Untitled

mail@pastecode.io avatar
unknown
plain_text
2 months ago
93 kB
1
Indexable
Never
{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Creates additional resources for CUP",
     "Parameters": {
         "Stage": {
             "Type": "String",
             "Description": "The stage"
         },
         "RegionCode": {
             "Type": "String",
             "Description": "The abbreviated region ex: iad"
         },
         "RegionCodeUpperCase": {
             "Type": "String",
             "Description": "The abbreviated region ex: iad"
         },
         "SkipADMSTopicSubscription": {
             "Type": "String",
             "Default": "false",
             "AllowedValues": ["true", "false"],
             "Description": "Boolean value to skip creation of the ADMSTopicSubscription resource"
         }
     },
     "Conditions": {
         "IsProdStage" : { "Fn::Equals" : [{"Ref" : "Stage"}, "prod"] },
         "IsGammaStage" : { "Fn::Equals" : [{"Ref" : "Stage"}, "gamma"] },
         "IsNotPdt": {"Fn::Not" : [{"Fn::Equals": [{"Ref": "AWS::Region"},"us-gov-west-1"]}]},
         "IsOptIn": {"Fn::Or" : [
             {"Fn::Equals":  [{"Ref": "AWS::Region"}, "af-south-1"]},
             {"Fn::Equals":  [{"Ref": "AWS::Region"}, "ap-east-1"]},
             {"Fn::Equals":  [{"Ref": "AWS::Region"}, "eu-south-1"]},
             {"Fn::Equals":  [{"Ref": "AWS::Region"}, "me-south-1"]}
         ]},
         "IsNotPdtOrOptIn": {"Fn::And" :  [{"Fn::Not" : [{"Condition" : "IsOptIn"}]}, {"Condition" :  "IsNotPdt"}]},
         "CreateADMSTopicSubscription": {
            "Fn::And": [
                { "Fn::Equals" : [{"Ref" : "SkipADMSTopicSubscription"}, "false"] },
                { "Condition" : "IsNotPdt" }
            ]
         }
     },
    "Resources": {
        "ResourceDeletionNotificationSNSTopic" : {
            "Type": "AWS::SNS::Topic",
            "Properties": {
                "DisplayName": "CUP Resource deletion notification topic",
                "TopicName": "cup_resource_deletion_notification"
            }
        },
        "ResourceDeletionNotificationSNSTopicAccessPolicy" : {
            "Type": "AWS::SNS::TopicPolicy",
            "Properties": {
                "Topics": [
                    {
                        "Ref": "ResourceDeletionNotificationSNSTopic"
                    }
                ],
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Principal": {
                                "Service": {
                                   "Fn::If": [
                                       "IsGammaStage",
                                       [
                                           "preprod.gdpr.cognito-idp.aws.internal",
                                           "cognito-idp.aws.internal"
                                       ],
                                       [
                                           "prod.gdpr.cognito-idp.aws.internal",
                                           "cognito-idp.amazonaws.com"
                                       ]
                                   ]
                                }
                            },
                            "Action": [
                                "SNS:GetTopicAttributes",
                                "SNS:SetTopicAttributes",
                                "SNS:AddPermission",
                                "SNS:RemovePermission",
                                "SNS:DeleteTopic",
                                "SNS:Subscribe",
                                "SNS:ListSubscriptionsByTopic",
                                "SNS:Publish",
                                "SNS:Receive"
                            ],
                            "Resource": {
                                "Ref": "ResourceDeletionNotificationSNSTopic"
                            }
                        }
                    ]
                }
            }
        },
        "AccountClosedNotificationSubscriberDLQ" : {
            "Condition": "IsNotPdt",
            "Type" : "AWS::SQS::Queue",
            "DeletionPolicy": "Retain",
            "UpdateReplacePolicy": "Delete",
            "Properties": {
                "QueueName": { "Fn::Join" : ["-", ["cognito-idp-adms-subscriber", { "Ref" : "Stage" },  {"Ref" : "RegionCode"}, "dlq"]]}
            }
        },
        "AccountClosedNotificationSubscriber" : {
            "Condition": "IsNotPdt",
            "Type": "AWS::SQS::Queue",
            "DeletionPolicy": "Retain",
            "UpdateReplacePolicy": "Delete",
            "Properties": {
                "QueueName": { "Fn::Join" : ["-", ["cognito-idp-adms-subscriber", { "Ref" : "Stage" },  {"Ref" : "RegionCode"}]]},
                "MessageRetentionPeriod": 1209600,
                "RedrivePolicy": {
                    "deadLetterTargetArn" : {"Fn::GetAtt" : [ "AccountClosedNotificationSubscriberDLQ" , "Arn" ]},
                    "maxReceiveCount" : 10
                },
                "SqsManagedSseEnabled": false
            }
        },
        "AccountClosedNotificationSubscriberPolicy": {
            "Condition": "IsNotPdt",
            "Type": "AWS::SQS::QueuePolicy",
            "Properties": {
                "Queues": [{"Ref": "AccountClosedNotificationSubscriber"}],
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Id": "AccountClosedNotificationSubscriberPolicy",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": "*",
                        "Action": ["sqs:SendMessage"],
                        "Resource": {"Fn::GetAtt" : [ "AccountClosedNotificationSubscriber" , "Arn" ]},
                        "Condition": {
                            "ArnEquals": {
                                "aws:SourceArn": {
                                    "Fn::If" : [
                                        "IsProdStage",
                                        { "Fn::Join": [ "-", ["arn:aws:sns:us-east-1:741443714515:ResourceEvent", { "Ref" :  "RegionCodeUpperCase"}]]},
                                        [ "arn:aws:sns:us-east-1:741443714515:ResourceEvent-PreProd",
                                        "arn:aws:sns:us-east-1:741443714515:ResourceEvent-GLOBAL"]
                                    ]
                                }
                            }
                        }
                    }]
                }
            }
        },
        "ADMSTopicSubscription": {
            "Condition": "CreateADMSTopicSubscription",
            "Type": "Custom::CrossRegionSubscription",
            "Properties": {
                "ServiceToken": { "Fn::Join" : [":", ["arn:aws:lambda", {"Ref" : "AWS::Region"}, {"Ref" : "AWS::AccountId"}, "function:CrossRegionSNSSubscriptionCustomResourceCreator"]]},
                "SQSQueueARN": {"Fn::GetAtt" : [ "AccountClosedNotificationSubscriber" , "Arn" ]},
                "SNSTopicARN": {
                    "Fn::If" : [
                        "IsProdStage",
                        { "Fn::Join": [ "-", ["arn:aws:sns:us-east-1:741443714515:ResourceEvent", { "Ref" : "RegionCodeUpperCase"}]]},
                        "arn:aws:sns:us-east-1:741443714515:ResourceEvent-PreProd"
                    ]
                }
            }
        },
        "UserDeletionNotificationSNSTopic" : {
            "Condition": "IsNotPdt",
            "Type": "AWS::SNS::Topic",
            "Properties": {
                "DisplayName": "CUP notification topic to start user deletion",
                "TopicName": "cup_user_deletion_notification"
            }
        },
        "UserDeletionNotificationSubscriberDLQ" : {
            "Condition": "IsNotPdt",
            "Type" : "AWS::SQS::Queue",
            "DeletionPolicy": "Retain",
            "UpdateReplacePolicy": "Delete"
        },
        "UserDeletionNotificationSubscriber" : {
            "Condition": "IsNotPdt",
            "Type": "AWS::SQS::Queue",
            "DeletionPolicy": "Retain",
            "UpdateReplacePolicy": "Delete",
            "Properties": {
                "MessageRetentionPeriod": 1209600,
                "RedrivePolicy": {
                    "deadLetterTargetArn" : {"Fn::GetAtt" : [ "UserDeletionNotificationSubscriberDLQ" , "Arn" ]},
                    "maxReceiveCount" : 10
                }
            }
        },
        "UserDeletionNotificationSubscription" : {
            "Condition": "IsNotPdt",
            "Type": "AWS::SNS::Subscription",
            "Properties": {
                "Endpoint": {"Fn::GetAtt" : [ "UserDeletionNotificationSubscriber" , "Arn" ]},
                "Protocol": "sqs",
                "TopicArn": {"Ref" : "UserDeletionNotificationSNSTopic"}
            }
        },
        "AESSubscriberSQSQueueHighVisibleMessageAlarm": {
            "Condition": "IsNotPdt",
            "Type": "AWS::CloudWatch::Alarm",
            "Properties": {
                "AlarmDescription": "Alarm if AccountClosedNotificationSubscriber SQS queue has messages > 14,400 (what we can process in a day)",
                "AlarmName" : "AESSubscriberSQSQueueHighVisibleMessageAlarm",
                "ComparisonOperator": "GreaterThanThreshold",
                "Dimensions": [{
                    "Name": "QueueName",
                    "Value": {"Fn::GetAtt" : [ "AccountClosedNotificationSubscriber" , "QueueName" ]}
                }],
                "EvaluationPeriods": "12",
                "MetricName": "ApproximateNumberOfMessagesVisible",
                "Namespace": "AWS/SQS",
                "Period": "300",
                "Statistic": "Minimum",
                "Threshold": "14400",
                "TreatMissingData": "notBreaching"
            }
        },
        "AESSubscriberSQSQueueOldestMessageAgeAlarm": {
            "Condition": "IsNotPdt",
            "Type": "AWS::CloudWatch::Alarm",
            "Properties": {
                "AlarmDescription": "Alarm if AccountClosedNotificationSubscriber SQS queue has a message older than 7 days (we will loose the message in 14 days)",
                "AlarmName" : "AESSubscriberSQSQueueOldestMessageAgeAlarm",
                "ComparisonOperator": "GreaterThanThreshold",
                "Dimensions": [{
                    "Name": "QueueName",
                    "Value": {"Fn::GetAtt" : [ "AccountClosedNotificationSubscriber" , "QueueName" ]}
                }],
                "EvaluationPeriods": "6",
                "MetricName": "ApproximateAgeOfOldestMessage",
                "Namespace": "AWS/SQS",
                "Period": "300",
                "Statistic": "Maximum",
                "Threshold": "604800",
                "TreatMissingData": "notBreaching"
            }
        },
        "AESSubscriberSQSQueueNoVisibleMessageAlarm": {
            "Condition": "IsNotPdt",
            "Type": "AWS::CloudWatch::Alarm",
            "Properties": {
