{
   "Conditions": {
      "CreateStackSetResources": {
         "Fn::Equals": [
            {
               "Ref": "EnableStackSetRole"
            },
            true
         ]
      }
   },
   "Description": "AWS Service Management Connector for ServiceNow Demo & IAM Setup v3.0.4. Demo/POC template: it creates IAM users (SCEndUser, SCSyncUser) with long-lived access keys and publishes both the access key IDs and the secret access keys as stack outputs, so treat the stack outputs as sensitive and rotate or remove the keys once the connector is configured.",
   "Metadata": {
      "AWS::CloudFormation::Interface": {
         "ParameterGroups": [
            {
               "Label": {
                  "default": "Roles"
               },
               "Parameters": [
                  "EnableStackSetRole"
               ]
            }
         ],
         "ParameterLabels": {
            "EnableStackSetRole": {
               "default": "Enable Stack Set roles"
            }
         }
      }
   },
   "Outputs": {
      "Portfolio": {
         "Value": {
            "Fn::GetAtt": [
               "Portfolio",
               "PortfolioName"
            ]
         }
      },
      "ProductID": {
         "Value": {
            "Ref": "S3Product"
         }
      },
      "SCEndUserAccessKey": {
         "Value": {
            "Ref": "SCEndUserAccessKeys"
         }
      },
      "SCEndUserSecretAccessKey": {
         "Value": {
            "Fn::GetAtt": [
               "SCEndUserAccessKeys",
               "SecretAccessKey"
            ]
         }
      },
      "SCIAMAdminRoleARN": {
         "Condition": "CreateStackSetResources",
         "Value": {
            "Fn::GetAtt": [
               "AdministrationRole",
               "Arn"
            ]
         }
      },
      "SCIAMStackSetExecutionRoleName": {
         "Condition": "CreateStackSetResources",
         "Value": "AWSCloudFormationStackSetExecutionRole"
      },
      "SCSnowConSecHubQueueName": {
         "Value": {
            "Fn::GetAtt": [
               "SCSnowConSecHubQueue",
               "QueueName"
            ]
         }
      },
      "SCStackSetAdministratorRoleARN": {
         "Condition": "CreateStackSetResources",
         "Value": {
            "Fn::GetAtt": [
               "AdministrationRole",
               "Arn"
            ]
         }
      },
      "SCSyncUserAccessKey": {
         "Value": {
            "Ref": "SCSyncUserAccessKeys"
         }
      },
      "SCSyncUserSecretAccessKey": {
         "Value": {
            "Fn::GetAtt": [
               "SCSyncUserAccessKeys",
               "SecretAccessKey"
            ]
         }
      }
   },
   "Parameters": {
      "EnableStackSetRole": {
         "AllowedValues": [
            true,
            false
         ],
         "ConstraintDescription": "must be either true or false.",
         "Default": true,
         "Description": "Because stack sets perform stack operations across multiple accounts and regions, before you can get started creating stack set products you need to have the necessary permissions defined in your AWS accounts. Select 'true' if you do not currently have the AWSCloudFormationStackSetAdministrationRole and AWSCloudFormationStackSetExecutionRole roles created in your AWS account; select 'false' if they already exist. Note: when 'true', this template creates AWSCloudFormationStackSetExecutionRole with the AdministratorAccess managed policy attached and a trust policy that allows any principal in this account to assume it, so review who in the account holds sts:AssumeRole rights before enabling it.",
         "Type": "String"
      }
   },
   "Resources": {
      "AdminPortfolioPrincipalAssociation": {
         "Properties": {
            "AcceptLanguage": "en",
            "PortfolioId": {
               "Ref": "Portfolio"
            },
            "PrincipalARN": {
               "Fn::GetAtt": [
                  "SCEndUser",
                  "Arn"
               ]
            },
            "PrincipalType": "IAM"
         },
         "Type": "AWS::ServiceCatalog::PortfolioPrincipalAssociation"
      },
      "AdministrationRole": {
         "Condition": "CreateStackSetResources",
         "Properties": {
            "AssumeRolePolicyDocument": {
               "Statement": [
                  {
                     "Action": [
                        "sts:AssumeRole"
                     ],
                     "Effect": "Allow",
                     "Principal": {
                        "Service": "cloudformation.amazonaws.com"
                     }
                  }
               ],
               "Version": "2012-10-17"
            },
            "Path": "/",
            "Policies": [
               {
                  "PolicyDocument": {
                     "Statement": [
                        {
                           "Action": [
                              "sts:AssumeRole"
