--- AWSTemplateFormatVersion: '2010-09-09' Description: "CrowdStrike Cloud Security Root Template - SSM, ECR Registration, and EKS Protection. (abp-1kirFQBF75MfEQ3RbMQHRb-5NlayJp9WpX1krs2Aq7Koa-ln87vzuy)" Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: default: Falcon CID Details Parameters: - FalconAccountType - FalconClientID - FalconSecret - CSCloud - Label: default: AWS Org Details Parameters: - AWSAccountType - DelegatedAdmin - DeploymentScope - PermissionsBoundary - Label: default: Deploy Falcon Sensors with SSM Distributor Parameters: - EnableSSMDistributor - SSMRegions - DocumentVersion - AutomationAssumeRole - ApplyOnlyAtCronInterval - ScheduleExpression - MaxErrors - MaxConcurrency - Label: default: ECR Registry Connections Parameters: - ECRConnections - ECRRegions - ECRExecutionRoleName - ECRLambdaName - Label: default: Advanced Configuration Properties Parameters: - SourceS3BucketName - S3BucketRegion - SourceS3BucketNamePrefix - Label: default: EKS Protection Parameters: - EKSProtection - EKSRegions - FalconCID - DockerAPIToken - EventBusName - EventBridgeRoleName - EKSExecutionRoleName - CodeBuildRoleName - CodeBuildProjectName - KubernetesUserName - Registry - Backend - EnableKAC - Label: default: Create Organization CloudTrail Parameters: - CreateSRAOrgTrail - pControlTower - pGovernedRegions - pSecurityAccountId - pLogArchiveAccountId - pRepoURL - pRepoBranch ParameterLabels: # Account Type FalconAccountType: default: Falcon Account Type AWSAccountType: default: AWS Account Type # Permissions Boundary PermissionsBoundary: default: Permissions Boundary Policy Name # CrowdStrike Falcon API Key FalconClientID: default: Falcon API Client ID FalconSecret: default: Falcon API Secret CSCloud: default: CrowdStrike Cloud # Provision OUs DeploymentScope: default: Deployment Scope # Regions SSMRegions: default: SSM Regions EKSRegions: default: EKS Regions ECRRegions: default: ECR Regions # Deploy Falcon Sensors with SSM Distributor 
EnableSSMDistributor: default: Enable Falcon SSM Distributor DocumentVersion: default: Automation Document Version AutomationAssumeRole: default: SSM Execution Role ApplyOnlyAtCronInterval: default: Apply Only At Cron Interval ScheduleExpression: default: Cron Schedule Expression MaxErrors: default: Max Errors Allowed MaxConcurrency: default: Max Concurrency Allowed # AWS S3 Bucket SourceS3BucketName: default: Source S3 Bucket Name S3BucketRegion: default: S3 Bucket Region SourceS3BucketNamePrefix: default: Source S3 Bucket Name Prefix # Advanced Configuration Properties DelegatedAdmin: default: Delegated Administrator Account # Create Organization CloudTrail CreateSRAOrgTrail: default: Create Default Organization CloudTrail pControlTower: default: Control Tower pGovernedRegions: default: Governed Regions pSecurityAccountId: default: Security Account Id pLogArchiveAccountId: default: LogArchive Account Id pRepoURL: default: SRA Repo URL pRepoBranch: default: SRA Repo Branch # EKS Protection EKSProtection: default: Enable EKS Protection FalconCID: default: Falcon CID DockerAPIToken: default: Falcon Docker API Token EventBusName: default: Name of EventBus EventBridgeRoleName: default: Name of EventBridge Role EKSExecutionRoleName: default: Name of Execution Role CodeBuildProjectName: default: CodeBuild Project Name CodeBuildRoleName: default: CodeBuild Role Name KubernetesUserName: default: Kubernetes User Name Registry: default: Registry Backend: default: Backend EnableKAC: default: Enable Kubernetes Admission Controller # ECR Connections ECRConnections: default: Enable ECR Connections for Image Assessment ECRExecutionRoleName: default: ECR Execution Role Name ECRLambdaName: default: ECR Lambda Function Name Parameters: # Account Type FalconAccountType: Type: String AllowedValues: - 'commercial' - 'govcloud' Default: 'commercial' AWSAccountType: Type: String AllowedValues: - 'commercial' - 'govcloud' Default: 'commercial' # Permissions Boundary PermissionsBoundary: 
