diff --git a/ec2/al2-mutable-private.yaml b/ec2/al2-mutable-private.yaml
index c17500c4b..806cdfcfa 100644
--- a/ec2/al2-mutable-private.yaml
+++ b/ec2/al2-mutable-private.yaml
@@ -868,7 +868,7 @@ Resources:
 - 'iam:ListSSHPublicKeys'
 - 'iam:GetSSHPublicKey'
 Resource:
- - !Sub 'arn:aws:iam::${AWS::AccountId}:user/*'
+ - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:user/*'
 VirtualMachine: # TODO make IMDSv2 required (waits for https://github.com/aws-cloudformation/aws-cloudformation-coverage-roadmap/issues/655)
 Type: 'AWS::EC2::Instance'
 Metadata:
@@ -1156,7 +1156,7 @@ Resources:
 ComparisonOperator: GreaterThanThreshold
 Threshold: 0
 AlarmActions:
- - !Sub 'arn:aws:automate:${AWS::Region}:ec2:recover'
+ - !Sub 'arn:${AWS::Partition}:automate:${AWS::Region}:ec2:recover'
 Dimensions:
 - Name: InstanceId
 Value: !Ref VirtualMachine
diff --git a/ec2/al2-mutable-public.yaml b/ec2/al2-mutable-public.yaml
index 464c775cd..8bc584c3f 100644
--- a/ec2/al2-mutable-public.yaml
+++ b/ec2/al2-mutable-public.yaml
@@ -877,7 +877,7 @@ Resources:
 - 'iam:ListSSHPublicKeys'
 - 'iam:GetSSHPublicKey'
 Resource:
- - !Sub 'arn:aws:iam::${AWS::AccountId}:user/*'
+ - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:user/*'
 VirtualMachine: # TODO make IMDSv2 required (waits for https://github.com/aws-cloudformation/aws-cloudformation-coverage-roadmap/issues/655)
 DependsOn: EIPAssociation
 Type: 'AWS::EC2::Instance'
@@ -1166,7 +1166,7 @@ Resources:
 ComparisonOperator: GreaterThanThreshold
 Threshold: 0
 AlarmActions:
- - !Sub 'arn:aws:automate:${AWS::Region}:ec2:recover'
+ - !Sub 'arn:${AWS::Partition}:automate:${AWS::Region}:ec2:recover'
 Dimensions:
 - Name: InstanceId
 Value: !Ref VirtualMachine
diff --git a/ecs/cluster-cost-optimized.yaml b/ecs/cluster-cost-optimized.yaml
index 24fc4fd12..86369d238 100644
--- a/ecs/cluster-cost-optimized.yaml
+++ b/ecs/cluster-cost-optimized.yaml
@@ -292,7 +292,7 @@ Resources:
 - 'ecs:SubmitContainerStateChange'
 - 'ecs:SubmitTaskStateChange'
 - 'ecs:ListContainerInstances'
- Resource: !Sub 'arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:cluster/${Cluster}'
+ Resource: !Sub 'arn:${AWS::Partition}:ecs:${AWS::Region}:${AWS::AccountId}:cluster/${Cluster}'
 - PolicyName: ecs-cluster-instance
 PolicyDocument:
 Version: '2012-10-17'
@@ -304,11 +304,11 @@ Resources:
 - 'ecs:UpdateContainerInstancesState'
 - 'ecs:ListTasks'
 - 'ecs:DescribeContainerInstances'
- Resource: !Sub 'arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:container-instance/*'
+ Resource: !Sub 'arn:${AWS::Partition}:ecs:${AWS::Region}:${AWS::AccountId}:container-instance/*'
 Condition:
 'StringEquals':
 'ecs:cluster':
- !Sub 'arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:cluster/${Cluster}'
+ !Sub 'arn:${AWS::Partition}:ecs:${AWS::Region}:${AWS::AccountId}:cluster/${Cluster}'
 - PolicyName: ecr
 PolicyDocument:
 Version: '2012-10-17'
@@ -351,7 +351,7 @@ Resources:
 - 'iam:ListSSHPublicKeys'
 - 'iam:GetSSHPublicKey'
 Resource:
- - !Sub 'arn:aws:iam::${AWS::AccountId}:user/*'
+ - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:user/*'
 ALBSecurityGroup:
 Type: 'AWS::EC2::SecurityGroup'
 Properties:
diff --git a/ecs/cluster.yaml b/ecs/cluster.yaml
index 6837d2e76..7ee4e66b3 100644
--- a/ecs/cluster.yaml
+++ b/ecs/cluster.yaml
@@ -325,7 +325,7 @@ Resources:
 - 'ecs:SubmitContainerStateChange'
 - 'ecs:SubmitTaskStateChange'
 - 'ecs:ListContainerInstances'
- Resource: !Sub 'arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:cluster/${Cluster}'
+ Resource: !Sub 'arn:${AWS::Partition}:ecs:${AWS::Region}:${AWS::AccountId}:cluster/${Cluster}'
 - PolicyName: ecs-cluster-instance
 PolicyDocument:
 Version: '2012-10-17'
@@ -337,11 +337,11 @@ Resources:
 - 'ecs:UpdateContainerInstancesState'
 - 'ecs:ListTasks'
 - 'ecs:DescribeContainerInstances'
- Resource: !Sub 'arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:container-instance/*'
+ Resource: !Sub 'arn:${AWS::Partition}:ecs:${AWS::Region}:${AWS::AccountId}:container-instance/*'
 Condition:
 'StringEquals':
 'ecs:cluster':
- !Sub 'arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:cluster/${Cluster}'
+ !Sub 'arn:${AWS::Partition}:ecs:${AWS::Region}:${AWS::AccountId}:cluster/${Cluster}'
 - PolicyName: ecr
 PolicyDocument:
 Version: '2012-10-17'
@@ -384,7 +384,7 @@ Resources:
 - 'iam:ListSSHPublicKeys'
 - 'iam:GetSSHPublicKey'
 Resource:
- - !Sub 'arn:aws:iam::${AWS::AccountId}:user/*'
+ - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:user/*'
 ALBSecurityGroup:
 Type: 'AWS::EC2::SecurityGroup'
 Properties:
@@ -1185,13 +1185,13 @@ Resources:
 Statement:
 - Effect: Allow
 Action: 'ecs:ListContainerInstances'
- Resource: !Sub 'arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:cluster/${Cluster}'
+ Resource: !Sub 'arn:${AWS::Partition}:ecs:${AWS::Region}:${AWS::AccountId}:cluster/${Cluster}'
 - Effect: Allow
 Action: 'ecs:DescribeContainerInstances'
 Resource: '*'
 Condition:
 ArnEquals:
- 'ecs:cluster': !Sub 'arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:cluster/${Cluster}'
+ 'ecs:cluster': !Sub 'arn:${AWS::Partition}:ecs:${AWS::Region}:${AWS::AccountId}:cluster/${Cluster}'
 - PolicyName: cloudwatch
 PolicyDocument:
 Statement:
diff --git a/ecs/service-cluster-alb.yaml b/ecs/service-cluster-alb.yaml
index cf4b24b2a..a31df7c54 100644
--- a/ecs/service-cluster-alb.yaml
+++ b/ecs/service-cluster-alb.yaml
@@ -303,7 +303,7 @@ Resources:
 Type: 'AWS::IAM::Role'
 Properties:
 ManagedPolicyArns:
- - 'arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole'
+ - !Sub 'arn:${AWS::Partition}:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole'
 AssumeRolePolicyDocument:
 Version: '2008-10-17'
 Statement:
diff --git a/ecs/service-dedicated-alb.yaml b/ecs/service-dedicated-alb.yaml
index 353ca00e2..31f36c186 100644
--- a/ecs/service-dedicated-alb.yaml
+++ b/ecs/service-dedicated-alb.yaml
@@ -411,7 +411,7 @@ Resources:
 Type: 'AWS::IAM::Role'
 Properties:
 ManagedPolicyArns:
- - 'arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole'
+ - !Sub 'arn:${AWS::Partition}:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole'
 AssumeRolePolicyDocument:
 Version: '2008-10-17'
 Statement:
diff --git a/jenkins/jenkins2-ha-agents.yaml b/jenkins/jenkins2-ha-agents.yaml
index 77edf2f19..467756260 100644
--- a/jenkins/jenkins2-ha-agents.yaml
+++ b/jenkins/jenkins2-ha-agents.yaml
@@ -680,7 +680,7 @@ Resources:
 - 'iam:ListSSHPublicKeys'
 - 'iam:GetSSHPublicKey'
 Resource:
- - !Sub 'arn:aws:iam::${AWS::AccountId}:user/*'
+ - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:user/*'
 MasterSG:
 Type: 'AWS::EC2::SecurityGroup'
 Properties:
@@ -1601,7 +1601,7 @@ Resources:
 - 'iam:ListSSHPublicKeys'
 - 'iam:GetSSHPublicKey'
 Resource:
- - !Sub 'arn:aws:iam::${AWS::AccountId}:user/*'
+ - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:user/*'
 AgentSG:
 Type: 'AWS::EC2::SecurityGroup'
 Properties:
diff --git a/jenkins/jenkins2-ha.yaml b/jenkins/jenkins2-ha.yaml
index 61ccd6ff3..f964e6582 100644
--- a/jenkins/jenkins2-ha.yaml
+++ b/jenkins/jenkins2-ha.yaml
@@ -600,7 +600,7 @@ Resources:
 - 'iam:ListSSHPublicKeys'
 - 'iam:GetSSHPublicKey'
 Resource:
- - !Sub 'arn:aws:iam::${AWS::AccountId}:user/*'
+ - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:user/*'
 MasterSG:
 Type: 'AWS::EC2::SecurityGroup'
 Properties:
diff --git a/security/auth-proxy-ha-github-orga.yaml b/security/auth-proxy-ha-github-orga.yaml
index 2cf65b178..2b93549ed 100644
--- a/security/auth-proxy-ha-github-orga.yaml
+++ b/security/auth-proxy-ha-github-orga.yaml
@@ -486,7 +486,7 @@ Resources:
 - 'iam:ListSSHPublicKeys'
 - 'iam:GetSSHPublicKey'
 Resource:
- - !Sub 'arn:aws:iam::${AWS::AccountId}:user/*'
+ - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:user/*'
 LaunchTemplate:
 Type: 'AWS::EC2::LaunchTemplate'
 Metadata:
diff --git a/security/cloudtrail.yaml b/security/cloudtrail.yaml
index a77f3bf8f..2d91967e8 100644
--- a/security/cloudtrail.yaml
+++ b/security/cloudtrail.yaml
@@ -94,13 +94,13 @@ Resources:
 Principal:
 Service: 'cloudtrail.amazonaws.com'
 Action: 's3:GetBucketAcl'
- Resource: !Sub 'arn:aws:s3:::${TrailBucket}'
+ Resource: !Sub 'arn:${AWS::Partition}:s3:::${TrailBucket}'
 - Sid: AWSCloudTrailWrite
 Effect: Allow
 Principal:
 Service: 'cloudtrail.amazonaws.com'
 Action: 's3:PutObject'
- Resource: !If [HasLogFilePrefix, !Sub 'arn:aws:s3:::${TrailBucket}/${LogFilePrefix}/AWSLogs/${AWS::AccountId}/*', !Sub 'arn:aws:s3:::${TrailBucket}/AWSLogs/${AWS::AccountId}/*']
+ Resource: !If [HasLogFilePrefix, !Sub 'arn:${AWS::Partition}:s3:::${TrailBucket}/${LogFilePrefix}/AWSLogs/${AWS::AccountId}/*', !Sub 'arn:${AWS::Partition}:s3:::${TrailBucket}/AWSLogs/${AWS::AccountId}/*']
 Condition:
 StringEquals:
 's3:x-amz-acl': 'bucket-owner-full-control'
@@ -167,7 +167,7 @@ Resources:
 IncludeGlobalServiceEvents: true
 IsLogging: true
 IsMultiRegionTrail: true
- EventSelectors: !If [IsS3DataEvents, [{DataResources: [{Type: 'AWS::S3::Object', Values: ['arn:aws:s3:::']}], IncludeManagementEvents: true, ReadWriteType: All}], !Ref 'AWS::NoValue']
+ EventSelectors: !If [IsS3DataEvents, [{DataResources: [{Type: 'AWS::S3::Object', Values: [!Sub 'arn:${AWS::Partition}:s3:::']}], IncludeManagementEvents: true, ReadWriteType: All}], !Ref 'AWS::NoValue']
 KMSKeyId: !If [HasParentKmsKeyStack, {'Fn::ImportValue': !Sub '${ParentKmsKeyStack}-KeyId'}, !Ref 'AWS::NoValue']
 S3BucketName: !Ref TrailBucket
 S3KeyPrefix: !Ref LogFilePrefix
@@ -184,7 +184,7 @@ Resources:
 IncludeGlobalServiceEvents: true
 IsLogging: true
 IsMultiRegionTrail: true
- EventSelectors: !If [IsS3DataEvents, [{DataResources: [{Type: 'AWS::S3::Object', Values: ['arn:aws:s3:::']}], IncludeManagementEvents: true, ReadWriteType: All}], !Ref 'AWS::NoValue']
+ EventSelectors: !If [IsS3DataEvents, [{DataResources: [{Type: 'AWS::S3::Object', Values: [!Sub 'arn:${AWS::Partition}:s3:::']}], IncludeManagementEvents: true, ReadWriteType: All}], !Ref 'AWS::NoValue']
 KMSKeyId: !If [HasParentKmsKeyStack, {'Fn::ImportValue': !Sub '${ParentKmsKeyStack}-KeyId'}, !Ref 'AWS::NoValue']
 S3BucketName: !Ref ExternalTrailBucket
 S3KeyPrefix: !Ref LogFilePrefix
diff --git a/security/config.yaml b/security/config.yaml
index aa2d05e5a..e495aa70f 100644
--- a/security/config.yaml
+++ b/security/config.yaml
@@ -108,7 +108,7 @@ Resources:
 Type: 'AWS::IAM::Role'
 Properties:
 ManagedPolicyArns:
- - 'arn:aws:iam::aws:policy/service-role/AWSConfigRole'
+ - !Sub 'arn:${AWS::Partition}:iam::aws:policy/service-role/AWSConfigRole'
 AssumeRolePolicyDocument:
 Version: '2012-10-17'
 Statement:
@@ -125,13 +125,13 @@ Resources:
 Statement:
 - Effect: Allow
 Action: 's3:PutObject'
- Resource: !Sub 'arn:aws:s3:::${ConfigBucket}/*'
+ Resource: !Sub 'arn:${AWS::Partition}:s3:::${ConfigBucket}/*'
 Condition:
 StringLike:
 's3:x-amz-acl': 'bucket-owner-full-control'
 - Effect: Allow
 Action: 's3:GetBucketAcl'
- Resource: !Sub 'arn:aws:s3:::${ConfigBucket}'
+ Resource: !Sub 'arn:${AWS::Partition}:s3:::${ConfigBucket}'
 - PolicyName: 'sns-policy'
 PolicyDocument:
 Version: '2012-10-17'
@@ -144,7 +144,7 @@ Resources:
 Type: 'AWS::IAM::Role'
 Properties:
 ManagedPolicyArns:
- - 'arn:aws:iam::aws:policy/service-role/AWSConfigRole'
+ - !Sub 'arn:${AWS::Partition}:iam::aws:policy/service-role/AWSConfigRole'
 AssumeRolePolicyDocument:
 Version: '2012-10-17'
 Statement:
diff --git a/security/kms-key-legacy.yaml b/security/kms-key-legacy.yaml
index ee235b16b..caa5a8c92 100644
--- a/security/kms-key-legacy.yaml
+++ b/security/kms-key-legacy.yaml
@@ -46,7 +46,7 @@ Resources:
 'detail-type':
 - 'AWS API Call via CloudTrail'
 resources:
- - !Sub 'arn:aws:${AWS::Partition}:${AWS::Region}:${AWS::AccountId}:key/${KeyId}'
+ - !Sub 'arn:${AWS::Partition}:${AWS::Partition}:${AWS::Region}:${AWS::AccountId}:key/${KeyId}'
 detail:
 eventSource:
 - 'kms.amazonaws.com'
diff --git a/security/kms-key.yaml b/security/kms-key.yaml
index c2f588851..fc4ddcdb4 100644
--- a/security/kms-key.yaml
+++ b/security/kms-key.yaml
@@ -104,7 +104,7 @@ Resources:
 Statement:
 - Effect: Allow
 Principal:
- AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
+ AWS: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:root'
 Action: 'kms:*'
 Resource: '*'
 - !If
@@ -189,7 +189,7 @@ Resources:
 Resource: '*'
 Condition:
 StringLike:
- 'kms:EncryptionContext:aws:cloudtrail:arn': !Sub 'arn:aws:cloudtrail:*:${AWS::AccountId}:trail/*'
+ 'kms:EncryptionContext:aws:cloudtrail:arn': !Sub 'arn:${AWS::Partition}:cloudtrail:*:${AWS::AccountId}:trail/*'
 - !Ref 'AWS::NoValue'
 KeyAlias:
 DeletionPolicy: Retain
diff --git a/state/elasticsearch.yaml b/state/elasticsearch.yaml
index c49d417e8..00aeb330d 100644
--- a/state/elasticsearch.yaml
+++ b/state/elasticsearch.yaml
@@ -151,7 +151,7 @@ Resources:
 AWS: '*'
 Action:
 - 'es:ESHttp*'
- Resource: !Sub 'arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/${DomainName}/*'
+ Resource: !Sub 'arn:${AWS::Partition}:es:${AWS::Region}:${AWS::AccountId}:domain/${DomainName}/*'
 DomainName: !Ref 'DomainName'
 EBSOptions: !If
 - HasEBSEnabled
diff --git a/state/secretsmanager-dbsecret.yaml b/state/secretsmanager-dbsecret.yaml
index 9797fe2d6..8c10e1158 100644
--- a/state/secretsmanager-dbsecret.yaml
+++ b/state/secretsmanager-dbsecret.yaml
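Review bot: The new `resources:` entry in the kms-key-legacy hunk still carries `${AWS::Partition}` in the ARN's service segment, so it renders as `arn:aws:aws:<region>:<account>:key/<id>` and can never equal a KMS key ARN, whose service segment is `kms`; the event pattern this sits in (`detail-type` of `AWS API Call via CloudTrail`, `eventSource` of `kms.amazonaws.com`) would therefore never match an event for the key, and whatever the rule is meant to trigger on would silently not fire. The pre-change line already had the same misplacement (`arn:aws:${AWS::Partition}:...`) and the partition sweep carried it forward instead of correcting it, which is easy to miss because the line looks like every other hunk in the commit. The line should read `- !Sub 'arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${KeyId}'`. The resource that owns this event pattern begins before the hunk, so I could not confirm from here what action the rule drives.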
@@ -91,7 +91,7 @@ Resources:
 Action: 'secretsmanager:DeleteSecret'
 Effect: Deny
 Principal:
- AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
+ AWS: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:root'
 Outputs:
 TemplateID:
 Description: 'cloudonaut.io template id.'
diff --git a/static-website/static-website.yaml b/static-website/static-website.yaml
index 3fcb9c6af..73eba0a77 100644
--- a/static-website/static-website.yaml
+++ b/static-website/static-website.yaml
@@ -188,7 +188,7 @@ Resources:
 Statement:
 - Action: 's3:GetObject'
 Effect: Allow
- Resource: !Sub 'arn:aws:s3:::${S3Bucket}/*'
+ Resource: !Sub 'arn:${AWS::Partition}:s3:::${S3Bucket}/*'
 Principal:
 CanonicalUser: !GetAtt CloudFrontOriginAccessIdentity.S3CanonicalUserId
 - Sid: AllowSSLRequestsOnly # AWS Foundational Security Best Practices v1.0.0 S3.5
diff --git a/vpc/vpc-flow-logs-s3.yaml b/vpc/vpc-flow-logs-s3.yaml
index ef8ee5449..c72feccc4 100644
--- a/vpc/vpc-flow-logs-s3.yaml
+++ b/vpc/vpc-flow-logs-s3.yaml
@@ -108,7 +108,7 @@ Resources:
 Condition: ExternalBucket
 Type: 'AWS::EC2::FlowLog'
 Properties:
- LogDestination: !If [HasLogFilePrefix, !Sub 'arn:aws:s3:::${ExternalLogBucket}/${LogFilePrefix}/', !Sub 'arn:aws:s3:::${ExternalLogBucket}']
+ LogDestination: !If [HasLogFilePrefix, !Sub 'arn:${AWS::Partition}:s3:::${ExternalLogBucket}/${LogFilePrefix}/', !Sub 'arn:${AWS::Partition}:s3:::${ExternalLogBucket}']
 LogDestinationType: s3
 ResourceId: {'Fn::ImportValue': !Sub '${ParentVPCStack}-VPC'}
 ResourceType: 'VPC'
diff --git a/vpc/vpc-nat-instance.yaml b/vpc/vpc-nat-instance.yaml
index aa0ec9073..e16e4992e 100644
--- a/vpc/vpc-nat-instance.yaml
+++ b/vpc/vpc-nat-instance.yaml
@@ -282,7 +282,7 @@ Resources:
 - 'iam:ListSSHPublicKeys'
 - 'iam:GetSSHPublicKey'
 Resource:
- - !Sub 'arn:aws:iam::${AWS::AccountId}:user/*'
+ - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:user/*'
 LaunchTemplate:
 Type: 'AWS::EC2::LaunchTemplate'
 Metadata:
diff --git a/vpc/vpc-ssh-bastion.yaml b/vpc/vpc-ssh-bastion.yaml
index cec86bc19..2de23bb4b 100644
--- a/vpc/vpc-ssh-bastion.yaml
+++ b/vpc/vpc-ssh-bastion.yaml
@@ -243,7 +243,7 @@ Resources:
 - 'iam:ListSSHPublicKeys'
 - 'iam:GetSSHPublicKey'
 Resource:
- - !Sub 'arn:aws:iam::${AWS::AccountId}:user/*'
+ - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:user/*'
 LaunchTemplate:
 Type: 'AWS::EC2::LaunchTemplate'
 Metadata:
diff --git a/vpc/vpc-vpn-bastion.yaml b/vpc/vpc-vpn-bastion.yaml
index 5b32cb1ec..00c9b446a 100644
--- a/vpc/vpc-vpn-bastion.yaml
+++ b/vpc/vpc-vpn-bastion.yaml
@@ -435,7 +435,7 @@ Resources:
 Action:
 - 'iam:ListSSHPublicKeys'
 - 'iam:GetSSHPublicKey'
- Resource: !Sub 'arn:aws:iam::${AWS::AccountId}:user/*'
+ Resource: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:user/*'
 LaunchTemplate:
 Type: 'AWS::EC2::LaunchTemplate'
 Metadata:
diff --git a/wordpress/wordpress-ha-aurora.yaml b/wordpress/wordpress-ha-aurora.yaml
index c33767f14..8b15222f9 100644
--- a/wordpress/wordpress-ha-aurora.yaml
+++ b/wordpress/wordpress-ha-aurora.yaml
@@ -665,7 +665,7 @@ Resources:
 - 'iam:ListSSHPublicKeys'
 - 'iam:GetSSHPublicKey'
 Resource:
- - !Sub 'arn:aws:iam::${AWS::AccountId}:user/*'
+ - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:user/*'
 LaunchTemplate:
 DependsOn: [DatabaseA, DatabaseB]
 Type: 'AWS::EC2::LaunchTemplate'
diff --git a/wordpress/wordpress-ha.yaml b/wordpress/wordpress-ha.yaml
index a24586c3a..d7a3af227 100644
--- a/wordpress/wordpress-ha.yaml
+++ b/wordpress/wordpress-ha.yaml
@@ -798,7 +798,7 @@ Resources:
 - 'iam:ListSSHPublicKeys'
 - 'iam:GetSSHPublicKey'
 Resource:
- - !Sub 'arn:aws:iam::${AWS::AccountId}:user/*'
+ - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:user/*'
 LaunchTemplate:
 Type: 'AWS::EC2::LaunchTemplate'
 Metadata: