{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Creates additional resources for CUP",
     "Parameters": {
         "Stage": {
             "Type": "String",
             "Description": "The deployment stage, e.g. prod or gamma"
         },
         "RegionCode": {
             "Type": "String",
             "Description": "The abbreviated region ex: iad"
         },
         "RegionCodeUpperCase": {
             "Type": "String",
             "Description": "The abbreviated region in upper case, ex: IAD"
         },
         "SkipADMSTopicSubscription": {
             "Type": "String",
             "Default": "false",
             "AllowedValues": ["true", "false"],
             "Description": "Boolean value to skip creation of the ADMSTopicSubscription resource"
         }
     },
     "Conditions": {
         "IsProdStage" : { "Fn::Equals" : [{"Ref" : "Stage"}, "prod"] },
         "IsGammaStage" : { "Fn::Equals" : [{"Ref" : "Stage"}, "gamma"] },
         "IsNotPdt": {"Fn::Not" : [{"Fn::Equals": [{"Ref": "AWS::Region"},"us-gov-west-1"]}]},
         "IsOptIn": {"Fn::Or" : [
             {"Fn::Equals":  [{"Ref": "AWS::Region"}, "af-south-1"]},
             {"Fn::Equals":  [{"Ref": "AWS::Region"}, "ap-east-1"]},
             {"Fn::Equals":  [{"Ref": "AWS::Region"}, "eu-south-1"]},
             {"Fn::Equals":  [{"Ref": "AWS::Region"}, "me-south-1"]}
         ]},
         "IsNotPdtOrOptIn": {"Fn::And" :  [{"Fn::Not" : [{"Condition" : "IsOptIn"}]}, {"Condition" :  "IsNotPdt"}]},
         "CreateADMSTopicSubscription": {
            "Fn::And": [
                { "Fn::Equals" : [{"Ref" : "SkipADMSTopicSubscription"}, "false"] },
                { "Condition" : "IsNotPdt" }
            ]
         }
     },
    "Resources": {
        "ResourceDeletionNotificationSNSTopic" : {
            "Type": "AWS::SNS::Topic",
            "Properties": {
                "DisplayName": "CUP Resource deletion notification topic",
                "TopicName": "cup_resource_deletion_notification"
            }
        },
        "ResourceDeletionNotificationSNSTopicAccessPolicy" : {
            "Type": "AWS::SNS::TopicPolicy",
            "Properties": {
                "Topics": [
                    {
                        "Ref": "ResourceDeletionNotificationSNSTopic"
                    }
                ],
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Principal": {
                                "Service": {
                                   "Fn::If": [
                                       "IsGammaStage",
                                       [
                                           "preprod.gdpr.cognito-idp.aws.internal",
                                           "cognito-idp.aws.internal"
                                       ],
                                       [
                                           "prod.gdpr.cognito-idp.aws.internal",
                                           "cognito-idp.amazonaws.com"
                                       ]
                                   ]
                                }
                            },
                            "Action": [
                                "SNS:GetTopicAttributes",
                                "SNS:SetTopicAttributes",
                                "SNS:AddPermission",
                                "SNS:RemovePermission",
                                "SNS:DeleteTopic",
                                "SNS:Subscribe",
                                "SNS:ListSubscriptionsByTopic",
                                "SNS:Publish",
                                "SNS:Receive"
                            ],
                            "Resource": {
                                "Ref": "ResourceDeletionNotificationSNSTopic"
                            }
                        }
                    ]
                }
            }
        },
        "AccountClosedNotificationSubscriberDLQ" : {
            "Condition": "IsNotPdt",
            "Type" : "AWS::SQS::Queue",
            "DeletionPolicy": "Retain",
            "UpdateReplacePolicy": "Delete",
            "Properties": {
                "QueueName": { "Fn::Join" : ["-", ["cognito-idp-adms-subscriber", { "Ref" : "Stage" },  {"Ref" : "RegionCode"}, "dlq"]]}
            }
        },
        "AccountClosedNotificationSubscriber" : {
            "Condition": "IsNotPdt",
            "Type": "AWS::SQS::Queue",
            "DeletionPolicy": "Retain",
            "UpdateReplacePolicy": "Delete",
            "Properties": {
                "QueueName": { "Fn::Join" : ["-", ["cognito-idp-adms-subscriber", { "Ref" : "Stage" },  {"Ref" : "RegionCode"}]]},
                "MessageRetentionPeriod": 1209600,
                "RedrivePolicy": {
                    "deadLetterTargetArn" : {"Fn::GetAtt" : [ "AccountClosedNotificationSubscriberDLQ" , "Arn" ]},
                    "maxReceiveCount" : 10
                },
                "SqsManagedSseEnabled": false
            }
        },
        "AccountClosedNotificationSubscriberPolicy": {
            "Condition": "IsNotPdt",
            "Type": "AWS::SQS::QueuePolicy",
            "Properties": {
                "Queues": [{"Ref": "AccountClosedNotificationSubscriber"}],
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Id": "AccountClosedNotificationSubscriberPolicy",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": "*",
                        "Action": ["sqs:SendMessage"],
                        "Resource": {"Fn::GetAtt" : [ "AccountClosedNotificationSubscriber" , "Arn" ]},
                        "Condition": {
                            "ArnEquals": {
                                "aws:SourceArn": {
                                    "Fn::If" : [
                                        "IsProdStage",
                                        { "Fn::Join": [ "-", ["arn:aws:sns:us-east-1:741443714515:ResourceEvent", { "Ref" :  "RegionCodeUpperCase"}]]},
                                        [ "arn:aws:sns:us-east-1:741443714515:ResourceEvent-PreProd",
                                        "arn:aws:sns:us-east-1:741443714515:ResourceEvent-GLOBAL"]
                                    ]
                                }
                            }
                        }
                    }]
                }
            }
        },
        "ADMSTopicSubscription": {
            "Condition": "CreateADMSTopicSubscription",
            "Type": "Custom::CrossRegionSubscription",
            "Properties": {
                "ServiceToken": { "Fn::Join" : [":", ["arn:aws:lambda", {"Ref" : "AWS::Region"}, {"Ref" : "AWS::AccountId"}, "function:CrossRegionSNSSubscriptionCustomResourceCreator"]]},
                "SQSQueueARN": {"Fn::GetAtt" : [ "AccountClosedNotificationSubscriber" , "Arn" ]},
                "SNSTopicARN": {
                    "Fn::If" : [
                        "IsProdStage",
                        { "Fn::Join": [ "-", ["arn:aws:sns:us-east-1:741443714515:ResourceEvent", { "Ref" : "RegionCodeUpperCase"}]]},
                        "arn:aws:sns:us-east-1:741443714515:ResourceEvent-PreProd"
                    ]
                }
            }
        },
        "UserDeletionNotificationSNSTopic" : {
            "Condition": "IsNotPdt",
            "Type": "AWS::SNS::Topic",
            "Properties": {
                "DisplayName": "CUP notification topic to start user deletion",
                "TopicName": "cup_user_deletion_notification"
            }
        },
        "UserDeletionNotificationSubscriberDLQ" : {
            "Condition": "IsNotPdt",
            "Type" : "AWS::SQS::Queue",
            "DeletionPolicy": "Retain",
            "UpdateReplacePolicy": "Delete"
        },
        "UserDeletionNotificationSubscriber" : {
            "Condition": "IsNotPdt",
            "Type": "AWS::SQS::Queue",
            "DeletionPolicy": "Retain",
            "UpdateReplacePolicy": "Delete",
            "Properties": {
                "MessageRetentionPeriod": 1209600,
                "RedrivePolicy": {
                    "deadLetterTargetArn" : {"Fn::GetAtt" : [ "UserDeletionNotificationSubscriberDLQ" , "Arn" ]},
                    "maxReceiveCount" : 10
                }
            }
        },
        "UserDeletionNotificationSubscription" : {
            "Condition": "IsNotPdt",
            "Type": "AWS::SNS::Subscription",
            "Properties": {
                "Endpoint": {"Fn::GetAtt" : [ "UserDeletionNotificationSubscriber" , "Arn" ]},
                "Protocol": "sqs",
                "TopicArn": {"Ref" : "UserDeletionNotificationSNSTopic"}
            }
        },
        "AESSubscriberSQSQueueHighVisibleMessageAlarm": {
            "Condition": "IsNotPdt",
            "Type": "AWS::CloudWatch::Alarm",
            "Properties": {
                "AlarmDescription": "Alarm if AccountClosedNotificationSubscriber SQS queue has messages > 14,400 (what we can process in a day)",
                "AlarmName" : "AESSubscriberSQSQueueHighVisibleMessageAlarm",
                "ComparisonOperator": "GreaterThanThreshold",
                "Dimensions": [{
                    "Name": "QueueName",
                    "Value": {"Fn::GetAtt" : [ "AccountClosedNotificationSubscriber" , "QueueName" ]}
                }],
                "EvaluationPeriods": "12",
                "MetricName": "ApproximateNumberOfMessagesVisible",
                "Namespace": "AWS/SQS",
                "Period": "300",
                "Statistic": "Minimum",
                "Threshold": "14400",
                "TreatMissingData": "notBreaching"
            }
        },
        "AESSubscriberSQSQueueOldestMessageAgeAlarm": {
            "Condition": "IsNotPdt",
            "Type": "AWS::CloudWatch::Alarm",
            "Properties": {
                "AlarmDescription": "Alarm if AccountClosedNotificationSubscriber SQS queue has a message older than 7 days (we will lose the message in 14 days)",
                "AlarmName" : "AESSubscriberSQSQueueOldestMessageAgeAlarm",
                "ComparisonOperator": "GreaterThanThreshold",
                "Dimensions": [{
                    "Name": "QueueName",
                    "Value": {"Fn::GetAtt" : [ "AccountClosedNotificationSubscriber" , "QueueName" ]}
                }],
                "EvaluationPeriods": "6",
                "MetricName": "ApproximateAgeOfOldestMessage",
                "Namespace": "AWS/SQS",
                "Period": "300",
                "Statistic": "Maximum",
                "Threshold": "604800",
                "TreatMissingData": "notBreaching"
            }
        },
        "AESSubscriberSQSQueueNoVisibleMessageAlarm": {
            "Condition": "IsNotPdt",
            "Type": "AWS::CloudWatch::Alarm",
            "Properties": {