Type: String Description: The name of the policy used to set the permissions boundary for IAM roles. Default: '' # CrowdStrike Falcon API Key FalconClientID: Description: Your Falcon OAuth2 Client ID. NoEcho: 'true' Type: String FalconSecret: Description: Your Falcon OAuth2 API Secret. NoEcho: 'true' Type: String CSCloud: Type: String Default: us1 AllowedValues: - 'us1' - 'us2' - 'eu1' - 'usgov1' - 'usgov2' Description: The CrowdStrike cloud your CID is hosted in. # Provision OUs DeploymentScope: Type: CommaDelimitedList Description: Comma Delimited List of OU(s) to provision resources. If you are onboarding the entire Organization, please enter the Root OU (r-****). AllowedPattern: '^r-[0-9a-z]{4,32}$|^(ou-[0-9a-z]{4,32}-[a-z0-9]{8,32},)*(ou-[0-9a-z]{4,32}-[a-z0-9]{8,32})$' EKSRegions: Type: CommaDelimitedList Description: Comma Delimited List of AWS Regions to provision resources for EKS Protection. Default: 'us-east-1' SSMRegions: Type: CommaDelimitedList Description: Comma Delimited List of AWS Regions to provision resources for SSM Distributor. Default: 'us-east-1' ECRRegions: Type: String Description: Comma Delimited List of AWS Regions to provision resources for ECR Registration. Default: 'us-east-1' # Deploy Falcon Sensors with SSM Distributor EnableSSMDistributor: Type: String Description: Deploy Associations in each account to automatically install Falcon Sensors against SSM-Managed Instances. AllowedValues: - 'true' - 'false' Default: 'false' AutomationAssumeRole: Type: String Default: 'crowdstrike-distributor-deploy-role' Description: 'Execution Role for CrowdStrike SSM Distributor Package' ApplyOnlyAtCronInterval: Description: By default, when you create a new association, the system runs it immediately after it is created and then according to the schedule you specified. Specify true if you don't want an association to run immediately after you create it.
Type: String Default: 'false' ScheduleExpression: Description: A cron expression that specifies a schedule when the association runs. The schedule runs in Coordinated Universal Time (UTC). Type: String Default: 'cron(0 0 */1 * * ? *)' MaxErrors: Description: The number of errors that are allowed before the system stops sending requests to run the association on additional targets. You can specify either an absolute number of errors, for example 10, or a percentage of the target set, for example 10%. Type: String Default: '10%' MaxConcurrency: Description: The maximum number of targets allowed to run the association at the same time. You can specify a number, for example 10, or a percentage of the target set, for example 10%. The Systems Manager default is 100%, which means all targets run the association at the same time; this template's default is 20%. Type: String Default: '20%' DocumentVersion: Description: The version of the SSM document to associate with the target. Type: String Default: '2' AllowedPattern: '([$]LATEST|[$]DEFAULT|^[1-9][0-9]*$)' # AWS S3 Bucket SourceS3BucketName: AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$ Type: String Default: aws-abi S3BucketRegion: Type: String Default: us-east-1 SourceS3BucketNamePrefix: AllowedValues: [cfn-abi-crowdstrike-fcs] Default: cfn-abi-crowdstrike-fcs Description: Staging S3 bucket name prefix for the artifacts relevant to the solutions (e.g., lambda zips, CloudFormation templates). The account and region are appended to the prefix as <prefix>-<account-id>-<region>. Example = staging-123456789012-us-east-1. Type: String # Advanced Configuration Properties DelegatedAdmin: AllowedValues: ['true', 'false'] Default: 'false' Description: Indicates whether this is a Delegated Administrator account. Type: String # Create Organization CloudTrail CreateSRAOrgTrail: Type: String Description: Create org-wide trail, bucket, and bucket policy to enable EventBridge event collection.
