AWSTemplateFormatVersion: 2010-09-09
Description: Version 6.05.002 - CloudFormation template for CloudStorageSec Console software.

Parameters:
  VPC:
    Type: AWS::EC2::VPC::Id
    Description: The VPC in which to place the public facing Console
    MinLength: 1
    ConstraintDescription: VPC is a mandatory input parameter. Select an existing VPC ID.
  SubnetA:
    Type: AWS::EC2::Subnet::Id
    Description: A subnet in your VPC in which the public facing Console can be placed. Ensure this subnet allows outbound internet traffic.
    MinLength: 1
    ConstraintDescription: SubnetA is a mandatory input parameter. Select existing subnet from the selected VPC.
  SubnetB:
    Type: AWS::EC2::Subnet::Id
    Description: A subnet in your VPC in which the public facing Console can be placed. Ensure this subnet allows outbound internet traffic. **Subnet B must be different from Subnet A and should be in a different Availability Zone**
    MinLength: 1
    ConstraintDescription: SubnetB is a mandatory input parameter. Select existing subnet from the selected VPC.
  ConsoleSecurityGroup:
    Type: String
    Default: "Created by CFT"
    Description: The Security Group for the Console management website (Optional, leave blank to create a new security group).
  ConsoleSecurityGroupCidrBlock:
    Type: String
    Description: The IP address range that can access the Console management website (e.g. X.X.X.X/32 for a single given IP, 0.0.0.0/0 for open access)
    MinLength: 9
    MaxLength: 18
    AllowedPattern: ((\d{1,3})\.){3}\d{1,3}/\d{1,2}
    ConstraintDescription: Must be valid CIDR notation of the form X.X.X.X/X
  MinRunningAgents:
    Type: Number
    Default: 1
    MinValue: 0
    Description: Cannot be greater than Maximum Running Agents
  MaxRunningAgents:
    Type: Number
    Default: 12
    MinValue: 1
    Description: Cannot be less than Minimum Running Agents
  NumMessagesInQueueScalingThreshold:
    Type: Number
    Default: 1000
    Description: The number of pending files to be scanned before adding or removing agents
  ConsoleCpu:
    Type: String
    Default: 0.5vCPU
    AllowedValues: ["0.5vCPU", "1vCPU", "2vCPU", "4vCPU"]
    Description: The number of vCPU units for the Console (1024 vCPU units per 1 vCPU)
  ConsoleMemory:
    Type: String
    Default: 1GB
    AllowedValues: ["1GB", "2GB", "3GB", "4GB", "5GB", "6GB", "7GB", "8GB", "9GB", "10GB", "11GB", "12GB", "13GB", "14GB", "15GB", "16GB", "17GB", "18GB", "19GB", "20GB", "21GB", "22GB", "23GB", "24GB", "25GB", "26GB", "27GB", "28GB", "29GB", "30GB"]
    Description: The amount of memory for the Console. Must be 2-8x the vCPU. i.e. 0.5 vCPU should have 1-4GB of memory.
  ConsoleAutoAssignPublicIp:
    Type: String
    Default: "ENABLED"
    AllowedValues: ["ENABLED", "DISABLED"]
    Description: "Should a public IP be assigned to the Console? (WARNING: do not set to disabled unless you have configured your AWS VPC in a manner that would still allow access to the console.)"
  EnableCloudTrailLake:
    Type: String
    Default: "No"
    AllowedValues: ["Yes", "No"]
    Description: Would you like to send audit logs to CloudTrail Lake?
  CloudTrailLakeDataStoreName:
    Type: String
    Default: "default"
    Description: Enter a CloudTrail Event Data Store name if you would like to use an existing one. Otherwise we will create a new one. If existing, must be in same region as this deployment.
  CloudTrailLakeChannelName:
    Type: String
    Default: "default"
    Description: Enter a CloudTrail Channel name if you would like to use an existing one. Otherwise we will create a new one. If existing, must be in same region as this deployment.
  AgentCpu:
    Type: String
    Default: "1vCPU"
    AllowedValues: ["1vCPU", "2vCPU", "4vCPU"]
    Description: The number of vCPU units for the Agents (1024 vCPU units = 1 vCPU)
  AgentMemory:
    Type: String
    Default: 3GB
    AllowedValues: ["2GB", "3GB", "4GB", "5GB", "6GB", "7GB", "8GB", "9GB", "10GB", "11GB", "12GB", "13GB", "14GB", "15GB", "16GB", "17GB", "18GB", "19GB", "20GB", "21GB", "22GB", "23GB", "24GB", "25GB", "26GB", "27GB", "28GB", "29GB", "30GB"]
    Description: The amount of memory for the scanning Agent. Must be 2-8x the vCPU. i.e. 2 vCPU should have 4-16GB of memory.
  AgentScanningEngine:
    Type: String
    Default: "ClamAV"
    AllowedValues: ["ClamAV", "Sophos"]
    Description: "Choose the engine that should be used to scan files (See Marketplace listing for pricing differences)"
  MultiEngineScanningMode:
    Type: String
    Default: "Disabled"
    AllowedValues: ["Disabled", "All", "LargeFiles"]
    Description: "Choose if you want to use multiple engines to scan files. All will scan every file with both engines, LargeFiles will scan files larger than 2GB with Sophos. Premium Engine pricing applies."
  AgentDiskSize:
    Type: Number
    Default: 20
    MinValue: 20
    MaxValue: 200
    Description: Choose a larger disk size (up to 200 GB) to enable scanning larger files, up to 5 GB fewer than the total disk size. This only applies when using the Sophos scanning engine.
  EnableLargeFileScanning:
    Type: String
    Default: "No"
    AllowedValues: ["Yes", "No"]
    Description: Pick Yes if you would like to have EC2 instances launched to scan files too large to be scanned by the normal agent
  LargeFileDiskSize:
    Type: Number
    Default: 2000
    MinValue: 20
    MaxValue: 16300
    Description: Choose a larger disk size (between 20 - 16,300 GB) to enable scanning larger files, up to 5 GB fewer than the total disk size. This only applies when using the Sophos scanning engine with EC2 large file scanning enabled.
  LargeFileEC2Tags:
    Type: String
    Default: "CloudStorageSec-[appId]=EC2Instance"
    Description: "Enter an optional comma-separated list of key=value tags to place on extra large file scanning EC2 instances (Note: if you use [appId] in your tag name, we will replace it with the CSS application ID. It is recommended to leave the default in order to identify resources from this product)"
  AgentAutoAssignPublicIp:
    Type: String
    Default: "ENABLED"
    AllowedValues: ["ENABLED", "DISABLED"]
    Description: "Should public IPs be assigned to the Agents? (WARNING: do not set to disabled unless you have configured your AWS VPC in a manner that would still allow the agents to reach AWS services over the internet.)"
  UserName:
    Type: String
    Description: Initial user name for the Console management website
    MinLength: 1
    MaxLength: 128
    Default: admin
  Email:
    Type: String
    Description: Email address for Console management website account
    AllowedPattern: ^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$
    ConstraintDescription: Must be a valid email address.
  OnlyScanWhenQueueThresholdExceeded:
    Type: String
    Default: "No"
    AllowedValues: ["Yes", "No"]
    Description: Pick Yes if you would like to only run scanning agents when the number of files waiting to be scanned exceeds the queue scaling threshold
  QuarantineInPrimaryAccount:
    Type: String
    Default: "No"
    AllowedValues: ["Yes", "No"]
    Description: Pick Yes if you would like to create quarantine buckets in the primary account only (if you utilize linked accounts, infected objects will be moved to the quarantine bucket(s) in the primary account)
  AllowAccessToAllKmsKeys:
    Type: String
    Default: "Yes"
    AllowedValues: ["Yes", "No"]
    Description: Pick Yes if you would like to give the scanner access to all KMS encrypted buckets
  StorageAssessmentEnabled:
    Type: String
    Default: "No"
    AllowedValues: ["Yes", "No"]
    Description: Pick Yes if you would like to enable Storage Assessment to run
  UseLoadBalancer:
    Type: String
    Default: "No"
    AllowedValues: ["Yes", "No"]
    Description: Pick Yes if you would like to use a load balancer for the console service. Note that in doing so you will not be able to use the custom DNS feature and would need to provide your own DNS and SSL certificate for the load balancer
  ContainerSecurityGroupLB:
    Type: String
    Default: "Created by CFT"
    Description: The Security Group for the Console Service (ECS Container) to allow connections from the Load Balancer (Optional, leave blank to create a new security group).
  Certificate:
    Type: String
    Default: 'arn:aws:acm:region:123456789012:certificate/00000000-0000-0000-0000-000000000000'
    Description: Enter the ARN for the certificate you wish to use for the load balancer. Only needed if using a load balancer.
  LBScheme:
    Type: String
    Default: "internet-facing"
    AllowedValues: ["internet-facing", "internal"]
    Description: Should the load balancer be internet facing or internal only?
  LBSubnetA:
    Type: String
    Default: enter-subnet-id
    Description: A subnet in your VPC in which the Load Balancer can be placed. Ensure this subnet allows outbound internet traffic. ** Leave blank to use same subnet as Console. If specified, must be in same AZ as Console subnet. **
  LBSubnetB:
    Type: String
    Default: enter-subnet-id
    Description: A subnet in your VPC in which the Load Balancer can be placed. Ensure this subnet allows outbound internet traffic. **Subnet B must be different from Subnet A and should be in a different Availability Zone. Leave blank to use same subnet as Console. If specified, must be in same AZ as Console subnet. **
  RegisterRoute53:
    Type: String
    Default: "No"
    AllowedValues: ["Yes", "No"]
    Description: Pick Yes if you would like to add a dns entry in Route53. This is only for when using a load balancer.
  HostedZoneName:
    Type: String
    Default: domain-for-your-ssl-cert.com
    Description: "Enter the hosted zone domain name for adding an entry to Route53. Only needed if registering dns in Route53."
  HostedZoneId:
    Type: String
    Default: ZXXXXDEFAULTXXXXXXXXX
    Description: "Enter the hosted zone ID for adding an entry to Route53. Only needed if registering dns in Route53 (Optional, only needed if you have multiple zones with the same name)."
  HostedSubdomain:
    Type: String
    Default: subdomain
    Description: Enter the subdomain for adding an entry to Route53. Only needed if registering dns in Route53.
  InfoOptOut:
    Type: String
    Default: "No"
    AllowedValues: ["Yes", "No"]
    Description: Would you like to opt-out from sending information about your deployment? Selecting "Yes" will cause custom DNS registration and trial eligibility checks to not work. Given this, you must use your own Load Balancer in order to opt-out. If you opt-out and would still like a trial, please contact support@cloudstoragesec.com.
  CustomEcrAccount:
    Type: String
    Default: "default"
    Description: If you would like to host the container images yourself in ECR, enter the AWS account ID here. Ensure you have copied the images to your repositories. Repository names are required to be cloudstoragesecurity/console and cloudstoragesecurity/agent.
  DynamoTableNamePrefix:
    Type: String
    Default: '7-character-application-id.'
    Description: Prefix for dynamo db tables.
  DynamoPointInTimeRecoveryEnabled:
    Type: String
    Default: "No"
    AllowedValues: ["Yes", "No"]
    Description: Would you like to enable point in time recovery (PITR) for DynamoDB tables?
  QuarantineBucketNamePrefix:
    Type: String
    Default: 'cloudstoragesecquarantine-'
    Description: Prefix for the quarantine bucket names.
    MinLength: 4
    MaxLength: 27
  AppConfigApplicationPrefix:
    Type: String
    Default: 'CloudStorageSec-'
    Description: Prefix for the AWS AppConfig application.
  AppConfigEnvironmentPrefix:
    Type: String
    Default: 'CloudStorageSecEnv-'
    Description: Prefix for the AWS AppConfig Environment.
  AppConfigDeploymentStrategyPrefix:
    Type: String
    Default: 'CloudStorageSecConfigDeploy-'
    Description: Prefix for the AWS AppConfig Deployment Strategy.
  AppConfigDocumentPrefix:
    Type: String
    Default: 'CloudStorageSecConfig-'
    Description: Prefix for the AWS AppConfig Configuration Document.
  AppConfigDocumentSchemaPrefix:
    Type: String
    Default: 'IGNORED'
    Description: Deprecated parameter persisted for backwards compatibility.
  AppConfigDocumentRolePrefix:
    Type: String
    Default: 'AppConfigAgentConfigurationDocumentRole-'
    Description: Prefix for the AWS AppConfig Configuration Document IAM Role.
  AppConfigDocumentPolicyPrefix:
    Type: String
    Default: 'AppConfigAgentConfigurationDocumentPolicy-'
    Description: Prefix for the AWS AppConfig Configuration Document IAM Policy.
  UserPoolPrefix:
    Type: String
    Default: 'CloudStorageSecUserPool-'
    Description: Prefix for the AWS Cognito User Pool.
  UserPoolClientPrefix:
    Type: String
    Default: 'CloudStorageSecUserPoolClient-'
    Description: Prefix for the AWS Cognito User Pool Client.
  UserPoolRolePrefix:
    Type: String
    Default: 'CloudStorageSecUserPoolRole-'
    Description: Prefix for the AWS Cognito User Pool IAM Role.
  UserPoolPolicyPrefix:
    Type: String
    Default: 'CloudStorageSecUserPoolPolicy-'
    Description: Prefix for the AWS Cognito User Pool IAM Policy.
  ConsoleTaskRolePrefix:
    Type: String
    Default: 'CloudStorageSecConsoleRole-'
    Description: Prefix for the Console ECS Task IAM Role.
  ConsoleTaskPolicyPrefix:
    Type: String
    Default: 'CloudStorageSecConsolePolicy-'
    Description: Prefix for the Console ECS Task IAM Policy.
  AgentTaskRolePrefix:
    Type: String
    Default: 'CloudStorageSecAgentRole-'
    Description: Prefix for the Agent ECS Task IAM Role.
  AgentTaskPolicyPrefix:
    Type: String
    Default: 'CloudStorageSecAgentPolicy-'
    Description: Prefix for the Agent ECS Task IAM Policy.
  CrossAccountRolePrefix:
    Type: String
    Default: 'CloudStorageSecRemoteRole-'
    Description: Prefix for the Cross-Account Scanning Role.
  CrossAccountPolicyPrefix:
    Type: String
    Default: 'CloudStorageSecRemotePolicy-'
    Description: Prefix for the Cross-Account Scanning Policy.
  CrossAccountEventBridgeRolePrefix:
    Type: String
    Default: 'CloudStorageSecEventBridgeRole-'
    Description: Prefix for the Cross-Account Event Bridge Scanning Role.
  CrossAccountEventBridgePolicyPrefix:
    Type: String
    Default: 'CloudStorageSecEventBridgePolicy-'
    Description: Prefix for the Cross-Account Event Bridge Scanning Policy.
  ExecutionRolePrefix:
    Type: String
    Default: 'CloudStorageSecExecutionRole-'
    Description: Prefix for the ECS Execution Role.
  Ec2ContainerRolePrefix:
    Type: String
    Default: 'CloudStorageSecEc2ContainerRole-'
    Description: Prefix for the EC2 ECS Container Role.
  Ec2ContainerPolicyPrefix:
    Type: String
    Default: 'CloudStorageSecEc2ContainerPolicy-'
    Description: Prefix for the EC2 ECS Container Policy.
  ClusterPrefix:
    Type: String
    Default: 'CloudStorageSecCluster-'
    Description: Prefix for the ECS Cluster.
  ServicePrefix:
    Type: String
    Default: 'CloudStorageSecConsoleService-'
    Description: Prefix for the ECS Console Service.
  TaskDefinitionPrefix:
    Type: String
    Default: 'CloudStorageSecConsole-'
    Description: Prefix for the ECS Console Task Definition.
  ConsoleSecurityGroupPrefix:
    Type: String
    Default: 'CloudStorageSecConsoleSecurityGroup-'
    Description: Prefix for the Console Security Group.
  LoadBalancerPrefix:
    Type: String
    Default: 'CloudStorageSecLB-'
    Description: Prefix for the Load Balancer (if using a Load Balancer).
  TargetGroupPrefix:
    Type: String
    Default: 'CloudStorageSecTG-'
    Description: Prefix for the Load Balancer Target Group (if using a Load Balancer).
  LoadBalancerGroupPrefix:
    Type: String
    Default: 'CloudStorageSecLBSecurityGroup-'
    Description: Prefix for the Load Balancer Security Group (if using a Load Balancer).
  ApiLoadBalancerPrefix:
    Type: String
    Default: 'CloudStorageSecApiLB-'
    Description: Prefix for the API Load Balancer.
  ApiTargetGroupPrefix:
    Type: String
    Default: 'CloudStorageSecApiTG-'
    Description: Prefix for the API Load Balancer Target Group.
  ParametersPrefix:
    Type: String
    Default: 'CloudStorageSecConsole-'
    Description: Prefix for the Systems Manager Parameters.
  NotificationsTopicPrefix:
    Type: String
    Default: 'CloudStorageSecNotificationsTopic-'
    Description: Prefix for the notifications topic.
  EventBasedScanTopicPrefix:
    Type: String
    Default: 'CloudStorageSecTopic-'
    Description: Prefix for the event based scanning SNS Topic.
  EventBasedScanQueuePrefix:
    Type: String
    Default: 'CloudStorageSecQueue-'
    Description: Prefix for the event based scanning SQS Queue.
  DcEventBasedScanQueuePrefix:
    Type: String
    Default: 'CloudStorageSecQueue-DC-'
    Description: Prefix for the Data Classification event based scanning SQS Queue.
  RetroScanQueuePrefix:
    Type: String
    Default: 'CloudStorageSecRetroQueue-'
    Description: Prefix for the retro-active scanning SQS Queue.
  EventAgentTaskPrefix:
    Type: String
    Default: 'CloudStorageSecAgent-'
    Description: Prefix for the ECS Event Agent Task.
  EventAgentServicePrefix:
    Type: String
    Default: 'CloudStorageSecAgentService-'
    Description: Prefix for the ECS Event Agent Service.
  DcEventAgentTaskPrefix:
    Type: String
    Default: 'CloudStorageSecAgent-DC-'
    Description: Prefix for the ECS Data Classification Event Agent Task.
  DcEventAgentServicePrefix:
    Type: String
    Default: 'CloudStorageSecAgentService-DC-'
    Description: Prefix for the ECS Data Classification Event Agent Service.
  LargeFileAgentTaskPrefix:
    Type: String
    Default: 'CloudStorageSecLargeFileAgent-'
    Description: Prefix for the ECS Large File Agent Task
  ApiAgentTaskPrefix:
    Type: String
    Default: 'CloudStorageSecApiAgent-'
    Description: Prefix for the ECS API Agent Task.
  ApiAgentServicePrefix:
    Type: String
    Default: 'CloudStorageSecApiAgentService-'
    Description: Prefix for the ECS API Agent Service.
  RetroAgentTaskPrefix:
    Type: String
    Default: 'CloudStorageSecRetroAgent-'
    Description: Prefix for the ECS Retro Agent Task.
  RetroAgentServicePrefix:
    Type: String
    Default: 'CloudStorageSecRetroAgentService-'
    Description: Prefix for the ECS Retro Agent Service.
  LargeEventQueueAlarmPrefix:
    Type: String
    Default: 'CloudStorageSecLargeQueue-'
    Description: Prefix for the Alarm triggered when event queue is backed up.
  SmallEventQueueAlarmPrefix:
    Type: String
    Default: 'CloudStorageSecSmallQueue-'
    Description: Prefix for the Alarm triggered when event queue is within normal range.
  DecreaseAgentsScalingPolicyPrefix:
    Type: String
    Default: 'DecreaseAgents-'
    Description: Prefix for the AutoScaling policy to decrease running agent count.
  IncreaseAgentsScalingPolicyPrefix:
    Type: String
    Default: 'IncreaseAgents-'
    Description: Prefix for the AutoScaling policy to increase running agent count.
  LargeDcEventQueueAlarmPrefix:
    Type: String
    Default: 'CloudStorageSecLargeQueue-DC-'
    Description: Prefix for the Alarm triggered when Data Classification event queue is backed up.
  SmallDcEventQueueAlarmPrefix:
    Type: String
    Default: 'CloudStorageSecSmallQueue-DC-'
    Description: Prefix for the Alarm triggered when Data Classification event queue is within normal range.
  DecreaseDcAgentsScalingPolicyPrefix:
    Type: String
    Default: 'DecreaseAgents-DC-'
    Description: Prefix for the AutoScaling policy to decrease running Data Classification agent count.
  IncreaseDcAgentsScalingPolicyPrefix:
    Type: String
    Default: 'IncreaseAgents-DC-'
    Description: Prefix for the AutoScaling policy to increase running Data Classification agent count.
  ApiRequestScalingPolicyPrefix:
    Type: String
    Default: 'ApiServiceRequestScaling-'
    Description: Prefix for the AutoScaling policy for the API Service.
  ApiCpuScalingPolicyPrefix:
    Type: String
    Default: 'ApiServiceCpuScaling-'
    Description: Prefix for the AutoScaling policy for the API Service.
  RetroQueueNotEmptyAlarmPrefix:
    Type: String
    Default: 'CloudStorageSecRetroQueueNotEmpty-'
    Description: Prefix for the Alarm triggered when retro queue is not empty.
  RetroQueueEmptyAlarmPrefix:
    Type: String
    Default: 'CloudStorageSecRetroQueueEmpty-'
    Description: Prefix for the Alarm triggered when retro queue is empty.
  RemoveRetroAgentsScalingPolicyPrefix:
    Type: String
    Default: 'RemoveRetroAgents-'
    Description: Prefix for the AutoScaling policy to stop running retro agents.
  SetRetroAgentsScalingPolicyPrefix:
    Type: String
    Default: 'SetRetroAgents-'
    Description: Prefix for the AutoScaling policy to set running retro agent count.
  AgentSecurityGroupPrefix:
    Type: String
    Default: 'CloudStorageSecAgentSecurityGroup-'
    Description: Prefix for the security group used by scanning agents.
  CloudTrailLakeEventDataStorePrefix:
    Type: String
    Default: 'CloudStorageSecCloudTrailLake-'
    Description: Prefix for the event data store for CloudTrail Lake -- only used if you don't specify your own data store above.
  CloudTrailLakeChannelPrefix:
    Type: String
    Default: 'CloudStorageSecCloudTrailLake-'
    Description: Prefix for the ingestion channel for CloudTrail Lake.
  QuarantineBucketDaysToExpire:
    Type: Number
    Default: 0
    MinValue: 0
    MaxValue: 1000
    Description: Number of days the quarantined files will be retained before deletion. For infinite retention, leave it at zero.
  AutoProtectBucketTagKey:
    Type: String
    Default: 'default'
    Description: Key of the bucket tag that indicates that protection must be automatically turned on for the bucket ("default" = CloudStorageSecAutoProtect-{7 character application id})
  ConsoleTaskRoleArn:
    Type: String
    Default: 'Created by CFT'
    Description: Role ARN for the Console ECS Task
  ConsoleTaskRoleName:
    Type: String
    Default: 'Created by CFT'
    Description: Role name for the Console ECS Task
  AgentTaskRoleName:
    Type: String
    Default: 'Created by CFT'
    Description: Role name for the Agent ECS Task
  AgentTaskRoleArn:
    Type: String
    Default: 'Created by CFT'
    Description: Role ARN for the Agent ECS Task
  ExecutionRoleArn:
    Type: String
    Default: 'Created by CFT'
    Description: Role ARN for AWS ECS execution
  Ec2ContainerInstanceProfileArn:
    Type: String
    Default: 'Created by CFT'
    Description: Instance Profile ARN for AWS ECS EC2 execution
  Ec2ContainerInstanceRoleName:
    Type: String
    Default: 'Created by CFT'
    Description: Role Name for AWS ECS EC2 execution
  AppConfigAgentConfigurationDocumentRoleName:
    Type: String
    Default: 'Created by CFT'
    Description: Role name for the AWS AppConfig Config Document
  AppConfigAgentConfigurationDocumentRoleArn:
    Type: String
    Default: 'Created by CFT'
    Description: Role ARN for the AWS AppConfig Config Document
  UserPoolSnsRoleName:
    Type: String
    Default: 'Created by CFT'
    Description: Role name for the AWS Cognito User Pool SNS for MFA
  UserPoolSnsRoleArn:
    Type: String
    Default: 'Created by CFT'
    Description: Role ARN for the AWS Cognito User Pool SNS for MFA
  EnsureAutoScalingRoleExists:
    Type: String
    Default: "Yes"
    AllowedValues: ["Yes", "No"]
    Description: Would you like us to ensure the ECS Autoscaling Role exists (by registering the console as an AutoScalingGroup)?
  ProxyHost:
    Type: String
    Default: 'none'
    Description: URL for proxy server
  ProxyPort:
    Type: String
    Default: 'none'
    Description: Port for proxy server
  ProductMode:
    Type: String
    Default: 'AV'
    AllowedValues: ['AV', 'Classification']
    Description: Initial product mode for this deployment. Do not modify this value.

Rules:
  SubnetsInVPC:
    Assertions:
      - AssertDescription: All subnets must belong to the VPC selected
        Assert: !EachMemberIn [ !ValueOfAll ["AWS::EC2::Subnet::Id", "VpcId"], !RefAll "AWS::EC2::VPC::Id" ]
  SubnetsMustDiffer:
    Assertions:
      - AssertDescription: Subnet A and Subnet B must be different
        Assert: !Not [!Equals [!Ref SubnetA, !Ref SubnetB]]
  CheckConsoleCPUAndMem:
    Assertions:
      - AssertDescription: Console Memory needs to be in range (2x to 8x) of Console vCPU. If you select 0.5vCPU, then memory must be set between 1GB and 4GB.
        Assert: !Or
          - !And [ !Equals [!Ref ConsoleCpu, "0.5vCPU"], !Contains [["1GB", "2GB", "3GB", "4GB"], !Ref ConsoleMemory]]
          - !And [ !Equals [!Ref ConsoleCpu, "1vCPU"], !Contains [["2GB","3GB","4GB","5GB","6GB","7GB","8GB"], !Ref ConsoleMemory]]
          - !And [ !Equals [!Ref ConsoleCpu, "2vCPU"], !Contains [["4GB","5GB","6GB","7GB","8GB","9GB","10GB","11GB","12GB","13GB","14GB","15GB","16GB"], !Ref ConsoleMemory]]
          - !And [ !Equals [!Ref ConsoleCpu, "4vCPU"], !Contains [["8GB","9GB","10GB","11GB","12GB","13GB","14GB","15GB","16GB","17GB","18GB","19GB","20GB","21GB","22GB","23GB","24GB","25GB","26GB","27GB","28GB","29GB","30GB"], !Ref ConsoleMemory]]
  CheckAgentCPUAndMem:
    Assertions:
      - AssertDescription: Agent Memory needs to be in range (2x to 8x) of Agent vCPU. If you select 2vCPU, then memory must be set between 4GB and 16GB.
        Assert: !Or
          - !And [ !Equals [!Ref AgentCpu, "1vCPU"], !Contains [["2GB", "3GB","4GB","5GB","6GB","7GB","8GB"], !Ref AgentMemory]]
          - !And [ !Equals [!Ref AgentCpu, "2vCPU"], !Contains [["4GB","5GB","6GB","7GB","8GB","9GB","10GB","11GB","12GB","13GB","14GB","15GB","16GB"], !Ref AgentMemory]]
          - !And [ !Equals [!Ref AgentCpu, "4vCPU"], !Contains [["8GB","9GB","10GB","11GB","12GB","13GB","14GB","15GB","16GB","17GB","18GB","19GB","20GB","21GB","22GB","23GB","24GB","25GB","26GB","27GB","28GB","29GB","30GB"], !Ref AgentMemory]]
  CheckMinAgentsWhenScanningOnlyWhenQueueThresholdExceeded:
    Assertions:
      - AssertDescription: Minimum Number of Agents must be 0 when only scanning when queue threshold is exceeded, or greater than 0 otherwise
        Assert: !Or
          - !And [ !Equals [!Ref OnlyScanWhenQueueThresholdExceeded, "Yes"], !Equals [!Ref MinRunningAgents, "0"]]
          - !And [ !Equals [!Ref OnlyScanWhenQueueThresholdExceeded, "No"], !Not [ !Equals [!Ref MinRunningAgents, "0"]]]
  CheckSslCertWhenUsingLoadBalancer:
    Assertions:
      - AssertDescription: SSL Certificate ARN must be specified when using a Load Balancer
        Assert: !Or
          - !Equals [!Ref UseLoadBalancer, "No"]
          - !Not [ !Equals [!Ref Certificate, "arn:aws:acm:region:123456789012:certificate/00000000-0000-0000-0000-000000000000"]]
  LBSubnetsMustDiffer:
    Assertions:
      - AssertDescription: Load Balancer Subnet A and Subnet B must be different
        Assert: !Or
          - !Equals [!Ref UseLoadBalancer, "No"]
          - !Or [ !Equals [!Ref LBSubnetA, "enter-subnet-id"], !Not [!Equals [!Ref LBSubnetA, !Ref LBSubnetB]] ]
  OptOutOnlyWithLB:
    Assertions:
      - AssertDescription: Cannot opt-out from sending info if you are not using a Load Balancer
        Assert: !Or [ !Equals [!Ref UseLoadBalancer, "Yes"], !Equals [!Ref InfoOptOut, "No"] ]
  CheckHostedZoneNameWhenUsingRoute53:
    Assertions:
      - AssertDescription: Must specify a hosted zone name or ID when using Route53
        Assert: !Or
          - !Equals [!Ref RegisterRoute53, "No"]
          - !And [ !Not [ !Equals [!Ref HostedZoneName, "domain-for-your-ssl-cert.com"]], !Not [ !Equals [!Ref HostedZoneId, "ZXXXXDEFAULTXXXXXXXXX"]] ]
          - !And [ !Not [ !Equals [!Ref HostedZoneName, "domain-for-your-ssl-cert.com"]], !Equals [!Ref HostedZoneId, "ZXXXXDEFAULTXXXXXXXXX"] ]
  CheckSubdomainWhenUsingRoute53:
    Assertions:
      - AssertDescription: Must specify a hosted subdomain when using Route53
        Assert: !Or
          - !Equals [!Ref RegisterRoute53, "No"]
          - !Not [ !Equals [!Ref HostedSubdomain, "subdomain"]]
  CheckUsingSophosIfEc2ScanningEnabled:
    Assertions:
      - AssertDescription: Must use Sophos engine to enable EC2 large file scanning
        Assert: !Or
          - !And [ !Equals [!Ref EnableLargeFileScanning, "Yes"], !Equals [!Ref AgentScanningEngine, "Sophos"] ]
          - !Equals [!Ref EnableLargeFileScanning, "No"]

Conditions:
  BlanketKmsAccess: !Equals [!Ref AllowAccessToAllKmsKeys, "Yes"]
  UseLB: !Equals [!Ref UseLoadBalancer, "Yes"]
  DontUseLB: !Equals [!Ref UseLoadBalancer, "No"]
  UseRoute53: !And [ !Equals [!Ref UseLoadBalancer, "Yes"], !Equals [!Ref RegisterRoute53, "Yes"]]
  UseHostedZoneId: !And
    - Condition: UseRoute53
    - !Not [ !Equals [!Ref HostedZoneId, "ZXXXXDEFAULTXXXXXXXXX"]]
  UseHostedZoneName: !And
    - Condition: UseRoute53
    - !Equals [!Ref HostedZoneId, "ZXXXXDEFAULTXXXXXXXXX"]
  UseLBSubnetA: !Not [ !Equals [!Ref LBSubnetA, "enter-subnet-id"]]
  UseLBSubnetB: !Not [ !Equals [!Ref LBSubnetB, "enter-subnet-id"]]
  UseDefaultDynamoPrefix: !Equals [!Ref DynamoTableNamePrefix, "7-character-application-id."]
  IsAntivirus: !Equals [!Ref ProductMode, 'AV']
  IsGovCloud: !Equals [!Ref AWS::Region, "us-gov-west-1"]
  UseDefaultEcrAccount: !Equals [!Ref CustomEcrAccount, "default"]
  UseProxy: !Not [ !Equals [!Ref ProxyHost, "none"]]
  CreateConsoleRole: !Equals [!Ref ConsoleTaskRoleArn, "Created by CFT"]
  CreateConsoleSecurityGroup: !Equals [!Ref ConsoleSecurityGroup, "Created by CFT"]
  UseExistingConsoleSecurityGroup: !Not [ !Equals [!Ref ConsoleSecurityGroup, "Created by CFT"]]
  CreateConsoleSecurityGroupNoLB: !And
    - Condition: DontUseLB
    - Condition: CreateConsoleSecurityGroup
  CreateConsoleSecurityGroupLB: !And
    - Condition: UseLB
    - Condition: CreateConsoleSecurityGroup
  CreateContainerSecurityGroupLB: !And
    - Condition: UseLB
    - !Equals [!Ref ContainerSecurityGroupLB, "Created by CFT"]
  UseExistingContainerSecurityGroupLB: !And
    - Condition: UseLB
    - !Not [ !Equals [!Ref ContainerSecurityGroupLB, "Created by CFT"]]
  CreateAgentRole: !Equals [!Ref AgentTaskRoleArn, "Created by CFT"]
  CreateExecutionRole: !Equals [!Ref ExecutionRoleArn, "Created by CFT"]
  CreateEc2ContainerRole: !Equals [!Ref Ec2ContainerInstanceProfileArn, "Created by CFT"]
  CreateAppConfigDocRole: !Equals [!Ref AppConfigAgentConfigurationDocumentRoleArn, "Created by CFT"]
  CreateUserPoolSnsRole: !Equals [!Ref UserPoolSnsRoleArn, "Created by CFT"]
  CreateAutoScalingRole: !Equals [!Ref EnsureAutoScalingRoleExists, "Yes"]
  CreateAutoScalingRoleWithLb: !And [!Condition CreateAutoScalingRole, !Condition UseLB]
  CreateAutoScalingRoleWithoutLb: !And [!Condition CreateAutoScalingRole, !Condition DontUseLB]
  UseDefaultAutoProtectBucketTagKey: !Equals [!Ref AutoProtectBucketTagKey, "default"]
  UseDefaultCloudTrailLakeEventDataStoreName: !Equals [!Ref CloudTrailLakeDataStoreName, "default"]
  UseDefaultCloudTrailLakeChannelName: !Equals [!Ref CloudTrailLakeChannelName, "default"]

Mappings:
  yesNoToBool:
    "Yes":
      "value": true
    "No":
      "value": false
  vCPUvalues:
    "0.5vCPU":
      "size": 512
    "1vCPU":
      "size": 1024
    "2vCPU":
      "size": 2048
    "4vCPU":
      "size": 4096
  MemValues:
    "1GB":
      "size": 1024
    "2GB":
      "size": 2048
    "3GB":
      "size": 3072
    "4GB":
      "size": 4096
    "5GB":
      "size": 5120
    "6GB":
      "size": 6144
    "7GB":
      "size": 7168
    "8GB":
      "size": 8192
    "9GB":
      "size": 9216
    "10GB":
      "size": 10240
    "11GB":
      "size": 11264
    "12GB":
      "size": 12288
    "13GB":
      "size": 13312
    "14GB":
      "size": 14336
    "15GB":
      "size": 15360
    "16GB":
      "size": 16384
    "17GB":
      "size": 17408
    "18GB":
      "size": 18432
    "19GB":
      "size": 19456
    "20GB":
      "size": 20480
    "21GB":
      "size": 21504
    "22GB":
      "size": 22528
    "23GB":
      "size": 23552
    "24GB":
      "size": 24576
    "25GB":
      "size": 25600
    "26GB":
      "size": 26624
    "27GB":
      "size": 27648
    "28GB":
      "size": 28672
    "29GB":
      "size": 29696
    "30GB":
      "size": 30720

Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Please refer to the 'How to Deploy' section of the documentation for further information.
      - Label:
          default: "."
      - Parameters:
          - VPC
          - SubnetA
          - SubnetB
          - ConsoleSecurityGroup
          - ConsoleSecurityGroupCidrBlock
        Label:
          default: Network Configuration
      - Parameters:
          - ConsoleCpu
          - ConsoleMemory
          - UserName
          - Email
          - ConsoleAutoAssignPublicIp
          - EnableCloudTrailLake
          - DynamoPointInTimeRecoveryEnabled
          - StorageAssessmentEnabled
        Label:
          default: Console Configuration
      - Parameters:
          - AgentCpu
          - AgentMemory
          - AgentScanningEngine
          - MultiEngineScanningMode
          - AgentDiskSize
          - EnableLargeFileScanning
          - LargeFileDiskSize
          - LargeFileEC2Tags
          - AllowAccessToAllKmsKeys
          - AgentAutoAssignPublicIp
          - QuarantineInPrimaryAccount
          - QuarantineBucketDaysToExpire
          - AutoProtectBucketTagKey
        Label:
          default: Agent Configuration
      - Parameters:
          - OnlyScanWhenQueueThresholdExceeded
          - MinRunningAgents
          - MaxRunningAgents
          - NumMessagesInQueueScalingThreshold
        Label:
          default: Agent Auto-Scaling Configuration
      - Parameters:
          - UseLoadBalancer
          - ContainerSecurityGroupLB
          - Certificate
          - LBScheme
          - LBSubnetA
          - LBSubnetB
          - RegisterRoute53
          - HostedZoneName
          - HostedZoneId
          - HostedSubdomain
          - InfoOptOut
        Label:
          default: Optional Load Balancer Configuration
      - Parameters:
          - CustomEcrAccount
        Label:
          default: Optional custom hosting of docker container images
      - Parameters:
          - DynamoTableNamePrefix
          - QuarantineBucketNamePrefix
          - AppConfigApplicationPrefix
          - AppConfigEnvironmentPrefix
          - AppConfigDeploymentStrategyPrefix
          - AppConfigDocumentPrefix
          - AppConfigDocumentSchemaPrefix
          - AppConfigDocumentRolePrefix
          - AppConfigDocumentPolicyPrefix
          - UserPoolPrefix
          - UserPoolClientPrefix
          - UserPoolRolePrefix
          - UserPoolPolicyPrefix
          - ConsoleTaskRolePrefix
          - ConsoleTaskPolicyPrefix
          - AgentTaskRolePrefix
          - AgentTaskPolicyPrefix
          - CrossAccountRolePrefix
          - CrossAccountPolicyPrefix
          - CrossAccountEventBridgeRolePrefix
          - CrossAccountEventBridgePolicyPrefix
          - ExecutionRolePrefix
          - Ec2ContainerRolePrefix
          - Ec2ContainerPolicyPrefix
          - ClusterPrefix
          - ServicePrefix
          - TaskDefinitionPrefix
          - ConsoleSecurityGroupPrefix
          - LoadBalancerPrefix
          - TargetGroupPrefix
          - LoadBalancerGroupPrefix
          - ApiLoadBalancerPrefix
          - ApiTargetGroupPrefix
          - ParametersPrefix
          - NotificationsTopicPrefix
          - EventBasedScanTopicPrefix
          - EventBasedScanQueuePrefix
          - DcEventBasedScanQueuePrefix
          - RetroScanQueuePrefix
          - EventAgentTaskPrefix
          - EventAgentServicePrefix
          - DcEventAgentTaskPrefix
          - DcEventAgentServicePrefix
          - LargeFileAgentTaskPrefix
          - ApiAgentTaskPrefix
          - ApiAgentServicePrefix
          - RetroAgentTaskPrefix
          - RetroAgentServicePrefix
          - LargeEventQueueAlarmPrefix
          - SmallEventQueueAlarmPrefix
          - DecreaseAgentsScalingPolicyPrefix
          - IncreaseAgentsScalingPolicyPrefix
          - LargeDcEventQueueAlarmPrefix
          - SmallDcEventQueueAlarmPrefix
          - DecreaseDcAgentsScalingPolicyPrefix
          - IncreaseDcAgentsScalingPolicyPrefix
          - ApiRequestScalingPolicyPrefix
          - ApiCpuScalingPolicyPrefix
          - RetroQueueNotEmptyAlarmPrefix
          - RetroQueueEmptyAlarmPrefix
          - RemoveRetroAgentsScalingPolicyPrefix
          - SetRetroAgentsScalingPolicyPrefix
          - AgentSecurityGroupPrefix
          - CloudTrailLakeEventDataStorePrefix
          - CloudTrailLakeChannelPrefix
        Label:
          default: 'Optional AWS Resource Renaming (WARNING: do not change after initial deployment)'
      - Parameters:
          - ConsoleTaskRoleArn
          - ConsoleTaskRoleName
          - AgentTaskRoleArn
          - AgentTaskRoleName
          - ExecutionRoleArn
          - Ec2ContainerInstanceProfileArn
          - Ec2ContainerInstanceRoleName
          - AppConfigAgentConfigurationDocumentRoleArn
          - AppConfigAgentConfigurationDocumentRoleName
          - UserPoolSnsRoleArn
          - UserPoolSnsRoleName
          - EnsureAutoScalingRoleExists
        Label:
          default: 'Optional pre-existing role specification. These roles must exist before deployment and the trust relationships must match those in this template. Do not change these values if you would like the deployment to create roles'
      - Parameters:
          - ProxyHost
          - ProxyPort
        Label:
          default: 'Optional proxy configuration for AWS services that do not have available VPC Endpoints.'
      - Parameters:
          - ProductMode
        Label:
          default: 'Deployment specific settings. These should be left at default values.'
    ParameterLabels:
      VPC:
        default: Virtual Private Cloud (VPC) ID
      SubnetA:
        default: Subnet A ID
      SubnetB:
        default: Subnet B ID
      ConsoleSecurityGroup:
        default: Console Security Group ID
      ConsoleSecurityGroupCidrBlock:
        default: Console Security Group CIDR Block
      ConsoleCpu:
        default: Console vCPU
      ConsoleMemory:
        default: Console Memory
      ConsoleAutoAssignPublicIp:
        default: Console Auto Assign Public IP
      EnableCloudTrailLake:
        default: Enable CloudTrail Lake
      AgentCpu:
        default: Agent vCPU
      AgentMemory:
        default: Agent Memory
      AgentScanningEngine:
        default: Agent Scanning Engine
      MultiEngineScanningMode:
        default: Multi-Engine Scanning Mode
      AgentDiskSize:
        default: Agent Disk Size
      EnableLargeFileScanning:
        default: Enable Large File Scanning
      LargeFileDiskSize:
        default: Extra Large File Disk Size
      LargeFileEC2Tags:
        default: Extra Large File EC2 Tags
      AgentAutoAssignPublicIp:
        default: Agent Auto Assign Public IP
      MinRunningAgents:
        default: Minimum Number of Running Agents Per Region
      MaxRunningAgents:
        default: Maximum Number of Running Agents Per Region
      NumMessagesInQueueScalingThreshold:
        default: Number of Messages in Queue to Trigger Agent Auto-Scaling
      OnlyScanWhenQueueThresholdExceeded:
        default: Only Run Scanning Agents When Files Are In Queue?
      QuarantineInPrimaryAccount:
        default: Quarantine objects into the primary account for infections in linked accounts?
      QuarantineBucketDaysToExpire:
        default: Expire (delete) quarantined objects after a specified number of days?
      AutoProtectBucketTagKey:
        default: Bucket auto protection tag key
      DynamoPointInTimeRecoveryEnabled:
        default: DynamoDB Point In Time Recovery
      AllowAccessToAllKmsKeys:
        default: Allow Access To All KMS Keys?
      EnableStorageAssessment:
        default: Allow Console To Run Storage Assessment?
      UseLoadBalancer:
        default: Use a Load Balancer for the Console?
      ContainerSecurityGroupLB:
        default: Container Security Group ID
      Certificate:
        default: SSL Certificate ARN
      LBScheme:
        default: Load Balancer Scheme
      LBSubnetA:
        default: Load Balancer Subnet A ID
      LBSubnetB:
        default: Load Balancer Subnet B ID
      RegisterRoute53:
        default: Register a subdomain on Route53?
      HostedZoneName:
        default: Hosted Zone Name
      HostedZoneId:
        default: Hosted Zone ID
      HostedSubdomain:
        default: Subdomain
      InfoOptOut:
        default: Info Opt-Out
      CustomEcrAccount:
        default: Custom ECR Account
      ProxyHost:
        default: Proxy Host
      ProxyPort:
        default: Proxy Port
      ProductMode:
        default: Product Mode

Resources:
  AppConfigAgentApplication:
    Type: AWS::AppConfig::Application
    Properties:
      Description: AppConfig Application for CloudStorageSec Agents
      Name: !Join
        - ''
        - - !Ref AppConfigApplicationPrefix
          - !Select
            - 0
            - !Split
              - '-'
              - !Select
                - 2
                - !Split
                  - '/'
                  - !Ref AWS::StackId
  AppConfigAgentEnvironment:
    Type: AWS::AppConfig::Environment
    Properties:
      ApplicationId: !Ref AppConfigAgentApplication
      Name: !Sub '${AppConfigEnvironmentPrefix}${AppConfigAgentApplication}'
      Description: "AppConfig Environment for CloudStorageSec Agents"
  AppConfigAgentConfigurationDocumentRole:
    Type: AWS::IAM::Role
    Condition: CreateAppConfigDocRole
    Properties:
      RoleName: !Sub '${AppConfigDocumentRolePrefix}${AppConfigAgentApplication}'
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service: 'appconfig.amazonaws.com'
            Action: 'sts:AssumeRole'
  AppConfigAgentConfigurationDocumentPolicy:
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: !Sub '${AppConfigDocumentPolicyPrefix}${AppConfigAgentApplication}'
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
Action: - ssm:GetDocument Resource: - !Sub 'arn:${AWS::Partition}:ssm:*:*:document/${AppConfigDocument}' Roles: - !If [CreateAppConfigDocRole, !Ref AppConfigAgentConfigurationDocumentRole, !Ref AppConfigAgentConfigurationDocumentRoleName] AppConfigAgentDeploymentStrategy: Type: AWS::AppConfig::DeploymentStrategy DependsOn: AppConfigAgentApplication Properties: Name: !Sub '${AppConfigDeploymentStrategyPrefix}${AppConfigAgentApplication}' Description: "AppConfig Deployment Strategy for CloudStorageSec Agents" DeploymentDurationInMinutes: 0 FinalBakeTimeInMinutes: 0 GrowthFactor: 100 GrowthType: LINEAR ReplicateTo: NONE AppConfigDocumentSchema: Type: 'AWS::SSM::Document' DependsOn: ConsoleTaskPolicy Properties: DocumentType: ApplicationConfigurationSchema DocumentFormat: JSON Content: '{"$schema":"http://json-schema.org/draft-07/schema#","description":"Configuration for CloudStorageScan","type":"object","required":["objectTagKeys","quarantine","scanList","skipList","classifyList","classifySkipList","scanTaggingEnabled","scanTagsExcluded","classificationTaggingEnabled","classificationTagsExcluded"],"properties":{"scanTaggingEnabled":{"type":"boolean","description":"Indicates whether tags should be added to the scanned objects."},"scanTagsExcluded":{"type":"array","description":"Scan tags to not be added to scanned objects","items":{"type":"string"},"uniqueItems":true,"additionalProperties":false},"classificationTaggingEnabled":{"type":"boolean","description":"Indicates whether tags should be added to the classified objects."},"classificationTagsExcluded":{"type":"array","description":"Classification tags to not be added to classified 
objects","items":{"type":"string"},"uniqueItems":true,"additionalProperties":false},"avEventProtectedBuckets":{"type":"array","items":{"type":"string"},"uniqueItems":true,"additionalProperties":false},"avScheduledBuckets":{"type":"array","items":{"type":"string"},"uniqueItems":true,"additionalProperties":false},"dcEventBucketRuleSets":{"type":"object","patternProperties":{"^[a-zA-Z]+$":{"type":"array","items":{"type":"string"},"additionalProperties":false}}},"classificationRuleSets":{"type":"object","patternProperties":{"^[a-zA-Z]+$":{"type":"array","items":{"type":"string"},"additionalProperties":false}}},"objectTagKeys":{"type":"object","required":["result","dateScanned","virusName","virusUploadedBy","errorMessage","classificationResult","dateClassified","classificationMatches","classificationErrorMessage"],"properties":{"result":{"type":"string","description":"The tag key for scan results."},"dateScanned":{"type":"string","description":"The tag key for the scan date."},"virusName":{"type":"string","description":"The tag key for the virus name."},"virusUploadedBy":{"type":"string","description":"The tag key for who uploaded the virus."},"errorMessage":{"type":"string","description":"The tag key for the error message."},"classificationResult":{"type":"string","description":"The tag key for classification results."},"dateClassified":{"type":"string","description":"The tag key for the classification date."},"classificationMatches":{"type":"string","description":"The tag key for the list of classification matches found."},"classificationErrorMessage":{"type":"string","description":"The tag key for the classification error message."}}},"quarantine":{"type":"object","required":["action","moveBucketPrefix"],"properties":{"action":{"type":"string","pattern":"Keep|Move|Delete","description":"Action to take on an object upon a virus being detected."},"moveBucketPrefix":{"type":"string","description":"Bucket to move infected objects 
to."}}},"scanList":{"type":"object","patternProperties":{"^[a-zA-Z]+$":{"type":"array","items":{"type":"string"},"additionalProperties":false}}},"skipList":{"type":"object","patternProperties":{"^[a-zA-Z]+$":{"type":"array","items":{"type":"string"},"additionalProperties":false}}},"classifyList":{"type":"object","patternProperties":{"^[a-zA-Z]+$":{"type":"array","items":{"type":"string"},"additionalProperties":false}}},"classifySkipList":{"type":"object","patternProperties":{"^[a-zA-Z]+$":{"type":"array","items":{"type":"string"},"additionalProperties":false}}}},"additionalProperties":false}' Name: !Sub '${AppConfigDocumentPrefix}Schema-${AppConfigAgentApplication}' Tags: - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]] Value: 'ConfigSchema' UpdateMethod: NewVersion AppConfigDocument: Type: 'AWS::SSM::Document' DependsOn: AppConfigDocumentSchema Properties: DocumentType: ApplicationConfiguration DocumentFormat: JSON Content: !Sub '{"scanTaggingEnabled":true,"scanTagsExcluded":[],"classificationTaggingEnabled":true,"classificationTagsExcluded":[],"objectTagKeys":{"result":"scan-result","dateScanned":"date-scanned","virusName":"virus-name","virusUploadedBy":"uploaded-by","errorMessage":"message","classificationResult":"classification-result","dateClassified":"date-classified","classificationMatches":"classification-matches","classificationErrorMessage":"classification-message"},"quarantine":{"action":"Move","moveBucketPrefix":"${QuarantineBucketNamePrefix}${AppConfigAgentApplication}"},"scanList":{},"skipList":{},"classifyList":{},"classifySkipList":{}}' Name: !Sub '${AppConfigDocumentPrefix}Doc-${AppConfigAgentApplication}' Tags: - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]] Value: 'ConfigDoc' Requires: - Name: !Ref AppConfigDocumentSchema Version: $LATEST UpdateMethod: NewVersion AppConfigProfile: Type: 'AWS::AppConfig::ConfigurationProfile' DependsOn: AppConfigAgentConfigurationDocumentPolicy Properties: ApplicationId: 
!Ref AppConfigAgentApplication Description: 'AppConfig profile for CloudStorageSec Agents' Name: !Sub '${AppConfigDocumentPrefix}Profile-${AppConfigAgentApplication}' LocationUri: !Sub 'ssm-document://${AppConfigDocument}' RetrievalRoleArn: !If [CreateAppConfigDocRole, !GetAtt AppConfigAgentConfigurationDocumentRole.Arn, !Ref AppConfigAgentConfigurationDocumentRoleArn] Tags: - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]] Value: 'ConfigProfile' Type: AWS.Freeform AppConfigAgentDeployment: Type: AWS::AppConfig::Deployment Properties: ApplicationId: !Ref AppConfigAgentApplication EnvironmentId: !Ref AppConfigAgentEnvironment ConfigurationProfileId: !Ref AppConfigProfile DeploymentStrategyId: !Ref AppConfigAgentDeploymentStrategy ConfigurationVersion: 1 Description: "AppConfig Deployment for CloudStorageSec Agents" BucketsTable: Type: AWS::DynamoDB::Table DependsOn: ConsoleTaskPolicy Properties: AttributeDefinitions: - AttributeName: "Name" AttributeType: "S" KeySchema: - AttributeName: "Name" KeyType: "HASH" BillingMode: PAY_PER_REQUEST TableName: !Sub '${DynamoTableNamePrefixParameter.Value}Buckets' PointInTimeRecoverySpecification: PointInTimeRecoveryEnabled: !GetAtt DynamoPointInTimeRecoveryEnabledParameter.Value Tags: - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]] Value: 'DynamoTable' SubnetsTable: Type: AWS::DynamoDB::Table DependsOn: ConsoleTaskPolicy Properties: AttributeDefinitions: - AttributeName: "Region" AttributeType: "S" KeySchema: - AttributeName: "Region" KeyType: "HASH" BillingMode: PAY_PER_REQUEST TableName: !Sub '${DynamoTableNamePrefixParameter.Value}Subnets' PointInTimeRecoverySpecification: PointInTimeRecoveryEnabled: !GetAtt DynamoPointInTimeRecoveryEnabledParameter.Value Tags: - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]] Value: 'DynamoTable' StorageAnalysisTable: Type: AWS::DynamoDB::Table DependsOn: ConsoleTaskPolicy Properties: AttributeDefinitions: - AttributeName: 
"BucketName" AttributeType: "S" - AttributeName: "ScanDate" AttributeType: "S" - AttributeName: "TrackerFlag" AttributeType: "N" KeySchema: - AttributeName: "BucketName" KeyType: "HASH" - AttributeName: "ScanDate" KeyType: "RANGE" GlobalSecondaryIndexes: - IndexName: DateIndex KeySchema: - AttributeName: "TrackerFlag" KeyType: "HASH" - AttributeName: "ScanDate" KeyType: "RANGE" Projection: ProjectionType: ALL BillingMode: PAY_PER_REQUEST TableName: !Sub '${DynamoTableNamePrefixParameter.Value}StorageAnalysis' PointInTimeRecoverySpecification: PointInTimeRecoveryEnabled: !GetAtt DynamoPointInTimeRecoveryEnabledParameter.Value Tags: - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]] Value: 'DynamoTable' FileCountTable: Type: AWS::DynamoDB::Table DependsOn: ConsoleTaskPolicy Properties: AttributeDefinitions: - AttributeName: "ScanDate" AttributeType: "S" - AttributeName: "Guid" AttributeType: "S" - AttributeName: "TrackerFlag" AttributeType: "N" KeySchema: - AttributeName: "ScanDate" KeyType: "HASH" - AttributeName: "Guid" KeyType: "RANGE" GlobalSecondaryIndexes: - IndexName: DateIndex KeySchema: - AttributeName: "TrackerFlag" KeyType: "HASH" - AttributeName: "ScanDate" KeyType: "RANGE" Projection: ProjectionType: ALL BillingMode: PAY_PER_REQUEST TableName: !Sub '${DynamoTableNamePrefixParameter.Value}FileCount' PointInTimeRecoverySpecification: PointInTimeRecoveryEnabled: !GetAtt DynamoPointInTimeRecoveryEnabledParameter.Value Tags: - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]] Value: 'DynamoTable' ConsoleTable: Type: AWS::DynamoDB::Table DependsOn: ConsoleTaskPolicy Properties: AttributeDefinitions: - AttributeName: "ApplicationId" AttributeType: "S" KeySchema: - AttributeName: "ApplicationId" KeyType: "HASH" BillingMode: PAY_PER_REQUEST TableName: !Sub '${DynamoTableNamePrefixParameter.Value}Console' PointInTimeRecoverySpecification: PointInTimeRecoveryEnabled: !GetAtt DynamoPointInTimeRecoveryEnabledParameter.Value Tags: 
- Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]] Value: 'DynamoTable' AgentsTable: Type: AWS::DynamoDB::Table DependsOn: ConsoleTaskPolicy Properties: AttributeDefinitions: - AttributeName: "AgentId" AttributeType: "S" - AttributeName: "DeactivationDate" AttributeType: "S" - AttributeName: "Active" AttributeType: "N" KeySchema: - AttributeName: "AgentId" KeyType: "HASH" GlobalSecondaryIndexes: - IndexName: ActiveAndDeactivationDateIndex KeySchema: - AttributeName: Active KeyType: HASH - AttributeName: DeactivationDate KeyType: RANGE Projection: ProjectionType: ALL BillingMode: PAY_PER_REQUEST TableName: !Sub '${DynamoTableNamePrefixParameter.Value}Agents' PointInTimeRecoverySpecification: PointInTimeRecoveryEnabled: !GetAtt DynamoPointInTimeRecoveryEnabledParameter.Value Tags: - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]] Value: 'DynamoTable' AgentDataTable: Type: AWS::DynamoDB::Table DependsOn: ConsoleTaskPolicy Properties: AttributeDefinitions: - AttributeName: "AgentId" AttributeType: "S" - AttributeName: "Tstp" AttributeType: "N" - AttributeName: "TrackerFlag" AttributeType: "N" KeySchema: - AttributeName: "AgentId" KeyType: "HASH" - AttributeName: "Tstp" KeyType: "RANGE" GlobalSecondaryIndexes: - IndexName: TstpIndex KeySchema: - AttributeName: TrackerFlag KeyType: HASH - AttributeName: Tstp KeyType: RANGE Projection: ProjectionType: ALL BillingMode: PAY_PER_REQUEST TableName: !Sub '${DynamoTableNamePrefixParameter.Value}AgentData' PointInTimeRecoverySpecification: PointInTimeRecoveryEnabled: !GetAtt DynamoPointInTimeRecoveryEnabledParameter.Value Tags: - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]] Value: 'DynamoTable' BucketScanStatisticsTable: Type: AWS::DynamoDB::Table DependsOn: ConsoleTaskPolicy Properties: AttributeDefinitions: - AttributeName: "BucketName" AttributeType: "S" - AttributeName: "Date" AttributeType: "S" - AttributeName: "TrackerFlag" AttributeType: "N" KeySchema: - 
AttributeName: "BucketName" KeyType: "HASH" - AttributeName: "Date" KeyType: "RANGE" GlobalSecondaryIndexes: - IndexName: DateIndex KeySchema: - AttributeName: TrackerFlag KeyType: HASH - AttributeName: Date KeyType: RANGE Projection: ProjectionType: ALL BillingMode: PAY_PER_REQUEST TableName: !Sub '${DynamoTableNamePrefixParameter.Value}BucketScanStatistics' PointInTimeRecoverySpecification: PointInTimeRecoveryEnabled: !GetAtt DynamoPointInTimeRecoveryEnabledParameter.Value Tags: - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]] Value: 'DynamoTable' BucketClassificationStatisticsTable: Type: AWS::DynamoDB::Table DependsOn: ConsoleTaskPolicy Properties: AttributeDefinitions: - AttributeName: "BucketName" AttributeType: "S" - AttributeName: "Date" AttributeType: "S" KeySchema: - AttributeName: "BucketName" KeyType: "HASH" - AttributeName: "Date" KeyType: "RANGE" GlobalSecondaryIndexes: - IndexName: DateIndex KeySchema: - AttributeName: Date KeyType: HASH Projection: ProjectionType: ALL BillingMode: PAY_PER_REQUEST TableName: !Sub '${DynamoTableNamePrefixParameter.Value}BucketClassificationStatistics' PointInTimeRecoverySpecification: PointInTimeRecoveryEnabled: !GetAtt DynamoPointInTimeRecoveryEnabledParameter.Value Tags: - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]] Value: 'DynamoTable' SophosTapDataTable: Type: AWS::DynamoDB::Table DependsOn: ConsoleTaskPolicy Properties: AttributeDefinitions: - AttributeName: "Date" AttributeType: "S" - AttributeName: "Tstp" AttributeType: "N" KeySchema: - AttributeName: "Date" KeyType: "HASH" - AttributeName: "Tstp" KeyType: "RANGE" BillingMode: PAY_PER_REQUEST TableName: !Sub '${DynamoTableNamePrefixParameter.Value}SophosTapData' PointInTimeRecoverySpecification: PointInTimeRecoveryEnabled: !GetAtt DynamoPointInTimeRecoveryEnabledParameter.Value Tags: - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]] Value: 'DynamoTable' DailyScanStatisticsTable: Type: 
AWS::DynamoDB::Table DependsOn: ConsoleTaskPolicy Properties: AttributeDefinitions: - AttributeName: "AccountId" AttributeType: "S" - AttributeName: "Date" AttributeType: "S" - AttributeName: "ScanType" AttributeType: "S" - AttributeName: "ScanEngine" AttributeType: "S" - AttributeName: "TrackerFlag" AttributeType: "N" KeySchema: - AttributeName: "AccountId" KeyType: "HASH" - AttributeName: "Date" KeyType: "RANGE" GlobalSecondaryIndexes: - IndexName: ScanTypeAndScanEngine KeySchema: - AttributeName: ScanType KeyType: HASH - AttributeName: ScanEngine KeyType: RANGE Projection: ProjectionType: ALL - IndexName: LastRecordDate KeySchema: - AttributeName: TrackerFlag KeyType: HASH - AttributeName: Date KeyType: RANGE Projection: ProjectionType: ALL BillingMode: PAY_PER_REQUEST TableName: !Sub '${DynamoTableNamePrefixParameter.Value}DailyScanStatistics' PointInTimeRecoverySpecification: PointInTimeRecoveryEnabled: !GetAtt DynamoPointInTimeRecoveryEnabledParameter.Value Tags: - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]] Value: 'DynamoTable' MonthlyScanStatisticsTable: Type: AWS::DynamoDB::Table DependsOn: ConsoleTaskPolicy Properties: AttributeDefinitions: - AttributeName: "AccountId" AttributeType: "S" - AttributeName: "Date" AttributeType: "S" - AttributeName: "TrackerFlag" AttributeType: "N" - AttributeName: "ScanType" AttributeType: "S" - AttributeName: "ScanEngine" AttributeType: "S" KeySchema: - AttributeName: "AccountId" KeyType: "HASH" - AttributeName: "Date" KeyType: "RANGE" GlobalSecondaryIndexes: - IndexName: ScanTypeAndScanEngine KeySchema: - AttributeName: ScanType KeyType: HASH - AttributeName: ScanEngine KeyType: RANGE Projection: ProjectionType: ALL - IndexName: LastRecordDate KeySchema: - AttributeName: TrackerFlag KeyType: HASH - AttributeName: Date KeyType: RANGE Projection: ProjectionType: ALL BillingMode: PAY_PER_REQUEST TableName: !Sub '${DynamoTableNamePrefixParameter.Value}MonthlyScanStatistics' 
PointInTimeRecoverySpecification: PointInTimeRecoveryEnabled: !GetAtt DynamoPointInTimeRecoveryEnabledParameter.Value Tags: - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]] Value: 'DynamoTable' ProblemFilesTable: Type: AWS::DynamoDB::Table DependsOn: ConsoleTaskPolicy Properties: AttributeDefinitions: - AttributeName: "Guid" AttributeType: "S" - AttributeName: "DateScanned" AttributeType: "S" - AttributeName: "AccountId" AttributeType: "S" - AttributeName: "AccountIdResult" AttributeType: "S" KeySchema: - AttributeName: "Guid" KeyType: "HASH" - AttributeName: "DateScanned" KeyType: "RANGE" GlobalSecondaryIndexes: - IndexName: AccountIdAndDateScanned KeySchema: - AttributeName: AccountId KeyType: HASH - AttributeName: DateScanned KeyType: RANGE Projection: ProjectionType: ALL - IndexName: AccountIdResultAndDateScanned KeySchema: - AttributeName: AccountIdResult KeyType: HASH - AttributeName: DateScanned KeyType: RANGE Projection: ProjectionType: ALL BillingMode: PAY_PER_REQUEST TableName: !Sub '${DynamoTableNamePrefixParameter.Value}ProblemFiles' PointInTimeRecoverySpecification: PointInTimeRecoveryEnabled: !GetAtt DynamoPointInTimeRecoveryEnabledParameter.Value Tags: - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]] Value: 'DynamoTable' ClassificationResultsTable: Type: AWS::DynamoDB::Table DependsOn: ConsoleTaskPolicy Properties: AttributeDefinitions: - AttributeName: "Date" AttributeType: "S" - AttributeName: "Guid" AttributeType: "S" - AttributeName: "AccountId" AttributeType: "S" KeySchema: - AttributeName: "Date" KeyType: "HASH" - AttributeName: "Guid" KeyType: "RANGE" GlobalSecondaryIndexes: - IndexName: AccountIdAndGuid KeySchema: - AttributeName: AccountId KeyType: HASH - AttributeName: Guid KeyType: RANGE Projection: ProjectionType: ALL BillingMode: PAY_PER_REQUEST TableName: !Sub '${DynamoTableNamePrefixParameter.Value}ClassificationResults' PointInTimeRecoverySpecification: PointInTimeRecoveryEnabled: !GetAtt 
DynamoPointInTimeRecoveryEnabledParameter.Value Tags: - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]] Value: 'DynamoTable' AllowedInfectedFilesTable: Type: AWS::DynamoDB::Table DependsOn: ConsoleTaskPolicy Properties: AttributeDefinitions: - AttributeName: "BucketAndKey" AttributeType: "S" - AttributeName: "VirusName" AttributeType: "S" - AttributeName: "DateAdded" AttributeType: "S" - AttributeName: "Active" AttributeType: "N" KeySchema: - AttributeName: "BucketAndKey" KeyType: "HASH" - AttributeName: "VirusName" KeyType: "RANGE" GlobalSecondaryIndexes: - IndexName: ActiveAndDateAdded KeySchema: - AttributeName: Active KeyType: HASH - AttributeName: DateAdded KeyType: RANGE Projection: ProjectionType: ALL BillingMode: PAY_PER_REQUEST TableName: !Sub '${DynamoTableNamePrefixParameter.Value}AllowedInfectedFiles' PointInTimeRecoverySpecification: PointInTimeRecoveryEnabled: !GetAtt DynamoPointInTimeRecoveryEnabledParameter.Value Tags: - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]] Value: 'DynamoTable' LinkedAccountsTable: Type: AWS::DynamoDB::Table DependsOn: ConsoleTaskPolicy Properties: AttributeDefinitions: - AttributeName: "AccountId" AttributeType: "S" KeySchema: - AttributeName: "AccountId" KeyType: "HASH" BillingMode: PAY_PER_REQUEST TableName: !Sub '${DynamoTableNamePrefixParameter.Value}LinkedAccounts' PointInTimeRecoverySpecification: PointInTimeRecoveryEnabled: !GetAtt DynamoPointInTimeRecoveryEnabledParameter.Value Tags: - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]] Value: 'DynamoTable' WorkDocsConnectionsTable: Type: AWS::DynamoDB::Table DependsOn: ConsoleTaskPolicy Properties: AttributeDefinitions: - AttributeName: "OrganizationId" AttributeType: "S" KeySchema: - AttributeName: "OrganizationId" KeyType: "HASH" BillingMode: PAY_PER_REQUEST TableName: !Sub '${DynamoTableNamePrefixParameter.Value}WorkDocsConnections' PointInTimeRecoverySpecification: PointInTimeRecoveryEnabled: !GetAtt 
DynamoPointInTimeRecoveryEnabledParameter.Value Tags: - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]] Value: 'DynamoTable' GroupsTable: Type: AWS::DynamoDB::Table DependsOn: ConsoleTaskPolicy Properties: AttributeDefinitions: - AttributeName: "Id" AttributeType: "S" KeySchema: - AttributeName: "Id" KeyType: "HASH" BillingMode: PAY_PER_REQUEST TableName: !Sub '${DynamoTableNamePrefixParameter.Value}Groups' PointInTimeRecoverySpecification: PointInTimeRecoveryEnabled: !GetAtt DynamoPointInTimeRecoveryEnabledParameter.Value Tags: - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]] Value: 'DynamoTable' GroupMembershipTable: Type: AWS::DynamoDB::Table DependsOn: ConsoleTaskPolicy Properties: AttributeDefinitions: - AttributeName: "ParentGroupId" AttributeType: "S" - AttributeName: "ChildGroupId" AttributeType: "S" KeySchema: - AttributeName: "ParentGroupId" KeyType: "HASH" - AttributeName: "ChildGroupId" KeyType: "RANGE" BillingMode: PAY_PER_REQUEST TableName: !Sub '${DynamoTableNamePrefixParameter.Value}GroupMembership' PointInTimeRecoverySpecification: PointInTimeRecoveryEnabled: !GetAtt DynamoPointInTimeRecoveryEnabledParameter.Value Tags: - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]] Value: 'DynamoTable' JobsTable: Type: AWS::DynamoDB::Table DependsOn: ConsoleTaskPolicy Properties: AttributeDefinitions: - AttributeName: "Type" AttributeType: "S" - AttributeName: "Date" AttributeType: "S" - AttributeName: "Status" AttributeType: "N" - AttributeName: "ParentJobId" AttributeType: "S" KeySchema: - AttributeName: "Type" KeyType: "HASH" - AttributeName: "Date" KeyType: "RANGE" GlobalSecondaryIndexes: - IndexName: Status KeySchema: - AttributeName: Status KeyType: HASH Projection: ProjectionType: ALL - IndexName: TypeAndParentJobId KeySchema: - AttributeName: Type KeyType: HASH - AttributeName: ParentJobId KeyType: RANGE Projection: ProjectionType: ALL BillingMode: PAY_PER_REQUEST TableName: !Sub 
'${DynamoTableNamePrefixParameter.Value}Jobs' PointInTimeRecoverySpecification: PointInTimeRecoveryEnabled: !GetAtt DynamoPointInTimeRecoveryEnabledParameter.Value Tags: - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]] Value: 'DynamoTable' LinkedAccountMembershipTable: Type: AWS::DynamoDB::Table DependsOn: ConsoleTaskPolicy Properties: AttributeDefinitions: - AttributeName: "GroupId" AttributeType: "S" - AttributeName: "AccountId" AttributeType: "S" KeySchema: - AttributeName: "GroupId" KeyType: "HASH" - AttributeName: "AccountId" KeyType: "RANGE" BillingMode: PAY_PER_REQUEST TableName: !Sub '${DynamoTableNamePrefixParameter.Value}LinkedAccountMembership' PointInTimeRecoverySpecification: PointInTimeRecoveryEnabled: !GetAtt DynamoPointInTimeRecoveryEnabledParameter.Value Tags: - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]] Value: 'DynamoTable' VisibleGroupsTable: Type: AWS::DynamoDB::Table DependsOn: ConsoleTaskPolicy Properties: AttributeDefinitions: - AttributeName: "Username" AttributeType: "S" KeySchema: - AttributeName: "Username" KeyType: "HASH" BillingMode: PAY_PER_REQUEST TableName: !Sub '${DynamoTableNamePrefixParameter.Value}VisibleGroups' PointInTimeRecoverySpecification: PointInTimeRecoveryEnabled: !GetAtt DynamoPointInTimeRecoveryEnabledParameter.Value Tags: - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]] Value: 'DynamoTable' ScheduledScansTable: Type: AWS::DynamoDB::Table DependsOn: ConsoleTaskPolicy Properties: AttributeDefinitions: - AttributeName: "ScheduleName" AttributeType: "S" KeySchema: - AttributeName: "ScheduleName" KeyType: "HASH" BillingMode: PAY_PER_REQUEST TableName: !Sub '${DynamoTableNamePrefixParameter.Value}ScheduledScans' PointInTimeRecoverySpecification: PointInTimeRecoveryEnabled: !GetAtt DynamoPointInTimeRecoveryEnabledParameter.Value Tags: - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]] Value: 'DynamoTable' ScheduledClassificationsTable: 
Type: AWS::DynamoDB::Table DependsOn: ConsoleTaskPolicy Properties: AttributeDefinitions: - AttributeName: "Name" AttributeType: "S" KeySchema: - AttributeName: "Name" KeyType: "HASH" BillingMode: PAY_PER_REQUEST TableName: !Sub '${DynamoTableNamePrefixParameter.Value}ScheduledClassifications' PointInTimeRecoverySpecification: PointInTimeRecoveryEnabled: !GetAtt DynamoPointInTimeRecoveryEnabledParameter.Value Tags: - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]] Value: 'DynamoTable' LicenseFileHistoryTable: Type: AWS::DynamoDB::Table DependsOn: ConsoleTaskPolicy Properties: AttributeDefinitions: - AttributeName: "Type" AttributeType: "S" - AttributeName: "DateApplied" AttributeType: "S" KeySchema: - AttributeName: "Type" KeyType: "HASH" - AttributeName: "DateApplied" KeyType: "RANGE" BillingMode: PAY_PER_REQUEST TableName: !Sub '${DynamoTableNamePrefixParameter.Value}LicenseFileHistory' PointInTimeRecoverySpecification: PointInTimeRecoveryEnabled: !GetAtt DynamoPointInTimeRecoveryEnabledParameter.Value Tags: - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]] Value: 'DynamoTable' DeploymentStatusTable: Type: AWS::DynamoDB::Table DependsOn: ConsoleTaskPolicy Properties: AttributeDefinitions: - AttributeName: "Region" AttributeType: "S" KeySchema: - AttributeName: "Region" KeyType: "HASH" BillingMode: PAY_PER_REQUEST TableName: !Sub '${DynamoTableNamePrefixParameter.Value}DeploymentStatus' PointInTimeRecoverySpecification: PointInTimeRecoveryEnabled: !GetAtt DynamoPointInTimeRecoveryEnabledParameter.Value Tags: - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]] Value: 'DynamoTable' NotificationsTable: Type: AWS::DynamoDB::Table DependsOn: ConsoleTaskPolicy Properties: AttributeDefinitions: - AttributeName: "Guid" AttributeType: "S" - AttributeName: "Date" AttributeType: "S" - AttributeName: "AccountId" AttributeType: "S" - AttributeName: "Read" AttributeType: "N" KeySchema: - AttributeName: "Guid" KeyType: 
"HASH" - AttributeName: "Date" KeyType: "RANGE" GlobalSecondaryIndexes: - IndexName: AccountIdAndDate KeySchema: - AttributeName: AccountId KeyType: HASH - AttributeName: Date KeyType: RANGE Projection: ProjectionType: ALL - IndexName: ReadAndDate KeySchema: - AttributeName: Read KeyType: HASH - AttributeName: Date KeyType: RANGE Projection: ProjectionType: ALL BillingMode: PAY_PER_REQUEST TableName: !Sub '${DynamoTableNamePrefixParameter.Value}Notifications' PointInTimeRecoverySpecification: PointInTimeRecoveryEnabled: !GetAtt DynamoPointInTimeRecoveryEnabledParameter.Value Tags: - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]] Value: 'DynamoTable' UserPoolSnsRole: Type: AWS::IAM::Role Condition: CreateUserPoolSnsRole Properties: RoleName: !Sub '${UserPoolRolePrefix}${AppConfigAgentApplication}' AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: Service: - "cognito-idp.amazonaws.com" Action: - "sts:AssumeRole" Policies: - PolicyName: !Sub '${UserPoolPolicyPrefix}${AppConfigAgentApplication}' PolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Action: "sns:publish" Resource: "*" UserPool: Type: AWS::Cognito::UserPool Properties: AdminCreateUserConfig: AllowAdminCreateUserOnly: true InviteMessageTemplate: EmailSubject: !Sub - '${PRODUCTDESC} for Amazon S3 - Console Account Information' - PRODUCTDESC: !If [IsAntivirus, 'Antivirus', 'Data Classification'] EmailMessage: !Sub - 'A new account has been created for you in the ${PRODUCTDESC} for Amazon S3 Console.
Your account credentials are provided below:

User Name: {username}
Temporary Password: {####}

This temporary password will expire in 7 days.

Sign in at ${URL} to change your password.

Have Fun,
Cloud Storage Security
support@cloudstoragesec.com
801-410-0408' - PRODUCTDESC: !If [IsAntivirus, 'Antivirus', 'Data Classification'] URL: !If [UseLB, !If [UseRoute53, !Sub 'https://${HostedSubdomain}.${HostedZoneName}', 'the address provided by your application administrator'], !Sub 'https://${SubdomainParameter.Value}.cloudstoragesecapp.com'] UserPoolName: !Sub '${UserPoolPrefix}${AppConfigAgentApplication}' MfaConfiguration: OPTIONAL EnabledMfas: [SOFTWARE_TOKEN_MFA, SMS_MFA] AccountRecoverySetting: RecoveryMechanisms: - Name: verified_email Priority: 1 AutoVerifiedAttributes: - phone_number - email SmsConfiguration: ExternalId: !Join ['-', [CloudStorageSecUserPoolExternal, !Ref AppConfigAgentApplication]] SnsCallerArn: !If [CreateUserPoolSnsRole, !GetAtt UserPoolSnsRole.Arn, !Ref UserPoolSnsRoleArn] Policies: PasswordPolicy: MinimumLength: 12 RequireLowercase: true RequireUppercase: true RequireNumbers: true RequireSymbols: true TemporaryPasswordValidityDays: 7 Schema: - AttributeDataType: Number Mutable: true Name: hide_welcome_msg NumberAttributeConstraints: MinValue: 0 MaxValue: 1 - AttributeDataType: Number Mutable: true Name: hide_trial_msg NumberAttributeConstraints: MinValue: 0 MaxValue: 1 - AttributeDataType: Number Mutable: true Name: user_disabled NumberAttributeConstraints: MinValue: 0 MaxValue: 1 - AttributeDataType: String Mutable: true Name: aws_account_id StringAttributeConstraints: MinLength: 12 MaxLength: 12 UserPoolClient: Type: AWS::Cognito::UserPoolClient Properties: ClientName: !Sub '${UserPoolClientPrefix}${AppConfigAgentApplication}' GenerateSecret: true UserPoolId: !Ref UserPool UserPoolAdminGroup: Type: AWS::Cognito::UserPoolGroup Properties: Description: Accounts with Admin level access GroupName: Admins UserPoolId: !Ref UserPool UserPoolUserGroup: Type: AWS::Cognito::UserPoolGroup Properties: Description: Accounts with user level access GroupName: Users UserPoolId: !Ref UserPool UserPoolApiGroup: Type: AWS::Cognito::UserPoolGroup Properties: Description: Accounts with API level access 
      GroupName: Api
      UserPoolId: !Ref UserPool
  UserPoolReadOnlyGroup:
    Type: AWS::Cognito::UserPoolGroup
    Properties:
      Description: Accounts with ReadOnly level access
      GroupName: ReadOnly
      UserPoolId: !Ref UserPool
  UserPoolPrimaryGroup:
    Type: AWS::Cognito::UserPoolGroup
    Properties:
      Description: Accounts with access to the Primary group
      GroupName: Primary
      UserPoolId: !Ref UserPool
  UserPoolUser:
    Type: AWS::Cognito::UserPoolUser
    Properties:
      DesiredDeliveryMediums: [EMAIL]
      Username: !Ref UserName
      UserPoolId: !Ref UserPool
      UserAttributes:
        - Name: email
          Value: !Ref Email
        - Name: email_verified
          Value: true
  UserPoolUserAdminGroupAttachment:
    Type: AWS::Cognito::UserPoolUserToGroupAttachment
    # GroupName below is a literal, so CloudFormation infers no dependency on the Admins group;
    # it must be listed explicitly or the attachment can race its creation.
    DependsOn:
      - UserPoolAdminGroup
      - UserPoolUserGroup
      - UserPoolUser
    Properties:
      GroupName: Admins
      Username: !Ref UserName
      UserPoolId: !Ref UserPool
  ConsoleTaskRole:
    Type: AWS::IAM::Role
    Condition: CreateConsoleRole
    Properties:
      RoleName: !Sub '${ConsoleTaskRolePrefix}${AppConfigAgentApplication}'
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
            Action: 'sts:AssumeRole'
  ConsoleTaskPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: !Sub '${ConsoleTaskPolicyPrefix}${AppConfigAgentApplication}'
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: !Sub 'AllResources${AppConfigAgentApplication}'
            Effect: Allow
            Action:
              - acm:DescribeCertificate
              - acm:RequestCertificate
              - application-autoscaling:*ScalableTarget*
              - application-autoscaling:PutScalingPolicy
              - aws-marketplace:MeterUsage
              - cloudwatch:GetMetricStatistics
              - ec2:DeleteVolume
              - ec2:DescribeInternetGateways
              - ec2:DescribeNetwork*
              - ec2:DescribeRouteTables
              - ec2:DescribeSecurityGroups
              - ec2:DescribeSubnets
              - ec2:DescribeVolumes
              - ec2:DescribeVpcs
              - ecs:CreateCluster
              - ecs:*TaskDefinition*
              - ecs:ListTasks
              - ecs:RunTask
              - workdocs:*Document*
              - workdocs:*Labels
              - workdocs:*Metadata
              - workdocs:*NotificationSubscription
            Resource: "*"
          - Sid: !Sub 'AllResourcesInService${AppConfigAgentApplication}'
            Effect: Allow
            Action:
              - cloudwatch:DescribeAlarms
              - ec2:AuthorizeSecurityGroupIngress
              - ec2:*SecurityGroup
              - ec2:CreateTags
              - ec2:RevokeSecurityGroupIngress
              - ec2:RunInstances
              - ec2:TerminateInstances
              - logs:CreateLogStream
              - logs:DescribeLog*
              - logs:FilterLogEvents
              - logs:GetLog*
              - logs:GetQueryResults
              - logs:PutLogEvents
              - logs:*Query
              - s3:CreateBucket
              - s3:GetBucket*
              - s3:Get*Configuration
              - s3:GetObject*
              - s3:ListAllMyBuckets
              - s3:ListBucket
              - s3:PutBucket*
              - s3:PutObject*
              - s3:Put*Configuration
              - sns:ListSubscriptions*
              - sns:ListTopics
              - sns:Subscribe
              - sns:Unsubscribe
              - sqs:ListQueues
            Resource:
              - !Sub 'arn:${AWS::Partition}:cloudwatch:*:*:alarm:*'
              - !Sub 'arn:${AWS::Partition}:ec2:*::image/*'
              - !Sub 'arn:${AWS::Partition}:ec2:*:*:*'
              - !Sub 'arn:${AWS::Partition}:logs:*:*:*'
              - !Sub 'arn:${AWS::Partition}:s3:::*'
              - !Sub 'arn:${AWS::Partition}:sns:*:*:*'
              - !Sub 'arn:${AWS::Partition}:sqs:*:*:*'
          - Sid: !Sub 'RestrictedResources${AppConfigAgentApplication}'
            Effect: Allow
            Action:
              - appconfig:*Profile*
              - appconfig:*Deployment
              - appconfig:TagResource
              - appconfig:UpdateDeploymentStrategy
              - cloudformation:DescribeStacks
              - cloudformation:UpdateStack
              - cloudwatch:DeleteAlarms
              - cloudwatch:DescribeAlarms
              - cloudwatch:PutMetricAlarm
              - cloudwatch:TagResource
              - cognito-idp:*
              - dynamodb:BatchWriteItem
              - dynamodb:CreateTable
              - dynamodb:DeleteItem
              - dynamodb:DeleteTable
              - dynamodb:DescribeContinuousBackups
              - dynamodb:DescribeTable
              - dynamodb:GetItem
              - dynamodb:ListTagsOfResource
              - dynamodb:PutItem
              - dynamodb:Query
              - dynamodb:Scan
              - dynamodb:TagResource
              - dynamodb:UpdateContinuousBackups
              - dynamodb:UpdateItem
              - dynamodb:UpdateTable
              - ecr:ListImages
              - ecs:CreateService
              - ecs:DeleteCluster
              - ecs:DeleteService
              - ecs:Describe*
              - ecs:ListContainerInstances
              - ecs:ListTagsForResource
              - ecs:StopTask
              - ecs:TagResource
              - ecs:UpdateService
              - events:*Bus
              - events:*Permission
              - events:*Rule
              - events:*Targets
              - events:*agResource
              - iam:*InstanceProfile
              - iam:*RolePolicy
              - iam:CreateRole
              - iam:DeleteRole
              - iam:GetRole
              - iam:PassRole
              - s3:PutEncryptionConfiguration
              - s3:PutLifecycleConfiguration
              - s3:DeleteBucket*
              - s3:DeleteObject*
              - securityhub:*Findings*
              - sns:AddPermission
              - sns:*Topic
              - sns:*Attributes
              - sns:ListSubscriptionsByTopic
              - sns:Publish
              - sns:TagResource
              - sqs:*Queue
              - sqs:*Message
              - sqs:*Attributes
              - ssm:AddTagsToResource
              - ssm:ListTagsForResource
              - ssm:*Document*
              - ssm:*Parameter*
            Resource:
              - !If [CreateAgentRole, !GetAtt AgentTaskRole.Arn, !Ref AgentTaskRoleArn]
              - !If [CreateAppConfigDocRole, !GetAtt AppConfigAgentConfigurationDocumentRole.Arn, !Ref AppConfigAgentConfigurationDocumentRoleArn]
              - !If [CreateConsoleRole, !GetAtt ConsoleTaskRole.Arn, !Ref ConsoleTaskRoleArn]
              - !If [CreateEc2ContainerRole, !Sub 'arn:${AWS::Partition}:iam::*:role/${Ec2ContainerRolePrefix}${AppConfigAgentApplication}', !Ref Ec2ContainerInstanceProfileArn]
              - !If [CreateEc2ContainerRole, !Sub 'arn:${AWS::Partition}:iam::*:instance-profile/${Ec2ContainerRolePrefix}${AppConfigAgentApplication}', !Ref Ec2ContainerInstanceProfileArn]
              - !If [CreateExecutionRole, !GetAtt ExecutionRole.Arn, !Ref ExecutionRoleArn]
              - !If [CreateUserPoolSnsRole, !GetAtt UserPoolSnsRole.Arn, !Ref UserPoolSnsRoleArn]
              - !Sub 'arn:${AWS::Partition}:appconfig:*:*:application/${AppConfigAgentApplication}/*'
              - !Sub 'arn:${AWS::Partition}:appconfig:*:*:application/${AppConfigAgentApplication}'
              - !Sub 'arn:${AWS::Partition}:appconfig:*:*:deploymentstrategy/${AppConfigAgentDeploymentStrategy}'
              - !Sub 'arn:${AWS::Partition}:cognito-idp:*:*:userpool/${UserPool}'
              - !Sub 'arn:${AWS::Partition}:cloudformation:${AWS::Region}:*:stack/${AWS::StackName}/*'
              - !Sub 'arn:${AWS::Partition}:cloudwatch:*:*:alarm:*${AppConfigAgentApplication}'
              - !Sub 'arn:${AWS::Partition}:cloudwatch:*:*:alarm:TargetTracking-service/*${AppConfigAgentApplication}/*'
              - !Sub 'arn:${AWS::Partition}:dynamodb:${AWS::Region}:*:table/${DynamoTableNamePrefixParameter.Value}*'
              - !Sub 'arn:${AWS::Partition}:ecs:*:*:service/*${AppConfigAgentApplication}/*'
              - !Sub 'arn:${AWS::Partition}:ecs:*:*:cluster/*${AppConfigAgentApplication}'
              - !Sub 'arn:${AWS::Partition}:ecs:*:*:task/*${AppConfigAgentApplication}/*'
              - !Sub 'arn:${AWS::Partition}:events:*:*:*/*${AppConfigAgentApplication}'
              - !Sub 'arn:${AWS::Partition}:iam::*:role/aws-service-role/ecs.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_ECSService'
              - !Sub 'arn:${AWS::Partition}:s3:::*${AppConfigAgentApplication}-*'
              - !Sub 'arn:${AWS::Partition}:s3:::*${AppConfigAgentApplication}-*/*'
              - !Sub 'arn:${AWS::Partition}:sns:*:*:*${AppConfigAgentApplication}'
              - !Sub 'arn:${AWS::Partition}:sqs:*:*:*${AppConfigAgentApplication}*'
              - !Sub 'arn:${AWS::Partition}:ssm:*:*:parameter/aws/service/ecs/optimized-ami/amazon-linux-2/recommended/image_id'
              - !Sub 'arn:${AWS::Partition}:ssm:*:*:document/*${AppConfigAgentApplication}'
              - !Sub 'arn:${AWS::Partition}:ssm:*:*:parameter/*${AppConfigAgentApplication}/*'
              - !Sub 'arn:${AWS::Partition}:ssm:*:*:parameter/*${AppConfigAgentApplication}'
              - !Sub 'arn:${AWS::Partition}:ecr:${AWS::Region}:${EcrAccountIdParameter.Value}:repository/cloudstoragesecurity/*'
              - !Sub 'arn:${AWS::Partition}:securityhub:${AWS::Region}::product/cloud-storage-security/antivirus-for-amazon-s3'
              - !Sub 'arn:${AWS::Partition}:securityhub:${AWS::Region}:*:product-subscription/cloud-storage-security/antivirus-for-amazon-s3'
              - !Sub 'arn:${AWS::Partition}:securityhub:${AWS::Region}:*:hub/default'
          - Sid: !Sub 'Logs${AppConfigAgentApplication}'
            Effect: Allow
            Action:
              - logs:CreateLogGroup
              - logs:DeleteLogGroup
              - logs:PutRetentionPolicy
            Resource:
              - !Sub 'arn:${AWS::Partition}:logs:*:*:log-group:CloudStorageSecurity.*'
              - !Sub 'arn:${AWS::Partition}:logs:*:*:log-group:CloudStorageSecurity.*:*'
          - Sid: !Sub 'CrossAccount${AppConfigAgentApplication}'
            Effect: Allow
            Action: sts:AssumeRole
            Resource: !Sub 'arn:${AWS::Partition}:iam::*:role/*${AppConfigAgentApplication}'
          - Sid: !Sub 'KmsConsole${AppConfigAgentApplication}'
            Effect: Allow
            Condition:
              StringLike:
                kms:ViaService: !Sub s3.*.${AWS::URLSuffix}
            Action:
              - kms:Decrypt
              - kms:Encrypt
              - kms:GenerateDataKey
            # With BlanketKmsAccess disabled this resolves to an ARN that no real key can have,
            # so the statement stays valid but grants nothing.
            Resource: !If [BlanketKmsAccess, '*', !Sub 'arn:${AWS::Partition}:kms:::key/no-blanket-kms-access']
      Roles:
        - !If [CreateConsoleRole, !Ref ConsoleTaskRole, !Ref ConsoleTaskRoleName]
  ConsoleTaskPolicyApiLb:
    Type: AWS::IAM::Policy
    DependsOn: ConsoleTaskPolicy
    Properties:
      PolicyName: !Sub '${ConsoleTaskPolicyPrefix}${AppConfigAgentApplication}-ApiLb'
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: !Sub 'AllResources${AppConfigAgentApplication}'
            Effect: Allow
            Action:
              - ec2:DescribeAccountAttributes
              - elasticloadbalancing:DescribeListeners
              - elasticloadbalancing:DescribeLoadBalancers
              - elasticloadbalancing:DescribeTargetGroups
            Resource: "*"
          - Sid: !Sub 'RestrictedResources${AppConfigAgentApplication}'
            Effect: Allow
            Action:
              - elasticloadbalancing:Create*
              - elasticloadbalancing:Delete*
              - elasticloadbalancing:Modify*
              - elasticloadbalancing:SetSubnets
              - iam:CreateServiceLinkedRole
            Resource:
              - !Sub 'arn:${AWS::Partition}:elasticloadbalancing:*:*:listener/*/*${AppConfigAgentApplication}/*'
              - !Sub 'arn:${AWS::Partition}:elasticloadbalancing:*:*:loadbalancer/*/*${AppConfigAgentApplication}/*'
              - !Sub 'arn:${AWS::Partition}:elasticloadbalancing:*:*:targetgroup/*${AppConfigAgentApplication}/*'
              - !Sub 'arn:${AWS::Partition}:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing'
      Roles:
        - !If [CreateConsoleRole, !Ref ConsoleTaskRole, !Ref ConsoleTaskRoleName]
  ConsoleTaskPolicyAwsLicensing:
    Type: AWS::IAM::Policy
    DependsOn: ConsoleTaskPolicy
    Properties:
      PolicyName: !Sub '${ConsoleTaskPolicyPrefix}${AppConfigAgentApplication}-AwsLicensing'
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: !Sub 'AllResources${AppConfigAgentApplication}'
            Effect: Allow
            Action:
              - license-manager:CheckoutLicense
              - license-manager:ListReceivedLicenses
            Resource: "*"
      Roles:
        - !If [CreateConsoleRole, !Ref ConsoleTaskRole, !Ref ConsoleTaskRoleName]
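The ConsoleTaskPolicy above (and the agent policy's matching `Kms` statement further down) relies on three scoping tricks that are easy to misread in a wall of YAML: the `kms:ViaService` condition, the `no-blanket-kms-access` placeholder ARN, and partial-wildcard action names such as `ec2:*SecurityGroup`. The script below is an added example, not part of the CloudStorageSec template or product: a deliberately small IAM-style evaluator run over a hand-reduced subset of those statements. The partition, account ID, user pool ID and the role-name prefixes (`AgentTaskRole-`, `ConsoleTaskRole-`) are constructed assumptions standing in for the template's parameters and intrinsics, and the evaluator models only Allow statements with `*`/`?` wildcards and `StringLike` conditions, not AWS's full policy engine.

```python
"""Added example, not part of the CloudStorageSec template: a deliberately small
IAM-style evaluator for sanity-checking how the ConsoleTaskPolicy statements scope
their grants. It models Allow statements, '*'/'?' wildcards in actions, resources
and condition values, and the StringLike operator. It is not AWS's policy engine:
no explicit Deny, NotAction, policy variables or resource-based policies."""
from fnmatch import fnmatchcase

# Constructed stand-ins for CloudFormation intrinsics (assumptions, not template values).
PARTITION = "aws"
ACCOUNT = "111122223333"
USER_POOL_ID = "us-east-1_ExAmPlE"


def console_policy(app, blanket_kms):
    """A representative subset of the ConsoleTaskPolicy statements, with
    ${AppConfigAgentApplication} substituted and the BlanketKmsAccess !If resolved."""
    role = f"arn:{PARTITION}:iam::{ACCOUNT}:role"
    return [
        {"Sid": f"AllResources{app}", "Effect": "Allow",
         "Action": ["ec2:DescribeSecurityGroups", "ec2:DeleteVolume", "ecs:*TaskDefinition*"],
         "Resource": "*"},
        {"Sid": f"AllResourcesInService{app}", "Effect": "Allow",
         "Action": ["ec2:AuthorizeSecurityGroupIngress", "ec2:*SecurityGroup",
                    "ec2:RevokeSecurityGroupIngress", "s3:GetObject*", "s3:PutObject*"],
         "Resource": [f"arn:{PARTITION}:ec2:*:*:*", f"arn:{PARTITION}:s3:::*"]},
        {"Sid": f"RestrictedResources{app}", "Effect": "Allow",
         "Action": ["cognito-idp:*", "iam:PassRole", "iam:CreateRole"],
         "Resource": [f"{role}/AgentTaskRole-{app}",    # assumed AgentTaskRolePrefix
                      f"{role}/ConsoleTaskRole-{app}",  # assumed ConsoleTaskRolePrefix
                      f"arn:{PARTITION}:cognito-idp:*:*:userpool/{USER_POOL_ID}"]},
        {"Sid": f"KmsConsole{app}", "Effect": "Allow",
         "Action": ["kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey"],
         # Non-blanket branch: a syntactically valid ARN that no real key can have.
         "Resource": "*" if blanket_kms else f"arn:{PARTITION}:kms:::key/no-blanket-kms-access",
         "Condition": {"StringLike": {"kms:ViaService": "s3.*.amazonaws.com"}}},
    ]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource, context=None):
    """Return the Sid of the first Allow statement matching the request, else None.
    Action names match case-insensitively, as in IAM; a StringLike condition whose
    key is absent from the request context does not match."""
    context = context or {}
    for st in policy:
        if st.get("Effect") != "Allow":
            continue
        if not any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(st["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        string_like = st.get("Condition", {}).get("StringLike", {})
        if not all(key in context and any(fnmatchcase(context[key], v) for v in _as_list(vals))
                   for key, vals in string_like.items()):
            continue
        return st["Sid"]
    return None


def audit_console_policy(app="abc123"):
    """Probe both BlanketKmsAccess settings with constructed requests and report
    which statement (if any) grants each one."""
    key = f"arn:{PARTITION}:kms:us-east-1:{ACCOUNT}:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    sg = f"arn:{PARTITION}:ec2:us-east-1:{ACCOUNT}:security-group/sg-0123456789abcdef0"
    via_s3 = {"kms:ViaService": "s3.us-east-1.amazonaws.com"}
    no_blanket, blanket = console_policy(app, False), console_policy(app, True)
    return {
        "kms:Decrypt via S3, BlanketKmsAccess=No": is_allowed(no_blanket, "kms:Decrypt", key, via_s3),
        "kms:Decrypt via S3, BlanketKmsAccess=Yes": is_allowed(blanket, "kms:Decrypt", key, via_s3),
        "kms:Decrypt called directly, BlanketKmsAccess=Yes": is_allowed(blanket, "kms:Decrypt", key),
        "ec2:CreateSecurityGroup": is_allowed(blanket, "ec2:CreateSecurityGroup", sg),
        "ec2:AuthorizeSecurityGroupEgress": is_allowed(blanket, "ec2:AuthorizeSecurityGroupEgress", sg),
        "iam:PassRole on the agent role": is_allowed(
            blanket, "iam:PassRole", f"arn:{PARTITION}:iam::{ACCOUNT}:role/AgentTaskRole-{app}"),
        "iam:PassRole on an unrelated role": is_allowed(
            blanket, "iam:PassRole", f"arn:{PARTITION}:iam::{ACCOUNT}:role/OrgAdmin"),
    }


if __name__ == "__main__":
    for request, sid in audit_console_policy().items():
        print(f"{request:52} -> {sid or 'implicit deny'}")
```

Three results are worth checking against the template: with `BlanketKmsAccess` off the KMS statement matches nothing, so the console can only use keys that grant it access some other way; with it on, a direct `kms:Decrypt` call is still denied because the request carries no `kms:ViaService` key; and `ec2:*SecurityGroup` covers `Create`/`DeleteSecurityGroup` but not `AuthorizeSecurityGroupEgress`, which is why only the `Ingress` actions are listed separately.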
  CloudTrailLakePolicy:
    Type: AWS::IAM::Policy
    DependsOn: ConsoleTaskPolicy
    Properties:
      PolicyName: !Sub '${ConsoleTaskPolicyPrefix}${AppConfigAgentApplication}-CloudTrailLake'
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: CloudTrail
            Effect: Allow
            Action:
              - cloudtrail:*DataStore*
              - cloudtrail:*Quer*
              - cloudtrail:*Channel*
              - cloudtrail-data:*Audit*
              - iam:ListRoles
              - iam:GetRolePolicy
              - iam:GetUser
            Resource: "*"
          - Sid: PassRole
            Effect: Allow
            Action:
              - iam:PassRole
            Resource: "*"
            Condition:
              StringEquals:
                iam:PassedToService: cloudtrail.amazonaws.com
      Roles:
        - !If [CreateConsoleRole, !Ref ConsoleTaskRole, !Ref ConsoleTaskRoleName]
  AgentTaskRole:
    Type: AWS::IAM::Role
    Condition: CreateAgentRole
    Properties:
      RoleName: !Sub '${AgentTaskRolePrefix}${AppConfigAgentApplication}'
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
              AWS: !If [CreateConsoleRole, !GetAtt ConsoleTaskRole.Arn, !Ref ConsoleTaskRoleArn]
            Action: 'sts:AssumeRole'
  AgentTaskPolicy:
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: !Sub '${AgentTaskPolicyPrefix}${AppConfigAgentApplication}'
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: !Sub 'AllResources${AppConfigAgentApplication}'
            Effect: Allow
            Action:
              - aws-marketplace:MeterUsage
              - ec2:DescribeVpcs
              - workdocs:*Document*
              - workdocs:*Labels
              - workdocs:*Metadata
            Resource: "*"
          - Sid: !Sub 'AllResourcesInService${AppConfigAgentApplication}'
            Effect: Allow
            Action:
              - appconfig:ListApplications
              - appconfig:ListDeploymentStrategies
              - s3:DeleteObject
              - s3:DeleteObjectVersion
              - s3:GetBucketAcl
              - s3:GetBucketLocation
              - s3:GetObject*
              - s3:GetEncryptionConfiguration
              - s3:ListBucket
              - s3:PutObject*
              - s3:PutEncryptionConfiguration
              - ssm:ListDocuments
            Resource:
              - !Sub 'arn:${AWS::Partition}:s3:::*'
              - !Sub 'arn:${AWS::Partition}:appconfig:*:*:*'
              - !Sub 'arn:${AWS::Partition}:ssm:*:*:*'
          - Sid: !Sub 'RestrictedResources${AppConfigAgentApplication}'
            Effect: Allow
            Action:
              - appconfig:GetApplication
              - appconfig:GetConfiguration*
              - appconfig:GetDeploymentStrategy
              - appconfig:GetEnvironment
              - appconfig:ListConfigurationProfiles
              - appconfig:ListDeployments
              - appconfig:ListEnvironments
              - cognito-idp:*
              - dynamodb:DeleteItem
              - dynamodb:DescribeTable
              - dynamodb:GetItem
              - dynamodb:PutItem
              - dynamodb:BatchWriteItem
              - dynamodb:Query
              - dynamodb:Scan
              - dynamodb:UpdateItem
              - logs:CreateLogStream
              - logs:DescribeLogGroups
              - logs:PutLogEvents
              - securityhub:BatchImportFindings
              - sns:ConfirmSubscription
              - sns:Publish
              - sqs:*Message
              - sqs:GetQueueAttributes
              - ssm:GetDocument
              - ssm:GetParameters
              - ssm:GetParametersByPath
            Resource:
              - !Sub 'arn:${AWS::Partition}:appconfig:*:*:application/${AppConfigAgentApplication}/configurationprofile/*'
              - !Sub 'arn:${AWS::Partition}:appconfig:*:*:application/${AppConfigAgentApplication}/environment/${AppConfigAgentEnvironment}'
              - !Sub 'arn:${AWS::Partition}:appconfig:*:*:application/${AppConfigAgentApplication}'
              - !Sub 'arn:${AWS::Partition}:appconfig:*:*:deploymentstrategy/${AppConfigAgentDeploymentStrategy}'
              - !Sub 'arn:${AWS::Partition}:cognito-idp:*:*:userpool/${UserPool}'
              - !Sub 'arn:${AWS::Partition}:dynamodb:${AWS::Region}:*:table/${DynamoTableNamePrefixParameter.Value}*'
              - !Sub 'arn:${AWS::Partition}:logs:*:*:*'
              - !Sub 'arn:${AWS::Partition}:securityhub:${AWS::Region}::product/cloud-storage-security/antivirus-for-amazon-s3'
              - !Sub 'arn:${AWS::Partition}:sns:*:*:awsworkdocs*'
              - !Sub 'arn:${AWS::Partition}:sns:*:*:*${AppConfigAgentApplication}'
              - !Sub 'arn:${AWS::Partition}:sqs:*:*:*${AppConfigAgentApplication}*'
              - !Sub 'arn:${AWS::Partition}:ssm:*:*:document/*${AppConfigAgentApplication}'
              - !Sub 'arn:${AWS::Partition}:ssm:*:*:parameter/*${AppConfigAgentApplication}/*'
              - !Sub 'arn:${AWS::Partition}:ssm:*:*:parameter/*${AppConfigAgentApplication}'
          - Sid: !Sub 'Logs${AppConfigAgentApplication}'
            Effect: Allow
            Action: logs:CreateLogGroup
            Resource: !Sub 'arn:${AWS::Partition}:logs:*:*:*'
          - Sid: !Sub 'CrossAccount${AppConfigAgentApplication}'
            Effect: Allow
            Action: sts:AssumeRole
            Resource:
              - !Sub 'arn:${AWS::Partition}:iam::*:role/*${AppConfigAgentApplication}'
          - Sid: !Sub 'Kms${AppConfigAgentApplication}'
            Effect: Allow
            Condition:
              StringLike:
                kms:ViaService: !Sub s3.*.${AWS::URLSuffix}
            Action:
              - kms:Decrypt
              - kms:Encrypt
              - kms:GenerateDataKey
            Resource: !If [BlanketKmsAccess, '*', !Sub 'arn:${AWS::Partition}:kms:::key/no-blanket-kms-access']
      Roles:
        - !If [CreateAgentRole, !Ref AgentTaskRole, !Ref AgentTaskRoleName]
  ExecutionRole:
    Type: AWS::IAM::Role
    Condition: CreateExecutionRole
    Properties:
      RoleName: !Sub '${ExecutionRolePrefix}${AppConfigAgentApplication}'
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
            Action: 'sts:AssumeRole'
      ManagedPolicyArns:
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy'
  Ec2ContainerRole:
    Type: AWS::IAM::Role
    DependsOn: ConsoleTaskPolicy
    Condition: CreateEc2ContainerRole
    Properties:
      RoleName: !Sub '${Ec2ContainerRolePrefix}${AppConfigAgentApplication}'
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: 'sts:AssumeRole'
      ManagedPolicyArns:
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role'
  Ec2ContainerPolicy:
    Type: 'AWS::IAM::Policy'
    DependsOn: ConsoleTaskPolicy
    Properties:
      PolicyName: !Sub '${Ec2ContainerPolicyPrefix}${AppConfigAgentApplication}'
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AllResources
            Effect: Allow
            Action:
              - ec2:AttachVolume
              - ec2:CopySnapshot
              - ec2:CreateSnapshot
              - ec2:CreateTags
              - ec2:CreateVolume
              - ec2:DeleteSnapshot
              - ec2:DeleteVolume
              - ec2:DescribeAvailabilityZones
              - ec2:DescribeInstances
              - ec2:DescribeSnapshotAttribute
              - ec2:DescribeSnapshots
              - ec2:DescribeTags
              - ec2:DescribeVolumeAttribute
              - ec2:DescribeVolumes
              - ec2:DescribeVolumeStatus
              - ec2:DetachVolume
              - ec2:ModifySnapshotAttribute
              - ec2:ModifyVolumeAttribute
            Resource: '*'
      Roles:
        - !If
          [CreateEc2ContainerRole, !Ref Ec2ContainerRole, !Ref Ec2ContainerInstanceRoleName]
  Ec2ContainerInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    DependsOn: ConsoleTaskPolicy
    Condition: CreateEc2ContainerRole
    Properties:
      InstanceProfileName: !Sub '${Ec2ContainerRolePrefix}${AppConfigAgentApplication}'
      Roles:
        - !Ref Ec2ContainerRole
  ContainerSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Condition: CreateConsoleSecurityGroupNoLB
    DependsOn: ConsoleTaskPolicy
    Properties:
      GroupDescription: !Sub '${ConsoleSecurityGroupPrefix}${AppConfigAgentApplication}'
      VpcId: !Ref VPC
      # Without a load balancer the Console task itself is reachable on 80/443 from ConsoleSecurityGroupCidrBlock.
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: !Ref ConsoleSecurityGroupCidrBlock
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: !Ref ConsoleSecurityGroupCidrBlock
      Tags:
        - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]]
          Value: 'SecurityGroup'
  ExistingConsoleSecurityGroupIngressPort80:
    Type: 'AWS::EC2::SecurityGroupIngress'
    Condition: UseExistingConsoleSecurityGroup
    Properties:
      GroupId: !Ref ConsoleSecurityGroup
      IpProtocol: tcp
      FromPort: 80
      ToPort: 80
      CidrIp: !Ref ConsoleSecurityGroupCidrBlock
  ExistingConsoleSecurityGroupIngressPort443:
    Type: 'AWS::EC2::SecurityGroupIngress'
    Condition: UseExistingConsoleSecurityGroup
    Properties:
      GroupId: !Ref ConsoleSecurityGroup
      IpProtocol: tcp
      FromPort: 443
      ToPort: 443
      CidrIp: !Ref ConsoleSecurityGroupCidrBlock
  ContainerSecurityGroupWithLB:
    Type: AWS::EC2::SecurityGroup
    Condition: CreateContainerSecurityGroupLB
    DependsOn: ConsoleTaskPolicy
    Properties:
      GroupDescription: !Sub '${ConsoleSecurityGroupPrefix}${AppConfigAgentApplication}'
      VpcId: !Ref VPC
      # Behind a load balancer only the load balancer's security group may reach the task.
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          SourceSecurityGroupId: !If [CreateConsoleSecurityGroupLB, !Ref LoadBalancerSecurityGroup, !Ref ConsoleSecurityGroup]
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          SourceSecurityGroupId: !If [CreateConsoleSecurityGroupLB, !Ref LoadBalancerSecurityGroup, !Ref ConsoleSecurityGroup]
      Tags:
        - Key: !Join ['-',
            [CloudStorageSec, !Ref AppConfigAgentApplication]]
          Value: 'SecurityGroup'
  ExistingContainerSecurityGroupIngressPort80:
    Type: 'AWS::EC2::SecurityGroupIngress'
    Condition: UseExistingContainerSecurityGroupLB
    Properties:
      GroupId: !Ref ContainerSecurityGroupLB
      IpProtocol: tcp
      FromPort: 80
      ToPort: 80
      SourceSecurityGroupId: !If [CreateConsoleSecurityGroupLB, !Ref LoadBalancerSecurityGroup, !Ref ConsoleSecurityGroup]
  ExistingContainerSecurityGroupIngressPort443:
    Type: 'AWS::EC2::SecurityGroupIngress'
    Condition: UseExistingContainerSecurityGroupLB
    Properties:
      GroupId: !Ref ContainerSecurityGroupLB
      IpProtocol: tcp
      FromPort: 443
      ToPort: 443
      SourceSecurityGroupId: !If [CreateConsoleSecurityGroupLB, !Ref LoadBalancerSecurityGroup, !Ref ConsoleSecurityGroup]
  LoadBalancerSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Condition: CreateConsoleSecurityGroupLB
    DependsOn: ConsoleTaskPolicy
    Properties:
      GroupDescription: !Sub '${LoadBalancerGroupPrefix}${AppConfigAgentApplication}'
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: !Ref ConsoleSecurityGroupCidrBlock
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: !Ref ConsoleSecurityGroupCidrBlock
      Tags:
        - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]]
          Value: 'SecurityGroup'
  CloudwatchLogsGroup:
    Type: 'AWS::Logs::LogGroup'
    DependsOn: ConsoleTaskPolicy
    Properties:
      LogGroupName: !Sub 'CloudStorageSecurity.ECS.${AppConfigAgentApplication}.Console'
      RetentionInDays: 7
  Cluster:
    Type: AWS::ECS::Cluster
    DependsOn: ConsoleTaskPolicy
    Properties:
      ClusterName: !Sub '${ClusterPrefix}${AppConfigAgentApplication}'
      Tags:
        - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]]
          Value: 'ConsoleCluster'
  Service:
    Type: AWS::ECS::Service
    Condition: DontUseLB
    Properties:
      ServiceName: !Sub '${ServicePrefix}${AppConfigAgentApplication}'
      Cluster: !Ref Cluster
      TaskDefinition: !Ref TaskDefinition
      DeploymentConfiguration:
        MinimumHealthyPercent: 100
        MaximumPercent: 200
      DesiredCount: 1
      LaunchType: FARGATE
      PlatformVersion: 1.4.0
      NetworkConfiguration:
        AwsvpcConfiguration:
          AssignPublicIp: !Ref ConsoleAutoAssignPublicIp
          Subnets:
            - !Ref SubnetA
            - !Ref SubnetB
          SecurityGroups:
            - !If [CreateConsoleSecurityGroupNoLB, !Ref ContainerSecurityGroup, !Ref ConsoleSecurityGroup]
      Tags:
        - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]]
          Value: 'ConsoleService'
  ServiceWithLB:
    Type: AWS::ECS::Service
    Condition: UseLB
    DependsOn:
      - Listener
      - ConsoleTaskPolicyApiLb
    Properties:
      ServiceName: !Sub '${ServicePrefix}LB-${AppConfigAgentApplication}'
      Cluster: !Ref Cluster
      TaskDefinition: !Ref TaskDefinition
      DeploymentConfiguration:
        MinimumHealthyPercent: 100
        MaximumPercent: 200
      DesiredCount: 1
      LaunchType: FARGATE
      PlatformVersion: 1.4.0
      NetworkConfiguration:
        AwsvpcConfiguration:
          AssignPublicIp: !Ref ConsoleAutoAssignPublicIp
          Subnets:
            - !Ref SubnetA
            - !Ref SubnetB
          SecurityGroups:
            - !If [CreateContainerSecurityGroupLB, !Ref ContainerSecurityGroupWithLB, !Ref ContainerSecurityGroupLB]
      LoadBalancers:
        - ContainerName: !Sub '${TaskDefinitionPrefix}${AppConfigAgentApplication}'
          ContainerPort: 443
          TargetGroupArn: !Ref TargetGroup
      Tags:
        - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]]
          Value: 'ConsoleService'
  TaskDefinition:
    Type: AWS::ECS::TaskDefinition
    DependsOn: ConsoleTaskPolicy
    Properties:
      Family: !Sub '${TaskDefinitionPrefix}${AppConfigAgentApplication}'
      NetworkMode: awsvpc
      RequiresCompatibilities:
        - FARGATE
      Cpu: !FindInMap [vCPUvalues, !Ref ConsoleCpu, size]
      Memory: !FindInMap [MemValues, !Ref ConsoleMemory, size]
      ExecutionRoleArn: !If [CreateExecutionRole, !GetAtt ExecutionRole.Arn, !Ref ExecutionRoleArn]
      TaskRoleArn: !If [CreateConsoleRole, !GetAtt ConsoleTaskRole.Arn, !Ref ConsoleTaskRoleArn]
      ContainerDefinitions:
        - Name: !Sub '${TaskDefinitionPrefix}${AppConfigAgentApplication}'
          Image: !Sub ${EcrAccountIdParameter.Value}.dkr.ecr.${AWS::Region}.amazonaws.com/cloudstoragesecurity/console:v6.05.002
          Cpu: !FindInMap [vCPUvalues, !Ref
            ConsoleCpu, size]
          MemoryReservation: !FindInMap [MemValues, !Ref ConsoleMemory, size]
          Environment:
            - Name: AGENT_TASK_DEFINITION_ROLE_ARN
              Value: !If [CreateAgentRole, !GetAtt AgentTaskRole.Arn, !Ref AgentTaskRoleArn]
            - Name: APP_CONFIG_AGENT_APPLICATION_ID
              Value: !Ref AppConfigAgentApplication
            - Name: APP_CONFIG_AGENT_CONFIGURATION_PROFILE_ROLE_ARN
              Value: !If [CreateAppConfigDocRole, !GetAtt AppConfigAgentConfigurationDocumentRole.Arn, !Ref AppConfigAgentConfigurationDocumentRoleArn]
            - Name: APP_CONFIG_AGENT_DEPLOYMENT_STRATEGY_ID
              Value: !Ref AppConfigAgentDeploymentStrategy
            - Name: APP_CONFIG_AGENT_ENVIRONMENT_ID
              Value: !Ref AppConfigAgentEnvironment
            - Name: EXECUTION_ROLE_ARN
              Value: !If [CreateExecutionRole, !GetAtt ExecutionRole.Arn, !Ref ExecutionRoleArn]
            - Name: EC2_CONTAINER_ROLE_ARN
              Value: !If [CreateEc2ContainerRole, !GetAtt Ec2ContainerInstanceProfile.Arn, !Ref Ec2ContainerInstanceProfileArn]
            - Name: CONSOLE_VPC
              Value: !Ref VPC
            - Name: CONSOLE_SUBNET
              Value: !Join [',', [!Ref SubnetA, !Ref SubnetB]]
            - Name: PARAMETER_STORE_NAME_PREFIX
              Value: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}'
            - Name: CONSOLE_SECURITY_GROUP_ID
              Value: !If [CreateConsoleSecurityGroup, !If [UseLB, !GetAtt LoadBalancerSecurityGroup.GroupId, !GetAtt ContainerSecurityGroup.GroupId], !Ref ConsoleSecurityGroup]
            - Name: AGENT_AUTO_ASSIGN_PUBLIC_IP
              Value: !Ref AgentAutoAssignPublicIp
            - Name: BYOL_MODE
              Value: False
            - Name: BLANKET_KMS_ACCESS
              Value: !If [BlanketKmsAccess, True, False]
            - Name: HAS_LOAD_BALANCER
              Value: !If [UseLB, True, False]
            - Name: INFO_OPT_OUT
              Value: !FindInMap [yesNoToBool, !Ref InfoOptOut, value]
            - Name: QUARANTINE_BUCKET_NAME_PREFIX
              Value: !Sub '${QuarantineBucketNamePrefix}${AppConfigAgentApplication}'
            - Name: DYNAMO_DB_TABLE_NAME_PREFIX
              Value: !GetAtt DynamoTableNamePrefixParameter.Value
            - Name: CLUSTER_NAME
              Value: !Sub '${ClusterPrefix}${AppConfigAgentApplication}'
            - Name: NOTIFICATIONS_TOPIC_NAME
              Value: !Sub
                '${NotificationsTopicPrefix}${AppConfigAgentApplication}'
            - Name: APP_CONFIG_DOCUMENT_NAME
              Value: !Ref AppConfigDocument
            - Name: APP_CONFIG_DOCUMENT_SCHEMA_NAME
              Value: !Ref AppConfigDocumentSchema
            - Name: APP_CONFIG_PROFILE_ID
              Value: !Ref AppConfigProfile
            - Name: EVENT_BASED_SCAN_TOPIC_NAME
              Value: !Sub '${EventBasedScanTopicPrefix}${AppConfigAgentApplication}'
            - Name: EVENT_BASED_SCAN_QUEUE_NAME
              Value: !Sub '${EventBasedScanQueuePrefix}${AppConfigAgentApplication}'
            - Name: DC_EVENT_BASED_SCAN_QUEUE_NAME
              Value: !Sub '${DcEventBasedScanQueuePrefix}${AppConfigAgentApplication}'
            - Name: RETRO_SCAN_QUEUE_NAME
              Value: !Sub '${RetroScanQueuePrefix}${AppConfigAgentApplication}'
            - Name: CONSOLE_TASK_NAME
              Value: !Sub '${TaskDefinitionPrefix}${AppConfigAgentApplication}'
            - Name: CONSOLE_SERVICE_NAME
              Value: !If [UseLB, !Sub '${ServicePrefix}LB-${AppConfigAgentApplication}', !Sub '${ServicePrefix}${AppConfigAgentApplication}']
            - Name: CONSOLE_ROLE_ARN
              Value: !If [CreateConsoleRole, !GetAtt ConsoleTaskRole.Arn, !Ref ConsoleTaskRoleArn]
            - Name: EVENT_AGENT_TASK_NAME
              Value: !Sub '${EventAgentTaskPrefix}${AppConfigAgentApplication}'
            - Name: DC_EVENT_AGENT_TASK_NAME
              Value: !Sub '${DcEventAgentTaskPrefix}${AppConfigAgentApplication}'
            - Name: EVENT_AGENT_SERVICE_NAME
              Value: !Sub '${EventAgentServicePrefix}${AppConfigAgentApplication}'
            - Name: DC_EVENT_AGENT_SERVICE_NAME
              Value: !Sub '${DcEventAgentServicePrefix}${AppConfigAgentApplication}'
            - Name: LARGE_FILE_AGENT_TASK_NAME
              Value: !Sub '${LargeFileAgentTaskPrefix}${AppConfigAgentApplication}'
            - Name: API_AGENT_TASK_NAME
              Value: !Sub '${ApiAgentTaskPrefix}${AppConfigAgentApplication}'
            - Name: API_AGENT_SERVICE_NAME
              Value: !Sub '${ApiAgentServicePrefix}${AppConfigAgentApplication}'
            - Name: API_LB_NAME
              Value: !Sub '${ApiLoadBalancerPrefix}${AppConfigAgentApplication}'
            - Name: API_LB_TG_NAME
              Value: !Sub '${ApiTargetGroupPrefix}${AppConfigAgentApplication}'
            - Name: RETRO_AGENT_TASK_NAME
              Value: !Sub
                '${RetroAgentTaskPrefix}${AppConfigAgentApplication}'
            - Name: RETRO_AGENT_SERVICE_NAME
              Value: !Sub '${RetroAgentServicePrefix}${AppConfigAgentApplication}'
            - Name: LARGE_EVENT_QUEUE_ALARM_NAME
              Value: !Sub '${LargeEventQueueAlarmPrefix}${AppConfigAgentApplication}'
            - Name: SMALL_EVENT_QUEUE_ALARM_NAME
              Value: !Sub '${SmallEventQueueAlarmPrefix}${AppConfigAgentApplication}'
            - Name: DECREASE_AGENTS_SCALING_POLICY_NAME
              Value: !Sub '${DecreaseAgentsScalingPolicyPrefix}${AppConfigAgentApplication}'
            - Name: INCREASE_AGENTS_SCALING_POLICY_NAME
              Value: !Sub '${IncreaseAgentsScalingPolicyPrefix}${AppConfigAgentApplication}'
            - Name: LARGE_DC_EVENT_QUEUE_ALARM_NAME
              Value: !Sub '${LargeDcEventQueueAlarmPrefix}${AppConfigAgentApplication}'
            - Name: SMALL_DC_EVENT_QUEUE_ALARM_NAME
              Value: !Sub '${SmallDcEventQueueAlarmPrefix}${AppConfigAgentApplication}'
            - Name: DECREASE_DC_AGENTS_SCALING_POLICY_NAME
              Value: !Sub '${DecreaseDcAgentsScalingPolicyPrefix}${AppConfigAgentApplication}'
            - Name: INCREASE_DC_AGENTS_SCALING_POLICY_NAME
              Value: !Sub '${IncreaseDcAgentsScalingPolicyPrefix}${AppConfigAgentApplication}'
            - Name: API_REQUEST_SCALING_POLICY_NAME
              Value: !Sub '${ApiRequestScalingPolicyPrefix}${AppConfigAgentApplication}'
            - Name: API_CPU_SCALING_POLICY_NAME
              Value: !Sub '${ApiCpuScalingPolicyPrefix}${AppConfigAgentApplication}'
            - Name: RETRO_QUEUE_NOT_EMPTY_ALARM_NAME
              Value: !Sub '${RetroQueueNotEmptyAlarmPrefix}${AppConfigAgentApplication}'
            - Name: RETRO_QUEUE_EMPTY_ALARM_NAME
              Value: !Sub '${RetroQueueEmptyAlarmPrefix}${AppConfigAgentApplication}'
            - Name: REMOVE_RETRO_AGENTS_SCALING_POLICY_NAME
              Value: !Sub '${RemoveRetroAgentsScalingPolicyPrefix}${AppConfigAgentApplication}'
            - Name: SET_RETRO_AGENTS_SCALING_POLICY_NAME
              Value: !Sub '${SetRetroAgentsScalingPolicyPrefix}${AppConfigAgentApplication}'
            - Name: AGENT_SECURITY_GROUP_NAME
              Value: !Sub '${AgentSecurityGroupPrefix}${AppConfigAgentApplication}'
            - Name: CROSS_ACCOUNT_ROLE_NAME
              Value: !Sub
                '${CrossAccountRolePrefix}${AppConfigAgentApplication}'
            - Name: CROSS_ACCOUNT_POLICY_NAME
              Value: !Sub '${CrossAccountPolicyPrefix}${AppConfigAgentApplication}'
            - Name: CROSS_ACCOUNT_EVENT_BRIDGE_ROLE_NAME
              Value: !Sub '${CrossAccountEventBridgeRolePrefix}${AppConfigAgentApplication}'
            - Name: CROSS_ACCOUNT_EVENT_BRIDGE_POLICY_NAME
              Value: !Sub '${CrossAccountEventBridgePolicyPrefix}${AppConfigAgentApplication}'
            - Name: DLP_CCL_DIR
              Value: '/cssdlp'
            - Name: DLP_CCL_FILE_NAME
              Value: 'PredefinedContentControlLists.xml'
            - Name: PROXY_HOST
              Value: !If [UseProxy, !Ref ProxyHost, '']
            - Name: PROXY_PORT
              Value: !If [UseProxy, !Ref ProxyPort, '']
            - Name: PRODUCT_MODE
              Value: !Ref ProductMode
          PortMappings:
            - ContainerPort: 80
            - ContainerPort: 443
          ReadonlyRootFilesystem: yes
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-group: !Ref CloudwatchLogsGroup
              awslogs-region: !Ref AWS::Region
              awslogs-stream-prefix: ecs
      Tags:
        - Key: !Join ['-', [CloudStorageSec, !Ref AppConfigAgentApplication]]
          Value: 'ConsoleTaskDefinition'
  TargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Condition: UseLB
    DependsOn: ConsoleTaskPolicyApiLb
    Properties:
      Name: !Sub '${TargetGroupPrefix}LB-${AppConfigAgentApplication}'
      Port: 443
      Protocol: HTTPS
      HealthCheckProtocol: HTTPS
      HealthCheckPort: 443
      HealthCheckPath: /Account/SignIn
      HealthCheckIntervalSeconds: 300
      HealthCheckTimeoutSeconds: 120
      TargetGroupAttributes:
        - Key: deregistration_delay.timeout_seconds
          Value: 60 # default is 300
      TargetType: ip
      VpcId: !Ref VPC
  Listener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Condition: UseLB
    Properties:
      DefaultActions:
        - TargetGroupArn: !Ref TargetGroup
          Type: forward
      LoadBalancerArn: !Ref LoadBalancer
      Port: 443
      Protocol: HTTPS
      # TLS 1.2 only; ELBSecurityPolicy-TLS13-1-2-2021-06 additionally offers TLS 1.3 to clients that support it.
      SslPolicy: ELBSecurityPolicy-TLS-1-2-2017-01
      Certificates:
        - CertificateArn: !Ref Certificate
  LoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Condition: UseLB
    Properties:
      LoadBalancerAttributes: # this is the default, but is specified here in case it needs to be changed
        -
          Key: idle_timeout.timeout_seconds
          Value: 60
      Name: !Sub '${LoadBalancerPrefix}${AppConfigAgentApplication}'
      # "internal" is also an option
      Scheme: !Ref LBScheme
      SecurityGroups:
        - !If [CreateConsoleSecurityGroupLB, !Ref LoadBalancerSecurityGroup, !Ref ConsoleSecurityGroup]
      Subnets:
        - !If [UseLBSubnetA, !Ref LBSubnetA, !Ref SubnetA]
        - !If [UseLBSubnetB, !Ref LBSubnetB, !Ref SubnetB]
  DynamoTableNamePrefixParameter:
    Type: AWS::SSM::Parameter
    Properties:
      Type: String
      Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/DynamoTableNamePrefix'
      Value: !If [UseDefaultDynamoPrefix, !Sub '${AppConfigAgentApplication}.', !Ref DynamoTableNamePrefix]
  DynamoPointInTimeRecoveryEnabledParameter:
    Type: AWS::SSM::Parameter
    Properties:
      Type: String
      Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/DynamoPointInTimeRecoveryEnabled'
      Value: !FindInMap [yesNoToBool, !Ref DynamoPointInTimeRecoveryEnabled, value]
  AgentEcrImageUrlParameter:
    Type: AWS::SSM::Parameter
    Properties:
      Type: String
      Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/AgentEcrImageUrl'
      # Same registry host as the Console image above; the region segment must not be empty.
      Value: !Sub '${EcrAccountIdParameter.Value}.dkr.ecr.${AWS::Region}.amazonaws.com/cloudstoragesecurity/agent:v6.05.001'
  MaxNumAgentsParameter:
    Type: AWS::SSM::Parameter
    Properties:
      Type: String
      Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/MaxNumAgents'
      Value: !Ref MaxRunningAgents
  MinNumAgentsParameter:
    Type: AWS::SSM::Parameter
    Properties:
      Type: String
      Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/MinNumAgents'
      Value: !Ref MinRunningAgents
  QueueScalingThresholdParameter:
    Type: AWS::SSM::Parameter
    Properties:
      Type: String
      Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/QueueScalingThreshold'
      Value: !Ref NumMessagesInQueueScalingThreshold
  AgentCpuParameter:
    Type: AWS::SSM::Parameter
    Properties:
      Type: String
      Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/AgentCpu'
      Value: !FindInMap [vCPUvalues, !Ref AgentCpu, size]
  AgentMemoryParameter:
    Type: AWS::SSM::Parameter
    Properties:
      Type: String
      Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/AgentMemory'
      Value: !FindInMap [MemValues, !Ref AgentMemory, size]
  AgentDiskSizeParameter:
    Type: AWS::SSM::Parameter
    Properties:
      Type: String
      Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/AgentDiskSize'
      Value: !Ref AgentDiskSize
  EnableLargeFileScanningParameter:
    Type: AWS::SSM::Parameter
    Properties:
      Type: String
      Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/EnableLargeFileScanning'
      Value: !FindInMap [yesNoToBool, !Ref EnableLargeFileScanning, value]
  StorageAssessmentEnabledParameter:
    Type: AWS::SSM::Parameter
    Properties:
      Type: String
      Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/StorageAssessmentEnabled'
      Value: !FindInMap [yesNoToBool, !Ref StorageAssessmentEnabled, value]
  LargeFileDiskSizeParameter:
    Type: AWS::SSM::Parameter
    Properties:
      Type: String
      Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/LargeFileDiskSize'
      Value: !Ref LargeFileDiskSize
  LargeFileEC2TagsParameter:
    Type: AWS::SSM::Parameter
    Properties:
      Type: StringList
      Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/LargeFileEC2Tags'
      Value: !Ref LargeFileEC2Tags
  SubdomainParameter:
    Type: AWS::SSM::Parameter
    Properties:
      Type: String
      Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/Subdomain'
      Value: !Join ['-', [!Ref 'AWS::AccountId', !Ref AppConfigAgentApplication]]
  EmailParameter:
    Type: AWS::SSM::Parameter
    Properties:
      Type: String
      Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/Email'
      Value: !Ref Email
  UserNameParameter:
    Type: AWS::SSM::Parameter
    Properties:
      Type: String
      Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/UserName'
      Value: !Ref UserName
  StackNameParameter:
    Type: AWS::SSM::Parameter
    Properties:
      Type: String
      Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/StackName'
      Value: !Ref
AWS::StackName PrivateMirrorParameter: Type: AWS::SSM::Parameter Properties: Type: String Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/PrivateMirror' Value: '!!none_chosen!!' LastUpgradeNotesSeenParameter: Type: AWS::SSM::Parameter Properties: Type: String Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/LastUpgradeNotesSeen' Value: 'v1.00.000' LastPostUpgradeProcedureParameter: Type: AWS::SSM::Parameter Properties: Type: String Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/LastPostUpgradeProcedure' Value: 'v1.00.000' RegionParameter: Type: AWS::SSM::Parameter Properties: Type: String Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/AWS/Region' Value: !Ref AWS::Region UserPoolClientIdParameter: Type: AWS::SSM::Parameter Properties: Type: String Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/AWS/UserPoolClientId' Value: !Ref UserPoolClient UserPoolClientSecretParameter: Type: AWS::SSM::Parameter Properties: Type: String Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/AWS/UserPoolClientSecret' Value: 'AWS:UserPoolClientSecret' UserPoolIdParameter: Type: AWS::SSM::Parameter Properties: Type: String Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/AWS/UserPoolId' Value: !Ref UserPool OnlyScanWhenQueueThresholdExceededParameter: Type: AWS::SSM::Parameter DependsOn: ConsoleTaskPolicy Properties: Type: String Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/OnlyScanWhenQueueThresholdExceeded' Value: !FindInMap [yesNoToBool, !Ref OnlyScanWhenQueueThresholdExceeded, value] QuarantineInPrimaryAccountParameter: Type: AWS::SSM::Parameter DependsOn: ConsoleTaskPolicy Properties: Type: String Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/QuarantineInPrimaryAccount' Value: !FindInMap [yesNoToBool, !Ref QuarantineInPrimaryAccount, value] SecurityHubEnabledParameter: Type: AWS::SSM::Parameter DependsOn: ConsoleTaskPolicy 
Properties: Type: String Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/SecurityHubEnabled' Value: 'False' AgentScanningEngineParameter: Type: AWS::SSM::Parameter DependsOn: ConsoleTaskPolicy Properties: Type: String Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/AgentScanningEngine' Value: !Ref AgentScanningEngine MultiEngineScanningModeParameter: Type: AWS::SSM::Parameter DependsOn: ConsoleTaskPolicy Properties: Type: String Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/MultiEngineScanningMode' Value: !Ref MultiEngineScanningMode EcrAccountIdParameter: Type: AWS::SSM::Parameter Properties: Type: String Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/EcrAccountId' Value: !If [UseDefaultEcrAccount, !If [IsGovCloud, '822167061992', '564477214187'], !Ref CustomEcrAccount] QuarantineBucketDaysToExpireParameter: Type: AWS::SSM::Parameter Properties: Type: String Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/QuarantineBucketDaysToExpire' Value: !Ref QuarantineBucketDaysToExpire AutoProtectBucketTagKeyParameter: Type: AWS::SSM::Parameter Properties: Type: String Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/AutoProtectBucketTagKey' Value: !If [UseDefaultAutoProtectBucketTagKey, !Sub 'CloudStorageSecAutoProtect-${AppConfigAgentApplication}', !Ref AutoProtectBucketTagKey] CloudTrailLakeEnabledParameter: Type: AWS::SSM::Parameter Properties: Type: String Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/CloudTrailLakeEnabled' Value: !FindInMap [yesNoToBool, !Ref EnableCloudTrailLake, value] CloudTrailLakeEventDataStoreNameParameter: Type: AWS::SSM::Parameter Properties: Type: String Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/CloudTrailLakeEventDataStoreName' Value: !If [UseDefaultCloudTrailLakeEventDataStoreName, !Sub '${CloudTrailLakeEventDataStorePrefix}${AppConfigAgentApplication}', !Ref 
CloudTrailLakeDataStoreName] CloudTrailLakeChannelNameParameter: Type: AWS::SSM::Parameter Properties: Type: String Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/CloudTrailLakeChannelName' Value: !If [UseDefaultCloudTrailLakeChannelName, !Sub '${CloudTrailLakeChannelPrefix}${AppConfigAgentApplication}', !Ref CloudTrailLakeChannelName] CloudTrailLakeChannelArnParameter: Type: AWS::SSM::Parameter Properties: Type: String Name: !Sub '/${ParametersPrefix}${AppConfigAgentApplication}/Config/CloudTrailLakeArn' Value: "unknown" NotificationsTopic: Type: AWS::SNS::Topic DependsOn: ConsoleTaskPolicy Properties: TopicName: !Sub '${NotificationsTopicPrefix}${AppConfigAgentApplication}' NotificationsTopicPolicy: Type: AWS::SNS::TopicPolicy DependsOn: ConsoleTaskPolicy Properties: PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: AWS: - !If [CreateConsoleRole, !GetAtt ConsoleTaskRole.Arn, !Ref ConsoleTaskRoleArn] - !If [CreateAgentRole, !GetAtt AgentTaskRole.Arn, !Ref AgentTaskRoleArn] Action: sns:Publish Resource: !Ref NotificationsTopic Topics: - !Ref NotificationsTopic # This AutoScaling setup is only to cause creation of ECS Autoscaling Role AutoScalingTarget: Type: AWS::ApplicationAutoScaling::ScalableTarget Condition: CreateAutoScalingRoleWithoutLb Properties: MinCapacity: 1 MaxCapacity: 1 ResourceId: !Join ['/', [service, !Ref Cluster, !GetAtt Service.Name]] RoleARN: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/ecs.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_ECSService' ScalableDimension: ecs:service:DesiredCount ServiceNamespace: ecs AutoScalingTargetWithLb: Type: AWS::ApplicationAutoScaling::ScalableTarget Condition: CreateAutoScalingRoleWithLb Properties: MinCapacity: 1 MaxCapacity: 1 ResourceId: !Join ['/', [service, !Ref Cluster, !GetAtt ServiceWithLB.Name]] RoleARN: !Sub 
'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/ecs.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_ECSService' ScalableDimension: ecs:service:DesiredCount ServiceNamespace: ecs DNSRecord: Type: AWS::Route53::RecordSet Condition: UseHostedZoneName Properties: HostedZoneName: !Sub '${HostedZoneName}.' Name: !Sub '${HostedSubdomain}.${HostedZoneName}.' Type: A AliasTarget: DNSName: !GetAtt LoadBalancer.DNSName HostedZoneId: !GetAtt LoadBalancer.CanonicalHostedZoneID DNSRecordByZoneId: Type: AWS::Route53::RecordSet Condition: UseHostedZoneId Properties: HostedZoneId: !Ref HostedZoneId Name: !Sub '${HostedSubdomain}.${HostedZoneName}.' Type: A AliasTarget: DNSName: !GetAtt LoadBalancer.DNSName HostedZoneId: !GetAtt LoadBalancer.CanonicalHostedZoneID Outputs: ConsoleWebAddress: Condition: DontUseLB Description: Public DNS address of Console Web Interface Value: !Sub 'https://${SubdomainParameter.Value}.cloudstoragesecapp.com' LBWebAddress: Condition: UseLB Description: Public DNS address of Console Web Interface Value: !If [UseRoute53, !Sub 'https://${HostedSubdomain}.${HostedZoneName}', !Sub 'https://${LoadBalancer.DNSName}'] UserName: Description: User Name used to log in to console Value: !Ref UserName Password: Description: Temporary password used to log in to console Value: !Sub 'Password was emailed to ${Email}' ProactiveNotificationsTopicArn: Description: ARN for the proactive notifications topic Value: !Ref NotificationsTopic Export: Name: !Sub '${AWS::StackName}-proactive-notifications-sns-topic'