                "AlarmDescription": "Alarm if AccountClosedNotificationSubscriber SQS queue has messages < 1",
                "AlarmName" : "AESSubscriberSQSQueueNoVisibleMessageAlarm",
                "ComparisonOperator": "LessThanThreshold",
                "Dimensions": [{
                    "Name": "QueueName",
                    "Value": {"Fn::GetAtt" : [ "AccountClosedNotificationSubscriber" , "QueueName" ]}
                }],
                "EvaluationPeriods": "12",
                "MetricName": "NumberOfMessagesSent",
                "Namespace": "AWS/SQS",
                "Period": "300",
                "Statistic": "Maximum",
                "Threshold": "1",
                "TreatMissingData": "breaching"
            }
        },
        "AESSubscriberSQSDLQVisibleMessageAlarm": {
            "Condition": "IsNotPdt",
            "Type": "AWS::CloudWatch::Alarm",
            "Properties": {
                "AlarmDescription": "Alarm if AccountClosedNotificationSubscriberDLQ SQS queue has messages > 0",
                "AlarmName" : "AESSubscriberSQSDLQVisibleMessageAlarm",
                "ComparisonOperator": "GreaterThanThreshold",
                "Dimensions": [{
                    "Name": "QueueName",
                    "Value": {"Fn::GetAtt" : [ "AccountClosedNotificationSubscriberDLQ" , "QueueName" ]}
                }],
                "EvaluationPeriods": "1",
                "MetricName": "ApproximateNumberOfMessagesVisible",
                "Namespace": "AWS/SQS",
                "Period": "300",
                "Statistic": "Average",
                "Threshold": "0",
                "TreatMissingData": "notBreaching"
            }
        },
        "UserDataDeletionDLQ" : {
            "Type" : "AWS::SQS::Queue",
            "DeletionPolicy": "Retain",
            "UpdateReplacePolicy": "Delete",
            "Properties": {
                "QueueName": { "Fn::Join" : ["-", ["cognito-idp-user-data-deletion", { "Ref" : "Stage" },  {"Ref" : "RegionCode"}, "dlq"]]}
            }
        },
        "UserDataDeletion" : {
            "Type": "AWS::SQS::Queue",
            "DeletionPolicy": "Retain",
            "UpdateReplacePolicy": "Delete",
            "Properties": {
                "QueueName": { "Fn::Join" : ["-", ["cognito-idp-user-data-deletion", { "Ref" : "Stage" },  {"Ref" : "RegionCode"}]]},
                "MessageRetentionPeriod": 1209600,
                "DelaySeconds": 300,
                "RedrivePolicy": {
                    "deadLetterTargetArn" : {"Fn::GetAtt" : [ "UserDataDeletionDLQ" , "Arn" ]},
                    "maxReceiveCount" : 25
                }
            }
        },
        "UserDataDeletionQueuePolicy" : {
            "Condition": "IsNotPdtOrOptIn",
            "Type" : "AWS::SQS::QueuePolicy",
            "Properties" : {
                "Queues" : [{"Ref": "UserDataDeletion"}],
                "PolicyDocument" : {
                    "Version": "2012-10-17",
                    "Id": "UserDataDeletionQueuePolicy",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": {
                          "AWS": ["333243231797"]
                        },
                        "Action": [
                          "SQS:DeleteMessage",
                          "SQS:ReceiveMessage"
                        ],
                        "Resource": {"Fn::GetAtt" : [ "UserDataDeletion" , "Arn" ]}
                    }]
                }
            }
        },
        "UserDataDeletionDLQVisibleMessageAlarm" : {
            "Type": "AWS::CloudWatch::Alarm",
            "Properties": {
                "AlarmDescription": "Alarm if UserDataDeletionDLQ SQS queue has messages > 0",
                "AlarmName" : "UserDataDeletionDLQVisibleMessageAlarm",
                "ComparisonOperator": "GreaterThanThreshold",
                "Dimensions": [{
                    "Name": "QueueName",
                    "Value": {"Fn::GetAtt" : [ "UserDataDeletionDLQ" , "QueueName" ]}
                }],
                "EvaluationPeriods": "1",
                "MetricName": "ApproximateNumberOfMessagesVisible",
                "Namespace": "AWS/SQS",
                "Period": "300",
                "Statistic": "Average",
                "Threshold": "0",
                "TreatMissingData": "notBreaching"
            }
        },
        "QueryUserDataDLQ" : {
            "Type" : "AWS::SQS::Queue",
            "DeletionPolicy": "Retain",
            "UpdateReplacePolicy": "Delete",
            "Properties": {
                "QueueName": { "Fn::Join" : ["-", ["cognito-idp-query-user-data", { "Ref" : "Stage" },  {"Ref" : "RegionCode"}, "dlq"]]},
                "MessageRetentionPeriod": 1209600
            }
        },
        "QueryUserData" : {
            "Type": "AWS::SQS::Queue",
            "DeletionPolicy": "Retain",
            "UpdateReplacePolicy": "Delete",
            "Properties": {
                "QueueName": { "Fn::Join" : ["-", ["cognito-idp-query-user-data", { "Ref" : "Stage" },  {"Ref" : "RegionCode"}]]},
                "MessageRetentionPeriod": 1209600,
                "VisibilityTimeout" : 900,
                "RedrivePolicy": {
                    "deadLetterTargetArn" : {"Fn::GetAtt" : [ "QueryUserDataDLQ" , "Arn" ]},
                    "maxReceiveCount" : 1
                }
            }
        },
        "QueryUserDataDLQVisibleMessageAlarm" : {
            "Type": "AWS::CloudWatch::Alarm",
            "Properties": {
                "AlarmDescription": "Alarm if QueryUserDataDLQ SQS queue has messages > 0",
                "AlarmName" : "QueryUserDataDLQVisibleMessageAlarm",
                "ComparisonOperator": "GreaterThanThreshold",
                "Dimensions": [{
                    "Name": "QueueName",
                    "Value": {"Fn::GetAtt" : [ "QueryUserDataDLQ" , "QueueName" ]}
                }],
                "EvaluationPeriods": "1",
                "MetricName": "ApproximateNumberOfMessagesVisible",
                "Namespace": "AWS/SQS",
                "Period": "60",
                "Statistic": "Average",
                "Threshold": "0",
                "TreatMissingData": "notBreaching"
            }
        },
        "DeleteUserDataDLQ" : {
            "Type" : "AWS::SQS::Queue",
            "DeletionPolicy": "Retain",
            "UpdateReplacePolicy": "Delete",
            "Properties": {
                "QueueName": { "Fn::Join" : ["-", ["cognito-idp-delete-user-data", { "Ref" : "Stage" },  {"Ref" : "RegionCode"}, "dlq"]]},
                "MessageRetentionPeriod": 1209600
            }
        },
        "DeleteUserData" : {
            "Type": "AWS::SQS::Queue",
            "DeletionPolicy": "Retain",
            "UpdateReplacePolicy": "Delete",
            "Properties": {
                "QueueName": { "Fn::Join" : ["-", ["cognito-idp-delete-user-data", { "Ref" : "Stage" },  {"Ref" : "RegionCode"}]]},
                "MessageRetentionPeriod": 1209600,
                "VisibilityTimeout" : 900,
                "RedrivePolicy": {
                    "deadLetterTargetArn" : {"Fn::GetAtt" : [ "DeleteUserDataDLQ" , "Arn" ]},
                    "maxReceiveCount" : 1
                }
            }
        },
        "DeleteUserDataDLQVisibleMessageAlarm" : {
            "Type": "AWS::CloudWatch::Alarm",
            "Properties": {
                "AlarmDescription": "Alarm if DeleteUserDataDLQ SQS queue has messages > 0",
                "AlarmName" : "DeleteUserDataDLQVisibleMessageAlarm",
                "ComparisonOperator": "GreaterThanThreshold",
                "Dimensions": [{
                    "Name": "QueueName",
                    "Value": {"Fn::GetAtt" : [ "DeleteUserDataDLQ" , "QueueName" ]}
                }],
                "EvaluationPeriods": "1",
                "MetricName": "ApproximateNumberOfMessagesVisible",
                "Namespace": "AWS/SQS",
                "Period": "60",
                "Statistic": "Average",
                "Threshold": "0",
                "TreatMissingData": "notBreaching"
            }
        },
         "CognitoTicketBotPolicyPermissions" : {
            "Condition": "IsNotPdt",
             "Type" : "AWS::IAM::Policy",
             "Properties" : {
                 "PolicyName" : "CognitoTicketBotPolicy",
                 "PolicyDocument" : {
                     "Statement":[
                         {
                             "Sid": "TicketBotAccess",
                             "Effect": "Allow",
                             "Action": [
                                "s3:GetObject",
                                "s3:GetObjectVersion"
                              ],
                             "Resource": [
                                "arn:aws:s3:::aws-cognito-signin-throttling-config*/*"
                             ]
                         }
                      ]
                  },
                  "Roles" : [{"Ref" : "LogReaderRole"}]
              }
          },
        "LogReaderRole": {
            "Condition": "IsNotPdt",
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {
                    "Version" : "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": {
                            "AWS": "065325130854"
                        },
                        "Action": [ "sts:AssumeRole" ]
                    }]
                },
                "ManagedPolicyArns": [
                    "arn:aws:iam::aws:policy/CloudWatchLogsReadOnlyAccess"
                ],
                "RoleName": "LogReader"
            }
        },
        "MinervaSyncBucket": {
              "Type": "AWS::S3::Bucket",
              "Properties": {
                "BucketName": { "Fn::Join": [ "-", ["aws-cognito-signin-minerva-sync", {"Ref" : "RegionCode"}, { "Ref" : "Stage" }]]},
                "VersioningConfiguration": {
                  "Status": "Enabled"
                },
                "LoggingConfiguration": {
                  "DestinationBucketName": { "Fn::Join": [ "-", ["cognito-signin-s3-bucket-access-log" , {"Ref" : "RegionCode"}, { "Ref" : "Stage" }]]},
                  "LogFilePrefix": "minerva-sync-logs"
                },
                "BucketEncryption": {
                  "ServerSideEncryptionConfiguration": [
                    {
                      "ServerSideEncryptionByDefault": {
                        "SSEAlgorithm": "AES256"
                      }
                    }
                  ]
                }
              }
        },
        "MinervaSyncRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "RoleName": "CUPMinervaSyncRole",
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                        "Service": "turtle.amazonaws.com"
                        },
                        "Action": "sts:AssumeRole",
                        "Condition": {
                            "ForAnyValue:StringLike": {
                                "turtle.amazonaws.com:region": { "Ref" : "AWS::Region" },
                                "turtle.amazonaws.com:hostclass":  { "Fn::Join" : ["-", ["AWS-COG-PROD", {"Ref" : "RegionCodeUpperCase"}, "TOD"]]}
                            }
                        }
                    },
                    {
                        "Sid": "AllowIamUserAssumeRole",
                        "Effect": "Allow",
                        "Principal": {
                            "Service": [
                                "prod.tod.aws.internal",
                                "tod.aws.internal"
                            ]
                        },
                        "Action": "sts:AssumeRole",
                        "Condition": {
                            "StringEquals": {
                                "aws:RequestTag/tod.aws.internal.package": "AWSCognitoCustomerLimits-1.0",
                                "aws:RequestTag/tod.aws.internal.environment": { "Fn::Join" : ["", ["RegionalTodWorker/", {"Ref" : "RegionCodeUpperCase"} ,"/AWSCognito/Prod"]] },
                                "aws:RequestTag/tod.aws.internal.requester": "CDPipeline:AWSCognitoDynamicConfig"
                            }
                        }
                    },
                    {
                        "Sid": "AllowPassSessionTags",
                        "Effect": "Allow",
                        "Principal": {
                            "Service": [
                                "prod.tod.aws.internal",
                                "tod.aws.internal"
                            ]
                        },
                        "Action": "sts:TagSession",
                        "Condition": {
                            "StringLike": {
                                "aws:RequestTag/tod.aws.internal.package": "*",
                                "aws:RequestTag/tod.aws.internal.environment": "*",
                                "aws:RequestTag/tod.aws.internal.requester": "*"
                            }
                        }
                    }]
                },
                "Policies": [{
                    "PolicyName": "CUPMinervaRolePolicy",
                    "PolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [{
                            "Effect": "Allow",
                            "Action": ["s3:*"],
                            "Resource": [{"Fn::Join":["/",[{ "Fn::GetAtt" : [ "MinervaSyncBucket", "Arn"]},"*"]]},
                                   {"Fn::GetAtt" : [ "MinervaSyncBucket", "Arn"]}]
                        },
                        {
                            "Effect": "Allow",
                            "Action": [
                                "minerva:CreateLimitDefinition",
                                "minerva:UpdateLimitDefinition",
                                "minerva:ImportLimitDefinition",
                                "minerva:ListLimitDefinitions",
                                "minerva:SetSubjectLimit",
                                "minerva:GetSubjectLimit",
                                "minerva:ListSubjectLimits",
                                "minerva:DeleteSubjectLimit"
                            ],
                            "Resource": "*"
                        }]
                    }
                }]
            }
        },
        "ServiceCloudTrail" : {
            "Type" : "AWS::CloudTrail::Trail",
            "Properties" : {
                "IncludeGlobalServiceEvents" : true,
                "IsLogging": true,
                "EnableLogFileValidation" : true,
                "TrailName": { "Fn::Join": [ "-", ["cognito", "cup", {"Ref" : "RegionCode"}, { "Ref" : "Stage" }, "cloudtrail"]]},
                "S3BucketName": {"Ref" : "CloudTrailLogsS3Bucket"},
                "IsMultiRegionTrail" : true
            },
            "DependsOn": "CloudTrailLogsS3BucketPolicy"
        },
        "CloudTrailLogsS3Bucket" : {
            "Type" : "AWS::S3::Bucket",
            "Properties" : {
                "BucketName": { "Fn::Join": [ "-", ["cognito-cloudtrail-logs", "cup", {"Ref" : "RegionCode"}, { "Ref" : "Stage" }]]},
                "VersioningConfiguration": {
                    "Status": "Enabled"
                },
                "LoggingConfiguration": {
                    "DestinationBucketName": { "Fn::Join": [ "-", ["cognito-signin-s3-bucket-access-log" , {"Ref" : "RegionCode"}, { "Ref" : "Stage" }]]},
                    "LogFilePrefix": "cloudtrail-logs"
                },
                "BucketEncryption": {
                    "ServerSideEncryptionConfiguration": [
                        {
                            "ServerSideEncryptionByDefault": {
                                "SSEAlgorithm": "AES256"
                            }
                        }
                    ]
                }
            }
        },
        "CloudTrailLogsS3BucketPolicy": {
            "Type": "AWS::S3::BucketPolicy",
            "Properties": {
                "Bucket": { "Ref": "CloudTrailLogsS3Bucket" },
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": { "Service": { "Fn::Join": [ ".", ["cloudtrail", { "Ref": "AWS::URLSuffix" }]]} },
                        "Action": "s3:GetBucketAcl",
                        "Resource": { "Fn::GetAtt" : [ "CloudTrailLogsS3Bucket", "Arn" ]}
                    }, {
                        "Effect": "Allow",
                        "Principal": { "Service": { "Fn::Join": [ ".", ["cloudtrail", { "Ref": "AWS::URLSuffix" }]]} },
                        "Action": "s3:PutObject",
                        "Resource": { "Fn::Join": [ "/", [{ "Fn::GetAtt" : [ "CloudTrailLogsS3Bucket", "Arn" ]}, "*"]]},
                        "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}
                    }]
                }
            }
        },
        "CupUpcdsCrossAccountDynamoDbAccessRole": {
            "Type": "AWS::IAM::Role",
            "Condition": "IsGammaStage",
            "Properties": {
                "RoleName": "cup-upcds-cross-account-dynamodb-access",
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": {
                            "Service": {
                                "Fn::If" : [
                                    "IsGammaStage",
                                    "preprod.upcds.cognito.aws.internal",
                                    "prod.upcds.cognito.aws.internal"
                                ]
                            }
                        },
                        "Action": "sts:AssumeRole",
                        "Condition": {
                            "StringEquals": {
                                "sts:ExternalId": "cup-upcds-cross-account-dynamodb-access-id"
                            }
                        }
                    }]
                },
                "Policies": [{
                    "PolicyName": "dynamodb-gsi-query",
                    "PolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [{
                            "Effect": "Allow",
                            "Action": "dynamodb:Query",
                            "Resource": [
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/CSIUserPools/index/userPoolId-include-awsAccountId-poolStatus-identityStoreId-index" },
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/CSIUserPoolClients/index/clientId-include-awsAccountId-userPoolId-index" }
                            ]
                        }]
                    }
                }]
            }
        },
        "CUPAccountsPollerGDPRAccessRole": {
            "Type": "AWS::IAM::Role",
            "Condition": "IsNotPdt",
            "Properties": {
                "RoleName": "cup-accounts-poller-gdpr-cross-account-access",
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": {
                            "Service": {
                                "Fn::If" : [
                                    "IsGammaStage",
                                    "preprod.gdpr.cognito-idp.aws.internal",
                                    "prod.gdpr.cognito-idp.aws.internal"
                                ]
                            }
                        },
                        "Action": "sts:AssumeRole",
                        "Condition": {
                            "StringEquals": {
                                "sts:ExternalId": "cup-accounts-poller-gdpr-cross-account-access-id"
                            }
                        }
                    }]
                },
                "Policies": [{
                    "PolicyName": "cup-accounts-poller-gdpr-cross-account-policy",
                    "PolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [{
                            "Effect": "Allow",
                            "Action": [
                                "dynamodb:PutItem",
                                "dynamodb:GetItem",
                                "dynamodb:UpdateItem",
                                "dynamodb:DeleteItem"
                            ],
                            "Resource": [
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/AWSAccountStatus" },
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/AccountsProcessingAndAuditingCheckPoints" },
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/AccountsProcessingAndAuditingLocks" }
                            ]
                        },
                        {
                            "Effect": "Allow",
                            "Action": [
                                "dynamodb:GetItem"
                            ],
                            "Resource": [
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/CSIUserPools" },
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/CSIUserPoolDomain" }
                            ]
                        },
                        {
                            "Effect": "Allow",
                            "Action": [
                                "dynamodb:Query"
                            ],
                            "Resource": [
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/AWSAccountStatus/index/*" },
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/CSIUserPools/index/awsAccountId-userPoolId-index" },
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/CSIUserPoolDomain/index/userPoolId-index"}
                            ]
                        }
                        ]
                    }
                }]
            }
        },
        "CUPAccountAccessKeyInfoRole": {
                    "Type": "AWS::IAM::Role",
                    "Condition": "IsNotPdt",
                    "Properties": {
                        "RoleName": "cup-account-access-key-info",