If you already have either an Organization CloudTrail or CloudTrails enabled in each account, please leave this parameter false. AllowedValues: - 'true' - 'false' Default: 'false' pControlTower: AllowedValues: ['true', 'false'] Default: 'true' Description: Indicates whether AWS Control Tower is deployed and being used for this AWS environment. Type: String pSecurityAccountId: AllowedPattern: '^\d{12}$' Default: 111111111111 ConstraintDescription: Must be 12 digits. Description: AWS Account ID of the Security Tooling account (ignored for AWS Control Tower environments). Type: String pLogArchiveAccountId: AllowedPattern: '^\d{12}$' Default: 222222222222 ConstraintDescription: Must be 12 digits. Description: AWS Account ID of the Log Archive account (ignored for AWS Control Tower environments). Type: String pGovernedRegions: AllowedPattern: '^(ct-regions)|((\b(?- https://${SourceS3BucketName}.s3.${S3BucketRegion}.${AWS::URLSuffix}/${SourceS3BucketNamePrefix}/submodules/aws-security-reference-architecture-examples/aws_sra_examples/modules/cloudtrail-org-module/templates/sra-cloudtrail-org-module-main.yaml Parameters: pRepoURL: !Ref pRepoURL pRepoBranch: !Ref pRepoBranch pEnableDataEventsOnly: false pControlTower: !Ref pControlTower pGovernedRegions: !Ref pGovernedRegions pSecurityAccountId: !Ref pSecurityAccountId pLogArchiveAccountId: !Ref pLogArchiveAccountId # Create SSM Distributor Associations AssociationStackSet: Type: 'AWS::CloudFormation::StackSet' Condition: CreateSSMAssociations Properties: StackSetName: !Join ['-', ['cs-abi-SSMAssociationStackSet', !Select [4, !Split ['-', !Select [2, !Split ['/', !Ref AWS::StackId]]]]]] Description: Create SSM State Manager Association to automatically manage Falcon Sensor installation across SSM Managed Instances PermissionModel: SERVICE_MANAGED CallAs: !If [ IsDelegatedAdmin, 'DELEGATED_ADMIN', 'SELF' ] ManagedExecution: Active: true Parameters: - ParameterKey: DocumentVersion ParameterValue: !Ref DocumentVersion - 
ParameterKey: SecretsManagerSecretName ParameterValue: !Join ['-', ['cs-abi-FalconAPI-SSM', !Select [4, !Split ['-', !Select [2, !Split ['/', !Ref AWS::StackId]]]]]] - ParameterKey: SecretStorageMethod ParameterValue: 'SecretsManager' - ParameterKey: Action ParameterValue: 'Install' - ParameterKey: ScheduleExpression ParameterValue: !Ref ScheduleExpression - ParameterKey: MaxErrors ParameterValue: !Ref MaxErrors - ParameterKey: MaxConcurrency ParameterValue: !Ref MaxConcurrency - ParameterKey: AutomationAssumeRole ParameterValue: !Ref AutomationAssumeRole - ParameterKey: ApplyOnlyAtCronInterval ParameterValue: !Ref ApplyOnlyAtCronInterval - ParameterKey: BaseURL ParameterValue: !FindInMap - CloudMap - !Ref CSCloud - BaseURL - ParameterKey: FalconClientID ParameterValue: !Ref FalconClientID - ParameterKey: FalconSecret ParameterValue: !Ref FalconSecret AutoDeployment: Enabled: true RetainStacksOnAccountRemoval: true StackInstancesGroup: - DeploymentTargets: AccountFilterType: NONE OrganizationalUnitIds: !Ref DeploymentScope Regions: !Ref SSMRegions TemplateURL: !Sub https://${SourceS3BucketName}.s3.${S3BucketRegion}.amazonaws.com/${SourceS3BucketNamePrefix}/templates/ssm-association-stackset.yml SSMSetupStackSet: Type: 'AWS::CloudFormation::StackSet' Condition: CreateSSMAssociations Properties: StackSetName: !Join ['-', ['cs-abi-SSMSetupStackSet', !Select [4, !Split ['-', !Select [2, !Split ['/', !Ref AWS::StackId]]]]]] Description: Securely store the Falcon credentials and create the AWS IAM role to assume when running the AWS Systems Manager Automation document.