                           ],
                           "Effect": "Allow",
                           "Resource": [
                              "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole"
                           ]
                        }
                     ],
                     "Version": "2012-10-17"
                  },
                  "PolicyName": "AssumeRole-AWSCloudFormationStackSetExecutionRole"
               }
            ],
            "RoleName": "AWSCloudFormationStackSetAdministrationRole"
         },
         "Type": "AWS::IAM::Role"
      },
      "ExecutionRole": {
         "Condition": "CreateStackSetResources",
         "Properties": {
            "AssumeRolePolicyDocument": {
               "Statement": [
                  {
                     "Action": [
                        "sts:AssumeRole"
                     ],
                     "Effect": "Allow",
                     "Principal": {
                        "AWS": [
                           {
                              "Ref": "AWS::AccountId"
                           }
                        ]
                     }
                  }
               ],
               "Version": "2012-10-17"
            },
            "ManagedPolicyArns": [
               "arn:aws:iam::aws:policy/AdministratorAccess"
            ],
            "Path": "/",
            "RoleName": "AWSCloudFormationStackSetExecutionRole"
         },
         "Type": "AWS::IAM::Role"
      },
      "Portfolio": {
         "Properties": {
            "AcceptLanguage": "en",
            "Description": "SC Test Portfolio.",
            "DisplayName": "SC Test Portfolio",
            "ProviderName": "CCOE"
         },
         "Type": "AWS::ServiceCatalog::Portfolio"
      },
      "PortfolioProductAssociation": {
         "Properties": {
            "AcceptLanguage": "en",
            "PortfolioId": {
               "Ref": "Portfolio"
            },
            "ProductId": {
               "Ref": "S3Product"
            }
         },
         "Type": "AWS::ServiceCatalog::PortfolioProductAssociation"
      },
      "RuleLifeCycleEvents": {
         "Properties": {
            "Description": "Forward 'Security Hub Findings - Imported' events from aws.securityhub to the AwsServiceManagementConnectorForSecurityHubQueue SQS queue; the queue policy only accepts messages whose source ARN is this rule.",
            "EventPattern": {
               "detail-type": [
                  "Security Hub Findings - Imported"
               ],
               "source": [
                  "aws.securityhub"
               ]
            },
            "Targets": [
               {
                  "Arn": {
                     "Fn::Join": [
                        "",
                        [
                           "arn:aws:sqs:",
                           {
                              "Ref": "AWS::Region"
                           },
                           ":",
                           {
                              "Ref": "AWS::AccountId"
                           },
                           ":",
                           "AwsServiceManagementConnectorForSecurityHubQueue"
                        ]
                     ]
                  },
                  "Id": "IDRuleLifeCycleEvents8"
               }
            ]
         },
         "Type": "AWS::Events::Rule"
      },
      "S3LaunchConstraint": {
         "DependsOn": [
            "PortfolioProductAssociation"
         ],
         "Properties": {
            "AcceptLanguage": "en",
            "Description": "Launch role constraint: Service Catalog assumes SCConnectLaunchRole (trusted for servicecatalog.amazonaws.com) to provision the S3 product on behalf of end users, so end users do not need the EC2/S3/CloudFormation permissions granted to that role.",
            "PortfolioId": {
               "Ref": "Portfolio"
            },
            "ProductId": {
               "Ref": "S3Product"
            },
            "RoleArn": {
               "Fn::GetAtt": [
                  "SCConnectLaunchRole",
                  "Arn"
               ]
            }
         },
         "Type": "AWS::ServiceCatalog::LaunchRoleConstraint"
      },
      "S3Product": {
         "Properties": {
            "AcceptLanguage": "en",
            "Description": "S3 Product",
            "Distributor": "CCOE",
            "Name": "S3 WithLifeCycle",
            "Owner": "CCOE",
            "ProvisioningArtifactParameters": [
               {
                  "Description": "Version 3 of S3 product",
                  "Info": {
                     "LoadTemplateFromURL": "https://raw.githubusercontent.com/aws-samples/aws-service-catalog-terraform-reference-architecture/master/ServiceCatalogSamples/sc-s3-transition-snow-ra.json"
                  },
                  "Name": "Version - 3.0"
               }
            ],
            "SupportDescription": "This is a sample S3 product For SC POC.",