                        "AssumeRolePolicyDocument": {
                            "Version": "2012-10-17",
                            "Statement": [{
                                "Effect": "Allow",
                                "Principal": {
                                    "Service": {
                                        "Fn::If" : [
                                            "IsGammaStage",
                                            "preprod.gdpr.cognito-idp.aws.internal",
                                            "prod.gdpr.cognito-idp.aws.internal"
                                        ]
                                    }
                                },
                                "Action": "sts:AssumeRole",
                                "Condition": {
                                    "StringEquals": {
                                        "sts:ExternalId": "cup-account-access-key-info-id"
                                    }
                                }
                            }]
                        },
                        "Policies": [{
                            "PolicyName": "AccessKeyInfo",
                            "PolicyDocument": {
                                "Version": "2012-10-17",
                                "Statement": [{
                                    "Effect": "Allow",
                                    "Action": [
                                        "sts:getAccessKeyInfo"
                                    ],
                                    "Resource": "*"
                                }
                                ]
                            }
                        }]
                    }
                },
        "CUPADMSNotificationPollerGDPRAccessRole": {
            "Type": "AWS::IAM::Role",
            "Condition": "IsNotPdt",
            "Properties": {
                "RoleName": "cup-adms-poller-gdpr-cross-account-access",
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": {
                            "Service": {
                                "Fn::If" : [
                                    "IsGammaStage",
                                    "preprod.gdpr.cognito-idp.aws.internal",
                                    "prod.gdpr.cognito-idp.aws.internal"
                                ]
                            }
                        },
                        "Action": "sts:AssumeRole",
                        "Condition": {
                            "StringEquals": {
                                "sts:ExternalId": "cup-adms-poller-gdpr-cross-account-access-id"
                            }
                        }
                    }]
                },
                "Policies": [{
                    "PolicyName": "cup-adms-poller-gdpr-cross-account-policy",
                    "PolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [{
                            "Effect": "Allow",
                            "Action": [
                                "dynamodb:PutItem",
                                "dynamodb:GetItem",
                                "dynamodb:UpdateItem"
                            ],
                            "Resource": [
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/AWSAccountStatus" }
                            ]
                        },
                        {
                            "Effect": "Allow",
                            "Action": [
                                "dynamodb:Query"
                            ],
                            "Resource": [
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/AWSAccountStatus/index/*" },
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/CSIUserPools/index/awsAccountId-userPoolId-index" }
                            ]
                        },
                        {
                            "Effect": "Allow",
                            "Action": [
                                "sqs:ReceiveMessage",
                                "sqs:DeleteMessage"
                            ],
                            "Resource": "*"
                        }]
                    }
                }]
            }
        },
        "CUPCrossRegionSNSSubscriptionGDPRAccessRole": {
            "Type": "AWS::IAM::Role",
            "Condition": "IsNotPdt",
            "Properties": {
                "RoleName": "cup-sns-subscription-gdpr-cross-account-access",
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": {
                            "Service": {
                                "Fn::If" : [
                                    "IsGammaStage",
                                    "preprod.gdpr.cognito-idp.aws.internal",
                                    "prod.gdpr.cognito-idp.aws.internal"
                                ]
                            }
                        },
                        "Action": "sts:AssumeRole",
                        "Condition": {
                            "StringEquals": {
                                "sts:ExternalId": "cup-sns-subscription-gdpr-cross-account-access-id"
                            }
                        }
                    }]
                },
                "Policies": [{
                    "PolicyName": "cup-sns-subscription-gdpr-cross-account-policy",
                    "PolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [{
                            "Effect": "Allow",
                            "Action": [
                                "sns:Subscribe",
                                "sns:Unsubscribe",
                                "sns:ListSubscriptions"
                            ],
                            "Resource": "*"
                        }]
                    }
                }]
            }
        },
        "CUPCrossRegionAESGDPRAccessRole": {
                    "Type": "AWS::IAM::Role",
                    "Condition": "IsNotPdt",
                    "Properties": {
                        "RoleName": "cup-gdpr-adms-cross-account-access",
                        "AssumeRolePolicyDocument": {
                            "Version": "2012-10-17",
                            "Statement": [{
                                "Effect": "Allow",
                                "Principal": {
                                    "Service": {
                                        "Fn::If" : [
                                            "IsGammaStage",
                                            "preprod.gdpr.cognito-idp.aws.internal",
                                            "prod.gdpr.cognito-idp.aws.internal"
                                        ]
                                    }
                                },
                                "Action": "sts:AssumeRole"
                            }]
                        },
                        "Policies": [{
                            "PolicyName": "cup-gdpr-adms-cross-account-policy",
                            "PolicyDocument": {
                                "Version": "2012-10-17",
                                "Statement": [{
                                    "Effect": "Allow",
                                    "Action": "aes:*",
                                    "Resource": "*"
                                }]
                            }
                        }]
                    }
                },
        "CUPResourceDeletionGDPRAccessRole": {
            "Type": "AWS::IAM::Role",
            "Condition": "IsNotPdt",
            "Properties": {
                "RoleName": "cup-resource-deletion-gdpr-cross-account-access",
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": {
                            "Service": {
                                "Fn::If" : [
                                    "IsGammaStage",
                                    "preprod.gdpr.cognito-idp.aws.internal",
                                    "prod.gdpr.cognito-idp.aws.internal"
                                ]
                            }
                        },
                        "Action": "sts:AssumeRole",
                        "Condition": {
                            "StringEquals": {
                                "sts:ExternalId": "cup-resource-deletion-gdpr-cross-account-access-id"
                            }
                        }
                    }]
                },
                "Policies": [{
                    "PolicyName": "cup-resource-deletion-gdpr-cross-account-policy",
                    "PolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [{
                            "Effect": "Allow",
                            "Action": [
                                "dynamodb:GetItem",
                                "dynamodb:DeleteItem",
                                "dynamodb:Query"
                            ],
                            "Resource": [
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/CSIUserPoolClients" },
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/CSILimits" },
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/CIPResourceServer" },
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/CSIFrontlineRiskConfiguration" },
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/CSIIdPIdentifier" },
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/CSIUserImportJobs" },
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/CSIUserPoolDomain" },
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/CSIUserPoolMFAConfigurations" },
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/CSIUserPoolProvider" },
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/CSIUserPoolUIConfiguration" },
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/CSISigningCertificate" },
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/FrontlineRiskOverrides" }
                            ]
                        },
                        {
                            "Effect": "Allow",
                            "Action": [
                                "dynamodb:Query"
                            ],
                            "Resource": [
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/CSIUserPoolClients/index/userPoolId-clientId-index" },
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/CSIUserPoolDomain/index/userPoolId-index" },
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/CSIUserMFASettings/index/userPoolId-keys-only-index" }
                            ]
                        },
                        {
                            "Effect": "Allow",
                            "Action": [
                                "route53:ChangeResourceRecordSets"
                            ],