Capabilities: - CAPABILITY_NAMED_IAM PermissionModel: SERVICE_MANAGED CallAs: !If [ IsDelegatedAdmin, 'DELEGATED_ADMIN', 'SELF' ] ManagedExecution: Active: true Parameters: - ParameterKey: AutomationAssumeRole ParameterValue: !Ref AutomationAssumeRole - ParameterKey: PermissionsBoundary ParameterValue: !Ref PermissionsBoundary AutoDeployment: Enabled: true RetainStacksOnAccountRemoval: true OperationPreferences: ConcurrencyMode: SOFT_FAILURE_TOLERANCE MaxConcurrentPercentage: 100 FailureTolerancePercentage: 50 RegionConcurrencyType: PARALLEL StackInstancesGroup: - DeploymentTargets: AccountFilterType: NONE OrganizationalUnitIds: !Ref DeploymentScope Regions: - !Ref AWS::Region TemplateURL: !Sub https://${SourceS3BucketName}.s3.${S3BucketRegion}.amazonaws.com/${SourceS3BucketNamePrefix}/templates/ssm-setup-stackset.yml # CrowdStrike Registration CrowdStrikeSecrets: Type: AWS::SecretsManager::Secret Metadata: checkov: skip: - id: CKV_AWS_149 comment: The default key aws/secretsmanager is sufficient to secure this resource Properties: Description: CrowdStrike Credentials Name: !Join ['-', ['cs-abi-FalconAPI', !Select [4, !Split ['-', !Select [2, !Split ['/', !Ref AWS::StackId]]]]]] SecretString: Fn::Join: - '' - - '{"FalconClientId":"' - Ref: "FalconClientID" - '","FalconSecret": "' - Ref: FalconSecret - '"}' # Staging S3 Bucket StagingS3Bucket: Type: AWS::S3::Bucket DeletionPolicy: Retain UpdateReplacePolicy: Retain Metadata: cfn_nag: rules_to_suppress: - id: W35 reason: S3 access logs intentionally not enabled checkov: skip: - id: CKV_AWS_18 comment: S3 access logs intentionally not enabled Properties: BucketName: !Join ['-', ['cs-abi', !Ref AWS::AccountId, !Ref AWS::Region, !Select [4, !Split ['-', !Select [2, !Split ['/', !Ref AWS::StackId]]]]]] BucketEncryption: ServerSideEncryptionConfiguration: - ServerSideEncryptionByDefault: SSEAlgorithm: AES256 OwnershipControls: Rules: - ObjectOwnership: BucketOwnerPreferred PublicAccessBlockConfiguration: BlockPublicAcls: 
True BlockPublicPolicy: True IgnorePublicAcls: True RestrictPublicBuckets: True VersioningConfiguration: Status: Enabled StagingS3BucketPolicy: Type: AWS::S3::BucketPolicy Metadata: cfn_nag: rules_to_suppress: - id: F16 reason: GetObject is restricted to AWS accounts within the AWS Organization Properties: Bucket: !Ref StagingS3Bucket PolicyDocument: Version: 2012-10-17 Statement: - Sid: AllowDeploymentRoleGetObject Effect: Allow Action: s3:GetObject Principal: '*' Resource: !Sub arn:${AWS::Partition}:s3:::${StagingS3Bucket}/* Condition: ArnLike: aws:PrincipalArn: - !Join ['', ['arn:', !Ref AWS::Partition, ':iam::', !Ref AWS::AccountId, ':role/cs-abi-StackSetExecRole-', !Select [4, !Split ['-', !Select [2, !Split ['/', !Ref AWS::StackId]]]]]] - !Sub arn:${AWS::Partition}:iam::*:role/stacksets-exec-* - Sid: DenyExternalPrincipals Effect: Deny Action: 's3:*' Principal: '*' Resource: - !Sub arn:${AWS::Partition}:s3:::${StagingS3Bucket} - !Sub arn:${AWS::Partition}:s3:::${StagingS3Bucket}/* Condition: StringNotEquals: aws:PrincipalOrgID: !GetAtt OrgIdLambdaCustomResource.organization_id - Sid: SecureTransport Effect: Deny Action: 's3:*' Principal: '*' Resource: - !Sub arn:${AWS::Partition}:s3:::${StagingS3Bucket} - !Sub arn:${AWS::Partition}:s3:::${StagingS3Bucket}/* Condition: Bool: aws:SecureTransport: False # CopyZips Lambda CopyZips: Type: Custom::CopyZips Properties: ServiceToken: !GetAtt 'CopyZipsFunction.Arn' DestBucket: !Ref 'StagingS3Bucket' SourceBucket: !Ref 'SourceS3BucketName' Prefix: !Sub ${SourceS3BucketNamePrefix}/ Objects: - lambda_functions/packages/cw-helper/lambda.zip - templates/crowdstrike_init_stack.yaml - lambda_functions/packages/eks-existing-clusters/lambda.zip - lambda_functions/packages/eks-new-clusters/lambda.zip - lambda_functions/packages/codebuild/lambda.zip - lambda_functions/packages/ecr-registration/lambda.zip CopyZipsRole: Type: AWS::IAM::Role Properties: RoleName: !Join ['-', ['cs-abi-CopyZipsRole', !Select [4, !Split ['-', !Select 
[2, !Split ['/', !Ref AWS::StackId]]]]]] PermissionsBoundary: Fn::If: - SetPermissionsBoundary - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/${PermissionsBoundary}' - Ref: AWS::NoValue AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: lambda.amazonaws.com Action: sts:AssumeRole ManagedPolicyArns: - !Sub 'arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole' Path: / Policies: - PolicyName: lambda-copier PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - s3:GetObject - s3:GetObjectTagging Resource: - !Sub 'arn:${AWS::Partition}:s3:::${SourceS3BucketName}/' - !Sub 'arn:${AWS::Partition}:s3:::${SourceS3BucketName}/${SourceS3BucketNamePrefix}/*' - Effect: Allow Action: - s3:PutObject - s3:DeleteObject - s3:PutObjectTagging Resource: - !Sub 'arn:${AWS::Partition}:s3:::${StagingS3Bucket}/' - !Sub 'arn:${AWS::Partition}:s3:::${StagingS3Bucket}/${SourceS3BucketNamePrefix}/*' - Effect: Allow Action: - s3:ListAllMyBuckets Resource: '*' CopyZipsFunction: Metadata: cfn_nag: rules_to_suppress: - id: W58 reason: Lambda role provides access to CloudWatch Logs - id: W89 reason: Lambda does not need to communicate with VPC resources. - id: W92 reason: Lambda does not need reserved concurrent executions. checkov: skip: - id: CKV_AWS_115 comment: Lambda does not need reserved concurrent executions. - id: CKV_AWS_116 comment: DLQ not needed, as Lambda function only triggered by CloudFormation events. - id: CKV_AWS_117 comment: Lambda does not need to communicate with VPC resources. 
Type: AWS::Lambda::Function Properties: FunctionName: !Join ['-', ['cs-abi-CopyZipsLambda', !Select [4, !Split ['-', !Select [2, !Split ['/', !Ref AWS::StackId]]]]]] Description: Copies objects from a source S3 bucket to a destination Handler: index.handler Runtime: python3.9 MemorySize: 128 Role: !GetAtt 'CopyZipsRole.Arn' Timeout: 240 Code: ZipFile: | import json import logging import threading import boto3 import cfnresponse def copy_objects(source_bucket, dest_bucket, prefix, objects): s3 = boto3.client('s3') for o in objects: key = prefix + o copy_source = { 'Bucket': source_bucket, 'Key': key } print(('copy_source: %s' % copy_source)) print(('dest_bucket = %s'%dest_bucket)) print(('key = %s' %key)) s3.copy_object(CopySource=copy_source, Bucket=dest_bucket, Key=key) def bucket_exists(bucket): s3 = boto3.client('s3') buckets = s3.list_buckets() if bucket in buckets['Buckets']: return True def delete_objects(bucket, prefix, objects): s3 = boto3.client('s3') if bucket_exists(bucket): objects = {'Objects': [{'Key': prefix + o} for o in objects]} s3.delete_objects(Bucket=bucket, Delete=objects) def timeout(event, context): logging.error('Execution