            "SupportEmail": "email@mycompany.com",
            "SupportUrl": "https://www.mycompany.com"
         },
         "Type": "AWS::ServiceCatalog::CloudFormationProduct"
      },
      "SCConnectLaunchRole": {
         "Properties": {
            "AssumeRolePolicyDocument": {
               "Statement": [
                  {
                     "Action": [
                        "sts:AssumeRole"
                     ],
                     "Effect": "Allow",
                     "Principal": {
                        "Service": [
                           "servicecatalog.amazonaws.com"
                        ]
                     }
                  }
               ],
               "Version": "2012-10-17"
            },
            "ManagedPolicyArns": [
               "arn:aws:iam::aws:policy/AmazonEC2FullAccess",
               "arn:aws:iam::aws:policy/AmazonS3FullAccess"
            ],
            "Path": "/",
            "Policies": [
               {
                  "PolicyDocument": {
                     "Statement": [
                        {
                           "Action": [
                              "cloudformation:DescribeStackResource",
                              "cloudformation:DescribeStackResource",
                              "cloudformation:DescribeStackResources",
                              "cloudformation:GetTemplate",
                              "cloudformation:List*",
                              "cloudformation:DescribeStackEvents",
                              "cloudformation:DescribeStacks",
                              "cloudformation:CreateStack",
                              "cloudformation:DeleteStack",
                              "cloudformation:DescribeStackEvents",
                              "cloudformation:DescribeStacks",
                              "cloudformation:GetTemplateSummary",
                              "cloudformation:SetStackPolicy",
                              "cloudformation:ValidateTemplate",
                              "cloudformation:UpdateStack",
                              "cloudformation:CreateChangeSet",
                              "cloudformation:DescribeChangeSet",
                              "cloudformation:ExecuteChangeSet",
                              "cloudformation:DeleteChangeSet",
                              "s3:GetObject"
                           ],
                           "Effect": "Allow",
                           "Resource": "*",
                           "Sid": "AWSCloudFormationFullAccess"
                        }
                     ],
                     "Version": "2012-10-17"
                  },
                  "PolicyName": "AWSCloudFormationFullAccess"
               },
               {
                  "PolicyDocument": {
                     "Statement": [
                        {
                           "Action": [
                              "servicecatalog:ListServiceActionsForProvisioningArtifact",
                              "servicecatalog:ExecuteprovisionedProductServiceAction",
                              "ssm:DescribeDocument",
                              "ssm:GetAutomationExecution",
                              "ssm:StartAutomationExecution",
                              "ssm:StopAutomationExecution",
                              "cloudformation:ListStackResources",
                              "ec2:DescribeInstanceStatus",
                              "ec2:StartInstances",
                              "ec2:StopInstances"
                           ],
                           "Effect": "Allow",
                           "Resource": "*",
                           "Sid": "ServiceCatalogSSMActionsBaselineSID"
                        }
                     ],
                     "Version": "2012-10-17"
                  },
                  "PolicyName": "ServiceCatalogSSMActionsBaseline"
               }
            ],
            "RoleName": "SCConnectLaunchRole"
         },
         "Type": "AWS::IAM::Role"
      },
      "SCEndUser": {
         "Properties": {
            "ManagedPolicyArns": [
               "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess",
               "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
               "arn:aws:iam::aws:policy/AWSConfigUserAccess",
               "arn:aws:iam::aws:policy/AWSServiceCatalogEndUserFullAccess",
               "arn:aws:iam::aws:policy/service-role/AWSConfigRole"
            ],
            "Policies": [
               {
                  "PolicyDocument": {
                     "Statement": [
                        {
                           "Action": [
                              "ssm:DescribeAutomationExecutions",
                              "ssm:DescribeDocument",
                              "ssm:StartAutomationExecution"
                           ],