                "AlarmDescription": "Alarm if AccountClosedNotificationSubscriber SQS queue has messages < 1",
                "AlarmName" : "AESSubscriberSQSQueueNoVisibleMessageAlarm",
                "ComparisonOperator": "LessThanThreshold",
                "Dimensions": [{
                    "Name": "QueueName",
                    "Value": {"Fn::GetAtt" : [ "AccountClosedNotificationSubscriber" , "QueueName" ]}
                }],
                "EvaluationPeriods": "12",
                "MetricName": "NumberOfMessagesSent",
                "Namespace": "AWS/SQS",
                "Period": "300",
                "Statistic": "Maximum",
                "Threshold": "1",
                "TreatMissingData": "breaching"
            }
        },
        "AESSubscriberSQSDLQVisibleMessageAlarm": {
            "Condition": "IsNotPdt",
            "Type": "AWS::CloudWatch::Alarm",
            "Properties": {
                "AlarmDescription": "Alarm if AccountClosedNotificationSubscriber SQS queue has messages > 0",
                "AlarmName" : "AESSubscriberSQSDLQVisibleMessageAlarm",
                "ComparisonOperator": "GreaterThanThreshold",
                "Dimensions": [{
                    "Name": "QueueName",
                    "Value": {"Fn::GetAtt" : [ "AccountClosedNotificationSubscriberDLQ" , "QueueName" ]}
                }],
                "EvaluationPeriods": "1",
                "MetricName": "ApproximateNumberOfMessagesVisible",
                "Namespace": "AWS/SQS",
                "Period": "300",
                "Statistic": "Average",
                "Threshold": "0",
                "TreatMissingData": "notBreaching"
            }
        },
        "UserDataDeletionDLQ" : {
            "Type" : "AWS::SQS::Queue",
            "DeletionPolicy": "Retain",
            "UpdateReplacePolicy": "Delete",
            "Properties": {
                "QueueName": { "Fn::Join" : ["-", ["cognito-idp-user-data-deletion", { "Ref" : "Stage" },  {"Ref" : "RegionCode"}, "dlq"]]}
            }
        },
        "UserDataDeletion" : {
            "Type": "AWS::SQS::Queue",
            "DeletionPolicy": "Retain",
            "UpdateReplacePolicy": "Delete",
            "Properties": {
                "QueueName": { "Fn::Join" : ["-", ["cognito-idp-user-data-deletion", { "Ref" : "Stage" },  {"Ref" : "RegionCode"}]]},
                "MessageRetentionPeriod": 1209600,
                "DelaySeconds": 300,
                "RedrivePolicy": {
                    "deadLetterTargetArn" : {"Fn::GetAtt" : [ "UserDataDeletionDLQ" , "Arn" ]},
                    "maxReceiveCount" : 25
                }
            }
        },
        "UserDataDeletionQueuePolicy" : {
            "Condition": "IsNotPdtOrOptIn",
            "Type" : "AWS::SQS::QueuePolicy",
            "Properties" : {
                "Queues" : [{"Ref": "UserDataDeletion"}],
                "PolicyDocument" : {
                    "Version": "2012-10-17",
                    "Id": "UserDataDeletionQueuePolicy",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": {
                          "AWS": ["333243231797"]
                        },
                        "Action": [
                          "SQS:DeleteMessage",
                          "SQS:ReceiveMessage"
                        ],
                        "Resource": {"Fn::GetAtt" : [ "UserDataDeletion" , "Arn" ]}
                    }]
                }
            }
        },
        "UserDataDeletionDLQVisibleMessageAlarm" : {
            "Type": "AWS::CloudWatch::Alarm",
            "Properties": {
                "AlarmDescription": "Alarm if UserDataDeletionDLQ SQS queue has messages > 0",
                "AlarmName" : "UserDataDeletionDLQVisibleMessageAlarm",
                "ComparisonOperator": "GreaterThanThreshold",
                "Dimensions": [{
                    "Name": "QueueName",
                    "Value": {"Fn::GetAtt" : [ "UserDataDeletionDLQ" , "QueueName" ]}
                }],
                "EvaluationPeriods": "1",
                "MetricName": "ApproximateNumberOfMessagesVisible",
                "Namespace": "AWS/SQS",
                "Period": "300",
                "Statistic": "Average",
                "Threshold": "0",
                "TreatMissingData": "notBreaching"
            }
        },
        "QueryUserDataDLQ" : {
            "Type" : "AWS::SQS::Queue",
            "DeletionPolicy": "Retain",
            "UpdateReplacePolicy": "Delete",
            "Properties": {
                "QueueName": { "Fn::Join" : ["-", ["cognito-idp-query-user-data", { "Ref" : "Stage" },  {"Ref" : "RegionCode"}, "dlq"]]},
                "MessageRetentionPeriod": 1209600
            }
        },
        "QueryUserData" : {
            "Type": "AWS::SQS::Queue",
            "DeletionPolicy": "Retain",
            "UpdateReplacePolicy": "Delete",
            "Properties": {
                "QueueName": { "Fn::Join" : ["-", ["cognito-idp-query-user-data", { "Ref" : "Stage" },  {"Ref" : "RegionCode"}]]},
                "MessageRetentionPeriod": 1209600,
                "VisibilityTimeout" : 900,
                "RedrivePolicy": {
                    "deadLetterTargetArn" : {"Fn::GetAtt" : [ "QueryUserDataDLQ" , "Arn" ]},
                    "maxReceiveCount" : 1
                }
            }
        },
        "QueryUserDataDLQVisibleMessageAlarm" : {
            "Type": "AWS::CloudWatch::Alarm",
            "Properties": {
                "AlarmDescription": "Alarm if QueryUserDataDLQ SQS queue has messages > 0",
                "AlarmName" : "QueryUserDataDLQVisibleMessageAlarm",
                "ComparisonOperator": "GreaterThanThreshold",
                "Dimensions": [{
                    "Name": "QueueName",
                    "Value": {"Fn::GetAtt" : [ "QueryUserDataDLQ" , "QueueName" ]}
                }],
                "EvaluationPeriods": "1",
                "MetricName": "ApproximateNumberOfMessagesVisible",
                "Namespace": "AWS/SQS",
                "Period": "60",
                "Statistic": "Average",
                "Threshold": "0",
                "TreatMissingData": "notBreaching"
            }
        },
        "DeleteUserDataDLQ" : {
            "Type" : "AWS::SQS::Queue",
            "DeletionPolicy": "Retain",
            "UpdateReplacePolicy": "Delete",
            "Properties": {
                "QueueName": { "Fn::Join" : ["-", ["cognito-idp-delete-user-data", { "Ref" : "Stage" },  {"Ref" : "RegionCode"}, "dlq"]]},
                "MessageRetentionPeriod": 1209600
            }
        },
        "DeleteUserData" : {
            "Type": "AWS::SQS::Queue",
            "DeletionPolicy": "Retain",
            "UpdateReplacePolicy": "Delete",
            "Properties": {
                "QueueName": { "Fn::Join" : ["-", ["cognito-idp-delete-user-data", { "Ref" : "Stage" },  {"Ref" : "RegionCode"}]]},
                "MessageRetentionPeriod": 1209600,
                "VisibilityTimeout" : 900,
                "RedrivePolicy": {
                    "deadLetterTargetArn" : {"Fn::GetAtt" : [ "DeleteUserDataDLQ" , "Arn" ]},
                    "maxReceiveCount" : 1
                }
            }
        },
        "DeleteUserDataDLQVisibleMessageAlarm" : {
            "Type": "AWS::CloudWatch::Alarm",
            "Properties": {
                "AlarmDescription": "Alarm if DeleteUserDataDLQ SQS queue has messages > 0",
                "AlarmName" : "DeleteUserDataDLQVisibleMessageAlarm",
                "ComparisonOperator": "GreaterThanThreshold",
                "Dimensions": [{
                    "Name": "QueueName",
                    "Value": {"Fn::GetAtt" : [ "DeleteUserDataDLQ" , "QueueName" ]}
                }],
                "EvaluationPeriods": "1",
                "MetricName": "ApproximateNumberOfMessagesVisible",
                "Namespace": "AWS/SQS",
                "Period": "60",
                "Statistic": "Average",
                "Threshold": "0",
                "TreatMissingData": "notBreaching"
            }
        },
         "CognitoTicketBotPolicyPermissions" : {
            "Condition": "IsNotPdt",
             "Type" : "AWS::IAM::Policy",
             "Properties" : {
                 "PolicyName" : "CognitoTicketBotPolicy",
                 "PolicyDocument" : {
                     "Statement":[
                         {
                             "Sid": "TicketBotAccess",
                             "Effect": "Allow",
                             "Action": [
                                "s3:GetObject",
                                "s3:GetObjectVersion"
                              ],
                             "Resource": [
                                "arn:aws:s3:::aws-cognito-signin-throttling-config*/*"
                             ]
                         }
                      ]
                  },
                  "Roles" : [{"Ref" : "LogReaderRole"}]
              }
          },
        "LogReaderRole": {
            "Condition": "IsNotPdt",
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {
                    "Version" : "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": {
                            "AWS": "065325130854"
                        },
                        "Action": [ "sts:AssumeRole" ]
                    }]
                },
                "ManagedPolicyArns": [
                    "arn:aws:iam::aws:policy/CloudWatchLogsReadOnlyAccess"
                ],
                "RoleName": "LogReader"
            }
        },
        "MinervaSyncBucket": {
              "Type": "AWS::S3::Bucket",
              "Properties": {
                "BucketName": { "Fn::Join": [ "-", ["aws-cognito-signin-minerva-sync", {"Ref" : "RegionCode"}, { "Ref" : "Stage" }]]},
                "VersioningConfiguration": {
                  "Status": "Enabled"
                },
                "LoggingConfiguration": {
                  "DestinationBucketName": { "Fn::Join": [ "-", ["cognito-signin-s3-bucket-access-log" , {"Ref" : "RegionCode"}, { "Ref" : "Stage" }]]},
                  "LogFilePrefix": "minerva-sync-logs"
                },
                "BucketEncryption": {
                  "ServerSideEncryptionConfiguration": [
                    {
                      "ServerSideEncryptionByDefault": {
                        "SSEAlgorithm": "AES256"
                      }
                    }
                  ]
                }
              }
        },
        "MinervaSyncRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "RoleName": "CUPMinervaSyncRole",
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                        "Service": "turtle.amazonaws.com"
                        },
                        "Action": "sts:AssumeRole",
                        "Condition": {
                            "ForAnyValue:StringLike": {
                                "turtle.amazonaws.com:region": { "Ref" : "AWS::Region" },
                                "turtle.amazonaws.com:hostclass":  { "Fn::Join" : ["-", ["AWS-COG-PROD", {"Ref" : "RegionCodeUpperCase"}, "TOD"]]}
                            }
                        }
                    },
                    {
                        "Sid": "AllowIamUserAssumeRole",
                        "Effect": "Allow",
                        "Principal": {
                            "Service": [
                                "prod.tod.aws.internal",
                                "tod.aws.internal"
                            ]
                        },
                        "Action": "sts:AssumeRole",
                        "Condition": {
                            "StringEquals": {
                                "aws:RequestTag/tod.aws.internal.package": "AWSCognitoCustomerLimits-1.0",
                                "aws:RequestTag/tod.aws.internal.environment": { "Fn::Join" : ["", ["RegionalTodWorker/", {"Ref" : "RegionCodeUpperCase"} ,"/AWSCognito/Prod"]] },
                                "aws:RequestTag/tod.aws.internal.requester": "CDPipeline:AWSCognitoDynamicConfig"
                            }
                        }
                    },
                    {
                        "Sid": "AllowPassSessionTags",
                        "Effect": "Allow",
                        "Principal": {
                            "Service": [
                                "prod.tod.aws.internal",
                                "tod.aws.internal"
                            ]
                        },
                        "Action": "sts:TagSession",
                        "Condition": {
                            "StringLike": {
                                "aws:RequestTag/tod.aws.internal.package": "*",
                                "aws:RequestTag/tod.aws.internal.environment": "*",
                                "aws:RequestTag/tod.aws.internal.requester": "*"
                            }
                        }
                    }]
                },
                "Policies": [{
                    "PolicyName": "CUPMinervaRolePolicy",
                    "PolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [{
                            "Effect": "Allow",
                            "Action": ["s3:*"],
                            "Resource": [{"Fn::Join":["/",[{ "Fn::GetAtt" : [ "MinervaSyncBucket", "Arn"]},"*"]]},
                                   {"Fn::GetAtt" : [ "MinervaSyncBucket", "Arn"]}]
                        },
                        {
                            "Effect": "Allow",
                            "Action": [
                                "minerva:CreateLimitDefinition",
                                "minerva:UpdateLimitDefinition",
                                "minerva:ImportLimitDefinition",
                                "minerva:ListLimitDefinitions",
                                "minerva:SetSubjectLimit",
                                "minerva:GetSubjectLimit",
                                "minerva:ListSubjectLimits",
                                "minerva:DeleteSubjectLimit"
                            ],
                            "Resource": "*"
                        }]
                    }
                }]
            }
        },
        "ServiceCloudTrail" : {
            "Type" : "AWS::CloudTrail::Trail",
            "Properties" : {
                "IncludeGlobalServiceEvents" : true,
                "IsLogging": true,
                "EnableLogFileValidation" : true,
                "TrailName": { "Fn::Join": [ "-", ["cognito", "cup", {"Ref" : "RegionCode"}, { "Ref" : "Stage" }, "cloudtrail"]]},
                "S3BucketName": {"Ref" : "CloudTrailLogsS3Bucket"},
                "IsMultiRegionTrail" : true
            },
            "DependsOn": "CloudTrailLogsS3BucketPolicy"
        },
        "CloudTrailLogsS3Bucket" : {
            "Type" : "AWS::S3::Bucket",
            "Properties" : {
                "BucketName": { "Fn::Join": [ "-", ["cognito-cloudtrail-logs", "cup", {"Ref" : "RegionCode"}, { "Ref" : "Stage" }]]},
                "VersioningConfiguration": {
                    "Status": "Enabled"
                },
                "LoggingConfiguration": {
                    "DestinationBucketName": { "Fn::Join": [ "-", ["cognito-signin-s3-bucket-access-log" , {"Ref" : "RegionCode"}, { "Ref" : "Stage" }]]},
                    "LogFilePrefix": "cloudtrail-logs"
                },
                "BucketEncryption": {
                    "ServerSideEncryptionConfiguration": [
                        {
                            "ServerSideEncryptionByDefault": {
                                "SSEAlgorithm": "AES256"
                            }
                        }
                    ]
                }
            }
        },
        "CloudTrailLogsS3BucketPolicy": {
            "Type": "AWS::S3::BucketPolicy",
            "Properties": {
                "Bucket": { "Ref": "CloudTrailLogsS3Bucket" },
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": { "Service": { "Fn::Join": [ ".", ["cloudtrail", { "Ref": "AWS::URLSuffix" }]]} },
                        "Action": "s3:GetBucketAcl",
                        "Resource": { "Fn::GetAtt" : [ "CloudTrailLogsS3Bucket", "Arn" ]}
                    }, {
                        "Effect": "Allow",
                        "Principal": { "Service": { "Fn::Join": [ ".", ["cloudtrail", { "Ref": "AWS::URLSuffix" }]]} },
                        "Action": "s3:PutObject",
                        "Resource": { "Fn::Join": [ "/", [{ "Fn::GetAtt" : [ "CloudTrailLogsS3Bucket", "Arn" ]}, "*"]]},
                        "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}
                    }]
                }
            }
        },
        "CupUpcdsCrossAccountDynamoDbAccessRole": {
            "Type": "AWS::IAM::Role",
            "Condition": "IsGammaStage",
            "Properties": {
                "RoleName": "cup-upcds-cross-account-dynamodb-access",
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": {
                            "Service": {
                                "Fn::If" : [
                                    "IsGammaStage",
                                    "preprod.upcds.cognito.aws.internal",
                                    "prod.upcds.cognito.aws.internal"
                                ]
                            }
                        },
                        "Action": "sts:AssumeRole",
                        "Condition": {
                            "StringEquals": {
                                "sts:ExternalId": "cup-upcds-cross-account-dynamodb-access-id"
                            }
                        }
                    }]
                },
                "Policies": [{
                    "PolicyName": "dynamodb-gsi-query",
                    "PolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [{
                            "Effect": "Allow",
                            "Action": "dynamodb:Query",
                            "Resource": [
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/CSIUserPools/index/userPoolId-include-awsAccountId-poolStatus-identityStoreId-index" },
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/CSIUserPoolClients/index/clientId-include-awsAccountId-userPoolId-index" }
                            ]
                        }]
                    }
                }]
            }
        },
        "CUPAccountsPollerGDPRAccessRole": {
            "Type": "AWS::IAM::Role",
            "Condition": "IsNotPdt",
            "Properties": {
                "RoleName": "cup-accounts-poller-gdpr-cross-account-access",
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": {
                            "Service": {
                                "Fn::If" : [
                                    "IsGammaStage",
                                    "preprod.gdpr.cognito-idp.aws.internal",
                                    "prod.gdpr.cognito-idp.aws.internal"
                                ]
                            }
                        },
                        "Action": "sts:AssumeRole",
                        "Condition": {
                            "StringEquals": {
                                "sts:ExternalId": "cup-accounts-poller-gdpr-cross-account-access-id"
                            }
                        }
                    }]
                },
                "Policies": [{
                    "PolicyName": "cup-accounts-poller-gdpr-cross-account-policy",
                    "PolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [{
                            "Effect": "Allow",
                            "Action": [
                                "dynamodb:PutItem",
                                "dynamodb:GetItem",
                                "dynamodb:UpdateItem",
                                "dynamodb:DeleteItem"
                            ],
                            "Resource": [
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/AWSAccountStatus" },
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/AccountsProcessingAndAuditingCheckPoints" },
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/AccountsProcessingAndAuditingLocks" }
                            ]
                        },
                        {
                            "Effect": "Allow",
                            "Action": [
                                "dynamodb:GetItem"
                            ],
                            "Resource": [
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/CSIUserPools" },
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/CSIUserPoolDomain" }
                            ]
                        },
                        {
                            "Effect": "Allow",
                            "Action": [
                                "dynamodb:Query"
                            ],
                            "Resource": [
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/AWSAccountStatus/index/*" },
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/CSIUserPools/index/awsAccountId-userPoolId-index" },
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/CSIUserPoolDomain/index/userPoolId-index"}
                            ]
                        }
                        ]
                    }
                }]
            }
        },
        "CUPAccountAccessKeyInfoRole": {
                    "Type": "AWS::IAM::Role",
                    "Condition": "IsNotPdt",
                    "Properties": {
                        "RoleName": "cup-account-access-key-info",
                        "AssumeRolePolicyDocument": {
                            "Version": "2012-10-17",
                            "Statement": [{
                                "Effect": "Allow",
                                "Principal": {
                                    "Service": {
                                        "Fn::If" : [
                                            "IsGammaStage",
                                            "preprod.gdpr.cognito-idp.aws.internal",
                                            "prod.gdpr.cognito-idp.aws.internal"
                                        ]
                                    }
                                },
                                "Action": "sts:AssumeRole",
                                "Condition": {
                                    "StringEquals": {
                                        "sts:ExternalId": "cup-account-access-key-info-id"
                                    }
                                }
                            }]
                        },
                        "Policies": [{
                            "PolicyName": "AccessKeyInfo",
                            "PolicyDocument": {
                                "Version": "2012-10-17",
                                "Statement": [{
                                    "Effect": "Allow",
                                    "Action": [
                                        "sts:getAccessKeyInfo"
                                    ],
                                    "Resource": "*"
                                }
                                ]
                            }
                        }]
                    }
                },
        "CUPADMSNotificationPollerGDPRAccessRole": {
            "Type": "AWS::IAM::Role",
            "Condition": "IsNotPdt",
            "Properties": {
                "RoleName": "cup-adms-poller-gdpr-cross-account-access",
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": {
                            "Service": {
                                "Fn::If" : [
                                    "IsGammaStage",
                                    "preprod.gdpr.cognito-idp.aws.internal",
                                    "prod.gdpr.cognito-idp.aws.internal"
                                ]
                            }
                        },
                        "Action": "sts:AssumeRole",
                        "Condition": {
                            "StringEquals": {
                                "sts:ExternalId": "cup-adms-poller-gdpr-cross-account-access-id"
                            }
                        }
                    }]
                },
                "Policies": [{
                    "PolicyName": "cup-adms-poller-gdpr-cross-account-policy",
                    "PolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [{
                            "Effect": "Allow",
                            "Action": [
                                "dynamodb:PutItem",
                                "dynamodb:GetItem",
                                "dynamodb:UpdateItem"
                            ],
                            "Resource": [
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/AWSAccountStatus" }
                            ]
                        },
                        {
                            "Effect": "Allow",
                            "Action": [
                                "dynamodb:Query"
                            ],
                            "Resource": [
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/AWSAccountStatus/index/*" },
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/CSIUserPools/index/awsAccountId-userPoolId-index" }
                            ]
                        },
                        {
                            "Effect": "Allow",
                            "Action": [
                                "sqs:ReceiveMessage",
                                "sqs:DeleteMessage"
                            ],
                            "Resource": "*"
                        }]
                    }
                }]
            }
        },
        "CUPCrossRegionSNSSubscriptionGDPRAccessRole": {
            "Type": "AWS::IAM::Role",
            "Condition": "IsNotPdt",
            "Properties": {
                "RoleName": "cup-sns-subscription-gdpr-cross-account-access",
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": {
                            "Service": {
                                "Fn::If" : [
                                    "IsGammaStage",
                                    "preprod.gdpr.cognito-idp.aws.internal",
                                    "prod.gdpr.cognito-idp.aws.internal"
                                ]
                            }
                        },
                        "Action": "sts:AssumeRole",
                        "Condition": {
                            "StringEquals": {
                                "sts:ExternalId": "cup-sns-subscription-gdpr-cross-account-access-id"
                            }
                        }
                    }]
                },
                "Policies": [{
                    "PolicyName": "cup-sns-subscription-gdpr-cross-account-policy",
                    "PolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [{
                            "Effect": "Allow",
                            "Action": [
                                "sns:Subscribe",
                                "sns:Unsubscribe",
                                "sns:ListSubscriptions"
                            ],
                            "Resource": "*"
                        }]
                    }
                }]
            }
        },
        "CUPCrossRegionAESGDPRAccessRole": {
                    "Type": "AWS::IAM::Role",
                    "Condition": "IsNotPdt",
                    "Properties": {
                        "RoleName": "cup-gdpr-adms-cross-account-access",
                        "AssumeRolePolicyDocument": {
                            "Version": "2012-10-17",
                            "Statement": [{
                                "Effect": "Allow",
                                "Principal": {
                                    "Service": {
                                        "Fn::If" : [
                                            "IsGammaStage",
                                            "preprod.gdpr.cognito-idp.aws.internal",
                                            "prod.gdpr.cognito-idp.aws.internal"
                                        ]
                                    }
                                },
                                "Action": "sts:AssumeRole"
                            }]
                        },
                        "Policies": [{
                            "PolicyName": "cup-gdpr-adms-cross-account-policy",
                            "PolicyDocument": {
                                "Version": "2012-10-17",
                                "Statement": [{
                                    "Effect": "Allow",
                                    "Action": "aes:*",
                                    "Resource": "*"
                                }]
                            }
                        }]
                    }
                },
        "CUPResourceDeletionGDPRAccessRole": {
            "Type": "AWS::IAM::Role",
            "Condition": "IsNotPdt",
            "Properties": {
                "RoleName": "cup-resource-deletion-gdpr-cross-account-access",
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": {
                            "Service": {
                                "Fn::If" : [
                                    "IsGammaStage",
                                    "preprod.gdpr.cognito-idp.aws.internal",
                                    "prod.gdpr.cognito-idp.aws.internal"
                                ]
                            }
                        },
                        "Action": "sts:AssumeRole",
                        "Condition": {
                            "StringEquals": {
                                "sts:ExternalId": "cup-resource-deletion-gdpr-cross-account-access-id"
                            }
                        }
                    }]
                },
                "Policies": [{
                    "PolicyName": "cup-resource-deletion-gdpr-cross-account-policy",
                    "PolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [{
                            "Effect": "Allow",
                            "Action": [
                                "dynamodb:GetItem",
                                "dynamodb:DeleteItem",
                                "dynamodb:Query"
                            ],
                            "Resource": [
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/CSIUserPoolClients" },
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/CSILimits" },
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/CIPResourceServer" },
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/CSIFrontlineRiskConfiguration" },
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/CSIIdPIdentifier" },
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/CSIUserImportJobs" },
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/CSIUserPoolDomain" },
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/CSIUserPoolMFAConfigurations" },
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/CSIUserPoolProvider" },
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/CSIUserPoolUIConfiguration" },
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/CSISigningCertificate" },
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/FrontlineRiskOverrides" }
                            ]
                        },
                        {
                            "Effect": "Allow",
                            "Action": [
                                "dynamodb:Query"
                            ],
                            "Resource": [
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/CSIUserPoolClients/index/userPoolId-clientId-index" },
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/CSIUserPoolDomain/index/userPoolId-index" },
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/CSIUserMFASettings/index/userPoolId-keys-only-index" }
                            ]
                        },
                        {
                            "Effect": "Allow",
                            "Action": [
                                "route53:ChangeResourceRecordSets"
                            ],
                            "Resource": "*"
                        }]
                    }
                }]
            }
        },
        "CUPInvestigationAuditorGDPRAccessRole": {
            "Type": "AWS::IAM::Role",
            "Condition": "IsNotPdt",
            "Properties": {
                "RoleName": "cup-investigation-auditor-gdpr-cross-account-access",
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": {
                            "Service": {
                                "Fn::If" : [
                                    "IsGammaStage",
                                    "preprod.gdpr.cognito-idp.aws.internal",
                                    "prod.gdpr.cognito-idp.aws.internal"
                                ]
                            }
                        },
                        "Action": "sts:AssumeRole",
                        "Condition": {
                            "StringEquals": {
                                "sts:ExternalId": "cup-investigation-auditor-gdpr-cross-account-access-id"
                            }
                        }
                    }]
                },
                "Policies": [{
                    "PolicyName": "cup-investigation-auditor-gdpr-cross-account-policy",
                    "PolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [{
                            "Effect": "Allow",
                            "Action": [
                                "dynamodb:PutItem",
                                "dynamodb:GetItem",
                                "dynamodb:UpdateItem",
                                "dynamodb:DeleteItem"
                            ],
                            "Resource": [
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/AWSAccountStatus" },
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/AccountsProcessingAndAuditingCheckPoints" },
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/AccountsProcessingAndAuditingLocks" }
                            ]
                        },
                        {
                            "Effect": "Allow",
                            "Action": [
                                "dynamodb:Query"
                            ],
                            "Resource": [
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/AWSAccountStatus/index/*" }
                            ]
                        },
                        {
                            "Effect": "Allow",
                            "Action": [
                                "s3:GetObject",
                                "s3:ListBucket"
                            ],
                            "Resource": "*"
                        }]
                    }
                }]
            }
        },
        "CUPJournalEventsAuditorGDPRAccessRole": {
            "Type": "AWS::IAM::Role",
            "Condition": "IsNotPdt",
            "Properties": {
                "RoleName": "cup-journal-events-auditor-gdpr-cross-account-access",
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": {
                            "Service": {
                                "Fn::If" : [
                                    "IsGammaStage",
                                    "preprod.gdpr.cognito-idp.aws.internal",
                                    "prod.gdpr.cognito-idp.aws.internal"
                                ]
                            }
                        },
                        "Action": "sts:AssumeRole",
                        "Condition": {
                            "StringEquals": {
                                "sts:ExternalId": "cup-journal-events-auditor-gdpr-cross-account-access-id"
                            }
                        }
                    }]
                },
                "Policies": [{
                    "PolicyName": "cup-journal-events-auditor-gdpr-cross-account-policy",
                    "PolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [{
                            "Effect": "Allow",
                            "Action": [
                                "dynamodb:PutItem",
                                "dynamodb:GetItem",
                                "dynamodb:UpdateItem",
                                "dynamodb:DeleteItem"
                            ],
                            "Resource": [
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/AWSAccountStatus" },
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/AccountsProcessingAndAuditingCheckPoints" },
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/AccountsProcessingAndAuditingLocks" }
                            ]
                        },
                        {
                            "Effect": "Allow",
                            "Action": [
                                "dynamodb:Query"
                            ],
                            "Resource": [
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/AWSAccountStatus/index/*" },
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/CSIUserPools/index/awsAccountId-userPoolId-index" }
                            ]
                        },
                        {
                            "Effect": "Allow",
                            "Action": [
                                "s3:GetObject",
                                "s3:ListBucket"
                            ],
                            "Resource": "*"
                        },
                        {
                            "Effect": "Allow",
                            "Action": [
                                "sts:assumeRole"
                            ],
                            "Resource": [
                                "arn:aws:iam::320900696344:role/cognitoidp/GDPRDJR-cognitoidp-999305110543-1",
                                "arn:aws:iam::320900696344:role/cognitoidp/GDPRDJR-cognitoidp-999305110543-2"
                            ]
                        }
                        ]
                    }
                }]
            }
        },
        "CUPMOCDUserDataGDPRAccessRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "RoleName": "cup-mocd-user-data-gdpr-cross-account-access",
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": {
                            "Service": {
                                "Fn::If" : [
                                    "IsGammaStage",
                                    "preprod.gdpr.cognito-idp.aws.internal",
                                    "prod.gdpr.cognito-idp.aws.internal"
                                ]
                            }
                        },
                        "Action": "sts:AssumeRole",
                        "Condition": {
                            "StringEquals": {
                                "sts:ExternalId": "cup-mocd-user-data-gdpr-cross-account-access-id"
                            }
                        }
                    }]
                },
                "Policies": [{
                    "PolicyName": "cup-mocd-user-data-gdpr-cross-account-policy",
                    "PolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [{
                            "Effect": "Allow",
                            "Action": [
                                "sqs:ReceiveMessage",
                                "sqs:DeleteMessage",
                                "sqs:GetQueueAttributes",
                                "sqs:ChangeMessageVisibility",
                                "sqs:SendMessage"
                            ],
                            "Resource": [
                                {"Fn::GetAtt" : [ "QueryUserData" , "Arn" ]},
                                {"Fn::GetAtt" : [ "QueryUserDataDLQ" , "Arn" ]},
                                {"Fn::GetAtt" : [ "DeleteUserData" , "Arn" ]},
                                {"Fn::GetAtt" : [ "DeleteUserDataDLQ" , "Arn" ]}
                            ]
                        },
                        {
                            "Effect": "Allow",
                            "Action": [
                                "dynamodb:Query"
                            ],
                            "Resource": [
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/CSIUserMFASettings/index/userPoolId-keys-only-index" },
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/CSIUserPools/index/awsAccountId-userPoolId-index" }
                            ]
                        },
                        {
                           "Effect": "Allow",
                           "Action": [
                               "dynamodb:GetItem",
                               "dynamodb:BatchGetItem",
                               "dynamodb:DeleteItem",
                               "dynamodb:BatchWriteItem",
                               "dynamodb:Scan",
                               "dynamodb:ConditionCheckItem"
                           ],
                           "Resource": [
                               { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/CSIUserMFASettings" },
                               { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/AccountsProcessingAndAuditingCheckPoints" },
                               { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/AccountsProcessingAndAuditingLocks" }
                           ]
                        }]
                    }
                }]
            }
        },
        "CUPHardDeleteGDPRAccessRole": {
            "Type": "AWS::IAM::Role",
            "Condition": "IsNotPdt",
            "Properties": {
                "RoleName": "cup-hard-delete-gdpr-cross-account-access",
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": {
                            "Service": {
                                "Fn::If" : [
                                    "IsGammaStage",
                                    "preprod.gdpr.cognito-idp.aws.internal",
                                    "prod.gdpr.cognito-idp.aws.internal"
                                ]
                            }
                        },
                        "Action": "sts:AssumeRole",
                        "Condition": {
                            "StringEquals": {
                                "sts:ExternalId": "cup-hard-delete-gdpr-cross-account-access-id"
                            }
                        }
                    }]
                },
                "Policies": [{
                    "PolicyName": "cup-hard-delete-gdpr-cross-account-policy",
                    "PolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [{
                            "Effect": "Allow",
                            "Action": [
                                "dynamodb:Query",
                                "dynamodb:GetItem"
                            ],
                            "Resource": [
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/CSIInactiveUserPool" },
                                { "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/CSIInactiveUserPool/index/userPoolStatus-deletionTimestamp-index" }
                            ]
                        }]
                    }
                }]
            }
        },
        "UserMessagingServiceKMSKey": {
            "Type" : "AWS::KMS::Key",
            "DeletionPolicy": "Retain",
            "UpdateReplacePolicy": "Delete",
            "Properties" : {
                "Description" : "KMS master key to encrypt/decrypt data from Cognito used in EUMS",
                "Enabled" : "true",
                "EnableKeyRotation" : "true",
                "KeyPolicy" : {
                    "Version": "2012-10-17",
                    "Id": "key-default-1",
                    "Statement": [
                        {
                            "Sid": "Enable IAM User Permissions",
                            "Effect": "Allow",
                            "Principal": {
                                "AWS": {
                                    "Fn::Join": [":", ["arn",{ "Ref" : "AWS::Partition" }, "iam:", { "Ref": "AWS::AccountId" }, "root" ] ]
                                }
                            },
                            "Action": "kms:*",
                            "Resource": "*"
                        },
                        {
                            "Sid": "Allow use of the key by EUMS",
                            "Effect": "Allow",
                            "Principal": {
                                "Service": {
                                    "Fn::If": [
                                        "IsGammaStage",
                                        "preprod.user-notifications.aws.internal",
                                        "user-notifications.amazonaws.com"
                                    ]
                                }
                            },
                            "Action": "kms:Decrypt",
                            "Resource": "*"
                        }
                    ]
                }
            }
        },
        "UserMessagingServiceKMSKeyAlias": {
            "Type": "AWS::KMS::Alias",
            "DeletionPolicy": "Retain",
            "UpdateReplacePolicy": "Delete",
            "Properties": {
                "AliasName": "alias/UserMessagingServiceKMSKey",
                "TargetKeyId": { "Ref": "UserMessagingServiceKMSKey" }
            }
        },
        "CupUMSSESRole": {
            "Type": "AWS::IAM::Role",
            "DeletionPolicy": "Retain",
            "UpdateReplacePolicy": "Delete",
            "Properties": {
                "RoleName": "cognito_ums_ses_role",
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": {
                            "AWS": {
                                "Fn::Join": [":", ["arn", { "Ref" : "AWS::Partition" }, "iam:", { "Ref": "AWS::AccountId" }, "root" ] ]
                            }
                        },
                        "Action": "sts:AssumeRole",
                        "Condition": {
                            "StringEquals": {
                                "sts:ExternalId": { "Ref": "AWS::AccountId" }
                            }
                        }
                    }]
                },
                "Policies": [{
                    "PolicyName": "UmsSendEmail",
                    "PolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [{
                            "Effect": "Allow",
                            "Action": [
                                "ses:SendEmail",
                                "ses:SendRawEmail"
                            ],
                            "Resource": "*"
                        }]
                    }
                }]
            }
        },
        "CupUipPreImportCrossAccountAccessRole": {
            "Type": "AWS::IAM::Role",
            "Condition": "IsNotPdt",
            "Properties": {
                "RoleName": "cup-uip-pre-import-cross-account-access",
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": {
                            "Service": {
                                "Fn::If" : [
                                    "IsGammaStage",
                                    "gamma.cognito-user-import.aws.internal",
                                    "prod.cognito-user-import.aws.internal"
                                ]
                            }
                        },
                        "Action": "sts:AssumeRole",
                        "Condition": {
                            "StringEquals": {
                                "sts:ExternalId": "cup-uip-pre-import-cross-account-access-id"
                            }
                        }
                    }]
                },
                "Policies": [{
                    "PolicyName": "cup-uip-pre-import-cross-account-policy",
                    "PolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [
                         {
                             "Sid":"KMSAccess",
                             "Effect":"Allow",
                             "Action":[
                                "kms:DescribeKey",
                                "kms:GenerateDataKey*",
                                "kms:Encrypt",
                                "kms:ReEncrypt*",
                                "kms:Decrypt"
                             ],
                             "Resource":[
                                 { "Fn::Join":["", ["arn:", { "Ref" : "AWS::Partition" }, ":kms:", {"Ref":"AWS::Region"}, ":", {"Ref":"AWS::AccountId"}, ":key/*"]] }
                             ]
                         },
                         {
                             "Sid":"S3BucketAccess",
                             "Effect":"Allow",
                             "Action":[
                                 "s3:ListBucket"
                             ],
                             "Resource":[
                                 { "Fn::Join":["", ["arn:", { "Ref" : "AWS::Partition" }, ":s3:::aws-cognito-idp-user-import-", {"Ref" : "RegionCode"}, "-", { "Ref" : "Stage" }]] },
                                 { "Fn::Join":["", ["arn:", { "Ref" : "AWS::Partition" }, ":s3:::aws-cognito-signin-secrets-", {"Ref" : "RegionCode"}, "-", { "Ref" : "Stage" }]] }
                             ]
                         },
                         {
                             "Sid":"S3Read",
                             "Effect":"Allow",
                             "Action":[
                                 "s3:GetObject",
                                 "s3:GetObjectVersion"
                             ],
                             "Resource":[
                                 { "Fn::Join":["", ["arn:", { "Ref" : "AWS::Partition" }, ":s3:::aws-cognito-idp-user-import-", {"Ref" : "RegionCode"}, "-", { "Ref" : "Stage" }, "/*"]] },
                                 { "Fn::Join":["", ["arn:", { "Ref" : "AWS::Partition" }, ":s3:::aws-cognito-signin-secrets-", {"Ref" : "RegionCode"}, "-", { "Ref" : "Stage" }, "/*"]] }
                             ]
                         },
                         {
                             "Sid":"DynamoReadWrite",
                             "Effect":"Allow",
                             "Action": [
                                 "dynamodb:GetItem",
                                 "dynamodb:PutItem",
                                 "dynamodb:Query",
                                 "dynamodb:Scan",
                                 "dynamodb:UpdateItem",
                                 "dynamodb:DeleteItem"
                             ],
                             "Resource":[
                                 { "Fn::Join":["", ["arn:", { "Ref" : "AWS::Partition" }, ":dynamodb:", {"Ref":"AWS::Region"}, ":", {"Ref":"AWS::AccountId"}, ":table/CSIUserImportJobs"]] },
                                 { "Fn::Join":["", ["arn:", { "Ref" : "AWS::Partition" }, ":dynamodb:", {"Ref":"AWS::Region"}, ":", {"Ref":"AWS::AccountId"}, ":table/CSIUserImportJobs/index/userPoolId-creationDate-index"]] },
                                 { "Fn::Join":["", ["arn:", { "Ref" : "AWS::Partition" }, ":dynamodb:", {"Ref":"AWS::Region"}, ":", {"Ref":"AWS::AccountId"}, ":table/CSIUserImportJobs/index/status-userPoolId-index"]] },
                                 { "Fn::Join":["", ["arn:", { "Ref" : "AWS::Partition" }, ":dynamodb:", {"Ref":"AWS::Region"}, ":", {"Ref":"AWS::AccountId"}, ":table/UserImportLocking"]] }
                             ]
                         },
                         {
                             "Sid":"DynamoRead",
                             "Effect":"Allow",
                             "Action": [
                                 "dynamodb:GetItem",
                                 "dynamodb:Query",
                                 "dynamodb:Scan"
                             ],
                             "Resource":[
                                    { "Fn::Join":["",["arn:", { "Ref" : "AWS::Partition" }, ":dynamodb:",{"Ref":"AWS::Region"},":",{"Ref":"AWS::AccountId"},":table/CSIUserPools"]] }
                             ]
                         },
                         {
                             "Sid":"CupOperation",
                             "Effect":"Allow",
                             "Action": "cognito-idp:GetCSVHeader",
                             "Resource": "*"
                         }
                        ]
                    }
                }]
            }
        },
        "CupUipImportUsersCrossAccountAccessRole": {
            "Type": "AWS::IAM::Role",
            "Condition": "IsNotPdt",
            "Properties": {
                "RoleName": "cup-uip-import-users-cross-account-access",
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": {
                            "Service": {
                                "Fn::If" : [
                                    "IsGammaStage",
                                    "gamma.cognito-user-import.aws.internal",
                                    "prod.cognito-user-import.aws.internal"
                                ]
                            }
                        },
                        "Action": "sts:AssumeRole",
                        "Condition": {
                            "StringEquals": {
                                "sts:ExternalId": "cup-uip-import-users-cross-account-access-id"
                            }
                        }
                    }]
                },
                "Policies": [{