                            "Resource": "*"
                        }]
                    }
                }]
            }
        },
        "CUPInvestigationAuditorGDPRAccessRole": {
            "Type": "AWS::IAM::Role",
            "Condition": "IsNotPdt",
            "Properties": {
                "RoleName": "cup-investigation-auditor-gdpr-cross-account-access",
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": {
                            "Service": {
                                "Fn::If" : [
                                    "IsGammaStage",
                                    "preprod.gdpr.cognito-idp.aws.internal",
                                    "prod.gdpr.cognito-idp.aws.internal"
                                ]
                            }
                        },
                        "Action": "sts:AssumeRole",
                        "Condition": {
                            "StringEquals": {
                                "sts:ExternalId": "cup-investigation-auditor-gdpr-cross-account-access-id"
                            }
                        }
                    }]
                },
                "Policies": [{
                    "PolicyName": "cup-investigation-auditor-gdpr-cross-account-policy",
                    "PolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [{
                            "Effect": "Allow",
                            "Action": [
                                "dynamodb:PutItem",
                                "dynamodb:GetItem",
                                "dynamodb:UpdateItem",
                                "dynamodb:DeleteItem"
                            ],
                            "Resource": [
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/AWSAccountStatus" },
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/AccountsProcessingAndAuditingCheckPoints" },
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/AccountsProcessingAndAuditingLocks" }
                            ]
                        },
                        {
                            "Effect": "Allow",
                            "Action": [
                                "dynamodb:Query"
                            ],
                            "Resource": [
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/AWSAccountStatus/index/*" }
                            ]
                        },
                        {
                            "Effect": "Allow",
                            "Action": [
                                "s3:GetObject",
                                "s3:ListBucket"
                            ],
                            "Resource": "*"
                        }]
                    }
                }]
            }
        },
        "CUPJournalEventsAuditorGDPRAccessRole": {
            "Type": "AWS::IAM::Role",
            "Condition": "IsNotPdt",
            "Properties": {
                "RoleName": "cup-journal-events-auditor-gdpr-cross-account-access",
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": {
                            "Service": {
                                "Fn::If" : [
                                    "IsGammaStage",
                                    "preprod.gdpr.cognito-idp.aws.internal",
                                    "prod.gdpr.cognito-idp.aws.internal"
                                ]
                            }
                        },
                        "Action": "sts:AssumeRole",
                        "Condition": {
                            "StringEquals": {
                                "sts:ExternalId": "cup-journal-events-auditor-gdpr-cross-account-access-id"
                            }
                        }
                    }]
                },
                "Policies": [{
                    "PolicyName": "cup-journal-events-auditor-gdpr-cross-account-policy",
                    "PolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [{
                            "Effect": "Allow",
                            "Action": [
                                "dynamodb:PutItem",
                                "dynamodb:GetItem",
                                "dynamodb:UpdateItem",
                                "dynamodb:DeleteItem"
                            ],
                            "Resource": [
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/AWSAccountStatus" },
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/AccountsProcessingAndAuditingCheckPoints" },
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/AccountsProcessingAndAuditingLocks" }
                            ]
                        },
                        {
                            "Effect": "Allow",
                            "Action": [
                                "dynamodb:Query"
                            ],
                            "Resource": [
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/AWSAccountStatus/index/*" },
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/CSIUserPools/index/awsAccountId-userPoolId-index" }
                            ]
                        },
                        {
                            "Effect": "Allow",
                            "Action": [
                                "s3:GetObject",
                                "s3:ListBucket"
                            ],
                            "Resource": "*"
                        },
                        {
                            "Effect": "Allow",
                            "Action": [
                                "sts:assumeRole"
                            ],
                            "Resource": [
                                "arn:aws:iam::320900696344:role/cognitoidp/GDPRDJR-cognitoidp-999305110543-1",
                                "arn:aws:iam::320900696344:role/cognitoidp/GDPRDJR-cognitoidp-999305110543-2"
                            ]
                        }
                        ]
                    }
                }]
            }
        },
        "CUPMOCDUserDataGDPRAccessRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "RoleName": "cup-mocd-user-data-gdpr-cross-account-access",
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": {
                            "Service": {
                                "Fn::If" : [
                                    "IsGammaStage",
                                    "preprod.gdpr.cognito-idp.aws.internal",
                                    "prod.gdpr.cognito-idp.aws.internal"
                                ]
                            }
                        },
                        "Action": "sts:AssumeRole",
                        "Condition": {
                            "StringEquals": {
                                "sts:ExternalId": "cup-mocd-user-data-gdpr-cross-account-access-id"
                            }
                        }
                    }]
                },
                "Policies": [{
                    "PolicyName": "cup-mocd-user-data-gdpr-cross-account-policy",
                    "PolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [{
                            "Effect": "Allow",
                            "Action": [
                                "sqs:ReceiveMessage",
                                "sqs:DeleteMessage",
                                "sqs:GetQueueAttributes",
                                "sqs:ChangeMessageVisibility",
                                "sqs:SendMessage"
                            ],
                            "Resource": [
                                {"Fn::GetAtt" : [ "QueryUserData" , "Arn" ]},
                                {"Fn::GetAtt" : [ "QueryUserDataDLQ" , "Arn" ]},
                                {"Fn::GetAtt" : [ "DeleteUserData" , "Arn" ]},
                                {"Fn::GetAtt" : [ "DeleteUserDataDLQ" , "Arn" ]}
                            ]
                        },
                        {
                            "Effect": "Allow",
                            "Action": [
                                "dynamodb:Query"
                            ],
                            "Resource": [
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/CSIUserMFASettings/index/userPoolId-keys-only-index" },
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/CSIUserPools/index/awsAccountId-userPoolId-index" }
                            ]
                        },
                        {
                           "Effect": "Allow",
                           "Action": [
                               "dynamodb:GetItem",
                               "dynamodb:BatchGetItem",
                               "dynamodb:DeleteItem",
                               "dynamodb:BatchWriteItem",
                               "dynamodb:Scan",
                               "dynamodb:ConditionCheckItem"
                           ],
                           "Resource": [
                               { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/CSIUserMFASettings" },
                               { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/AccountsProcessingAndAuditingCheckPoints" },
                               { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/AccountsProcessingAndAuditingLocks" }
                           ]
                        }]
                    }
                }]
            }
        },
        "CUPHardDeleteGDPRAccessRole": {
            "Type": "AWS::IAM::Role",
            "Condition": "IsNotPdt",
            "Properties": {
                "RoleName": "cup-hard-delete-gdpr-cross-account-access",
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": {
                            "Service": {
                                "Fn::If" : [
                                    "IsGammaStage",
                                    "preprod.gdpr.cognito-idp.aws.internal",
                                    "prod.gdpr.cognito-idp.aws.internal"
                                ]
                            }
                        },
                        "Action": "sts:AssumeRole",
                        "Condition": {
                            "StringEquals": {
                                "sts:ExternalId": "cup-hard-delete-gdpr-cross-account-access-id"
                            }
                        }
                    }]
                },
                "Policies": [{
                    "PolicyName": "cup-hard-delete-gdpr-cross-account-policy",
                    "PolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [{
                            "Effect": "Allow",
                            "Action": [
                                "dynamodb:Query",
                                "dynamodb:GetItem"