is about to time out, sending failure response to CloudFormation') cfnresponse.send(event, context, cfnresponse.FAILED, {}, None) def handler(event, context): # make sure we send a failure to CloudFormation if the function # is going to timeout timer = threading.Timer((context.get_remaining_time_in_millis() / 1000.00) - 0.5, timeout, args=[event, context]) timer.start() print(('Received event: %s' % json.dumps(event))) status = cfnresponse.SUCCESS try: source_bucket = event['ResourceProperties']['SourceBucket'] dest_bucket = event['ResourceProperties']['DestBucket'] prefix = event['ResourceProperties']['Prefix'] objects = event['ResourceProperties']['Objects'] if event['RequestType'] == 'Delete': delete_objects(dest_bucket, prefix, objects) else: copy_objects(source_bucket, dest_bucket, prefix, objects) except Exception 
as e: logging.error('Exception: %s' % e, exc_info=True) status = cfnresponse.FAILED finally: timer.cancel() cfnresponse.send(event, context, status, {}, None) # Org Id Lambda OrgIdLambdaCustomResource: Type: Custom::LambdaCustomResource Version: '1.0' Properties: ServiceToken: !GetAtt OrgIdLambdaFunction.Arn OrgIdLambdaFunction: DependsOn: CopyZips Metadata: cfn_nag: rules_to_suppress: - id: W58 reason: Lambda role provides access to CloudWatch Logs - id: W89 reason: Lambda does not need to communicate with VPC resources. - id: W92 reason: Lambda does not need reserved concurrent executions. checkov: skip: - id: CKV_AWS_115 comment: Lambda does not need reserved concurrent executions. - id: CKV_AWS_116 comment: DLQ not needed, as Lambda function only triggered by CloudFormation events. - id: CKV_AWS_117 comment: Lambda does not need to communicate with VPC resources. - id: CKV_AWS_173 comment: Environment variables are not sensitive. Type: AWS::Lambda::Function Properties: FunctionName: !Join ['-', ['cs-abi-OrgIdLambda', !Select [4, !Split ['-', !Select [2, !Split ['/', !Ref AWS::StackId]]]]]] Description: Get AWS Organization ID Handler: organizations.lambda_handler Role: !GetAtt OrgIdLambdaRole.Arn Runtime: python3.9 Timeout: 60 Environment: Variables: LOG_LEVEL: "INFO" EVENTBUS_ACCOUNT: !Ref AWS::AccountId EKS_PROTECTION: !Ref EKSProtection Code: S3Bucket: !Ref StagingS3Bucket S3Key: !Sub ${SourceS3BucketNamePrefix}/lambda_functions/packages/cw-helper/lambda.zip OrgIdLambdaRole: Type: AWS::IAM::Role Metadata: cfn_nag: rules_to_suppress: - id: W11 reason: Allow * in resource when required - id: W28 reason: The role name is defined to identify automation resources Properties: RoleName: !Join ['-', ['cs-abi-OrgIdRole', !Select [4, !Split ['-', !Select [2, !Split ['/', !Ref AWS::StackId]]]]]] PermissionsBoundary: Fn::If: - SetPermissionsBoundary - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/${PermissionsBoundary}' - Ref: AWS::NoValue Description: 'Role 