                    "PolicyName": "cup-uip-import-users-cross-account-policy",
                    "PolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [
                         {
                             "Sid":"KMSAccess",
                             "Effect":"Allow",
                             "Action":[
                                "kms:DescribeKey",
                                "kms:GenerateDataKey*",
                                "kms:Encrypt",
                                "kms:ReEncrypt*",
                                "kms:Decrypt"
                             ],
                             "Resource":[
                                 { "Fn::Join":["", ["arn:", { "Ref" : "AWS::Partition" }, ":kms:", {"Ref":"AWS::Region"}, ":", {"Ref":"AWS::AccountId"}, ":key/*"]] }
                             ]
                         },
                         {
                             "Sid":"S3BucketAccess",
                             "Effect":"Allow",
                             "Action":[
                                 "s3:ListBucket"
                             ],
                             "Resource":[
                                 { "Fn::Join":["", ["arn:", { "Ref" : "AWS::Partition" }, ":s3:::aws-cognito-signin-secrets-", {"Ref" : "RegionCode"}, "-", { "Ref" : "Stage" }]] }
                             ]
                         },
                         {
                             "Sid":"S3Read",
                             "Effect":"Allow",
                             "Action":[
                                 "s3:GetObject",
                                 "s3:GetObjectVersion"
                             ],
                             "Resource":[
                                 { "Fn::Join":["", ["arn:", { "Ref" : "AWS::Partition" }, ":s3:::aws-cognito-signin-secrets-", {"Ref" : "RegionCode"}, "-", { "Ref" : "Stage" }, "/*"]] }
                             ]
                         },
                         {
                             "Sid":"DynamoReadWrite",
                             "Effect":"Allow",
                             "Action": [
                                 "dynamodb:GetItem",
                                 "dynamodb:PutItem",
                                 "dynamodb:Query",
                                 "dynamodb:Scan",
                                 "dynamodb:UpdateItem"
                             ],
                             "Resource":[
                                 { "Fn::Join":["", ["arn:", { "Ref" : "AWS::Partition" }, ":dynamodb:", {"Ref":"AWS::Region"}, ":", {"Ref":"AWS::AccountId"}, ":table/CSIUserImportJobs"]] },
                                 { "Fn::Join":["", ["arn:", { "Ref" : "AWS::Partition" }, ":dynamodb:", {"Ref":"AWS::Region"}, ":", {"Ref":"AWS::AccountId"}, ":table/CSIUserImportJobs/index/userPoolId-creationDate-index"]] },
                                 { "Fn::Join":["", ["arn:", { "Ref" : "AWS::Partition" }, ":dynamodb:", {"Ref":"AWS::Region"}, ":", {"Ref":"AWS::AccountId"}, ":table/CSIUserImportJobs/index/status-userPoolId-index"]] },
                                 { "Fn::Join":["", ["arn:", { "Ref" : "AWS::Partition" }, ":dynamodb:", {"Ref":"AWS::Region"}, ":", {"Ref":"AWS::AccountId"}, ":table/UserImportLocking"]] }
                             ]
                         }
                        ]
                    }
                }]
            }
        },
        "CupUipCleanupCrossAccountAccessRole": {
            "Type": "AWS::IAM::Role",
            "Condition": "IsNotPdt",
            "Properties": {
                "RoleName": "cup-uip-cleanup-cross-account-access",
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": {
                            "Service": {
                                "Fn::If" : [
                                    "IsGammaStage",
                                    "gamma.cognito-user-import.aws.internal",
                                    "prod.cognito-user-import.aws.internal"
                                ]
                            }
                        },
                        "Action": "sts:AssumeRole",
                        "Condition": {
                            "StringEquals": {
                                "sts:ExternalId": "cup-uip-cleanup-cross-account-access-id"
                            }
                        }
                    }]
                },
                "Policies": [{
                    "PolicyName": "cup-uip-cleanup-cross-account-policy",
                    "PolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [
                            {
                                 "Sid":"KMSAccess",
                                 "Effect":"Allow",
                                 "Action":[
                                    "kms:DescribeKey",
                                    "kms:GenerateDataKey*",
                                    "kms:Encrypt",
                                    "kms:ReEncrypt*",
                                    "kms:Decrypt"
                                 ],
                                 "Resource":[
                                     { "Fn::Join":["", ["arn:", { "Ref" : "AWS::Partition" }, ":kms:", {"Ref":"AWS::Region"}, ":", {"Ref":"AWS::AccountId"}, ":key/*"]] }
                                 ]
                            },
                            {
                                "Sid":"S3BucketAccess",
                                "Effect":"Allow",
                                "Action":[
                                    "s3:ListBucket"
                                ],
                                "Resource":[
                                    { "Fn::Join":["", ["arn:", { "Ref" : "AWS::Partition" }, ":s3:::aws-cognito-idp-user-import-", {"Ref" : "RegionCode"}, "-", { "Ref" : "Stage" }]] },
                                    { "Fn::Join":["", ["arn:", { "Ref" : "AWS::Partition" }, ":s3:::aws-cognito-signin-secrets-", {"Ref" : "RegionCode"}, "-", { "Ref" : "Stage" }]] }
                                ]
                            },
                            {
                                "Sid":"S3SecretsRead",
                                "Effect":"Allow",
                                "Action":[
                                    "s3:GetObject",
                                    "s3:GetObjectVersion"
                                ],
                                "Resource":[
                                    { "Fn::Join":["", ["arn:", { "Ref" : "AWS::Partition" }, ":s3:::aws-cognito-signin-secrets-", {"Ref" : "RegionCode"}, "-", { "Ref" : "Stage" }, "/*"]] }
                                ]
                            },
                            {
                                "Sid":"S3Delete",
                                "Effect":"Allow",
                                "Action":[
                                    "s3:DeleteObject"
                                ],
                                "Resource":[
                                    { "Fn::Join":["",["arn:", { "Ref" : "AWS::Partition" }, ":s3:::aws-cognito-idp-user-import-",{"Ref" : "RegionCode"}, "-", { "Ref" : "Stage" }, "/*"]] }
                                ]
                            },
                            {
                                "Sid":"DynamoReadWrite",
                                "Effect":"Allow",
                                "Action": [
                                    "dynamodb:GetItem",
                                    "dynamodb:PutItem",
                                    "dynamodb:Query",
                                    "dynamodb:Scan",
                                    "dynamodb:UpdateItem",
                                    "dynamodb:DeleteItem"
                                ],
                                "Resource":[
                                    { "Fn::Join":["",["arn:", { "Ref" : "AWS::Partition" }, ":dynamodb:",{"Ref":"AWS::Region"},":",{"Ref":"AWS::AccountId"},":table/CSIUserImportJobs"]] },
                                    { "Fn::Join":["",["arn:", { "Ref" : "AWS::Partition" }, ":dynamodb:",{"Ref":"AWS::Region"},":",{"Ref":"AWS::AccountId"},":table/CSIUserImportJobs/index/userPoolId-creationDate-index"]] },
                                    { "Fn::Join":["",["arn:", { "Ref" : "AWS::Partition" }, ":dynamodb:",{"Ref":"AWS::Region"},":",{"Ref":"AWS::AccountId"},":table/CSIUserImportJobs/index/status-userPoolId-index"]] },
                                    { "Fn::Join":["",["arn:", { "Ref" : "AWS::Partition" }, ":dynamodb:",{"Ref":"AWS::Region"},":",{"Ref":"AWS::AccountId"},":table/UserImportLocking"]] },
                                    { "Fn::Join":["",["arn:", { "Ref" : "AWS::Partition" }, ":dynamodb:",{"Ref":"AWS::Region"},":",{"Ref":"AWS::AccountId"},":table/CSIUserPools"]] }
                                ]
                            }
                        ]
                    }
                }]
            }
        },
        "CupUipCleanupPollingCrossAccountAccessRole": {
            "Type": "AWS::IAM::Role",
            "Condition": "IsNotPdt",
            "Properties": {
                "RoleName": "cup-uip-cleanup-polling-cross-account-access",
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": {
                            "Service": {
                                "Fn::If" : [
                                    "IsGammaStage",
                                    "gamma.cognito-user-import.aws.internal",
                                    "prod.cognito-user-import.aws.internal"
                                ]
                            }
                        },
                        "Action": "sts:AssumeRole",
                        "Condition": {
                            "StringEquals": {
                                "sts:ExternalId": "cup-uip-cleanup-polling-cross-account-access-id"
                            }
                        }
                    }]
                },
                "Policies": [{
                    "PolicyName": "cup-uip-cleanup-polling-cross-account-policy",
                    "PolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [
                            {
                                 "Sid":"KMSAccess",
                                 "Effect":"Allow",
                                 "Action":[
                                    "kms:DescribeKey",
                                    "kms:GenerateDataKey*",
                                    "kms:Encrypt",
                                    "kms:ReEncrypt*",
                                    "kms:Decrypt"
                                 ],
                                 "Resource":[
                                     { "Fn::Join":["", ["arn:", { "Ref" : "AWS::Partition" }, ":kms:", {"Ref":"AWS::Region"}, ":", {"Ref":"AWS::AccountId"}, ":key/*"]] }
                                 ]
                            },
                            {
                                "Sid":"S3BucketAccess",
                                "Effect":"Allow",
                                "Action":[
                                    "s3:ListBucket"
                                ],
                                "Resource":[
                                    { "Fn::Join":["", ["arn:", { "Ref" : "AWS::Partition" }, ":s3:::aws-cognito-signin-secrets-", {"Ref" : "RegionCode"}, "-", { "Ref" : "Stage" }]] },
                                    { "Fn::Join":["", ["arn:", { "Ref" : "AWS::Partition" }, ":s3:::aws-cognito-idp-user-import-",{"Ref" : "RegionCode"}, "-", { "Ref" : "Stage" }, "/*"]] }
                                ]
                            },
                            {
                                "Sid":"S3Read",
                                "Effect":"Allow",
                                "Action":[
                                    "s3:GetObject",
                                    "s3:GetObjectVersion"
                                ],
                                "Resource":[
                                    { "Fn::Join":["", ["arn:", { "Ref" : "AWS::Partition" }, ":s3:::aws-cognito-signin-secrets-", {"Ref" : "RegionCode"}, "-", { "Ref" : "Stage" }, "/*"]] },
                                    { "Fn::Join":["", ["arn:", { "Ref" : "AWS::Partition" }, ":s3:::aws-cognito-idp-user-import-",{"Ref" : "RegionCode"}, "-", { "Ref" : "Stage" }, "/*"]] }
                                ]
                            },
                            {
                                "Sid": "S3Delete",
                                "Effect": "Allow",
                                "Action": [
                                    "s3:DeleteObject"
                                ],
                                "Resource":[
                                    { "Fn::Join":["", ["arn:", { "Ref" : "AWS::Partition" }, ":s3:::aws-cognito-idp-user-import-",{"Ref" : "RegionCode"}, "-", { "Ref" : "Stage" }, "/*"]] }
                                ]
                            },
                            {
                                "Sid":"DynamoRead",
                                "Effect":"Allow",
                                "Action": [
                                    "dynamodb:GetItem",
                                    "dynamodb:Query",
                                    "dynamodb:Scan"
                                ],
                                "Resource":[
                                    { "Fn::Join":["",["arn:", { "Ref" : "AWS::Partition" }, ":dynamodb:",{"Ref":"AWS::Region"},":",{"Ref":"AWS::AccountId"},":table/CSIUserImportJobs"]] },
                                    { "Fn::Join":["",["arn:", { "Ref" : "AWS::Partition" }, ":dynamodb:",{"Ref":"AWS::Region"},":",{"Ref":"AWS::AccountId"},":table/CSIUserImportJobs/index/userPoolId-creationDate-index"]] },
                                    { "Fn::Join":["",["arn:", { "Ref" : "AWS::Partition" }, ":dynamodb:",{"Ref":"AWS::Region"},":",{"Ref":"AWS::AccountId"},":table/CSIUserImportJobs/index/status-userPoolId-index"]] }
                                ]
                            }
                        ]
                    }
                }]
            }
        },
        "CupUipUserImportPollingCrossAccountAccessRole": {
                    "Type": "AWS::IAM::Role",
                    "Condition": "IsNotPdt",
                    "Properties": {
                        "RoleName": "cup-uip-user-import-polling-cross-account-access",
                        "AssumeRolePolicyDocument": {
                            "Version": "2012-10-17",
                            "Statement": [{
                                "Effect": "Allow",
                                "Principal": {
                                    "Service": {
                                        "Fn::If" : [
                                            "IsGammaStage",
                                            "gamma.cognito-user-import.aws.internal",
                                            "prod.cognito-user-import.aws.internal"
                                        ]
                                    }
                                },
                                "Action": "sts:AssumeRole",
                                "Condition": {
                                    "StringEquals": {
                                        "sts:ExternalId": "cup-uip-user-import-polling-cross-account-access-id"
                                    }
                                }
                            }]
                        },
                        "Policies": [{
                            "PolicyName": "cup-uip-user-import-polling-cross-account-policy",
                            "PolicyDocument": {
                                "Version": "2012-10-17",
                                "Statement": [
                                    {
                                         "Sid":"KMSAccess",
                                         "Effect":"Allow",
                                         "Action":[
                                            "kms:DescribeKey",
                                            "kms:GenerateDataKey*",
                                            "kms:Encrypt",
                                            "kms:ReEncrypt*",
                                            "kms:Decrypt"
                                         ],
                                         "Resource":[
                                             { "Fn::Join":["", ["arn:", { "Ref" : "AWS::Partition" }, ":kms:", {"Ref":"AWS::Region"}, ":", {"Ref":"AWS::AccountId"}, ":key/*"]] }
                                         ]
                                    },
                                    {
                                        "Sid":"S3BucketAccess",
                                        "Effect":"Allow",
                                        "Action":[
                                            "s3:ListBucket"
                                        ],
                                        "Resource":[
                                            { "Fn::Join":["", ["arn:", { "Ref" : "AWS::Partition" }, ":s3:::aws-cognito-signin-secrets-", {"Ref" : "RegionCode"}, "-", { "Ref" : "Stage" }]] }
                                        ]
                                    },
                                    {
                                        "Sid":"S3Read",
                                        "Effect":"Allow",
                                        "Action":[
                                            "s3:GetObject",
                                            "s3:GetObjectVersion"
                                        ],
                                        "Resource":[
                                            { "Fn::Join":["", ["arn:", { "Ref" : "AWS::Partition" }, ":s3:::aws-cognito-signin-secrets-", {"Ref" : "RegionCode"}, "-", { "Ref" : "Stage" }, "/*"]] }
                                        ]
                                    },
                                    {
                                        "Sid":"DynamoRead",
                                        "Effect":"Allow",
                                        "Action": [
                                            "dynamodb:GetItem",
                                            "dynamodb:Query",
                                            "dynamodb:Scan"
                                        ],
                                        "Resource":[
                                            { "Fn::Join":["",["arn:", { "Ref" : "AWS::Partition" }, ":dynamodb:",{"Ref":"AWS::Region"},":",{"Ref":"AWS::AccountId"},":table/CSIUserImportJobs"]] },
                                            { "Fn::Join":["",["arn:", { "Ref" : "AWS::Partition" }, ":dynamodb:",{"Ref":"AWS::Region"},":",{"Ref":"AWS::AccountId"},":table/CSIUserImportJobs/index/userPoolId-creationDate-index"]] },
                                            { "Fn::Join":["",["arn:", { "Ref" : "AWS::Partition" }, ":dynamodb:",{"Ref":"AWS::Region"},":",{"Ref":"AWS::AccountId"},":table/CSIUserImportJobs/index/status-userPoolId-index"]] }
                                        ]
                                    }
                                ]
                            }
                        }]
                    }
                },
        "UserImportKMSKey": {
            "Type" : "AWS::KMS::Key",
            "DeletionPolicy": "Retain",
            "UpdateReplacePolicy": "Delete",
            "Properties" : {
                "Description" : "KMS master key to encrypt/decrypt data from Cognito used in UIP",
                "Enabled" : "true",
                "EnableKeyRotation" : "true",
                "KeyPolicy" : {
                    "Version": "2012-10-17",
                    "Id": "key-default-1",
                    "Statement": [
                        {
                            "Sid": "Enable IAM User Permissions",
                            "Effect": "Allow",
                            "Principal": {
                                "AWS": {
                                    "Fn::Join": [":", ["arn",{ "Ref" : "AWS::Partition" }, "iam:", { "Ref": "AWS::AccountId" }, "root" ] ]
                                }
                            },
                            "Action": "kms:*",
                            "Resource": "*"
                        },
                        {
                            "Sid": "Allow use of the key by UIP",
                            "Effect": "Allow",
                            "Principal": {
                                "Service": {
                                    "Fn::If": [
                                        "IsGammaStage",
                                        "gamma.cognito-user-import.aws.internal",
                                        "prod.cognito-user-import.aws.internal"
                                    ]
                                }
                            },
                            "Action": "kms:Decrypt",
                            "Resource": "*"
                        }
                    ]
                }
            }
        },
        "UserImportKMSKeyAlias": {
            "Type": "AWS::KMS::Alias",
            "DeletionPolicy": "Retain",
            "UpdateReplacePolicy": "Delete",
            "Properties": {
                "AliasName": "alias/UserImportKMSKey",
                "TargetKeyId": { "Ref": "UserImportKMSKey" }
            }
        }
    }
}
Leave a Comment