This repository has been archived by the owner on Dec 6, 2024. It is now read-only.

Commit

Addressed cfn-lint findings, added encryption for S3 buckets and SNS topics
vsnyc committed Aug 21, 2023
1 parent ff1a8e3 commit 9b14164
Showing 10 changed files with 103 additions and 17 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -75,6 +75,7 @@ Resources:
CodePipelineSNSTopic:
Type: AWS::SNS::Topic
Properties:
KmsMasterKeyId: !Sub arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:alias/aws/sns
Subscription:
- Endpoint: !Ref 'Email'
Protocol: email
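Review bot: `KmsMasterKeyId` on `CodePipelineSNSTopic` uses the AWS-managed `alias/aws/sns` key, whose key policy cannot be edited, so only IAM principals in this account can be given `kms:GenerateDataKey` and `kms:Decrypt` on it; make sure the role that publishes to this topic carries both actions in its own IAM policy (publishes are rejected otherwise), and plan on a customer-managed key if any AWS service principal, for example EventBridge or S3 event notifications, must publish here, since those can only be authorized through the key policy.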
Expand Down Expand Up @@ -159,7 +160,7 @@ Resources:
- PolicyName: CloudFormationRole
PolicyDocument:
Version: '2012-10-17'
Statement:
Statement:
- Effect: Allow
Action:
- ec2:ImportKeyPair
10 changes: 10 additions & 0 deletions patterns/LambdaZips/README.md
Expand Up @@ -13,6 +13,16 @@ Resources:
# Create a bucket in the local region
LambdaZipsBucket:
Type: AWS::S3::Bucket
Properties:
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
PublicAccessBlockConfiguration:
BlockPublicAcls: true
BlockPublicPolicy: true
IgnorePublicAcls: true
RestrictPublicBuckets: true
# Copy zip files from source bucket
CopyZips:
Type: Custom::CopyZips
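Review bot: the README snippet now matches `example.yaml`; add a sentence under it noting that SSE-S3 (`SSEAlgorithm: AES256`) needs no extra IAM for the `CopyZips` function, whereas switching the algorithm to `aws:kms` later would also require `kms:GenerateDataKey` on the copy function's role and `kms:Decrypt` on every function whose code is loaded from this bucket.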
10 changes: 10 additions & 0 deletions patterns/LambdaZips/example.yaml
Expand Up @@ -12,6 +12,16 @@ Parameters:
Resources:
LambdaZipsBucket:
Type: AWS::S3::Bucket
Properties:
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
PublicAccessBlockConfiguration:
BlockPublicAcls: true
BlockPublicPolicy: true
IgnorePublicAcls: true
RestrictPublicBuckets: true
CopyZips:
Type: Custom::CopyZips
Properties:
14 changes: 12 additions & 2 deletions patterns/blog/CircularDependency/LessSimpleNonWorking.yaml
Expand Up @@ -2,7 +2,17 @@ AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Resources:
Bucket:
Type: AWS::S3::Bucket
Type: AWS::S3::Bucket
Properties:
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
PublicAccessBlockConfiguration:
BlockPublicAcls: true
BlockPublicPolicy: true
IgnorePublicAcls: true
RestrictPublicBuckets: true
Function:
Type: AWS::Serverless::Function
Properties:
Expand All @@ -11,7 +21,7 @@ Resources:
Handler: index.handler
Policies:
- Version: 2012-10-17
Statement:
Statement:
- Effect: Allow
Action: s3:GetObject*
Resource: !Sub "arn:aws:s3:::${Bucket}*"
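Review bot: the `${Bucket}` reference in `Resource: !Sub "arn:aws:s3:::${Bucket}*"` is what creates the circular dependency this file exists to demonstrate, so it has to stay; the trailing `*` directly after the bucket name is a separate over-match (it also covers any bucket whose name starts with this one), which the working variant avoids by granting on the explicit `bucket/*` object path.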
13 changes: 11 additions & 2 deletions patterns/blog/CircularDependency/LessSimpleWorking.yaml
Expand Up @@ -2,9 +2,18 @@ AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Resources:
Bucket:
Type: AWS::S3::Bucket
Type: AWS::S3::Bucket
Properties:
BucketName: !Sub "cderror-${AWS::AccountId}"
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
PublicAccessBlockConfiguration:
BlockPublicAcls: true
BlockPublicPolicy: true
IgnorePublicAcls: true
RestrictPublicBuckets: true
Function:
Type: AWS::Serverless::Function
Properties:
Expand All @@ -13,7 +22,7 @@ Resources:
Handler: index.handler
Policies:
- Version: 2012-10-17
Statement:
Statement:
- Effect: Allow
Action: s3:GetObject*
Resource: !Sub "arn:aws:s3:::cderror-${AWS::AccountId}/*"
1 change: 1 addition & 0 deletions samples/ami-factory-step-function/ami-factory.yaml
Expand Up @@ -18,6 +18,7 @@ Resources:
SNSTopic:
Type: AWS::SNS::Topic
Properties:
KmsMasterKeyId: !Sub arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:alias/aws/sns
Subscription:
- Endpoint: !Ref NotificationEmail
Protocol: "email"
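Review bot: `alias/aws/sns` on `SNSTopic` is the AWS-managed key, so whatever publishes to this topic (the state machine's role, if notifications come from the Step Functions flow) must hold `kms:GenerateDataKey` and `kms:Decrypt` in its own IAM policy; the managed key's policy can't be changed to grant anything, and the encrypted topic will reject publishes from a principal that lacks them.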
15 changes: 12 additions & 3 deletions samples/cloudformation-codebuild-container/codebuild.yaml
Expand Up @@ -120,6 +120,15 @@ Resources:
LambdaZipsBucket:
Type: AWS::S3::Bucket
Properties:
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
PublicAccessBlockConfiguration:
BlockPublicAcls: true
BlockPublicPolicy: true
IgnorePublicAcls: true
RestrictPublicBuckets: true
Tags: []
CopyZips:
Type: AWS::CloudFormation::CustomResource
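Review bot: `Tags: []` on `LambdaZipsBucket` is a no-op and reads like a leftover; drop it, or give the bucket a real tag so it shows up in cost and inventory reports. The encryption and public-access block additions match the other buckets in this commit.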
Expand Down Expand Up @@ -200,7 +209,7 @@ Resources:
- Name: IMAGE_REPO_NAME
Value: !Ref ECRRepository
- Name: IMAGE_TAG
Value: 'latest'
Value: 'latest'
- Name: url_path
Value: 'placeholder'
- Name: url_query
Expand Down Expand Up @@ -271,7 +280,7 @@ Resources:
BuildProjectName: !Ref CodeBuildProject
ECRRepository: !Ref ECRRepository
# cfn_signal_url: is part of the event by default hence missing here
# cfn_stack_id: is part of the event by default
# cfn_stack_id: is part of the event by default
# cfn_request_id: also part of the event
# cfn_logical_resource_id: also part of the event
# Lambda function passes the above into the build project when invoking StartBuild
Expand Down Expand Up @@ -324,4 +333,4 @@ Resources:
Action:
- s3:GetObject
- s3:PutObject
Resource: arn:aws:s3:::*
Resource: arn:aws:s3:::*
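Review bot: only whitespace changed on `Resource: arn:aws:s3:::*`, but while this statement is being touched note that it grants `s3:GetObject` and `s3:PutObject` on every object in every bucket of the account; scope it to the buckets this role actually reads and writes, starting with `!Sub 'arn:${AWS::Partition}:s3:::${LambdaZipsBucket}/*'` for the bucket created earlier in this template.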
11 changes: 10 additions & 1 deletion samples/cloudformation-cross-account/examples/bucket.yaml
@@ -1,11 +1,20 @@
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
Tag:
Tag:
Type: String
Resources:
S3Bucket:
Type: AWS::S3::Bucket
Properties:
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
PublicAccessBlockConfiguration:
BlockPublicAcls: true
BlockPublicPolicy: true
IgnorePublicAcls: true
RestrictPublicBuckets: true
Tags:
- Key: cross-account
Value: !Ref Tag
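Review bot: the public-access block is right for this example, and it does not break its purpose: `BlockPublicPolicy` and `RestrictPublicBuckets` only reject or restrict policies that grant access to everyone (`Principal: '*'` without a narrowing condition), so a bucket policy naming the peer account's ARN as `Principal` still works, and the cross-account grant this sample is built around is unaffected.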
31 changes: 24 additions & 7 deletions samples/hugo-pipeline/templates/master.template.yaml
Expand Up @@ -6,6 +6,10 @@ Resources:
ArtifactBucket:
Type: 'AWS::S3::Bucket'
Properties:
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
AccessControl: Private
LifecycleConfiguration:
Rules:
Expand All @@ -21,17 +25,21 @@ Resources:
WebHostingBucket:
Type: 'AWS::S3::Bucket'
Properties:
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
AccessControl: PublicRead
BucketName: !Ref HostingBucketName
WebsiteConfiguration:
IndexDocument: index.html
WebHostingBucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Properties:
Bucket: !Ref WebHostingBucket
PolicyDocument:
Statement:
-
-
Action:
- "s3:GetObject"
Effect: "Allow"
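Review bot: default encryption on `WebHostingBucket` satisfies cfn-lint but does not change exposure: `AccessControl: PublicRead` with `WebsiteConfiguration` keeps the bucket world-readable, which is intended for a website origin, so add a comment saying this bucket deliberately has no `PublicAccessBlockConfiguration` (every other bucket in this commit got one) or the next lint pass will flag it again. Also re-test a fresh creation: new buckets default to `ObjectOwnership: BucketOwnerEnforced`, which disables ACLs such as `PublicRead`; if the create fails on the ACL, drop `AccessControl` and rely on the `WebHostingBucketPolicy` statement below, which already allows `s3:GetObject` to `Principal: "*"`.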
Expand All @@ -43,6 +51,15 @@ Resources:
- !Ref WebHostingBucket
- "/*"
Principal: "*"
- Action: s3:*
Effect: Deny
Principal: '*'
Resource:
- arn:aws:s3:::bucketname/*
- arn:aws:s3:::bucketname
Condition:
Bool:
aws:SecureTransport: false
IAMRoleStack:
Type: 'AWS::CloudFormation::Stack'
DependsOn:
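Review bot: the new Deny statement's `Resource` entries are the literal `arn:aws:s3:::bucketname` and `arn:aws:s3:::bucketname/*`, so they do not refer to `WebHostingBucket`; S3 rejects a bucket policy whose resources name a different bucket, so this will fail at stack update, and even if accepted it would not enforce TLS on this bucket. Use `!Sub 'arn:${AWS::Partition}:s3:::${WebHostingBucket}'` and `!Sub 'arn:${AWS::Partition}:s3:::${WebHostingBucket}/*'`. Separately, check which endpoint CloudFront fetches from: the S3 website endpoint implied by `WebsiteConfiguration` is HTTP-only, so a correctly scoped `aws:SecureTransport: false` deny would block it; the deny only works when the origin is the bucket's REST endpoint over HTTPS.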
Expand All @@ -62,18 +79,18 @@ Resources:
https://${S3BucketName}.s3.amazonaws.com/${S3KeyPrefix}templates/pipeline.template.yaml
Parameters:
ArtifactBucket: !Ref ArtifactBucket
CodePipelineRoleArn: !GetAtt
CodePipelineRoleArn: !GetAtt
- IAMRoleStack
- Outputs.CodePipelineRoleArn
CodeBuildRoleArn: !GetAtt
CodeBuildRoleArn: !GetAtt
- IAMRoleStack
- Outputs.CodeBuildRoleArn
CloudfrontDistId: '!Ref CloudfrontDistId'
CloudfrontRole: '!Ref CloudfrontRoleArn'
WebsiteBucket: !Ref WebHostingBucket
RepoName: !Ref RepoName
RepoBranch: 'master'

Parameters:
RepoName:
Description: Enter the repository name to host hugo website content
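Review bot: `CloudfrontDistId: '!Ref CloudfrontDistId'` and `CloudfrontRole: '!Ref CloudfrontRoleArn'` are quoted strings, so the nested pipeline stack receives the literal text `!Ref CloudfrontDistId` rather than the parameter value; unless `pipeline.template.yaml` expects those literals, drop the quotes (`CloudfrontDistId: !Ref CloudfrontDistId`) so the short-form intrinsic is parsed. Not changed by this commit, but it sits right beside the `!GetAtt` lines that were reformatted.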
Expand Down Expand Up @@ -118,9 +135,9 @@ Outputs:
Description: Name of S3 bucket to hold website content
CodePipelineURL:
Description: The URL of the created Pipeline
Value: !Sub
Value: !Sub
- >-
https://${AWS::Region}.console.aws.amazon.com/codepipeline/home?region=${AWS::Region}#/view/${CodePipelineName}
- CodePipelineName: !GetAtt
- CodePipelineName: !GetAtt
- CodePipelineStack
- Outputs.CodePipelineName
12 changes: 11 additions & 1 deletion templates/workload-yaml.template.yaml
Expand Up @@ -230,6 +230,7 @@ Resources:
NotificationTopic:
Type: AWS::SNS::Topic
Properties:
KmsMasterKeyId: !Sub arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:alias/aws/sns
Subscription:
- Endpoint:
Ref: OperatorEmail
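Review bot: `NotificationTopic` now uses the AWS-managed `alias/aws/sns` key; whichever principal publishes to it must hold `kms:GenerateDataKey` and `kms:Decrypt` through IAM, because the managed key's policy cannot be edited, and any service that can only be authorized through a key policy (EventBridge, S3 event notifications) will need a customer-managed key instead. Verify in a test deployment that the notifications this topic exists for still arrive.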
Expand Down Expand Up @@ -294,7 +295,7 @@ Resources:
Resource:
- !Sub
- arn:${AWS::Partition}:s3:::${S3Bucket}/${QSS3KeyPrefix}*
- S3Bucket: !If
- S3Bucket: !If
- UsingDefaultBucket
- !Sub '${QSS3BucketName}-${AWS::Region}'
- !Ref QSS3BucketName
Expand Down Expand Up @@ -481,6 +482,15 @@ Resources:
S3Bucket:
Type: AWS::S3::Bucket
Properties:
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
PublicAccessBlockConfiguration:
BlockPublicAcls: true
BlockPublicPolicy: true
IgnorePublicAcls: true
RestrictPublicBuckets: true
BucketName:
Ref: S3BucketName
AccessControl: BucketOwnerFullControl
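Review bot: `AccessControl: BucketOwnerFullControl` sits alongside the new public-access block and is an ACL setting; new buckets default to `ObjectOwnership: BucketOwnerEnforced`, under which ACLs are disabled, so re-run a fresh deployment of this template and, if the bucket creation fails on the ACL, remove `AccessControl` (the `PublicAccessBlockConfiguration` already expresses the intent).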

0 comments on commit 9b14164
