{
  "Description": "(SO0217) - The AWS CloudFormation hub template for deployment of the Account Assessment for AWS Organizations, Version: 1.1.11",
  "Metadata": {
    "AWS::CloudFormation::Interface": {
      "ParameterGroups": [
        {
          "Label": {
            "default": "Solution Setup"
          },
          "Parameters": [
            "DeploymentNamespace",
            "OrganizationID"
          ]
        },
        {
          "Label": {
            "default": "DynamoDB Configuration"
          },
          "Parameters": [
            "DynamoTimeToLive"
          ]
        },
        {
          "Label": {
            "default": "Web UI Configuration"
          },
          "Parameters": [
            "UserEmail",
            "MultiFactorAuthentication"
          ]
        },
        {
          "Label": {
            "default": "Security Configuration"
          },
          "Parameters": [
            "AllowListedIPRanges"
          ]
        },
        {
          "Label": {
            "default": "Application Manager Configuration"
          },
          "Parameters": [
            "ManagementAccountId"
          ]
        }
      ],
      "ParameterLabels": {
        "DeploymentNamespace": {
          "default": "Provide a unique namespace value."
        },
        "OrganizationID": {
          "default": "Provide the AWS Organization ID"
        },
        "DynamoTimeToLive": {
          "default": "Provide Time to live (in days) for DynamoDB items."
        },
        "UserEmail": {
          "default": "Provide Web UI Login User Email"
        },
        "MultiFactorAuthentication": {
          "default": "Set MFA for Cognito to 'ON' or 'OPTIONAL'"
        },
        "AllowListedIPRanges": {
          "default": "Provide the CIDR ranges from which the console is allowed to access the API."
        },
        "ManagementAccountId": {
          "default": "Provide the Org Management Account ID"
        }
      }
    }
  },
  "Parameters": {
    "AllowListedIPRanges": {
      "Type": "CommaDelimitedList",
      "Default": "0.0.0.0/1,128.0.0.0/1",
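      "Description": "Comma-separated list of CIDR ranges that are allowed to access the API. To allow the entire internet, use 0.0.0.0/1,128.0.0.0/1 (this is the default, and it covers every IPv4 address); narrow it to known ranges to restrict who can reach the API."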
    },
    "DeploymentNamespace": {
      "Type": "String",
      "AllowedPattern": "^[a-z0-9][a-z0-9-]{1,8}[a-z0-9]$",
      "ConstraintDescription": "Must be 3-10 characters long, containing only lowercase letters, numbers, and hyphens. Cannot begin or end with a hyphen.",
      "Description": "This value is used as a prefix for resource names. The same namespace must be used in the spoke stack and the management account stack.",
      "MaxLength": 10,
      "MinLength": 3
    },
    "OrganizationID": {
      "Type": "String",
      "AllowedPattern": "^$|^o-[a-z0-9]{10,32}$",
      "Description": "Organization ID"
    },
    "ManagementAccountId": {
      "Type": "String",
      "Description": "Account ID for the management account of the Organization."
    },
    "DynamoTimeToLive": {
      "Type": "Number",
      "Default": 90,
      "Description": "DynamoDB will delete each stored item after the given number of days. This value applies to all the DynamoDB tables."
    },
    "MultiFactorAuthentication": {
      "Type": "String",
      "Default": "OPTIONAL",
      "AllowedValues": [
        "ON",
        "OPTIONAL"
      ],
      "Description": "Multi-factor authentication setting for the Cognito User Pool. Set to 'ON' to require MFA for every user, or to 'OPTIONAL' to let each user choose whether to enable it."
    },
    "UserEmail": {
      "Type": "String",
      "AllowedPattern": "^(([^<>()\\[\\]\\\\.,;:\\s@\"]+(\\.[^<>()\\[\\]\\\\.,;:\\s@\"]+)*)|(\".+\"))@((\\[[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}])|(([a-zA-Z\\-0-9]+\\.)+[a-zA-Z]{2,}))$",
      "Description": "Admin user will be created at deployment time. Provide an email address to create this initial Cognito user."
    }
  },
  "Resources": {
    "ApiProdLogsAC7A9268": {
      "Type": "AWS::Logs::LogGroup",
      "Properties": {
        "RetentionInDays": 3653
      },
      "UpdateReplacePolicy": "Retain",
      "DeletionPolicy": "Retain",
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Api/ProdLogs/Resource",
        "guard": {
          "SuppressedRules": [
            "CLOUDWATCH_LOG_GROUP_ENCRYPTED"
          ]
        }
      }
    },
    "ApiAccountAssessmentForAWSOrganisationsApiCC987D5A": {
      "Type": "AWS::ApiGateway::RestApi",
      "Properties": {
        "Name": {
          "Fn::Join": [
            "",
            [
              "AccountAssessmentForAWSOrganisationsApi-",
              {
                "Ref": "DeploymentNamespace"
              }
            ]
          ]
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Api/AccountAssessmentForAWSOrganisationsApi/Resource"
      }
    },
    "ApiAccountAssessmentForAWSOrganisationsApiCloudWatchRoleEF2CAC3A": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "apigateway.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "ManagedPolicyArns": [
          {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"
              ]
            ]
          }
        ]
      },
      "UpdateReplacePolicy": "Retain",
      "DeletionPolicy": "Retain",
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Api/AccountAssessmentForAWSOrganisationsApi/CloudWatchRole/Resource",
        "guard": {
          "SuppressedRules": [
            "CFN_NO_EXPLICIT_RESOURCE_NAMES"
          ]
        }
      }
    },
    "ApiAccountAssessmentForAWSOrganisationsApiAccount9C22A6D3": {
      "Type": "AWS::ApiGateway::Account",
      "Properties": {
        "CloudWatchRoleArn": {
          "Fn::GetAtt": [
            "ApiAccountAssessmentForAWSOrganisationsApiCloudWatchRoleEF2CAC3A",
            "Arn"
          ]
        }
      },
      "DependsOn": [
        "ApiAccountAssessmentForAWSOrganisationsApiCC987D5A"
      ],
      "UpdateReplacePolicy": "Retain",
      "DeletionPolicy": "Retain",
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Api/AccountAssessmentForAWSOrganisationsApi/Account"
      }
    },
    "ApiAccountAssessmentForAWSOrganisationsApiDeployment30D1B1E633cdc065900962a602007415215b1335": {
      "Type": "AWS::ApiGateway::Deployment",
      "Properties": {
        "Description": "Automatically created by the RestApi construct",
        "RestApiId": {
          "Ref": "ApiAccountAssessmentForAWSOrganisationsApiCC987D5A"
        }
      },
      "DependsOn": [
        "ApiAccountAssessmentForAWSOrganisationsApidelegatedadminsGET4A31FEC2",
        "ApiAccountAssessmentForAWSOrganisationsApidelegatedadminsOPTIONS001FCB8B",
        "ApiAccountAssessmentForAWSOrganisationsApidelegatedadminsPOST8B870775",
        "ApiAccountAssessmentForAWSOrganisationsApidelegatedadminsE50B22F7",
        "ApiAccountAssessmentForAWSOrganisationsApijobsassessmentTypeidGETE4BCB085",
        "ApiAccountAssessmentForAWSOrganisationsApijobsassessmentTypeidOPTIONSBA3B7ABE",
        "ApiAccountAssessmentForAWSOrganisationsApijobsassessmentTypeidC28790DF",
        "ApiAccountAssessmentForAWSOrganisationsApijobsassessmentTypeOPTIONSC7E0667E",
        "ApiAccountAssessmentForAWSOrganisationsApijobsassessmentType13020835",
        "ApiAccountAssessmentForAWSOrganisationsApijobsGETA5125B54",
        "ApiAccountAssessmentForAWSOrganisationsApijobsOPTIONSD5103352",
        "ApiAccountAssessmentForAWSOrganisationsApijobsC03CBD56",
        "ApiAccountAssessmentForAWSOrganisationsApiOPTIONSD2A35DEE",
        "ApiAccountAssessmentForAWSOrganisationsApipolicyexplorerpartitionKeyGETB31C53C2",
        "ApiAccountAssessmentForAWSOrganisationsApipolicyexplorerpartitionKeyOPTIONSCDAF6563",
        "ApiAccountAssessmentForAWSOrganisationsApipolicyexplorerpartitionKey2E581A48",
        "ApiAccountAssessmentForAWSOrganisationsApipolicyexplorerOPTIONSA530352A",
        "ApiAccountAssessmentForAWSOrganisationsApipolicyexplorer3DE2309B",
        "ApiAccountAssessmentForAWSOrganisationsApipolicyexplorerscanOPTIONS793C425E",
        "ApiAccountAssessmentForAWSOrganisationsApipolicyexplorerscanPOST9D3A897C",
        "ApiAccountAssessmentForAWSOrganisationsApipolicyexplorerscan794DC3D8",
        "ApiAccountAssessmentForAWSOrganisationsApiresourcebasedpoliciesGET25E1DB26",
        "ApiAccountAssessmentForAWSOrganisationsApiresourcebasedpoliciesOPTIONS44694EB3",
        "ApiAccountAssessmentForAWSOrganisationsApiresourcebasedpolicies3BE50DCC",
        "ApiAccountAssessmentForAWSOrganisationsApitrustedaccessGET85AFCC94",
        "ApiAccountAssessmentForAWSOrganisationsApitrustedaccessOPTIONS67BBBA5F",
        "ApiAccountAssessmentForAWSOrganisationsApitrustedaccessPOST4970B5C0",
        "ApiAccountAssessmentForAWSOrganisationsApitrustedaccessB194924C",
        "ApiCORSResponse4xxFE19E5DC",
        "ApiCORSResponse5xxF5A162EC"
      ],
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Api/AccountAssessmentForAWSOrganisationsApi/Deployment/Resource",
        "aws:cdk:do-not-refactor": true
      }
    },
    "ApiAccountAssessmentForAWSOrganisationsApiDeploymentStageprod6B748DCF": {
      "Type": "AWS::ApiGateway::Stage",
      "Properties": {
        "AccessLogSetting": {
          "DestinationArn": {
            "Fn::GetAtt": [
              "ApiProdLogsAC7A9268",
              "Arn"
            ]
          },
          "Format": "{\"requestId\":\"$context.requestId\",\"ip\":\"$context.identity.sourceIp\",\"user\":\"$context.identity.user\",\"caller\":\"$context.identity.caller\",\"requestTime\":\"$context.requestTime\",\"httpMethod\":\"$context.httpMethod\",\"resourcePath\":\"$context.resourcePath\",\"status\":\"$context.status\",\"protocol\":\"$context.protocol\",\"responseLength\":\"$context.responseLength\"}"
        },
        "DeploymentId": {
          "Ref": "ApiAccountAssessmentForAWSOrganisationsApiDeployment30D1B1E633cdc065900962a602007415215b1335"
        },
        "RestApiId": {
          "Ref": "ApiAccountAssessmentForAWSOrganisationsApiCC987D5A"
        },
        "StageName": "prod",
        "TracingEnabled": true
      },
      "DependsOn": [
        "ApiAccountAssessmentForAWSOrganisationsApiAccount9C22A6D3"
      ],
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Api/AccountAssessmentForAWSOrganisationsApi/DeploymentStage.prod/Resource"
      }
    },
    "ApiAccountAssessmentForAWSOrganisationsApiOPTIONSD2A35DEE": {
      "Type": "AWS::ApiGateway::Method",
      "Properties": {
        "ApiKeyRequired": false,
        "AuthorizationType": "NONE",
        "HttpMethod": "OPTIONS",
        "Integration": {
          "IntegrationResponses": [
            {
              "ResponseParameters": {
                "method.response.header.Access-Control-Allow-Headers": "'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token,X-Amz-User-Agent'",
                "method.response.header.Access-Control-Allow-Origin": "'*'",
                "method.response.header.Access-Control-Allow-Methods": "'*'"
              },
              "StatusCode": "204"
            }
          ],
          "RequestTemplates": {
            "application/json": "{ statusCode: 200 }"
          },
          "Type": "MOCK"
        },
        "MethodResponses": [
          {
            "ResponseParameters": {
              "method.response.header.Access-Control-Allow-Headers": true,
              "method.response.header.Access-Control-Allow-Origin": true,
              "method.response.header.Access-Control-Allow-Methods": true
            },
            "StatusCode": "204"
          }
        ],
        "ResourceId": {
          "Fn::GetAtt": [
            "ApiAccountAssessmentForAWSOrganisationsApiCC987D5A",
            "RootResourceId"
          ]
        },
        "RestApiId": {
          "Ref": "ApiAccountAssessmentForAWSOrganisationsApiCC987D5A"
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Api/AccountAssessmentForAWSOrganisationsApi/Default/OPTIONS/Resource"
      }
    },
    "ApiAccountAssessmentForAWSOrganisationsApijobsC03CBD56": {
      "Type": "AWS::ApiGateway::Resource",
      "Properties": {
        "ParentId": {
          "Fn::GetAtt": [
            "ApiAccountAssessmentForAWSOrganisationsApiCC987D5A",
            "RootResourceId"
          ]
        },
        "PathPart": "jobs",
        "RestApiId": {
          "Ref": "ApiAccountAssessmentForAWSOrganisationsApiCC987D5A"
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Api/AccountAssessmentForAWSOrganisationsApi/Default/jobs/Resource"
      }
    },
    "ApiAccountAssessmentForAWSOrganisationsApijobsOPTIONSD5103352": {
      "Type": "AWS::ApiGateway::Method",
      "Properties": {
        "ApiKeyRequired": false,
        "AuthorizationType": "NONE",
        "HttpMethod": "OPTIONS",
        "Integration": {
          "IntegrationResponses": [
            {
              "ResponseParameters": {
                "method.response.header.Access-Control-Allow-Headers": "'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token,X-Amz-User-Agent'",
                "method.response.header.Access-Control-Allow-Origin": "'*'",
                "method.response.header.Access-Control-Allow-Methods": "'*'"
              },
              "StatusCode": "204"
            }
          ],
          "RequestTemplates": {
            "application/json": "{ statusCode: 200 }"
          },
          "Type": "MOCK"
        },
        "MethodResponses": [
          {
            "ResponseParameters": {
              "method.response.header.Access-Control-Allow-Headers": true,
              "method.response.header.Access-Control-Allow-Origin": true,
              "method.response.header.Access-Control-Allow-Methods": true
            },
            "StatusCode": "204"
          }
        ],
        "ResourceId": {
          "Ref": "ApiAccountAssessmentForAWSOrganisationsApijobsC03CBD56"
        },
        "RestApiId": {
          "Ref": "ApiAccountAssessmentForAWSOrganisationsApiCC987D5A"
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Api/AccountAssessmentForAWSOrganisationsApi/Default/jobs/OPTIONS/Resource"
      }
    },
    "ApiAccountAssessmentForAWSOrganisationsApijobsGETApiPermissionaccountassessmentforawsorganizationshubApiAccountAssessmentForAWSOrganisationsApi9D7C0494GETjobs174367F5": {
      "Type": "AWS::Lambda::Permission",
      "Properties": {
        "Action": "lambda:InvokeFunction",
        "FunctionName": {
          "Fn::GetAtt": [
            "JobHistoryJobsHandler0605796C",
            "Arn"
          ]
        },
        "Principal": "apigateway.amazonaws.com",
        "SourceArn": {
          "Fn::Join": [
            "",
            [
              "arn:",
              {
                "Ref": "AWS::Partition"
              },
              ":execute-api:",
              {
                "Ref": "AWS::Region"
              },
              ":",
              {
                "Ref": "AWS::AccountId"
              },
              ":",
              {
                "Ref": "ApiAccountAssessmentForAWSOrganisationsApiCC987D5A"
              },
              "/",
              {
                "Ref": "ApiAccountAssessmentForAWSOrganisationsApiDeploymentStageprod6B748DCF"
              },
              "/GET/jobs"
            ]
          ]
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Api/AccountAssessmentForAWSOrganisationsApi/Default/jobs/GET/ApiPermission.accountassessmentforawsorganizationshubApiAccountAssessmentForAWSOrganisationsApi9D7C0494.GET..jobs"
      }
    },
    "ApiAccountAssessmentForAWSOrganisationsApijobsGETApiPermissionTestaccountassessmentforawsorganizationshubApiAccountAssessmentForAWSOrganisationsApi9D7C0494GETjobsB5EC2A39": {
      "Type": "AWS::Lambda::Permission",
      "Properties": {
        "Action": "lambda:InvokeFunction",
        "FunctionName": {
          "Fn::GetAtt": [
            "JobHistoryJobsHandler0605796C",
            "Arn"
          ]
        },
        "Principal": "apigateway.amazonaws.com",
        "SourceArn": {
          "Fn::Join": [
            "",
            [
              "arn:",
              {
                "Ref": "AWS::Partition"
              },
              ":execute-api:",
              {
                "Ref": "AWS::Region"
              },
              ":",
              {
                "Ref": "AWS::AccountId"
              },
              ":",
              {
                "Ref": "ApiAccountAssessmentForAWSOrganisationsApiCC987D5A"
              },
              "/test-invoke-stage/GET/jobs"
            ]
          ]
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Api/AccountAssessmentForAWSOrganisationsApi/Default/jobs/GET/ApiPermission.Test.accountassessmentforawsorganizationshubApiAccountAssessmentForAWSOrganisationsApi9D7C0494.GET..jobs"
      }
    },
    "ApiAccountAssessmentForAWSOrganisationsApijobsGETA5125B54": {
      "Type": "AWS::ApiGateway::Method",
      "Properties": {
        "ApiKeyRequired": false,
        "AuthorizationScopes": [
          "account-assessment-api/api"
        ],
        "AuthorizationType": "COGNITO_USER_POOLS",
        "AuthorizerId": {
          "Ref": "AuthFullAccessAuthorizer1F31C21E"
        },
        "HttpMethod": "GET",
        "Integration": {
          "IntegrationHttpMethod": "POST",
          "Type": "AWS_PROXY",
          "Uri": {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":apigateway:",
                {
                  "Ref": "AWS::Region"
                },
                ":lambda:path/2015-03-31/functions/",
                {
                  "Fn::GetAtt": [
                    "JobHistoryJobsHandler0605796C",
                    "Arn"
                  ]
                },
                "/invocations"
              ]
            ]
          }
        },
        "ResourceId": {
          "Ref": "ApiAccountAssessmentForAWSOrganisationsApijobsC03CBD56"
        },
        "RestApiId": {
          "Ref": "ApiAccountAssessmentForAWSOrganisationsApiCC987D5A"
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Api/AccountAssessmentForAWSOrganisationsApi/Default/jobs/GET/Resource"
      }
    },
    "ApiAccountAssessmentForAWSOrganisationsApijobsassessmentType13020835": {
      "Type": "AWS::ApiGateway::Resource",
      "Properties": {
        "ParentId": {
          "Ref": "ApiAccountAssessmentForAWSOrganisationsApijobsC03CBD56"
        },
        "PathPart": "{assessmentType}",
        "RestApiId": {
          "Ref": "ApiAccountAssessmentForAWSOrganisationsApiCC987D5A"
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Api/AccountAssessmentForAWSOrganisationsApi/Default/jobs/{assessmentType}/Resource"
      }
    },
    "ApiAccountAssessmentForAWSOrganisationsApijobsassessmentTypeOPTIONSC7E0667E": {
      "Type": "AWS::ApiGateway::Method",
      "Properties": {
        "ApiKeyRequired": false,
        "AuthorizationType": "NONE",
        "HttpMethod": "OPTIONS",
        "Integration": {
          "IntegrationResponses": [
            {
              "ResponseParameters": {
                "method.response.header.Access-Control-Allow-Headers": "'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token,X-Amz-User-Agent'",
                "method.response.header.Access-Control-Allow-Origin": "'*'",
                "method.response.header.Access-Control-Allow-Methods": "'*'"
              },
              "StatusCode": "204"
            }
          ],
          "RequestTemplates": {
            "application/json": "{ statusCode: 200 }"
          },
          "Type": "MOCK"
        },
        "MethodResponses": [
          {
            "ResponseParameters": {
              "method.response.header.Access-Control-Allow-Headers": true,
              "method.response.header.Access-Control-Allow-Origin": true,
              "method.response.header.Access-Control-Allow-Methods": true
            },
            "StatusCode": "204"
          }
        ],
        "ResourceId": {
          "Ref": "ApiAccountAssessmentForAWSOrganisationsApijobsassessmentType13020835"
        },
        "RestApiId": {
          "Ref": "ApiAccountAssessmentForAWSOrganisationsApiCC987D5A"
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Api/AccountAssessmentForAWSOrganisationsApi/Default/jobs/{assessmentType}/OPTIONS/Resource"
      }
    },
    "ApiAccountAssessmentForAWSOrganisationsApijobsassessmentTypeidC28790DF": {
      "Type": "AWS::ApiGateway::Resource",
      "Properties": {
        "ParentId": {
          "Ref": "ApiAccountAssessmentForAWSOrganisationsApijobsassessmentType13020835"
        },
        "PathPart": "{id}",
        "RestApiId": {
          "Ref": "ApiAccountAssessmentForAWSOrganisationsApiCC987D5A"
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Api/AccountAssessmentForAWSOrganisationsApi/Default/jobs/{assessmentType}/{id}/Resource"
      }
    },
    "ApiAccountAssessmentForAWSOrganisationsApijobsassessmentTypeidOPTIONSBA3B7ABE": {
      "Type": "AWS::ApiGateway::Method",
      "Properties": {
        "ApiKeyRequired": false,
        "AuthorizationType": "NONE",
        "HttpMethod": "OPTIONS",
        "Integration": {
          "IntegrationResponses": [
            {
              "ResponseParameters": {
                "method.response.header.Access-Control-Allow-Headers": "'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token,X-Amz-User-Agent'",
                "method.response.header.Access-Control-Allow-Origin": "'*'",
                "method.response.header.Access-Control-Allow-Methods": "'*'"
              },
              "StatusCode": "204"
            }
          ],
          "RequestTemplates": {
            "application/json": "{ statusCode: 200 }"
          },
          "Type": "MOCK"
        },
        "MethodResponses": [
          {
            "ResponseParameters": {
              "method.response.header.Access-Control-Allow-Headers": true,
              "method.response.header.Access-Control-Allow-Origin": true,
              "method.response.header.Access-Control-Allow-Methods": true
            },
            "StatusCode": "204"
          }
        ],
        "ResourceId": {
          "Ref": "ApiAccountAssessmentForAWSOrganisationsApijobsassessmentTypeidC28790DF"
        },
        "RestApiId": {
          "Ref": "ApiAccountAssessmentForAWSOrganisationsApiCC987D5A"
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Api/AccountAssessmentForAWSOrganisationsApi/Default/jobs/{assessmentType}/{id}/OPTIONS/Resource"
      }
    },
    "ApiAccountAssessmentForAWSOrganisationsApijobsassessmentTypeidGETApiPermissionaccountassessmentforawsorganizationshubApiAccountAssessmentForAWSOrganisationsApi9D7C0494GETjobsassessmentTypeid8DE88825": {
      "Type": "AWS::Lambda::Permission",
      "Properties": {
        "Action": "lambda:InvokeFunction",
        "FunctionName": {
          "Fn::GetAtt": [
            "JobHistoryJobsHandler0605796C",
            "Arn"
          ]
        },
        "Principal": "apigateway.amazonaws.com",
        "SourceArn": {
          "Fn::Join": [
            "",
            [
              "arn:",
              {
                "Ref": "AWS::Partition"
              },
              ":execute-api:",
              {
                "Ref": "AWS::Region"
              },
              ":",
              {
                "Ref": "AWS::AccountId"
              },
              ":",
              {
                "Ref": "ApiAccountAssessmentForAWSOrganisationsApiCC987D5A"
              },
              "/",
              {
                "Ref": "ApiAccountAssessmentForAWSOrganisationsApiDeploymentStageprod6B748DCF"
              },
              "/GET/jobs/*/*"
            ]
          ]
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Api/AccountAssessmentForAWSOrganisationsApi/Default/jobs/{assessmentType}/{id}/GET/ApiPermission.accountassessmentforawsorganizationshubApiAccountAssessmentForAWSOrganisationsApi9D7C0494.GET..jobs.{assessmentType}.{id}"
      }
    },
    "ApiAccountAssessmentForAWSOrganisationsApijobsassessmentTypeidGETApiPermissionTestaccountassessmentforawsorganizationshubApiAccountAssessmentForAWSOrganisationsApi9D7C0494GETjobsassessmentTypeidADDC45A1": {
      "Type": "AWS::Lambda::Permission",
      "Properties": {
        "Action": "lambda:InvokeFunction",
        "FunctionName": {
          "Fn::GetAtt": [
            "JobHistoryJobsHandler0605796C",
            "Arn"
          ]
        },
        "Principal": "apigateway.amazonaws.com",
        "SourceArn": {
          "Fn::Join": [
            "",
            [
              "arn:",
              {
                "Ref": "AWS::Partition"
              },
              ":execute-api:",
              {
                "Ref": "AWS::Region"
              },
              ":",
              {
                "Ref": "AWS::AccountId"
              },
              ":",
              {
                "Ref": "ApiAccountAssessmentForAWSOrganisationsApiCC987D5A"
              },
              "/test-invoke-stage/GET/jobs/*/*"
            ]
          ]
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Api/AccountAssessmentForAWSOrganisationsApi/Default/jobs/{assessmentType}/{id}/GET/ApiPermission.Test.accountassessmentforawsorganizationshubApiAccountAssessmentForAWSOrganisationsApi9D7C0494.GET..jobs.{assessmentType}.{id}"
      }
    },
    "ApiAccountAssessmentForAWSOrganisationsApijobsassessmentTypeidGETE4BCB085": {
      "Type": "AWS::ApiGateway::Method",
      "Properties": {
        "ApiKeyRequired": false,
        "AuthorizationScopes": [
          "account-assessment-api/api"
        ],
        "AuthorizationType": "COGNITO_USER_POOLS",
        "AuthorizerId": {
          "Ref": "AuthFullAccessAuthorizer1F31C21E"
        },
        "HttpMethod": "GET",
        "Integration": {
          "IntegrationHttpMethod": "POST",
          "Type": "AWS_PROXY",
          "Uri": {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":apigateway:",
                {
                  "Ref": "AWS::Region"
                },
                ":lambda:path/2015-03-31/functions/",
                {
                  "Fn::GetAtt": [
                    "JobHistoryJobsHandler0605796C",
                    "Arn"
                  ]
                },
                "/invocations"
              ]
            ]
          }
        },
        "ResourceId": {
          "Ref": "ApiAccountAssessmentForAWSOrganisationsApijobsassessmentTypeidC28790DF"
        },
        "RestApiId": {
          "Ref": "ApiAccountAssessmentForAWSOrganisationsApiCC987D5A"
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Api/AccountAssessmentForAWSOrganisationsApi/Default/jobs/{assessmentType}/{id}/GET/Resource"
      }
    },
    "ApiAccountAssessmentForAWSOrganisationsApidelegatedadminsE50B22F7": {
      "Type": "AWS::ApiGateway::Resource",
      "Properties": {
        "ParentId": {
          "Fn::GetAtt": [
            "ApiAccountAssessmentForAWSOrganisationsApiCC987D5A",
            "RootResourceId"
          ]
        },
        "PathPart": "delegated-admins",
        "RestApiId": {
          "Ref": "ApiAccountAssessmentForAWSOrganisationsApiCC987D5A"
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Api/AccountAssessmentForAWSOrganisationsApi/Default/delegated-admins/Resource"
      }
    },
    "ApiAccountAssessmentForAWSOrganisationsApidelegatedadminsOPTIONS001FCB8B": {
      "Type": "AWS::ApiGateway::Method",
      "Properties": {
        "ApiKeyRequired": false,
        "AuthorizationType": "NONE",
        "HttpMethod": "OPTIONS",
        "Integration": {
          "IntegrationResponses": [
            {
              "ResponseParameters": {
                "method.response.header.Access-Control-Allow-Headers": "'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token,X-Amz-User-Agent'",
                "method.response.header.Access-Control-Allow-Origin": "'*'",
                "method.response.header.Access-Control-Allow-Methods": "'*'"
              },
              "StatusCode": "204"
            }
          ],
          "RequestTemplates": {
            "application/json": "{ statusCode: 200 }"
          },
          "Type": "MOCK"
        },
        "MethodResponses": [
          {
            "ResponseParameters": {
              "method.response.header.Access-Control-Allow-Headers": true,
              "method.response.header.Access-Control-Allow-Origin": true,
              "method.response.header.Access-Control-Allow-Methods": true
            },
            "StatusCode": "204"
          }
        ],
        "ResourceId": {
          "Ref": "ApiAccountAssessmentForAWSOrganisationsApidelegatedadminsE50B22F7"
        },
        "RestApiId": {
          "Ref": "ApiAccountAssessmentForAWSOrganisationsApiCC987D5A"
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Api/AccountAssessmentForAWSOrganisationsApi/Default/delegated-admins/OPTIONS/Resource"
      }
    },
    "ApiAccountAssessmentForAWSOrganisationsApidelegatedadminsGETApiPermissionaccountassessmentforawsorganizationshubApiAccountAssessmentForAWSOrganisationsApi9D7C0494GETdelegatedadminsD4DDE417": {
      "Type": "AWS::Lambda::Permission",
      "Properties": {
        "Action": "lambda:InvokeFunction",
        "FunctionName": {
          "Fn::GetAtt": [
            "DelegatedAdminsRead591DCC7E",
            "Arn"
          ]
        },
        "Principal": "apigateway.amazonaws.com",
        "SourceArn": {
          "Fn::Join": [
            "",
            [
              "arn:",
              {
                "Ref": "AWS::Partition"
              },
              ":execute-api:",
              {
                "Ref": "AWS::Region"
              },
              ":",
              {
                "Ref": "AWS::AccountId"
              },
              ":",
              {
                "Ref": "ApiAccountAssessmentForAWSOrganisationsApiCC987D5A"
              },
              "/",
              {
                "Ref": "ApiAccountAssessmentForAWSOrganisationsApiDeploymentStageprod6B748DCF"
              },
              "/GET/delegated-admins"
            ]
          ]
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Api/AccountAssessmentForAWSOrganisationsApi/Default/delegated-admins/GET/ApiPermission.accountassessmentforawsorganizationshubApiAccountAssessmentForAWSOrganisationsApi9D7C0494.GET..delegated-admins"
      }
    },
    "ApiAccountAssessmentForAWSOrganisationsApidelegatedadminsGETApiPermissionTestaccountassessmentforawsorganizationshubApiAccountAssessmentForAWSOrganisationsApi9D7C0494GETdelegatedadmins5F3B89DE": {
      "Type": "AWS::Lambda::Permission",
      "Properties": {
        "Action": "lambda:InvokeFunction",
        "FunctionName": {
          "Fn::GetAtt": [
            "DelegatedAdminsRead591DCC7E",
            "Arn"
          ]
        },
        "Principal": "apigateway.amazonaws.com",
        "SourceArn": {
          "Fn::Join": [
            "",
            [
              "arn:",
              {
                "Ref": "AWS::Partition"
              },
              ":execute-api:",
              {
                "Ref": "AWS::Region"
              },
              ":",
              {
                "Ref": "AWS::AccountId"
              },
              ":",
              {
                "Ref": "ApiAccountAssessmentForAWSOrganisationsApiCC987D5A"
              },
              "/test-invoke-stage/GET/delegated-admins"
            ]
          ]
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Api/AccountAssessmentForAWSOrganisationsApi/Default/delegated-admins/GET/ApiPermission.Test.accountassessmentforawsorganizationshubApiAccountAssessmentForAWSOrganisationsApi9D7C0494.GET..delegated-admins"
      }
    },
    "ApiAccountAssessmentForAWSOrganisationsApidelegatedadminsGET4A31FEC2": {
      "Type": "AWS::ApiGateway::Method",
      "Properties": {
        "AuthorizationScopes": [
          "account-assessment-api/api"
        ],
        "AuthorizationType": "COGNITO_USER_POOLS",
        "AuthorizerId": {
          "Ref": "AuthFullAccessAuthorizer1F31C21E"
        },
        "HttpMethod": "GET",
        "Integration": {
          "IntegrationHttpMethod": "POST",
          "Type": "AWS_PROXY",
          "Uri": {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":apigateway:",
                {
                  "Ref": "AWS::Region"
                },
                ":lambda:path/2015-03-31/functions/",
                {
                  "Fn::GetAtt": [
                    "DelegatedAdminsRead591DCC7E",
                    "Arn"
                  ]
                },
                "/invocations"
              ]
            ]
          }
        },
        "ResourceId": {
          "Ref": "ApiAccountAssessmentForAWSOrganisationsApidelegatedadminsE50B22F7"
        },
        "RestApiId": {
          "Ref": "ApiAccountAssessmentForAWSOrganisationsApiCC987D5A"
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Api/AccountAssessmentForAWSOrganisationsApi/Default/delegated-admins/GET/Resource"
      }
    },
    "ApiAccountAssessmentForAWSOrganisationsApidelegatedadminsPOSTApiPermissionaccountassessmentforawsorganizationshubApiAccountAssessmentForAWSOrganisationsApi9D7C0494POSTdelegatedadmins8F2FBDD5": {
      "Type": "AWS::Lambda::Permission",
      "Properties": {
        "Action": "lambda:InvokeFunction",
        "FunctionName": {
          "Fn::GetAtt": [
            "DelegatedAdminsStartScanE7DED487",
            "Arn"
          ]
        },
        "Principal": "apigateway.amazonaws.com",
        "SourceArn": {
          "Fn::Join": [
            "",
            [
              "arn:",
              {
                "Ref": "AWS::Partition"
              },
              ":execute-api:",
              {
                "Ref": "AWS::Region"
              },
              ":",
              {
                "Ref": "AWS::AccountId"
              },
              ":",
              {
                "Ref": "ApiAccountAssessmentForAWSOrganisationsApiCC987D5A"
              },
              "/",
              {
                "Ref": "ApiAccountAssessmentForAWSOrganisationsApiDeploymentStageprod6B748DCF"
              },
              "/POST/delegated-admins"
            ]
          ]
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Api/AccountAssessmentForAWSOrganisationsApi/Default/delegated-admins/POST/ApiPermission.accountassessmentforawsorganizationshubApiAccountAssessmentForAWSOrganisationsApi9D7C0494.POST..delegated-admins"
      }
    },
    "ApiAccountAssessmentForAWSOrganisationsApidelegatedadminsPOSTApiPermissionTestaccountassessmentforawsorganizationshubApiAccountAssessmentForAWSOrganisationsApi9D7C0494POSTdelegatedadmins0133EF83": {
      "Type": "AWS::Lambda::Permission",
      "Properties": {
        "Action": "lambda:InvokeFunction",
        "FunctionName": {
          "Fn::GetAtt": [
            "DelegatedAdminsStartScanE7DED487",
            "Arn"
          ]
        },
        "Principal": "apigateway.amazonaws.com",
        "SourceArn": {
          "Fn::Join": [
            "",
            [
              "arn:",
              {
                "Ref": "AWS::Partition"
              },
              ":execute-api:",
              {
                "Ref": "AWS::Region"
              },
              ":",
              {
                "Ref": "AWS::AccountId"
              },
              ":",
              {
                "Ref": "ApiAccountAssessmentForAWSOrganisationsApiCC987D5A"
              },
              "/test-invoke-stage/POST/delegated-admins"
            ]
          ]
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Api/AccountAssessmentForAWSOrganisationsApi/Default/delegated-admins/POST/ApiPermission.Test.accountassessmentforawsorganizationshubApiAccountAssessmentForAWSOrganisationsApi9D7C0494.POST..delegated-admins"
      }
    },
    "ApiAccountAssessmentForAWSOrganisationsApidelegatedadminsPOST8B870775": {
      "Type": "AWS::ApiGateway::Method",
      "Properties": {
        "AuthorizationScopes": [
          "account-assessment-api/api"
        ],
        "AuthorizationType": "COGNITO_USER_POOLS",
        "AuthorizerId": {
          "Ref": "AuthFullAccessAuthorizer1F31C21E"
        },
        "HttpMethod": "POST",
        "Integration": {
          "IntegrationHttpMethod": "POST",
          "Type": "AWS_PROXY",
          "Uri": {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":apigateway:",
                {
                  "Ref": "AWS::Region"
                },
                ":lambda:path/2015-03-31/functions/",
                {
                  "Fn::GetAtt": [
                    "DelegatedAdminsStartScanE7DED487",
                    "Arn"
                  ]
                },
                "/invocations"
              ]
            ]
          }
        },
        "ResourceId": {
          "Ref": "ApiAccountAssessmentForAWSOrganisationsApidelegatedadminsE50B22F7"
        },
        "RestApiId": {
          "Ref": "ApiAccountAssessmentForAWSOrganisationsApiCC987D5A"
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Api/AccountAssessmentForAWSOrganisationsApi/Default/delegated-admins/POST/Resource"
      }
    },
    "ApiAccountAssessmentForAWSOrganisationsApitrustedaccessB194924C": {
      "Type": "AWS::ApiGateway::Resource",
      "Properties": {
        "ParentId": {
          "Fn::GetAtt": [
            "ApiAccountAssessmentForAWSOrganisationsApiCC987D5A",
            "RootResourceId"
          ]
        },
        "PathPart": "trusted-access",
        "RestApiId": {
          "Ref": "ApiAccountAssessmentForAWSOrganisationsApiCC987D5A"
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Api/AccountAssessmentForAWSOrganisationsApi/Default/trusted-access/Resource"
      }
    },
    "ApiAccountAssessmentForAWSOrganisationsApitrustedaccessOPTIONS67BBBA5F": {
      "Type": "AWS::ApiGateway::Method",
      "Properties": {
        "ApiKeyRequired": false,
        "AuthorizationType": "NONE",
        "HttpMethod": "OPTIONS",
        "Integration": {
          "IntegrationResponses": [
            {
              "ResponseParameters": {
                "method.response.header.Access-Control-Allow-Headers": "'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token,X-Amz-User-Agent'",
                "method.response.header.Access-Control-Allow-Origin": "'*'",
                "method.response.header.Access-Control-Allow-Methods": "'*'"
              },
              "StatusCode": "204"
            }
          ],
          "RequestTemplates": {
            "application/json": "{ statusCode: 200 }"
          },
          "Type": "MOCK"
        },
        "MethodResponses": [
          {
            "ResponseParameters": {
              "method.response.header.Access-Control-Allow-Headers": true,
              "method.response.header.Access-Control-Allow-Origin": true,
              "method.response.header.Access-Control-Allow-Methods": true
            },
            "StatusCode": "204"
          }
        ],
        "ResourceId": {
          "Ref": "ApiAccountAssessmentForAWSOrganisationsApitrustedaccessB194924C"
        },
        "RestApiId": {
          "Ref": "ApiAccountAssessmentForAWSOrganisationsApiCC987D5A"
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Api/AccountAssessmentForAWSOrganisationsApi/Default/trusted-access/OPTIONS/Resource"
      }
    },
    "ApiAccountAssessmentForAWSOrganisationsApitrustedaccessGETApiPermissionaccountassessmentforawsorganizationshubApiAccountAssessmentForAWSOrganisationsApi9D7C0494GETtrustedaccessC0EC93B5": {
      "Type": "AWS::Lambda::Permission",
      "Properties": {
        "Action": "lambda:InvokeFunction",
        "FunctionName": {
          "Fn::GetAtt": [
            "TrustedAccessRead96AB6071",
            "Arn"
          ]
        },
        "Principal": "apigateway.amazonaws.com",
        "SourceArn": {
          "Fn::Join": [
            "",
            [
              "arn:",
              {
                "Ref": "AWS::Partition"
              },
              ":execute-api:",
              {
                "Ref": "AWS::Region"
              },
              ":",
              {
                "Ref": "AWS::AccountId"
              },
              ":",
              {
                "Ref": "ApiAccountAssessmentForAWSOrganisationsApiCC987D5A"
              },
              "/",
              {
                "Ref": "ApiAccountAssessmentForAWSOrganisationsApiDeploymentStageprod6B748DCF"
              },
              "/GET/trusted-access"
            ]
          ]
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Api/AccountAssessmentForAWSOrganisationsApi/Default/trusted-access/GET/ApiPermission.accountassessmentforawsorganizationshubApiAccountAssessmentForAWSOrganisationsApi9D7C0494.GET..trusted-access"
      }
    },
    "ApiAccountAssessmentForAWSOrganisationsApitrustedaccessGETApiPermissionTestaccountassessmentforawsorganizationshubApiAccountAssessmentForAWSOrganisationsApi9D7C0494GETtrustedaccess9FFC27B0": {
      "Type": "AWS::Lambda::Permission",
      "Properties": {
        "Action": "lambda:InvokeFunction",
        "FunctionName": {
          "Fn::GetAtt": [
            "TrustedAccessRead96AB6071",
            "Arn"
          ]
        },
        "Principal": "apigateway.amazonaws.com",
        "SourceArn": {
          "Fn::Join": [
            "",
            [
              "arn:",
              {
                "Ref": "AWS::Partition"
              },
              ":execute-api:",
              {
                "Ref": "AWS::Region"
              },
              ":",
              {
                "Ref": "AWS::AccountId"
              },
              ":",
              {
                "Ref": "ApiAccountAssessmentForAWSOrganisationsApiCC987D5A"
              },
              "/test-invoke-stage/GET/trusted-access"
            ]
          ]
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Api/AccountAssessmentForAWSOrganisationsApi/Default/trusted-access/GET/ApiPermission.Test.accountassessmentforawsorganizationshubApiAccountAssessmentForAWSOrganisationsApi9D7C0494.GET..trusted-access"
      }
    },
    "ApiAccountAssessmentForAWSOrganisationsApitrustedaccessGET85AFCC94": {
      "Type": "AWS::ApiGateway::Method",
      "Properties": {
        "AuthorizationScopes": [
          "account-assessment-api/api"
        ],
        "AuthorizationType": "COGNITO_USER_POOLS",
        "AuthorizerId": {
          "Ref": "AuthFullAccessAuthorizer1F31C21E"
        },
        "HttpMethod": "GET",
        "Integration": {
          "IntegrationHttpMethod": "POST",
          "Type": "AWS_PROXY",
          "Uri": {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":apigateway:",
                {
                  "Ref": "AWS::Region"
                },
                ":lambda:path/2015-03-31/functions/",
                {
                  "Fn::GetAtt": [
                    "TrustedAccessRead96AB6071",
                    "Arn"
                  ]
                },
                "/invocations"
              ]
            ]
          }
        },
        "ResourceId": {
          "Ref": "ApiAccountAssessmentForAWSOrganisationsApitrustedaccessB194924C"
        },
        "RestApiId": {
          "Ref": "ApiAccountAssessmentForAWSOrganisationsApiCC987D5A"
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Api/AccountAssessmentForAWSOrganisationsApi/Default/trusted-access/GET/Resource"
      }
    },
    "ApiAccountAssessmentForAWSOrganisationsApitrustedaccessPOSTApiPermissionaccountassessmentforawsorganizationshubApiAccountAssessmentForAWSOrganisationsApi9D7C0494POSTtrustedaccess1E0D3496": {
      "Type": "AWS::Lambda::Permission",
      "Properties": {
        "Action": "lambda:InvokeFunction",
        "FunctionName": {
          "Fn::GetAtt": [
            "TrustedAccessStartScan70308E2B",
            "Arn"
          ]
        },
        "Principal": "apigateway.amazonaws.com",
        "SourceArn": {
          "Fn::Join": [
            "",
            [
              "arn:",
              {
                "Ref": "AWS::Partition"
              },
              ":execute-api:",
              {
                "Ref": "AWS::Region"
              },
              ":",
              {
                "Ref": "AWS::AccountId"
              },
              ":",
              {
                "Ref": "ApiAccountAssessmentForAWSOrganisationsApiCC987D5A"
              },
              "/",
              {
                "Ref": "ApiAccountAssessmentForAWSOrganisationsApiDeploymentStageprod6B748DCF"
              },
              "/POST/trusted-access"
            ]
          ]
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Api/AccountAssessmentForAWSOrganisationsApi/Default/trusted-access/POST/ApiPermission.accountassessmentforawsorganizationshubApiAccountAssessmentForAWSOrganisationsApi9D7C0494.POST..trusted-access"
      }
    },
    "ApiAccountAssessmentForAWSOrganisationsApitrustedaccessPOSTApiPermissionTestaccountassessmentforawsorganizationshubApiAccountAssessmentForAWSOrganisationsApi9D7C0494POSTtrustedaccess5E964098": {
      "Type": "AWS::Lambda::Permission",
      "Properties": {
        "Action": "lambda:InvokeFunction",
        "FunctionName": {
          "Fn::GetAtt": [
            "TrustedAccessStartScan70308E2B",
            "Arn"
          ]
        },
        "Principal": "apigateway.amazonaws.com",
        "SourceArn": {
          "Fn::Join": [
            "",
            [
              "arn:",
              {
                "Ref": "AWS::Partition"
              },
              ":execute-api:",
              {
                "Ref": "AWS::Region"
              },
              ":",
              {
                "Ref": "AWS::AccountId"
              },
              ":",
              {
                "Ref": "ApiAccountAssessmentForAWSOrganisationsApiCC987D5A"
              },
              "/test-invoke-stage/POST/trusted-access"
            ]
          ]
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Api/AccountAssessmentForAWSOrganisationsApi/Default/trusted-access/POST/ApiPermission.Test.accountassessmentforawsorganizationshubApiAccountAssessmentForAWSOrganisationsApi9D7C0494.POST..trusted-access"
      }
    },
    "ApiAccountAssessmentForAWSOrganisationsApitrustedaccessPOST4970B5C0": {
      "Type": "AWS::ApiGateway::Method",
      "Properties": {
        "AuthorizationScopes": [
          "account-assessment-api/api"
        ],
        "AuthorizationType": "COGNITO_USER_POOLS",
        "AuthorizerId": {
          "Ref": "AuthFullAccessAuthorizer1F31C21E"
        },
        "HttpMethod": "POST",
        "Integration": {
          "IntegrationHttpMethod": "POST",
          "Type": "AWS_PROXY",
          "Uri": {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":apigateway:",
                {
                  "Ref": "AWS::Region"
                },
                ":lambda:path/2015-03-31/functions/",
                {
                  "Fn::GetAtt": [
                    "TrustedAccessStartScan70308E2B",
                    "Arn"
                  ]
                },
                "/invocations"
              ]
            ]
          }
        },
        "ResourceId": {
          "Ref": "ApiAccountAssessmentForAWSOrganisationsApitrustedaccessB194924C"
        },
        "RestApiId": {
          "Ref": "ApiAccountAssessmentForAWSOrganisationsApiCC987D5A"
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Api/AccountAssessmentForAWSOrganisationsApi/Default/trusted-access/POST/Resource"
      }
    },
    "ApiAccountAssessmentForAWSOrganisationsApiresourcebasedpolicies3BE50DCC": {
      "Type": "AWS::ApiGateway::Resource",
      "Properties": {
        "ParentId": {
          "Fn::GetAtt": [
            "ApiAccountAssessmentForAWSOrganisationsApiCC987D5A",
            "RootResourceId"
          ]
        },
        "PathPart": "resource-based-policies",
        "RestApiId": {
          "Ref": "ApiAccountAssessmentForAWSOrganisationsApiCC987D5A"
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Api/AccountAssessmentForAWSOrganisationsApi/Default/resource-based-policies/Resource"
      }
    },
    "ApiAccountAssessmentForAWSOrganisationsApiresourcebasedpoliciesOPTIONS44694EB3": {
      "Type": "AWS::ApiGateway::Method",
      "Properties": {
        "ApiKeyRequired": false,
        "AuthorizationType": "NONE",
        "HttpMethod": "OPTIONS",
        "Integration": {
          "IntegrationResponses": [
            {
              "ResponseParameters": {
                "method.response.header.Access-Control-Allow-Headers": "'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token,X-Amz-User-Agent'",
                "method.response.header.Access-Control-Allow-Origin": "'*'",
                "method.response.header.Access-Control-Allow-Methods": "'*'"
              },
              "StatusCode": "204"
            }
          ],
          "RequestTemplates": {
            "application/json": "{ statusCode: 200 }"
          },
          "Type": "MOCK"
        },
        "MethodResponses": [
          {
            "ResponseParameters": {
              "method.response.header.Access-Control-Allow-Headers": true,
              "method.response.header.Access-Control-Allow-Origin": true,
              "method.response.header.Access-Control-Allow-Methods": true
            },
            "StatusCode": "204"
          }
        ],
        "ResourceId": {
          "Ref": "ApiAccountAssessmentForAWSOrganisationsApiresourcebasedpolicies3BE50DCC"
        },
        "RestApiId": {
          "Ref": "ApiAccountAssessmentForAWSOrganisationsApiCC987D5A"
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Api/AccountAssessmentForAWSOrganisationsApi/Default/resource-based-policies/OPTIONS/Resource"
      }
    },
    "ApiAccountAssessmentForAWSOrganisationsApiresourcebasedpoliciesGETApiPermissionaccountassessmentforawsorganizationshubApiAccountAssessmentForAWSOrganisationsApi9D7C0494GETresourcebasedpolicies146A343E": {
      "Type": "AWS::Lambda::Permission",
      "Properties": {
        "Action": "lambda:InvokeFunction",
        "FunctionName": {
          "Fn::GetAtt": [
            "ResourceBasedPolicyReadDC5D2BC4",
            "Arn"
          ]
        },
        "Principal": "apigateway.amazonaws.com",
        "SourceArn": {
          "Fn::Join": [
            "",
            [
              "arn:",
              {
                "Ref": "AWS::Partition"
              },
              ":execute-api:",
              {
                "Ref": "AWS::Region"
              },
              ":",
              {
                "Ref": "AWS::AccountId"
              },
              ":",
              {
                "Ref": "ApiAccountAssessmentForAWSOrganisationsApiCC987D5A"
              },
              "/",
              {
                "Ref": "ApiAccountAssessmentForAWSOrganisationsApiDeploymentStageprod6B748DCF"
              },
              "/GET/resource-based-policies"
            ]
          ]
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Api/AccountAssessmentForAWSOrganisationsApi/Default/resource-based-policies/GET/ApiPermission.accountassessmentforawsorganizationshubApiAccountAssessmentForAWSOrganisationsApi9D7C0494.GET..resource-based-policies"
      }
    },
    "ApiAccountAssessmentForAWSOrganisationsApiresourcebasedpoliciesGETApiPermissionTestaccountassessmentforawsorganizationshubApiAccountAssessmentForAWSOrganisationsApi9D7C0494GETresourcebasedpoliciesED282595": {
      "Type": "AWS::Lambda::Permission",
      "Properties": {
        "Action": "lambda:InvokeFunction",
        "FunctionName": {
          "Fn::GetAtt": [
            "ResourceBasedPolicyReadDC5D2BC4",
            "Arn"
          ]
        },
        "Principal": "apigateway.amazonaws.com",
        "SourceArn": {
          "Fn::Join": [
            "",
            [
              "arn:",
              {
                "Ref": "AWS::Partition"
              },
              ":execute-api:",
              {
                "Ref": "AWS::Region"
              },
              ":",
              {
                "Ref": "AWS::AccountId"
              },
              ":",
              {
                "Ref": "ApiAccountAssessmentForAWSOrganisationsApiCC987D5A"
              },
              "/test-invoke-stage/GET/resource-based-policies"
            ]
          ]
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Api/AccountAssessmentForAWSOrganisationsApi/Default/resource-based-policies/GET/ApiPermission.Test.accountassessmentforawsorganizationshubApiAccountAssessmentForAWSOrganisationsApi9D7C0494.GET..resource-based-policies"
      }
    },
    "ApiAccountAssessmentForAWSOrganisationsApiresourcebasedpoliciesGET25E1DB26": {
      "Type": "AWS::ApiGateway::Method",
      "Properties": {
        "AuthorizationScopes": [
          "account-assessment-api/api"
        ],
        "AuthorizationType": "COGNITO_USER_POOLS",
        "AuthorizerId": {
          "Ref": "AuthFullAccessAuthorizer1F31C21E"
        },
        "HttpMethod": "GET",
        "Integration": {
          "IntegrationHttpMethod": "POST",
          "Type": "AWS_PROXY",
          "Uri": {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":apigateway:",
                {
                  "Ref": "AWS::Region"
                },
                ":lambda:path/2015-03-31/functions/",
                {
                  "Fn::GetAtt": [
                    "ResourceBasedPolicyReadDC5D2BC4",
                    "Arn"
                  ]
                },
                "/invocations"
              ]
            ]
          }
        },
        "ResourceId": {
          "Ref": "ApiAccountAssessmentForAWSOrganisationsApiresourcebasedpolicies3BE50DCC"
        },
        "RestApiId": {
          "Ref": "ApiAccountAssessmentForAWSOrganisationsApiCC987D5A"
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Api/AccountAssessmentForAWSOrganisationsApi/Default/resource-based-policies/GET/Resource"
      }
    },
    "ApiAccountAssessmentForAWSOrganisationsApipolicyexplorer3DE2309B": {
      "Type": "AWS::ApiGateway::Resource",
      "Properties": {
        "ParentId": {
          "Fn::GetAtt": [
            "ApiAccountAssessmentForAWSOrganisationsApiCC987D5A",
            "RootResourceId"
          ]
        },
        "PathPart": "policy-explorer",
        "RestApiId": {
          "Ref": "ApiAccountAssessmentForAWSOrganisationsApiCC987D5A"
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Api/AccountAssessmentForAWSOrganisationsApi/Default/policy-explorer/Resource"
      }
    },
    "ApiAccountAssessmentForAWSOrganisationsApipolicyexplorerOPTIONSA530352A": {
      "Type": "AWS::ApiGateway::Method",
      "Properties": {
        "ApiKeyRequired": false,
        "AuthorizationType": "NONE",
        "HttpMethod": "OPTIONS",
        "Integration": {
          "IntegrationResponses": [
            {
              "ResponseParameters": {
                "method.response.header.Access-Control-Allow-Headers": "'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token,X-Amz-User-Agent'",
                "method.response.header.Access-Control-Allow-Origin": "'*'",
                "method.response.header.Access-Control-Allow-Methods": "'*'"
              },
              "StatusCode": "204"
            }
          ],
          "RequestTemplates": {
            "application/json": "{ statusCode: 200 }"
          },
          "Type": "MOCK"
        },
        "MethodResponses": [
          {
            "ResponseParameters": {
              "method.response.header.Access-Control-Allow-Headers": true,
              "method.response.header.Access-Control-Allow-Origin": true,
              "method.response.header.Access-Control-Allow-Methods": true
            },
            "StatusCode": "204"
          }
        ],
        "ResourceId": {
          "Ref": "ApiAccountAssessmentForAWSOrganisationsApipolicyexplorer3DE2309B"
        },
        "RestApiId": {
          "Ref": "ApiAccountAssessmentForAWSOrganisationsApiCC987D5A"
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Api/AccountAssessmentForAWSOrganisationsApi/Default/policy-explorer/OPTIONS/Resource"
      }
    },
    "ApiAccountAssessmentForAWSOrganisationsApipolicyexplorerpartitionKey2E581A48": {
      "Type": "AWS::ApiGateway::Resource",
      "Properties": {
        "ParentId": {
          "Ref": "ApiAccountAssessmentForAWSOrganisationsApipolicyexplorer3DE2309B"
        },
        "PathPart": "{partitionKey}",
        "RestApiId": {
          "Ref": "ApiAccountAssessmentForAWSOrganisationsApiCC987D5A"
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Api/AccountAssessmentForAWSOrganisationsApi/Default/policy-explorer/{partitionKey}/Resource"
      }
    },
    "ApiAccountAssessmentForAWSOrganisationsApipolicyexplorerpartitionKeyOPTIONSCDAF6563": {
      "Type": "AWS::ApiGateway::Method",
      "Properties": {
        "ApiKeyRequired": false,
        "AuthorizationType": "NONE",
        "HttpMethod": "OPTIONS",
        "Integration": {
          "IntegrationResponses": [
            {
              "ResponseParameters": {
                "method.response.header.Access-Control-Allow-Headers": "'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token,X-Amz-User-Agent'",
                "method.response.header.Access-Control-Allow-Origin": "'*'",
                "method.response.header.Access-Control-Allow-Methods": "'*'"
              },
              "StatusCode": "204"
            }
          ],
          "RequestTemplates": {
            "application/json": "{ statusCode: 200 }"
          },
          "Type": "MOCK"
        },
        "MethodResponses": [
          {
            "ResponseParameters": {
              "method.response.header.Access-Control-Allow-Headers": true,
              "method.response.header.Access-Control-Allow-Origin": true,
              "method.response.header.Access-Control-Allow-Methods": true
            },
            "StatusCode": "204"
          }
        ],
        "ResourceId": {
          "Ref": "ApiAccountAssessmentForAWSOrganisationsApipolicyexplorerpartitionKey2E581A48"
        },
        "RestApiId": {
          "Ref": "ApiAccountAssessmentForAWSOrganisationsApiCC987D5A"
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Api/AccountAssessmentForAWSOrganisationsApi/Default/policy-explorer/{partitionKey}/OPTIONS/Resource"
      }
    },
    "ApiAccountAssessmentForAWSOrganisationsApipolicyexplorerpartitionKeyGETApiPermissionaccountassessmentforawsorganizationshubApiAccountAssessmentForAWSOrganisationsApi9D7C0494GETpolicyexplorerpartitionKey236A0F3B": {
      "Type": "AWS::Lambda::Permission",
      "Properties": {
        "Action": "lambda:InvokeFunction",
        "FunctionName": {
          "Fn::GetAtt": [
            "PolicyExplorerReadD7458004",
            "Arn"
          ]
        },
        "Principal": "apigateway.amazonaws.com",
        "SourceArn": {
          "Fn::Join": [
            "",
            [
              "arn:",
              {
                "Ref": "AWS::Partition"
              },
              ":execute-api:",
              {
                "Ref": "AWS::Region"
              },
              ":",
              {
                "Ref": "AWS::AccountId"
              },
              ":",
              {
                "Ref": "ApiAccountAssessmentForAWSOrganisationsApiCC987D5A"
              },
              "/",
              {
                "Ref": "ApiAccountAssessmentForAWSOrganisationsApiDeploymentStageprod6B748DCF"
              },
              "/GET/policy-explorer/*"
            ]
          ]
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Api/AccountAssessmentForAWSOrganisationsApi/Default/policy-explorer/{partitionKey}/GET/ApiPermission.accountassessmentforawsorganizationshubApiAccountAssessmentForAWSOrganisationsApi9D7C0494.GET..policy-explorer.{partitionKey}"
      }
    },
    "ApiAccountAssessmentForAWSOrganisationsApipolicyexplorerpartitionKeyGETApiPermissionTestaccountassessmentforawsorganizationshubApiAccountAssessmentForAWSOrganisationsApi9D7C0494GETpolicyexplorerpartitionKey5AFD06D7": {
      "Type": "AWS::Lambda::Permission",
      "Properties": {
        "Action": "lambda:InvokeFunction",
        "FunctionName": {
          "Fn::GetAtt": [
            "PolicyExplorerReadD7458004",
            "Arn"
          ]
        },
        "Principal": "apigateway.amazonaws.com",
        "SourceArn": {
          "Fn::Join": [
            "",
            [
              "arn:",
              {
                "Ref": "AWS::Partition"
              },
              ":execute-api:",
              {
                "Ref": "AWS::Region"
              },
              ":",
              {
                "Ref": "AWS::AccountId"
              },
              ":",
              {
                "Ref": "ApiAccountAssessmentForAWSOrganisationsApiCC987D5A"
              },
              "/test-invoke-stage/GET/policy-explorer/*"
            ]
          ]
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Api/AccountAssessmentForAWSOrganisationsApi/Default/policy-explorer/{partitionKey}/GET/ApiPermission.Test.accountassessmentforawsorganizationshubApiAccountAssessmentForAWSOrganisationsApi9D7C0494.GET..policy-explorer.{partitionKey}"
      }
    },
    "ApiAccountAssessmentForAWSOrganisationsApipolicyexplorerpartitionKeyGETB31C53C2": {
      "Type": "AWS::ApiGateway::Method",
      "Properties": {
        "AuthorizationScopes": [
          "account-assessment-api/api"
        ],
        "AuthorizationType": "COGNITO_USER_POOLS",
        "AuthorizerId": {
          "Ref": "AuthFullAccessAuthorizer1F31C21E"
        },
        "HttpMethod": "GET",
        "Integration": {
          "IntegrationHttpMethod": "POST",
          "Type": "AWS_PROXY",
          "Uri": {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":apigateway:",
                {
                  "Ref": "AWS::Region"
                },
                ":lambda:path/2015-03-31/functions/",
                {
                  "Fn::GetAtt": [
                    "PolicyExplorerReadD7458004",
                    "Arn"
                  ]
                },
                "/invocations"
              ]
            ]
          }
        },
        "ResourceId": {
          "Ref": "ApiAccountAssessmentForAWSOrganisationsApipolicyexplorerpartitionKey2E581A48"
        },
        "RestApiId": {
          "Ref": "ApiAccountAssessmentForAWSOrganisationsApiCC987D5A"
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Api/AccountAssessmentForAWSOrganisationsApi/Default/policy-explorer/{partitionKey}/GET/Resource"
      }
    },
    "ApiAccountAssessmentForAWSOrganisationsApipolicyexplorerscan794DC3D8": {
      "Type": "AWS::ApiGateway::Resource",
      "Properties": {
        "ParentId": {
          "Ref": "ApiAccountAssessmentForAWSOrganisationsApipolicyexplorer3DE2309B"
        },
        "PathPart": "scan",
        "RestApiId": {
          "Ref": "ApiAccountAssessmentForAWSOrganisationsApiCC987D5A"
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Api/AccountAssessmentForAWSOrganisationsApi/Default/policy-explorer/scan/Resource"
      }
    },
    "ApiAccountAssessmentForAWSOrganisationsApipolicyexplorerscanOPTIONS793C425E": {
      "Type": "AWS::ApiGateway::Method",
      "Properties": {
        "ApiKeyRequired": false,
        "AuthorizationType": "NONE",
        "HttpMethod": "OPTIONS",
        "Integration": {
          "IntegrationResponses": [
            {
              "ResponseParameters": {
                "method.response.header.Access-Control-Allow-Headers": "'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token,X-Amz-User-Agent'",
                "method.response.header.Access-Control-Allow-Origin": "'*'",
                "method.response.header.Access-Control-Allow-Methods": "'*'"
              },
              "StatusCode": "204"
            }
          ],
          "RequestTemplates": {
            "application/json": "{ statusCode: 200 }"
          },
          "Type": "MOCK"
        },
        "MethodResponses": [
          {
            "ResponseParameters": {
              "method.response.header.Access-Control-Allow-Headers": true,
              "method.response.header.Access-Control-Allow-Origin": true,
              "method.response.header.Access-Control-Allow-Methods": true
            },
            "StatusCode": "204"
          }
        ],
        "ResourceId": {
          "Ref": "ApiAccountAssessmentForAWSOrganisationsApipolicyexplorerscan794DC3D8"
        },
        "RestApiId": {
          "Ref": "ApiAccountAssessmentForAWSOrganisationsApiCC987D5A"
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Api/AccountAssessmentForAWSOrganisationsApi/Default/policy-explorer/scan/OPTIONS/Resource"
      }
    },
    "ApiAccountAssessmentForAWSOrganisationsApipolicyexplorerscanPOSTApiPermissionaccountassessmentforawsorganizationshubApiAccountAssessmentForAWSOrganisationsApi9D7C0494POSTpolicyexplorerscan58DF9512": {
      "Type": "AWS::Lambda::Permission",
      "Properties": {
        "Action": "lambda:InvokeFunction",
        "FunctionName": {
          "Fn::GetAtt": [
            "PolicyExplorerPolicyExplorerScanSingleAccount706DFDA3",
            "Arn"
          ]
        },
        "Principal": "apigateway.amazonaws.com",
        "SourceArn": {
          "Fn::Join": [
            "",
            [
              "arn:",
              {
                "Ref": "AWS::Partition"
              },
              ":execute-api:",
              {
                "Ref": "AWS::Region"
              },
              ":",
              {
                "Ref": "AWS::AccountId"
              },
              ":",
              {
                "Ref": "ApiAccountAssessmentForAWSOrganisationsApiCC987D5A"
              },
              "/",
              {
                "Ref": "ApiAccountAssessmentForAWSOrganisationsApiDeploymentStageprod6B748DCF"
              },
              "/POST/policy-explorer/scan"
            ]
          ]
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Api/AccountAssessmentForAWSOrganisationsApi/Default/policy-explorer/scan/POST/ApiPermission.accountassessmentforawsorganizationshubApiAccountAssessmentForAWSOrganisationsApi9D7C0494.POST..policy-explorer.scan"
      }
    },
    "ApiAccountAssessmentForAWSOrganisationsApipolicyexplorerscanPOSTApiPermissionTestaccountassessmentforawsorganizationshubApiAccountAssessmentForAWSOrganisationsApi9D7C0494POSTpolicyexplorerscan7C4C103A": {
      "Type": "AWS::Lambda::Permission",
      "Properties": {
        "Action": "lambda:InvokeFunction",
        "FunctionName": {
          "Fn::GetAtt": [
            "PolicyExplorerPolicyExplorerScanSingleAccount706DFDA3",
            "Arn"
          ]
        },
        "Principal": "apigateway.amazonaws.com",
        "SourceArn": {
          "Fn::Join": [
            "",
            [
              "arn:",
              {
                "Ref": "AWS::Partition"
              },
              ":execute-api:",
              {
                "Ref": "AWS::Region"
              },
              ":",
              {
                "Ref": "AWS::AccountId"
              },
              ":",
              {
                "Ref": "ApiAccountAssessmentForAWSOrganisationsApiCC987D5A"
              },
              "/test-invoke-stage/POST/policy-explorer/scan"
            ]
          ]
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Api/AccountAssessmentForAWSOrganisationsApi/Default/policy-explorer/scan/POST/ApiPermission.Test.accountassessmentforawsorganizationshubApiAccountAssessmentForAWSOrganisationsApi9D7C0494.POST..policy-explorer.scan"
      }
    },
    "ApiAccountAssessmentForAWSOrganisationsApipolicyexplorerscanPOST9D3A897C": {
      "Type": "AWS::ApiGateway::Method",
      "Properties": {
        "AuthorizationScopes": [
          "account-assessment-api/api"
        ],
        "AuthorizationType": "COGNITO_USER_POOLS",
        "AuthorizerId": {
          "Ref": "AuthFullAccessAuthorizer1F31C21E"
        },
        "HttpMethod": "POST",
        "Integration": {
          "IntegrationHttpMethod": "POST",
          "Type": "AWS_PROXY",
          "Uri": {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":apigateway:",
                {
                  "Ref": "AWS::Region"
                },
                ":lambda:path/2015-03-31/functions/",
                {
                  "Fn::GetAtt": [
                    "PolicyExplorerPolicyExplorerScanSingleAccount706DFDA3",
                    "Arn"
                  ]
                },
                "/invocations"
              ]
            ]
          }
        },
        "ResourceId": {
          "Ref": "ApiAccountAssessmentForAWSOrganisationsApipolicyexplorerscan794DC3D8"
        },
        "RestApiId": {
          "Ref": "ApiAccountAssessmentForAWSOrganisationsApiCC987D5A"
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Api/AccountAssessmentForAWSOrganisationsApi/Default/policy-explorer/scan/POST/Resource"
      }
    },
    "ApiCORSResponse4xxFE19E5DC": {
      "Type": "AWS::ApiGateway::GatewayResponse",
      "Properties": {
        "ResponseParameters": {
          "gatewayresponse.header.gatewayresponse.header.Access-Control-Allow-Origin": "'*'",
          "gatewayresponse.header.gatewayresponse.header.Access-Control-Allow-Headers": "'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token,X-Amz-User-Agent'",
          "gatewayresponse.header.gatewayresponse.header.Access-Control-Allow-Methods": "'GET,OPTIONS,POST,PUT,DELETE'"
        },
        "ResponseType": "DEFAULT_4XX",
        "RestApiId": {
          "Ref": "ApiAccountAssessmentForAWSOrganisationsApiCC987D5A"
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Api/CORSResponse4xx/Resource"
      }
    },
    "ApiCORSResponse5xxF5A162EC": {
      "Type": "AWS::ApiGateway::GatewayResponse",
      "Properties": {
        "ResponseParameters": {
          "gatewayresponse.header.gatewayresponse.header.Access-Control-Allow-Origin": "'*'",
          "gatewayresponse.header.gatewayresponse.header.Access-Control-Allow-Headers": "'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token,X-Amz-User-Agent'",
          "gatewayresponse.header.gatewayresponse.header.Access-Control-Allow-Methods": "'GET,OPTIONS,POST,PUT,DELETE'"
        },
        "ResponseType": "DEFAULT_5XX",
        "RestApiId": {
          "Ref": "ApiAccountAssessmentForAWSOrganisationsApiCC987D5A"
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Api/CORSResponse5xx/Resource"
      }
    },
    "ApiIPSet27316B4C": {
      "Type": "AWS::WAFv2::IPSet",
      "Properties": {
        "Addresses": {
          "Ref": "AllowListedIPRanges"
        },
        "IPAddressVersion": "IPV4",
        "Scope": "REGIONAL"
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Api/IPSet"
      }
    },
    "ApiMyCfnWebACLAssociation75BACA0F": {
      "Type": "AWS::WAFv2::WebACLAssociation",
      "Properties": {
        "ResourceArn": {
          "Fn::Join": [
            "",
            [
              "arn:",
              {
                "Ref": "AWS::Partition"
              },
              ":apigateway:",
              {
                "Ref": "AWS::Region"
              },
              "::/restapis/",
              {
                "Ref": "ApiAccountAssessmentForAWSOrganisationsApiCC987D5A"
              },
              "/stages/",
              {
                "Ref": "ApiAccountAssessmentForAWSOrganisationsApiDeploymentStageprod6B748DCF"
              }
            ]
          ]
        },
        "WebACLArn": {
          "Fn::GetAtt": [
            "WebACL",
            "Arn"
          ]
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Api/MyCfnWebACLAssociation"
      }
    },
    "WebACL": {
      "Type": "AWS::WAFv2::WebACL",
      "Properties": {
        "DefaultAction": {
          "Block": {}
        },
        "Rules": [
          {
            "Action": {
              "Allow": {}
            },
            "Name": "AllowlistRule",
            "Priority": 0,
            "Statement": {
              "IPSetReferenceStatement": {
                "Arn": {
                  "Fn::GetAtt": [
                    "ApiIPSet27316B4C",
                    "Arn"
                  ]
                }
              }
            },
            "VisibilityConfig": {
              "CloudWatchMetricsEnabled": true,
              "MetricName": "AccountAssessment-AllowlistMetric",
              "SampledRequestsEnabled": true
            }
          },
          {
            "Name": "AWS-AWSManagedRulesBotControlRuleSet",
            "OverrideAction": {
              "None": {}
            },
            "Priority": 1,
            "Statement": {
              "ManagedRuleGroupStatement": {
                "Name": "AWSManagedRulesBotControlRuleSet",
                "VendorName": "AWS"
              }
            },
            "VisibilityConfig": {
              "CloudWatchMetricsEnabled": true,
              "MetricName": "AWSManagedRulesBotControlRuleSet",
              "SampledRequestsEnabled": true
            }
          },
          {
            "Name": "AWS-AWSManagedRulesKnownBadInputsRuleSet",
            "OverrideAction": {
              "None": {}
            },
            "Priority": 2,
            "Statement": {
              "ManagedRuleGroupStatement": {
                "Name": "AWSManagedRulesKnownBadInputsRuleSet",
                "VendorName": "AWS"
              }
            },
            "VisibilityConfig": {
              "CloudWatchMetricsEnabled": true,
              "MetricName": "AWSManagedRulesKnownBadInputsRuleSet",
              "SampledRequestsEnabled": true
            }
          },
          {
            "Name": "AWS-AWSManagedRulesCommonRuleSet",
            "OverrideAction": {
              "None": {}
            },
            "Priority": 3,
            "Statement": {
              "ManagedRuleGroupStatement": {
                "Name": "AWSManagedRulesCommonRuleSet",
                "VendorName": "AWS"
              }
            },
            "VisibilityConfig": {
              "CloudWatchMetricsEnabled": true,
              "MetricName": "AWSManagedRulesCommonRuleSet",
              "SampledRequestsEnabled": true
            }
          },
          {
            "Name": "AWS-AWSManagedRulesAnonymousIpList",
            "OverrideAction": {
              "None": {}
            },
            "Priority": 4,
            "Statement": {
              "ManagedRuleGroupStatement": {
                "Name": "AWSManagedRulesAnonymousIpList",
                "VendorName": "AWS"
              }
            },
            "VisibilityConfig": {
              "CloudWatchMetricsEnabled": true,
              "MetricName": "AWSManagedRulesAnonymousIpList",
              "SampledRequestsEnabled": true
            }
          },
          {
            "Name": "AWS-AWSManagedRulesAmazonIpReputationList",
            "OverrideAction": {
              "None": {}
            },
            "Priority": 5,
            "Statement": {
              "ManagedRuleGroupStatement": {
                "Name": "AWSManagedRulesAmazonIpReputationList",
                "VendorName": "AWS"
              }
            },
            "VisibilityConfig": {
              "CloudWatchMetricsEnabled": true,
              "MetricName": "AWSManagedRulesAmazonIpReputationList",
              "SampledRequestsEnabled": true
            }
          },
          {
            "Name": "AWS-AWSManagedRulesAdminProtectionRuleSet",
            "OverrideAction": {
              "None": {}
            },
            "Priority": 6,
            "Statement": {
              "ManagedRuleGroupStatement": {
                "Name": "AWSManagedRulesAdminProtectionRuleSet",
                "VendorName": "AWS"
              }
            },
            "VisibilityConfig": {
              "CloudWatchMetricsEnabled": true,
              "MetricName": "AWSManagedRulesAdminProtectionRuleSet",
              "SampledRequestsEnabled": true
            }
          },
          {
            "Name": "AWS-AWSManagedRulesSQLiRuleSet",
            "OverrideAction": {
              "None": {}
            },
            "Priority": 7,
            "Statement": {
              "ManagedRuleGroupStatement": {
                "Name": "AWSManagedRulesSQLiRuleSet",
                "VendorName": "AWS"
              }
            },
            "VisibilityConfig": {
              "CloudWatchMetricsEnabled": true,
              "MetricName": "AWSManagedRulesSQLiRuleSet",
              "SampledRequestsEnabled": true
            }
          }
        ],
        "Scope": "REGIONAL",
        "VisibilityConfig": {
          "CloudWatchMetricsEnabled": true,
          "MetricName": "AccountAssessmentWebAclMetrics",
          "SampledRequestsEnabled": true
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/WebACL"
      }
    },
    "CloudFrontS3LoggingBucketE3DA3BDA": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketEncryption": {
          "ServerSideEncryptionConfiguration": [
            {
              "ServerSideEncryptionByDefault": {
                "SSEAlgorithm": "AES256"
              }
            }
          ]
        },
        "PublicAccessBlockConfiguration": {
          "BlockPublicAcls": true,
          "BlockPublicPolicy": true,
          "IgnorePublicAcls": true,
          "RestrictPublicBuckets": true
        },
        "VersioningConfiguration": {
          "Status": "Enabled"
        }
      },
      "UpdateReplacePolicy": "Retain",
      "DeletionPolicy": "Retain",
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/CloudFront/S3LoggingBucket/Resource",
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "W35",
              "reason": "This S3 bucket is used as the access logging bucket for another bucket"
            }
          ]
        }
      }
    },
    "CloudFrontS3LoggingBucketPolicyFA23F105": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": {
          "Ref": "CloudFrontS3LoggingBucketE3DA3BDA"
        },
        "PolicyDocument": {
          "Statement": [
            {
              "Action": "s3:*",
              "Condition": {
                "Bool": {
                  "aws:SecureTransport": "false"
                }
              },
              "Effect": "Deny",
              "Principal": {
                "AWS": "*"
              },
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "CloudFrontS3LoggingBucketE3DA3BDA",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "CloudFrontS3LoggingBucketE3DA3BDA",
                          "Arn"
                        ]
                      },
                      "/*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": "s3:PutObject",
              "Condition": {
                "ArnLike": {
                  "aws:SourceArn": {
                    "Fn::GetAtt": [
                      "CloudFrontS3Bucket68FEB4E1",
                      "Arn"
                    ]
                  }
                },
                "StringEquals": {
                  "aws:SourceAccount": {
                    "Ref": "AWS::AccountId"
                  }
                }
              },
              "Effect": "Allow",
              "Principal": {
                "Service": "logging.s3.amazonaws.com"
              },
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    {
                      "Fn::GetAtt": [
                        "CloudFrontS3LoggingBucketE3DA3BDA",
                        "Arn"
                      ]
                    },
                    "/*"
                  ]
                ]
              }
            }
          ],
          "Version": "2012-10-17"
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/CloudFront/S3LoggingBucket/Policy/Resource"
      }
    },
    "CloudFrontS3Bucket68FEB4E1": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketEncryption": {
          "ServerSideEncryptionConfiguration": [
            {
              "ServerSideEncryptionByDefault": {
                "SSEAlgorithm": "AES256"
              }
            }
          ]
        },
        "LifecycleConfiguration": {
          "Rules": [
            {
              "NoncurrentVersionTransitions": [
                {
                  "StorageClass": "GLACIER",
                  "TransitionInDays": 90
                }
              ],
              "Status": "Enabled"
            }
          ]
        },
        "LoggingConfiguration": {
          "DestinationBucketName": {
            "Ref": "CloudFrontS3LoggingBucketE3DA3BDA"
          }
        },
        "PublicAccessBlockConfiguration": {
          "BlockPublicAcls": true,
          "BlockPublicPolicy": true,
          "IgnorePublicAcls": true,
          "RestrictPublicBuckets": true
        },
        "VersioningConfiguration": {
          "Status": "Enabled"
        }
      },
      "UpdateReplacePolicy": "Retain",
      "DeletionPolicy": "Retain",
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/CloudFront/S3Bucket/Resource"
      }
    },
    "CloudFrontS3BucketPolicy9059DB0F": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": {
          "Ref": "CloudFrontS3Bucket68FEB4E1"
        },
        "PolicyDocument": {
          "Statement": [
            {
              "Action": "s3:*",
              "Condition": {
                "Bool": {
                  "aws:SecureTransport": "false"
                }
              },
              "Effect": "Deny",
              "Principal": {
                "AWS": "*"
              },
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "CloudFrontS3Bucket68FEB4E1",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "CloudFrontS3Bucket68FEB4E1",
                          "Arn"
                        ]
                      },
                      "/*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": "s3:GetObject",
              "Condition": {
                "StringEquals": {
                  "AWS:SourceArn": {
                    "Fn::Join": [
                      "",
                      [
                        "arn:",
                        {
                          "Ref": "AWS::Partition"
                        },
                        ":cloudfront::",
                        {
                          "Ref": "AWS::AccountId"
                        },
                        ":distribution/",
                        {
                          "Ref": "CloudFrontCloudFrontDistribution824F3346"
                        }
                      ]
                    ]
                  }
                }
              },
              "Effect": "Allow",
              "Principal": {
                "Service": "cloudfront.amazonaws.com"
              },
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    {
                      "Fn::GetAtt": [
                        "CloudFrontS3Bucket68FEB4E1",
                        "Arn"
                      ]
                    },
                    "/*"
                  ]
                ]
              }
            }
          ],
          "Version": "2012-10-17"
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/CloudFront/S3Bucket/Policy/Resource",
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "F16",
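              "reason": "The only wildcard principal in this policy is on the Deny statement that rejects requests made without TLS (aws:SecureTransport false); read access is allowed only to cloudfront.amazonaws.com for the solution's CloudFront distribution"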
            }
          ]
        }
      }
    },
    "CloudFrontCloudfrontLoggingBucketAccessLogD57288E7": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketEncryption": {
          "ServerSideEncryptionConfiguration": [
            {
              "ServerSideEncryptionByDefault": {
                "SSEAlgorithm": "AES256"
              }
            }
          ]
        },
        "PublicAccessBlockConfiguration": {
          "BlockPublicAcls": true,
          "BlockPublicPolicy": true,
          "IgnorePublicAcls": true,
          "RestrictPublicBuckets": true
        },
        "VersioningConfiguration": {
          "Status": "Enabled"
        }
      },
      "UpdateReplacePolicy": "Retain",
      "DeletionPolicy": "Retain",
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/CloudFront/CloudfrontLoggingBucketAccessLog/Resource",
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "W35",
              "reason": "This S3 bucket is used as the access logging bucket for another bucket"
            }
          ]
        }
      }
    },
    "CloudFrontCloudfrontLoggingBucketAccessLogPolicy2D3F422E": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": {
          "Ref": "CloudFrontCloudfrontLoggingBucketAccessLogD57288E7"
        },
        "PolicyDocument": {
          "Statement": [
            {
              "Action": "s3:*",
              "Condition": {
                "Bool": {
                  "aws:SecureTransport": "false"
                }
              },
              "Effect": "Deny",
              "Principal": {
                "AWS": "*"
              },
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "CloudFrontCloudfrontLoggingBucketAccessLogD57288E7",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "CloudFrontCloudfrontLoggingBucketAccessLogD57288E7",
                          "Arn"
                        ]
                      },
                      "/*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": "s3:PutObject",
              "Condition": {
                "ArnLike": {
                  "aws:SourceArn": {
                    "Fn::GetAtt": [
                      "CloudFrontCloudfrontLoggingBucketE23C521E",
                      "Arn"
                    ]
                  }
                },
                "StringEquals": {
                  "aws:SourceAccount": {
                    "Ref": "AWS::AccountId"
                  }
                }
              },
              "Effect": "Allow",
              "Principal": {
                "Service": "logging.s3.amazonaws.com"
              },
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    {
                      "Fn::GetAtt": [
                        "CloudFrontCloudfrontLoggingBucketAccessLogD57288E7",
                        "Arn"
                      ]
                    },
                    "/*"
                  ]
                ]
              }
            }
          ],
          "Version": "2012-10-17"
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/CloudFront/CloudfrontLoggingBucketAccessLog/Policy/Resource"
      }
    },
    "CloudFrontCloudfrontLoggingBucketE23C521E": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "AccessControl": "LogDeliveryWrite",
        "BucketEncryption": {
          "ServerSideEncryptionConfiguration": [
            {
              "ServerSideEncryptionByDefault": {
                "SSEAlgorithm": "AES256"
              }
            }
          ]
        },
        "LoggingConfiguration": {
          "DestinationBucketName": {
            "Ref": "CloudFrontCloudfrontLoggingBucketAccessLogD57288E7"
          }
        },
        "OwnershipControls": {
          "Rules": [
            {
              "ObjectOwnership": "ObjectWriter"
            }
          ]
        },
        "PublicAccessBlockConfiguration": {
          "BlockPublicAcls": true,
          "BlockPublicPolicy": true,
          "IgnorePublicAcls": true,
          "RestrictPublicBuckets": true
        },
        "VersioningConfiguration": {
          "Status": "Enabled"
        }
      },
      "UpdateReplacePolicy": "Retain",
      "DeletionPolicy": "Retain",
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/CloudFront/CloudfrontLoggingBucket/Resource"
      }
    },
    "CloudFrontCloudfrontLoggingBucketPolicyD60AA01A": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": {
          "Ref": "CloudFrontCloudfrontLoggingBucketE23C521E"
        },
        "PolicyDocument": {
          "Statement": [
            {
              "Action": "s3:*",
              "Condition": {
                "Bool": {
                  "aws:SecureTransport": "false"
                }
              },
              "Effect": "Deny",
              "Principal": {
                "AWS": "*"
              },
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "CloudFrontCloudfrontLoggingBucketE23C521E",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "CloudFrontCloudfrontLoggingBucketE23C521E",
                          "Arn"
                        ]
                      },
                      "/*"
                    ]
                  ]
                }
              ]
            }
          ],
          "Version": "2012-10-17"
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/CloudFront/CloudfrontLoggingBucket/Policy/Resource"
      }
    },
    "CloudFrontCloudFrontOac36AB834C": {
      "Type": "AWS::CloudFront::OriginAccessControl",
      "Properties": {
        "OriginAccessControlConfig": {
          "Description": "Origin access control provisioned by aws-cloudfront-s3",
          "Name": {
            "Fn::Join": [
              "",
              [
                "aws-cloudfront-s3-ClouFront-",
                {
                  "Fn::Select": [
                    2,
                    {
                      "Fn::Split": [
                        "/",
                        {
                          "Ref": "AWS::StackId"
                        }
                      ]
                    }
                  ]
                }
              ]
            ]
          },
          "OriginAccessControlOriginType": "s3",
          "SigningBehavior": "always",
          "SigningProtocol": "sigv4"
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/CloudFront/CloudFrontOac"
      }
    },
    "CloudFrontResponseHeadersPolicy167CC132": {
      "Type": "AWS::CloudFront::ResponseHeadersPolicy",
      "Properties": {
        "ResponseHeadersPolicyConfig": {
          "Comment": "Adds a set of recommended security headers",
          "CustomHeadersConfig": {
            "Items": [
              {
                "Header": "Cache-Control",
                "Override": true,
                "Value": "no-store, no-cache"
              },
              {
                "Header": "Pragma",
                "Override": true,
                "Value": "no-cache"
              }
            ]
          },
          "Name": {
            "Fn::Join": [
              "-",
              [
                "AccountAssessmentHeaders-WebUIHosting",
                {
                  "Ref": "DeploymentNamespace"
                },
                {
                  "Ref": "AWS::Region"
                }
              ]
            ]
          },
          "SecurityHeadersConfig": {
            "ContentSecurityPolicy": {
              "ContentSecurityPolicy": "upgrade-insecure-requests; default-src 'none'; manifest-src 'self'; img-src 'self'; font-src data:; connect-src 'self' https:; script-src 'self'; style-src https:; base-uri 'none'; frame-ancestors 'none';",
              "Override": true
            },
            "ContentTypeOptions": {
              "Override": true
            },
            "FrameOptions": {
              "FrameOption": "DENY",
              "Override": true
            },
            "ReferrerPolicy": {
              "Override": true,
              "ReferrerPolicy": "same-origin"
            },
            "StrictTransportSecurity": {
              "AccessControlMaxAgeSec": 2592000,
              "IncludeSubdomains": true,
              "Override": true,
              "Preload": true
            }
          }
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/CloudFront/ResponseHeadersPolicy/Resource"
      }
    },
    "CloudFrontCloudFrontDistribution824F3346": {
      "Type": "AWS::CloudFront::Distribution",
      "Properties": {
        "DistributionConfig": {
          "CustomErrorResponses": [
            {
              "ErrorCachingMinTTL": 300,
              "ErrorCode": 403,
              "ResponseCode": 200,
              "ResponsePagePath": "/index.html"
            },
            {
              "ErrorCachingMinTTL": 300,
              "ErrorCode": 404,
              "ResponseCode": 200,
              "ResponsePagePath": "/index.html"
            },
            {
              "ErrorCachingMinTTL": 300,
              "ErrorCode": 400,
              "ResponseCode": 200,
              "ResponsePagePath": "/index.html"
            }
          ],
          "DefaultCacheBehavior": {
            "CachePolicyId": "658327ea-f89d-4fab-a63d-7e88639e58f6",
            "Compress": true,
            "ResponseHeadersPolicyId": {
              "Ref": "CloudFrontResponseHeadersPolicy167CC132"
            },
            "TargetOriginId": "accountassessmentforawsorganizationshubCloudFrontCloudFrontDistributionOrigin10C86FE6E",
            "ViewerProtocolPolicy": "redirect-to-https"
          },
          "DefaultRootObject": "index.html",
          "Enabled": true,
          "HttpVersion": "http2",
          "IPV6Enabled": true,
          "Logging": {
            "Bucket": {
              "Fn::GetAtt": [
                "CloudFrontCloudfrontLoggingBucketE23C521E",
                "RegionalDomainName"
              ]
            }
          },
          "Origins": [
            {
              "DomainName": {
                "Fn::GetAtt": [
                  "CloudFrontS3Bucket68FEB4E1",
                  "RegionalDomainName"
                ]
              },
              "Id": "accountassessmentforawsorganizationshubCloudFrontCloudFrontDistributionOrigin10C86FE6E",
              "OriginAccessControlId": {
                "Fn::GetAtt": [
                  "CloudFrontCloudFrontOac36AB834C",
                  "Id"
                ]
              },
              "S3OriginConfig": {
                "OriginAccessIdentity": ""
              }
            }
          ]
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/CloudFront/CloudFrontDistribution/Resource",
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "W70",
              "reason": "Since the distribution uses the CloudFront domain name, CloudFront automatically sets the security policy to TLSv1 regardless of the value of MinimumProtocolVersion"
            }
          ]
        }
      }
    },
    "AuthDomainLambdaServiceRoleF1A81F0E": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "lambda.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "ManagedPolicyArns": [
          {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
              ]
            ]
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Auth/DomainLambda/ServiceRole/Resource",
        "guard": {
          "SuppressedRules": [
            "CFN_NO_EXPLICIT_RESOURCE_NAMES"
          ]
        }
      }
    },
    "AuthDomainLambdaServiceRoleDefaultPolicyEF8D5B6D": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "xray:PutTraceSegments",
                "xray:PutTelemetryRecords"
              ],
              "Effect": "Allow",
              "Resource": "*"
            },
            {
              "Action": [
                "cognito-idp:CreateUserPoolDomain",
                "cognito-idp:DeleteUserPoolDomain"
              ],
              "Effect": "Allow",
              "Resource": {
                "Fn::GetAtt": [
                  "AuthFullAccessUsers932AF091",
                  "Arn"
                ]
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "AuthDomainLambdaServiceRoleDefaultPolicyEF8D5B6D",
        "Roles": [
          {
            "Ref": "AuthDomainLambdaServiceRoleF1A81F0E"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Auth/DomainLambda/ServiceRole/DefaultPolicy/Resource",
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "W12",
              "reason": "Resource * is necessary for xray:PutTraceSegments and xray:PutTelemetryRecords."
            }
          ]
        }
      }
    },
    "AuthDomainLambda42690529": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Code": {
          "S3Bucket": {
            "Fn::Sub": "solutions-${AWS::Region}"
          },
          "S3Key": "account-assessment-for-aws-organizations/1.1.11/lambda.zip"
        },
        "Handler": "manage_cognito_domain/manage_cognito_domain.lambda_handler",
        "Role": {
          "Fn::GetAtt": [
            "AuthDomainLambdaServiceRoleF1A81F0E",
            "Arn"
          ]
        },
        "Runtime": "python3.12",
        "Timeout": 300,
        "TracingConfig": {
          "Mode": "Active"
        }
      },
      "DependsOn": [
        "AuthDomainLambdaServiceRoleDefaultPolicyEF8D5B6D",
        "AuthDomainLambdaServiceRoleF1A81F0E"
      ],
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Auth/DomainLambda/Resource",
        "aws:asset:path": "asset.75af5bc354d804a606f4a3ffdb615436c4b3930dd3b4316b802ec94f573b0763.zip",
        "aws:asset:is-bundled": false,
        "aws:asset:property": "Code",
        "guard": {
          "SuppressedRules": [
            "LAMBDA_INSIDE_VPC",
            "LAMBDA_CONCURRENCY_CHECK"
          ]
        }
      }
    },
    "AuthFullAccessUsers932AF091": {
      "Type": "AWS::Cognito::UserPool",
      "Properties": {
        "AccountRecoverySetting": {
          "RecoveryMechanisms": [
            {
              "Name": "verified_phone_number",
              "Priority": 1
            },
            {
              "Name": "verified_email",
              "Priority": 2
            }
          ]
        },
        "AdminCreateUserConfig": {
          "AllowAdminCreateUserOnly": true,
          "InviteMessageTemplate": {
            "EmailMessage": {
              "Fn::Join": [
                "",
                [
                  "<p>Account Assessment for AWS Organizations</p><p>Here are your temporary login credentials for the WebUI: https://",
                  {
                    "Fn::GetAtt": [
                      "CloudFrontCloudFrontDistribution824F3346",
                      "DomainName"
                    ]
                  },
                  "</p>\n<p>\nRegion: ",
                  {
                    "Ref": "AWS::Region"
                  },
                  "<br />\nUsername: <strong>{username}</strong><br />\nTemporary Password: <strong>{####}</strong>\n</p>"
                ]
              ]
            },
            "EmailSubject": "WebUI Credentials - Account Assessment for AWS Organizations"
          }
        },
        "AutoVerifiedAttributes": [
          "email"
        ],
        "EmailVerificationMessage": "The verification code to your new account is {####}",
        "EmailVerificationSubject": "Verify your new account",
        "EnabledMfas": [
          "SOFTWARE_TOKEN_MFA"
        ],
        "MfaConfiguration": {
          "Ref": "MultiFactorAuthentication"
        },
        "Policies": {
          "PasswordPolicy": {
            "MinimumLength": 8,
            "RequireLowercase": true,
            "RequireNumbers": true,
            "RequireSymbols": true,
            "RequireUppercase": true,
            "TemporaryPasswordValidityDays": 7
          }
        },
        "SmsVerificationMessage": "The verification code to your new account is {####}",
        "UsernameAttributes": [
          "email"
        ],
        "VerificationMessageTemplate": {
          "DefaultEmailOption": "CONFIRM_WITH_CODE",
          "EmailMessage": "The verification code to your new account is {####}",
          "EmailSubject": "Verify your new account",
          "SmsMessage": "The verification code to your new account is {####}"
        }
      },
      "UpdateReplacePolicy": "Retain",
      "DeletionPolicy": "Retain",
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Auth/FullAccessUsers/Resource"
      }
    },
    "AuthFullAccessUsersWebUIClient18642E52": {
      "Type": "AWS::Cognito::UserPoolClient",
      "Properties": {
        "AllowedOAuthFlows": [
          "code"
        ],
        "AllowedOAuthFlowsUserPoolClient": true,
        "AllowedOAuthScopes": [
          "openid",
          "profile",
          "email",
          "aws.cognito.signin.user.admin",
          "account-assessment-api/api"
        ],
        "CallbackURLs": [
          "http://localhost:3000/",
          {
            "Fn::Join": [
              "",
              [
                "https://",
                {
                  "Fn::GetAtt": [
                    "CloudFrontCloudFrontDistribution824F3346",
                    "DomainName"
                  ]
                },
                "/"
              ]
            ]
          }
        ],
        "ExplicitAuthFlows": [
          "ALLOW_USER_SRP_AUTH",
          "ALLOW_REFRESH_TOKEN_AUTH"
        ],
        "LogoutURLs": [
          "http://localhost:3000/",
          {
            "Fn::Join": [
              "",
              [
                "https://",
                {
                  "Fn::GetAtt": [
                    "CloudFrontCloudFrontDistribution824F3346",
                    "DomainName"
                  ]
                },
                "/"
              ]
            ]
          }
        ],
        "SupportedIdentityProviders": [
          "COGNITO"
        ],
        "UserPoolId": {
          "Ref": "AuthFullAccessUsers932AF091"
        }
      },
      "DependsOn": [
        "AuthResourceServer569006C5"
      ],
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Auth/FullAccessUsers/WebUIClient/Resource"
      }
    },
    "AuthUserPoolDomainCustomResource77C501EE": {
      "Type": "AWS::CloudFormation::CustomResource",
      "Properties": {
        "ServiceToken": {
          "Fn::GetAtt": [
            "AuthDomainLambda42690529",
            "Arn"
          ]
        },
        "UserPoolId": {
          "Ref": "AuthFullAccessUsers932AF091"
        },
        "DomainPrefix": {
          "Fn::Join": [
            "",
            [
              {
                "Ref": "DeploymentNamespace"
              },
              "-",
              {
                "Ref": "AWS::AccountId"
              }
            ]
          ]
        }
      },
      "UpdateReplacePolicy": "Delete",
      "DeletionPolicy": "Delete",
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Auth/UserPoolDomainCustomResource/Default"
      }
    },
    "AuthResourceServer569006C5": {
      "Type": "AWS::Cognito::UserPoolResourceServer",
      "Properties": {
        "Identifier": "account-assessment-api",
        "Name": "Resource Server representing the API Gateway of the solution",
        "Scopes": [
          {
            "ScopeDescription": "Access to solution API",
            "ScopeName": "api"
          }
        ],
        "UserPoolId": {
          "Ref": "AuthFullAccessUsers932AF091"
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Auth/ResourceServer/Resource"
      }
    },
    "AuthFullAccessGroup00D474E7": {
      "Type": "AWS::Cognito::UserPoolGroup",
      "Properties": {
        "Description": "Provides unrestricted access to the RestApi",
        "GroupName": "FullAccessGroup",
        "UserPoolId": {
          "Ref": "AuthFullAccessUsers932AF091"
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Auth/FullAccessGroup"
      }
    },
    "AuthInitialFullAccessUser3C7C83CA": {
      "Type": "AWS::Cognito::UserPoolUser",
      "Properties": {
        "UserAttributes": [
          {
            "Name": "email_verified",
            "Value": "true"
          },
          {
            "Name": "email",
            "Value": {
              "Ref": "UserEmail"
            }
          }
        ],
        "UserPoolId": {
          "Ref": "AuthFullAccessUsers932AF091"
        },
        "Username": {
          "Ref": "UserEmail"
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Auth/InitialFullAccessUser"
      }
    },
    "AuthInitialFullAccessUserToGroupAttachmentF5F4B4BB": {
      "Type": "AWS::Cognito::UserPoolUserToGroupAttachment",
      "Properties": {
        "GroupName": "FullAccessGroup",
        "UserPoolId": {
          "Ref": "AuthFullAccessUsers932AF091"
        },
        "Username": {
          "Ref": "UserEmail"
        }
      },
      "DependsOn": [
        "AuthFullAccessGroup00D474E7",
        "AuthInitialFullAccessUser3C7C83CA"
      ],
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Auth/InitialFullAccessUserToGroupAttachment"
      }
    },
    "AuthFullAccessAuthorizer1F31C21E": {
      "Type": "AWS::ApiGateway::Authorizer",
      "Properties": {
        "IdentitySource": "method.request.header.Authorization",
        "Name": "FullAccessAuthorizer",
        "ProviderARNs": [
          {
            "Fn::GetAtt": [
              "AuthFullAccessUsers932AF091",
              "Arn"
            ]
          }
        ],
        "RestApiId": {
          "Ref": "ApiAccountAssessmentForAWSOrganisationsApiCC987D5A"
        },
        "Type": "COGNITO_USER_POOLS"
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/Auth/FullAccessAuthorizer"
      }
    },
    "JobHistoryTableE4B293DD": {
      "Type": "AWS::DynamoDB::Table",
      "Properties": {
        "AttributeDefinitions": [
          {
            "AttributeName": "PartitionKey",
            "AttributeType": "S"
          },
          {
            "AttributeName": "SortKey",
            "AttributeType": "S"
          }
        ],
        "BillingMode": "PAY_PER_REQUEST",
        "KeySchema": [
          {
            "AttributeName": "PartitionKey",
            "KeyType": "HASH"
          },
          {
            "AttributeName": "SortKey",
            "KeyType": "RANGE"
          }
        ],
        "PointInTimeRecoverySpecification": {
          "PointInTimeRecoveryEnabled": true,
          "RecoveryPeriodInDays": 10
        },
        "SSESpecification": {
          "SSEEnabled": true
        },
        "TimeToLiveSpecification": {
          "AttributeName": "ExpiresAt",
          "Enabled": true
        }
      },
      "UpdateReplacePolicy": "Retain",
      "DeletionPolicy": "Retain",
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/JobHistory/Table/Resource",
        "guard": {
          "SuppressedRules": [
            "DYNAMODB_TABLE_ENCRYPTED_KMS",
            "DYNAMODB_TABLE_ENCRYPTED_KMS_ALLOWED_ALGORITHMS"
          ]
        }
      }
    },
    "JobHistoryJobsHandlerServiceRole5B211282": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "lambda.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "ManagedPolicyArns": [
          {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
              ]
            ]
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/JobHistory/JobsHandler/ServiceRole/Resource",
        "guard": {
          "SuppressedRules": [
            "CFN_NO_EXPLICIT_RESOURCE_NAMES"
          ]
        }
      }
    },
    "JobHistoryJobsHandlerServiceRoleDefaultPolicy4863DA03": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "xray:PutTraceSegments",
                "xray:PutTelemetryRecords"
              ],
              "Effect": "Allow",
              "Resource": "*"
            },
            {
              "Action": [
                "dynamodb:BatchGetItem",
                "dynamodb:Query",
                "dynamodb:GetItem",
                "dynamodb:Scan",
                "dynamodb:ConditionCheckItem",
                "dynamodb:BatchWriteItem",
                "dynamodb:PutItem",
                "dynamodb:UpdateItem",
                "dynamodb:DeleteItem",
                "dynamodb:DescribeTable"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "JobHistoryTableE4B293DD",
                    "Arn"
                  ]
                }
              ]
            },
            {
              "Action": [
                "dynamodb:GetRecords",
                "dynamodb:GetShardIterator"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "JobHistoryTableE4B293DD",
                    "Arn"
                  ]
                }
              ]
            },
            {
              "Action": [
                "dynamodb:BatchGetItem",
                "dynamodb:Query",
                "dynamodb:GetItem",
                "dynamodb:Scan",
                "dynamodb:ConditionCheckItem",
                "dynamodb:BatchWriteItem",
                "dynamodb:PutItem",
                "dynamodb:UpdateItem",
                "dynamodb:DeleteItem",
                "dynamodb:DescribeTable"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "DelegatedAdminsTable29E80916",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "DelegatedAdminsTable29E80916",
                          "Arn"
                        ]
                      },
                      "/index/*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": [
                "dynamodb:GetRecords",
                "dynamodb:GetShardIterator"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "DelegatedAdminsTable29E80916",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "DelegatedAdminsTable29E80916",
                          "Arn"
                        ]
                      },
                      "/index/*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": "dynamodb:Query",
              "Effect": "Allow",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    {
                      "Fn::GetAtt": [
                        "DelegatedAdminsTable29E80916",
                        "Arn"
                      ]
                    },
                    "/index/*"
                  ]
                ]
              }
            },
            {
              "Action": [
                "dynamodb:BatchGetItem",
                "dynamodb:Query",
                "dynamodb:GetItem",
                "dynamodb:Scan",
                "dynamodb:ConditionCheckItem",
                "dynamodb:BatchWriteItem",
                "dynamodb:PutItem",
                "dynamodb:UpdateItem",
                "dynamodb:DeleteItem",
                "dynamodb:DescribeTable"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "TrustedAccessTable495B447A",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "TrustedAccessTable495B447A",
                          "Arn"
                        ]
                      },
                      "/index/*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": [
                "dynamodb:GetRecords",
                "dynamodb:GetShardIterator"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "TrustedAccessTable495B447A",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "TrustedAccessTable495B447A",
                          "Arn"
                        ]
                      },
                      "/index/*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": "dynamodb:Query",
              "Effect": "Allow",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    {
                      "Fn::GetAtt": [
                        "TrustedAccessTable495B447A",
                        "Arn"
                      ]
                    },
                    "/index/*"
                  ]
                ]
              }
            },
            {
              "Action": [
                "dynamodb:BatchGetItem",
                "dynamodb:Query",
                "dynamodb:GetItem",
                "dynamodb:Scan",
                "dynamodb:ConditionCheckItem",
                "dynamodb:BatchWriteItem",
                "dynamodb:PutItem",
                "dynamodb:UpdateItem",
                "dynamodb:DeleteItem",
                "dynamodb:DescribeTable"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "ResourceBasedPolicyTable7277C643",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "ResourceBasedPolicyTable7277C643",
                          "Arn"
                        ]
                      },
                      "/index/*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": [
                "dynamodb:GetRecords",
                "dynamodb:GetShardIterator"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "ResourceBasedPolicyTable7277C643",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "ResourceBasedPolicyTable7277C643",
                          "Arn"
                        ]
                      },
                      "/index/*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": "dynamodb:Query",
              "Effect": "Allow",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    {
                      "Fn::GetAtt": [
                        "ResourceBasedPolicyTable7277C643",
                        "Arn"
                      ]
                    },
                    "/index/*"
                  ]
                ]
              }
            },
            {
              "Action": [
                "dynamodb:BatchGetItem",
                "dynamodb:Query",
                "dynamodb:GetItem",
                "dynamodb:Scan",
                "dynamodb:ConditionCheckItem",
                "dynamodb:BatchWriteItem",
                "dynamodb:PutItem",
                "dynamodb:UpdateItem",
                "dynamodb:DeleteItem",
                "dynamodb:DescribeTable"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "PolicyExplorerTable3E6DD7C7",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "PolicyExplorerTable3E6DD7C7",
                          "Arn"
                        ]
                      },
                      "/index/*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": [
                "dynamodb:GetRecords",
                "dynamodb:GetShardIterator"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "PolicyExplorerTable3E6DD7C7",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "PolicyExplorerTable3E6DD7C7",
                          "Arn"
                        ]
                      },
                      "/index/*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": "dynamodb:Query",
              "Effect": "Allow",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    {
                      "Fn::GetAtt": [
                        "PolicyExplorerTable3E6DD7C7",
                        "Arn"
                      ]
                    },
                    "/index/*"
                  ]
                ]
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "JobHistoryJobsHandlerServiceRoleDefaultPolicy4863DA03",
        "Roles": [
          {
            "Ref": "JobHistoryJobsHandlerServiceRole5B211282"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/JobHistory/JobsHandler/ServiceRole/DefaultPolicy/Resource",
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "W12",
              "reason": "Resource * is necessary for xray:PutTraceSegments and xray:PutTelemetryRecords."
            }
          ]
        }
      }
    },
    "JobHistoryJobsHandler0605796C": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Code": {
          "S3Bucket": {
            "Fn::Sub": "solutions-${AWS::Region}"
          },
          "S3Key": "account-assessment-for-aws-organizations/1.1.11/lambda.zip"
        },
        "Environment": {
          "Variables": {
            "TABLE_JOBS": {
              "Ref": "JobHistoryTableE4B293DD"
            },
            "NAMESPACE": {
              "Ref": "DeploymentNamespace"
            },
            "POWERTOOLS_LOGGER_LOG_EVENT": "True",
            "POWERTOOLS_SERVICE_NAME": "JobsApiHandler",
            "TIME_TO_LIVE_IN_DAYS": {
              "Ref": "DynamoTimeToLive"
            },
            "SOLUTION_VERSION": "1.1.11",
            "STACK_ID": {
              "Ref": "AWS::StackId"
            },
            "SEND_ANONYMOUS_DATA": {
              "Fn::FindInMap": [
                "AnonymousData",
                "SendAnonymousData",
                "Data"
              ]
            },
            "TABLE_DELEGATED_ADMIN": {
              "Ref": "DelegatedAdminsTable29E80916"
            },
            "TABLE_TRUSTED_ACCESS": {
              "Ref": "TrustedAccessTable495B447A"
            },
            "TABLE_RESOURCE_BASED_POLICY": {
              "Ref": "ResourceBasedPolicyTable7277C643"
            },
            "TABLE_POLICY_EXPLORER": {
              "Ref": "PolicyExplorerTable3E6DD7C7"
            }
          }
        },
        "Handler": "assessment_runner/api_router.lambda_handler",
        "Role": {
          "Fn::GetAtt": [
            "JobHistoryJobsHandlerServiceRole5B211282",
            "Arn"
          ]
        },
        "Runtime": "python3.12",
        "Timeout": 60,
        "TracingConfig": {
          "Mode": "Active"
        }
      },
      "DependsOn": [
        "JobHistoryJobsHandlerServiceRoleDefaultPolicy4863DA03",
        "JobHistoryJobsHandlerServiceRole5B211282"
      ],
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/JobHistory/JobsHandler/Resource",
        "aws:asset:path": "asset.75af5bc354d804a606f4a3ffdb615436c4b3930dd3b4316b802ec94f573b0763.zip",
        "aws:asset:is-bundled": false,
        "aws:asset:property": "Code",
        "guard": {
          "SuppressedRules": [
            "LAMBDA_INSIDE_VPC",
            "LAMBDA_CONCURRENCY_CHECK"
          ]
        }
      }
    },
    "DelegatedAdminsTable29E80916": {
      "Type": "AWS::DynamoDB::Table",
      "Properties": {
        "AttributeDefinitions": [
          {
            "AttributeName": "PartitionKey",
            "AttributeType": "S"
          },
          {
            "AttributeName": "SortKey",
            "AttributeType": "S"
          },
          {
            "AttributeName": "JobId",
            "AttributeType": "S"
          }
        ],
        "BillingMode": "PAY_PER_REQUEST",
        "GlobalSecondaryIndexes": [
          {
            "IndexName": "JobId",
            "KeySchema": [
              {
                "AttributeName": "JobId",
                "KeyType": "HASH"
              }
            ],
            "Projection": {
              "ProjectionType": "ALL"
            }
          }
        ],
        "KeySchema": [
          {
            "AttributeName": "PartitionKey",
            "KeyType": "HASH"
          },
          {
            "AttributeName": "SortKey",
            "KeyType": "RANGE"
          }
        ],
        "PointInTimeRecoverySpecification": {
          "PointInTimeRecoveryEnabled": true,
          "RecoveryPeriodInDays": 10
        },
        "SSESpecification": {
          "SSEEnabled": true
        },
        "TimeToLiveSpecification": {
          "AttributeName": "ExpiresAt",
          "Enabled": true
        }
      },
      "UpdateReplacePolicy": "Retain",
      "DeletionPolicy": "Retain",
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/DelegatedAdmins/Table/Resource",
        "guard": {
          "SuppressedRules": [
            "DYNAMODB_TABLE_ENCRYPTED_KMS",
            "DYNAMODB_TABLE_ENCRYPTED_KMS_ALLOWED_ALGORITHMS"
          ]
        }
      }
    },
    "DelegatedAdminsReadServiceRoleBDC7C449": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "lambda.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "ManagedPolicyArns": [
          {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
              ]
            ]
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/DelegatedAdmins/Read/ServiceRole/Resource",
        "guard": {
          "SuppressedRules": [
            "CFN_NO_EXPLICIT_RESOURCE_NAMES"
          ]
        }
      }
    },
    "DelegatedAdminsReadServiceRoleDefaultPolicyC18A0D35": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "xray:PutTraceSegments",
                "xray:PutTelemetryRecords"
              ],
              "Effect": "Allow",
              "Resource": "*"
            },
            {
              "Action": [
                "dynamodb:BatchGetItem",
                "dynamodb:Query",
                "dynamodb:GetItem",
                "dynamodb:Scan",
                "dynamodb:ConditionCheckItem",
                "dynamodb:DescribeTable"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "DelegatedAdminsTable29E80916",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "DelegatedAdminsTable29E80916",
                          "Arn"
                        ]
                      },
                      "/index/*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": [
                "dynamodb:GetRecords",
                "dynamodb:GetShardIterator"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "DelegatedAdminsTable29E80916",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "DelegatedAdminsTable29E80916",
                          "Arn"
                        ]
                      },
                      "/index/*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": [
                "dynamodb:BatchGetItem",
                "dynamodb:Query",
                "dynamodb:GetItem",
                "dynamodb:Scan",
                "dynamodb:ConditionCheckItem",
                "dynamodb:DescribeTable"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "JobHistoryTableE4B293DD",
                    "Arn"
                  ]
                }
              ]
            },
            {
              "Action": [
                "dynamodb:GetRecords",
                "dynamodb:GetShardIterator"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "JobHistoryTableE4B293DD",
                    "Arn"
                  ]
                }
              ]
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "DelegatedAdminsReadServiceRoleDefaultPolicyC18A0D35",
        "Roles": [
          {
            "Ref": "DelegatedAdminsReadServiceRoleBDC7C449"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/DelegatedAdmins/Read/ServiceRole/DefaultPolicy/Resource",
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "W12",
              "reason": "Resource * is necessary for xray:PutTraceSegments and xray:PutTelemetryRecords."
            }
          ]
        }
      }
    },
    "DelegatedAdminsRead591DCC7E": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Code": {
          "S3Bucket": {
            "Fn::Sub": "solutions-${AWS::Region}"
          },
          "S3Key": "account-assessment-for-aws-organizations/1.1.11/lambda.zip"
        },
        "Environment": {
          "Variables": {
            "COMPONENT_TABLE": {
              "Ref": "DelegatedAdminsTable29E80916"
            },
            "TABLE_JOBS": {
              "Ref": "JobHistoryTableE4B293DD"
            },
            "NAMESPACE": {
              "Ref": "DeploymentNamespace"
            },
            "POWERTOOLS_SERVICE_NAME": "ReadDelegatedAdmin",
            "SOLUTION_VERSION": "1.1.11",
            "STACK_ID": {
              "Ref": "AWS::StackId"
            },
            "SEND_ANONYMOUS_DATA": {
              "Fn::FindInMap": [
                "AnonymousData",
                "SendAnonymousData",
                "Data"
              ]
            }
          }
        },
        "Handler": "delegated_admins/read_delegated_admins.lambda_handler",
        "Role": {
          "Fn::GetAtt": [
            "DelegatedAdminsReadServiceRoleBDC7C449",
            "Arn"
          ]
        },
        "Runtime": "python3.12",
        "Timeout": 60,
        "TracingConfig": {
          "Mode": "Active"
        }
      },
      "DependsOn": [
        "DelegatedAdminsReadServiceRoleDefaultPolicyC18A0D35",
        "DelegatedAdminsReadServiceRoleBDC7C449"
      ],
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/DelegatedAdmins/Read/Resource",
        "aws:asset:path": "asset.75af5bc354d804a606f4a3ffdb615436c4b3930dd3b4316b802ec94f573b0763.zip",
        "aws:asset:is-bundled": false,
        "aws:asset:property": "Code",
        "guard": {
          "SuppressedRules": [
            "LAMBDA_INSIDE_VPC",
            "LAMBDA_CONCURRENCY_CHECK"
          ]
        }
      }
    },
    "DelegatedAdminsStartScanServiceRole9CC01771": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "lambda.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "ManagedPolicyArns": [
          {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
              ]
            ]
          }
        ],
        "RoleName": {
          "Fn::Join": [
            "",
            [
              {
                "Ref": "DeploymentNamespace"
              },
              "-",
              {
                "Ref": "AWS::Region"
              },
              "-DelegatedAdmin"
            ]
          ]
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/DelegatedAdmins/StartScan/ServiceRole/Resource",
        "guard": {
          "SuppressedRules": [
            "CFN_NO_EXPLICIT_RESOURCE_NAMES"
          ]
        }
      }
    },
    "DelegatedAdminsStartScanServiceRoleDefaultPolicyFB859E87": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "xray:PutTraceSegments",
                "xray:PutTelemetryRecords"
              ],
              "Effect": "Allow",
              "Resource": "*"
            },
            {
              "Action": "organizations:DescribeOrganization",
              "Effect": "Allow",
              "Resource": "*"
            },
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:aws:iam::*:role/",
                    {
                      "Ref": "DeploymentNamespace"
                    },
                    "-",
                    {
                      "Ref": "AWS::Region"
                    },
                    "-AccountAssessment-OrgMgmtStackRole"
                  ]
                ]
              }
            },
            {
              "Action": [
                "dynamodb:BatchGetItem",
                "dynamodb:Query",
                "dynamodb:GetItem",
                "dynamodb:Scan",
                "dynamodb:ConditionCheckItem",
                "dynamodb:BatchWriteItem",
                "dynamodb:PutItem",
                "dynamodb:UpdateItem",
                "dynamodb:DeleteItem",
                "dynamodb:DescribeTable"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "DelegatedAdminsTable29E80916",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "DelegatedAdminsTable29E80916",
                          "Arn"
                        ]
                      },
                      "/index/*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": [
                "dynamodb:GetRecords",
                "dynamodb:GetShardIterator"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "DelegatedAdminsTable29E80916",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "DelegatedAdminsTable29E80916",
                          "Arn"
                        ]
                      },
                      "/index/*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": [
                "dynamodb:BatchGetItem",
                "dynamodb:Query",
                "dynamodb:GetItem",
                "dynamodb:Scan",
                "dynamodb:ConditionCheckItem",
                "dynamodb:BatchWriteItem",
                "dynamodb:PutItem",
                "dynamodb:UpdateItem",
                "dynamodb:DeleteItem",
                "dynamodb:DescribeTable"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "JobHistoryTableE4B293DD",
                    "Arn"
                  ]
                }
              ]
            },
            {
              "Action": [
                "dynamodb:GetRecords",
                "dynamodb:GetShardIterator"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "JobHistoryTableE4B293DD",
                    "Arn"
                  ]
                }
              ]
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "DelegatedAdminsStartScanServiceRoleDefaultPolicyFB859E87",
        "Roles": [
          {
            "Ref": "DelegatedAdminsStartScanServiceRole9CC01771"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/DelegatedAdmins/StartScan/ServiceRole/DefaultPolicy/Resource",
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "W12",
              "reason": "Resource * is necessary for organizations:DescribeOrganization, the only organizations action this policy grants. No risk, because the role can still only access its own organization."
            },
            {
              "id": "W12",
              "reason": "Resource * is necessary for xray:PutTraceSegments and xray:PutTelemetryRecords."
            }
          ]
        }
      }
    },
    "DelegatedAdminsStartScanE7DED487": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Code": {
          "S3Bucket": {
            "Fn::Sub": "solutions-${AWS::Region}"
          },
          "S3Key": "account-assessment-for-aws-organizations/1.1.11/lambda.zip"
        },
        "Environment": {
          "Variables": {
            "COMPONENT_TABLE": {
              "Ref": "DelegatedAdminsTable29E80916"
            },
            "TABLE_JOBS": {
              "Ref": "JobHistoryTableE4B293DD"
            },
            "NAMESPACE": {
              "Ref": "DeploymentNamespace"
            },
            "TIME_TO_LIVE_IN_DAYS": {
              "Ref": "DynamoTimeToLive"
            },
            "ORG_MANAGEMENT_ROLE_NAME": {
              "Fn::Join": [
                "",
                [
                  {
                    "Ref": "DeploymentNamespace"
                  },
                  "-",
                  {
                    "Ref": "AWS::Region"
                  },
                  "-AccountAssessment-OrgMgmtStackRole"
                ]
              ]
            },
            "LOG_LEVEL": "INFO",
            "POWERTOOLS_SERVICE_NAME": "ScanDelegatedAdmin",
            "SOLUTION_VERSION": "1.1.11",
            "STACK_ID": {
              "Ref": "AWS::StackId"
            },
            "SEND_ANONYMOUS_DATA": {
              "Fn::FindInMap": [
                "AnonymousData",
                "SendAnonymousData",
                "Data"
              ]
            }
          }
        },
        "Handler": "delegated_admins/scan_for_delegated_admins.lambda_handler",
        "Role": {
          "Fn::GetAtt": [
            "DelegatedAdminsStartScanServiceRole9CC01771",
            "Arn"
          ]
        },
        "Runtime": "python3.12",
        "Timeout": 120,
        "TracingConfig": {
          "Mode": "Active"
        }
      },
      "DependsOn": [
        "DelegatedAdminsStartScanServiceRoleDefaultPolicyFB859E87",
        "DelegatedAdminsStartScanServiceRole9CC01771"
      ],
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/DelegatedAdmins/StartScan/Resource",
        "aws:asset:path": "asset.75af5bc354d804a606f4a3ffdb615436c4b3930dd3b4316b802ec94f573b0763.zip",
        "aws:asset:is-bundled": false,
        "aws:asset:property": "Code",
        "guard": {
          "SuppressedRules": [
            "LAMBDA_INSIDE_VPC",
            "LAMBDA_CONCURRENCY_CHECK"
          ]
        }
      }
    },
    "TrustedAccessTable495B447A": {
      "Type": "AWS::DynamoDB::Table",
      "Properties": {
        "AttributeDefinitions": [
          {
            "AttributeName": "PartitionKey",
            "AttributeType": "S"
          },
          {
            "AttributeName": "SortKey",
            "AttributeType": "S"
          },
          {
            "AttributeName": "JobId",
            "AttributeType": "S"
          }
        ],
        "BillingMode": "PAY_PER_REQUEST",
        "GlobalSecondaryIndexes": [
          {
            "IndexName": "JobId",
            "KeySchema": [
              {
                "AttributeName": "JobId",
                "KeyType": "HASH"
              }
            ],
            "Projection": {
              "ProjectionType": "ALL"
            }
          }
        ],
        "KeySchema": [
          {
            "AttributeName": "PartitionKey",
            "KeyType": "HASH"
          },
          {
            "AttributeName": "SortKey",
            "KeyType": "RANGE"
          }
        ],
        "PointInTimeRecoverySpecification": {
          "PointInTimeRecoveryEnabled": true,
          "RecoveryPeriodInDays": 10
        },
        "SSESpecification": {
          "SSEEnabled": true
        },
        "TimeToLiveSpecification": {
          "AttributeName": "ExpiresAt",
          "Enabled": true
        }
      },
      "UpdateReplacePolicy": "Retain",
      "DeletionPolicy": "Retain",
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/TrustedAccess/Table/Resource",
        "guard": {
          "SuppressedRules": [
            "DYNAMODB_TABLE_ENCRYPTED_KMS",
            "DYNAMODB_TABLE_ENCRYPTED_KMS_ALLOWED_ALGORITHMS"
          ]
        }
      }
    },
    "TrustedAccessReadServiceRoleFED50FB8": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "lambda.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "ManagedPolicyArns": [
          {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
              ]
            ]
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/TrustedAccess/Read/ServiceRole/Resource",
        "guard": {
          "SuppressedRules": [
            "CFN_NO_EXPLICIT_RESOURCE_NAMES"
          ]
        }
      }
    },
    "TrustedAccessReadServiceRoleDefaultPolicy4F0CC01B": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "xray:PutTraceSegments",
                "xray:PutTelemetryRecords"
              ],
              "Effect": "Allow",
              "Resource": "*"
            },
            {
              "Action": [
                "dynamodb:BatchGetItem",
                "dynamodb:Query",
                "dynamodb:GetItem",
                "dynamodb:Scan",
                "dynamodb:ConditionCheckItem",
                "dynamodb:DescribeTable"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "TrustedAccessTable495B447A",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "TrustedAccessTable495B447A",
                          "Arn"
                        ]
                      },
                      "/index/*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": [
                "dynamodb:GetRecords",
                "dynamodb:GetShardIterator"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "TrustedAccessTable495B447A",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "TrustedAccessTable495B447A",
                          "Arn"
                        ]
                      },
                      "/index/*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": [
                "dynamodb:BatchGetItem",
                "dynamodb:Query",
                "dynamodb:GetItem",
                "dynamodb:Scan",
                "dynamodb:ConditionCheckItem",
                "dynamodb:DescribeTable"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "JobHistoryTableE4B293DD",
                    "Arn"
                  ]
                }
              ]
            },
            {
              "Action": [
                "dynamodb:GetRecords",
                "dynamodb:GetShardIterator"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "JobHistoryTableE4B293DD",
                    "Arn"
                  ]
                }
              ]
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "TrustedAccessReadServiceRoleDefaultPolicy4F0CC01B",
        "Roles": [
          {
            "Ref": "TrustedAccessReadServiceRoleFED50FB8"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/TrustedAccess/Read/ServiceRole/DefaultPolicy/Resource",
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "W12",
              "reason": "Resource * is necessary for xray:PutTraceSegments and xray:PutTelemetryRecords."
            }
          ]
        }
      }
    },
    "TrustedAccessRead96AB6071": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Code": {
          "S3Bucket": {
            "Fn::Sub": "solutions-${AWS::Region}"
          },
          "S3Key": "account-assessment-for-aws-organizations/1.1.11/lambda.zip"
        },
        "Environment": {
          "Variables": {
            "COMPONENT_TABLE": {
              "Ref": "TrustedAccessTable495B447A"
            },
            "TABLE_JOBS": {
              "Ref": "JobHistoryTableE4B293DD"
            },
            "NAMESPACE": {
              "Ref": "DeploymentNamespace"
            },
            "POWERTOOLS_SERVICE_NAME": "ReadTrustedAccess",
            "SOLUTION_VERSION": "1.1.11",
            "STACK_ID": {
              "Ref": "AWS::StackId"
            },
            "SEND_ANONYMOUS_DATA": {
              "Fn::FindInMap": [
                "AnonymousData",
                "SendAnonymousData",
                "Data"
              ]
            }
          }
        },
        "Handler": "trusted_access_enabled_services/read_trusted_services.lambda_handler",
        "Role": {
          "Fn::GetAtt": [
            "TrustedAccessReadServiceRoleFED50FB8",
            "Arn"
          ]
        },
        "Runtime": "python3.12",
        "Timeout": 60,
        "TracingConfig": {
          "Mode": "Active"
        }
      },
      "DependsOn": [
        "TrustedAccessReadServiceRoleDefaultPolicy4F0CC01B",
        "TrustedAccessReadServiceRoleFED50FB8"
      ],
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/TrustedAccess/Read/Resource",
        "aws:asset:path": "asset.75af5bc354d804a606f4a3ffdb615436c4b3930dd3b4316b802ec94f573b0763.zip",
        "aws:asset:is-bundled": false,
        "aws:asset:property": "Code",
        "guard": {
          "SuppressedRules": [
            "LAMBDA_INSIDE_VPC",
            "LAMBDA_CONCURRENCY_CHECK"
          ]
        }
      }
    },
    "TrustedAccessStartScanServiceRoleA218CD44": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "lambda.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "ManagedPolicyArns": [
          {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
              ]
            ]
          }
        ],
        "RoleName": {
          "Fn::Join": [
            "",
            [
              {
                "Ref": "DeploymentNamespace"
              },
              "-",
              {
                "Ref": "AWS::Region"
              },
              "-TrustedAccess"
            ]
          ]
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/TrustedAccess/StartScan/ServiceRole/Resource",
        "guard": {
          "SuppressedRules": [
            "CFN_NO_EXPLICIT_RESOURCE_NAMES"
          ]
        }
      }
    },
    "TrustedAccessStartScanServiceRoleDefaultPolicyBBB5BB59": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "xray:PutTraceSegments",
                "xray:PutTelemetryRecords"
              ],
              "Effect": "Allow",
              "Resource": "*"
            },
            {
              "Action": "organizations:DescribeOrganization",
              "Effect": "Allow",
              "Resource": "*"
            },
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:aws:iam::*:role/",
                    {
                      "Ref": "DeploymentNamespace"
                    },
                    "-",
                    {
                      "Ref": "AWS::Region"
                    },
                    "-AccountAssessment-OrgMgmtStackRole"
                  ]
                ]
              }
            },
            {
              "Action": [
                "dynamodb:BatchGetItem",
                "dynamodb:Query",
                "dynamodb:GetItem",
                "dynamodb:Scan",
                "dynamodb:ConditionCheckItem",
                "dynamodb:BatchWriteItem",
                "dynamodb:PutItem",
                "dynamodb:UpdateItem",
                "dynamodb:DeleteItem",
                "dynamodb:DescribeTable"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "TrustedAccessTable495B447A",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "TrustedAccessTable495B447A",
                          "Arn"
                        ]
                      },
                      "/index/*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": [
                "dynamodb:GetRecords",
                "dynamodb:GetShardIterator"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "TrustedAccessTable495B447A",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "TrustedAccessTable495B447A",
                          "Arn"
                        ]
                      },
                      "/index/*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": [
                "dynamodb:BatchGetItem",
                "dynamodb:Query",
                "dynamodb:GetItem",
                "dynamodb:Scan",
                "dynamodb:ConditionCheckItem",
                "dynamodb:BatchWriteItem",
                "dynamodb:PutItem",
                "dynamodb:UpdateItem",
                "dynamodb:DeleteItem",
                "dynamodb:DescribeTable"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "JobHistoryTableE4B293DD",
                    "Arn"
                  ]
                }
              ]
            },
            {
              "Action": [
                "dynamodb:GetRecords",
                "dynamodb:GetShardIterator"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "JobHistoryTableE4B293DD",
                    "Arn"
                  ]
                }
              ]
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "TrustedAccessStartScanServiceRoleDefaultPolicyBBB5BB59",
        "Roles": [
          {
            "Ref": "TrustedAccessStartScanServiceRoleA218CD44"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/TrustedAccess/StartScan/ServiceRole/DefaultPolicy/Resource",
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "W12",
              "reason": "Resource * is necessary for organizations:List* operations. No cross-organization risk, because the role can still only access its own organization."
            },
            {
              "id": "W12",
              "reason": "Resource * is necessary for xray:PutTraceSegments and xray:PutTelemetryRecords."
            }
          ]
        }
      }
    },
    "TrustedAccessStartScan70308E2B": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Code": {
          "S3Bucket": {
            "Fn::Sub": "solutions-${AWS::Region}"
          },
          "S3Key": "account-assessment-for-aws-organizations/1.1.11/lambda.zip"
        },
        "Environment": {
          "Variables": {
            "COMPONENT_TABLE": {
              "Ref": "TrustedAccessTable495B447A"
            },
            "TABLE_JOBS": {
              "Ref": "JobHistoryTableE4B293DD"
            },
            "NAMESPACE": {
              "Ref": "DeploymentNamespace"
            },
            "TIME_TO_LIVE_IN_DAYS": {
              "Ref": "DynamoTimeToLive"
            },
            "ORG_MANAGEMENT_ROLE_NAME": {
              "Fn::Join": [
                "",
                [
                  {
                    "Ref": "DeploymentNamespace"
                  },
                  "-",
                  {
                    "Ref": "AWS::Region"
                  },
                  "-AccountAssessment-OrgMgmtStackRole"
                ]
              ]
            },
            "LOG_LEVEL": "INFO",
            "POWERTOOLS_SERVICE_NAME": "ScanTrustedAccess",
            "SOLUTION_VERSION": "1.1.11",
            "STACK_ID": {
              "Ref": "AWS::StackId"
            },
            "SEND_ANONYMOUS_DATA": {
              "Fn::FindInMap": [
                "AnonymousData",
                "SendAnonymousData",
                "Data"
              ]
            }
          }
        },
        "Handler": "trusted_access_enabled_services/scan_for_trusted_services.lambda_handler",
        "Role": {
          "Fn::GetAtt": [
            "TrustedAccessStartScanServiceRoleA218CD44",
            "Arn"
          ]
        },
        "Runtime": "python3.12",
        "Timeout": 120,
        "TracingConfig": {
          "Mode": "Active"
        }
      },
      "DependsOn": [
        "TrustedAccessStartScanServiceRoleDefaultPolicyBBB5BB59",
        "TrustedAccessStartScanServiceRoleA218CD44"
      ],
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/TrustedAccess/StartScan/Resource",
        "aws:asset:path": "asset.75af5bc354d804a606f4a3ffdb615436c4b3930dd3b4316b802ec94f573b0763.zip",
        "aws:asset:is-bundled": false,
        "aws:asset:property": "Code",
        "guard": {
          "SuppressedRules": [
            "LAMBDA_INSIDE_VPC",
            "LAMBDA_CONCURRENCY_CHECK"
          ]
        }
      }
    },
    "ResourceBasedPolicyTable7277C643": {
      "Type": "AWS::DynamoDB::Table",
      "Properties": {
        "AttributeDefinitions": [
          {
            "AttributeName": "PartitionKey",
            "AttributeType": "S"
          },
          {
            "AttributeName": "SortKey",
            "AttributeType": "S"
          },
          {
            "AttributeName": "JobId",
            "AttributeType": "S"
          }
        ],
        "BillingMode": "PAY_PER_REQUEST",
        "GlobalSecondaryIndexes": [
          {
            "IndexName": "JobId",
            "KeySchema": [
              {
                "AttributeName": "JobId",
                "KeyType": "HASH"
              }
            ],
            "Projection": {
              "ProjectionType": "ALL"
            }
          }
        ],
        "KeySchema": [
          {
            "AttributeName": "PartitionKey",
            "KeyType": "HASH"
          },
          {
            "AttributeName": "SortKey",
            "KeyType": "RANGE"
          }
        ],
        "PointInTimeRecoverySpecification": {
          "PointInTimeRecoveryEnabled": true,
          "RecoveryPeriodInDays": 10
        },
        "SSESpecification": {
          "SSEEnabled": true
        },
        "TimeToLiveSpecification": {
          "AttributeName": "ExpiresAt",
          "Enabled": true
        }
      },
      "UpdateReplacePolicy": "Retain",
      "DeletionPolicy": "Retain",
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/ResourceBasedPolicy/Table/Resource",
        "guard": {
          "SuppressedRules": [
            "DYNAMODB_TABLE_ENCRYPTED_KMS",
            "DYNAMODB_TABLE_ENCRYPTED_KMS_ALLOWED_ALGORITHMS"
          ]
        }
      }
    },
    "ResourceBasedPolicyReadServiceRole96A1B85C": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "lambda.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "ManagedPolicyArns": [
          {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
              ]
            ]
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/ResourceBasedPolicy/Read/ServiceRole/Resource",
        "guard": {
          "SuppressedRules": [
            "CFN_NO_EXPLICIT_RESOURCE_NAMES"
          ]
        }
      }
    },
    "ResourceBasedPolicyReadServiceRoleDefaultPolicy99498DE7": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "xray:PutTraceSegments",
                "xray:PutTelemetryRecords"
              ],
              "Effect": "Allow",
              "Resource": "*"
            },
            {
              "Action": [
                "dynamodb:BatchGetItem",
                "dynamodb:Query",
                "dynamodb:GetItem",
                "dynamodb:Scan",
                "dynamodb:ConditionCheckItem",
                "dynamodb:DescribeTable"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "ResourceBasedPolicyTable7277C643",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "ResourceBasedPolicyTable7277C643",
                          "Arn"
                        ]
                      },
                      "/index/*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": [
                "dynamodb:GetRecords",
                "dynamodb:GetShardIterator"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "ResourceBasedPolicyTable7277C643",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "ResourceBasedPolicyTable7277C643",
                          "Arn"
                        ]
                      },
                      "/index/*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": [
                "dynamodb:BatchGetItem",
                "dynamodb:Query",
                "dynamodb:GetItem",
                "dynamodb:Scan",
                "dynamodb:ConditionCheckItem",
                "dynamodb:DescribeTable"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "JobHistoryTableE4B293DD",
                    "Arn"
                  ]
                }
              ]
            },
            {
              "Action": [
                "dynamodb:GetRecords",
                "dynamodb:GetShardIterator"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "JobHistoryTableE4B293DD",
                    "Arn"
                  ]
                }
              ]
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "ResourceBasedPolicyReadServiceRoleDefaultPolicy99498DE7",
        "Roles": [
          {
            "Ref": "ResourceBasedPolicyReadServiceRole96A1B85C"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/ResourceBasedPolicy/Read/ServiceRole/DefaultPolicy/Resource",
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "W12",
              "reason": "Resource * is necessary for xray:PutTraceSegments and xray:PutTelemetryRecords."
            }
          ]
        }
      }
    },
    "ResourceBasedPolicyReadDC5D2BC4": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Code": {
          "S3Bucket": {
            "Fn::Sub": "solutions-${AWS::Region}"
          },
          "S3Key": "account-assessment-for-aws-organizations/1.1.11/lambda.zip"
        },
        "Environment": {
          "Variables": {
            "COMPONENT_TABLE": {
              "Ref": "ResourceBasedPolicyTable7277C643"
            },
            "TABLE_JOBS": {
              "Ref": "JobHistoryTableE4B293DD"
            },
            "NAMESPACE": {
              "Ref": "DeploymentNamespace"
            },
            "POWERTOOLS_SERVICE_NAME": "ReadResourceBasedPolicy",
            "SOLUTION_VERSION": "1.1.11",
            "STACK_ID": {
              "Ref": "AWS::StackId"
            },
            "SEND_ANONYMOUS_DATA": {
              "Fn::FindInMap": [
                "AnonymousData",
                "SendAnonymousData",
                "Data"
              ]
            }
          }
        },
        "Handler": "resource_based_policy/read_resource_based_policies.lambda_handler",
        "Role": {
          "Fn::GetAtt": [
            "ResourceBasedPolicyReadServiceRole96A1B85C",
            "Arn"
          ]
        },
        "Runtime": "python3.12",
        "Timeout": 60,
        "TracingConfig": {
          "Mode": "Active"
        }
      },
      "DependsOn": [
        "ResourceBasedPolicyReadServiceRoleDefaultPolicy99498DE7",
        "ResourceBasedPolicyReadServiceRole96A1B85C"
      ],
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/ResourceBasedPolicy/Read/Resource",
        "aws:asset:path": "asset.75af5bc354d804a606f4a3ffdb615436c4b3930dd3b4316b802ec94f573b0763.zip",
        "aws:asset:is-bundled": false,
        "aws:asset:property": "Code",
        "guard": {
          "SuppressedRules": [
            "LAMBDA_INSIDE_VPC",
            "LAMBDA_CONCURRENCY_CHECK"
          ]
        }
      }
    },
    "WebUIDeployerDeployWebUIServiceRole57CC2ECD": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "lambda.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "ManagedPolicyArns": [
          {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
              ]
            ]
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/WebUIDeployer/DeployWebUI/ServiceRole/Resource",
        "guard": {
          "SuppressedRules": [
            "CFN_NO_EXPLICIT_RESOURCE_NAMES"
          ]
        }
      }
    },
    "WebUIDeployerDeployWebUIServiceRoleDefaultPolicyA5CCFE46": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "xray:PutTraceSegments",
                "xray:PutTelemetryRecords"
              ],
              "Effect": "Allow",
              "Resource": "*"
            },
            {
              "Action": [
                "s3:PutObject",
                "s3:PutObjectLegalHold",
                "s3:PutObjectRetention",
                "s3:PutObjectTagging",
                "s3:PutObjectVersionTagging",
                "s3:Abort*"
              ],
              "Effect": "Allow",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    {
                      "Fn::GetAtt": [
                        "CloudFrontS3Bucket68FEB4E1",
                        "Arn"
                      ]
                    },
                    "/*"
                  ]
                ]
              }
            },
            {
              "Action": [
                "s3:GetObject*",
                "s3:GetBucket*",
                "s3:List*"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::Join": [
                    "",
                    [
                      "arn:",
                      {
                        "Ref": "AWS::Partition"
                      },
                      ":s3:::solutions-",
                      {
                        "Ref": "AWS::Region"
                      }
                    ]
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      "arn:",
                      {
                        "Ref": "AWS::Partition"
                      },
                      ":s3:::solutions-",
                      {
                        "Ref": "AWS::Region"
                      },
                      "/*"
                    ]
                  ]
                }
              ]
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "WebUIDeployerDeployWebUIServiceRoleDefaultPolicyA5CCFE46",
        "Roles": [
          {
            "Ref": "WebUIDeployerDeployWebUIServiceRole57CC2ECD"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/WebUIDeployer/DeployWebUI/ServiceRole/DefaultPolicy/Resource",
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "W12",
              "reason": "Resource * is necessary for xray:PutTraceSegments and xray:PutTelemetryRecords."
            }
          ]
        }
      }
    },
    "WebUIDeployerDeployWebUIC2B79695": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Code": {
          "S3Bucket": {
            "Fn::Sub": "solutions-${AWS::Region}"
          },
          "S3Key": "account-assessment-for-aws-organizations/1.1.11/lambda.zip"
        },
        "Environment": {
          "Variables": {
            "LOG_LEVEL": "INFO",
            "CONFIG": {
              "Fn::Join": [
                "",
                [
                  "{\"SrcBucket\":\"solutions-",
                  {
                    "Ref": "AWS::Region"
                  },
                  "\",\"SrcPath\":\"account-assessment-for-aws-organizations/1.1.11/webui/\",\"WebUIBucket\":\"",
                  {
                    "Ref": "CloudFrontS3Bucket68FEB4E1"
                  },
                  "\",\"awsExports\":{\"API\":{\"endpoints\":[{\"name\":\"AccountAssessmentApi\",\"endpoint\":\"https://",
                  {
                    "Ref": "ApiAccountAssessmentForAWSOrganisationsApiCC987D5A"
                  },
                  ".execute-api.",
                  {
                    "Ref": "AWS::Region"
                  },
                  ".amazonaws.com/prod\"}]},\"loggingLevel\":\"INFO\",\"Auth\":{\"region\":\"",
                  {
                    "Ref": "AWS::Region"
                  },
                  "\",\"userPoolId\":\"",
                  {
                    "Ref": "AuthFullAccessUsers932AF091"
                  },
                  "\",\"userPoolWebClientId\":\"",
                  {
                    "Ref": "AuthFullAccessUsersWebUIClient18642E52"
                  },
                  "\",\"mandatorySignIn\":true,\"oauth\":{\"domain\":\"",
                  {
                    "Ref": "DeploymentNamespace"
                  },
                  "-",
                  {
                    "Ref": "AWS::AccountId"
                  },
                  ".auth.",
                  {
                    "Ref": "AWS::Region"
                  },
                  ".amazoncognito.com\",\"scope\":[\"openid\",\"profile\",\"email\",\"aws.cognito.signin.user.admin\",\"account-assessment-api/api\"],\"redirectSignIn\":\"https://",
                  {
                    "Fn::GetAtt": [
                      "CloudFrontCloudFrontDistribution824F3346",
                      "DomainName"
                    ]
                  },
                  "/\",\"redirectSignOut\":\"https://",
                  {
                    "Fn::GetAtt": [
                      "CloudFrontCloudFrontDistribution824F3346",
                      "DomainName"
                    ]
                  },
                  "/\",\"responseType\":\"code\",\"clientId\":\"",
                  {
                    "Ref": "AuthFullAccessUsersWebUIClient18642E52"
                  },
                  "\"}},\"OrgId\":\"",
                  {
                    "Ref": "OrganizationID"
                  },
                  "\"}}"
                ]
              ]
            },
            "POWERTOOLS_SERVICE_NAME": "DeployWebUI",
            "SOLUTION_VERSION": "1.1.11",
            "STACK_ID": {
              "Ref": "AWS::StackId"
            },
            "SEND_ANONYMOUS_DATA": {
              "Fn::FindInMap": [
                "AnonymousData",
                "SendAnonymousData",
                "Data"
              ]
            }
          }
        },
        "Handler": "deploy_webui/deploy_webui.lambda_handler",
        "Role": {
          "Fn::GetAtt": [
            "WebUIDeployerDeployWebUIServiceRole57CC2ECD",
            "Arn"
          ]
        },
        "Runtime": "python3.12",
        "Timeout": 300,
        "TracingConfig": {
          "Mode": "Active"
        }
      },
      "DependsOn": [
        "WebUIDeployerDeployWebUIServiceRoleDefaultPolicyA5CCFE46",
        "WebUIDeployerDeployWebUIServiceRole57CC2ECD"
      ],
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/WebUIDeployer/DeployWebUI/Resource",
        "aws:asset:path": "asset.75af5bc354d804a606f4a3ffdb615436c4b3930dd3b4316b802ec94f573b0763.zip",
        "aws:asset:is-bundled": false,
        "aws:asset:property": "Code",
        "guard": {
          "SuppressedRules": [
            "LAMBDA_INSIDE_VPC",
            "LAMBDA_CONCURRENCY_CHECK"
          ]
        }
      }
    },
    "WebUIDeployerWebUIDeploymentResourceDC3D4E53": {
      "Type": "AWS::CloudFormation::CustomResource",
      "Properties": {
        "ServiceToken": {
          "Fn::GetAtt": [
            "WebUIDeployerDeployWebUIC2B79695",
            "Arn"
          ]
        },
        "ServiceTimeout": "300",
        "SolutionVersion": "1.1.11"
      },
      "UpdateReplacePolicy": "Delete",
      "DeletionPolicy": "Delete",
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/WebUIDeployer/WebUIDeploymentResource/Default"
      }
    },
    "PolicyExplorerTable3E6DD7C7": {
      "Type": "AWS::DynamoDB::Table",
      "Properties": {
        "AttributeDefinitions": [
          {
            "AttributeName": "PartitionKey",
            "AttributeType": "S"
          },
          {
            "AttributeName": "SortKey",
            "AttributeType": "S"
          },
          {
            "AttributeName": "JobId",
            "AttributeType": "S"
          }
        ],
        "BillingMode": "PAY_PER_REQUEST",
        "GlobalSecondaryIndexes": [
          {
            "IndexName": "JobId",
            "KeySchema": [
              {
                "AttributeName": "JobId",
                "KeyType": "HASH"
              }
            ],
            "Projection": {
              "ProjectionType": "ALL"
            }
          }
        ],
        "KeySchema": [
          {
            "AttributeName": "PartitionKey",
            "KeyType": "HASH"
          },
          {
            "AttributeName": "SortKey",
            "KeyType": "RANGE"
          }
        ],
        "PointInTimeRecoverySpecification": {
          "PointInTimeRecoveryEnabled": true,
          "RecoveryPeriodInDays": 10
        },
        "SSESpecification": {
          "SSEEnabled": true
        },
        "TimeToLiveSpecification": {
          "AttributeName": "ExpiresAt",
          "Enabled": true
        }
      },
      "UpdateReplacePolicy": "Retain",
      "DeletionPolicy": "Retain",
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/PolicyExplorer/Table/Resource",
        "guard": {
          "SuppressedRules": [
            "DYNAMODB_TABLE_ENCRYPTED_KMS",
            "DYNAMODB_TABLE_ENCRYPTED_KMS_ALLOWED_ALGORITHMS"
          ]
        }
      }
    },
    "PolicyExplorerDynamoDbRoleB7F393DE": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "apigateway.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/PolicyExplorer/DynamoDbRole/Resource",
        "guard": {
          "SuppressedRules": [
            "CFN_NO_EXPLICIT_RESOURCE_NAMES"
          ]
        }
      }
    },
    "PolicyExplorerDynamoDbRoleDefaultPolicyF1853B61": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": "dynamodb:Query",
              "Effect": "Allow",
              "Resource": {
                "Fn::GetAtt": [
                  "PolicyExplorerTable3E6DD7C7",
                  "Arn"
                ]
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "PolicyExplorerDynamoDbRoleDefaultPolicyF1853B61",
        "Roles": [
          {
            "Ref": "PolicyExplorerDynamoDbRoleB7F393DE"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/PolicyExplorer/DynamoDbRole/DefaultPolicy/Resource"
      }
    },
    "PolicyExplorerValidateSpokeAccessServiceRole28EA4095": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "lambda.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "ManagedPolicyArns": [
          {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
              ]
            ]
          }
        ],
        "RoleName": {
          "Fn::Join": [
            "",
            [
              {
                "Ref": "DeploymentNamespace"
              },
              "-",
              {
                "Ref": "AWS::Region"
              },
              "-ValidateSpokeAccess"
            ]
          ]
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/PolicyExplorer/ValidateSpokeAccess/ServiceRole/Resource",
        "guard": {
          "SuppressedRules": [
            "CFN_NO_EXPLICIT_RESOURCE_NAMES"
          ]
        }
      }
    },
    "PolicyExplorerValidateSpokeAccessServiceRoleDefaultPolicyA05D9737": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "xray:PutTraceSegments",
                "xray:PutTelemetryRecords"
              ],
              "Effect": "Allow",
              "Resource": "*"
            },
            {
              "Action": [
                "dynamodb:BatchGetItem",
                "dynamodb:Query",
                "dynamodb:GetItem",
                "dynamodb:Scan",
                "dynamodb:ConditionCheckItem",
                "dynamodb:BatchWriteItem",
                "dynamodb:PutItem",
                "dynamodb:UpdateItem",
                "dynamodb:DeleteItem",
                "dynamodb:DescribeTable"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "JobHistoryTableE4B293DD",
                    "Arn"
                  ]
                }
              ]
            },
            {
              "Action": [
                "dynamodb:GetRecords",
                "dynamodb:GetShardIterator"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "JobHistoryTableE4B293DD",
                    "Arn"
                  ]
                }
              ]
            },
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:aws:iam::*:role/",
                    {
                      "Ref": "DeploymentNamespace"
                    },
                    "-",
                    {
                      "Ref": "AWS::Region"
                    },
                    "-AccountAssessment-Spoke-ExecutionRole"
                  ]
                ]
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "PolicyExplorerValidateSpokeAccessServiceRoleDefaultPolicyA05D9737",
        "Roles": [
          {
            "Ref": "PolicyExplorerValidateSpokeAccessServiceRole28EA4095"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/PolicyExplorer/ValidateSpokeAccess/ServiceRole/DefaultPolicy/Resource",
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "W12",
              "reason": "Resource * is necessary for xray:PutTraceSegments and xray:PutTelemetryRecords."
            }
          ]
        }
      }
    },
    "PolicyExplorerValidateSpokeAccessA430B0C1": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Code": {
          "S3Bucket": {
            "Fn::Sub": "solutions-${AWS::Region}"
          },
          "S3Key": "account-assessment-for-aws-organizations/1.1.11/lambda.zip"
        },
        "Environment": {
          "Variables": {
            "COMPONENT_TABLE": {
              "Ref": "PolicyExplorerTable3E6DD7C7"
            },
            "TABLE_JOBS": {
              "Ref": "JobHistoryTableE4B293DD"
            },
            "TIME_TO_LIVE_IN_DAYS": {
              "Ref": "DynamoTimeToLive"
            },
            "SPOKE_ROLE_NAME": {
              "Fn::Join": [
                "",
                [
                  {
                    "Ref": "DeploymentNamespace"
                  },
                  "-",
                  {
                    "Ref": "AWS::Region"
                  },
                  "-AccountAssessment-Spoke-ExecutionRole"
                ]
              ]
            },
            "NAMESPACE": {
              "Ref": "DeploymentNamespace"
            },
            "LOG_LEVEL": "INFO",
            "POWERTOOLS_SERVICE_NAME": "ScanPolicyExplorer",
            "SOLUTION_VERSION": "1.1.11",
            "STACK_ID": {
              "Ref": "AWS::StackId"
            },
            "SEND_ANONYMOUS_DATA": {
              "Fn::FindInMap": [
                "AnonymousData",
                "SendAnonymousData",
                "Data"
              ]
            }
          }
        },
        "Handler": "policy_explorer/step_functions_lambda/validate_account_access.lambda_handler",
        "MemorySize": 1024,
        "Role": {
          "Fn::GetAtt": [
            "PolicyExplorerValidateSpokeAccessServiceRole28EA4095",
            "Arn"
          ]
        },
        "Runtime": "python3.12",
        "Timeout": 900,
        "TracingConfig": {
          "Mode": "Active"
        }
      },
      "DependsOn": [
        "PolicyExplorerValidateSpokeAccessServiceRoleDefaultPolicyA05D9737",
        "PolicyExplorerValidateSpokeAccessServiceRole28EA4095"
      ],
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/PolicyExplorer/ValidateSpokeAccess/Resource",
        "aws:asset:path": "asset.75af5bc354d804a606f4a3ffdb615436c4b3930dd3b4316b802ec94f573b0763.zip",
        "aws:asset:is-bundled": false,
        "aws:asset:property": "Code",
        "guard": {
          "SuppressedRules": [
            "LAMBDA_INSIDE_VPC",
            "LAMBDA_CONCURRENCY_CHECK"
          ]
        }
      }
    },
    "PolicyExplorerStartScanServiceRole9AC79B15": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "lambda.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "ManagedPolicyArns": [
          {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
              ]
            ]
          }
        ],
        "RoleName": {
          "Fn::Join": [
            "",
            [
              {
                "Ref": "DeploymentNamespace"
              },
              "-",
              {
                "Ref": "AWS::Region"
              },
              "-PolicyExplorer"
            ]
          ]
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/PolicyExplorer/StartScan/ServiceRole/Resource",
        "guard": {
          "SuppressedRules": [
            "CFN_NO_EXPLICIT_RESOURCE_NAMES"
          ]
        }
      }
    },
    "PolicyExplorerStartScanServiceRoleDefaultPolicyFF45000F": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "xray:PutTraceSegments",
                "xray:PutTelemetryRecords"
              ],
              "Effect": "Allow",
              "Resource": "*"
            },
            {
              "Action": "states:StartExecution",
              "Effect": "Allow",
              "Resource": {
                "Ref": "PolicyExplorerScanAllSpokeAccountsC4284EFB"
              }
            },
            {
              "Action": "organizations:DescribeOrganization",
              "Effect": "Allow",
              "Resource": "*"
            },
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:aws:iam::*:role/",
                    {
                      "Ref": "DeploymentNamespace"
                    },
                    "-",
                    {
                      "Ref": "AWS::Region"
                    },
                    "-AccountAssessment-OrgMgmtStackRole"
                  ]
                ]
              }
            },
            {
              "Action": [
                "dynamodb:BatchGetItem",
                "dynamodb:Query",
                "dynamodb:GetItem",
                "dynamodb:Scan",
                "dynamodb:ConditionCheckItem",
                "dynamodb:BatchWriteItem",
                "dynamodb:PutItem",
                "dynamodb:UpdateItem",
                "dynamodb:DeleteItem",
                "dynamodb:DescribeTable"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "PolicyExplorerTable3E6DD7C7",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "PolicyExplorerTable3E6DD7C7",
                          "Arn"
                        ]
                      },
                      "/index/*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": [
                "dynamodb:GetRecords",
                "dynamodb:GetShardIterator"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "PolicyExplorerTable3E6DD7C7",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "PolicyExplorerTable3E6DD7C7",
                          "Arn"
                        ]
                      },
                      "/index/*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": [
                "dynamodb:BatchGetItem",
                "dynamodb:Query",
                "dynamodb:GetItem",
                "dynamodb:Scan",
                "dynamodb:ConditionCheckItem",
                "dynamodb:BatchWriteItem",
                "dynamodb:PutItem",
                "dynamodb:UpdateItem",
                "dynamodb:DeleteItem",
                "dynamodb:DescribeTable"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "JobHistoryTableE4B293DD",
                    "Arn"
                  ]
                }
              ]
            },
            {
              "Action": [
                "dynamodb:GetRecords",
                "dynamodb:GetShardIterator"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "JobHistoryTableE4B293DD",
                    "Arn"
                  ]
                }
              ]
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "PolicyExplorerStartScanServiceRoleDefaultPolicyFF45000F",
        "Roles": [
          {
            "Ref": "PolicyExplorerStartScanServiceRole9AC79B15"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/PolicyExplorer/StartScan/ServiceRole/DefaultPolicy/Resource",
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "W12",
              "reason": "Resource * is necessary for organizations:List* operations and, in this policy, for organizations:DescribeOrganization. No risk, because the role can still only access its own organization."
            },
            {
              "id": "W12",
              "reason": "Resource * is necessary for xray:PutTraceSegments and xray:PutTelemetryRecords."
            }
          ]
        }
      }
    },
    "PolicyExplorerStartScan0A32F675": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Code": {
          "S3Bucket": {
            "Fn::Sub": "solutions-${AWS::Region}"
          },
          "S3Key": "account-assessment-for-aws-organizations/1.1.11/lambda.zip"
        },
        "Environment": {
          "Variables": {
            "COMPONENT_TABLE": {
              "Ref": "PolicyExplorerTable3E6DD7C7"
            },
            "TABLE_JOBS": {
              "Ref": "JobHistoryTableE4B293DD"
            },
            "TIME_TO_LIVE_IN_DAYS": {
              "Ref": "DynamoTimeToLive"
            },
            "NAMESPACE": {
              "Ref": "DeploymentNamespace"
            },
            "ORG_MANAGEMENT_ROLE_NAME": {
              "Fn::Join": [
                "",
                [
                  {
                    "Ref": "DeploymentNamespace"
                  },
                  "-",
                  {
                    "Ref": "AWS::Region"
                  },
                  "-AccountAssessment-OrgMgmtStackRole"
                ]
              ]
            },
            "LOG_LEVEL": "INFO",
            "POWERTOOLS_SERVICE_NAME": "ScanPolicyExplorer",
            "SOLUTION_VERSION": "1.1.11",
            "STACK_ID": {
              "Ref": "AWS::StackId"
            },
            "SEND_ANONYMOUS_DATA": {
              "Fn::FindInMap": [
                "AnonymousData",
                "SendAnonymousData",
                "Data"
              ]
            },
            "SCAN_POLICIES_STATE_MACHINE_ARN": {
              "Ref": "PolicyExplorerScanAllSpokeAccountsC4284EFB"
            }
          }
        },
        "Handler": "policy_explorer/start_state_machine_execution_to_scan_services.lambda_handler",
        "Role": {
          "Fn::GetAtt": [
            "PolicyExplorerStartScanServiceRole9AC79B15",
            "Arn"
          ]
        },
        "Runtime": "python3.12",
        "Timeout": 120,
        "TracingConfig": {
          "Mode": "Active"
        }
      },
      "DependsOn": [
        "PolicyExplorerStartScanServiceRoleDefaultPolicyFF45000F",
        "PolicyExplorerStartScanServiceRole9AC79B15"
      ],
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/PolicyExplorer/StartScan/Resource",
        "aws:asset:path": "asset.75af5bc354d804a606f4a3ffdb615436c4b3930dd3b4316b802ec94f573b0763.zip",
        "aws:asset:is-bundled": false,
        "aws:asset:property": "Code",
        "guard": {
          "SuppressedRules": [
            "LAMBDA_INSIDE_VPC",
            "LAMBDA_CONCURRENCY_CHECK"
          ]
        }
      }
    },
    "PolicyExplorerStartScanAwsEventsLambdaInvokePermission1EE606A6D": {
      "Type": "AWS::Lambda::Permission",
      "Properties": {
        "Action": "lambda:InvokeFunction",
        "FunctionName": {
          "Fn::GetAtt": [
            "PolicyExplorerStartScan0A32F675",
            "Arn"
          ]
        },
        "Principal": "events.amazonaws.com",
        "SourceArn": {
          "Fn::GetAtt": [
            "PolicyExplorerpolicyexplorerscheduleruleEventsRule02E815BD",
            "Arn"
          ]
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/PolicyExplorer/StartScan/AwsEventsLambdaInvokePermission-1"
      }
    },
    "PolicyExplorerPolicyExplorerScanSpokeResourceServiceRole3B78E70E": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "lambda.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "ManagedPolicyArns": [
          {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
              ]
            ]
          }
        ],
        "RoleName": {
          "Fn::Join": [
            "",
            [
              {
                "Ref": "DeploymentNamespace"
              },
              "-",
              {
                "Ref": "AWS::Region"
              },
              "-PolicyExplorerScanSpokeResource"
            ]
          ]
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/PolicyExplorer/PolicyExplorerScanSpokeResource/ServiceRole/Resource",
        "guard": {
          "SuppressedRules": [
            "CFN_NO_EXPLICIT_RESOURCE_NAMES"
          ]
        }
      }
    },
    "PolicyExplorerPolicyExplorerScanSpokeResourceServiceRoleDefaultPolicy6AD79F27": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "xray:PutTraceSegments",
                "xray:PutTelemetryRecords"
              ],
              "Effect": "Allow",
              "Resource": "*"
            },
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:aws:iam::*:role/",
                    {
                      "Ref": "DeploymentNamespace"
                    },
                    "-",
                    {
                      "Ref": "AWS::Region"
                    },
                    "-AccountAssessment-Spoke-ExecutionRole"
                  ]
                ]
              }
            },
            {
              "Action": [
                "dynamodb:BatchGetItem",
                "dynamodb:Query",
                "dynamodb:GetItem",
                "dynamodb:Scan",
                "dynamodb:ConditionCheckItem",
                "dynamodb:BatchWriteItem",
                "dynamodb:PutItem",
                "dynamodb:UpdateItem",
                "dynamodb:DeleteItem",
                "dynamodb:DescribeTable"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "PolicyExplorerTable3E6DD7C7",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "PolicyExplorerTable3E6DD7C7",
                          "Arn"
                        ]
                      },
                      "/index/*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": [
                "dynamodb:GetRecords",
                "dynamodb:GetShardIterator"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "PolicyExplorerTable3E6DD7C7",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "PolicyExplorerTable3E6DD7C7",
                          "Arn"
                        ]
                      },
                      "/index/*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": [
                "dynamodb:BatchGetItem",
                "dynamodb:Query",
                "dynamodb:GetItem",
                "dynamodb:Scan",
                "dynamodb:ConditionCheckItem",
                "dynamodb:BatchWriteItem",
                "dynamodb:PutItem",
                "dynamodb:UpdateItem",
                "dynamodb:DeleteItem",
                "dynamodb:DescribeTable"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "JobHistoryTableE4B293DD",
                    "Arn"
                  ]
                }
              ]
            },
            {
              "Action": [
                "dynamodb:GetRecords",
                "dynamodb:GetShardIterator"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "JobHistoryTableE4B293DD",
                    "Arn"
                  ]
                }
              ]
            },
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:aws:iam::*:role/",
                    {
                      "Ref": "DeploymentNamespace"
                    },
                    "-",
                    {
                      "Ref": "AWS::Region"
                    },
                    "-AccountAssessment-OrgMgmtStackRole"
                  ]
                ]
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "PolicyExplorerPolicyExplorerScanSpokeResourceServiceRoleDefaultPolicy6AD79F27",
        "Roles": [
          {
            "Ref": "PolicyExplorerPolicyExplorerScanSpokeResourceServiceRole3B78E70E"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/PolicyExplorer/PolicyExplorerScanSpokeResource/ServiceRole/DefaultPolicy/Resource",
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "W12",
              "reason": "Resource * is necessary for xray:PutTraceSegments and xray:PutTelemetryRecords."
            }
          ]
        }
      }
    },
    "PolicyExplorerPolicyExplorerScanSpokeResourceCE1226F7": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Code": {
          "S3Bucket": {
            "Fn::Sub": "solutions-${AWS::Region}"
          },
          "S3Key": "account-assessment-for-aws-organizations/1.1.11/lambda.zip"
        },
        "Environment": {
          "Variables": {
            "COMPONENT_TABLE": {
              "Ref": "PolicyExplorerTable3E6DD7C7"
            },
            "TABLE_JOBS": {
              "Ref": "JobHistoryTableE4B293DD"
            },
            "TIME_TO_LIVE_IN_DAYS": {
              "Ref": "DynamoTimeToLive"
            },
            "POLICY_ITEM_TTL_IN_DAYS": "1",
            "SPOKE_ROLE_NAME": {
              "Fn::Join": [
                "",
                [
                  {
                    "Ref": "DeploymentNamespace"
                  },
                  "-",
                  {
                    "Ref": "AWS::Region"
                  },
                  "-AccountAssessment-Spoke-ExecutionRole"
                ]
              ]
            },
            "NAMESPACE": {
              "Ref": "DeploymentNamespace"
            },
            "ORG_MANAGEMENT_ROLE_NAME": {
              "Fn::Join": [
                "",
                [
                  {
                    "Ref": "DeploymentNamespace"
                  },
                  "-",
                  {
                    "Ref": "AWS::Region"
                  },
                  "-AccountAssessment-OrgMgmtStackRole"
                ]
              ]
            },
            "LOG_LEVEL": "INFO",
            "POWERTOOLS_SERVICE_NAME": "ScanResourceBasedPolicyInSpokeAccount",
            "SOLUTION_VERSION": "1.1.11",
            "STACK_ID": {
              "Ref": "AWS::StackId"
            },
            "SEND_ANONYMOUS_DATA": {
              "Fn::FindInMap": [
                "AnonymousData",
                "SendAnonymousData",
                "Data"
              ]
            }
          }
        },
        "Handler": "policy_explorer/step_functions_lambda/scan_policy_all_services_router.lambda_handler",
        "MemorySize": 512,
        "Role": {
          "Fn::GetAtt": [
            "PolicyExplorerPolicyExplorerScanSpokeResourceServiceRole3B78E70E",
            "Arn"
          ]
        },
        "Runtime": "python3.12",
        "Timeout": 900,
        "TracingConfig": {
          "Mode": "Active"
        }
      },
      "DependsOn": [
        "PolicyExplorerPolicyExplorerScanSpokeResourceServiceRoleDefaultPolicy6AD79F27",
        "PolicyExplorerPolicyExplorerScanSpokeResourceServiceRole3B78E70E"
      ],
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/PolicyExplorer/PolicyExplorerScanSpokeResource/Resource",
        "aws:asset:path": "asset.75af5bc354d804a606f4a3ffdb615436c4b3930dd3b4316b802ec94f573b0763.zip",
        "aws:asset:is-bundled": false,
        "aws:asset:property": "Code",
        "guard": {
          "SuppressedRules": [
            "LAMBDA_INSIDE_VPC",
            "LAMBDA_CONCURRENCY_CHECK"
          ]
        }
      }
    },
    "PolicyExplorerPolicyExplorerScanSingleAccountServiceRole14522DF7": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "lambda.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "ManagedPolicyArns": [
          {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
              ]
            ]
          }
        ],
        "RoleName": {
          "Fn::Join": [
            "",
            [
              {
                "Ref": "DeploymentNamespace"
              },
              "-",
              {
                "Ref": "AWS::Region"
              },
              "-PolicyExplorerScanSingleAccountResource"
            ]
          ]
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/PolicyExplorer/PolicyExplorerScanSingleAccount/ServiceRole/Resource",
        "guard": {
          "SuppressedRules": [
            "CFN_NO_EXPLICIT_RESOURCE_NAMES"
          ]
        }
      }
    },
    "PolicyExplorerPolicyExplorerScanSingleAccountServiceRoleDefaultPolicy62631D58": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "xray:PutTraceSegments",
                "xray:PutTelemetryRecords"
              ],
              "Effect": "Allow",
              "Resource": "*"
            },
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:aws:iam::*:role/",
                    {
                      "Ref": "DeploymentNamespace"
                    },
                    "-",
                    {
                      "Ref": "AWS::Region"
                    },
                    "-AccountAssessment-Spoke-ExecutionRole"
                  ]
                ]
              }
            },
            {
              "Action": [
                "dynamodb:BatchGetItem",
                "dynamodb:Query",
                "dynamodb:GetItem",
                "dynamodb:Scan",
                "dynamodb:ConditionCheckItem",
                "dynamodb:BatchWriteItem",
                "dynamodb:PutItem",
                "dynamodb:UpdateItem",
                "dynamodb:DeleteItem",
                "dynamodb:DescribeTable"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "PolicyExplorerTable3E6DD7C7",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "PolicyExplorerTable3E6DD7C7",
                          "Arn"
                        ]
                      },
                      "/index/*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": [
                "dynamodb:GetRecords",
                "dynamodb:GetShardIterator"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "PolicyExplorerTable3E6DD7C7",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "PolicyExplorerTable3E6DD7C7",
                          "Arn"
                        ]
                      },
                      "/index/*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": [
                "dynamodb:BatchGetItem",
                "dynamodb:Query",
                "dynamodb:GetItem",
                "dynamodb:Scan",
                "dynamodb:ConditionCheckItem",
                "dynamodb:BatchWriteItem",
                "dynamodb:PutItem",
                "dynamodb:UpdateItem",
                "dynamodb:DeleteItem",
                "dynamodb:DescribeTable"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "JobHistoryTableE4B293DD",
                    "Arn"
                  ]
                }
              ]
            },
            {
              "Action": [
                "dynamodb:GetRecords",
                "dynamodb:GetShardIterator"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "JobHistoryTableE4B293DD",
                    "Arn"
                  ]
                }
              ]
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "PolicyExplorerPolicyExplorerScanSingleAccountServiceRoleDefaultPolicy62631D58",
        "Roles": [
          {
            "Ref": "PolicyExplorerPolicyExplorerScanSingleAccountServiceRole14522DF7"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/PolicyExplorer/PolicyExplorerScanSingleAccount/ServiceRole/DefaultPolicy/Resource",
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "W12",
              "reason": "Resource * is necessary for xray:PutTraceSegments and xray:PutTelemetryRecords."
            }
          ]
        }
      }
    },
    "PolicyExplorerPolicyExplorerScanSingleAccount706DFDA3": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Code": {
          "S3Bucket": {
            "Fn::Sub": "solutions-${AWS::Region}"
          },
          "S3Key": "account-assessment-for-aws-organizations/1.1.11/lambda.zip"
        },
        "Environment": {
          "Variables": {
            "COMPONENT_TABLE": {
              "Ref": "PolicyExplorerTable3E6DD7C7"
            },
            "TABLE_JOBS": {
              "Ref": "JobHistoryTableE4B293DD"
            },
            "TIME_TO_LIVE_IN_DAYS": {
              "Ref": "DynamoTimeToLive"
            },
            "POLICY_ITEM_TTL_IN_DAYS": "1",
            "NAMESPACE": {
              "Ref": "DeploymentNamespace"
            },
            "SPOKE_ROLE_NAME": {
              "Fn::Join": [
                "",
                [
                  {
                    "Ref": "DeploymentNamespace"
                  },
                  "-",
                  {
                    "Ref": "AWS::Region"
                  },
                  "-AccountAssessment-Spoke-ExecutionRole"
                ]
              ]
            },
            "ORG_MANAGEMENT_ROLE_NAME": {
              "Fn::Join": [
                "",
                [
                  {
                    "Ref": "DeploymentNamespace"
                  },
                  "-",
                  {
                    "Ref": "AWS::Region"
                  },
                  "-AccountAssessment-OrgMgmtStackRole"
                ]
              ]
            },
            "LOG_LEVEL": "INFO",
            "POWERTOOLS_SERVICE_NAME": "ScanResourceBasedPolicyInSpokeAccount",
            "SOLUTION_VERSION": "1.1.11",
            "STACK_ID": {
              "Ref": "AWS::StackId"
            },
            "SEND_ANONYMOUS_DATA": {
              "Fn::FindInMap": [
                "AnonymousData",
                "SendAnonymousData",
                "Data"
              ]
            }
          }
        },
        "Handler": "policy_explorer/scan_single_service.lambda_handler",
        "MemorySize": 3584,
        "Role": {
          "Fn::GetAtt": [
            "PolicyExplorerPolicyExplorerScanSingleAccountServiceRole14522DF7",
            "Arn"
          ]
        },
        "Runtime": "python3.12",
        "Timeout": 29,
        "TracingConfig": {
          "Mode": "Active"
        }
      },
      "DependsOn": [
        "PolicyExplorerPolicyExplorerScanSingleAccountServiceRoleDefaultPolicy62631D58",
        "PolicyExplorerPolicyExplorerScanSingleAccountServiceRole14522DF7"
      ],
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/PolicyExplorer/PolicyExplorerScanSingleAccount/Resource",
        "aws:asset:path": "asset.75af5bc354d804a606f4a3ffdb615436c4b3930dd3b4316b802ec94f573b0763.zip",
        "aws:asset:is-bundled": false,
        "aws:asset:property": "Code",
        "guard": {
          "SuppressedRules": [
            "LAMBDA_INSIDE_VPC",
            "LAMBDA_CONCURRENCY_CHECK"
          ]
        }
      }
    },
    "PolicyExplorerFinishAsyncJobServiceRole7B0710E4": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "lambda.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "ManagedPolicyArns": [
          {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
              ]
            ]
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/PolicyExplorer/FinishAsyncJob/ServiceRole/Resource",
        "guard": {
          "SuppressedRules": [
            "CFN_NO_EXPLICIT_RESOURCE_NAMES"
          ]
        }
      }
    },
    "PolicyExplorerFinishAsyncJobServiceRoleDefaultPolicy3BB1F1AC": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "xray:PutTraceSegments",
                "xray:PutTelemetryRecords"
              ],
              "Effect": "Allow",
              "Resource": "*"
            },
            {
              "Action": [
                "dynamodb:BatchGetItem",
                "dynamodb:Query",
                "dynamodb:GetItem",
                "dynamodb:Scan",
                "dynamodb:ConditionCheckItem",
                "dynamodb:BatchWriteItem",
                "dynamodb:PutItem",
                "dynamodb:UpdateItem",
                "dynamodb:DeleteItem",
                "dynamodb:DescribeTable"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "JobHistoryTableE4B293DD",
                    "Arn"
                  ]
                }
              ]
            },
            {
              "Action": [
                "dynamodb:GetRecords",
                "dynamodb:GetShardIterator"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "JobHistoryTableE4B293DD",
                    "Arn"
                  ]
                }
              ]
            },
            {
              "Action": [
                "dynamodb:BatchGetItem",
                "dynamodb:Query",
                "dynamodb:GetItem",
                "dynamodb:Scan",
                "dynamodb:ConditionCheckItem",
                "dynamodb:BatchWriteItem",
                "dynamodb:PutItem",
                "dynamodb:UpdateItem",
                "dynamodb:DeleteItem",
                "dynamodb:DescribeTable"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "PolicyExplorerTable3E6DD7C7",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "PolicyExplorerTable3E6DD7C7",
                          "Arn"
                        ]
                      },
                      "/index/*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": [
                "dynamodb:GetRecords",
                "dynamodb:GetShardIterator"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "PolicyExplorerTable3E6DD7C7",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "PolicyExplorerTable3E6DD7C7",
                          "Arn"
                        ]
                      },
                      "/index/*"
                    ]
                  ]
                }
              ]
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "PolicyExplorerFinishAsyncJobServiceRoleDefaultPolicy3BB1F1AC",
        "Roles": [
          {
            "Ref": "PolicyExplorerFinishAsyncJobServiceRole7B0710E4"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/PolicyExplorer/FinishAsyncJob/ServiceRole/DefaultPolicy/Resource",
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "W12",
              "reason": "Resource * is required because xray:PutTraceSegments and xray:PutTelemetryRecords do not support resource-level permissions."
            }
          ]
        }
      }
    },
    "PolicyExplorerFinishAsyncJob297E891C": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Code": {
          "S3Bucket": {
            "Fn::Sub": "solutions-${AWS::Region}"
          },
          "S3Key": "account-assessment-for-aws-organizations/1.1.11/lambda.zip"
        },
        "Environment": {
          "Variables": {
            "COMPONENT_TABLE": {
              "Ref": "PolicyExplorerTable3E6DD7C7"
            },
            "TABLE_JOBS": {
              "Ref": "JobHistoryTableE4B293DD"
            },
            "TIME_TO_LIVE_IN_DAYS": {
              "Ref": "DynamoTimeToLive"
            },
            "POWERTOOLS_SERVICE_NAME": "FinishScanForResourceBasedPolicies",
            "SOLUTION_VERSION": "1.1.11",
            "STACK_ID": {
              "Ref": "AWS::StackId"
            },
            "SEND_ANONYMOUS_DATA": {
              "Fn::FindInMap": [
                "AnonymousData",
                "SendAnonymousData",
                "Data"
              ]
            }
          }
        },
        "Handler": "policy_explorer/finish_scan.lambda_handler",
        "Role": {
          "Fn::GetAtt": [
            "PolicyExplorerFinishAsyncJobServiceRole7B0710E4",
            "Arn"
          ]
        },
        "Runtime": "python3.12",
        "Timeout": 60,
        "TracingConfig": {
          "Mode": "Active"
        }
      },
      "DependsOn": [
        "PolicyExplorerFinishAsyncJobServiceRoleDefaultPolicy3BB1F1AC",
        "PolicyExplorerFinishAsyncJobServiceRole7B0710E4"
      ],
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/PolicyExplorer/FinishAsyncJob/Resource",
        "aws:asset:path": "asset.75af5bc354d804a606f4a3ffdb615436c4b3930dd3b4316b802ec94f573b0763.zip",
        "aws:asset:is-bundled": false,
        "aws:asset:property": "Code",
        "guard": {
          "SuppressedRules": [
            "LAMBDA_INSIDE_VPC",
            "LAMBDA_CONCURRENCY_CHECK"
          ]
        }
      }
    },
    "PolicyExplorerScanAllSpokeAccountsRole398CEDEC": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "states.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/PolicyExplorer/ScanAllSpokeAccounts/Role/Resource",
        "guard": {
          "SuppressedRules": [
            "CFN_NO_EXPLICIT_RESOURCE_NAMES"
          ]
        }
      }
    },
    "PolicyExplorerScanAllSpokeAccountsRoleDefaultPolicyE01329E7": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": "lambda:InvokeFunction",
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "PolicyExplorerFinishAsyncJob297E891C",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "PolicyExplorerFinishAsyncJob297E891C",
                          "Arn"
                        ]
                      },
                      ":*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": "lambda:InvokeFunction",
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "PolicyExplorerValidateSpokeAccessA430B0C1",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "PolicyExplorerValidateSpokeAccessA430B0C1",
                          "Arn"
                        ]
                      },
                      ":*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": "lambda:InvokeFunction",
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "PolicyExplorerPolicyExplorerScanSpokeResourceCE1226F7",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "PolicyExplorerPolicyExplorerScanSpokeResourceCE1226F7",
                          "Arn"
                        ]
                      },
                      ":*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": [
                "xray:PutTraceSegments",
                "xray:PutTelemetryRecords",
                "xray:GetSamplingRules",
                "xray:GetSamplingTargets"
              ],
              "Effect": "Allow",
              "Resource": "*"
            },
            {
              "Action": "states:StartExecution",
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::Join": [
                    "",
                    [
                      "arn:",
                      {
                        "Ref": "AWS::Partition"
                      },
                      ":states:",
                      {
                        "Ref": "AWS::Region"
                      },
                      ":",
                      {
                        "Ref": "AWS::AccountId"
                      },
                      ":stateMachine:",
                      {
                        "Ref": "DeploymentNamespace"
                      },
                      "-PolicyExplorerScan-StateMachine"
                    ]
                  ]
                }
              ]
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "PolicyExplorerScanAllSpokeAccountsRoleDefaultPolicyE01329E7",
        "Roles": [
          {
            "Ref": "PolicyExplorerScanAllSpokeAccountsRole398CEDEC"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/PolicyExplorer/ScanAllSpokeAccounts/Role/DefaultPolicy/Resource",
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "W12",
              "reason": "Resource * is required because xray:PutTraceSegments, xray:PutTelemetryRecords, xray:GetSamplingRules and xray:GetSamplingTargets do not support resource-level permissions."
            }
          ]
        }
      }
    },
    "PolicyExplorerScanAllSpokeAccountsC4284EFB": {
      "Type": "AWS::StepFunctions::StateMachine",
      "Properties": {
        "DefinitionString": {
          "Fn::Join": [
            "",
            [
              "{\"StartAt\":\"AccountIterator\",\"States\":{\"AccountIterator\":{\"Type\":\"Map\",\"ResultPath\":null,\"Next\":\"FinishJob\",\"InputPath\":\"$\",\"Catch\":[{\"ErrorEquals\":[\"States.ALL\"],\"ResultPath\":\"$.Error\",\"Next\":\"FailJob\"}],\"ItemsPath\":\"$.Scan.AccountIds\",\"ItemSelector\":{\"AccountId.$\":\"$$.Map.Item.Value\",\"ServiceNames.$\":\"$.Scan.ServiceNames\",\"JobId.$\":\"$.JobId\"},\"ItemProcessor\":{\"ProcessorConfig\":{\"Mode\":\"DISTRIBUTED\",\"ExecutionType\":\"STANDARD\"},\"StartAt\":\"AccountValidation\",\"States\":{\"AccountValidation\":{\"Next\":\"ServiceIterator\",\"Retry\":[{\"ErrorEquals\":[\"Lambda.ClientExecutionTimeoutException\",\"Lambda.ServiceException\",\"Lambda.AWSLambdaException\",\"Lambda.SdkClientException\"],\"IntervalSeconds\":2,\"MaxAttempts\":6,\"BackoffRate\":2}],\"Type\":\"Task\",\"ResultPath\":\"$.ValidationResult\",\"ResultSelector\":{\"ServicesToScanForAccount.$\":\"$.Payload.ServicesToScanForAccount\",\"Status.$\":\"$.Payload.Validation\",\"StatusCode.$\":\"$.StatusCode\",\"RequestId.$\":\"$.SdkResponseMetadata.RequestId\",\"Regions.$\":\"$.Payload.Regions\"},\"Resource\":\"arn:",
              {
                "Ref": "AWS::Partition"
              },
              ":states:::lambda:invoke\",\"Parameters\":{\"FunctionName\":\"",
              {
                "Fn::GetAtt": [
                  "PolicyExplorerValidateSpokeAccessA430B0C1",
                  "Arn"
                ]
              },
              "\",\"Payload.$\":\"$\"}},\"ServiceIterator\":{\"Type\":\"Map\",\"End\":true,\"ItemsPath\":\"$.ValidationResult.ServicesToScanForAccount\",\"ItemSelector\":{\"ServiceName.$\":\"$$.Map.Item.Value\",\"AccountId.$\":\"$.AccountId\",\"Regions.$\":\"$.ValidationResult.Regions\",\"JobId.$\":\"$.JobId\"},\"ItemProcessor\":{\"ProcessorConfig\":{\"Mode\":\"INLINE\"},\"StartAt\":\"ScanServicePerAccount\",\"States\":{\"ScanServicePerAccount\":{\"Next\":\"TaskComplete\",\"Retry\":[{\"ErrorEquals\":[\"Lambda.ClientExecutionTimeoutException\",\"Lambda.ServiceException\",\"Lambda.AWSLambdaException\",\"Lambda.SdkClientException\"],\"IntervalSeconds\":2,\"MaxAttempts\":6,\"BackoffRate\":2}],\"Type\":\"Task\",\"ResultSelector\":{\"Status.$\":\"$.Payload\",\"StatusCode.$\":\"$.StatusCode\",\"RequestId.$\":\"$.SdkResponseMetadata.RequestId\"},\"Resource\":\"arn:",
              {
                "Ref": "AWS::Partition"
              },
              ":states:::lambda:invoke\",\"Parameters\":{\"FunctionName\":\"",
              {
                "Fn::GetAtt": [
                  "PolicyExplorerPolicyExplorerScanSpokeResourceCE1226F7",
                  "Arn"
                ]
              },
              "\",\"Payload.$\":\"$\"}},\"TaskComplete\":{\"Type\":\"Pass\",\"Parameters\":{\"StartTime.$\":\"$$.Execution.StartTime\",\"ExecutionName.$\":\"$$.Execution.Name\"},\"End\":true}}},\"MaxConcurrency\":10}}},\"MaxConcurrency\":10},\"FinishJob\":{\"Next\":\"Success\",\"Retry\":[{\"ErrorEquals\":[\"Lambda.ClientExecutionTimeoutException\",\"Lambda.ServiceException\",\"Lambda.AWSLambdaException\",\"Lambda.SdkClientException\"],\"IntervalSeconds\":2,\"MaxAttempts\":6,\"BackoffRate\":2}],\"Type\":\"Task\",\"Resource\":\"arn:",
              {
                "Ref": "AWS::Partition"
              },
              ":states:::lambda:invoke\",\"Parameters\":{\"FunctionName\":\"",
              {
                "Fn::GetAtt": [
                  "PolicyExplorerFinishAsyncJob297E891C",
                  "Arn"
                ]
              },
              "\",\"Payload\":{\"AssessmentType\":\"POLICY_EXPLORER\",\"Result\":\"SUCCEEDED\",\"JobId.$\":\"$.JobId\"}}},\"Success\":{\"Type\":\"Succeed\"},\"FailJob\":{\"Next\":\"Failed\",\"Retry\":[{\"ErrorEquals\":[\"Lambda.ClientExecutionTimeoutException\",\"Lambda.ServiceException\",\"Lambda.AWSLambdaException\",\"Lambda.SdkClientException\"],\"IntervalSeconds\":2,\"MaxAttempts\":6,\"BackoffRate\":2}],\"Type\":\"Task\",\"Resource\":\"arn:",
              {
                "Ref": "AWS::Partition"
              },
              ":states:::lambda:invoke\",\"Parameters\":{\"FunctionName\":\"",
              {
                "Fn::GetAtt": [
                  "PolicyExplorerFinishAsyncJob297E891C",
                  "Arn"
                ]
              },
              "\",\"Payload\":{\"AssessmentType\":\"POLICY_EXPLORER\",\"Result\":\"FAILED\",\"JobId.$\":\"$.JobId\",\"Error.$\":\"$.Error\"}}},\"Failed\":{\"Type\":\"Fail\"}}}"
            ]
          ]
        },
        "RoleArn": {
          "Fn::GetAtt": [
            "PolicyExplorerScanAllSpokeAccountsRole398CEDEC",
            "Arn"
          ]
        },
        "StateMachineName": {
          "Fn::Join": [
            "",
            [
              {
                "Ref": "DeploymentNamespace"
              },
              "-PolicyExplorerScan-StateMachine"
            ]
          ]
        },
        "TracingConfiguration": {
          "Enabled": true
        }
      },
      "DependsOn": [
        "PolicyExplorerScanAllSpokeAccountsRoleDefaultPolicyE01329E7",
        "PolicyExplorerScanAllSpokeAccountsRole398CEDEC"
      ],
      "UpdateReplacePolicy": "Delete",
      "DeletionPolicy": "Delete",
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/PolicyExplorer/ScanAllSpokeAccounts/Resource"
      }
    },
    "PolicyExplorerpolicyexplorerscheduleruleEventsRule02E815BD": {
      "Type": "AWS::Events::Rule",
      "Properties": {
        "ScheduleExpression": "cron(00 23 * * ? *)",
        "State": "ENABLED",
        "Targets": [
          {
            "Arn": {
              "Fn::GetAtt": [
                "PolicyExplorerStartScan0A32F675",
                "Arn"
              ]
            },
            "Id": "Target0"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/PolicyExplorer/policy-explorer-schedule-rule/EventsRule/Resource"
      }
    },
    "PolicyExplorerReadServiceRole0CAC9B9E": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "lambda.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "ManagedPolicyArns": [
          {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
              ]
            ]
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/PolicyExplorer/Read/ServiceRole/Resource",
        "guard": {
          "SuppressedRules": [
            "CFN_NO_EXPLICIT_RESOURCE_NAMES"
          ]
        }
      }
    },
    "PolicyExplorerReadServiceRoleDefaultPolicy96327407": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "xray:PutTraceSegments",
                "xray:PutTelemetryRecords"
              ],
              "Effect": "Allow",
              "Resource": "*"
            },
            {
              "Action": [
                "dynamodb:BatchGetItem",
                "dynamodb:Query",
                "dynamodb:GetItem",
                "dynamodb:Scan",
                "dynamodb:ConditionCheckItem",
                "dynamodb:DescribeTable"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "PolicyExplorerTable3E6DD7C7",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "PolicyExplorerTable3E6DD7C7",
                          "Arn"
                        ]
                      },
                      "/index/*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": [
                "dynamodb:GetRecords",
                "dynamodb:GetShardIterator"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "PolicyExplorerTable3E6DD7C7",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "PolicyExplorerTable3E6DD7C7",
                          "Arn"
                        ]
                      },
                      "/index/*"
                    ]
                  ]
                }
              ]
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "PolicyExplorerReadServiceRoleDefaultPolicy96327407",
        "Roles": [
          {
            "Ref": "PolicyExplorerReadServiceRole0CAC9B9E"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/PolicyExplorer/Read/ServiceRole/DefaultPolicy/Resource",
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "W12",
              "reason": "Resource * is required because xray:PutTraceSegments and xray:PutTelemetryRecords do not support resource-level permissions."
            }
          ]
        }
      }
    },
    "PolicyExplorerReadD7458004": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Code": {
          "S3Bucket": {
            "Fn::Sub": "solutions-${AWS::Region}"
          },
          "S3Key": "account-assessment-for-aws-organizations/1.1.11/lambda.zip"
        },
        "Environment": {
          "Variables": {
            "COMPONENT_TABLE": {
              "Ref": "PolicyExplorerTable3E6DD7C7"
            },
            "TABLE_JOBS": {
              "Ref": "JobHistoryTableE4B293DD"
            },
            "NAMESPACE": {
              "Ref": "DeploymentNamespace"
            },
            "POWERTOOLS_SERVICE_NAME": "ReadPolicyExplorer",
            "SOLUTION_VERSION": "1.1.11",
            "STACK_ID": {
              "Ref": "AWS::StackId"
            },
            "SEND_ANONYMOUS_DATA": {
              "Fn::FindInMap": [
                "AnonymousData",
                "SendAnonymousData",
                "Data"
              ]
            }
          }
        },
        "Handler": "policy_explorer/read_policies.lambda_handler",
        "Role": {
          "Fn::GetAtt": [
            "PolicyExplorerReadServiceRole0CAC9B9E",
            "Arn"
          ]
        },
        "Runtime": "python3.12",
        "Timeout": 60,
        "TracingConfig": {
          "Mode": "Active"
        }
      },
      "DependsOn": [
        "PolicyExplorerReadServiceRoleDefaultPolicy96327407",
        "PolicyExplorerReadServiceRole0CAC9B9E"
      ],
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-hub/PolicyExplorer/Read/Resource",
        "aws:asset:path": "asset.75af5bc354d804a606f4a3ffdb615436c4b3930dd3b4316b802ec94f573b0763.zip",
        "aws:asset:is-bundled": false,
        "aws:asset:property": "Code",
        "guard": {
          "SuppressedRules": [
            "LAMBDA_INSIDE_VPC",
            "LAMBDA_CONCURRENCY_CHECK"
          ]
        }
      }
    }
  },
  "Outputs": {
    "ApiAccountAssessmentForAWSOrganisationsApiEndpoint584AF851": {
      "Value": {
        "Fn::Join": [
          "",
          [
            "https://",
            {
              "Ref": "ApiAccountAssessmentForAWSOrganisationsApiCC987D5A"
            },
            ".execute-api.",
            {
              "Ref": "AWS::Region"
            },
            ".",
            {
              "Ref": "AWS::URLSuffix"
            },
            "/",
            {
              "Ref": "ApiAccountAssessmentForAWSOrganisationsApiDeploymentStageprod6B748DCF"
            },
            "/"
          ]
        ]
      }
    },
    "ApiApiGatewayURLE593E542": {
      "Value": {
        "Fn::Join": [
          "",
          [
            "https://",
            {
              "Ref": "ApiAccountAssessmentForAWSOrganisationsApiCC987D5A"
            },
            ".execute-api.",
            {
              "Ref": "AWS::Region"
            },
            ".amazonaws.com/prod"
          ]
        ]
      }
    },
    "WebUserInterfaceURL": {
      "Value": {
        "Fn::Join": [
          "",
          [
            "https://",
            {
              "Fn::GetAtt": [
                "CloudFrontCloudFrontDistribution824F3346",
                "DomainName"
              ]
            }
          ]
        ]
      }
    },
    "AuthUserPoolIdOutputF07C6764": {
      "Value": {
        "Ref": "AuthFullAccessUsers932AF091"
      }
    },
    "AuthUserPoolClientIdOutputC3824669": {
      "Value": {
        "Ref": "AuthFullAccessUsersWebUIClient18642E52"
      }
    }
  },
  "Mappings": {
    "AnonymousData": {
      "SendAnonymousData": {
        "Data": "Yes"
      }
    }
  }
}