConfig environment inside AppConfigAgentApplication; the deployment
# below targets it.
AppConfigAgentEnvironment:
  Type: AWS::AppConfig::Environment
  Properties:
    ApplicationId: !Ref AppConfigAgentApplication
    Name: !Sub '${AppConfigEnvironmentPrefix}${AppConfigAgentApplication}'
    Description: "AppConfig Environment for CloudStorageSec Agents"
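# IAM role that AppConfig assumes to read the agent configuration SSM document;
# its permissions are attached separately by
# AppConfigAgentConfigurationDocumentPolicy. Created only when
# CreateAppConfigDocRole holds — otherwise the caller-supplied
# AppConfigAgentConfigurationDocumentRoleName / -RoleArn is used instead.
AppConfigAgentConfigurationDocumentRole:
  Type: AWS::IAM::Role
  Condition: CreateAppConfigDocRole
  Properties:
    RoleName: !Sub '${AppConfigDocumentRolePrefix}${AppConfigAgentApplication}'
    AssumeRolePolicyDocument:
      # Pin the policy language version explicitly: without it IAM applies the
      # older 2008-10-17 grammar, and the other IAM documents in this template
      # (UserPoolSnsRole, AppConfigAgentConfigurationDocumentPolicy) declare it.
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            Service: 'appconfig.amazonaws.com'
          Action: 'sts:AssumeRole'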
# Inline policy for the AppConfig retrieval role: read-only access to the agent
# configuration SSM document. It is attached to the template-created role when
# CreateAppConfigDocRole holds, otherwise to the caller-supplied role name.
AppConfigAgentConfigurationDocumentPolicy:
  Type: 'AWS::IAM::Policy'
  Properties:
    PolicyName: !Sub '${AppConfigDocumentPolicyPrefix}${AppConfigAgentApplication}'
    PolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Action:
            - ssm:GetDocument
          Resource:
            # NOTE(review): region and account are wildcarded although the
            # document is created by this stack; '${AWS::Region}:${AWS::AccountId}'
            # would be the least-privilege form — confirm there is no
            # cross-region/cross-account retrieval before tightening.
            - !Sub 'arn:${AWS::Partition}:ssm:*:*:document/${AppConfigDocument}'
    Roles:
      - !If [CreateAppConfigDocRole, !Ref AppConfigAgentConfigurationDocumentRole, !Ref AppConfigAgentConfigurationDocumentRoleName]
# Deployment strategy for pushing configuration to the agents: duration 0, bake
# time 0 and growth 100% mean every target receives a new configuration at
# once, with no canary phase and no automatic rollback window.
AppConfigAgentDeploymentStrategy:
  Type: AWS::AppConfig::DeploymentStrategy
  # Redundant with the implicit dependency created by the !Sub below, but harmless.
  DependsOn: AppConfigAgentApplication
  Properties:
    Name: !Sub '${AppConfigDeploymentStrategyPrefix}${AppConfigAgentApplication}'
    Description: "AppConfig Deployment Strategy for CloudStorageSec Agents"
    DeploymentDurationInMinutes: 0
    FinalBakeTimeInMinutes: 0
    GrowthFactor: 100
    GrowthType: LINEAR
    ReplicateTo: NONE
# JSON-schema SSM document that validates the agent configuration document.
# The schema forbids unknown top-level properties (additionalProperties: false),
# requires the tag-key, quarantine and scan/classify list sections, and limits
# quarantine.action to Keep|Move|Delete. The Content value is one single-quoted
# scalar; YAML folds the line break inside it into a single space.
AppConfigDocumentSchema:
  Type: 'AWS::SSM::Document'
  # ConsoleTaskPolicy is defined outside this chunk; presumably ordered so the
  # Console's permissions exist before the document does — confirm.
  DependsOn: ConsoleTaskPolicy
  Properties:
    DocumentType: ApplicationConfigurationSchema
    DocumentFormat: JSON
    Content: '{"$schema":"http://json-schema.org/draft-07/schema#","description":"Configuration for CloudStorageScan","type":"object","required":["objectTagKeys","quarantine","scanList","skipList","classifyList","classifySkipList","scanTaggingEnabled","scanTagsExcluded","classificationTaggingEnabled","classificationTagsExcluded"],"properties":{"scanTaggingEnabled":{"type":"boolean","description":"Indicates whether tags should be added to the scanned objects."},"scanTagsExcluded":{"type":"array","description":"Scan tags to not be added to scanned objects","items":{"type":"string"},"uniqueItems":true,"additionalProperties":false},"classificationTaggingEnabled":{"type":"boolean","description":"Indicates whether tags should be added to the classified objects."},"classificationTagsExcluded":{"type":"array","description":"Classification tags to not be added to classified objects","items":{"type":"string"},"uniqueItems":true,"additionalProperties":false},"avEventProtectedBuckets":{"type":"array","items":{"type":"string"},"uniqueItems":true,"additionalProperties":false},"avScheduledBuckets":{"type":"array","items":{"type":"string"},"uniqueItems":true,"additionalProperties":false},"dcEventBucketRuleSets":{"type":"object","patternProperties":{"^[a-zA-Z]+$":{"type":"array","items":{"type":"string"},"additionalProperties":false}}},"classificationRuleSets":{"type":"object","patternProperties":{"^[a-zA-Z]+$":{"type":"array","items":{"type":"string"},"additionalProperties":false}}},"objectTagKeys":{"type":"object","required":["result","dateScanned","virusName","virusUploadedBy","errorMessage","classificationResult","dateClassified","classificationMatches","classificationErrorMessage"],"properties":{"result":{"type":"string","description":"The tag key for scan results."},"dateScanned":{"type":"string","description":"The tag key for the scan date."},"virusName":{"type":"string","description":"The tag key for the virus name."},"virusUploadedBy":{"type":"string","description":"The tag
      key for who uploaded the virus."},"errorMessage":{"type":"string","description":"The tag key for the error message."},"classificationResult":{"type":"string","description":"The tag key for classification results."},"dateClassified":{"type":"string","description":"The tag key for the classification date."},"classificationMatches":{"type":"string","description":"The tag key for the list of classification matches found."},"classificationErrorMessage":{"type":"string","description":"The tag key for the classification error message."}}},"quarantine":{"type":"object","required":["action","moveBucketPrefix"],"properties":{"action":{"type":"string","pattern":"Keep|Move|Delete","description":"Action to take on an object upon a virus being detected."},"moveBucketPrefix":{"type":"string","description":"Bucket to move infected objects to."}}},"scanList":{"type":"object","patternProperties":{"^[a-zA-Z]+$":{"type":"array","items":{"type":"string"},"additionalProperties":false}}},"skipList":{"type":"object","patternProperties":{"^[a-zA-Z]+$":{"type":"array","items":{"type":"string"},"additionalProperties":false}}},"classifyList":{"type":"object","patternProperties":{"^[a-zA-Z]+$":{"type":"array","items":{"type":"string"},"additionalProperties":false}}},"classifySkipList":{"type":"object","patternProperties":{"^[a-zA-Z]+$":{"type":"array","items":{"type":"string"},"additionalProperties":false}}}},"additionalProperties":false}'
    Name: !Sub '${AppConfigDocumentPrefix}Schema-${AppConfigAgentApplication}'
    Tags:
      - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]]
        Value: 'ConfigSchema'
    # Content changes create a new document version instead of replacing the document.
    UpdateMethod: NewVersion
# Initial agent configuration document, validated against the $LATEST version
# of AppConfigDocumentSchema. Defaults: scan and classification tagging on with
# no excluded tags, the listed object tag keys, quarantine action "Move" into
# the bucket named by the quarantine prefix plus the application id, and empty
# scan/skip/classify lists. The !Sub only expands the two ${…} references.
AppConfigDocument:
  Type: 'AWS::SSM::Document'
  DependsOn: AppConfigDocumentSchema
  Properties:
    DocumentType: ApplicationConfiguration
    DocumentFormat: JSON
    Content: !Sub '{"scanTaggingEnabled":true,"scanTagsExcluded":[],"classificationTaggingEnabled":true,"classificationTagsExcluded":[],"objectTagKeys":{"result":"scan-result","dateScanned":"date-scanned","virusName":"virus-name","virusUploadedBy":"uploaded-by","errorMessage":"message","classificationResult":"classification-result","dateClassified":"date-classified","classificationMatches":"classification-matches","classificationErrorMessage":"classification-message"},"quarantine":{"action":"Move","moveBucketPrefix":"${QuarantineBucketNamePrefix}${AppConfigAgentApplication}"},"scanList":{},"skipList":{},"classifyList":{},"classifySkipList":{}}'
    Name: !Sub '${AppConfigDocumentPrefix}Doc-${AppConfigAgentApplication}'
    Tags:
      - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]]
        Value: 'ConfigDoc'
    Requires:
      - Name: !Ref AppConfigDocumentSchema
        Version: $LATEST
    UpdateMethod: NewVersion
# Freeform configuration profile that points AppConfig at the SSM document and
# names the role it assumes to read it (template-created or caller-supplied).
# DependsOn ensures the read permission is attached before the profile is
# created, since AppConfig validates retrieval access at creation.
AppConfigProfile:
  Type: 'AWS::AppConfig::ConfigurationProfile'
  DependsOn: AppConfigAgentConfigurationDocumentPolicy
  Properties:
    ApplicationId: !Ref AppConfigAgentApplication
    Description: 'AppConfig profile for CloudStorageSec Agents'
    Name: !Sub '${AppConfigDocumentPrefix}Profile-${AppConfigAgentApplication}'
    LocationUri: !Sub 'ssm-document://${AppConfigDocument}'
    RetrievalRoleArn: !If [CreateAppConfigDocRole, !GetAtt AppConfigAgentConfigurationDocumentRole.Arn, !Ref AppConfigAgentConfigurationDocumentRoleArn]
    Tags:
      - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]]
        Value: 'ConfigProfile'
    Type: AWS.Freeform
# Initial deployment of configuration version 1 to the agent environment using
# the all-at-once strategy defined above.
AppConfigAgentDeployment:
  Type: AWS::AppConfig::Deployment
  Properties:
    ApplicationId: !Ref AppConfigAgentApplication
    EnvironmentId: !Ref AppConfigAgentEnvironment
    ConfigurationProfileId: !Ref AppConfigProfile
    DeploymentStrategyId: !Ref AppConfigAgentDeploymentStrategy
    ConfigurationVersion: 1
    Description: "AppConfig Deployment for CloudStorageSec Agents"
# DynamoDB table "<prefix>Buckets", hash key Name. Like every table below it is
# on-demand billed, named from DynamoTableNamePrefixParameter and has
# point-in-time recovery driven by DynamoPointInTimeRecoveryEnabledParameter
# (both resources are defined outside this chunk). AttributeType values are
# quoted on purpose: an unquoted N is a boolean under YAML 1.1 rules.
BucketsTable:
  Type: AWS::DynamoDB::Table
  DependsOn: ConsoleTaskPolicy
  Properties:
    AttributeDefinitions:
      - AttributeName: "Name"
        AttributeType: "S"
    KeySchema:
      - AttributeName: "Name"
        KeyType: "HASH"
    BillingMode: PAY_PER_REQUEST
    TableName: !Sub '${DynamoTableNamePrefixParameter.Value}Buckets'
    PointInTimeRecoverySpecification:
      PointInTimeRecoveryEnabled: !GetAtt DynamoPointInTimeRecoveryEnabledParameter.Value
    Tags:
      - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]]
        Value: 'DynamoTable'
# DynamoDB table "<prefix>Subnets", hash key Region (one item per region).
SubnetsTable:
  Type: AWS::DynamoDB::Table
  DependsOn: ConsoleTaskPolicy
  Properties:
    AttributeDefinitions:
      - AttributeName: "Region"
        AttributeType: "S"
    KeySchema:
      - AttributeName: "Region"
        KeyType: "HASH"
    BillingMode: PAY_PER_REQUEST
    TableName: !Sub '${DynamoTableNamePrefixParameter.Value}Subnets'
    PointInTimeRecoverySpecification:
      PointInTimeRecoveryEnabled: !GetAtt DynamoPointInTimeRecoveryEnabledParameter.Value
    Tags:
      - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]]
        Value: 'DynamoTable'
# DynamoDB table "<prefix>StorageAnalysis": key (BucketName, ScanDate), plus
# GSI DateIndex on (TrackerFlag, ScanDate) projecting all attributes.
StorageAnalysisTable:
  Type: AWS::DynamoDB::Table
  DependsOn: ConsoleTaskPolicy
  Properties:
    AttributeDefinitions:
      - AttributeName: "BucketName"
        AttributeType: "S"
      - AttributeName: "ScanDate"
        AttributeType: "S"
      - AttributeName: "TrackerFlag"
        AttributeType: "N"
    KeySchema:
      - AttributeName: "BucketName"
        KeyType: "HASH"
      - AttributeName: "ScanDate"
        KeyType: "RANGE"
    GlobalSecondaryIndexes:
      - IndexName: DateIndex
        KeySchema:
          - AttributeName: "TrackerFlag"
            KeyType: "HASH"
          - AttributeName: "ScanDate"
            KeyType: "RANGE"
        Projection:
          ProjectionType: ALL
    BillingMode: PAY_PER_REQUEST
    TableName: !Sub '${DynamoTableNamePrefixParameter.Value}StorageAnalysis'
    PointInTimeRecoverySpecification:
      PointInTimeRecoveryEnabled: !GetAtt DynamoPointInTimeRecoveryEnabledParameter.Value
    Tags:
      - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]]
        Value: 'DynamoTable'
# DynamoDB table "<prefix>FileCount": key (ScanDate, Guid), plus GSI DateIndex
# on (TrackerFlag, ScanDate) projecting all attributes.
FileCountTable:
  Type: AWS::DynamoDB::Table
  DependsOn: ConsoleTaskPolicy
  Properties:
    AttributeDefinitions:
      - AttributeName: "ScanDate"
        AttributeType: "S"
      - AttributeName: "Guid"
        AttributeType: "S"
      - AttributeName: "TrackerFlag"
        AttributeType: "N"
    KeySchema:
      - AttributeName: "ScanDate"
        KeyType: "HASH"
      - AttributeName: "Guid"
        KeyType: "RANGE"
    GlobalSecondaryIndexes:
      - IndexName: DateIndex
        KeySchema:
          - AttributeName: "TrackerFlag"
            KeyType: "HASH"
          - AttributeName: "ScanDate"
            KeyType: "RANGE"
        Projection:
          ProjectionType: ALL
    BillingMode: PAY_PER_REQUEST
    TableName: !Sub '${DynamoTableNamePrefixParameter.Value}FileCount'
    PointInTimeRecoverySpecification:
      PointInTimeRecoveryEnabled: !GetAtt DynamoPointInTimeRecoveryEnabledParameter.Value
    Tags:
      - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]]
        Value: 'DynamoTable'
# DynamoDB table "<prefix>Console", hash key ApplicationId.
ConsoleTable:
  Type: AWS::DynamoDB::Table
  DependsOn: ConsoleTaskPolicy
  Properties:
    AttributeDefinitions:
      - AttributeName: "ApplicationId"
        AttributeType: "S"
    KeySchema:
      - AttributeName: "ApplicationId"
        KeyType: "HASH"
    BillingMode: PAY_PER_REQUEST
    TableName: !Sub '${DynamoTableNamePrefixParameter.Value}Console'
    PointInTimeRecoverySpecification:
      PointInTimeRecoveryEnabled: !GetAtt DynamoPointInTimeRecoveryEnabledParameter.Value
    Tags:
      - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]]
        Value: 'DynamoTable'
# DynamoDB table "<prefix>Agents", hash key AgentId, plus GSI
# ActiveAndDeactivationDateIndex on (Active, DeactivationDate).
AgentsTable:
  Type: AWS::DynamoDB::Table
  DependsOn: ConsoleTaskPolicy
  Properties:
    AttributeDefinitions:
      - AttributeName: "AgentId"
        AttributeType: "S"
      - AttributeName: "DeactivationDate"
        AttributeType: "S"
      - AttributeName: "Active"
        AttributeType: "N"
    KeySchema:
      - AttributeName: "AgentId"
        KeyType: "HASH"
    GlobalSecondaryIndexes:
      - IndexName: ActiveAndDeactivationDateIndex
        KeySchema:
          - AttributeName: Active
            KeyType: HASH
          - AttributeName: DeactivationDate
            KeyType: RANGE
        Projection:
          ProjectionType: ALL
    BillingMode: PAY_PER_REQUEST
    TableName: !Sub '${DynamoTableNamePrefixParameter.Value}Agents'
    PointInTimeRecoverySpecification:
      PointInTimeRecoveryEnabled: !GetAtt DynamoPointInTimeRecoveryEnabledParameter.Value
    Tags:
      - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]]
        Value: 'DynamoTable'
# DynamoDB table "<prefix>AgentData": key (AgentId, Tstp), plus GSI TstpIndex
# on (TrackerFlag, Tstp). Tstp is numeric (a timestamp, presumably — confirm).
AgentDataTable:
  Type: AWS::DynamoDB::Table
  DependsOn: ConsoleTaskPolicy
  Properties:
    AttributeDefinitions:
      - AttributeName: "AgentId"
        AttributeType: "S"
      - AttributeName: "Tstp"
        AttributeType: "N"
      - AttributeName: "TrackerFlag"
        AttributeType: "N"
    KeySchema:
      - AttributeName: "AgentId"
        KeyType: "HASH"
      - AttributeName: "Tstp"
        KeyType: "RANGE"
    GlobalSecondaryIndexes:
      - IndexName: TstpIndex
        KeySchema:
          - AttributeName: TrackerFlag
            KeyType: HASH
          - AttributeName: Tstp
            KeyType: RANGE
        Projection:
          ProjectionType: ALL
    BillingMode: PAY_PER_REQUEST
    TableName: !Sub '${DynamoTableNamePrefixParameter.Value}AgentData'
    PointInTimeRecoverySpecification:
      PointInTimeRecoveryEnabled: !GetAtt DynamoPointInTimeRecoveryEnabledParameter.Value
    Tags:
      - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]]
        Value: 'DynamoTable'
# DynamoDB table "<prefix>BucketScanStatistics": key (BucketName, Date), plus
# GSI DateIndex on (TrackerFlag, Date).
BucketScanStatisticsTable:
  Type: AWS::DynamoDB::Table
  DependsOn: ConsoleTaskPolicy
  Properties:
    AttributeDefinitions:
      - AttributeName: "BucketName"
        AttributeType: "S"
      - AttributeName: "Date"
        AttributeType: "S"
      - AttributeName: "TrackerFlag"
        AttributeType: "N"
    KeySchema:
      - AttributeName: "BucketName"
        KeyType: "HASH"
      - AttributeName: "Date"
        KeyType: "RANGE"
    GlobalSecondaryIndexes:
      - IndexName: DateIndex
        KeySchema:
          - AttributeName: TrackerFlag
            KeyType: HASH
          - AttributeName: Date
            KeyType: RANGE
        Projection:
          ProjectionType: ALL
    BillingMode: PAY_PER_REQUEST
    TableName: !Sub '${DynamoTableNamePrefixParameter.Value}BucketScanStatistics'
    PointInTimeRecoverySpecification:
      PointInTimeRecoveryEnabled: !GetAtt DynamoPointInTimeRecoveryEnabledParameter.Value
    Tags:
      - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]]
        Value: 'DynamoTable'
# DynamoDB table "<prefix>BucketClassificationStatistics": key (BucketName,
# Date). Unlike the scan-statistics table, its GSI DateIndex has Date as the
# sole hash key and no TrackerFlag attribute.
BucketClassificationStatisticsTable:
  Type: AWS::DynamoDB::Table
  DependsOn: ConsoleTaskPolicy
  Properties:
    AttributeDefinitions:
      - AttributeName: "BucketName"
        AttributeType: "S"
      - AttributeName: "Date"
        AttributeType: "S"
    KeySchema:
      - AttributeName: "BucketName"
        KeyType: "HASH"
      - AttributeName: "Date"
        KeyType: "RANGE"
    GlobalSecondaryIndexes:
      - IndexName: DateIndex
        KeySchema:
          - AttributeName: Date
            KeyType: HASH
        Projection:
          ProjectionType: ALL
    BillingMode: PAY_PER_REQUEST
    TableName: !Sub '${DynamoTableNamePrefixParameter.Value}BucketClassificationStatistics'
    PointInTimeRecoverySpecification:
      PointInTimeRecoveryEnabled: !GetAtt DynamoPointInTimeRecoveryEnabledParameter.Value
    Tags:
      - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]]
        Value: 'DynamoTable'
# DynamoDB table "<prefix>SophosTapData": key (Date, Tstp), no secondary indexes.
SophosTapDataTable:
  Type: AWS::DynamoDB::Table
  DependsOn: ConsoleTaskPolicy
  Properties:
    AttributeDefinitions:
      - AttributeName: "Date"
        AttributeType: "S"
      - AttributeName: "Tstp"
        AttributeType: "N"
    KeySchema:
      - AttributeName: "Date"
        KeyType: "HASH"
      - AttributeName: "Tstp"
        KeyType: "RANGE"
    BillingMode: PAY_PER_REQUEST
    TableName: !Sub '${DynamoTableNamePrefixParameter.Value}SophosTapData'
    PointInTimeRecoverySpecification:
      PointInTimeRecoveryEnabled: !GetAtt DynamoPointInTimeRecoveryEnabledParameter.Value
    Tags:
      - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]]
        Value: 'DynamoTable'
# DynamoDB table "<prefix>DailyScanStatistics": key (AccountId, Date), with
# GSIs ScanTypeAndScanEngine on (ScanType, ScanEngine) and LastRecordDate on
# (TrackerFlag, Date), both projecting all attributes.
DailyScanStatisticsTable:
  Type: AWS::DynamoDB::Table
  DependsOn: ConsoleTaskPolicy
  Properties:
    AttributeDefinitions:
      - AttributeName: "AccountId"
        AttributeType: "S"
      - AttributeName: "Date"
        AttributeType: "S"
      - AttributeName: "ScanType"
        AttributeType: "S"
      - AttributeName: "ScanEngine"
        AttributeType: "S"
      - AttributeName: "TrackerFlag"
        AttributeType: "N"
    KeySchema:
      - AttributeName: "AccountId"
        KeyType: "HASH"
      - AttributeName: "Date"
        KeyType: "RANGE"
    GlobalSecondaryIndexes:
      - IndexName: ScanTypeAndScanEngine
        KeySchema:
          - AttributeName: ScanType
            KeyType: HASH
          - AttributeName: ScanEngine
            KeyType: RANGE
        Projection:
          ProjectionType: ALL
      - IndexName: LastRecordDate
        KeySchema:
          - AttributeName: TrackerFlag
            KeyType: HASH
          - AttributeName: Date
            KeyType: RANGE
        Projection:
          ProjectionType: ALL
    BillingMode: PAY_PER_REQUEST
    TableName: !Sub '${DynamoTableNamePrefixParameter.Value}DailyScanStatistics'
    PointInTimeRecoverySpecification:
      PointInTimeRecoveryEnabled: !GetAtt DynamoPointInTimeRecoveryEnabledParameter.Value
    Tags:
      - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]]
        Value: 'DynamoTable'
# DynamoDB table "<prefix>MonthlyScanStatistics": same shape as the daily
# table — key (AccountId, Date), GSIs ScanTypeAndScanEngine and LastRecordDate.
MonthlyScanStatisticsTable:
  Type: AWS::DynamoDB::Table
  DependsOn: ConsoleTaskPolicy
  Properties:
    AttributeDefinitions:
      - AttributeName: "AccountId"
        AttributeType: "S"
      - AttributeName: "Date"
        AttributeType: "S"
      - AttributeName: "TrackerFlag"
        AttributeType: "N"
      - AttributeName: "ScanType"
        AttributeType: "S"
      - AttributeName: "ScanEngine"
        AttributeType: "S"
    KeySchema:
      - AttributeName: "AccountId"
        KeyType: "HASH"
      - AttributeName: "Date"
        KeyType: "RANGE"
    GlobalSecondaryIndexes:
      - IndexName: ScanTypeAndScanEngine
        KeySchema:
          - AttributeName: ScanType
            KeyType: HASH
          - AttributeName: ScanEngine
            KeyType: RANGE
        Projection:
          ProjectionType: ALL
      - IndexName: LastRecordDate
        KeySchema:
          - AttributeName: TrackerFlag
            KeyType: HASH
          - AttributeName: Date
            KeyType: RANGE
        Projection:
          ProjectionType: ALL
    BillingMode: PAY_PER_REQUEST
    TableName: !Sub '${DynamoTableNamePrefixParameter.Value}MonthlyScanStatistics'
    PointInTimeRecoverySpecification:
      PointInTimeRecoveryEnabled: !GetAtt DynamoPointInTimeRecoveryEnabledParameter.Value
    Tags:
      - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]]
        Value: 'DynamoTable'
# DynamoDB table "<prefix>ProblemFiles": key (Guid, DateScanned), with GSIs
# AccountIdAndDateScanned and AccountIdResultAndDateScanned (the latter keyed
# on the composite AccountIdResult attribute) for per-account listings.
ProblemFilesTable:
  Type: AWS::DynamoDB::Table
  DependsOn: ConsoleTaskPolicy
  Properties:
    AttributeDefinitions:
      - AttributeName: "Guid"
        AttributeType: "S"
      - AttributeName: "DateScanned"
        AttributeType: "S"
      - AttributeName: "AccountId"
        AttributeType: "S"
      - AttributeName: "AccountIdResult"
        AttributeType: "S"
    KeySchema:
      - AttributeName: "Guid"
        KeyType: "HASH"
      - AttributeName: "DateScanned"
        KeyType: "RANGE"
    GlobalSecondaryIndexes:
      - IndexName: AccountIdAndDateScanned
        KeySchema:
          - AttributeName: AccountId
            KeyType: HASH
          - AttributeName: DateScanned
            KeyType: RANGE
        Projection:
          ProjectionType: ALL
      - IndexName: AccountIdResultAndDateScanned
        KeySchema:
          - AttributeName: AccountIdResult
            KeyType: HASH
          - AttributeName: DateScanned
            KeyType: RANGE
        Projection:
          ProjectionType: ALL
    BillingMode: PAY_PER_REQUEST
    TableName: !Sub '${DynamoTableNamePrefixParameter.Value}ProblemFiles'
    PointInTimeRecoverySpecification:
      PointInTimeRecoveryEnabled: !GetAtt DynamoPointInTimeRecoveryEnabledParameter.Value
    Tags:
      - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]]
        Value: 'DynamoTable'
# DynamoDB table "<prefix>ClassificationResults": key (Date, Guid), plus GSI
# AccountIdAndGuid on (AccountId, Guid).
ClassificationResultsTable:
  Type: AWS::DynamoDB::Table
  DependsOn: ConsoleTaskPolicy
  Properties:
    AttributeDefinitions:
      - AttributeName: "Date"
        AttributeType: "S"
      - AttributeName: "Guid"
        AttributeType: "S"
      - AttributeName: "AccountId"
        AttributeType: "S"
    KeySchema:
      - AttributeName: "Date"
        KeyType: "HASH"
      - AttributeName: "Guid"
        KeyType: "RANGE"
    GlobalSecondaryIndexes:
      - IndexName: AccountIdAndGuid
        KeySchema:
          - AttributeName: AccountId
            KeyType: HASH
          - AttributeName: Guid
            KeyType: RANGE
        Projection:
          ProjectionType: ALL
    BillingMode: PAY_PER_REQUEST
    TableName: !Sub '${DynamoTableNamePrefixParameter.Value}ClassificationResults'
    PointInTimeRecoverySpecification:
      PointInTimeRecoveryEnabled: !GetAtt DynamoPointInTimeRecoveryEnabledParameter.Value
    Tags:
      - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]]
        Value: 'DynamoTable'
# DynamoDB table "<prefix>AllowedInfectedFiles": the allow-list of objects
# whose detections are accepted, keyed (BucketAndKey, VirusName) with GSI
# ActiveAndDateAdded on (Active, DateAdded). Entries here suppress a detection,
# so write access to this table is security-sensitive.
AllowedInfectedFilesTable:
  Type: AWS::DynamoDB::Table
  DependsOn: ConsoleTaskPolicy
  Properties:
    AttributeDefinitions:
      - AttributeName: "BucketAndKey"
        AttributeType: "S"
      - AttributeName: "VirusName"
        AttributeType: "S"
      - AttributeName: "DateAdded"
        AttributeType: "S"
      - AttributeName: "Active"
        AttributeType: "N"
    KeySchema:
      - AttributeName: "BucketAndKey"
        KeyType: "HASH"
      - AttributeName: "VirusName"
        KeyType: "RANGE"
    GlobalSecondaryIndexes:
      - IndexName: ActiveAndDateAdded
        KeySchema:
          - AttributeName: Active
            KeyType: HASH
          - AttributeName: DateAdded
            KeyType: RANGE
        Projection:
          ProjectionType: ALL
    BillingMode: PAY_PER_REQUEST
    TableName: !Sub '${DynamoTableNamePrefixParameter.Value}AllowedInfectedFiles'
    PointInTimeRecoverySpecification:
      PointInTimeRecoveryEnabled: !GetAtt DynamoPointInTimeRecoveryEnabledParameter.Value
    Tags:
      - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]]
        Value: 'DynamoTable'
# DynamoDB table "<prefix>LinkedAccounts", hash key AccountId.
LinkedAccountsTable:
  Type: AWS::DynamoDB::Table
  DependsOn: ConsoleTaskPolicy
  Properties:
    AttributeDefinitions:
      - AttributeName: "AccountId"
        AttributeType: "S"
    KeySchema:
      - AttributeName: "AccountId"
        KeyType: "HASH"
    BillingMode: PAY_PER_REQUEST
    TableName: !Sub '${DynamoTableNamePrefixParameter.Value}LinkedAccounts'
    PointInTimeRecoverySpecification:
      PointInTimeRecoveryEnabled: !GetAtt DynamoPointInTimeRecoveryEnabledParameter.Value
    Tags:
      - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]]
        Value: 'DynamoTable'
# DynamoDB table "<prefix>WorkDocsConnections", hash key OrganizationId.
WorkDocsConnectionsTable:
  Type: AWS::DynamoDB::Table
  DependsOn: ConsoleTaskPolicy
  Properties:
    AttributeDefinitions:
      - AttributeName: "OrganizationId"
        AttributeType: "S"
    KeySchema:
      - AttributeName: "OrganizationId"
        KeyType: "HASH"
    BillingMode: PAY_PER_REQUEST
    TableName: !Sub '${DynamoTableNamePrefixParameter.Value}WorkDocsConnections'
    PointInTimeRecoverySpecification:
      PointInTimeRecoveryEnabled: !GetAtt DynamoPointInTimeRecoveryEnabledParameter.Value
    Tags:
      - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]]
        Value: 'DynamoTable'
# DynamoDB table "<prefix>Groups", hash key Id.
GroupsTable:
  Type: AWS::DynamoDB::Table
  DependsOn: ConsoleTaskPolicy
  Properties:
    AttributeDefinitions:
      - AttributeName: "Id"
        AttributeType: "S"
    KeySchema:
      - AttributeName: "Id"
        KeyType: "HASH"
    BillingMode: PAY_PER_REQUEST
    TableName: !Sub '${DynamoTableNamePrefixParameter.Value}Groups'
    PointInTimeRecoverySpecification:
      PointInTimeRecoveryEnabled: !GetAtt DynamoPointInTimeRecoveryEnabledParameter.Value
    Tags:
      - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]]
        Value: 'DynamoTable'
# DynamoDB table "<prefix>GroupMembership": parent/child group edges, keyed
# (ParentGroupId, ChildGroupId).
GroupMembershipTable:
  Type: AWS::DynamoDB::Table
  DependsOn: ConsoleTaskPolicy
  Properties:
    AttributeDefinitions:
      - AttributeName: "ParentGroupId"
        AttributeType: "S"
      - AttributeName: "ChildGroupId"
        AttributeType: "S"
    KeySchema:
      - AttributeName: "ParentGroupId"
        KeyType: "HASH"
      - AttributeName: "ChildGroupId"
        KeyType: "RANGE"
    BillingMode: PAY_PER_REQUEST
    TableName: !Sub '${DynamoTableNamePrefixParameter.Value}GroupMembership'
    PointInTimeRecoverySpecification:
      PointInTimeRecoveryEnabled: !GetAtt DynamoPointInTimeRecoveryEnabledParameter.Value
    Tags:
      - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]]
        Value: 'DynamoTable'
# DynamoDB table "<prefix>Jobs": key (Type, Date), with GSI Status (hash key
# only, numeric) and GSI TypeAndParentJobId on (Type, ParentJobId).
JobsTable:
  Type: AWS::DynamoDB::Table
  DependsOn: ConsoleTaskPolicy
  Properties:
    AttributeDefinitions:
      - AttributeName: "Type"
        AttributeType: "S"
      - AttributeName: "Date"
        AttributeType: "S"
      - AttributeName: "Status"
        AttributeType: "N"
      - AttributeName: "ParentJobId"
        AttributeType: "S"
    KeySchema:
      - AttributeName: "Type"
        KeyType: "HASH"
      - AttributeName: "Date"
        KeyType: "RANGE"
    GlobalSecondaryIndexes:
      - IndexName: Status
        KeySchema:
          - AttributeName: Status
            KeyType: HASH
        Projection:
          ProjectionType: ALL
      - IndexName: TypeAndParentJobId
        KeySchema:
          - AttributeName: Type
            KeyType: HASH
          - AttributeName: ParentJobId
            KeyType: RANGE
        Projection:
          ProjectionType: ALL
    BillingMode: PAY_PER_REQUEST
    TableName: !Sub '${DynamoTableNamePrefixParameter.Value}Jobs'
    PointInTimeRecoverySpecification:
      PointInTimeRecoveryEnabled: !GetAtt DynamoPointInTimeRecoveryEnabledParameter.Value
    Tags:
      - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]]
        Value: 'DynamoTable'
# DynamoDB table "<prefix>LinkedAccountMembership": group-to-account edges,
# keyed (GroupId, AccountId).
LinkedAccountMembershipTable:
  Type: AWS::DynamoDB::Table
  DependsOn: ConsoleTaskPolicy
  Properties:
    AttributeDefinitions:
      - AttributeName: "GroupId"
        AttributeType: "S"
      - AttributeName: "AccountId"
        AttributeType: "S"
    KeySchema:
      - AttributeName: "GroupId"
        KeyType: "HASH"
      - AttributeName: "AccountId"
        KeyType: "RANGE"
    BillingMode: PAY_PER_REQUEST
    TableName: !Sub '${DynamoTableNamePrefixParameter.Value}LinkedAccountMembership'
    PointInTimeRecoverySpecification:
      PointInTimeRecoveryEnabled: !GetAtt DynamoPointInTimeRecoveryEnabledParameter.Value
    Tags:
      - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]]
        Value: 'DynamoTable'
# DynamoDB table "<prefix>VisibleGroups", hash key Username (per-user group
# visibility, presumably — confirm against the Console code).
VisibleGroupsTable:
  Type: AWS::DynamoDB::Table
  DependsOn: ConsoleTaskPolicy
  Properties:
    AttributeDefinitions:
      - AttributeName: "Username"
        AttributeType: "S"
    KeySchema:
      - AttributeName: "Username"
        KeyType: "HASH"
    BillingMode: PAY_PER_REQUEST
    TableName: !Sub '${DynamoTableNamePrefixParameter.Value}VisibleGroups'
    PointInTimeRecoverySpecification:
      PointInTimeRecoveryEnabled: !GetAtt DynamoPointInTimeRecoveryEnabledParameter.Value
    Tags:
      - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]]
        Value: 'DynamoTable'
# DynamoDB table "<prefix>ScheduledScans", hash key ScheduleName.
ScheduledScansTable:
  Type: AWS::DynamoDB::Table
  DependsOn: ConsoleTaskPolicy
  Properties:
    AttributeDefinitions:
      - AttributeName: "ScheduleName"
        AttributeType: "S"
    KeySchema:
      - AttributeName: "ScheduleName"
        KeyType: "HASH"
    BillingMode: PAY_PER_REQUEST
    TableName: !Sub '${DynamoTableNamePrefixParameter.Value}ScheduledScans'
    PointInTimeRecoverySpecification:
      PointInTimeRecoveryEnabled: !GetAtt DynamoPointInTimeRecoveryEnabledParameter.Value
    Tags:
      - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]]
        Value: 'DynamoTable'
# DynamoDB table "<prefix>ScheduledClassifications", hash key Name.
ScheduledClassificationsTable:
  Type: AWS::DynamoDB::Table
  DependsOn: ConsoleTaskPolicy
  Properties:
    AttributeDefinitions:
      - AttributeName: "Name"
        AttributeType: "S"
    KeySchema:
      - AttributeName: "Name"
        KeyType: "HASH"
    BillingMode: PAY_PER_REQUEST
    TableName: !Sub '${DynamoTableNamePrefixParameter.Value}ScheduledClassifications'
    PointInTimeRecoverySpecification:
      PointInTimeRecoveryEnabled: !GetAtt DynamoPointInTimeRecoveryEnabledParameter.Value
    Tags:
      - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]]
        Value: 'DynamoTable'
# DynamoDB table "<prefix>LicenseFileHistory": key (Type, DateApplied).
LicenseFileHistoryTable:
  Type: AWS::DynamoDB::Table
  DependsOn: ConsoleTaskPolicy
  Properties:
    AttributeDefinitions:
      - AttributeName: "Type"
        AttributeType: "S"
      - AttributeName: "DateApplied"
        AttributeType: "S"
    KeySchema:
      - AttributeName: "Type"
        KeyType: "HASH"
      - AttributeName: "DateApplied"
        KeyType: "RANGE"
    BillingMode: PAY_PER_REQUEST
    TableName: !Sub '${DynamoTableNamePrefixParameter.Value}LicenseFileHistory'
    PointInTimeRecoverySpecification:
      PointInTimeRecoveryEnabled: !GetAtt DynamoPointInTimeRecoveryEnabledParameter.Value
    Tags:
      - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]]
        Value: 'DynamoTable'
# DynamoDB table "<prefix>DeploymentStatus", hash key Region.
DeploymentStatusTable:
  Type: AWS::DynamoDB::Table
  DependsOn: ConsoleTaskPolicy
  Properties:
    AttributeDefinitions:
      - AttributeName: "Region"
        AttributeType: "S"
    KeySchema:
      - AttributeName: "Region"
        KeyType: "HASH"
    BillingMode: PAY_PER_REQUEST
    TableName: !Sub '${DynamoTableNamePrefixParameter.Value}DeploymentStatus'
    PointInTimeRecoverySpecification:
      PointInTimeRecoveryEnabled: !GetAtt DynamoPointInTimeRecoveryEnabledParameter.Value
    Tags:
      - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]]
        Value: 'DynamoTable'
# DynamoDB table "<prefix>Notifications": key (Guid, Date), with GSIs
# AccountIdAndDate on (AccountId, Date) and ReadAndDate on (Read, Date);
# Read is numeric (a 0/1 flag, presumably — confirm).
NotificationsTable:
  Type: AWS::DynamoDB::Table
  DependsOn: ConsoleTaskPolicy
  Properties:
    AttributeDefinitions:
      - AttributeName: "Guid"
        AttributeType: "S"
      - AttributeName: "Date"
        AttributeType: "S"
      - AttributeName: "AccountId"
        AttributeType: "S"
      - AttributeName: "Read"
        AttributeType: "N"
    KeySchema:
      - AttributeName: "Guid"
        KeyType: "HASH"
      - AttributeName: "Date"
        KeyType: "RANGE"
    GlobalSecondaryIndexes:
      - IndexName: AccountIdAndDate
        KeySchema:
          - AttributeName: AccountId
            KeyType: HASH
          - AttributeName: Date
            KeyType: RANGE
        Projection:
          ProjectionType: ALL
      - IndexName: ReadAndDate
        KeySchema:
          - AttributeName: Read
            KeyType: HASH
          - AttributeName: Date
            KeyType: RANGE
        Projection:
          ProjectionType: ALL
    BillingMode: PAY_PER_REQUEST
    TableName: !Sub '${DynamoTableNamePrefixParameter.Value}Notifications'
    PointInTimeRecoverySpecification:
      PointInTimeRecoveryEnabled: !GetAtt DynamoPointInTimeRecoveryEnabledParameter.Value
    Tags:
      - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]]
        Value: 'DynamoTable'
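# IAM role that Cognito assumes to send SMS (SMS MFA codes and phone-number
# verification for UserPool) through SNS. Created only when
# CreateUserPoolSnsRole holds; otherwise the UserPool's SmsConfiguration uses
# the caller-supplied UserPoolSnsRoleArn.
UserPoolSnsRole:
  Type: AWS::IAM::Role
  Condition: CreateUserPoolSnsRole
  Properties:
    RoleName: !Sub '${UserPoolRolePrefix}${AppConfigAgentApplication}'
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: "Allow"
          Principal:
            Service:
              - "cognito-idp.amazonaws.com"
          Action:
            - "sts:AssumeRole"
          # Confused-deputy guard. The UserPool's SmsConfiguration already sends
          # this ExternalId when Cognito assumes the role; requiring it here means
          # a user pool that does not present the same value cannot use the role.
          Condition:
            StringEquals:
              sts:ExternalId: !Join ['-', [CloudStorageSecUserPoolExternal, !Ref AppConfigAgentApplication]]
    Policies:
      - PolicyName: !Sub '${UserPoolPolicyPrefix}${AppConfigAgentApplication}'
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: "Allow"
              # Publishing an SMS directly to a phone number has no SNS resource
              # ARN, so the resource cannot be narrowed; only Publish is allowed.
              Action: "sns:publish"
              Resource: "*"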
# Cognito user pool backing Console sign-in. Self sign-up is disabled (admin
# creates users), MFA via TOTP or SMS is offered but not enforced (OPTIONAL),
# account recovery is by verified e-mail only, and the password policy requires
# 12+ characters from all four classes.
UserPool:
  Type: AWS::Cognito::UserPool
  Properties:
    AdminCreateUserConfig:
      AllowAdminCreateUserOnly: true
      InviteMessageTemplate:
        EmailSubject: !Sub
          - '${PRODUCTDESC} for Amazon S3 - Console Account Information'
          - PRODUCTDESC: !If [IsAntivirus, 'Antivirus', 'Data Classification']
        # {username} and {####} are Cognito's placeholders for the user name
        # and the temporary password. The message is a multi-line single-quoted
        # scalar, so YAML folds each single line break into a space before
        # Cognito sees it; only ${PRODUCTDESC} and ${URL} are substituted.
        EmailMessage: !Sub
          - 'A new account has been created for you in the ${PRODUCTDESC} for Amazon S3 Console.
            Your account credentials are provided below:
            User Name: {username}
            Temporary Password: {####}
            This temporary password will expire in 7 days.
            Sign in at ${URL} to change your password.
            Have Fun,
            Cloud Storage Security
            support@cloudstoragesec.com
            801-410-0408'
          - PRODUCTDESC: !If [IsAntivirus, 'Antivirus', 'Data Classification']
            # Sign-in URL: the Route53 name when a load balancer and a hosted
            # zone are used, a generic hint when only the load balancer is, and
            # the vendor-hosted cloudstoragesecapp.com subdomain otherwise.
            URL: !If [UseLB, !If [UseRoute53, !Sub 'https://${HostedSubdomain}.${HostedZoneName}', 'the address provided by your application administrator'], !Sub 'https://${SubdomainParameter.Value}.cloudstoragesecapp.com']
    UserPoolName: !Sub '${UserPoolPrefix}${AppConfigAgentApplication}'
    # OPTIONAL: users may enrol an authenticator app or SMS but are not required to.
    MfaConfiguration: OPTIONAL
    EnabledMfas: [SOFTWARE_TOKEN_MFA, SMS_MFA]
    AccountRecoverySetting:
      RecoveryMechanisms:
        - Name: verified_email
          Priority: 1
    AutoVerifiedAttributes:
      - phone_number
      - email
    SmsConfiguration:
      # ExternalId is presented to STS when Cognito assumes SnsCallerArn.
      ExternalId: !Join ['-', [CloudStorageSecUserPoolExternal, !Ref AppConfigAgentApplication]]
      SnsCallerArn: !If [CreateUserPoolSnsRole, !GetAtt UserPoolSnsRole.Arn, !Ref UserPoolSnsRoleArn]
    Policies:
      PasswordPolicy:
        MinimumLength: 12
        RequireLowercase: true
        RequireUppercase: true
        RequireNumbers: true
        RequireSymbols: true
        # Matches the "expire in 7 days" wording of the invite e-mail above.
        TemporaryPasswordValidityDays: 7
    # Custom attributes: three 0/1 numeric flags and a 12-digit AWS account id.
    Schema:
      - AttributeDataType: Number
        Mutable: true
        Name: hide_welcome_msg
        NumberAttributeConstraints:
          MinValue: 0
          MaxValue: 1
      - AttributeDataType: Number
        Mutable: true
        Name: hide_trial_msg
        NumberAttributeConstraints:
          MinValue: 0
          MaxValue: 1
      - AttributeDataType: Number
        Mutable: true
        Name: user_disabled
        NumberAttributeConstraints:
          MinValue: 0
          MaxValue: 1
      - AttributeDataType: String
        Mutable: true
        Name: aws_account_id
        StringAttributeConstraints:
          MinLength: 12
          MaxLength: 12
# App client the Console uses against the pool.  GenerateSecret makes it a
# confidential client, i.e. the secret must stay on the server side.
UserPoolClient:
  Type: AWS::Cognito::UserPoolClient
  Properties:
    ClientName: !Sub '${UserPoolClientPrefix}${AppConfigAgentApplication}'
    GenerateSecret: true
    UserPoolId: !Ref UserPool
# Authorization groups.  Group membership is what the Console uses to decide an
# account's access level; the GroupName values are referenced by name elsewhere
# (e.g. the Admins attachment below), so renaming one here is a breaking change.
UserPoolAdminGroup:
  Type: AWS::Cognito::UserPoolGroup
  Properties:
    Description: Accounts with Admin level access
    GroupName: Admins
    UserPoolId: !Ref UserPool
UserPoolUserGroup:
  Type: AWS::Cognito::UserPoolGroup
  Properties:
    Description: Accounts with user level access
    GroupName: Users
    UserPoolId: !Ref UserPool
# Service accounts for API access.
UserPoolApiGroup:
  Type: AWS::Cognito::UserPoolGroup
  Properties:
    Description: Accounts with API level access
    GroupName: Api
    UserPoolId: !Ref UserPool
UserPoolReadOnlyGroup:
  Type: AWS::Cognito::UserPoolGroup
  Properties:
    Description: Accounts with ReadOnly level access
    GroupName: ReadOnly
    UserPoolId: !Ref UserPool
# Semantics of "Primary" are not visible in the template — see the Console code.
UserPoolPrimaryGroup:
  Type: AWS::Cognito::UserPoolGroup
  Properties:
    Description: Accounts with access to the Primary group
    GroupName: Primary
    UserPoolId: !Ref UserPool
# The initial Console login, created from the UserName / Email parameters.
# Cognito sends the invite (temporary password) by e-mail; the address is
# pre-marked as verified so the user is not asked to confirm it at first login.
UserPoolUser:
  Type: AWS::Cognito::UserPoolUser
  Properties:
    DesiredDeliveryMediums: [EMAIL]
    Username: !Ref UserName
    UserPoolId: !Ref UserPool
    UserAttributes:
      - Name: email
        Value: !Ref Email
      - Name: email_verified
        Value: true
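# Puts the initial user into the Admins group.
UserPoolUserAdminGroupAttachment:
  Type: AWS::Cognito::UserPoolUserToGroupAttachment
  # Both the group being joined and the user must exist first.  The attachment
  # targets GroupName "Admins", which is created by UserPoolAdminGroup — the
  # previous DependsOn named UserPoolUserGroup ("Users") and so did not order
  # this resource after the group it actually joins.
  DependsOn:
    - UserPoolAdminGroup
    - UserPoolUser
  Properties:
    GroupName: Admins
    Username: !Ref UserName
    UserPoolId: !Ref UserPool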
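# Task role for the Console container.  Its permissions are attached by the
# ConsoleTaskPolicy* resources below.  Created only when CreateConsoleRole is
# set; otherwise the caller-supplied ConsoleTaskRoleArn / ConsoleTaskRoleName
# are used wherever this role is referenced.
ConsoleTaskRole:
  Type: AWS::IAM::Role
  Condition: CreateConsoleRole
  Properties:
    RoleName: !Sub '${ConsoleTaskRolePrefix}${AppConfigAgentApplication}'
    AssumeRolePolicyDocument:
      # Pinned to the current policy language like the other policy documents in
      # this template; without it IAM falls back to the legacy default version.
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            Service: ecs-tasks.amazonaws.com
          Action: 'sts:AssumeRole'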
# Main permission set of the Console task role.  Statements are grouped by how
# tightly their Resource can be scoped: actions that support no resource-level
# restriction, actions bounded only to a service, and actions bounded to
# resources named after the application id.
ConsoleTaskPolicy:
  Type: AWS::IAM::Policy
  Properties:
    PolicyName: !Sub '${ConsoleTaskPolicyPrefix}${AppConfigAgentApplication}'
    PolicyDocument:
      Version: '2012-10-17'
      Statement:
        # Describe/list calls plus a few mutating actions (ec2:DeleteVolume,
        # ecs:RunTask, ecs:*TaskDefinition*, acm:RequestCertificate) granted on
        # every resource in the account.  NOTE(review): these mutating grants
        # are the ones worth alerting on in CloudTrail for this role.
        - Sid: !Sub 'AllResources${AppConfigAgentApplication}'
          Effect: Allow
          Action:
            - acm:DescribeCertificate
            - acm:RequestCertificate
            - application-autoscaling:*ScalableTarget*
            - application-autoscaling:PutScalingPolicy
            - aws-marketplace:MeterUsage
            - cloudwatch:GetMetricStatistics
            - ec2:DeleteVolume
            - ec2:DescribeInternetGateways
            - ec2:DescribeNetwork*
            - ec2:DescribeRouteTables
            - ec2:DescribeSecurityGroups
            - ec2:DescribeSubnets
            - ec2:DescribeVolumes
            - ec2:DescribeVpcs
            - ecs:CreateCluster
            - ecs:*TaskDefinition*
            - ecs:ListTasks
            - ecs:RunTask
            # WorkDocs access — presumably a scan-source integration; the
            # feature is not visible in this template.
            - workdocs:*Document*
            - workdocs:*Labels
            - workdocs:*Metadata
            - workdocs:*NotificationSubscription
          Resource: "*"
        # Bounded only by service: the ARN patterns below are account-wide
        # wildcards for ec2, logs, s3, sns and sqs.  In effect the Console can
        # launch/terminate instances and edit security groups anywhere in the
        # account, and s3:PutBucket* / s3:GetBucket* cover bucket policies,
        # ACLs and public-access settings on every bucket — needed for
        # bucket protection, but a broad grant to be aware of.
        - Sid: !Sub 'AllResourcesInService${AppConfigAgentApplication}'
          Effect: Allow
          Action:
            - cloudwatch:DescribeAlarms
            - ec2:AuthorizeSecurityGroupIngress
            - ec2:*SecurityGroup
            - ec2:CreateTags
            - ec2:RevokeSecurityGroupIngress
            - ec2:RunInstances
            - ec2:TerminateInstances
            - logs:CreateLogStream
            - logs:DescribeLog*
            - logs:FilterLogEvents
            - logs:GetLog*
            - logs:GetQueryResults
            - logs:PutLogEvents
            - logs:*Query
            - s3:CreateBucket
            - s3:GetBucket*
            - s3:Get*Configuration
            - s3:GetObject*
            - s3:ListAllMyBuckets
            - s3:ListBucket
            - s3:PutBucket*
            - s3:PutObject*
            - s3:Put*Configuration
            - sns:ListSubscriptions*
            - sns:ListTopics
            - sns:Subscribe
            - sns:Unsubscribe
            - sqs:ListQueues
          Resource:
            - !Sub 'arn:${AWS::Partition}:cloudwatch:*:*:alarm:*'
            # AMIs have no account in their ARN, hence the empty field.
            - !Sub 'arn:${AWS::Partition}:ec2:*::image/*'
            - !Sub 'arn:${AWS::Partition}:ec2:*:*:*'
            - !Sub 'arn:${AWS::Partition}:logs:*:*:*'
            - !Sub 'arn:${AWS::Partition}:s3:::*'
            - !Sub 'arn:${AWS::Partition}:sns:*:*:*'
            - !Sub 'arn:${AWS::Partition}:sqs:*:*:*'
        # Scoped to resources whose names carry the application id.  The IAM
        # actions (CreateRole, *RolePolicy, PassRole, *InstanceProfile) are
        # limited to the role/profile ARNs listed first, so the Console cannot
        # pass or modify arbitrary roles.  cloudformation:UpdateStack on its
        # own stack means the Console can update the stack it runs in.
        - Sid: !Sub 'RestrictedResources${AppConfigAgentApplication}'
          Effect: Allow
          Action:
            - appconfig:*Profile*
            - appconfig:*Deployment
            - appconfig:TagResource
            - appconfig:UpdateDeploymentStrategy
            - cloudformation:DescribeStacks
            - cloudformation:UpdateStack
            - cloudwatch:DeleteAlarms
            - cloudwatch:DescribeAlarms
            - cloudwatch:PutMetricAlarm
            - cloudwatch:TagResource
            # Full control of the user pool (user/group management from the UI).
            - cognito-idp:*
            - dynamodb:BatchWriteItem
            - dynamodb:CreateTable
            - dynamodb:DeleteItem
            - dynamodb:DeleteTable
            - dynamodb:DescribeContinuousBackups
            - dynamodb:DescribeTable
            - dynamodb:GetItem
            - dynamodb:ListTagsOfResource
            - dynamodb:PutItem
            - dynamodb:Query
            - dynamodb:Scan
            - dynamodb:TagResource
            - dynamodb:UpdateContinuousBackups
            - dynamodb:UpdateItem
            - dynamodb:UpdateTable
            - ecr:ListImages
            - ecs:CreateService
            - ecs:DeleteCluster
            - ecs:DeleteService
            - ecs:Describe*
            - ecs:ListContainerInstances
            - ecs:ListTagsForResource
            - ecs:StopTask
            - ecs:TagResource
            - ecs:UpdateService
            - events:*Bus
            - events:*Permission
            - events:*Rule
            - events:*Targets
            # Matches TagResource / UntagResource.
            - events:*agResource
            - iam:*InstanceProfile
            - iam:*RolePolicy
            - iam:CreateRole
            - iam:DeleteRole
            - iam:GetRole
            - iam:PassRole
            - s3:PutEncryptionConfiguration
            - s3:PutLifecycleConfiguration
            - s3:DeleteBucket*
            - s3:DeleteObject*
            - securityhub:*Findings*
            - sns:AddPermission
            - sns:*Topic
            - sns:*Attributes
            - sns:ListSubscriptionsByTopic
            - sns:Publish
            - sns:TagResource
            - sqs:*Queue
            - sqs:*Message
            - sqs:*Attributes
            - ssm:AddTagsToResource
            - ssm:ListTagsForResource
            - ssm:*Document*
            - ssm:*Parameter*
          Resource:
            # Roles the Console may create/modify/pass (own or caller-supplied).
            - !If [CreateAgentRole, !GetAtt AgentTaskRole.Arn, !Ref AgentTaskRoleArn]
            - !If [CreateAppConfigDocRole, !GetAtt AppConfigAgentConfigurationDocumentRole.Arn, !Ref AppConfigAgentConfigurationDocumentRoleArn]
            - !If [CreateConsoleRole, !GetAtt ConsoleTaskRole.Arn, !Ref ConsoleTaskRoleArn]
            - !If [CreateEc2ContainerRole, !Sub 'arn:${AWS::Partition}:iam::*:role/${Ec2ContainerRolePrefix}${AppConfigAgentApplication}', !Ref Ec2ContainerInstanceProfileArn]
            - !If [CreateEc2ContainerRole, !Sub 'arn:${AWS::Partition}:iam::*:instance-profile/${Ec2ContainerRolePrefix}${AppConfigAgentApplication}', !Ref Ec2ContainerInstanceProfileArn]
            - !If [CreateExecutionRole, !GetAtt ExecutionRole.Arn, !Ref ExecutionRoleArn]
            - !If [CreateUserPoolSnsRole, !GetAtt UserPoolSnsRole.Arn, !Ref UserPoolSnsRoleArn]
            - !Sub 'arn:${AWS::Partition}:appconfig:*:*:application/${AppConfigAgentApplication}/*'
            - !Sub 'arn:${AWS::Partition}:appconfig:*:*:application/${AppConfigAgentApplication}'
            - !Sub 'arn:${AWS::Partition}:appconfig:*:*:deploymentstrategy/${AppConfigAgentDeploymentStrategy}'
            - !Sub 'arn:${AWS::Partition}:cognito-idp:*:*:userpool/${UserPool}'
            - !Sub 'arn:${AWS::Partition}:cloudformation:${AWS::Region}:*:stack/${AWS::StackName}/*'
            - !Sub 'arn:${AWS::Partition}:cloudwatch:*:*:alarm:*${AppConfigAgentApplication}'
            - !Sub 'arn:${AWS::Partition}:cloudwatch:*:*:alarm:TargetTracking-service/*${AppConfigAgentApplication}/*'
            - !Sub 'arn:${AWS::Partition}:dynamodb:${AWS::Region}:*:table/${DynamoTableNamePrefixParameter.Value}*'
            - !Sub 'arn:${AWS::Partition}:ecs:*:*:service/*${AppConfigAgentApplication}/*'
            - !Sub 'arn:${AWS::Partition}:ecs:*:*:cluster/*${AppConfigAgentApplication}'
            - !Sub 'arn:${AWS::Partition}:ecs:*:*:task/*${AppConfigAgentApplication}/*'
            - !Sub 'arn:${AWS::Partition}:events:*:*:*/*${AppConfigAgentApplication}'
            # Service-linked role needed when registering ECS scalable targets.
            - !Sub 'arn:${AWS::Partition}:iam::*:role/aws-service-role/ecs.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_ECSService'
            - !Sub 'arn:${AWS::Partition}:s3:::*${AppConfigAgentApplication}-*'
            - !Sub 'arn:${AWS::Partition}:s3:::*${AppConfigAgentApplication}-*/*'
            - !Sub 'arn:${AWS::Partition}:sns:*:*:*${AppConfigAgentApplication}'
            - !Sub 'arn:${AWS::Partition}:sqs:*:*:*${AppConfigAgentApplication}*'
            # Public SSM parameter giving the current ECS-optimized AMI id.
            - !Sub 'arn:${AWS::Partition}:ssm:*:*:parameter/aws/service/ecs/optimized-ami/amazon-linux-2/recommended/image_id'
            - !Sub 'arn:${AWS::Partition}:ssm:*:*:document/*${AppConfigAgentApplication}'
            - !Sub 'arn:${AWS::Partition}:ssm:*:*:parameter/*${AppConfigAgentApplication}/*'
            - !Sub 'arn:${AWS::Partition}:ssm:*:*:parameter/*${AppConfigAgentApplication}'
            # Vendor ECR repositories in the deployment region only.
            - !Sub 'arn:${AWS::Partition}:ecr:${AWS::Region}:${EcrAccountIdParameter.Value}:repository/cloudstoragesecurity/*'
            - !Sub 'arn:${AWS::Partition}:securityhub:${AWS::Region}::product/cloud-storage-security/antivirus-for-amazon-s3'
            - !Sub 'arn:${AWS::Partition}:securityhub:${AWS::Region}:*:product-subscription/cloud-storage-security/antivirus-for-amazon-s3'
            - !Sub 'arn:${AWS::Partition}:securityhub:${AWS::Region}:*:hub/default'
        # Log-group lifecycle, limited to the product's CloudStorageSecurity.* groups.
        - Sid: !Sub 'Logs${AppConfigAgentApplication}'
          Effect: Allow
          Action:
            - logs:CreateLogGroup
            - logs:DeleteLogGroup
            - logs:PutRetentionPolicy
          Resource:
            - !Sub 'arn:${AWS::Partition}:logs:*:*:log-group:CloudStorageSecurity.*'
            - !Sub 'arn:${AWS::Partition}:logs:*:*:log-group:CloudStorageSecurity.*:*'
        # Cross-account scanning: assume a role suffixed with the application id
        # in any account.  The target role's trust policy is what actually
        # limits which accounts are reachable.
        - Sid: !Sub 'CrossAccount${AppConfigAgentApplication}'
          Effect: Allow
          Action: sts:AssumeRole
          Resource: !Sub 'arn:${AWS::Partition}:iam::*:role/*${AppConfigAgentApplication}'
        # KMS use only on behalf of S3 (SSE-KMS objects).  With BlanketKmsAccess
        # off, the Resource is a placeholder ARN that matches no key, so the
        # statement grants nothing and key policies must grant access explicitly.
        - Sid: !Sub 'KmsConsole${AppConfigAgentApplication}'
          Effect: Allow
          Condition:
            StringLike:
              kms:ViaService: !Sub s3.*.${AWS::URLSuffix}
          Action:
            - kms:Decrypt
            - kms:Encrypt
            - kms:GenerateDataKey
          Resource: !If [BlanketKmsAccess, '*', !Sub 'arn:${AWS::Partition}:kms:::key/no-blanket-kms-access']
    Roles:
      - !If [CreateConsoleRole, !Ref ConsoleTaskRole, !Ref ConsoleTaskRoleName]
# Extra Console permissions for managing the API load balancer the Console
# creates for the API agents (see the API_LB_* task environment variables).
ConsoleTaskPolicyApiLb:
  Type: AWS::IAM::Policy
  DependsOn: ConsoleTaskPolicy
  Properties:
    PolicyName: !Sub '${ConsoleTaskPolicyPrefix}${AppConfigAgentApplication}-ApiLb'
    PolicyDocument:
      Version: '2012-10-17'
      Statement:
        # Describe calls support no resource-level restriction.
        - Sid: !Sub 'AllResources${AppConfigAgentApplication}'
          Effect: Allow
          Action:
            - ec2:DescribeAccountAttributes
            - elasticloadbalancing:DescribeListeners
            - elasticloadbalancing:DescribeLoadBalancers
            - elasticloadbalancing:DescribeTargetGroups
          Resource: "*"
        # Create/modify/delete is limited to ELB resources whose names include
        # the application id, plus creation of the ELB service-linked role.
        - Sid: !Sub 'RestrictedResources${AppConfigAgentApplication}'
          Effect: Allow
          Action:
            - elasticloadbalancing:Create*
            - elasticloadbalancing:Delete*
            - elasticloadbalancing:Modify*
            - elasticloadbalancing:SetSubnets
            - iam:CreateServiceLinkedRole
          Resource:
            - !Sub 'arn:${AWS::Partition}:elasticloadbalancing:*:*:listener/*/*${AppConfigAgentApplication}/*'
            - !Sub 'arn:${AWS::Partition}:elasticloadbalancing:*:*:loadbalancer/*/*${AppConfigAgentApplication}/*'
            - !Sub 'arn:${AWS::Partition}:elasticloadbalancing:*:*:targetgroup/*${AppConfigAgentApplication}/*'
            - !Sub 'arn:${AWS::Partition}:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing'
    Roles:
      - !If [CreateConsoleRole, !Ref ConsoleTaskRole, !Ref ConsoleTaskRoleName]
# License Manager read/checkout used for Marketplace licensing checks.  Both
# actions are account-level, so "*" is the only valid Resource.
ConsoleTaskPolicyAwsLicensing:
  Type: AWS::IAM::Policy
  DependsOn: ConsoleTaskPolicy
  Properties:
    PolicyName: !Sub '${ConsoleTaskPolicyPrefix}${AppConfigAgentApplication}-AwsLicensing'
    PolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Sid: !Sub 'AllResources${AppConfigAgentApplication}'
          Effect: Allow
          Action:
            - license-manager:CheckoutLicense
            - license-manager:ListReceivedLicenses
          Resource: "*"
    Roles:
      - !If [CreateConsoleRole, !Ref ConsoleTaskRole, !Ref ConsoleTaskRoleName]
# CloudTrail Lake access for the Console (event data stores, queries, channels).
CloudTrailLakePolicy:
  Type: AWS::IAM::Policy
  DependsOn: ConsoleTaskPolicy
  Properties:
    PolicyName: !Sub '${ConsoleTaskPolicyPrefix}${AppConfigAgentApplication}-CloudTrailLake'
    PolicyDocument:
      Version: '2012-10-17'
      Statement:
        # Account-wide: any event data store / query / channel, plus read of
        # IAM roles, inline role policies and users.  Unlike ConsoleTaskPolicy
        # these are not name-scoped to the application id.
        - Sid: CloudTrail
          Effect: Allow
          Action:
            - cloudtrail:*DataStore*
            - cloudtrail:*Quer*
            - cloudtrail:*Channel*
            - cloudtrail-data:*Audit*
            - iam:ListRoles
            - iam:GetRolePolicy
            - iam:GetUser
          Resource: "*"
        # PassRole is restricted to passing to CloudTrail, but the Resource is
        # any role in the account.  NOTE(review): if the roles handed to
        # CloudTrail are always application-named, the same
        # role/*${AppConfigAgentApplication} pattern used in ConsoleTaskPolicy
        # would narrow this considerably.
        - Sid: PassRole
          Effect: Allow
          Action:
            - iam:PassRole
          Resource: "*"
          Condition:
            StringEquals:
              iam:PassedToService: cloudtrail.amazonaws.com
    Roles:
      - !If [CreateConsoleRole, !Ref ConsoleTaskRole, !Ref ConsoleTaskRoleName]
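# Task role for the scanning agents.  Trusted by ECS tasks and by the Console
# role itself, so the Console can act with agent permissions when it needs to.
# Created only when CreateAgentRole is set; otherwise AgentTaskRoleArn is used.
AgentTaskRole:
  Type: AWS::IAM::Role
  Condition: CreateAgentRole
  Properties:
    RoleName: !Sub '${AgentTaskRolePrefix}${AppConfigAgentApplication}'
    AssumeRolePolicyDocument:
      # Pinned to the current policy language like the other policy documents in
      # this template; without it IAM falls back to the legacy default version.
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            Service: ecs-tasks.amazonaws.com
            AWS: !If [CreateConsoleRole, !GetAtt ConsoleTaskRole.Arn, !Ref ConsoleTaskRoleArn]
          Action: 'sts:AssumeRole'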
# Permission set for the scanning agents: read/quarantine objects in any
# bucket, report results, and pull their configuration.
AgentTaskPolicy:
  Type: 'AWS::IAM::Policy'
  Properties:
    PolicyName: !Sub '${AgentTaskPolicyPrefix}${AppConfigAgentApplication}'
    PolicyDocument:
      Version: '2012-10-17'
      Statement:
        # Actions without resource-level restriction.
        - Sid: !Sub 'AllResources${AppConfigAgentApplication}'
          Effect: Allow
          Action:
            - aws-marketplace:MeterUsage
            - ec2:DescribeVpcs
            - workdocs:*Document*
            - workdocs:*Labels
            - workdocs:*Metadata
          Resource: "*"
        # Bounded only by service.  The S3 grants cover every bucket in the
        # account: object read/write/delete (scanning and quarantine moves) and
        # bucket encryption settings.  This is the agents' broadest grant.
        - Sid: !Sub 'AllResourcesInService${AppConfigAgentApplication}'
          Effect: Allow
          Action:
            - appconfig:ListApplications
            - appconfig:ListDeploymentStrategies
            - s3:DeleteObject
            - s3:DeleteObjectVersion
            - s3:GetBucketAcl
            - s3:GetBucketLocation
            - s3:GetObject*
            - s3:GetEncryptionConfiguration
            - s3:ListBucket
            - s3:PutObject*
            - s3:PutEncryptionConfiguration
            - ssm:ListDocuments
          Resource:
            - !Sub 'arn:${AWS::Partition}:s3:::*'
            - !Sub 'arn:${AWS::Partition}:appconfig:*:*:*'
            - !Sub 'arn:${AWS::Partition}:ssm:*:*:*'
        # Scoped to this deployment's AppConfig, user pool, tables, queues,
        # topics and SSM documents/parameters.  NOTE(review): cognito-idp:* is
        # the full user-pool API; it is the same grant the Console holds, which
        # is more than an agent is likely to need — worth confirming what the
        # agents call against the pool.
        - Sid: !Sub 'RestrictedResources${AppConfigAgentApplication}'
          Effect: Allow
          Action:
            - appconfig:GetApplication
            - appconfig:GetConfiguration*
            - appconfig:GetDeploymentStrategy
            - appconfig:GetEnvironment
            - appconfig:ListConfigurationProfiles
            - appconfig:ListDeployments
            - appconfig:ListEnvironments
            - cognito-idp:*
            - dynamodb:DeleteItem
            - dynamodb:DescribeTable
            - dynamodb:GetItem
            - dynamodb:PutItem
            - dynamodb:BatchWriteItem
            - dynamodb:Query
            - dynamodb:Scan
            - dynamodb:UpdateItem
            - logs:CreateLogStream
            - logs:DescribeLogGroups
            - logs:PutLogEvents
            - securityhub:BatchImportFindings
            - sns:ConfirmSubscription
            - sns:Publish
            - sqs:*Message
            - sqs:GetQueueAttributes
            - ssm:GetDocument
            - ssm:GetParameters
            - ssm:GetParametersByPath
          Resource:
            - !Sub 'arn:${AWS::Partition}:appconfig:*:*:application/${AppConfigAgentApplication}/configurationprofile/*'
            - !Sub 'arn:${AWS::Partition}:appconfig:*:*:application/${AppConfigAgentApplication}/environment/${AppConfigAgentEnvironment}'
            - !Sub 'arn:${AWS::Partition}:appconfig:*:*:application/${AppConfigAgentApplication}'
            - !Sub 'arn:${AWS::Partition}:appconfig:*:*:deploymentstrategy/${AppConfigAgentDeploymentStrategy}'
            - !Sub 'arn:${AWS::Partition}:cognito-idp:*:*:userpool/${UserPool}'
            - !Sub 'arn:${AWS::Partition}:dynamodb:${AWS::Region}:*:table/${DynamoTableNamePrefixParameter.Value}*'
            - !Sub 'arn:${AWS::Partition}:logs:*:*:*'
            - !Sub 'arn:${AWS::Partition}:securityhub:${AWS::Region}::product/cloud-storage-security/antivirus-for-amazon-s3'
            # WorkDocs-generated topics, in addition to the application-named ones.
            - !Sub 'arn:${AWS::Partition}:sns:*:*:awsworkdocs*'
            - !Sub 'arn:${AWS::Partition}:sns:*:*:*${AppConfigAgentApplication}'
            - !Sub 'arn:${AWS::Partition}:sqs:*:*:*${AppConfigAgentApplication}*'
            - !Sub 'arn:${AWS::Partition}:ssm:*:*:document/*${AppConfigAgentApplication}'
            - !Sub 'arn:${AWS::Partition}:ssm:*:*:parameter/*${AppConfigAgentApplication}/*'
            - !Sub 'arn:${AWS::Partition}:ssm:*:*:parameter/*${AppConfigAgentApplication}'
        # Log-group creation is not name-scoped here (the Console's equivalent
        # statement is limited to CloudStorageSecurity.* groups).
        - Sid: !Sub 'Logs${AppConfigAgentApplication}'
          Effect: Allow
          Action: logs:CreateLogGroup
          Resource: !Sub 'arn:${AWS::Partition}:logs:*:*:*'
        # Cross-account scanning via application-named roles in other accounts.
        - Sid: !Sub 'CrossAccount${AppConfigAgentApplication}'
          Effect: Allow
          Action: sts:AssumeRole
          Resource:
            - !Sub 'arn:${AWS::Partition}:iam::*:role/*${AppConfigAgentApplication}'
        # KMS only on behalf of S3; with BlanketKmsAccess off the placeholder ARN
        # matches no key and key policies must grant the agent role explicitly.
        - Sid: !Sub 'Kms${AppConfigAgentApplication}'
          Effect: Allow
          Condition:
            StringLike:
              kms:ViaService: !Sub s3.*.${AWS::URLSuffix}
          Action:
            - kms:Decrypt
            - kms:Encrypt
            - kms:GenerateDataKey
          Resource: !If [BlanketKmsAccess, '*', !Sub 'arn:${AWS::Partition}:kms:::key/no-blanket-kms-access']
    Roles:
      - !If [CreateAgentRole, !Ref AgentTaskRole, !Ref AgentTaskRoleName]
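# ECS task execution role (image pull from ECR and log delivery on behalf of the
# tasks), distinct from the task roles the application code runs with.
# Created only when CreateExecutionRole is set; otherwise ExecutionRoleArn is used.
ExecutionRole:
  Type: AWS::IAM::Role
  Condition: CreateExecutionRole
  Properties:
    RoleName: !Sub '${ExecutionRolePrefix}${AppConfigAgentApplication}'
    AssumeRolePolicyDocument:
      # Pinned to the current policy language like the other policy documents in
      # this template; without it IAM falls back to the legacy default version.
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            Service: ecs-tasks.amazonaws.com
          Action: 'sts:AssumeRole'
    ManagedPolicyArns:
      - !Sub 'arn:${AWS::Partition}:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy'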
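# Instance role for EC2 hosts the Console launches to run agents (the
# ec2:RunInstances grant in ConsoleTaskPolicy).  Carries the AWS-managed ECS
# container-instance policy; Ec2ContainerPolicy adds volume/snapshot rights.
Ec2ContainerRole:
  Type: AWS::IAM::Role
  DependsOn: ConsoleTaskPolicy
  Condition: CreateEc2ContainerRole
  Properties:
    RoleName: !Sub '${Ec2ContainerRolePrefix}${AppConfigAgentApplication}'
    AssumeRolePolicyDocument:
      # Pinned to the current policy language like the other policy documents in
      # this template; without it IAM falls back to the legacy default version.
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            Service: ec2.amazonaws.com
          Action: 'sts:AssumeRole'
    ManagedPolicyArns:
      - !Sub 'arn:${AWS::Partition}:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role'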
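# EBS volume and snapshot management for the EC2 agent hosts.  None of these
# are name-scoped, so a host can attach, snapshot or delete any volume in the
# account — presumably needed for the large-file scanning path; treat
# ec2:DeleteVolume / ec2:DeleteSnapshot / ec2:ModifySnapshotAttribute from
# this role as worth monitoring.
Ec2ContainerPolicy:
  Type: 'AWS::IAM::Policy'
  DependsOn: ConsoleTaskPolicy
  Properties:
    PolicyName: !Sub '${Ec2ContainerPolicyPrefix}${AppConfigAgentApplication}'
    PolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Sid: AllResources
          Effect: Allow
          Action:
            - ec2:AttachVolume
            - ec2:CopySnapshot
            - ec2:CreateSnapshot
            - ec2:CreateTags
            - ec2:CreateVolume
            - ec2:DeleteSnapshot
            - ec2:DeleteVolume
            - ec2:DescribeAvailabilityZones
            - ec2:DescribeInstances
            - ec2:DescribeSnapshotAttribute
            - ec2:DescribeSnapshots
            - ec2:DescribeTags
            - ec2:DescribeVolumeAttribute
            - ec2:DescribeVolumes
            - ec2:DescribeVolumeStatus
            # Listed once (the original repeated this entry).
            - ec2:DetachVolume
            - ec2:ModifySnapshotAttribute
            - ec2:ModifyVolumeAttribute
          Resource: '*'
    Roles:
      - !If [CreateEc2ContainerRole, !Ref Ec2ContainerRole, !Ref Ec2ContainerInstanceRoleName]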
# Instance profile wrapping Ec2ContainerRole; its ARN is handed to the Console
# as EC2_CONTAINER_ROLE_ARN so launched hosts receive the role.
Ec2ContainerInstanceProfile:
  Type: AWS::IAM::InstanceProfile
  DependsOn: ConsoleTaskPolicy
  Condition: CreateEc2ContainerRole
  Properties:
    InstanceProfileName: !Sub '${Ec2ContainerRolePrefix}${AppConfigAgentApplication}'
    Roles:
      - !Ref Ec2ContainerRole
# Security group for the Console task when it is exposed directly (no load
# balancer).  80 and 443 are opened to the operator-supplied CIDR; with
# 0.0.0.0/0 (allowed by the parameter) the Console is reachable from anywhere.
# No SecurityGroupEgress is declared, so the CloudFormation default allow-all
# outbound rule applies.
ContainerSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Condition: CreateConsoleSecurityGroupNoLB
  DependsOn: ConsoleTaskPolicy
  Properties:
    GroupDescription: !Sub '${ConsoleSecurityGroupPrefix}${AppConfigAgentApplication}'
    VpcId: !Ref VPC
    SecurityGroupIngress:
      # Plain HTTP; presumably redirected to 443 by the Console — confirm.
      - IpProtocol: tcp
        FromPort: 80
        ToPort: 80
        CidrIp: !Ref ConsoleSecurityGroupCidrBlock
      - IpProtocol: tcp
        FromPort: 443
        ToPort: 443
        CidrIp: !Ref ConsoleSecurityGroupCidrBlock
    Tags:
      - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]]
        Value: 'SecurityGroup'
# When the operator supplies their own Console security group, the same two
# ingress rules are added to it instead of creating ContainerSecurityGroup.
ExistingConsoleSecurityGroupIngressPort80:
  Type: 'AWS::EC2::SecurityGroupIngress'
  Condition: UseExistingConsoleSecurityGroup
  Properties:
    GroupId: !Ref ConsoleSecurityGroup
    IpProtocol: tcp
    FromPort: 80
    ToPort: 80
    CidrIp: !Ref ConsoleSecurityGroupCidrBlock
ExistingConsoleSecurityGroupIngressPort443:
  Type: 'AWS::EC2::SecurityGroupIngress'
  Condition: UseExistingConsoleSecurityGroup
  Properties:
    GroupId: !Ref ConsoleSecurityGroup
    IpProtocol: tcp
    FromPort: 443
    ToPort: 443
    CidrIp: !Ref ConsoleSecurityGroupCidrBlock
# Security group for the Console task behind the load balancer.  Ingress is
# accepted only from the load balancer's security group, so the task is not
# reachable from the operator CIDR directly.  No egress is declared, so the
# CloudFormation default allow-all outbound rule applies.
ContainerSecurityGroupWithLB:
  Type: AWS::EC2::SecurityGroup
  Condition: CreateContainerSecurityGroupLB
  DependsOn: ConsoleTaskPolicy
  Properties:
    GroupDescription: !Sub '${ConsoleSecurityGroupPrefix}${AppConfigAgentApplication}'
    VpcId: !Ref VPC
    SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 80
        ToPort: 80
        SourceSecurityGroupId: !If [CreateConsoleSecurityGroupLB, !Ref LoadBalancerSecurityGroup, !Ref ConsoleSecurityGroup]
      - IpProtocol: tcp
        FromPort: 443
        ToPort: 443
        SourceSecurityGroupId: !If [CreateConsoleSecurityGroupLB, !Ref LoadBalancerSecurityGroup, !Ref ConsoleSecurityGroup]
    Tags:
      - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]]
        Value: 'SecurityGroup'
# Same LB-only ingress rules, applied to an operator-supplied container
# security group (ContainerSecurityGroupLB) instead of a new one.
ExistingContainerSecurityGroupIngressPort80:
  Type: 'AWS::EC2::SecurityGroupIngress'
  Condition: UseExistingContainerSecurityGroupLB
  Properties:
    GroupId: !Ref ContainerSecurityGroupLB
    IpProtocol: tcp
    FromPort: 80
    ToPort: 80
    SourceSecurityGroupId: !If [CreateConsoleSecurityGroupLB, !Ref LoadBalancerSecurityGroup, !Ref ConsoleSecurityGroup]
ExistingContainerSecurityGroupIngressPort443:
  Type: 'AWS::EC2::SecurityGroupIngress'
  Condition: UseExistingContainerSecurityGroupLB
  Properties:
    GroupId: !Ref ContainerSecurityGroupLB
    IpProtocol: tcp
    FromPort: 443
    ToPort: 443
    SourceSecurityGroupId: !If [CreateConsoleSecurityGroupLB, !Ref LoadBalancerSecurityGroup, !Ref ConsoleSecurityGroup]
# Security group for the Console load balancer: 80/443 from the operator CIDR.
# This is the only network boundary between the internet (when the scheme is
# internet-facing and the CIDR is 0.0.0.0/0) and the Console sign-in page.
LoadBalancerSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Condition: CreateConsoleSecurityGroupLB
  DependsOn: ConsoleTaskPolicy
  Properties:
    GroupDescription: !Sub '${LoadBalancerGroupPrefix}${AppConfigAgentApplication}'
    VpcId: !Ref VPC
    SecurityGroupIngress:
      # Port 80 is opened here although the Listener below only serves 443;
      # confirm whether an HTTP listener/redirect exists elsewhere in the stack.
      - IpProtocol: tcp
        FromPort: 80
        ToPort: 80
        CidrIp: !Ref ConsoleSecurityGroupCidrBlock
      - IpProtocol: tcp
        FromPort: 443
        ToPort: 443
        CidrIp: !Ref ConsoleSecurityGroupCidrBlock
    Tags:
      - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]]
        Value: 'SecurityGroup'
# Log group for the Console container (awslogs driver in the task definition).
# Seven-day retention; no KmsKeyId, so CloudWatch's default encryption applies.
# The name falls under the CloudStorageSecurity.* pattern the Console role may manage.
CloudwatchLogsGroup:
  Type: 'AWS::Logs::LogGroup'
  DependsOn: ConsoleTaskPolicy
  Properties:
    LogGroupName: !Sub 'CloudStorageSecurity.ECS.${AppConfigAgentApplication}.Console'
    RetentionInDays: 7
# ECS cluster hosting the Console service (the name is also exported to the
# container as CLUSTER_NAME).  No ClusterSettings are declared, so Container
# Insights is left at the account default.
Cluster:
  Type: AWS::ECS::Cluster
  DependsOn: ConsoleTaskPolicy
  Properties:
    ClusterName: !Sub '${ClusterPrefix}${AppConfigAgentApplication}'
    Tags:
      - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]]
        Value: 'ConsoleCluster'
# Console service when no load balancer is used: a single Fargate task exposed
# directly through its security group.  A public IP is assigned only if the
# ConsoleAutoAssignPublicIp parameter says so; in a private subnet the task
# still needs a NAT/endpoint path for ECR and AWS API calls.
Service:
  Type: AWS::ECS::Service
  Condition: DontUseLB
  Properties:
    ServiceName: !Sub '${ServicePrefix}${AppConfigAgentApplication}'
    Cluster: !Ref Cluster
    TaskDefinition: !Ref TaskDefinition
    # Rolling updates keep the existing task until its replacement is running.
    DeploymentConfiguration:
      MinimumHealthyPercent: 100
      MaximumPercent: 200
    DesiredCount: 1
    LaunchType: FARGATE
    PlatformVersion: 1.4.0
    NetworkConfiguration:
      AwsvpcConfiguration:
        AssignPublicIp: !Ref ConsoleAutoAssignPublicIp
        Subnets:
          - !Ref SubnetA
          - !Ref SubnetB
        SecurityGroups:
          - !If [CreateConsoleSecurityGroupNoLB, !Ref ContainerSecurityGroup, !Ref ConsoleSecurityGroup]
    Tags:
      - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]]
        Value: 'ConsoleService'
# Console service behind the load balancer.  The container registers on port
# 443 with an HTTPS target group, so TLS is terminated at the listener and
# re-established to the task (no plaintext hop inside the VPC).
ServiceWithLB:
  Type: AWS::ECS::Service
  Condition: UseLB
  # The target group must already be attached to a listener before a service
  # can register with it, hence the explicit ordering on Listener.
  DependsOn:
    - Listener
    - ConsoleTaskPolicyApiLb
  Properties:
    ServiceName: !Sub '${ServicePrefix}LB-${AppConfigAgentApplication}'
    Cluster: !Ref Cluster
    TaskDefinition: !Ref TaskDefinition
    DeploymentConfiguration:
      MinimumHealthyPercent: 100
      MaximumPercent: 200
    DesiredCount: 1
    LaunchType: FARGATE
    PlatformVersion: 1.4.0
    NetworkConfiguration:
      AwsvpcConfiguration:
        AssignPublicIp: !Ref ConsoleAutoAssignPublicIp
        Subnets:
          - !Ref SubnetA
          - !Ref SubnetB
        SecurityGroups:
          - !If [CreateContainerSecurityGroupLB, !Ref ContainerSecurityGroupWithLB, !Ref ContainerSecurityGroupLB]
    LoadBalancers:
      - ContainerName: !Sub '${TaskDefinitionPrefix}${AppConfigAgentApplication}'
        ContainerPort: 443
        TargetGroupArn: !Ref TargetGroup
    Tags:
      - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]]
        Value: 'ConsoleService'
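# Fargate task definition for the Console.  The Environment block is the
# contract between this template and the container: every name the Console
# creates at runtime (agent tasks/services, queues, topics, alarms, scaling
# policies, cross-account roles) is passed in here so the IAM name patterns in
# ConsoleTaskPolicy and the resources the Console creates stay in agreement.
TaskDefinition:
  Type: AWS::ECS::TaskDefinition
  DependsOn: ConsoleTaskPolicy
  Properties:
    Family: !Sub '${TaskDefinitionPrefix}${AppConfigAgentApplication}'
    NetworkMode: awsvpc
    RequiresCompatibilities:
      - FARGATE
    # Task size comes from the vCPU/memory parameters through the lookup maps.
    Cpu: !FindInMap [vCPUvalues, !Ref ConsoleCpu, size]
    Memory: !FindInMap [MemValues, !Ref ConsoleMemory, size]
    # Execution role pulls the image and ships logs; the task role is what the
    # Console's own AWS calls are made with.
    ExecutionRoleArn: !If [CreateExecutionRole, !GetAtt ExecutionRole.Arn, !Ref ExecutionRoleArn]
    TaskRoleArn: !If [CreateConsoleRole, !GetAtt ConsoleTaskRole.Arn, !Ref ConsoleTaskRoleArn]
    ContainerDefinitions:
      - Name: !Sub '${TaskDefinitionPrefix}${AppConfigAgentApplication}'
        # Image tag is pinned to the template version (see Description).
        # NOTE(review): the registry host hard-codes amazonaws.com while the
        # rest of the template uses ${AWS::Partition}/${AWS::URLSuffix}; only
        # matters if a non-standard partition is ever targeted.
        Image: !Sub ${EcrAccountIdParameter.Value}.dkr.ecr.${AWS::Region}.amazonaws.com/cloudstoragesecurity/console:v6.05.002
        Cpu: !FindInMap [vCPUvalues, !Ref ConsoleCpu, size]
        MemoryReservation: !FindInMap [MemValues, !Ref ConsoleMemory, size]
        Environment:
          # Roles the Console hands to ECS / EC2 when it launches agents.
          - Name: AGENT_TASK_DEFINITION_ROLE_ARN
            Value: !If [CreateAgentRole, !GetAtt AgentTaskRole.Arn, !Ref AgentTaskRoleArn]
          - Name: APP_CONFIG_AGENT_APPLICATION_ID
            Value: !Ref AppConfigAgentApplication
          - Name: APP_CONFIG_AGENT_CONFIGURATION_PROFILE_ROLE_ARN
            Value: !If [CreateAppConfigDocRole, !GetAtt AppConfigAgentConfigurationDocumentRole.Arn, !Ref AppConfigAgentConfigurationDocumentRoleArn]
          - Name: APP_CONFIG_AGENT_DEPLOYMENT_STRATEGY_ID
            Value: !Ref AppConfigAgentDeploymentStrategy
          - Name: APP_CONFIG_AGENT_ENVIRONMENT_ID
            Value: !Ref AppConfigAgentEnvironment
          - Name: EXECUTION_ROLE_ARN
            Value: !If [CreateExecutionRole, !GetAtt ExecutionRole.Arn, !Ref ExecutionRoleArn]
          # Despite the name this is the instance-profile ARN, not the role ARN.
          - Name: EC2_CONTAINER_ROLE_ARN
            Value: !If [CreateEc2ContainerRole, !GetAtt Ec2ContainerInstanceProfile.Arn, !Ref Ec2ContainerInstanceProfileArn]
          # Network placement the Console reuses for the agents it launches.
          - Name: CONSOLE_VPC
            Value: !Ref VPC
          - Name: CONSOLE_SUBNET
            Value: !Join [',', [!Ref SubnetA, !Ref SubnetB]]
          - Name: PARAMETER_STORE_NAME_PREFIX
            Value: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}'
          # With a load balancer the Console is told the LB's group, not the
          # task's, presumably because that is the group agents must be reachable from.
          - Name: CONSOLE_SECURITY_GROUP_ID
            Value: !If [CreateConsoleSecurityGroup, !If [UseLB, !GetAtt LoadBalancerSecurityGroup.GroupId, !GetAtt ContainerSecurityGroup.GroupId], !Ref ConsoleSecurityGroup]
          - Name: AGENT_AUTO_ASSIGN_PUBLIC_IP
            Value: !Ref AgentAutoAssignPublicIp
          # The next three are YAML booleans (CloudFormation stringifies them);
          # NOTE(review): confirm the Console's parsing is case-insensitive.
          - Name: BYOL_MODE
            Value: False
          - Name: BLANKET_KMS_ACCESS
            Value: !If [BlanketKmsAccess, True, False]
          - Name: HAS_LOAD_BALANCER
            Value: !If [UseLB, True, False]
          - Name: INFO_OPT_OUT
            Value: !FindInMap [yesNoToBool, !Ref InfoOptOut, value]
          - Name: QUARANTINE_BUCKET_NAME_PREFIX
            Value: !Sub '${QuarantineBucketNamePrefix}${AppConfigAgentApplication}'
          - Name: DYNAMO_DB_TABLE_NAME_PREFIX
            Value: !GetAtt DynamoTableNamePrefixParameter.Value
          - Name: CLUSTER_NAME
            Value: !Sub '${ClusterPrefix}${AppConfigAgentApplication}'
          - Name: NOTIFICATIONS_TOPIC_NAME
            Value: !Sub '${NotificationsTopicPrefix}${AppConfigAgentApplication}'
          - Name: APP_CONFIG_DOCUMENT_NAME
            Value: !Ref AppConfigDocument
          - Name: APP_CONFIG_DOCUMENT_SCHEMA_NAME
            Value: !Ref AppConfigDocumentSchema
          - Name: APP_CONFIG_PROFILE_ID
            Value: !Ref AppConfigProfile
          # Names of the queues/topics/tasks/services/alarms/policies the Console
          # creates; each carries the application id so the name-scoped IAM
          # statements in ConsoleTaskPolicy match them.
          - Name: EVENT_BASED_SCAN_TOPIC_NAME
            Value: !Sub '${EventBasedScanTopicPrefix}${AppConfigAgentApplication}'
          - Name: EVENT_BASED_SCAN_QUEUE_NAME
            Value: !Sub '${EventBasedScanQueuePrefix}${AppConfigAgentApplication}'
          - Name: DC_EVENT_BASED_SCAN_QUEUE_NAME
            Value: !Sub '${DcEventBasedScanQueuePrefix}${AppConfigAgentApplication}'
          - Name: RETRO_SCAN_QUEUE_NAME
            Value: !Sub '${RetroScanQueuePrefix}${AppConfigAgentApplication}'
          - Name: CONSOLE_TASK_NAME
            Value: !Sub '${TaskDefinitionPrefix}${AppConfigAgentApplication}'
          - Name: CONSOLE_SERVICE_NAME
            Value: !If [UseLB, !Sub '${ServicePrefix}LB-${AppConfigAgentApplication}', !Sub '${ServicePrefix}${AppConfigAgentApplication}']
          - Name: CONSOLE_ROLE_ARN
            Value: !If [CreateConsoleRole, !GetAtt ConsoleTaskRole.Arn, !Ref ConsoleTaskRoleArn]
          - Name: EVENT_AGENT_TASK_NAME
            Value: !Sub '${EventAgentTaskPrefix}${AppConfigAgentApplication}'
          - Name: DC_EVENT_AGENT_TASK_NAME
            Value: !Sub '${DcEventAgentTaskPrefix}${AppConfigAgentApplication}'
          - Name: EVENT_AGENT_SERVICE_NAME
            Value: !Sub '${EventAgentServicePrefix}${AppConfigAgentApplication}'
          - Name: DC_EVENT_AGENT_SERVICE_NAME
            Value: !Sub '${DcEventAgentServicePrefix}${AppConfigAgentApplication}'
          - Name: LARGE_FILE_AGENT_TASK_NAME
            Value: !Sub '${LargeFileAgentTaskPrefix}${AppConfigAgentApplication}'
          - Name: API_AGENT_TASK_NAME
            Value: !Sub '${ApiAgentTaskPrefix}${AppConfigAgentApplication}'
          - Name: API_AGENT_SERVICE_NAME
            Value: !Sub '${ApiAgentServicePrefix}${AppConfigAgentApplication}'
          - Name: API_LB_NAME
            Value: !Sub '${ApiLoadBalancerPrefix}${AppConfigAgentApplication}'
          - Name: API_LB_TG_NAME
            Value: !Sub '${ApiTargetGroupPrefix}${AppConfigAgentApplication}'
          - Name: RETRO_AGENT_TASK_NAME
            Value: !Sub '${RetroAgentTaskPrefix}${AppConfigAgentApplication}'
          - Name: RETRO_AGENT_SERVICE_NAME
            Value: !Sub '${RetroAgentServicePrefix}${AppConfigAgentApplication}'
          - Name: LARGE_EVENT_QUEUE_ALARM_NAME
            Value: !Sub '${LargeEventQueueAlarmPrefix}${AppConfigAgentApplication}'
          - Name: SMALL_EVENT_QUEUE_ALARM_NAME
            Value: !Sub '${SmallEventQueueAlarmPrefix}${AppConfigAgentApplication}'
          - Name: DECREASE_AGENTS_SCALING_POLICY_NAME
            Value: !Sub '${DecreaseAgentsScalingPolicyPrefix}${AppConfigAgentApplication}'
          - Name: INCREASE_AGENTS_SCALING_POLICY_NAME
            Value: !Sub '${IncreaseAgentsScalingPolicyPrefix}${AppConfigAgentApplication}'
          - Name: LARGE_DC_EVENT_QUEUE_ALARM_NAME
            Value: !Sub '${LargeDcEventQueueAlarmPrefix}${AppConfigAgentApplication}'
          - Name: SMALL_DC_EVENT_QUEUE_ALARM_NAME
            Value: !Sub '${SmallDcEventQueueAlarmPrefix}${AppConfigAgentApplication}'
          - Name: DECREASE_DC_AGENTS_SCALING_POLICY_NAME
            Value: !Sub '${DecreaseDcAgentsScalingPolicyPrefix}${AppConfigAgentApplication}'
          - Name: INCREASE_DC_AGENTS_SCALING_POLICY_NAME
            Value: !Sub '${IncreaseDcAgentsScalingPolicyPrefix}${AppConfigAgentApplication}'
          - Name: API_REQUEST_SCALING_POLICY_NAME
            Value: !Sub '${ApiRequestScalingPolicyPrefix}${AppConfigAgentApplication}'
          - Name: API_CPU_SCALING_POLICY_NAME
            Value: !Sub '${ApiCpuScalingPolicyPrefix}${AppConfigAgentApplication}'
          - Name: RETRO_QUEUE_NOT_EMPTY_ALARM_NAME
            Value: !Sub '${RetroQueueNotEmptyAlarmPrefix}${AppConfigAgentApplication}'
          - Name: RETRO_QUEUE_EMPTY_ALARM_NAME
            Value: !Sub '${RetroQueueEmptyAlarmPrefix}${AppConfigAgentApplication}'
          - Name: REMOVE_RETRO_AGENTS_SCALING_POLICY_NAME
            Value: !Sub '${RemoveRetroAgentsScalingPolicyPrefix}${AppConfigAgentApplication}'
          - Name: SET_RETRO_AGENTS_SCALING_POLICY_NAME
            Value: !Sub '${SetRetroAgentsScalingPolicyPrefix}${AppConfigAgentApplication}'
          - Name: AGENT_SECURITY_GROUP_NAME
            Value: !Sub '${AgentSecurityGroupPrefix}${AppConfigAgentApplication}'
          # Role/policy names the Console expects in linked accounts; they end
          # in the application id, matching the sts:AssumeRole resource pattern.
          - Name: CROSS_ACCOUNT_ROLE_NAME
            Value: !Sub '${CrossAccountRolePrefix}${AppConfigAgentApplication}'
          - Name: CROSS_ACCOUNT_POLICY_NAME
            Value: !Sub '${CrossAccountPolicyPrefix}${AppConfigAgentApplication}'
          - Name: CROSS_ACCOUNT_EVENT_BRIDGE_ROLE_NAME
            Value: !Sub '${CrossAccountEventBridgeRolePrefix}${AppConfigAgentApplication}'
          - Name: CROSS_ACCOUNT_EVENT_BRIDGE_POLICY_NAME
            Value: !Sub '${CrossAccountEventBridgePolicyPrefix}${AppConfigAgentApplication}'
          # Location of the bundled data-classification content-control lists.
          - Name: DLP_CCL_DIR
            Value: '/cssdlp'
          - Name: DLP_CCL_FILE_NAME
            Value: 'PredefinedContentControlLists.xml'
          # Empty strings when no outbound proxy is configured.
          - Name: PROXY_HOST
            Value: !If [UseProxy, !Ref ProxyHost, '']
          - Name: PROXY_PORT
            Value: !If [UseProxy, !Ref ProxyPort, '']
          - Name: PRODUCT_MODE
            Value: !Ref ProductMode
        PortMappings:
          - ContainerPort: 80
          - ContainerPort: 443
        # Root filesystem is mounted read-only (hardening against tampering
        # with the image at runtime).  Written as a canonical boolean rather
        # than the YAML 1.1 "yes", which generic parsers read differently.
        ReadonlyRootFilesystem: true
        LogConfiguration:
          LogDriver: awslogs
          Options:
            awslogs-group: !Ref CloudwatchLogsGroup
            awslogs-region: !Ref AWS::Region
            awslogs-stream-prefix: ecs
    Tags:
      - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]]
        Value: 'ConsoleTaskDefinition'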
# HTTPS target group for the Console task.  TargetType ip is required for
# Fargate/awsvpc tasks.  The health check hits the sign-in page every 5 minutes
# with a 2-minute timeout, so an unhealthy task can take several minutes to be
# pulled out of rotation.
TargetGroup:
  Type: AWS::ElasticLoadBalancingV2::TargetGroup
  Condition: UseLB
  DependsOn: ConsoleTaskPolicyApiLb
  Properties:
    Name: !Sub '${TargetGroupPrefix}LB-${AppConfigAgentApplication}'
    Port: 443
    Protocol: HTTPS
    HealthCheckProtocol: HTTPS
    HealthCheckPort: 443
    HealthCheckPath: /Account/SignIn
    HealthCheckIntervalSeconds: 300
    HealthCheckTimeoutSeconds: 120
    TargetGroupAttributes:
      - Key: deregistration_delay.timeout_seconds
        Value: 60 # default is 300
    TargetType: ip
    VpcId: !Ref VPC
# HTTPS listener that forwards to the Console target group.  No HTTP listener
# is defined here although the LB security group opens port 80.
Listener:
  Type: AWS::ElasticLoadBalancingV2::Listener
  Condition: UseLB
  Properties:
    DefaultActions:
      - TargetGroupArn: !Ref TargetGroup
        Type: forward
    LoadBalancerArn: !Ref LoadBalancer
    Port: 443
    Protocol: HTTPS
    # TLS 1.2-only policy from 2017.  NOTE(review): AWS has since published
    # policies that add TLS 1.3 and drop older cipher suites (e.g.
    # ELBSecurityPolicy-TLS13-1-2-2021-06); worth re-evaluating against the
    # clients that need to reach the Console.
    SslPolicy: ELBSecurityPolicy-TLS-1-2-2017-01
    Certificates:
      - CertificateArn: !Ref Certificate
# Console load balancer (no Type given, so an application load balancer).
# Scheme comes from the LBScheme parameter; with internet-facing plus an open
# CIDR in LoadBalancerSecurityGroup the sign-in page is public.
# NOTE(review): access logging, deletion protection and
# routing.http.drop_invalid_header_fields are not configured; consider them
# for an internet-facing admin endpoint.
LoadBalancer:
  Type: AWS::ElasticLoadBalancingV2::LoadBalancer
  Condition: UseLB
  Properties:
    LoadBalancerAttributes:
      # this is the default, but is specified here in case it needs to be changed
      - Key: idle_timeout.timeout_seconds
        Value: 60
    Name: !Sub '${LoadBalancerPrefix}${AppConfigAgentApplication}'
    # "internal" is also an option
    Scheme: !Ref LBScheme
    SecurityGroups:
      - !If [CreateConsoleSecurityGroupLB, !Ref LoadBalancerSecurityGroup, !Ref ConsoleSecurityGroup]
    # Dedicated LB subnets may be supplied; otherwise the Console's subnets are reused.
    Subnets:
      - !If [UseLBSubnetA, !Ref LBSubnetA, !Ref SubnetA]
      - !If [UseLBSubnetB, !Ref LBSubnetB, !Ref SubnetB]
# DynamoDB configuration published to Parameter Store under
# /<ParametersPrefix><app>/Config/. All of these parameters are plain
# String type (CloudFormation cannot create SecureString parameters).

# Table-name prefix: "<app>." by default, or the caller-supplied prefix.
DynamoTableNamePrefixParameter:
  Type: AWS::SSM::Parameter
  Properties:
    Type: String
    Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/DynamoTableNamePrefix'
    Value: !If [UseDefaultDynamoPrefix, !Sub '${AppConfigAgentApplication}.', !Ref DynamoTableNamePrefix]
# Point-in-time recovery flag, mapped from the yes/no parameter through the
# yesNoToBool mapping (defined elsewhere in the template).
DynamoPointInTimeRecoveryEnabledParameter:
  Type: AWS::SSM::Parameter
  Properties:
    Type: String
    Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/DynamoPointInTimeRecoveryEnabled'
    Value: !FindInMap [yesNoToBool, !Ref DynamoPointInTimeRecoveryEnabled, value]
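# ECR image reference the Console uses when it launches agent tasks.
# The registry host has the form <account>.dkr.ecr.<region>.amazonaws.com:
# the account comes from EcrAccountIdParameter and the region from the
# stack's own region.
# Fixed: the value previously read '.dkr.ecr..amazonaws.com' — an empty
# region segment, which is not a resolvable registry host.
# NOTE(review): the image is pinned by tag (v6.05.001) rather than by digest,
# so the artifact behind this reference can change without a template
# change; pin a digest if the agent supply chain must be immutable.
AgentEcrImageUrlParameter:
  Type: AWS::SSM::Parameter
  Properties:
    Type: String
    Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/AgentEcrImageUrl'
    Value: !Sub '${EcrAccountIdParameter.Value}.dkr.ecr.${AWS::Region}.amazonaws.com/cloudstoragesecurity/agent:v6.05.001'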
# Agent fleet sizing and task resources, published to Parameter Store so the
# Console can read them at runtime. Values are copied straight from stack
# parameters or resolved through the vCPUvalues / MemValues mappings
# (defined elsewhere in the template).

# Upper bound on running agents. NOTE(review): the min/max relationship is
# only described in the parameter text, not enforced by the template.
MaxNumAgentsParameter:
  Type: AWS::SSM::Parameter
  Properties:
    Type: String
    Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/MaxNumAgents'
    Value: !Ref MaxRunningAgents
# Lower bound on running agents.
MinNumAgentsParameter:
  Type: AWS::SSM::Parameter
  Properties:
    Type: String
    Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/MinNumAgents'
    Value: !Ref MinRunningAgents
# Queue depth at which agents are added or removed.
QueueScalingThresholdParameter:
  Type: AWS::SSM::Parameter
  Properties:
    Type: String
    Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/QueueScalingThreshold'
    Value: !Ref NumMessagesInQueueScalingThreshold
# Agent task CPU, translated from the human-readable choice via vCPUvalues.
AgentCpuParameter:
  Type: AWS::SSM::Parameter
  Properties:
    Type: String
    Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/AgentCpu'
    Value: !FindInMap [vCPUvalues, !Ref AgentCpu, size]
# Agent task memory, translated via MemValues.
AgentMemoryParameter:
  Type: AWS::SSM::Parameter
  Properties:
    Type: String
    Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/AgentMemory'
    Value: !FindInMap [MemValues, !Ref AgentMemory, size]
# Agent ephemeral disk size.
AgentDiskSizeParameter:
  Type: AWS::SSM::Parameter
  Properties:
    Type: String
    Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/AgentDiskSize'
    Value: !Ref AgentDiskSize
# Large-file scanning and storage-assessment settings. Boolean-style inputs
# go through the yesNoToBool mapping; the others are copied as given.

EnableLargeFileScanningParameter:
  Type: AWS::SSM::Parameter
  Properties:
    Type: String
    Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/EnableLargeFileScanning'
    Value: !FindInMap [yesNoToBool, !Ref EnableLargeFileScanning, value]
StorageAssessmentEnabledParameter:
  Type: AWS::SSM::Parameter
  Properties:
    Type: String
    Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/StorageAssessmentEnabled'
    Value: !FindInMap [yesNoToBool, !Ref StorageAssessmentEnabled, value]
# Disk size for the large-file scanning host.
LargeFileDiskSizeParameter:
  Type: AWS::SSM::Parameter
  Properties:
    Type: String
    Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/LargeFileDiskSize'
    Value: !Ref LargeFileDiskSize
# Stored as a StringList: the LargeFileEC2Tags parameter is presumably a
# comma-delimited list — confirm against its declaration.
LargeFileEC2TagsParameter:
  Type: AWS::SSM::Parameter
  Properties:
    Type: StringList
    Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/LargeFileEC2Tags'
    Value: !Ref LargeFileEC2Tags
# Identity and bookkeeping values for the Console. The version-string
# parameters below hold initial placeholders that the application is
# presumably expected to update later; the template never changes them.

# Public subdomain is "<account-id>-<app>", so the AWS account ID is part of
# the externally visible hostname (see the ConsoleWebAddress output).
SubdomainParameter:
  Type: AWS::SSM::Parameter
  Properties:
    Type: String
    Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/Subdomain'
    Value: !Join ['-', [!Ref 'AWS::AccountId', !Ref AppConfigAgentApplication]]
# Contact address for the initial account; readable by anyone with
# ssm:GetParameter on this path.
EmailParameter:
  Type: AWS::SSM::Parameter
  Properties:
    Type: String
    Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/Email'
    Value: !Ref Email
UserNameParameter:
  Type: AWS::SSM::Parameter
  Properties:
    Type: String
    Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/UserName'
    Value: !Ref UserName
StackNameParameter:
  Type: AWS::SSM::Parameter
  Properties:
    Type: String
    Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/StackName'
    Value: !Ref AWS::StackName
# Sentinel meaning "no private mirror selected"; quoted because the value
# starts with '!', which YAML would otherwise read as a tag.
PrivateMirrorParameter:
  Type: AWS::SSM::Parameter
  Properties:
    Type: String
    Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/PrivateMirror'
    Value: '!!none_chosen!!'
# Initial marker: no upgrade notes have been acknowledged yet.
LastUpgradeNotesSeenParameter:
  Type: AWS::SSM::Parameter
  Properties:
    Type: String
    Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/LastUpgradeNotesSeen'
    Value: 'v1.00.000'
# Initial marker: no post-upgrade procedure has run yet.
LastPostUpgradeProcedureParameter:
  Type: AWS::SSM::Parameter
  Properties:
    Type: String
    Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/LastPostUpgradeProcedure'
    Value: 'v1.00.000'
# Runtime lookups under the /AWS/ parameter path: stack region and the
# Cognito user pool / app client identifiers created elsewhere in the
# template.

RegionParameter:
  Type: AWS::SSM::Parameter
  Properties:
    Type: String
    Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/AWS/Region'
    Value: !Ref AWS::Region
UserPoolClientIdParameter:
  Type: AWS::SSM::Parameter
  Properties:
    Type: String
    Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/AWS/UserPoolClientId'
    Value: !Ref UserPoolClient
# CloudFormation cannot create SecureString parameters, so this is a plain
# String holding a placeholder, not the real client secret.
# NOTE(review): if the application later writes the actual Cognito client
# secret into this parameter it will be stored unencrypted in Parameter
# Store and readable by anything with ssm:GetParameter on the path — confirm
# the secret lives in a SecureString or Secrets Manager instead.
UserPoolClientSecretParameter:
  Type: AWS::SSM::Parameter
  Properties:
    Type: String
    Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/AWS/UserPoolClientSecret'
    Value: 'AWS:UserPoolClientSecret'
UserPoolIdParameter:
  Type: AWS::SSM::Parameter
  Properties:
    Type: String
    Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/AWS/UserPoolId'
    Value: !Ref UserPool
# Scanning-behaviour settings. Each of these declares DependsOn
# ConsoleTaskPolicy; the reason is not visible in this span — presumably
# ordering against the IAM policy that grants the Console access to these
# parameters. Confirm before removing.

OnlyScanWhenQueueThresholdExceededParameter:
  Type: AWS::SSM::Parameter
  DependsOn: ConsoleTaskPolicy
  Properties:
    Type: String
    Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/OnlyScanWhenQueueThresholdExceeded'
    Value: !FindInMap [yesNoToBool, !Ref OnlyScanWhenQueueThresholdExceeded, value]
# Whether quarantined objects stay in the primary account rather than the
# account that owns the scanned bucket.
QuarantineInPrimaryAccountParameter:
  Type: AWS::SSM::Parameter
  DependsOn: ConsoleTaskPolicy
  Properties:
    Type: String
    Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/QuarantineInPrimaryAccount'
    Value: !FindInMap [yesNoToBool, !Ref QuarantineInPrimaryAccount, value]
# Security Hub integration is off at deploy time. NOTE(review): this is a
# literal 'False' rather than a yesNoToBool lookup like the other flags —
# check the mapping's casing so the consumer parses both forms the same way.
SecurityHubEnabledParameter:
  Type: AWS::SSM::Parameter
  DependsOn: ConsoleTaskPolicy
  Properties:
    Type: String
    Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/SecurityHubEnabled'
    Value: 'False'
AgentScanningEngineParameter:
  Type: AWS::SSM::Parameter
  DependsOn: ConsoleTaskPolicy
  Properties:
    Type: String
    Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/AgentScanningEngine'
    Value: !Ref AgentScanningEngine
MultiEngineScanningModeParameter:
  Type: AWS::SSM::Parameter
  DependsOn: ConsoleTaskPolicy
  Properties:
    Type: String
    Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/MultiEngineScanningMode'
    Value: !Ref MultiEngineScanningMode
# Account that hosts the agent container images. By default this is the
# vendor registry account (a separate account ID for GovCloud); otherwise
# the caller-supplied CustomEcrAccount is used.
# NOTE(review): this value feeds the image URL the Console pulls agents
# from, so CustomEcrAccount is a supply-chain-sensitive input — anyone who
# can set it controls which registry the agent images come from.
EcrAccountIdParameter:
  Type: AWS::SSM::Parameter
  Properties:
    Type: String
    Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/EcrAccountId'
    Value: !If [UseDefaultEcrAccount, !If [IsGovCloud, '822167061992', '564477214187'], !Ref CustomEcrAccount]
# Quarantine, auto-protect and CloudTrail Lake settings. Names default to
# "<prefix><app>" unless the caller supplied one.

# Retention (days) for quarantined objects.
QuarantineBucketDaysToExpireParameter:
  Type: AWS::SSM::Parameter
  Properties:
    Type: String
    Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/QuarantineBucketDaysToExpire'
    Value: !Ref QuarantineBucketDaysToExpire
# Tag key that marks buckets for automatic protection.
AutoProtectBucketTagKeyParameter:
  Type: AWS::SSM::Parameter
  Properties:
    Type: String
    Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/AutoProtectBucketTagKey'
    Value: !If [UseDefaultAutoProtectBucketTagKey, !Sub 'CloudStorageSecAutoProtect-${AppConfigAgentApplication}', !Ref AutoProtectBucketTagKey]
CloudTrailLakeEnabledParameter:
  Type: AWS::SSM::Parameter
  Properties:
    Type: String
    Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/CloudTrailLakeEnabled'
    Value: !FindInMap [yesNoToBool, !Ref EnableCloudTrailLake, value]
CloudTrailLakeEventDataStoreNameParameter:
  Type: AWS::SSM::Parameter
  Properties:
    Type: String
    Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/CloudTrailLakeEventDataStoreName'
    Value: !If [UseDefaultCloudTrailLakeEventDataStoreName, !Sub '${CloudTrailLakeEventDataStorePrefix}${AppConfigAgentApplication}', !Ref CloudTrailLakeDataStoreName]
CloudTrailLakeChannelNameParameter:
  Type: AWS::SSM::Parameter
  Properties:
    Type: String
    Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/CloudTrailLakeChannelName'
    Value: !If [UseDefaultCloudTrailLakeChannelName, !Sub '${CloudTrailLakeChannelPrefix}${AppConfigAgentApplication}', !Ref CloudTrailLakeChannelName]
# Placeholder: the channel ARN is not known at template time. Note the
# parameter name ends in CloudTrailLakeArn while the resource is named
# ...ChannelArn; consumers must use the path as written here.
CloudTrailLakeChannelArnParameter:
  Type: AWS::SSM::Parameter
  Properties:
    Type: String
    Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/CloudTrailLakeArn'
    Value: "unknown"
# SNS topic for proactive notifications; its ARN is exported from Outputs
# so other stacks can subscribe.
# NOTE(review): no KmsMasterKeyId is set, so messages are not encrypted
# with a customer-managed key — add one if notification payloads can
# contain sensitive detail (object keys, account IDs, findings).
NotificationsTopic:
  Type: AWS::SNS::Topic
  DependsOn: ConsoleTaskPolicy
  Properties:
    TopicName: !Sub '${NotificationsTopicPrefix}${AppConfigAgentApplication}'
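# Topic policy: only the Console and Agent task roles (created here or
# supplied by the caller) may publish to NotificationsTopic. No wildcard
# principal, so the topic cannot be spammed from outside the deployment.
NotificationsTopicPolicy:
  Type: AWS::SNS::TopicPolicy
  DependsOn: ConsoleTaskPolicy
  Properties:
    PolicyDocument:
      # Quoted so generic YAML 1.1 parsers do not read the policy version as
      # a timestamp; CloudFormation accepts either form.
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            AWS:
              - !If [CreateConsoleRole, !GetAtt ConsoleTaskRole.Arn, !Ref ConsoleTaskRoleArn]
              - !If [CreateAgentRole, !GetAtt AgentTaskRole.Arn, !Ref AgentTaskRoleArn]
          Action: sns:Publish
          Resource: !Ref NotificationsTopic
    Topics:
      - !Ref NotificationsTopic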
# This AutoScaling setup is only to cause creation of ECS Autoscaling Role
# Both targets pin the Console service at exactly one task (min = max = 1);
# only one of the two exists, chosen by the LB conditions. The RoleARN is
# the service-linked role that Application Auto Scaling uses for ECS.
AutoScalingTarget:
  Type: AWS::ApplicationAutoScaling::ScalableTarget
  Condition: CreateAutoScalingRoleWithoutLb
  Properties:
    MinCapacity: 1
    MaxCapacity: 1
    ResourceId: !Join ['/', [service, !Ref Cluster, !GetAtt Service.Name]]
    RoleARN: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/ecs.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_ECSService'
    ScalableDimension: ecs:service:DesiredCount
    ServiceNamespace: ecs
# Same as above, but bound to the load-balanced service variant.
AutoScalingTargetWithLb:
  Type: AWS::ApplicationAutoScaling::ScalableTarget
  Condition: CreateAutoScalingRoleWithLb
  Properties:
    MinCapacity: 1
    MaxCapacity: 1
    ResourceId: !Join ['/', [service, !Ref Cluster, !GetAtt ServiceWithLB.Name]]
    RoleARN: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/ecs.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_ECSService'
    ScalableDimension: ecs:service:DesiredCount
    ServiceNamespace: ecs
# Route 53 alias records pointing the Console hostname at the load balancer.
# Exactly one variant is created, depending on whether the caller identified
# the hosted zone by name or by ID; both produce the same record name.

DNSRecord:
  Type: AWS::Route53::RecordSet
  Condition: UseHostedZoneName
  Properties:
    # Trailing dots make the zone and record names fully qualified.
    HostedZoneName: !Sub '${HostedZoneName}.'
    Name: !Sub '${HostedSubdomain}.${HostedZoneName}.'
    Type: A
    AliasTarget:
      DNSName: !GetAtt LoadBalancer.DNSName
      HostedZoneId: !GetAtt LoadBalancer.CanonicalHostedZoneID
DNSRecordByZoneId:
  Type: AWS::Route53::RecordSet
  Condition: UseHostedZoneId
  Properties:
    HostedZoneId: !Ref HostedZoneId
    # Record name still uses HostedZoneName, so that parameter must match the
    # zone identified by HostedZoneId — presumably validated elsewhere.
    Name: !Sub '${HostedSubdomain}.${HostedZoneName}.'
    Type: A
    AliasTarget:
      DNSName: !GetAtt LoadBalancer.DNSName
      HostedZoneId: !GetAtt LoadBalancer.CanonicalHostedZoneID
# Stack outputs. Note that stack outputs are visible to anyone who can
# describe the stack; nothing here contains a credential (the password is
# delivered by email, not emitted).
Outputs:
  # Vendor-hosted address: "<account-id>-<app>.cloudstoragesecapp.com".
  ConsoleWebAddress:
    Condition: DontUseLB
    Description: Public DNS address of Console Web Interface
    Value: !Sub 'https://${SubdomainParameter.Value}.cloudstoragesecapp.com'
  # Load-balancer address: the Route 53 name when configured, else the raw
  # ALB DNS name (which will not match the certificate's hostname).
  LBWebAddress:
    Condition: UseLB
    Description: Public DNS address of Console Web Interface
    Value: !If [UseRoute53, !Sub 'https://${HostedSubdomain}.${HostedZoneName}', !Sub 'https://${LoadBalancer.DNSName}']
  UserName:
    Description: User Name used to log in to console
    Value: !Ref UserName
  # Deliberately a pointer, not the password itself.
  Password:
    Description: Temporary password used to log in to console
    Value: !Sub 'Password was emailed to ${Email}'
  # Exported for cross-stack subscription to the notifications topic.
  ProactiveNotificationsTopicArn:
    Description: ARN for the proactive notifications topic
    Value: !Ref NotificationsTopic
    Export:
      Name: !Sub '${AWS::StackName}-proactive-notifications-sns-topic'