-
Notifications
You must be signed in to change notification settings - Fork 69
/
Copy pathSimple_CMS.yaml
191 lines (191 loc) · 5.45 KB
/
Simple_CMS.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
AWSTemplateFormatVersion: 2010-09-09
Description: Automaticaly provision and configure the AWS services necessary to deploy
an S3 bucket along with CloudFront Distribution to allow for simple hosting of images
and attachments for Pinpoint emails or other uses..
Resources:
StaticFiles:
Type: AWS::S3::Bucket
Properties:
AccessControl: Private
PublicAccessBlockConfiguration:
BlockPublicAcls: true
BlockPublicPolicy: true
IgnorePublicAcls: true
RestrictPublicBuckets: true
VersioningConfiguration:
Status: Enabled
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
LoggingConfiguration:
DestinationBucketName:
Ref: LogBucket
LogFilePrefix: simple-cms-s3/
LogBucket:
Type: AWS::S3::Bucket
DeletionPolicy: Retain
Metadata:
cfn_nag:
rules_to_suppress:
- id: W35
reason: This is the log bucket.
Properties:
AccessControl: LogDeliveryWrite
PublicAccessBlockConfiguration:
BlockPublicAcls: true
BlockPublicPolicy: true
IgnorePublicAcls: true
RestrictPublicBuckets: true
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
VersioningConfiguration:
Status: Enabled
LogBucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket:
Ref: LogBucket
PolicyDocument:
Version: 2012-10-17
Statement:
- Sid: AWSCloudTrailAclCheck
Effect: Allow
Principal:
Service: cloudtrail.amazonaws.com
Action: s3:GetBucketAcl
Resource:
Fn::Sub: arn:aws:s3:::${LogBucket}
- Sid: AWSCloudTrailWrite
Effect: Allow
Principal:
Service: cloudtrail.amazonaws.com
Action: s3:PutObject
Resource:
Fn::Sub: arn:aws:s3:::${LogBucket}/AWSLogs/${AWS::AccountId}/*
Condition:
StringEquals:
s3:x-amz-acl: bucket-owner-full-control
- Sid: LogBucketAllowSSLRequestsOnly
Effect: Deny
Principal: '*'
Action: s3:*
Resource:
- Fn::Sub: arn:aws:s3:::${LogBucket}/*
- Fn::Sub: arn:aws:s3:::${LogBucket}
Condition:
Bool:
aws:SecureTransport: 'false'
ReadPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket:
Ref: StaticFiles
PolicyDocument:
Statement:
- Action: s3:GetObject
Effect: Allow
Resource:
Fn::Sub: arn:aws:s3:::${StaticFiles}/*
Principal:
CanonicalUser:
Fn::GetAtt:
- CloudFrontOriginAccessIdentity
- S3CanonicalUserId
CloudFrontOriginAccessIdentity:
Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
Properties:
CloudFrontOriginAccessIdentityConfig:
Comment:
Fn::GetAtt:
- StaticFiles
- RegionalDomainName
CloudFrontDistribution:
Type: AWS::CloudFront::Distribution
DependsOn:
- LogBucket
- CloudFrontOriginAccessIdentity
Metadata:
cfn_nag:
rules_to_suppress:
- id: W70
reason: Using CloudFront Provided Cert which defaults this to TLS1. Hoping
to avoid customer needing to provision cert just to deploy solution.
Properties:
DistributionConfig:
Origins:
- DomainName:
Fn::GetAtt:
- StaticFiles
- RegionalDomainName
Id:
Fn::GetAtt:
- StaticFiles
- RegionalDomainName
S3OriginConfig:
OriginAccessIdentity:
Fn::Sub: origin-access-identity/cloudfront/${CloudFrontOriginAccessIdentity}
DefaultCacheBehavior:
AllowedMethods:
- GET
- HEAD
- OPTIONS
CachedMethods:
- GET
- HEAD
- OPTIONS
Compress: true
DefaultTTL: 60
ForwardedValues:
Cookies:
Forward: none
QueryString: false
MaxTTL: 86400
MinTTL: 0
SmoothStreaming: false
TargetOriginId:
Fn::GetAtt:
- StaticFiles
- RegionalDomainName
ViewerProtocolPolicy: redirect-to-https
Comment: ''
PriceClass: PriceClass_All
Enabled: true
ViewerCertificate:
CloudFrontDefaultCertificate: true
MinimumProtocolVersion: TLSv1.2_2018
Restrictions:
GeoRestriction:
RestrictionType: none
HttpVersion: http2
IPV6Enabled: true
DefaultRootObject: index.html
Logging:
Bucket:
Fn::GetAtt:
- LogBucket
- DomainName
IncludeCookies: true
Prefix: simple-cms-cloudfront
Outputs:
Domain:
Description: Cloudfront Domain
Value:
Fn::GetAtt:
- CloudFrontDistribution
- DomainName
S3Bucket:
Description: The S3 Bucket used to store images and attachments
Value:
Ref: StaticFiles
SimpleCMSURL:
Description: Use this link to prefix your images and attachments
Value:
Fn::Sub:
- https://${CFDomain}/
- CFDomain:
Fn::GetAtt:
- CloudFrontDistribution
- DomainName