                           "Effect": "Allow",
                           "Resource": "*",
                           "Sid": "SSMExecutionPolicySID"
                        }
                     ],
                     "Version": "2012-10-17"
                  },
                  "PolicyName": "SSMExecutionPolicy"
               }
            ],
            "UserName": "SCEndUser"
         },
         "Type": "AWS::IAM::User"
      },
      "SCEndUserAccessKeys": {
         "DependsOn": "SCEndUser",
         "Properties": {
            "Status": "Active",
            "UserName": "SCEndUser"
         },
         "Type": "AWS::IAM::AccessKey"
      },
      "SCSnowConSecHubQueue": {
         "Properties": {
            "QueueName": "AwsServiceManagementConnectorForSecurityHubQueue",
            "Tags": [
               {
                  "Key": "Name",
                  "Value": "SCSnowConSecHubQueue"
               }
            ]
         },
         "Type": "AWS::SQS::Queue"
      },
      "SCSyncUser": {
         "Properties": {
            "ManagedPolicyArns": [
               "arn:aws:iam::aws:policy/AWSServiceCatalogAdminReadOnlyAccess",
               "arn:aws:iam::aws:policy/AmazonSSMReadOnlyAccess",
               "arn:aws:iam::aws:policy/service-role/AWSConfigRole",
               "arn:aws:iam::aws:policy/AWSConfigUserAccess"
            ],
            "Policies": [
               {
                  "PolicyDocument": {
                     "Statement": [
                        {
                           "Action": [
                              "budgets:ViewBudget"
                           ],
                           "Effect": "Allow",
                           "Resource": "*",
                           "Sid": "SSMActionPolicySID"
                        }
                     ],
                     "Version": "2012-10-17"
                  },
                  "PolicyName": "SSMActionPolicy"
               },
               {
                  "PolicyDocument": {
                     "Statement": [
                        {
                           "Action": [
                              "cloudformation:RegisterType",
                              "cloudformation:DescribeTypeRegistration",
                              "cloudformation:DeregisterType",
                              "config:PutResourceConfig"
                           ],
                           "Effect": "Allow",
                           "Resource": "*",
                           "Sid": "ConfigBiDirectionalPolicySID"
                        }
                     ],
                     "Version": "2012-10-17"
                  },
                  "PolicyName": "ConfigBiDirectionalPolicy"
               },
               {
                  "PolicyDocument": {
                     "Statement": [
                        {
                           "Action": [
                              "sqs:ReceiveMessage",
                              "sqs:DeleteMessage",
                              "sqs:DeleteMessageBatch",
                              "securityhub:BatchUpdateFindings"
                           ],
                           "Effect": "Allow",
                           "Resource": "*",
                           "Sid": "SecurityHubPolicySID"
                        }
                     ],
                     "Version": "2012-10-17"
                  },
                  "PolicyName": "SecurityHubPolicy"
               }
            ],
            "UserName": "SCSyncUser"
         },
         "Type": "AWS::IAM::User"
      },
      "SCSyncUserAccessKeys": {
         "DependsOn": "SCSyncUser",
         "Properties": {
            "Status": "Active",
            "UserName": "SCSyncUser"
         },
         "Type": "AWS::IAM::AccessKey"
      },
      "SQSPolicy": {
         "Type": "AWS::SQS::QueuePolicy",
         "Properties": {
            "Queues": [
               {
                  "Ref": "SCSnowConSecHubQueue"
               }
            ],
            "PolicyDocument": {
               "Statement": [
                  {
                     "Action": "SQS:SendMessage",
                     "Effect": "Allow",
                     "Resource": {
                        "Fn::GetAtt": [
                           "SCSnowConSecHubQueue",
                           "Arn"
                        ]
                     },
                     "Principal": {
                        "Service": "events.amazonaws.com"
                     },
                     "Condition": {
                        "ArnEquals": {
                           "aws:SourceArn": {
                              "Fn::GetAtt": [
                                 "RuleLifeCycleEvents",
                                 "Arn"
                              ]
                           }
                        }
                     }
                  }
               ]
            }
         }
      }
   }
}