                            ],
                            "Resource": [
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/CSIInactiveUserPool" },
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/CSIInactiveUserPool/index/userPoolStatus-deletionTimestamp-index" }
                            ]
                        }]
                    }
                }]
            }
        },
        "UserMessagingServiceKMSKey": {
            "Type" : "AWS::KMS::Key",
            "DeletionPolicy": "Retain",
            "UpdateReplacePolicy": "Delete",
            "Properties" : {
                "Description" : "KMS master key used to encrypt/decrypt Cognito data consumed by EUMS",
                "Enabled" : "true",
                "EnableKeyRotation" : "true",
                "KeyPolicy" : {
                    "Version": "2012-10-17",
                    "Id": "key-default-1",
                    "Statement": [
                        {
                            "Sid": "Enable IAM User Permissions",
                            "Effect": "Allow",
                            "Principal": {
                                "AWS": {
                                    "Fn::Join": [":", ["arn",{ "Ref" : "AWS::Partition" }, "iam:", { "Ref": "AWS::AccountId" }, "root" ] ]
                                }
                            },
                            "Action": "kms:*",
                            "Resource": "*"
                        },
                        {
                            "Sid": "Allow use of the key by EUMS",
                            "Effect": "Allow",
                            "Principal": {
                                "Service": {
                                    "Fn::If": [
                                        "IsGammaStage",
                                        "preprod.user-notifications.aws.internal",
                                        "user-notifications.amazonaws.com"
                                    ]
                                }
                            },
                            "Action": "kms:Decrypt",
                            "Resource": "*"
                        }
                    ]
                }
            }
        },
        "UserMessagingServiceKMSKeyAlias": {
            "Type": "AWS::KMS::Alias",
            "DeletionPolicy": "Retain",
            "UpdateReplacePolicy": "Delete",
            "Properties": {
                "AliasName": "alias/UserMessagingServiceKMSKey",
                "TargetKeyId": { "Ref": "UserMessagingServiceKMSKey" }
            }
        },
        "CupUMSSESRole": {
            "Type": "AWS::IAM::Role",
            "DeletionPolicy": "Retain",
            "UpdateReplacePolicy": "Delete",
            "Properties": {
                "RoleName": "cognito_ums_ses_role",
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": {
                            "AWS": {
                                "Fn::Join": [":", ["arn", { "Ref" : "AWS::Partition" }, "iam:", { "Ref": "AWS::AccountId" }, "root" ] ]
                            }
                        },
                        "Action": "sts:AssumeRole",
                        "Condition": {
                            "StringEquals": {
                                "sts:ExternalId": { "Ref": "AWS::AccountId" }
                            }
                        }
                    }]
                },
                "Policies": [{
                    "PolicyName": "UmsSendEmail",
                    "PolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [{
                            "Effect": "Allow",
                            "Action": [
                                "ses:SendEmail",
                                "ses:SendRawEmail"
                            ],
                            "Resource": "*"
                        }]
                    }
                }]
            }
        },
        "CupUipPreImportCrossAccountAccessRole": {
            "Type": "AWS::IAM::Role",
            "Condition": "IsNotPdt",
            "Properties": {
                "RoleName": "cup-uip-pre-import-cross-account-access",
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": {
                            "Service": {
                                "Fn::If" : [
                                    "IsGammaStage",
                                    "gamma.cognito-user-import.aws.internal",
                                    "prod.cognito-user-import.aws.internal"
                                ]
                            }
                        },
                        "Action": "sts:AssumeRole",
                        "Condition": {
                            "StringEquals": {
                                "sts:ExternalId": "cup-uip-pre-import-cross-account-access-id"
                            }
                        }
                    }]
                },
                "Policies": [{
                    "PolicyName": "cup-uip-pre-import-cross-account-policy",
                    "PolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [
                         {
                             "Sid":"KMSAccess",
                             "Effect":"Allow",
                             "Action":[
                                "kms:DescribeKey",
                                "kms:GenerateDataKey*",
                                "kms:Encrypt",
                                "kms:ReEncrypt*",
                                "kms:Decrypt"
                             ],
                             "Resource":[
                                 { "Fn::Join":["", ["arn:", { "Ref" : "AWS::Partition" }, ":kms:", {"Ref":"AWS::Region"}, ":", {"Ref":"AWS::AccountId"}, ":key/*"]] }
                             ]
                         },
                         {
                             "Sid":"S3BucketAccess",
                             "Effect":"Allow",
                             "Action":[
                                 "s3:ListBucket"
                             ],
                             "Resource":[
                                 { "Fn::Join":["", ["arn:", { "Ref" : "AWS::Partition" }, ":s3:::aws-cognito-idp-user-import-", {"Ref" : "RegionCode"}, "-", { "Ref" : "Stage" }]] },
                                 { "Fn::Join":["", ["arn:", { "Ref" : "AWS::Partition" }, ":s3:::aws-cognito-signin-secrets-", {"Ref" : "RegionCode"}, "-", { "Ref" : "Stage" }]] }
                             ]
                         },
                         {
                             "Sid":"S3Read",
                             "Effect":"Allow",
                             "Action":[
                                 "s3:GetObject",
                                 "s3:GetObjectVersion"
                             ],
                             "Resource":[
                                 { "Fn::Join":["", ["arn:", { "Ref" : "AWS::Partition" }, ":s3:::aws-cognito-idp-user-import-", {"Ref" : "RegionCode"}, "-", { "Ref" : "Stage" }, "/*"]] },
                                 { "Fn::Join":["", ["arn:", { "Ref" : "AWS::Partition" }, ":s3:::aws-cognito-signin-secrets-", {"Ref" : "RegionCode"}, "-", { "Ref" : "Stage" }, "/*"]] }
                             ]
                         },
                         {
                             "Sid":"DynamoReadWrite",
                             "Effect":"Allow",
                             "Action": [
                                 "dynamodb:GetItem",
                                 "dynamodb:PutItem",
                                 "dynamodb:Query",
                                 "dynamodb:Scan",
                                 "dynamodb:UpdateItem",
                                 "dynamodb:DeleteItem"
                             ],
                             "Resource":[
                                 { "Fn::Join":["", ["arn:", { "Ref" : "AWS::Partition" }, ":dynamodb:", {"Ref":"AWS::Region"}, ":", {"Ref":"AWS::AccountId"}, ":table/CSIUserImportJobs"]] },
                                 { "Fn::Join":["", ["arn:", { "Ref" : "AWS::Partition" }, ":dynamodb:", {"Ref":"AWS::Region"}, ":", {"Ref":"AWS::AccountId"}, ":table/CSIUserImportJobs/index/userPoolId-creationDate-index"]] },
                                 { "Fn::Join":["", ["arn:", { "Ref" : "AWS::Partition" }, ":dynamodb:", {"Ref":"AWS::Region"}, ":", {"Ref":"AWS::AccountId"}, ":table/CSIUserImportJobs/index/status-userPoolId-index"]] },
                                 { "Fn::Join":["", ["arn:", { "Ref" : "AWS::Partition" }, ":dynamodb:", {"Ref":"AWS::Region"}, ":", {"Ref":"AWS::AccountId"}, ":table/UserImportLocking"]] }
                             ]
                         },
                         {
                             "Sid":"DynamoRead",
                             "Effect":"Allow",
                             "Action": [
                                 "dynamodb:GetItem",
                                 "dynamodb:Query",
                                 "dynamodb:Scan"
                             ],
                             "Resource":[
                                    { "Fn::Join":["",["arn:", { "Ref" : "AWS::Partition" }, ":dynamodb:",{"Ref":"AWS::Region"},":",{"Ref":"AWS::AccountId"},":table/CSIUserPools"]] }
                             ]
                         },
                         {
                             "Sid":"CupOperation",
                             "Effect":"Allow",
                             "Action": "cognito-idp:GetCSVHeader",
                             "Resource": "*"
                         }
                        ]
                    }
                }]
            }
        },
        "CupUipImportUsersCrossAccountAccessRole": {
            "Type": "AWS::IAM::Role",
            "Condition": "IsNotPdt",
            "Properties": {
                "RoleName": "cup-uip-import-users-cross-account-access",
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": {
                            "Service": {
                                "Fn::If" : [
                                    "IsGammaStage",
                                    "gamma.cognito-user-import.aws.internal",
                                    "prod.cognito-user-import.aws.internal"
                                ]
                            }
                        },
                        "Action": "sts:AssumeRole",
                        "Condition": {
                            "StringEquals": {
                                "sts:ExternalId": "cup-uip-import-users-cross-account-access-id"
                            }
                        }
                    }]
                },
                "Policies": [{
                    "PolicyName": "cup-uip-import-users-cross-account-policy",
