@austoonz
Last active January 3, 2025 04:27
CloudFormation Templates
---
AWSTemplateFormatVersion: '2010-09-09'
Description: Creates a Systems Manager Association with inline PowerShell.
Resources:
  Association:
    Type: AWS::SSM::Association
    Properties:
      AssociationName: AssociationName
      Name: AWS-RunPowerShellScript
      Parameters:
        # The inline script runs under the SSM Agent's account (SYSTEM on Windows, root on Linux)
        # on every instance carrying the target tag, once a day. Anyone who can update this stack
        # or the association (cloudformation:UpdateStack, ssm:UpdateAssociation) can therefore
        # change what runs fleet-wide; restrict those permissions accordingly.
        commands:
          - |
            Write-Host 'This is some embedded PowerShell!'
        executionTimeout:
          - '300'
      ScheduleExpression: 'rate(1 day)'
      Targets:
        - Key: 'tag:Service'
          Values:
            - 'ServiceName'
---
AWSTemplateFormatVersion: '2010-09-09'
Description: A CloudFormation template for creating an S3 Bucket with an SNS Trigger.
Parameters:
  BucketName:
    Type: String
    Description: The name of the S3 Bucket to create
Metadata:
  AWS::CloudFormation::Interface:
    ParameterLabels:
      BucketName:
        default: S3 Bucket Name
Resources:
  S3Bucket:
    Type: AWS::S3::Bucket
    # The topic policy must exist before S3 validates the notification configuration,
    # otherwise bucket creation fails while validating the destination.
    DependsOn:
      - SNSTopicPolicy
    Properties:
      # A static BucketName is required: the AWS::SNS::TopicPolicy below references the
      # bucket ARN and the bucket references the topic, so !Ref S3Bucket in the policy
      # would be a circular dependency.
      BucketName: !Ref BucketName
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      # Buckets are now created with ACLs disabled (BucketOwnerEnforced); a canned ACL such as
      # BucketOwnerFullControl would be rejected. BucketOwnerEnforced gives the bucket owner
      # ownership of every object, including cross-account uploads, without any ACL.
      OwnershipControls:
        Rules:
          - ObjectOwnership: BucketOwnerEnforced
      LifecycleConfiguration:
        Rules:
          -
            AbortIncompleteMultipartUpload:
              DaysAfterInitiation: 3
            NoncurrentVersionExpirationInDays: 3
            Status: Enabled
      LoggingConfiguration:
        DestinationBucketName: !Ref S3BucketLogs
        # No leading slash: a leading '/' becomes an empty first path segment in the log object key.
        LogFilePrefix: !Sub 'logs/${BucketName}/'
      NotificationConfiguration:
        TopicConfigurations:
          -
            Event: s3:ObjectCreated:Put
            Topic: !Ref SNSTopic
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      Tags:
        -
          Key: Description
          Value: Object Storage
      VersioningConfiguration:
        Status: Enabled
  SNSTopic:
    Type: AWS::SNS::Topic
  SNSTopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics:
        - !Ref SNSTopic
      PolicyDocument:
        Id: SNSTopicPolicy
        Version: '2012-10-17'
        Statement:
          -
            Sid: S3TriggerAccess
            Effect: Allow
            # Only the S3 service may publish, and only on behalf of this bucket in this account.
            # aws:SourceAccount matters because S3 bucket ARNs carry no account ID: if the bucket
            # were ever deleted, another account could recreate the name and satisfy aws:SourceArn
            # on its own. A wildcard AWS principal with only aws:SourceArn is too loose.
            Principal:
              Service: s3.amazonaws.com
            Action:
              - sns:Publish
            Resource:
              - !Ref SNSTopic
            Condition:
              ArnLike:
                aws:SourceArn: !Sub 'arn:aws:s3:::${BucketName}'
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId
          # If you do not require cross-account subscriptions, this statement can be removed
          -
            Sid: CrossAccountSubscriptionAccess
            Effect: Allow
            Principal:
              AWS:
                # List of AWS Accounts for cross-account subscriptions; replace the placeholder ID
                - 'arn:aws:iam::123456789012:root'
            Action:
              - sns:Subscribe
              - sns:Receive
              - sns:ListSubscriptionsByTopic
            Resource:
              - !Ref SNSTopic
  # If a source AWS Account is going to put objects into the Bucket, keep this resource,
  # if not, this BucketPolicy can be removed.
  S3BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref S3Bucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          -
            Sid: PutObjectAccess
            Action:
              - s3:PutObject
            Effect: Allow
            Principal:
              AWS:
                - '123456789012' # Replace with a valid source AWS Account Id
            # s3:PutObject is an object-level action: the Resource must be the object ARN
            # (bucket/*). Granting it on the bare bucket ARN matches nothing and the
            # cross-account upload is denied.
            Resource:
              - !Sub 'arn:aws:s3:::${BucketName}/*'
  S3BucketLogs:
    Type: AWS::S3::Bucket
    Properties:
      # The LogDeliveryWrite canned ACL needs ACLs enabled on the log bucket; with the current
      # default (BucketOwnerEnforced, ACLs disabled) bucket creation would fail. BucketOwnerPreferred
      # keeps ACLs on for the log delivery group while the bucket owner still owns the delivered
      # logs. The ACL-free alternative is a bucket policy granting s3:PutObject on this bucket
      # to the logging.s3.amazonaws.com service principal.
      OwnershipControls:
        Rules:
          - ObjectOwnership: BucketOwnerPreferred
      AccessControl: LogDeliveryWrite
      LifecycleConfiguration:
        Rules:
          -
            AbortIncompleteMultipartUpload:
              DaysAfterInitiation: 7
            Status: Enabled
            Transitions:
              -
                StorageClass: GLACIER
                TransitionInDays: 30
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      Tags:
        -
          Key: Description
          Value: S3 Access Logs
Outputs:
  S3Bucket:
    Value: !Ref S3Bucket
    Description: S3 Bucket for object storage
  SNSTopicArn:
    Value: !Ref SNSTopic
    Description: SNS Topic for S3 Object Triggers
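The two resource policies in this template are the kind of thing worth checking mechanically before deploying. The following is an added example, not the gist author's code: a small offline Python linter run over the policies as CloudFormation would render them, using constructed placeholder account, bucket and topic values. It flags the S3TriggerAccess statement as the gist originally wrote it (an `AWS: '*'` principal guarded only by `aws:SourceArn`, with no `aws:SourceAccount`), the PutObjectAccess grant on a bucket ARN rather than `bucket/*`, and a missing policy `Version`; the hardened forms pass. The same checks apply to SQS queue policies such as the one in the next template.

```python
"""Offline lint for the resource policies in the template above (added example; not part of the gist).

Takes policy documents as they look once CloudFormation has resolved !Ref/!Sub
and flags: a missing 2012-10-17 Version; a wildcard principal with no source
condition, or guarded only by aws:SourceArn (S3 bucket ARNs carry no account
ID, so aws:SourceAccount is needed too); and object-level S3 actions granted
on a bucket ARN instead of bucket/*. Bucket, topic and account values in the
samples below are constructed placeholders.
"""
from __future__ import annotations

from typing import Any

S3_PREFIX = "arn:aws:s3:::"
# Actions that act on objects; their Resource must be an object ARN (bucket/key or bucket/*).
OBJECT_LEVEL_ACTIONS = {"s3:putobject", "s3:getobject", "s3:deleteobject", "s3:putobjectacl"}


def _as_list(value: Any) -> list:
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal: Any) -> bool:
    """True for Principal: "*" or Principal: {"AWS": "*"} (in string or list form)."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _condition_keys(statement: dict) -> set[str]:
    """Flatten {"ArnLike": {"aws:SourceArn": ...}} into {"aws:sourcearn"}."""
    return {k.lower() for operands in statement.get("Condition", {}).values() for k in operands}


def lint_policy(policy: dict) -> list[str]:
    """Return findings for one policy document; an empty list means none detected."""
    findings: list[str] = []
    if policy.get("Version") != "2012-10-17":
        findings.append("policy: Version missing or outdated; set '2012-10-17'")
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        keys = _condition_keys(stmt)
        if _is_wildcard_principal(stmt.get("Principal")):
            if not keys & {"aws:sourcearn", "aws:sourceaccount"}:
                findings.append(f"{sid}: wildcard principal with no source condition (public)")
            elif "aws:sourceaccount" not in keys:
                findings.append(f"{sid}: wildcard principal guarded only by aws:SourceArn; "
                                "add aws:SourceAccount and use a Service principal")
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if actions & OBJECT_LEVEL_ACTIONS:
            for arn in _as_list(stmt.get("Resource")):
                if arn.startswith(S3_PREFIX) and "/" not in arn[len(S3_PREFIX):]:
                    findings.append(f"{sid}: object-level action on bucket ARN {arn}; use {arn}/*")
    return findings


# Constructed samples: the S3TriggerAccess and PutObjectAccess statements as the
# gist originally rendered them, followed by the hardened equivalents.
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:example-topic"
BUCKET_ARN = "arn:aws:s3:::example-bucket"

ORIGINAL_TOPIC_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "S3TriggerAccess", "Effect": "Allow", "Principal": {"AWS": ["*"]},
    "Action": ["sns:Publish"], "Resource": [TOPIC_ARN],
    "Condition": {"ArnLike": {"aws:SourceArn": BUCKET_ARN}}}]}

HARDENED_TOPIC_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "S3TriggerAccess", "Effect": "Allow", "Principal": {"Service": "s3.amazonaws.com"},
    "Action": ["sns:Publish"], "Resource": [TOPIC_ARN],
    "Condition": {"ArnLike": {"aws:SourceArn": BUCKET_ARN},
                  "StringEquals": {"aws:SourceAccount": "123456789012"}}}]}

ORIGINAL_BUCKET_POLICY = {"Statement": [{
    "Sid": "PutObjectAccess", "Effect": "Allow", "Principal": {"AWS": ["123456789012"]},
    "Action": ["s3:PutObject"], "Resource": [BUCKET_ARN]}]}

HARDENED_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PutObjectAccess", "Effect": "Allow", "Principal": {"AWS": ["123456789012"]},
    "Action": ["s3:PutObject"], "Resource": [BUCKET_ARN + "/*"]}]}

if __name__ == "__main__":
    for name in ("ORIGINAL_TOPIC_POLICY", "HARDENED_TOPIC_POLICY",
                 "ORIGINAL_BUCKET_POLICY", "HARDENED_BUCKET_POLICY"):
        print(name, lint_policy(globals()[name]) or ["ok"])
```

The linter deliberately treats `aws:SourceArn` alone as insufficient only for wildcard principals; a statement with a `Service` principal is narrowed by the principal itself, and the `aws:SourceAccount` condition on the hardened topic policy closes the remaining bucket-name-reuse gap. It does not resolve CloudFormation intrinsics, so feed it the rendered JSON (for example from `aws cloudformation get-template` on a deployed stack, or from the SNS/SQS/S3 `get-*-policy` calls).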
---
AWSTemplateFormatVersion: '2010-09-09'
Description: Creates an SQS Queue that is subscribed to an SNS Topic
Parameters:
  SourceSNSTopicArn:
    Type: String
    Description: SNS Topic Arn to subscribe the SQS Queue to
Metadata:
  AWS::CloudFormation::Interface:
    ParameterLabels:
      SourceSNSTopicArn:
        default: SNS Topic Arn
Resources:
  SQSQueue:
    Type: AWS::SQS::Queue
    Properties:
      VisibilityTimeout: 180
      RedrivePolicy:
        deadLetterTargetArn: !GetAtt DeadLetterQueue.Arn
        maxReceiveCount: 3
      Tags:
        -
          Key: StackId
          Value: !Ref AWS::StackId
  SQSQueuePolicy:
    Type: AWS::SQS::QueuePolicy
    Properties:
      Queues:
        - !Ref SQSQueue
      PolicyDocument:
        Id: AllowIncomingAccess
        Version: '2012-10-17'
        Statement:
          # Principals in this account may send and receive. An account principal only
          # delegates: each caller still needs a matching identity-based (IAM) allow.
          -
            Effect: Allow
            Principal:
              AWS:
                - !Ref AWS::AccountId
            Action:
              - sqs:SendMessage
              - sqs:ReceiveMessage
            Resource:
              - !GetAtt SQSQueue.Arn
          # Only the SNS service may deliver, and only on behalf of the subscribed topic.
          # A '*' principal with the same condition would also work, since only services set
          # aws:SourceArn, but naming the service keeps the intent explicit and the grant narrow.
          -
            Effect: Allow
            Principal:
              Service: sns.amazonaws.com
            Action:
              - sqs:SendMessage
            Resource:
              - !GetAtt SQSQueue.Arn
            Condition:
              ArnEquals:
                aws:SourceArn: !Ref SourceSNSTopicArn
  DeadLetterQueue:
    Type: AWS::SQS::Queue
    Properties:
      VisibilityTimeout: 160
      Tags:
        -
          Key: StackId
          Value: !Ref AWS::StackId
  SNSSubscription:
    Type: AWS::SNS::Subscription
    # Create the queue policy before subscribing; deliveries attempted before the policy
    # exists are rejected by SQS and, once SNS exhausts its retries, lost.
    DependsOn:
      - SQSQueuePolicy
    Properties:
      TopicArn: !Ref SourceSNSTopicArn
      Endpoint: !GetAtt SQSQueue.Arn
      Protocol: sqs
      # The queue receives the published message body as-is instead of the SNS JSON envelope.
      RawMessageDelivery: true
  # Neither alarm has AlarmActions, so they only change state in CloudWatch; add an SNS
  # topic ARN under AlarmActions to actually be notified.
  SQSQueueAgeOfOldestMessage:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: SQSQueue_AgeOfOldestMessage
      AlarmDescription: Alarms if the SQS Queue has messages in it for too long
      ComparisonOperator: GreaterThanThreshold
      Dimensions:
        - Name: QueueName
          Value: !GetAtt SQSQueue.QueueName
      DatapointsToAlarm: 2
      EvaluationPeriods: 3
      MetricName: ApproximateAgeOfOldestMessage
      Namespace: AWS/SQS
      Period: 300
      Statistic: Maximum
      Threshold: 30
      TreatMissingData: notBreaching
      Unit: Seconds
  DeadLetterQueueApproximateNumberOfMessagesVisible:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: DeadLetterQueue_ApproximateNumberOfMessagesVisible
      AlarmDescription: Alarms if the Dead Letter Queue has too many messages
      ComparisonOperator: GreaterThanOrEqualToThreshold
      Dimensions:
        - Name: QueueName
          Value: !GetAtt DeadLetterQueue.QueueName
      DatapointsToAlarm: 2
      EvaluationPeriods: 3
      MetricName: ApproximateNumberOfMessagesVisible
      Namespace: AWS/SQS
      Period: 300
      Statistic: Maximum
      Threshold: 1
      TreatMissingData: notBreaching
Outputs:
  SQSQueueArn:
    Value: !GetAtt SQSQueue.Arn
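What the consumer of this queue actually receives depends on `RawMessageDelivery`, and getting that wrong is a common reason messages end up in the dead-letter queue. The following is an added example, not code from the gist: a Python parser for the SQS message body when the subscribed topic is fed by the S3 bucket template above. With `RawMessageDelivery: true` the body is the S3 event notification JSON itself; with it off, the body is the SNS envelope whose `Message` field holds that JSON as a string. The parser accepts both, skips the `s3:TestEvent` that S3 publishes when a notification configuration is saved, decodes the URL-encoded object key, and rejects messages from an unexpected topic or bucket. The topic ARN, bucket name and keys are constructed sample values.

```python
"""Consumer-side parsing of SQS messages delivered via the SNS subscription above
(added example; not part of the gist). Topic ARN, bucket and keys are constructed."""
from __future__ import annotations

import json
from dataclasses import dataclass
from urllib.parse import unquote_plus


@dataclass(frozen=True)
class S3Event:
    event_name: str
    bucket: str
    key: str
    size: int


def parse_sqs_body(body: str, expected_topic_arn: str, expected_bucket: str) -> list[S3Event]:
    """Turn one SQS message body into S3 events.

    Returns [] for S3's configuration test event. Raises ValueError when the
    message comes from an unexpected topic or bucket, so the caller can leave it
    for the redrive policy instead of processing it.
    """
    payload = json.loads(body)

    # RawMessageDelivery: false -> SNS envelope. Check the topic before trusting the inner message.
    # With raw delivery there is no envelope; origin is then enforced by the queue policy's
    # aws:SourceArn condition, not by anything in the body.
    if payload.get("Type") == "Notification" and "Message" in payload:
        if payload.get("TopicArn") != expected_topic_arn:
            raise ValueError(f"unexpected TopicArn {payload.get('TopicArn')!r}")
        payload = json.loads(payload["Message"])

    # S3 publishes this once when the notification configuration is created; nothing to do.
    if payload.get("Event") == "s3:TestEvent":
        return []

    events: list[S3Event] = []
    for record in payload.get("Records", []):
        s3 = record.get("s3", {})
        bucket = s3.get("bucket", {}).get("name")
        if bucket != expected_bucket:
            raise ValueError(f"record for unexpected bucket {bucket!r}")
        obj = s3.get("object", {})
        events.append(S3Event(
            event_name=record["eventName"],
            bucket=bucket,
            # S3 URL-encodes keys in notifications: 'my report.csv' arrives as 'my+report.csv'.
            key=unquote_plus(obj["key"]),
            size=int(obj.get("size", 0)),
        ))
    return events


def is_rejected(body: str, expected_topic_arn: str, expected_bucket: str) -> bool:
    """True if parse_sqs_body refuses the message (unexpected topic or bucket)."""
    try:
        parse_sqs_body(body, expected_topic_arn, expected_bucket)
    except ValueError:
        return True
    return False


# Constructed sample values.
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:example-topic"
BUCKET = "example-bucket"

# Constructed S3 event notification, as delivered with RawMessageDelivery: true.
RAW_BODY = json.dumps({"Records": [{
    "eventVersion": "2.1", "eventSource": "aws:s3", "eventName": "ObjectCreated:Put",
    "s3": {"bucket": {"name": BUCKET, "arn": f"arn:aws:s3:::{BUCKET}"},
           "object": {"key": "logs/2025/my+report.csv", "size": 1024}}}]})

# The same event wrapped in the SNS envelope (RawMessageDelivery: false).
ENVELOPED_BODY = json.dumps({"Type": "Notification", "TopicArn": TOPIC_ARN, "Message": RAW_BODY})

# Constructed copy of the test message S3 sends when the notification is configured.
TEST_EVENT_BODY = json.dumps({"Service": "Amazon S3", "Event": "s3:TestEvent", "Bucket": BUCKET})

if __name__ == "__main__":
    for label, body in (("raw", RAW_BODY), ("enveloped", ENVELOPED_BODY), ("test", TEST_EVENT_BODY)):
        print(label, parse_sqs_body(body, TOPIC_ARN, BUCKET))
```

Two points worth keeping in mind when wiring this into a real consumer: handle the test event and malformed messages explicitly, because an exception on every receive is exactly what fills the dead-letter queue after `maxReceiveCount` attempts; and note that with raw delivery the body carries no `TopicArn`, so the queue policy's `aws:SourceArn` condition is the only thing proving where a message came from.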