diff --git a/source/cfn/templates/account-import-templates-resolvers.template b/source/cfn/templates/account-import-templates-resolvers.template index e24793f4..b420954f 100644 --- a/source/cfn/templates/account-import-templates-resolvers.template +++ b/source/cfn/templates/account-import-templates-resolvers.template @@ -14,6 +14,18 @@ Parameters: PerspectiveAppSyncApiId: Type: String + AttachPermissionsBoundary: + Description: Attach Permissions Boundary + Type: String + + PermissionsBoundaryName: + Description: Name of optional Permissions Boundary + Type: String + +Conditions: + AttachPermissionsBoundary: + !Equals [!Ref AttachPermissionsBoundary, 'Yes'] + Resources: AccountImportTemplatesApiLambdaFunctionRole: @@ -30,6 +42,8 @@ Resources: Service: - lambda.amazonaws.com Action: sts:AssumeRole + PermissionsBoundary: + !If [AttachPermissionsBoundary, !Ref PermissionsBoundaryName, !Ref "AWS::NoValue"] AccountImportTemplatesApiFunction: Metadata: @@ -77,6 +91,8 @@ Resources: Action: - lambda:InvokeFunction Resource: !GetAtt AccountImportTemplatesApiFunction.Arn + PermissionsBoundary: + !If [AttachPermissionsBoundary, !Ref PermissionsBoundaryName, !Ref "AWS::NoValue"] AccountImportTemplatesApiLambdaDataSource: Type: AWS::AppSync::DataSource diff --git a/source/cfn/templates/appsync-api.template b/source/cfn/templates/appsync-api.template index eabf320e..14d933a4 100644 --- a/source/cfn/templates/appsync-api.template +++ b/source/cfn/templates/appsync-api.template @@ -15,6 +15,18 @@ Parameters: CognitoUserPoolId: Type: String + AttachPermissionsBoundary: + Description: Attach Permissions Boundary + Type: String + + PermissionsBoundaryName: + Description: Name of optional Permissions Boundary + Type: String + +Conditions: + AttachPermissionsBoundary: + !Equals [!Ref AttachPermissionsBoundary, 'Yes'] + Resources: PerspectiveAppSyncLoggingRole: 
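Review bot: The new `PermissionsBoundaryName` parameter is documented as "Name of optional Permissions Boundary", but the value main.template passes into this stack is a full policy ARN (`!Sub "arn:aws:iam::${AWS::AccountId}:policy/${PermissionsBoundaryName}"`), which is also what `PermissionsBoundary` on an IAM role expects; the description should say so, e.g. `Description: ARN of the optional permissions-boundary policy (applied only when AttachPermissionsBoundary is 'Yes')`. The same wording is copied into the Parameters hunk of every nested template in this diff (appsync-api, athena-glue-crawler, buckets, codebuild, cognito, config-aggregator, cost-resolvers, discovery-crawler, draw-io-resolvers, gremlin-resolvers, neptune, opensearch-roles, search-resolvers, settings-resolvers, vpc, webui-settings), so the fix applies to each. The nested `AttachPermissionsBoundary` parameter also carries no `AllowedValues`, and the condition `!Equals [!Ref AttachPermissionsBoundary, 'Yes']` is case-sensitive; main.template does restrict it to 'Yes'/'No', but mirroring that constraint here would keep a direct deployment of a nested stack from silently skipping the boundary on a value like 'yes'.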
@@ -48,6 +60,8 @@ Resources: Action: - logs:PutLogEvents Resource: !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:*' + PermissionsBoundary: + !If [AttachPermissionsBoundary, !Ref PermissionsBoundaryName, !Ref "AWS::NoValue"] PerspectiveAppSyncApi: Type: AWS::AppSync::GraphQLApi @@ -76,4 +90,4 @@ Outputs: AppSyncApiArn: Value: !GetAtt PerspectiveAppSyncApi.Arn AppSyncApiUrl: - Value: !GetAtt PerspectiveAppSyncApi.GraphQLUrl \ No newline at end of file + Value: !GetAtt PerspectiveAppSyncApi.GraphQLUrl diff --git a/source/cfn/templates/athena-glue-crawler.template b/source/cfn/templates/athena-glue-crawler.template index ab06b129..650ae54b 100644 --- a/source/cfn/templates/athena-glue-crawler.template +++ b/source/cfn/templates/athena-glue-crawler.template @@ -17,6 +17,16 @@ Parameters: DeploymentBucketKey: Type: String Description: "The key to the deployment code for Perspective" + AttachPermissionsBoundary: + Description: Attach Permissions Boundary + Type: String + PermissionsBoundaryName: + Description: Name of optional Permissions Boundary + Type: String + +Conditions: + AttachPermissionsBoundary: + !Equals [!Ref AttachPermissionsBoundary, 'Yes'] Resources: AWSCURDatabase: @@ -70,6 +80,8 @@ Resources: - 's3:GetObject' - 's3:PutObject' Resource: !Sub 'arn:${AWS::Partition}:s3:::${CostAndUsageBucket}/${CURCrawlerKey}/*' + PermissionsBoundary: + !If [AttachPermissionsBoundary, !Ref PermissionsBoundaryName, !Ref "AWS::NoValue"] AWSCURCrawlerLambdaExecutor: Metadata: @@ -113,6 +125,8 @@ Resources: Action: - 'glue:StartCrawler' Resource: '*' + PermissionsBoundary: + !If [AttachPermissionsBoundary, !Ref PermissionsBoundaryName, !Ref "AWS::NoValue"] AWSCURCrawler: Type: 'AWS::Glue::Crawler' 
@@ -202,6 +216,8 @@ Resources: Action: - 's3:PutBucketNotification' Resource: !Sub 'arn:${AWS::Partition}:s3:::${CostAndUsageBucket}' + PermissionsBoundary: + !If [AttachPermissionsBoundary, !Ref PermissionsBoundaryName, !Ref "AWS::NoValue"] AWSS3CURNotification: Metadata: diff --git a/source/cfn/templates/buckets.template b/source/cfn/templates/buckets.template index 22ec6f83..4df3c0b8 100644 --- a/source/cfn/templates/buckets.template +++ b/source/cfn/templates/buckets.template @@ -29,10 +29,20 @@ Parameters: S3CleanupBucket: Type: String + AttachPermissionsBoundary: + Description: Attach Permissions Boundary + Type: String + + PermissionsBoundaryName: + Description: Name of optional Permissions Boundary + Type: String + Conditions: CreateConfigBucket: !Equals - Ref: CreateConfigBucket - "true" + AttachPermissionsBoundary: + !Equals [!Ref AttachPermissionsBoundary, 'Yes'] Resources: # The custom resource disables access logging because otherwise logs will be @@ -412,6 +422,8 @@ Resources: - Ref: "AWS::NoValue" Runtime: python3.8 Timeout: 60 + PermissionsBoundary: + !If [AttachPermissionsBoundary, !Ref PermissionsBoundaryName, !Ref "AWS::NoValue"] CleanupAccessLogsBucket: Type: "Custom::S3BucketCleanup" @@ -501,4 +513,4 @@ Outputs: Value: !Ref WebUIBucket WebUIBucketRegionalDomainName: - Value: !GetAtt WebUIBucket.RegionalDomainName \ No newline at end of file + Value: !GetAtt WebUIBucket.RegionalDomainName diff --git a/source/cfn/templates/codebuild.template b/source/cfn/templates/codebuild.template index 7e10ddc0..315b6485 100644 --- a/source/cfn/templates/codebuild.template +++ b/source/cfn/templates/codebuild.template 
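Review bot: In the buckets.template hunk at `@@ -412,6 +422,8 @@`, `PermissionsBoundary` is added to a resource whose `Type` is outside the hunk (only `Runtime: python3.8` and `Timeout: 60` are visible); `PermissionsBoundary` is a property of `AWS::Serverless::Function`, not of `AWS::Lambda::Function`, so please confirm the resource is the SAM type, otherwise the template fails validation. The same check applies to the codebuild.template hunk at `@@ -182,4 +196,6 @@`, the discovery-crawler.template hunk at `@@ -164,6 +176,8 @@` and the webui-settings.template hunk at `@@ -90,6 +102,8 @@`, where the type is likewise not shown; draw-io-resolvers.template's `DrawIoFunction` is visibly `AWS::Serverless::Function` and is fine. If any of these is an `AWS::Lambda::Function`, the boundary belongs on its execution role instead (`PermissionsBoundary: !If [AttachPermissionsBoundary, !Ref PermissionsBoundaryName, !Ref "AWS::NoValue"]` under that `AWS::IAM::Role`), which is the pattern the other hunks already use.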
@@ -32,6 +32,18 @@ Parameters: SolutionVersion: Type: String + AttachPermissionsBoundary: + Description: Attach Permissions Boundary + Type: String + + PermissionsBoundaryName: + Description: Name of optional Permissions Boundary + Type: String + +Conditions: + AttachPermissionsBoundary: + !Equals [!Ref AttachPermissionsBoundary, 'Yes'] + Resources: CodeBuildRole: @@ -91,6 +103,8 @@ Resources: - s3:PutObject Resource: - !Sub "arn:aws:s3:::${WebUIBucket}/*" + PermissionsBoundary: + !If [AttachPermissionsBoundary, !Ref PermissionsBoundaryName, !Ref "AWS::NoValue"] CodeBuildProject: Type: AWS::CodeBuild::Project @@ -182,4 +196,6 @@ Resources: Resource: !GetAtt CodeBuildProject.Arn Runtime: python3.8 ReservedConcurrentExecutions: 1 - Timeout: 900 \ No newline at end of file + Timeout: 900 + PermissionsBoundary: + !If [AttachPermissionsBoundary, !Ref PermissionsBoundaryName, !Ref "AWS::NoValue"] diff --git a/source/cfn/templates/cognito.template b/source/cfn/templates/cognito.template index 0107ca3b..4060d014 100644 --- a/source/cfn/templates/cognito.template +++ b/source/cfn/templates/cognito.template @@ -13,6 +13,18 @@ Parameters: WebUiUrl: Type: String + AttachPermissionsBoundary: + Description: Attach Permissions Boundary + Type: String + + PermissionsBoundaryName: + Description: Name of optional Permissions Boundary + Type: String + +Conditions: + AttachPermissionsBoundary: + !Equals [!Ref AttachPermissionsBoundary, 'Yes'] + Resources: CognitoAuthRole: @@ -70,6 +82,8 @@ Resources: - Action: s3:ListBucket Resource: !Sub "arn:aws:s3:::${AmplifyStorageBucket}" Effect: "Allow" + PermissionsBoundary: + !If [AttachPermissionsBoundary, !Ref PermissionsBoundaryName, !Ref "AWS::NoValue"] IdentityPoolRoleMap: Type: AWS::Cognito::IdentityPoolRoleAttachment @@ -144,4 +158,4 @@ Outputs: UserPoolARN: Value: !GetAtt WDCognitoUserPool.Arn WebClientId: - Value: !Ref UserPoolClient \ No newline at end of file + Value: !Ref UserPoolClient 
diff --git a/source/cfn/templates/config-aggregator.template b/source/cfn/templates/config-aggregator.template index dd286e45..ee98700a 100644 --- a/source/cfn/templates/config-aggregator.template +++ b/source/cfn/templates/config-aggregator.template @@ -10,8 +10,18 @@ Parameters: ConfigBucket: Type: String + AttachPermissionsBoundary: + Description: Attach Permissions Boundary + Type: String + + PermissionsBoundaryName: + Description: Name of optional Permissions Boundary + Type: String + Conditions: SetUpConfig: !Equals [!Ref ExistingConfigInstallation, 'No'] + AttachPermissionsBoundary: + !Equals [!Ref AttachPermissionsBoundary, 'Yes'] Resources: @@ -78,6 +88,8 @@ Resources: Condition: StringEquals: s3:x-amz-acl: bucket-owner-full-control + PermissionsBoundary: + !If [AttachPermissionsBoundary, !Ref PermissionsBoundaryName, !Ref "AWS::NoValue"] Outputs: diff --git a/source/cfn/templates/cost-resolvers.template b/source/cfn/templates/cost-resolvers.template index 5681ec05..9f012ab5 100644 --- a/source/cfn/templates/cost-resolvers.template +++ b/source/cfn/templates/cost-resolvers.template @@ -36,6 +36,18 @@ Parameters: CustomUserAgent: Type: String + AttachPermissionsBoundary: + Description: Attach Permissions Boundary + Type: String + + PermissionsBoundaryName: + Description: Name of optional Permissions Boundary + Type: String + +Conditions: + AttachPermissionsBoundary: + !Equals [!Ref AttachPermissionsBoundary, 'Yes'] + Resources: PerspectiveCostLambdaRole: @@ -111,6 +123,8 @@ Resources: - !Sub arn:aws:glue:${AWS::Region}:${AWS::AccountId}:catalog - !Sub arn:aws:glue:${AWS::Region}:${AWS::AccountId}:database/${AthenaDatabaseName} - !Sub arn:aws:glue:${AWS::Region}:${AWS::AccountId}:table/${AthenaDatabaseName}/${AthenaTableName} + PermissionsBoundary: + !If [AttachPermissionsBoundary, !Ref PermissionsBoundaryName, !Ref "AWS::NoValue"] PerspectiveCostFunction: Metadata: 
@@ -161,6 +175,8 @@ Resources: Action: - lambda:InvokeFunction Resource: !GetAtt PerspectiveCostFunction.Arn + PermissionsBoundary: + !If [AttachPermissionsBoundary, !Ref PermissionsBoundaryName, !Ref "AWS::NoValue"] PerspectiveAppSyncCostLambdaDataSource: Type: AWS::AppSync::DataSource diff --git a/source/cfn/templates/discovery-crawler.template b/source/cfn/templates/discovery-crawler.template index acde0b22..202df692 100644 --- a/source/cfn/templates/discovery-crawler.template +++ b/source/cfn/templates/discovery-crawler.template @@ -91,6 +91,18 @@ Parameters: Type: String Default: 'AwsSolution/SO0075/1.1.0' + AttachPermissionsBoundary: + Description: Attach Permissions Boundary + Type: String + + PermissionsBoundaryName: + Description: Name of optional Permissions Boundary + Type: String + +Conditions: + AttachPermissionsBoundary: + !Equals [!Ref AttachPermissionsBoundary, 'Yes'] + Resources: PerspectiveContainerRepo: Type: AWS::ECR::Repository @@ -164,6 +176,8 @@ Resources: Environment: Variables: CustomUserAgent: !Ref CustomUserAgent + PermissionsBoundary: + !If [AttachPermissionsBoundary, !Ref PermissionsBoundaryName, !Ref "AWS::NoValue"] CleanupECRRepository: Type: Custom::Setup @@ -197,6 +211,8 @@ Resources: ManagedPolicyArns: - arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceEventsRole - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy + PermissionsBoundary: + !If [AttachPermissionsBoundary, !Ref PermissionsBoundaryName, !Ref "AWS::NoValue"] PerspectiveDiscoveryTaskRole: Type: AWS::IAM::Role @@ -260,6 +276,8 @@ Resources: Action: - appsync:GraphQL Resource: !Sub ${AppSyncArn}/* + PermissionsBoundary: + !If [AttachPermissionsBoundary, !Ref PermissionsBoundaryName, !Ref "AWS::NoValue"] TaskDefinition: Type: AWS::ECS::TaskDefinition diff --git a/source/cfn/templates/draw-io-resolvers.template b/source/cfn/templates/draw-io-resolvers.template index e51e2ed6..1cf7e12e 100644 
--- a/source/cfn/templates/draw-io-resolvers.template +++ b/source/cfn/templates/draw-io-resolvers.template @@ -14,6 +14,18 @@ Parameters: PerspectiveAppSyncApiId: Type: String + AttachPermissionsBoundary: + Description: Attach Permissions Boundary + Type: String + + PermissionsBoundaryName: + Description: Name of optional Permissions Boundary + Type: String + +Conditions: + AttachPermissionsBoundary: + !Equals [!Ref AttachPermissionsBoundary, 'Yes'] + Resources: DrawIoLambdaFunctionRole: @@ -30,6 +42,8 @@ Resources: Service: - lambda.amazonaws.com Action: sts:AssumeRole + PermissionsBoundary: + !If [AttachPermissionsBoundary, !Ref PermissionsBoundaryName, !Ref "AWS::NoValue"] DrawIoFunction: Type: AWS::Serverless::Function @@ -48,6 +62,8 @@ Resources: Timeout: 5 MemorySize: 256 ReservedConcurrentExecutions: 5 + PermissionsBoundary: + !If [AttachPermissionsBoundary, !Ref PermissionsBoundaryName, !Ref "AWS::NoValue"] DrawIoInvokeRole: Type: AWS::IAM::Role @@ -70,6 +86,8 @@ Resources: Action: - lambda:InvokeFunction Resource: !GetAtt DrawIoFunction.Arn + PermissionsBoundary: + !If [AttachPermissionsBoundary, !Ref PermissionsBoundaryName, !Ref "AWS::NoValue"] DrawIoExportLambdaDataSource: Type: AWS::AppSync::DataSource diff --git a/source/cfn/templates/gremlin-resolvers.template b/source/cfn/templates/gremlin-resolvers.template index 1e483863..7537c9fa 100644 --- a/source/cfn/templates/gremlin-resolvers.template +++ b/source/cfn/templates/gremlin-resolvers.template @@ -42,6 +42,18 @@ Parameters: CustomUserAgent: Type: String + AttachPermissionsBoundary: + Description: Attach Permissions Boundary + Type: String + + PermissionsBoundaryName: + Description: Name of optional Permissions Boundary + Type: String + +Conditions: + AttachPermissionsBoundary: + !Equals [!Ref AttachPermissionsBoundary, 'Yes'] + Resources: GremlinResolverLambdaSg: 
@@ -98,6 +110,8 @@ Resources: - neptune-db:ReadDataViaQuery - neptune-db:WriteDataViaQuery Resource: !Sub arn:aws:neptune-db:${AWS::Region}:${AWS::AccountId}:${NeptuneClusterResourceId}/* + PermissionsBoundary: + !If [AttachPermissionsBoundary, !Ref PermissionsBoundaryName, !Ref "AWS::NoValue"] GremlinAppSyncFunction: Metadata: @@ -153,6 +167,8 @@ Resources: Action: - lambda:InvokeFunction Resource: !GetAtt GremlinAppSyncFunction.Arn + PermissionsBoundary: + !If [AttachPermissionsBoundary, !Ref PermissionsBoundaryName, !Ref "AWS::NoValue"] PerspectiveAppSyncGremlinLambdaDataSource: Type: AWS::AppSync::DataSource diff --git a/source/cfn/templates/main.template b/source/cfn/templates/main.template index 9d2307d4..8ec16ad7 100644 --- a/source/cfn/templates/main.template +++ b/source/cfn/templates/main.template @@ -146,6 +146,18 @@ Parameters: Type: String Default: "primary" Description: Specify the name of the Athena Workgroup you would like to use. By default it will use 'primary'. + AttachPermissionsBoundary: + Description: Attach Permissions Boundary + Type: String + Default: "No" + AllowedValues: + - 'Yes' + - 'No' + ConstraintDescription: Please specify if Roles should have a Permissions Boundary set (Yes/No) + PermissionsBoundaryName: + Description: Name of optional Permissions Boundary + Type: String + Mappings: Solution: @@ -184,6 +196,8 @@ Resources: physicalResourceId=event.get("LogicalResourceId"), reason=None, ) + PermissionsBoundary: + !If [AttachPermissionsBoundary, !Ref PermissionsBoundaryName, !Ref "AWS::NoValue"] Variables: Type: "Custom::Variables" 
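Review bot: In the main.template hunk at `@@ -184,6 +196,8 @@`, `PermissionsBoundary: !If [AttachPermissionsBoundary, ...]` references a condition named `AttachPermissionsBoundary`, but unlike every nested template this diff adds no `Conditions` entry to main.template; unless one already exists outside these hunks, stack creation fails with an unresolved-condition error. The fix is the same two lines used elsewhere, placed in main.template's `Conditions` block: `AttachPermissionsBoundary: !Equals [!Ref AttachPermissionsBoundary, 'Yes']`. The resource receiving the property is not identified in the hunk (the context is inline Python from a custom-resource handler), so its type should also be confirmed to be one that accepts `PermissionsBoundary`. In the `@@ -146,6 +146,18 @@` hunk, `PermissionsBoundaryName` has no `Default`; if the deployment tooling requires every parameter to be supplied, adding `Default: ""` lets deployments with `AttachPermissionsBoundary: "No"` omit it.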
@@ -220,6 +234,8 @@ Resources: DeploymentBucketKey: !FindInMap [Solution, Constants, DeploymentBucketKey] CreateConfigBucket: !If [SetUpConfig, 'true', 'false'] CustomResourceHelperLambdaLayer: !GetAtt LayerStack.Outputs.CustomResourceHelper + PermissionsBoundaryName: !Sub "arn:aws:iam::${AWS::AccountId}:policy/${PermissionsBoundaryName}" + AttachPermissionsBoundary: !Ref AttachPermissionsBoundary TemplateURL: !Sub - "${DeploymentBucket}/buckets.template" @@ -234,6 +250,9 @@ Resources: - "${DeploymentBucket}/vpc.template" - DeploymentBucket: !GetAtt Variables.DeploymentBucket TimeoutInMinutes: 60 + Parameters: + PermissionsBoundaryName: !Sub "arn:aws:iam::${AWS::AccountId}:policy/${PermissionsBoundaryName}" + AttachPermissionsBoundary: !Ref AttachPermissionsBoundary NeptuneStack: Type: AWS::CloudFormation::Stack @@ -254,6 +273,8 @@ Resources: Port: 6174 CreateNeptuneReplica: !Ref CreateNeptuneReplica DBInstanceClass: !Ref NeptuneInstanceClass + PermissionsBoundaryName: !Sub "arn:aws:iam::${AWS::AccountId}:policy/${PermissionsBoundaryName}" + AttachPermissionsBoundary: !Ref AttachPermissionsBoundary ConfigAggregator: Type: AWS::CloudFormation::Stack @@ -266,6 +287,8 @@ Resources: Parameters: ExistingConfigInstallation: !Ref AlreadyHaveConfigSetup ConfigBucket: !If [SetUpConfig, !GetAtt S3Buckets.Outputs.ConfigBucket, ''] + PermissionsBoundaryName: !Sub "arn:aws:iam::${AWS::AccountId}:policy/${PermissionsBoundaryName}" + AttachPermissionsBoundary: !Ref AttachPermissionsBoundary OpenSearchRoleStack: Type: AWS::CloudFormation::Stack @@ -277,6 +300,8 @@ Resources: TimeoutInMinutes: 60 Parameters: CreateOpensearchServiceRole: !Ref CreateOpensearchServiceRole + PermissionsBoundaryName: !Sub "arn:aws:iam::${AWS::AccountId}:policy/${PermissionsBoundaryName}" + AttachPermissionsBoundary: !Ref AttachPermissionsBoundary OpenSearchStack: Type: AWS::CloudFormation::Stack 
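Review bot: The boundary ARN passed to each nested stack hardcodes the `aws` partition, `!Sub "arn:aws:iam::${AWS::AccountId}:policy/${PermissionsBoundaryName}"`, while athena-glue-crawler.template in this same diff builds ARNs with `${AWS::Partition}`; in a GovCloud or China partition the role creation would fail against a policy ARN that does not exist. Use `!Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/${PermissionsBoundaryName}"` here and in the identical lines of every other main.template stack hunk (`@@ -234`, `@@ -254`, `@@ -266`, `@@ -277`, `@@ -322`, `@@ -340`, `@@ -353`, `@@ -375`, `@@ -397`, `@@ -410`, `@@ -423`, `@@ -436`, `@@ -452`, `@@ -467`, `@@ -480`, `@@ -512`). Note the `!Sub` is evaluated even when `AttachPermissionsBoundary` is 'No', yielding `arn:...:policy/` with an empty name; that is harmless only because every nested template gates on the condition, which is worth a one-line comment next to the first occurrence.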
@@ -322,6 +347,8 @@ Resources: CustomResourceHelper: !GetAtt LayerStack.Outputs.CustomResourceHelper DeploymentBucketName: !GetAtt Variables.DeploymentBucketName DeploymentBucketKey: !FindInMap [ Solution, Constants, DeploymentBucketKey ] + PermissionsBoundaryName: !Sub "arn:aws:iam::${AWS::AccountId}:policy/${PermissionsBoundaryName}" + AttachPermissionsBoundary: !Ref AttachPermissionsBoundary CodebuildStack: Type: AWS::CloudFormation::Stack @@ -340,6 +367,8 @@ Resources: ImageVersion: !FindInMap [Solution, Constants, ImageVersion] SolutionVersion: !FindInMap [Solution, Constants, SolutionVersion] WebUIBucket: !GetAtt S3Buckets.Outputs.WebUIBucket + PermissionsBoundaryName: !Sub "arn:aws:iam::${AWS::AccountId}:policy/${PermissionsBoundaryName}" + AttachPermissionsBoundary: !Ref AttachPermissionsBoundary CognitoStack: Type: AWS::CloudFormation::Stack @@ -353,6 +382,8 @@ Resources: AdminUserEmailAddress: !Ref AdminUserEmailAddress AmplifyStorageBucket: !GetAtt S3Buckets.Outputs.AmplifyStorageBucket WebUiUrl: !GetAtt WebUiStack.Outputs.WebUiUrl + PermissionsBoundaryName: !Sub "arn:aws:iam::${AWS::AccountId}:policy/${PermissionsBoundaryName}" + AttachPermissionsBoundary: !Ref AttachPermissionsBoundary GremlinResolversStack: Type: AWS::CloudFormation::Stack @@ -375,6 +406,8 @@ Resources: PrivateSubnet1: !GetAtt VpcStack.Outputs.PrivateSubnet1 DeploymentBucket: !GetAtt Variables.DeploymentBucketName DeploymentBucketKey: !FindInMap [ Solution, Constants, DeploymentBucketKey ] + PermissionsBoundaryName: !Sub "arn:aws:iam::${AWS::AccountId}:policy/${PermissionsBoundaryName}" + AttachPermissionsBoundary: !Ref AttachPermissionsBoundary SearchResolversStack: Type: AWS::CloudFormation::Stack 
@@ -397,6 +430,8 @@ Resources: SolutionVersion: !FindInMap [Solution, Constants, SolutionVersion] DeploymentBucket: !GetAtt Variables.DeploymentBucketName DeploymentBucketKey: !FindInMap [ Solution, Constants, DeploymentBucketKey ] + PermissionsBoundaryName: !Sub "arn:aws:iam::${AWS::AccountId}:policy/${PermissionsBoundaryName}" + AttachPermissionsBoundary: !Ref AttachPermissionsBoundary DrawIoExportResolversStack: Type: AWS::CloudFormation::Stack @@ -410,6 +445,8 @@ Resources: PerspectiveAppSyncApiId: !GetAtt AppSyncApiStack.Outputs.AppSyncApiId DeploymentBucket: !GetAtt Variables.DeploymentBucketName DeploymentBucketKey: !FindInMap [ Solution, Constants, DeploymentBucketKey ] + PermissionsBoundaryName: !Sub "arn:aws:iam::${AWS::AccountId}:policy/${PermissionsBoundaryName}" + AttachPermissionsBoundary: !Ref AttachPermissionsBoundary AccountImportTemplatesResolversStack: Type: AWS::CloudFormation::Stack @@ -423,6 +460,8 @@ Resources: PerspectiveAppSyncApiId: !GetAtt AppSyncApiStack.Outputs.AppSyncApiId DeploymentBucket: !GetAtt Variables.DeploymentBucketName DeploymentBucketKey: !FindInMap [ Solution, Constants, DeploymentBucketKey ] + PermissionsBoundaryName: !Sub "arn:aws:iam::${AWS::AccountId}:policy/${PermissionsBoundaryName}" + AttachPermissionsBoundary: !Ref AttachPermissionsBoundary AppSyncApiStack: Type: AWS::CloudFormation::Stack @@ -436,6 +475,8 @@ Resources: CognitoUserPoolId: !GetAtt CognitoStack.Outputs.UserPoolId DeploymentBucket: !GetAtt Variables.DeploymentBucketName DeploymentBucketKey: !FindInMap [ Solution, Constants, DeploymentBucketKey ] + PermissionsBoundaryName: !Sub "arn:aws:iam::${AWS::AccountId}:policy/${PermissionsBoundaryName}" + AttachPermissionsBoundary: !Ref AttachPermissionsBoundary CostResolversStack: Type: AWS::CloudFormation::Stack 
@@ -452,6 +493,8 @@ Resources: PerspectiveAppSyncApiId: !GetAtt AppSyncApiStack.Outputs.AppSyncApiId DeploymentBucket: !GetAtt Variables.DeploymentBucketName DeploymentBucketKey: !FindInMap [ Solution, Constants, DeploymentBucketKey ] + PermissionsBoundaryName: !Sub "arn:aws:iam::${AWS::AccountId}:policy/${PermissionsBoundaryName}" + AttachPermissionsBoundary: !Ref AttachPermissionsBoundary SettingsResolversStack: Type: AWS::CloudFormation::Stack @@ -467,6 +510,8 @@ Resources: PerspectiveAppSyncApiId: !GetAtt AppSyncApiStack.Outputs.AppSyncApiId DeploymentBucket: !GetAtt Variables.DeploymentBucketName DeploymentBucketKey: !FindInMap [ Solution, Constants, DeploymentBucketKey ] + PermissionsBoundaryName: !Sub "arn:aws:iam::${AWS::AccountId}:policy/${PermissionsBoundaryName}" + AttachPermissionsBoundary: !Ref AttachPermissionsBoundary AthenaGlueCrawlerStack: Type: AWS::CloudFormation::Stack @@ -480,6 +525,8 @@ Resources: CostAndUsageBucket: !GetAtt S3Buckets.Outputs.CostAndUsageReportBucket DeploymentBucket: !GetAtt Variables.DeploymentBucketName DeploymentBucketKey: !FindInMap [ Solution, Constants, DeploymentBucketKey ] + PermissionsBoundaryName: !Sub "arn:aws:iam::${AWS::AccountId}:policy/${PermissionsBoundaryName}" + AttachPermissionsBoundary: !Ref AttachPermissionsBoundary WebUiStack: Type: AWS::CloudFormation::Stack @@ -512,6 +559,8 @@ Resources: CollectAnonymousMetrics: !Ref OptOutOfSendingAnonymousUsageMetrics SettingsObjectKey: "settings.js" SolutionVersion: !FindInMap [Solution, Constants, SolutionVersion] + PermissionsBoundaryName: !Sub "arn:aws:iam::${AWS::AccountId}:policy/${PermissionsBoundaryName}" + AttachPermissionsBoundary: !Ref AttachPermissionsBoundary Outputs: diff --git a/source/cfn/templates/neptune.template b/source/cfn/templates/neptune.template index ab6624de..222027a6 100644 --- a/source/cfn/templates/neptune.template +++ b/source/cfn/templates/neptune.template 
@@ -210,6 +210,14 @@ Parameters: Type: String Default: 'No' + AttachPermissionsBoundary: + Description: Attach Permissions Boundary + Type: String + + PermissionsBoundaryName: + Description: Name of optional Permissions Boundary + Type: String + Conditions: EnableAuditLogUpload: Fn::Equals: @@ -219,6 +227,8 @@ Conditions: Fn::Equals: - Ref: CreateNeptuneReplica - 'Yes' + AttachPermissionsBoundary: + !Equals [!Ref AttachPermissionsBoundary, 'Yes'] Resources: @@ -407,6 +417,8 @@ Resources: ManagedPolicyArns: - Ref: NeptuneCloudWatchPolicy - Ref: NeptuneS3Policy + PermissionsBoundary: + !If [AttachPermissionsBoundary, !Ref PermissionsBoundaryName, !Ref "AWS::NoValue"] NeptuneCloudWatchPolicy: Type: AWS::IAM::ManagedPolicy diff --git a/source/cfn/templates/opensearch-roles.template b/source/cfn/templates/opensearch-roles.template index 7cb09eec..cb04f2bc 100644 --- a/source/cfn/templates/opensearch-roles.template +++ b/source/cfn/templates/opensearch-roles.template @@ -6,8 +6,18 @@ Parameters: CreateOpensearchServiceRole: Type: String + AttachPermissionsBoundary: + Description: Attach Permissions Boundary + Type: String + + PermissionsBoundaryName: + Description: Name of optional Permissions Boundary + Type: String + Conditions: DeployOpensearchServiceRole: !Equals [!Ref CreateOpensearchServiceRole, 'Yes'] + AttachPermissionsBoundary: + !Equals [!Ref AttachPermissionsBoundary, 'Yes'] Resources: # As this stack has no dependencies it should be created first giving sufficient time for @@ -37,6 +47,8 @@ Resources: - lambda.amazonaws.com Action: - sts:AssumeRole + PermissionsBoundary: + !If [AttachPermissionsBoundary, !Ref PermissionsBoundaryName, !Ref "AWS::NoValue"] Outputs: OpenSearchLambdaRoleArn: diff --git a/source/cfn/templates/search-resolvers.template b/source/cfn/templates/search-resolvers.template index 528f8205..30ba92e2 100644 --- a/source/cfn/templates/search-resolvers.template +++ b/source/cfn/templates/search-resolvers.template 
@@ -41,6 +41,18 @@ Parameters: SolutionVersion: Type: String + AttachPermissionsBoundary: + Description: Attach Permissions Boundary + Type: String + + PermissionsBoundaryName: + Description: Name of optional Permissions Boundary + Type: String + +Conditions: + AttachPermissionsBoundary: + !Equals [!Ref AttachPermissionsBoundary, 'Yes'] + Resources: SearchLambdaSg: @@ -154,6 +166,8 @@ Resources: Action: - lambda:InvokeFunction Resource: !GetAtt SearchApiAppSyncFunction.Arn + PermissionsBoundary: + !If [AttachPermissionsBoundary, !Ref PermissionsBoundaryName, !Ref "AWS::NoValue"] PerspectiveAppSyncSearchLambdaDataSource: Type: AWS::AppSync::DataSource @@ -196,4 +210,4 @@ Resources: ApiId: !Ref PerspectiveAppSyncApiId TypeName: Query FieldName: searchResources - DataSourceName: !GetAtt PerspectiveAppSyncSearchLambdaDataSource.Name \ No newline at end of file + DataSourceName: !GetAtt PerspectiveAppSyncSearchLambdaDataSource.Name diff --git a/source/cfn/templates/settings-resolvers.template b/source/cfn/templates/settings-resolvers.template index e434cf7d..4335475e 100644 --- a/source/cfn/templates/settings-resolvers.template +++ b/source/cfn/templates/settings-resolvers.template @@ -21,6 +21,18 @@ Parameters: CustomUserAgent: Type: String + AttachPermissionsBoundary: + Description: Attach Permissions Boundary + Type: String + + PermissionsBoundaryName: + Description: Name of optional Permissions Boundary + Type: String + +Conditions: + AttachPermissionsBoundary: + !Equals [!Ref AttachPermissionsBoundary, 'Yes'] + Resources: PerspectiveSettingsTable: @@ -85,6 +97,8 @@ Resources: Action: - ec2:DescribeRegions Resource: '*' + PermissionsBoundary: + !If [AttachPermissionsBoundary, !Ref PermissionsBoundaryName, !Ref "AWS::NoValue"] PerspectiveSettingsFunction: Metadata: 
@@ -134,6 +148,8 @@ Resources: Action: - lambda:InvokeFunction Resource: !GetAtt PerspectiveSettingsFunction.Arn + PermissionsBoundary: + !If [AttachPermissionsBoundary, !Ref PermissionsBoundaryName, !Ref "AWS::NoValue"] PerspectiveAppSyncSettingsLambdaDataSource: Type: AWS::AppSync::DataSource diff --git a/source/cfn/templates/vpc.template b/source/cfn/templates/vpc.template index 45c55d19..2b118acd 100644 --- a/source/cfn/templates/vpc.template +++ b/source/cfn/templates/vpc.template @@ -16,6 +16,12 @@ Parameters: - ACCEPT - REJECT - ALL + AttachPermissionsBoundary: + Description: Attach Permissions Boundary + Type: String + PermissionsBoundaryName: + Description: Name of optional Permissions Boundary + Type: String Mappings: SubnetConfig: @@ -64,6 +70,10 @@ Mappings: us-west-2: AZs: ['a', 'b'] +Conditions: + AttachPermissionsBoundary: + !Equals [!Ref AttachPermissionsBoundary, 'Yes'] + Resources: VPC: Type: AWS::EC2::VPC @@ -104,6 +114,8 @@ Resources: - 'logs:CreateLogStream' - 'logs:PutLogEvents' Resource: !GetAtt 'FlowLogGroup.Arn' + PermissionsBoundary: + !If [AttachPermissionsBoundary, !Ref PermissionsBoundaryName, !Ref "AWS::NoValue"] FlowLogGroup: Metadata: diff --git a/source/cfn/templates/webui-settings.template b/source/cfn/templates/webui-settings.template index 5a5b1823..d834285c 100644 --- a/source/cfn/templates/webui-settings.template +++ b/source/cfn/templates/webui-settings.template @@ -33,6 +33,18 @@ Parameters: WebUIBucket: Type: String + AttachPermissionsBoundary: + Description: Attach Permissions Boundary + Type: String + + PermissionsBoundaryName: + Description: Name of optional Permissions Boundary + Type: String + +Conditions: + AttachPermissionsBoundary: + !Equals [!Ref AttachPermissionsBoundary, 'Yes'] + Resources: UiSettingsResource: 
@@ -90,6 +102,8 @@ Resources: Runtime: python3.9 Timeout: 120 ReservedConcurrentExecutions: 1 + PermissionsBoundary: + !If [AttachPermissionsBoundary, !Ref PermissionsBoundaryName, !Ref "AWS::NoValue"] UiSettings: Type: Custom::UiSettings @@ -131,4 +145,4 @@ Resources: ContentType: text/javascript ObjectKey: !Ref SettingsObjectKey ServiceToken: !GetAtt UiSettingsResource.Arn - UpdateReplacePolicy: Delete \ No newline at end of file + UpdateReplacePolicy: Delete