for cs-abi-OrgId Lambda function' AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: sts:AssumeRole Principal: Service: - lambda.amazonaws.com Policies: - PolicyName: org-id PolicyDocument: Version: 2012-10-17 Statement: - Sid: OrganizationRead Effect: Allow Action: - organizations:DescribeOrganization - organizations:ListParents Resource: '*' - PolicyName: CloudWatchLogGroup PolicyDocument: Version: 2012-10-17 Statement: - Sid: CloudWatchLogs Effect: Allow Action: - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents Resource: !Join ['', ['arn:', !Ref AWS::Partition, ':logs:', !Ref AWS::Region, ':', !Ref AWS::AccountId, ':log-group:/aws/lambda/cs-abi-OrgIdLambda-', !Select [4, !Split ['-', !Select [2, !Split ['/', !Ref AWS::StackId]]]], ':log-stream:*' ]] # EKS Protection RootRolesStack: Type: 'AWS::CloudFormation::Stack' Condition: EnableEKSProtection DeletionPolicy: Delete UpdateReplacePolicy: Delete Properties: TemplateURL: !Sub https://${SourceS3BucketName}.s3.${S3BucketRegion}.amazonaws.com/${SourceS3BucketNamePrefix}/templates/eks-root-roles.yml Parameters: CodeBuildProjectName: !Ref CodeBuildProjectName CodeBuildRoleName: !Ref CodeBuildRoleName EventBridgeRoleName: !Ref EventBridgeRoleName EKSExecutionRoleName: !Ref EKSExecutionRoleName StagingS3Bucket: !Ref StagingS3Bucket EventBusName: !Ref EventBusName PermissionsBoundary: !Ref PermissionsBoundary EKSTargetRolesStackSet: Condition: EnableEKSProtection DependsOn: RootRolesStack Type: AWS::CloudFormation::StackSet Properties: StackSetName: !Join ['-', ['cs-abi-EKSTargetRolesStackSet', !Select [4, !Split ['-', !Select [2, !Split ['/', !Ref AWS::StackId]]]]]] Capabilities: - CAPABILITY_NAMED_IAM Parameters: - ParameterKey: EKSExecutionRoleName ParameterValue: !Ref EKSExecutionRoleName - ParameterKey: EventBridgeRoleName ParameterValue: !Ref EventBridgeRoleName - ParameterKey: EventBusAccount ParameterValue: !Ref AWS::AccountId - ParameterKey: EventBusName 
ParameterValue: !Ref EventBusName - ParameterKey: CodeBuildRoleName ParameterValue: !Ref CodeBuildRoleName - ParameterKey: PermissionsBoundary ParameterValue: !Ref PermissionsBoundary PermissionModel: SERVICE_MANAGED CallAs: !If [ IsDelegatedAdmin, 'DELEGATED_ADMIN', 'SELF' ] AutoDeployment: Enabled: true RetainStacksOnAccountRemoval: false OperationPreferences: ConcurrencyMode: SOFT_FAILURE_TOLERANCE MaxConcurrentPercentage: 100 FailureTolerancePercentage: 50 RegionConcurrencyType: PARALLEL StackInstancesGroup: - DeploymentTargets: AccountFilterType: NONE OrganizationalUnitIds: !Ref DeploymentScope Regions: - !Ref AWS::Region TemplateURL: !Sub https://${SourceS3BucketName}.s3.${S3BucketRegion}.amazonaws.com/${SourceS3BucketNamePrefix}/templates/eks-target-roles-stackset.yml RootEKSProtectionStack: Type: 'AWS::CloudFormation::Stack' Condition: EnableEKSProtection DependsOn: EKSTargetRolesStackSet DeletionPolicy: Delete UpdateReplacePolicy: Delete Properties: TemplateURL: !Sub https://${SourceS3BucketName}.s3.${S3BucketRegion}.amazonaws.com/${SourceS3BucketNamePrefix}/templates/eks-protection-stack.yml Parameters: StagingS3Bucket: !Ref StagingS3Bucket Backend: !Ref Backend Registry: !Ref Registry EnableKAC: !Ref EnableKAC CrowdStrikeCloud: !FindInMap - CloudMap - !Ref CSCloud - CrowdStrikeCloud EventBusName: !Ref EventBusName OrganizationId: !GetAtt OrgIdLambdaCustomResource.organization_id FalconClientId: !Ref FalconClientID FalconClientSecret: !Ref FalconSecret KubernetesUserName: !Ref KubernetesUserName FalconCID: !Ref FalconCID DockerAPIToken: !Ref DockerAPIToken EKSExecutionRoleName: !Ref EKSExecutionRoleName CodeBuildProjectName: !Ref CodeBuildProjectName CodeBuildRoleName: !Ref CodeBuildRoleName SourceS3BucketNamePrefix: !Ref SourceS3BucketNamePrefix VpcCIDR: '10.192.0.0/16' PublicSubnet1CIDR: '10.192.10.0/24' PublicSubnet2CIDR: '10.192.11.0/24' PrivateSubnet1CIDR: '10.192.20.0/24' PrivateSubnet2CIDR: '10.192.21.0/24' EKSEventBridgeStackSet: Condition: 