                    "PolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [
                         {
                             "Sid":"KMSAccess",
                             "Effect":"Allow",
                             "Action":[
                                "kms:DescribeKey",
                                "kms:GenerateDataKey*",
                                "kms:Encrypt",
                                "kms:ReEncrypt*",
                                "kms:Decrypt"
                             ],
                             "Resource":[
                                 { "Fn::Join":["", ["arn:", { "Ref" : "AWS::Partition" }, ":kms:", {"Ref":"AWS::Region"}, ":", {"Ref":"AWS::AccountId"}, ":key/*"]] }
                             ]
                         },
                         {
                             "Sid":"S3BucketAccess",
                             "Effect":"Allow",
                             "Action":[
                                 "s3:ListBucket"
                             ],
                             "Resource":[
                                 { "Fn::Join":["", ["arn:", { "Ref" : "AWS::Partition" }, ":s3:::aws-cognito-signin-secrets-", {"Ref" : "RegionCode"}, "-", { "Ref" : "Stage" }]] }
                             ]
                         },
                         {
                             "Sid":"S3Read",
                             "Effect":"Allow",
                             "Action":[
                                 "s3:GetObject",
                                 "s3:GetObjectVersion"
                             ],
                             "Resource":[
                                 { "Fn::Join":["", ["arn:", { "Ref" : "AWS::Partition" }, ":s3:::aws-cognito-signin-secrets-", {"Ref" : "RegionCode"}, "-", { "Ref" : "Stage" }, "/*"]] }
                             ]
                         },
                         {
                             "Sid":"DynamoReadWrite",
                             "Effect":"Allow",
                             "Action": [
                                 "dynamodb:GetItem",
                                 "dynamodb:PutItem",
                                 "dynamodb:Query",
                                 "dynamodb:Scan",
                                 "dynamodb:UpdateItem"
                             ],
                             "Resource":[
                                 { "Fn::Join":["", ["arn:", { "Ref" : "AWS::Partition" }, ":dynamodb:", {"Ref":"AWS::Region"}, ":", {"Ref":"AWS::AccountId"}, ":table/CSIUserImportJobs"]] },
                                 { "Fn::Join":["", ["arn:", { "Ref" : "AWS::Partition" }, ":dynamodb:", {"Ref":"AWS::Region"}, ":", {"Ref":"AWS::AccountId"}, ":table/CSIUserImportJobs/index/userPoolId-creationDate-index"]] },
                                 { "Fn::Join":["", ["arn:", { "Ref" : "AWS::Partition" }, ":dynamodb:", {"Ref":"AWS::Region"}, ":", {"Ref":"AWS::AccountId"}, ":table/CSIUserImportJobs/index/status-userPoolId-index"]] },
                                 { "Fn::Join":["", ["arn:", { "Ref" : "AWS::Partition" }, ":dynamodb:", {"Ref":"AWS::Region"}, ":", {"Ref":"AWS::AccountId"}, ":table/UserImportLocking"]] }
                             ]
                         }
                        ]
                    }
                }]
            }
        },
        "CupUipCleanupCrossAccountAccessRole": {
            "Type": "AWS::IAM::Role",
            "Condition": "IsNotPdt",
            "Properties": {
                "RoleName": "cup-uip-cleanup-cross-account-access",
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": {
                            "Service": {
                                "Fn::If" : [
                                    "IsGammaStage",
                                    "gamma.cognito-user-import.aws.internal",
                                    "prod.cognito-user-import.aws.internal"
                                ]
                            }
                        },
                        "Action": "sts:AssumeRole",
                        "Condition": {
                            "StringEquals": {
                                "sts:ExternalId": "cup-uip-cleanup-cross-account-access-id"
                            }
                        }
                    }]
                },
                "Policies": [{
                    "PolicyName": "cup-uip-cleanup-cross-account-policy",
                    "PolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [
                            {
                                 "Sid":"KMSAccess",
                                 "Effect":"Allow",
                                 "Action":[
                                    "kms:DescribeKey",
                                    "kms:GenerateDataKey*",
                                    "kms:Encrypt",
                                    "kms:ReEncrypt*",
                                    "kms:Decrypt"
                                 ],
                                 "Resource":[
                                     { "Fn::Join":["", ["arn:", { "Ref" : "AWS::Partition" }, ":kms:", {"Ref":"AWS::Region"}, ":", {"Ref":"AWS::AccountId"}, ":key/*"]] }
                                 ]
                            },
                            {
                                "Sid":"S3BucketAccess",
                                "Effect":"Allow",
                                "Action":[
                                    "s3:ListBucket"
                                ],
                                "Resource":[
                                    { "Fn::Join":["", ["arn:", { "Ref" : "AWS::Partition" }, ":s3:::aws-cognito-idp-user-import-", {"Ref" : "RegionCode"}, "-", { "Ref" : "Stage" }]] },
                                    { "Fn::Join":["", ["arn:", { "Ref" : "AWS::Partition" }, ":s3:::aws-cognito-signin-secrets-", {"Ref" : "RegionCode"}, "-", { "Ref" : "Stage" }]] }
                                ]
                            },
                            {
                                "Sid":"S3SecretsRead",
                                "Effect":"Allow",
                                "Action":[
                                    "s3:GetObject",
                                    "s3:GetObjectVersion"
                                ],
                                "Resource":[
                                    { "Fn::Join":["", ["arn:", { "Ref" : "AWS::Partition" }, ":s3:::aws-cognito-signin-secrets-", {"Ref" : "RegionCode"}, "-", { "Ref" : "Stage" }, "/*"]] }
                                ]
                            },
                            {
                                "Sid":"S3Delete",
                                "Effect":"Allow",
                                "Action":[
                                    "s3:DeleteObject"
                                ],
                                "Resource":[
                                    { "Fn::Join":["",["arn:", { "Ref" : "AWS::Partition" }, ":s3:::aws-cognito-idp-user-import-",{"Ref" : "RegionCode"}, "-", { "Ref" : "Stage" }, "/*"]] }
                                ]
                            },
                            {
                                "Sid":"DynamoReadWrite",
                                "Effect":"Allow",
                                "Action": [
                                    "dynamodb:GetItem",
                                    "dynamodb:PutItem",
                                    "dynamodb:Query",
                                    "dynamodb:Scan",
                                    "dynamodb:UpdateItem",
                                    "dynamodb:DeleteItem"
                                ],
                                "Resource":[
                                    { "Fn::Join":["",["arn:", { "Ref" : "AWS::Partition" }, ":dynamodb:",{"Ref":"AWS::Region"},":",{"Ref":"AWS::AccountId"},":table/CSIUserImportJobs"]] },
                                    { "Fn::Join":["",["arn:", { "Ref" : "AWS::Partition" }, ":dynamodb:",{"Ref":"AWS::Region"},":",{"Ref":"AWS::AccountId"},":table/CSIUserImportJobs/index/userPoolId-creationDate-index"]] },
                                    { "Fn::Join":["",["arn:", { "Ref" : "AWS::Partition" }, ":dynamodb:",{"Ref":"AWS::Region"},":",{"Ref":"AWS::AccountId"},":table/CSIUserImportJobs/index/status-userPoolId-index"]] },
                                    { "Fn::Join":["",["arn:", { "Ref" : "AWS::Partition" }, ":dynamodb:",{"Ref":"AWS::Region"},":",{"Ref":"AWS::AccountId"},":table/UserImportLocking"]] },
                                    { "Fn::Join":["",["arn:", { "Ref" : "AWS::Partition" }, ":dynamodb:",{"Ref":"AWS::Region"},":",{"Ref":"AWS::AccountId"},":table/CSIUserPools"]] }
                                ]
                            }
                        ]
                    }
                }]
            }
        },
        "CupUipCleanupPollingCrossAccountAccessRole": {
            "Type": "AWS::IAM::Role",
            "Condition": "IsNotPdt",
            "Properties": {
                "RoleName": "cup-uip-cleanup-polling-cross-account-access",
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": {
                            "Service": {
                                "Fn::If" : [
                                    "IsGammaStage",
                                    "gamma.cognito-user-import.aws.internal",
                                    "prod.cognito-user-import.aws.internal"
                                ]
                            }
                        },
                        "Action": "sts:AssumeRole",
                        "Condition": {
                            "StringEquals": {
                                "sts:ExternalId": "cup-uip-cleanup-polling-cross-account-access-id"
                            }
                        }
                    }]
                },
                "Policies": [{
                    "PolicyName": "cup-uip-cleanup-polling-cross-account-policy",
                    "PolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [
                            {
                                 "Sid":"KMSAccess",
                                 "Effect":"Allow",
                                 "Action":[
                                    "kms:DescribeKey",
                                    "kms:GenerateDataKey*",
                                    "kms:Encrypt",
                                    "kms:ReEncrypt*",
                                    "kms:Decrypt"
                                 ],
                                 "Resource":[
                                     { "Fn::Join":["", ["arn:", { "Ref" : "AWS::Partition" }, ":kms:", {"Ref":"AWS::Region"}, ":", {"Ref":"AWS::AccountId"}, ":key/*"]] }
                                 ]
                            },
                            {
                                "Sid":"S3BucketAccess",
                                "Effect":"Allow",
                                "Action":[
                                    "s3:ListBucket"
                                ],
                                "Resource":[
                                    { "Fn::Join":["", ["arn:", { "Ref" : "AWS::Partition" }, ":s3:::aws-cognito-signin-secrets-", {"Ref" : "RegionCode"}, "-", { "Ref" : "Stage" }]] },
                                    { "Fn::Join":["", ["arn:", { "Ref" : "AWS::Partition" }, ":s3:::aws-cognito-idp-user-import-",{"Ref" : "RegionCode"}, "-", { "Ref" : "Stage" }, "/*"]] }
                                ]
                            },
                            {
                                "Sid":"S3Read",
                                "Effect":"Allow",
                                "Action":[
                                    "s3:GetObject",
                                    "s3:GetObjectVersion"
                                ],
                                "Resource":[
                                    { "Fn::Join":["", ["arn:", { "Ref" : "AWS::Partition" }, ":s3:::aws-cognito-signin-secrets-", {"Ref" : "RegionCode"}, "-", { "Ref" : "Stage" }, "/*"]] },
                                    { "Fn::Join":["", ["arn:", { "Ref" : "AWS::Partition" }, ":s3:::aws-cognito-idp-user-import-",{"Ref" : "RegionCode"}, "-", { "Ref" : "Stage" }, "/*"]] }
                                ]
                            },
                            {
                                "Sid": "S3Delete",
                                "Effect": "Allow",
                                "Action": [
                                    "s3:DeleteObject"
                                ],
                                "Resource":[
                                    { "Fn::Join":["", ["arn:", { "Ref" : "AWS::Partition" }, ":s3:::aws-cognito-idp-user-import-",{"Ref" : "RegionCode"}, "-", { "Ref" : "Stage" }, "/*"]] }
                                ]
                            },
                            {
                                "Sid":"DynamoRead",
                                "Effect":"Allow",
                                "Action": [
                                    "dynamodb:GetItem",
                                    "dynamodb:Query",
                                    "dynamodb:Scan"
                                ],
                                "Resource":[
                                    { "Fn::Join":["",["arn:", { "Ref" : "AWS::Partition" }, ":dynamodb:",{"Ref":"AWS::Region"},":",{"Ref":"AWS::AccountId"},":table/CSIUserImportJobs"]] },
                                    { "Fn::Join":["",["arn:", { "Ref" : "AWS::Partition" }, ":dynamodb:",{"Ref":"AWS::Region"},":",{"Ref":"AWS::AccountId"},":table/CSIUserImportJobs/index/userPoolId-creationDate-index"]] },
                                    { "Fn::Join":["",["arn:", { "Ref" : "AWS::Partition" }, ":dynamodb:",{"Ref":"AWS::Region"},":",{"Ref":"AWS::AccountId"},":table/CSIUserImportJobs/index/status-userPoolId-index"]] }
                                ]
                            }
                        ]
                    }
                }]
            }
        },
        "CupUipUserImportPollingCrossAccountAccessRole": {
                    "Type": "AWS::IAM::Role",
                    "Condition": "IsNotPdt",
                    "Properties": {
                        "RoleName": "cup-uip-user-import-polling-cross-account-access",
                        "AssumeRolePolicyDocument": {
                            "Version": "2012-10-17",
                            "Statement": [{
                                "Effect": "Allow",
                                "Principal": {
                                    "Service": {
                                        "Fn::If" : [
                                            "IsGammaStage",
                                            "gamma.cognito-user-import.aws.internal",
                                            "prod.cognito-user-import.aws.internal"
                                        ]
                                    }
                                },
                                "Action": "sts:AssumeRole",
                                "Condition": {
                                    "StringEquals": {
                                        "sts:ExternalId": "cup-uip-user-import-polling-cross-account-access-id"
                                    }
                                }
                            }]
                        },
                        "Policies": [{
                            "PolicyName": "cup-uip-user-import-polling-cross-account-policy",
                            "PolicyDocument": {
                                "Version": "2012-10-17",
                                "Statement": [
                                    {
                                         "Sid":"KMSAccess",
                                         "Effect":"Allow",
                                         "Action":[
                                            "kms:DescribeKey",
                                            "kms:GenerateDataKey*",
                                            "kms:Encrypt",
                                            "kms:ReEncrypt*",
                                            "kms:Decrypt"
                                         ],
                                         "Resource":[
                                             { "Fn::Join":["", ["arn:", { "Ref" : "AWS::Partition" }, ":kms:", {"Ref":"AWS::Region"}, ":", {"Ref":"AWS::AccountId"}, ":key/*"]] }
                                         ]
                                    },
                                    {
                                        "Sid":"S3BucketAccess",
                                        "Effect":"Allow",
                                        "Action":[
                                            "s3:ListBucket"
                                        ],
                                        "Resource":[
                                            { "Fn::Join":["", ["arn:", { "Ref" : "AWS::Partition" }, ":s3:::aws-cognito-signin-secrets-", {"Ref" : "RegionCode"}, "-", { "Ref" : "Stage" }]] }
                                        ]
                                    },
                                    {
                                        "Sid":"S3Read",
                                        "Effect":"Allow",
                                        "Action":[
                                            "s3:GetObject",
                                            "s3:GetObjectVersion"
                                        ],
                                        "Resource":[
                                            { "Fn::Join":["", ["arn:", { "Ref" : "AWS::Partition" }, ":s3:::aws-cognito-signin-secrets-", {"Ref" : "RegionCode"}, "-", { "Ref" : "Stage" }, "/*"]] }
                                        ]
                                    },
                                    {
                                        "Sid":"DynamoRead",
                                        "Effect":"Allow",
                                        "Action": [
                                            "dynamodb:GetItem",
                                            "dynamodb:Query",
                                            "dynamodb:Scan"
                                        ],
                                        "Resource":[
                                            { "Fn::Join":["",["arn:", { "Ref" : "AWS::Partition" }, ":dynamodb:",{"Ref":"AWS::Region"},":",{"Ref":"AWS::AccountId"},":table/CSIUserImportJobs"]] },
                                            { "Fn::Join":["",["arn:", { "Ref" : "AWS::Partition" }, ":dynamodb:",{"Ref":"AWS::Region"},":",{"Ref":"AWS::AccountId"},":table/CSIUserImportJobs/index/userPoolId-creationDate-index"]] },
                                            { "Fn::Join":["",["arn:", { "Ref" : "AWS::Partition" }, ":dynamodb:",{"Ref":"AWS::Region"},":",{"Ref":"AWS::AccountId"},":table/CSIUserImportJobs/index/status-userPoolId-index"]] }
                                        ]
                                    }
                                ]
                            }
                        }]
                    }
                },
        "UserImportKMSKey": {
            "Type" : "AWS::KMS::Key",
            "DeletionPolicy": "Retain",
            "UpdateReplacePolicy": "Delete",
            "Properties" : {
                "Description" : "KMS master key to encrypt/decrypt data from Cognito used in UIP",
                "Enabled" : "true",
                "EnableKeyRotation" : "true",
                "KeyPolicy" : {
                    "Version": "2012-10-17",
                    "Id": "key-default-1",
                    "Statement": [
                        {
                            "Sid": "Enable IAM User Permissions",
                            "Effect": "Allow",
                            "Principal": {
                                "AWS": {
                                    "Fn::Join": [":", ["arn",{ "Ref" : "AWS::Partition" }, "iam:", { "Ref": "AWS::AccountId" }, "root" ] ]
                                }
                            },
                            "Action": "kms:*",
                            "Resource": "*"
                        },
                        {
                            "Sid": "Allow use of the key by UIP",
                            "Effect": "Allow",
                            "Principal": {
                                "Service": {
                                    "Fn::If": [
                                        "IsGammaStage",
                                        "gamma.cognito-user-import.aws.internal",
                                        "prod.cognito-user-import.aws.internal"
                                    ]
                                }
                            },
                            "Action": "kms:Decrypt",
                            "Resource": "*"
                        }
                    ]
                }
            }
        },
        "UserImportKMSKeyAlias": {
            "Type": "AWS::KMS::Alias",
            "DeletionPolicy": "Retain",
            "UpdateReplacePolicy": "Delete",
            "Properties": {
                "AliasName": "alias/UserImportKMSKey",
                "TargetKeyId": { "Ref": "UserImportKMSKey" }
            }
        }
    }
}