EnableEKSProtection DependsOn: RootEKSProtectionStack Type: AWS::CloudFormation::StackSet Properties: StackSetName: !Join ['-', ['cs-abi-EKSEBStackSet', !Select [4, !Split ['-', !Select [2, !Split ['/', !Ref AWS::StackId]]]]]] Parameters: - ParameterKey: EventBusName ParameterValue: !Ref EventBusName - ParameterKey: EventBusAccount ParameterValue: !Ref AWS::AccountId - ParameterKey: EventBusRegion ParameterValue: !Ref AWS::Region - ParameterKey: EventBridgeRoleName ParameterValue: !Ref EventBridgeRoleName PermissionModel: SERVICE_MANAGED CallAs: !If [ IsDelegatedAdmin, 'DELEGATED_ADMIN', 'SELF' ] AutoDeployment: Enabled: true RetainStacksOnAccountRemoval: true OperationPreferences: ConcurrencyMode: SOFT_FAILURE_TOLERANCE MaxConcurrentPercentage: 100 FailureTolerancePercentage: 50 RegionConcurrencyType: PARALLEL StackInstancesGroup: - DeploymentTargets: AccountFilterType: NONE OrganizationalUnitIds: !Ref DeploymentScope Regions: !Ref EKSRegions TemplateURL: !Sub https://${SourceS3BucketName}.s3.${S3BucketRegion}.amazonaws.com/${SourceS3BucketNamePrefix}/templates/eks-eventbridge-stackset.yml ECRRegistrationStackSet: Condition: EnableECRRegistration DependsOn: - CopyZips Type: AWS::CloudFormation::StackSet Properties: StackSetName: !Join ['-', ['cs-abi-ECRStackSet', !Select [4, !Split ['-', !Select [2, !Split ['/', !Ref AWS::StackId]]]]]] Capabilities: - CAPABILITY_NAMED_IAM Parameters: - ParameterKey: S3Bucket ParameterValue: !Ref StagingS3Bucket - ParameterKey: SourceS3BucketNamePrefix ParameterValue: !Ref SourceS3BucketNamePrefix - ParameterKey: SecretsManagerSecretName ParameterValue: !Join ['-', ['cs-abi-FalconAPI-ECR', !Select [4, !Split ['-', !Select [2, !Split ['/', !Ref AWS::StackId]]]]]] - ParameterKey: PermissionsBoundary ParameterValue: !Ref PermissionsBoundary - ParameterKey: FalconClientID ParameterValue: !Ref FalconClientID - ParameterKey: FalconSecret ParameterValue: !Ref FalconSecret - ParameterKey: ECRExecutionRoleName ParameterValue: !Ref 
ECRExecutionRoleName - ParameterKey: ECRLambdaName ParameterValue: !Ref ECRLambdaName - ParameterKey: GovCloud ParameterValue: !If [ IsGovToGov, 'True', 'False' ] - ParameterKey: CommToGovCloud ParameterValue: !If [ IsCommToGovCloud, 'True', 'False' ] - ParameterKey: StackId ParameterValue: !Select [4, !Split ['-', !Select [2, !Split ['/', !Ref AWS::StackId]]]] - ParameterKey: CSCloud ParameterValue: !Ref CSCloud - ParameterKey: Regions ParameterValue: !Ref ECRRegions PermissionModel: SERVICE_MANAGED CallAs: !If [ IsDelegatedAdmin, 'DELEGATED_ADMIN', 'SELF' ] AutoDeployment: Enabled: true RetainStacksOnAccountRemoval: true OperationPreferences: ConcurrencyMode: SOFT_FAILURE_TOLERANCE MaxConcurrentPercentage: 100 FailureTolerancePercentage: 50 RegionConcurrencyType: PARALLEL StackInstancesGroup: - DeploymentTargets: AccountFilterType: NONE OrganizationalUnitIds: !Ref DeploymentScope Regions: - !Ref AWS::Region TemplateURL: !Sub https://${SourceS3BucketName}.s3.${S3BucketRegion}.amazonaws.com/${SourceS3BucketNamePrefix}/templates/ecr-registration-stackset.yml Outputs: StackId: Description: Stack ID for reference Value: !Ref AWS::StackId Export: Name: !Sub "${AWS::StackName}-StackId"