

# AMS CloudFormation ingest
<a name="ams-cfn-ingest"></a>

The AMS AWS CloudFormation ingest change type (CT) enables you to use your existing CloudFormation templates, with some modifications, to deploy custom stacks in an AMS-managed VPC.

**Topics**
+ [CloudFormation Ingest Guidelines, Best Practices, and Limitations](cfn-author-templates.md)
+ [CloudFormation Ingest: Examples](cfn-ingest-examples.md)
+ [Create CloudFormation ingest stack](#ex-cfn-ingest-create-col)
+ [Update CloudFormation ingest stack](#ex-cfn-ingest-update-col)
+ [Approve a CloudFormation ingest stack changeset](#ex-cfn-ingest-approve-and-update-col)
+ [Update CloudFormation stacks termination protection](#ex-cfn-term-pro-update-col)
+ [Automated IAM deployments using CFN ingest or stack update CTs in AMS](cfn-ingest-iam-deploy.md)

The AMS CloudFormation ingest process involves the following:
+ Prepare and upload your custom CloudFormation template to an S3 bucket, or provide the template inline when creating the RFC. If you use an S3 bucket, supply a presigned URL for the template; for more information, see [presign](https://docs.aws.amazon.com/cli/latest/reference/s3/presign.html).
+ Submit the CloudFormation ingest change type to AMS in an RFC. For the CFN ingest change type walkthrough, see [Create CloudFormation ingest stack](#ex-cfn-ingest-create-col). For CFN ingest examples, see [CloudFormation Ingest: Examples](cfn-ingest-examples.md).
+ After your stack is created, you can update it and remediate drift on it; if an update fails, you can explicitly approve and implement the update. All of these procedures are described in this section.

  For information on CFN drift detection, see [New – CloudFormation Drift Detection](https://aws.amazon.com/blogs/aws/new-cloudformation-drift-detection/).

**Note**  
  
This change type now has a version 2.0. Version 2.0 is automated, not manually executed, so the CT completes more quickly. Two new parameters are introduced with this version: **CloudFormationTemplate**, which enables you to paste a custom CloudFormation template into the RFC, and **VpcId**, which enables CloudFormation ingest to be used with the AMS multi-account landing zone.
Version 1.0 is a manual change type: an AMS operator must take some action before the change type can successfully conclude. At minimum, a review is required. This version also requires the **CloudFormationTemplateS3Endpoint** parameter value to be a presigned URL.

# CloudFormation Ingest Guidelines, Best Practices, and Limitations
<a name="cfn-author-templates"></a>

For AMS to process your CloudFormation template, there are some guidelines and restrictions.

## Guidelines
<a name="cfn-ingest-tips"></a>

To reduce CloudFormation errors while performing CloudFormation ingest, follow these guidelines:
+ **Don't embed credentials or other sensitive information in the template** – The CloudFormation template is visible in the CloudFormation console, so it must not contain credentials or other sensitive data. The following resource properties are allowed only if you use AWS Secrets Manager for the value:
  + `AWS::RDS::DBInstance` - [MasterUserPassword,TdeCredentialPassword]
  + `AWS::RDS::DBCluster` - [MasterUserPassword]
  + `AWS::ElastiCache::ReplicationGroup` - [AuthToken]
**Note**  
For information about using an AWS Secrets Manager secret in a resource property, see [ How to create and retrieve secrets managed in AWS Secrets Manager using AWS CloudFormation templates](https://aws.amazon.com/blogs/security/how-to-create-and-retrieve-secrets-managed-in-aws-secrets-manager-using-aws-cloudformation-template/) and [Using Dynamic References to Specify Template Values](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html).
+ **Use Amazon RDS snapshots to create RDS DB instances** – By doing this you avoid having to provide a MasterUserPassword.
+ **Prefix IAM instance profile names with 'customer'** – If the template you submit contains an IAM instance profile, its name must be prefixed with 'customer'. For example, an instance profile named 'example-instance-profile' causes the ingest to fail; use 'customer-example-instance-profile' instead.
+ **Don't include sensitive data in `AWS::EC2::Instance` [UserData]** – UserData must not contain passwords, API keys, or any other sensitive data. Such data can instead be encrypted and stored in an S3 bucket, then downloaded onto the instance by UserData.
+ **IAM policy creation using CloudFormation templates is supported with constraints** – IAM policies have to be reviewed and approved by AMS SecOps. Currently we only support deploying IAM roles with in-line policies that contain pre-approved permissions. In other cases, IAM policies can't be created using CloudFormation templates because that would override the AMS SecOps process.
+ **SSH KeyPairs aren't supported** – Amazon EC2 instances must be accessed through the AMS access management system. The AMS RFC process authenticates you. You cannot include SSH keypairs in CloudFormation templates because you don't have the permissions to create SSH keypairs and override the AMS access management model. 
+ **Security Group ingress rules are restricted** – You can't have a source CIDR range from 0.0.0.0/0, or a publicly routable address space, with a TCP port that is anything other than 80 or 443.
+ **Follow CloudFormation guidelines when writing CloudFormation resource templates** – Ensure that you use the right data type/property name for the resource by referring to the *AWS CloudFormation User Guide* for that resource. For example, the data type of SecurityGroupIds property in an AWS::EC2::Instance resource is 'List of String values', so ["sg-aaaaaaaa"] is ok (with brackets), but "sg-aaaaaaaa" is not (without brackets).

  For more information, see [AWS Resource and Property Types Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html).
+ **Configure your custom CloudFormation templates to use parameters defined in the AMS CloudFormation ingest CT** – When your CloudFormation template uses parameters defined in the AMS CloudFormation ingest CT, you can reuse the template to create similar stacks by submitting it with changed parameter values in the CT input of the Management > Custom stack > Stack from CloudFormation template > Update CT (ct-361tlo1k7339x). For an example, see [CloudFormation Ingest examples: Defining resources](cfn-ingest-ex-define-resource.md).
+ **Amazon S3 bucket endpoints with a presigned URL can't be expired** – If you are using an Amazon S3 bucket endpoint with a presigned URL, verify that the presigned Amazon S3 URL isn't expired. A CloudFormation ingest RFC submitted with an expired presigned Amazon S3 bucket URL is rejected.
+ **Wait Condition requires signal logic** – A Wait Condition coordinates stack resource creation with configuration actions that are external to the stack creation. If you use the Wait Condition resource in the template, CloudFormation waits for a success signal and marks stack creation as failed if the required number of success signals is not received. You must implement the signal logic if you use the Wait Condition resource. For more information, see [Creating Wait Conditions in a Template](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-waitcondition.html).

# Best Practices
<a name="cfn-ingest-best-practices"></a>

Following are some best practices you can use to migrate resources using the AMS CloudFormation ingest process:
+ **Submit IAM and other policy-related resources in one CT** – If you can use automated CTs such as CloudFormation Ingest to deploy IAM roles, we recommend you do so. In other cases, AMS recommends that you gather all IAM or other policy-related resources and submit them in a single Management > Other > Other > Create change type (ct-1e1xtak34nx76). For example, combine all needed IAM roles, IAM Amazon EC2 instance profiles, IAM policy updates for existing IAM roles, Amazon S3 bucket policies, Amazon SNS/Amazon SQS policies, and so forth, and submit a ct-1e1xtak34nx76 RFC so that these pre-existing resources can simply be referenced inside future CloudFormation ingest templates.
+ **EC2 instances are bootstrapped and successfully joined to the domain** – This is done automatically as a best practice. To ensure that the Amazon EC2 instances launched via a CloudFormation ingest stack are bootstrapped and join the domain successfully, AMS includes a CreationPolicy and an UpdatePolicy for an Auto Scaling group resource (that is, if these policies don't already exist).
+ **Amazon RDS DB instance parameter must be specified** – When creating an Amazon RDS database via CloudFormation ingest, you must specify the `DBSnapshotIdentifier` parameter so that the database is restored from a previous DB snapshot. This is required because CloudFormation ingest does not currently handle sensitive data.

For an example of how to use a CloudFormation template for AMS CloudFormation template ingest, see [CloudFormation Ingest: Examples](cfn-ingest-examples.md).

# Template validation
<a name="cfn-ingest-validate"></a>

You can self-validate your CloudFormation template before submitting it to AMS.

Templates submitted to AMS CloudFormation ingest are validated to ensure they are safe to deploy within an AMS account. The validation process checks the following:
+ **Supported resources** – Only AMS CloudFormation ingest-supported resources are used. For more information, see [Supported Resources](cfn-ingest-supp-services.md).
+ **Supported AMIs** – The AMI in the template is an AMS-supported AMI. For information about AMS AMIs, see [AMS Amazon Machine Images (AMIs)](ams-amis.md).
+ **AMS Shared Services subnet** – The template does not attempt to launch resources into the AMS Shared Services subnet.
+ **Resource policies** – There are no overly permissive resource policies, such as a publicly readable or writable S3 bucket policy. AMS doesn't allow publicly readable or writable S3 buckets in AWS accounts.

## Validate with CloudFormation Linter
<a name="cfn-ingest-validate-linter"></a>

You can self-validate your CloudFormation template before submitting it to AMS by using the CloudFormation Linter tool.

The CloudFormation Linter tool is the best way to validate your CloudFormation template as it provides validation for resource/property names, data types, and functions. For more information, see [aws-cloudformation/cfn-python-lint](https://github.com/aws-cloudformation/cfn-python-lint).

For example, linting a template whose `AWS::SNS::Topic` resource sets an invalid `Name` property produces output like the following:

```
$ cfn-lint -t ./testtmpl.json
E3002 Invalid Property Resources/SNSTopic/Properties/Name
./testtmpl.json:6:9
```

To assist with offline validation of CloudFormation templates, AMS has developed a set of pluggable custom validation rules for the CloudFormation Linter tool. They're located on the **Developers Resources** page of the AMS console.

Follow these steps to use CloudFormation pre-ingestion validation scripts:

1. Install the CloudFormation Linter tool. For installation instructions, see [aws-cloudformation/cfn-lint](https://github.com/aws-cloudformation/cfn-python-lint).

1. Download a .zip file with validation scripts:

    [CFN Lint Custom Rules](https://github.com/awslabs/aws-managed-services/tree/main/cfn-lint-custom-rules).

1. Unzip the attached rules to a directory of your choice.

1. Validate your CloudFormation template by running the following command:

   ```
   cfn-lint --template {TEMPLATE_FILE} --append-rules {DIRECTORY_WITH_CUSTOM_RULES}
   ```

# CloudFormation ingest stack: CFN validator examples
<a name="ex-cfn-ingest-validator"></a>

These examples can help you prepare your template for a successful ingest.

## Format validation
<a name="cfn-validator-templates"></a>

Validate that the template contains a "Resources" section, and all resources defined under it have a "Type" value.

```
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description" : "Create a SNS topic",
  "Resources": {
    "SnsTopic": {
      "Type": "AWS::SNS::Topic"
    }
  }
}
```

Validate that the root keys of the template are allowed. Allowed root keys are:

```
[
  "AWSTemplateFormatVersion",  
  "Description",  
  "Mappings",  
  "Parameters",  
  "Conditions",  
  "Resources",  
  "Rules",  
  "Outputs",  
  "Metadata"
]
```

## Manual Managed Automation validation
<a name="cfn-validator-ex-man"></a>

If the template contains the following resources, automatic validation fails and you'll need a manual review.

The resource policies listed below are high-risk areas from a security standpoint. For example, an S3 bucket policy that allows anyone other than specific users or groups to create objects, or that grants them write permissions, is extremely dangerous. AMS therefore validates these policies manually and approves or denies them based on their contents; such policies cannot be auto-created. We are investigating possible approaches to address this issue.

We currently don’t have automated validation around the following resources.

```
[
    "S3::BucketPolicy",
    "SNS::TopicPolicy",
    "SQS::QueuePolicy"
]
```

## Parameter validation
<a name="cfn-validator-examples-param"></a>

Validate that every template parameter either has a value provided or has a default value.

## Resource attribute validation
<a name="cfn-validator-examples-resource-atts"></a>

Required attribute check: Certain attributes must exist for certain resource types.
+ "VPCOptions" must exist in `AWS::OpenSearch::Domain`
+ "ClusterSubnetGroupName" must exist in `AWS::Redshift::Cluster`

```
{
    "AWS::OpenSearch::Domain": [
      "VPCOptions"
    ],
    "AWS::Redshift::Cluster": [
      "ClusterSubnetGroupName"
    ]
}
```

Disallowed attributes check: Certain attributes must *not* exist for certain resource types.
+ "SecretString" must not exist in "AWS::SecretsManager::Secret"
+ "MongoDbSettings" must not exist in "AWS::DMS::Endpoint"

```
{
  "AWS::SecretsManager::Secret": [
    "SecretString"  
  ],  
  "AWS::DMS::Endpoint": [
    "MongoDbSettings"  
  ]
}
```

SSM parameter check: For attributes in the following list, values must be specified via Secrets Manager or Systems Manager Parameter Store (Secure String Parameter):

```
{
  "RDS::DBInstance": [
    "MasterUserPassword",
    "TdeCredentialPassword"
  ],
  "RDS::DBCluster": [
    "MasterUserPassword"
  ],
  "ElastiCache::ReplicationGroup": [
    "AuthToken"
  ],
  "DMS::Certificate": [
    "CertificatePem",
    "CertificateWallet"
  ],
  "DMS::Endpoint": [
    "Password"
  ],
  "CodePipeline::Webhook": {
    "AuthenticationConfiguration": [
      "SecretToken"
    ]
  },
  "DocDB::DBCluster": [
    "MasterUserPassword"
  ]
}
```

Some attributes must comply with certain patterns; for example, IAM instance profile names must not start with [AMS reserved prefixes](https://docs.aws.amazon.com/managedservices/latest/userguide/ams-reserved-prefixes), and the attribute value must match the specific regex as shown:

```
{
    "AWS::EC2::Instance": {
      "IamInstanceProfile": [
        "^(?!arn:aws:iam|ams|Ams|AMS|AWSManagedServices|Managed_Services|mc|Mc|MC|sentinel|Sentinel).+",
        "arn:aws:iam::(\\$\\{AWS::AccountId\\}|[0-9]+):instance-profile/(?!ams|Ams|AMS|AWSManagedServices|Managed_Services|mc|Mc|MC|sentinel|Sentinel).+"
      ]
    },
    "AWS::AutoScaling::LaunchConfiguration": {
      "IamInstanceProfile": [
        "^(?!arn:aws:iam|ams|Ams|AMS|AWSManagedServices|Managed_Services|mc|Mc|MC|sentinel|Sentinel).+",
        "arn:aws:iam::(\\$\\{AWS::AccountId\\}|[0-9]+):instance-profile/(?!ams|Ams|AMS|AWSManagedServices|Managed_Services|mc|Mc|MC|sentinel|Sentinel).+"
      ]
    },
    "AWS::EC2::LaunchTemplate": {
      "LaunchTemplateData.IamInstanceProfile.Name": [
        "^(?!ams|Ams|AMS|AWSManagedServices|Managed_Services|mc|Mc|MC|sentinel|Sentinel).+"
      ],
      "LaunchTemplateData.IamInstanceProfile.Arn": [
        "arn:aws:iam::(\\$\\{AWS::AccountId\\}|[0-9]+):instance-profile\/(?!ams|Ams|AMS|AWSManagedServices|Managed_Services|mc|Mc|MC|sentinel|Sentinel).+"
      ]
    }
}
```
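The format checks (allowed root keys, a `Resources` section whose entries all have a `Type`) and the resource-attribute checks above (required and disallowed attributes, secret-bearing attributes, instance profile patterns), implemented as an offline pre-ingestion check. This is an added example, not the AMS validator or the AMS cfn-lint rules: the rule tables are copied from this page, while `validate_template`, `_profile_ok` and the two sample templates are constructed here, and treating a `{{resolve:secretsmanager:...}}` or `{{resolve:ssm-secure:...}}` dynamic reference as what satisfies the Secrets Manager / SSM SecureString rule is an assumption about how that rule is applied.

```python
import re

# Rule tables transcribed from the validator examples on this page.
ALLOWED_ROOT_KEYS = {"AWSTemplateFormatVersion", "Description", "Mappings", "Parameters",
                     "Conditions", "Resources", "Rules", "Outputs", "Metadata"}
REQUIRED_ATTRS = {"AWS::OpenSearch::Domain": ["VPCOptions"],
                  "AWS::Redshift::Cluster": ["ClusterSubnetGroupName"]}
DISALLOWED_ATTRS = {"AWS::SecretsManager::Secret": ["SecretString"],
                    "AWS::DMS::Endpoint": ["MongoDbSettings"]}
SECRET_ATTRS = {"AWS::RDS::DBInstance": ["MasterUserPassword", "TdeCredentialPassword"],
                "AWS::RDS::DBCluster": ["MasterUserPassword"],
                "AWS::ElastiCache::ReplicationGroup": ["AuthToken"],
                "AWS::DMS::Certificate": ["CertificatePem", "CertificateWallet"],
                "AWS::DMS::Endpoint": ["Password"],
                "AWS::DocDB::DBCluster": ["MasterUserPassword"]}
RESERVED = "ams|Ams|AMS|AWSManagedServices|Managed_Services|mc|Mc|MC|sentinel|Sentinel"
# A bare profile name must not start with a reserved prefix; an ARN must point at a
# non-reserved profile in this account. Same patterns as the EC2/LaunchConfiguration table.
PROFILE_PATTERNS = [
    re.compile(rf"^(?!arn:aws:iam|{RESERVED}).+"),
    re.compile(rf"arn:aws:iam::(\$\{{AWS::AccountId\}}|[0-9]+):instance-profile/(?!{RESERVED}).+"),
]
PROFILE_RESOURCES = {"AWS::EC2::Instance", "AWS::AutoScaling::LaunchConfiguration"}
# Assumption: a secret-bearing attribute counts as "specified via Secrets Manager or an SSM
# SecureString parameter" only when it is a CloudFormation dynamic reference of this shape.
DYNAMIC_REF = re.compile(r"^\{\{resolve:(secretsmanager|ssm-secure):.+\}\}$")


def _profile_ok(profile) -> bool:
    """Accept a bare name or an ARN as long as neither uses an AMS reserved prefix."""
    return isinstance(profile, str) and any(p.match(profile) for p in PROFILE_PATTERNS)


def validate_template(template: dict) -> list[str]:
    """Run the format and resource-attribute checks; an empty list means they all passed."""
    findings = [f"root key not allowed: {k}" for k in template if k not in ALLOWED_ROOT_KEYS]
    resources = template.get("Resources")
    if not isinstance(resources, dict) or not resources:
        return findings + ["template has no Resources section"]
    for name, res in resources.items():
        rtype = res.get("Type") if isinstance(res, dict) else None
        if not rtype:
            findings.append(f"{name}: resource has no Type")
            continue
        props = res.get("Properties") or {}
        findings += [f"{name}: {rtype} requires {a}" for a in REQUIRED_ATTRS.get(rtype, []) if a not in props]
        findings += [f"{name}: {rtype} must not set {a}" for a in DISALLOWED_ATTRS.get(rtype, []) if a in props]
        for attr in SECRET_ATTRS.get(rtype, []):
            value = props.get(attr)
            if value is not None and not (isinstance(value, str) and DYNAMIC_REF.match(value)):
                findings.append(f"{name}: {attr} must be a secretsmanager or ssm-secure dynamic reference")
        if rtype in PROFILE_RESOURCES and "IamInstanceProfile" in props and not _profile_ok(props["IamInstanceProfile"]):
            findings.append(f"{name}: IamInstanceProfile uses an AMS reserved prefix or a bad ARN")
    return findings


# Constructed sample: a template that trips each check once.
BAD_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Transform": "AWS::Serverless-2016-10-31",  # not in the allowed root keys
    "Resources": {
        "Db": {"Type": "AWS::RDS::DBInstance", "Properties": {"MasterUserPassword": "plain-text-password"}},
        "Warehouse": {"Type": "AWS::Redshift::Cluster", "Properties": {}},
        "Web": {"Type": "AWS::EC2::Instance", "Properties": {"IamInstanceProfile": "ams-web-profile"}},
        "Untyped": {"Properties": {}},
    },
}
# Constructed sample: the same stack written the way the rules expect.
GOOD_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "Db": {"Type": "AWS::RDS::DBInstance", "Properties": {
            "MasterUserPassword": "{{resolve:secretsmanager:prod/db:SecretString:password}}"}},
        "Warehouse": {"Type": "AWS::Redshift::Cluster",
                      "Properties": {"ClusterSubnetGroupName": "customer-subnets"}},
        "Web": {"Type": "AWS::EC2::Instance", "Properties": {
            "IamInstanceProfile": "arn:aws:iam::${AWS::AccountId}:instance-profile/customer-web"}},
    },
}

if __name__ == "__main__":
    for label, tpl in (("bad", BAD_TEMPLATE), ("good", GOOD_TEMPLATE)):
        print(label, validate_template(tpl) or "OK")
```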

## Resource validation
<a name="cfn-validator-examples-resources"></a>

Only allowlisted resources can be specified in the template; those resources are described in [Supported Resources](cfn-ingest-supp-services.md).

EC2 stacks and Auto Scaling groups (ASGs) are not allowed in the same stack due to patching limitations.

## Security group ingress rule validation
<a name="cfn-validator-examples-sg-ingress"></a>
+ For requests that come from the CFN Ingest Create or Stack Update CT change types:
  + If (`IpProtocol` is tcp or 6) AND (Port is 80 or 443), there are no restrictions around the `CidrIp` value
  + Otherwise, the `CidrIp` cannot be 0.0.0.0/0
+ For requests that come from Service Catalog (Service Catalog products):
  + In addition to the CFN Ingest Create or Stack Update CT change type validation, the port in `management_ports` with the protocol in `ip_protocols` can only be accessed via `allowed_cidrs`:

    ```
    {
          "ip_protocols": ["tcp", "6", "udp", "17"],
          "management_ports": [22, 23, 389, 636, 1494, 1604, 2222, 3389, 5900, 5901, 5985, 5986],
          "allowed_cidrs": ["10.0.0.0/8", "100.64.0.0/10", "172.16.0.0/12", "192.168.0.0/16"]
      }
    ```
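The two ingress rule sets above, run over the `SecurityGroupIngress` entries of a security group resource, as an added example rather than AMS code: the port and CIDR tables are the page's, while `validate_ingress_rule`, `validate_security_group` and the sample resource are constructed here, and treating `IpProtocol` -1 (all protocols) as covering TCP and UDP for the management-port check is my assumption.

```python
import ipaddress

# CT (CFN Ingest Create / Stack Update) rule: 0.0.0.0/0 is only acceptable for tcp/80 or tcp/443.
WEB_PORTS = {80, 443}
TCP = {"tcp", "6"}
# Extra rule for Service Catalog requests, as listed on the page.
SERVICE_CATALOG = {
    "ip_protocols": ["tcp", "6", "udp", "17"],
    "management_ports": [22, 23, 389, 636, 1494, 1604, 2222, 3389, 5900, 5901, 5985, 5986],
    "allowed_cidrs": ["10.0.0.0/8", "100.64.0.0/10", "172.16.0.0/12", "192.168.0.0/16"],
}
ALLOWED_NETS = [ipaddress.ip_network(c) for c in SERVICE_CATALOG["allowed_cidrs"]]


def _ports(rule: dict) -> range:
    """Port range a rule covers; FromPort -1 (or no ports at all) means every port."""
    lo = int(rule.get("FromPort", -1))
    hi = int(rule.get("ToPort", lo))
    return range(0, 65536) if lo < 0 else range(lo, hi + 1)


def validate_ingress_rule(rule: dict, source: str = "ct") -> list[str]:
    """Check one SecurityGroupIngress entry; source is "ct" or "servicecatalog"."""
    findings = []
    cidr = rule.get("CidrIp")
    if cidr is None:  # source is another security group; the page's rules concern CidrIp only
        return findings
    proto = str(rule.get("IpProtocol", "")).lower()
    ports = _ports(rule)
    all_protocols = proto == "-1"  # assumption: -1 covers tcp and udp for the checks below
    # A range such as 80-443 is not "80 or 443": every port in the range must be a web port.
    web_only = proto in TCP and all(p in WEB_PORTS for p in ports)
    if cidr == "0.0.0.0/0" and not web_only:
        findings.append(f"0.0.0.0/0 allowed only for tcp/80 or tcp/443, got {proto} {ports.start}-{ports.stop - 1}")
    if source == "servicecatalog" and (all_protocols or proto in SERVICE_CATALOG["ip_protocols"]):
        exposed = [p for p in SERVICE_CATALOG["management_ports"] if p in ports]
        if exposed:
            net = ipaddress.ip_network(cidr, strict=False)
            private = net.version == 4 and any(net.subnet_of(a) for a in ALLOWED_NETS)
            if not private:
                findings.append(f"management ports {exposed} must come from allowed_cidrs, got {cidr}")
    return findings


def validate_security_group(resource: dict, source: str = "ct") -> list[str]:
    """Run the rule check over every SecurityGroupIngress entry of an AWS::EC2::SecurityGroup."""
    findings = []
    for i, rule in enumerate(resource.get("Properties", {}).get("SecurityGroupIngress", [])):
        findings += [f"ingress[{i}]: {f}" for f in validate_ingress_rule(rule, source)]
    return findings


# Constructed sample: a public web tier that also opens RDP to the internet and SSH to a public range.
SAMPLE_SG = {
    "Type": "AWS::EC2::SecurityGroup",
    "Properties": {
        "GroupDescription": "web tier",
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
            {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "CidrIp": "0.0.0.0/0"},
            {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "CidrIp": "10.20.0.0/16"},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "203.0.113.0/24"},
        ],
    },
}

if __name__ == "__main__":
    for source in ("ct", "servicecatalog"):
        print(source, validate_security_group(SAMPLE_SG, source) or "OK")
```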

# Limitations
<a name="cfn-limitations"></a>

The following features and functionality currently aren't supported by the AMS CloudFormation ingest process.

+ **YAML** – Not supported. Only JSON-based CloudFormation templates are supported.
+ **Nested stacks** – Instead, architect your application infrastructure to use a single template. Or, alternatively you can make use of cross-stack referencing to separate resources across multiple stacks where one resource has a dependency on another. For more information, see [ Walkthrough: Refer to Resource Outputs in Another AWS CloudFormation Stack](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/walkthrough-crossstackref.html).
+ **CloudFormation stack sets** – Not supported, due to security implications.
+ **IAM resource creation using CloudFormation templates** – Only IAM roles are supported, due to security implications.
+ **Sensitive data** – Not supported. Do not include sensitive data in the template or in the parameter values. If you need to reference sensitive data, use Secrets Manager to store and retrieve these values. For information about using AWS Secrets Manager secrets in a resource property, see [ How to create and retrieve secrets managed in AWS Secrets Manager using AWS CloudFormation templates](https://aws.amazon.com/blogs/security/how-to-create-and-retrieve-secrets-managed-in-aws-secrets-manager-using-aws-cloudformation-template/) and [Using Dynamic References to Specify Template Values](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html).

# Supported Resources
<a name="cfn-ingest-supp-services"></a>

The following AWS resources are supported in the AMS CloudFormation ingest process.

## CloudFormation Ingest Stack: Supported resources
<a name="ex-cfn-ingest-supp-resources"></a>

The instance operating system must be supported by AMS workload ingestion. Only those AWS resources listed here are supported.
+  [Amazon API Gateway](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_ApiGateway.html)
  + AWS::ApiGateway::Account
  + AWS::ApiGateway::ApiKey
  + AWS::ApiGateway::Authorizer
  + AWS::ApiGateway::BasePathMapping
  + AWS::ApiGateway::ClientCertificate
  + AWS::ApiGateway::Deployment
  + AWS::ApiGateway::DocumentationPart
  + AWS::ApiGateway::DocumentationVersion
  + AWS::ApiGateway::DomainName
  + AWS::ApiGateway::GatewayResponse
  + AWS::ApiGateway::Method
  + AWS::ApiGateway::Model
  + AWS::ApiGateway::RequestValidator
  + AWS::ApiGateway::Resource
  + AWS::ApiGateway::RestApi
  + AWS::ApiGateway::Stage
  + AWS::ApiGateway::UsagePlan
  + AWS::ApiGateway::UsagePlanKey
  + AWS::ApiGateway::VpcLink
+  [Amazon API Gateway V2](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_ApiGatewayV2.html)
  + AWS::ApiGatewayV2::Api
  + AWS::ApiGatewayV2::ApiGatewayManagedOverrides
  + AWS::ApiGatewayV2::ApiMapping
  + AWS::ApiGatewayV2::Authorizer
  + AWS::ApiGatewayV2::Deployment
  + AWS::ApiGatewayV2::DomainName
  + AWS::ApiGatewayV2::Integration
  + AWS::ApiGatewayV2::IntegrationResponse
  + AWS::ApiGatewayV2::Model
  + AWS::ApiGatewayV2::Route
  + AWS::ApiGatewayV2::RouteResponse
  + AWS::ApiGatewayV2::Stage
  + AWS::ApiGatewayV2::VpcLink
+  [AWS AppSync](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_AppSync.html)
  + AWS::AppSync::ApiCache
  + AWS::AppSync::ApiKey
  + AWS::AppSync::DataSource
  + AWS::AppSync::FunctionConfiguration
  + AWS::AppSync::GraphQLApi
  + AWS::AppSync::GraphQLSchema
  + AWS::AppSync::Resolver
+  [Amazon Athena](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_Athena.html)
  + AWS::Athena::NamedQuery
  + AWS::Athena::WorkGroup
+  [AWS Backup](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_Backup.html)
  + AWS::Backup::BackupVault
+ [Amazon CloudFront](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-reference-cloudfront.html)
  + AWS::CloudFront::Distribution
  + AWS::CloudFront::CloudFrontOriginAccessIdentity
  + AWS::CloudFront::StreamingDistribution
+ [Amazon CloudWatch](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-reference-cloudwatch.html)
  + AWS::CloudWatch::Alarm
  + AWS::CloudWatch::AnomalyDetector
  + AWS::CloudWatch::CompositeAlarm
  + AWS::CloudWatch::Dashboard
  + AWS::CloudWatch::InsightRule
+ [Amazon CloudWatch Logs](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_Logs.html)
  + AWS::Logs::LogGroup
  + AWS::Logs::LogStream
  + AWS::Logs::MetricFilter
  + AWS::Logs::SubscriptionFilter
+  [Amazon Cognito](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_Cognito.html)
  + AWS::Cognito::IdentityPool
  + AWS::Cognito::IdentityPoolRoleAttachment
  + AWS::Cognito::UserPool
  + AWS::Cognito::UserPoolClient
  + AWS::Cognito::UserPoolDomain
  + AWS::Cognito::UserPoolGroup
  + AWS::Cognito::UserPoolIdentityProvider
  + AWS::Cognito::UserPoolResourceServer
  + AWS::Cognito::UserPoolRiskConfigurationAttachment
  + AWS::Cognito::UserPoolUICustomizationAttachment
  + AWS::Cognito::UserPoolUser
  + AWS::Cognito::UserPoolUserToGroupAttachment
+  [Amazon DocumentDB](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_DocDB.html)
  + AWS::DocDB::DBCluster
  + AWS::DocDB::DBClusterParameterGroup
  + AWS::DocDB::DBInstance
  + AWS::DocDB::DBSubnetGroup
+  [Amazon DynamoDB](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_DynamoDB.html)
  + AWS::DynamoDB::Table
+ [Amazon EC2](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_EC2.html)
  + AWS::EC2::Volume
  + AWS::EC2::VolumeAttachment
  + AWS::EC2::Instance
  + AWS::EC2::EIP
  + AWS::EC2::EIPAssociation
  + AWS::EC2::NetworkInterface
  + AWS::EC2::NetworkInterfaceAttachment
  + AWS::EC2::SecurityGroup
  + AWS::EC2::SecurityGroupIngress
  + AWS::EC2::SecurityGroupEgress
  + AWS::EC2::LaunchTemplate
+  [AWS Batch](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_Batch.html)
  + AWS::Batch::ComputeEnvironment
  + AWS::Batch::JobDefinition
  + AWS::Batch::JobQueue
+ [Amazon Elastic Container Registry (ECR)](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_ECR.html)
  + AWS::ECR::Repository
+ [Amazon Elastic Container Service (ECS) (Fargate)](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_EFS.html)
  + AWS::ECS::CapacityProvider
  + AWS::ECS::Cluster
  + AWS::ECS::PrimaryTaskSet
  + AWS::ECS::Service
  + AWS::ECS::TaskDefinition
  + AWS::ECS::TaskSet
+ [Amazon Elastic File System (EFS)](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_EFS.html)
  + AWS::EFS::FileSystem
  + AWS::EFS::MountTarget
+ [Amazon ElastiCache](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_ElastiCache.html)
  + AWS::ElastiCache::CacheCluster
  + AWS::ElastiCache::ParameterGroup
  + AWS::ElastiCache::ReplicationGroup
  + AWS::ElastiCache::SecurityGroup
  + AWS::ElastiCache::SecurityGroupIngress
  + AWS::ElastiCache::SubnetGroup
+ [Amazon EventBridge](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_Events.html)
  + AWS::Events::EventBus
  + AWS::Events::EventBusPolicy
  + AWS::Events::Rule
+ [Amazon FSx](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_FSx.html)
  + AWS::FSx::FileSystem
+ [Amazon Inspector](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_Inspector.html)
  + AWS::Inspector::AssessmentTarget
  + AWS::Inspector::AssessmentTemplate
  + AWS::Inspector::ResourceGroup
+ [Amazon Kinesis Data Analytics](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_KinesisAnalytics.html)
  + AWS::KinesisAnalytics::Application
  + AWS::KinesisAnalytics::ApplicationOutput
  + AWS::KinesisAnalytics::ApplicationReferenceDataSource
+  [Amazon Kinesis Data Firehose](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_KinesisFirehose.html)
  + AWS::KinesisFirehose::DeliveryStream
+ [Amazon Kinesis Data Streams](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_Kinesis.html)
  + AWS::Kinesis::Stream
  + AWS::Kinesis::StreamConsumer
+ [Amazon MQ](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_AmazonMQ.html)
  + AWS::AmazonMQ::Broker
  + AWS::AmazonMQ::Configuration
  + AWS::AmazonMQ::ConfigurationAssociation
+ [Amazon OpenSearch](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_OpenSearchService.html)
  + AWS::OpenSearchService::Domain
+ [Amazon Relational Database Service (RDS)](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_RDS.html)
  + AWS::RDS::DBCluster
  + AWS::RDS::DBClusterParameterGroup
  + AWS::RDS::DBInstance
  + AWS::RDS::DBParameterGroup
  + AWS::RDS::DBSubnetGroup
  + AWS::RDS::EventSubscription
  + AWS::RDS::OptionGroup
+ [Amazon Route 53](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_Route53.html)
  + AWS::Route53::HealthCheck
  + AWS::Route53::HostedZone
  + AWS::Route53::RecordSet
  + AWS::Route53::RecordSetGroup
  + AWS::Route53Resolver::ResolverRule
  + AWS::Route53Resolver::ResolverRuleAssociation
+ [Amazon S3](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_S3.html)
  + AWS::S3::Bucket
+ [Amazon Sagemaker](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_SageMaker.html)
  + AWS::SageMaker::CodeRepository
  + AWS::SageMaker::Endpoint
  + AWS::SageMaker::EndpointConfig
  + AWS::SageMaker::Model
  + AWS::SageMaker::NotebookInstance
  + AWS::SageMaker::NotebookInstanceLifecycleConfig
  + AWS::SageMaker::Workteam
+  [Amazon Simple Email Service (SES)](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_SES.html)
  + AWS::SES::ConfigurationSet
  + AWS::SES::ConfigurationSetEventDestination
  + AWS::SES::ReceiptFilter
  + AWS::SES::ReceiptRule
  + AWS::SES::ReceiptRuleSet
  + AWS::SES::Template
+  [Amazon SimpleDB](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_SDB.html)
  + AWS::SDB::Domain
+ [Amazon SNS](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_SNS.html)
  + AWS::SNS::Subscription
  + AWS::SNS::Topic
+ [Amazon SQS](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_SQS.html)
  + AWS::SQS::Queue
+  [Amazon WorkSpaces](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_WorkSpaces.html)
  + AWS::WorkSpaces::Workspace
+ [Application AutoScaling](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_ApplicationAutoScaling.html)
  + AWS::ApplicationAutoScaling::ScalableTarget
  + AWS::ApplicationAutoScaling::ScalingPolicy
+ [Amazon EC2 AutoScaling](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_AutoScaling.html)
  + AWS::AutoScaling::AutoScalingGroup
  + AWS::AutoScaling::LaunchConfiguration
  + AWS::AutoScaling::LifecycleHook
  + AWS::AutoScaling::ScalingPolicy
  + AWS::AutoScaling::ScheduledAction
+ [AWS Certificate Manager](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-certificatemanager-certificate.html)
  + AWS::CertificateManager::Certificate
+ [AWS CloudFormation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_CloudFormation.html)
  + AWS::CloudFormation::CustomResource
  + AWS::CloudFormation::Designer
  + AWS::CloudFormation::WaitCondition
  + AWS::CloudFormation::WaitConditionHandle
+ [AWS CodeBuild](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_CodeBuild.html)
  + AWS::CodeBuild::Project
  + AWS::CodeBuild::ReportGroup
  + AWS::CodeBuild::SourceCredential
+  [AWS CodeCommit](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_CodeCommit.html)
  + AWS::CodeCommit::Repository
+ [AWS CodeDeploy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_CodeDeploy.html)
  + AWS::CodeDeploy::Application
  + AWS::CodeDeploy::DeploymentConfig
  + AWS::CodeDeploy::DeploymentGroup
+ [AWS CodePipeline](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_CodePipeline.html)
  + AWS::CodePipeline::CustomActionType
  + AWS::CodePipeline::Pipeline
  + AWS::CodePipeline::Webhook
+  [AWS Database Migration Service (DMS)](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_DMS.html)
  + AWS::DMS::Certificate
  + AWS::DMS::Endpoint
  + AWS::DMS::EventSubscription
  + AWS::DMS::ReplicationInstance
  + AWS::DMS::ReplicationSubnetGroup
  + AWS::DMS::ReplicationTask

  The MongoDbSettings property in AWS::DMS::Endpoint resource is not allowed.

  The following properties are only allowed if they are resolved by AWS Secrets Manager: CertificatePem and CertificateWallet properties in the AWS::DMS::Certificate resource, and the Password property in the AWS::DMS::Endpoint resource.
+ [AWS Elastic Load Balancing - Application Load Balancer / Network Load Balancer](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_ElasticLoadBalancingV2.html)
  + AWS::ElasticLoadBalancingV2::Listener
  + AWS::ElasticLoadBalancingV2::ListenerCertificate
  + AWS::ElasticLoadBalancingV2::ListenerRule
  + AWS::ElasticLoadBalancingV2::LoadBalancer
  + AWS::ElasticLoadBalancingV2::TargetGroup
+ [AWS Elastic Load Balancing - Classic Load Balancer](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_ElasticLoadBalancing.html)
  + AWS::ElasticLoadBalancing::LoadBalancer
+  [AWS Elemental MediaConvert](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_MediaConvert.html)
  + AWS::MediaConvert::JobTemplate
  + AWS::MediaConvert::Preset
  + AWS::MediaConvert::Queue
+  [AWS Elemental MediaStore](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_MediaStore.html)
  + AWS::MediaStore::Container
+  [AWS Identity and Access Management (IAM)](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html)
  + AWS::IAM::Role
+  [AWS Managed Streaming for Apache Kafka (MSK)](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_MSK.html)
  + AWS::MSK::Cluster
+  [AWS Glue](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_Glue.html)
  + AWS::Glue::Classifier
  + AWS::Glue::Connection
  + AWS::Glue::Crawler
  + AWS::Glue::Database
  + AWS::Glue::DataCatalogEncryptionSettings
  + AWS::Glue::DevEndpoint
  + AWS::Glue::Job
  + AWS::Glue::MLTransform
  + AWS::Glue::Partition
  + AWS::Glue::SecurityConfiguration
  + AWS::Glue::Table
  + AWS::Glue::Trigger
  + AWS::Glue::Workflow
+ [AWS Key Management Service (KMS)](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_KMS.html)
  + AWS::KMS::Key
  + AWS::KMS::Alias
+  [AWS Lake Formation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_LakeFormation.html)
  + AWS::LakeFormation::DataLakeSettings
  + AWS::LakeFormation::Permissions
  + AWS::LakeFormation::Resource
+  [AWS Lambda](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_Lambda.html)
  + AWS::Lambda::Alias
  + AWS::Lambda::EventInvokeConfig
  + AWS::Lambda::EventSourceMapping
  + AWS::Lambda::Function
  + AWS::Lambda::LayerVersion
  + AWS::Lambda::LayerVersionPermission
  + AWS::Lambda::Permission
  + AWS::Lambda::Version
+  [Amazon Redshift](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_Redshift.html)
  + AWS::Redshift::Cluster
  + AWS::Redshift::ClusterParameterGroup
  + AWS::Redshift::ClusterSubnetGroup
+  [AWS Secrets Manager](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_SecretsManager.html)
  + AWS::SecretsManager::ResourcePolicy
  + AWS::SecretsManager::RotationSchedule
  + AWS::SecretsManager::Secret
  + AWS::SecretsManager::SecretTargetAttachment
+  [AWS Security Hub](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_SecurityHub.html)
  + AWS::SecurityHub::Hub
+  [AWS Step Functions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_StepFunctions.html)
  + AWS::StepFunctions::Activity
  + AWS::StepFunctions::StateMachine
+  [AWS Systems Manager (SSM)](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_SSM.html)
  + AWS::SSM::Parameter
+  [Amazon CloudWatch Synthetics](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_Synthetics.html)
  + AWS::Synthetics::Canary
+  [AWS Transfer Family](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_Transfer.html)
  + AWS::Transfer::Server
  + AWS::Transfer::User
+ [AWS WAF](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_WAF.html)
  + AWS::WAF::ByteMatchSet
  + AWS::WAF::IPSet
  + AWS::WAF::Rule
  + AWS::WAF::SizeConstraintSet
  + AWS::WAF::SqlInjectionMatchSet
  + AWS::WAF::WebACL
  + AWS::WAF::XssMatchSet
+ [AWS WAF Regional](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_WAFRegional.html)
  + AWS::WAFRegional::ByteMatchSet
  + AWS::WAFRegional::GeoMatchSet
  + AWS::WAFRegional::IPSet
  + AWS::WAFRegional::RateBasedRule
  + AWS::WAFRegional::RegexPatternSet
  + AWS::WAFRegional::Rule
  + AWS::WAFRegional::SizeConstraintSet
  + AWS::WAFRegional::SqlInjectionMatchSet
  + AWS::WAFRegional::WebACL
  + AWS::WAFRegional::WebACLAssociation
  + AWS::WAFRegional::XssMatchSet
+ [AWS WAFv2](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_WAFv2.html)
  + AWS::WAFv2::IPSet
  + AWS::WAFv2::RegexPatternSet
  + AWS::WAFv2::RuleGroup
  + AWS::WAFv2::WebACL
  + AWS::WAFv2::WebACLAssociation

# CloudFormation Ingest: Examples
<a name="cfn-ingest-examples"></a>

Find here some detailed examples of how to use the **Create stack with CloudFormation template** change type.

To download a set of sample CloudFormation templates per AWS Region, see [Sample Templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-sample-templates.html).

For reference information on CloudFormation resources, see [AWS Resource and Property Types Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html). However, AMS supports a smaller set of resources, which are described in [AMS CloudFormation ingest](ams-cfn-ingest.md).

**Note**  
AMS advises you to gather all IAM or other policy-related resources and submit them in a single Management | Other | Other | Create change type (ct-1e1xtak34nx76). For example, combine all needed IAM roles, IAM instance profiles, IAM policy updates for existing IAM roles, S3 bucket policies, SNS/SQS policies, and so forth, and then submit a ct-1e1xtak34nx76 RFC so that these pre-existing resources can be referenced inside the future CFN Ingest templates.

**Topics**
+ [CloudFormation Ingest examples: Defining resources](cfn-ingest-ex-define-resource.md)
+ [CloudFormation Ingest examples: 3-tier Web application](cfn-ingest-ex-3-tier.md)

# CloudFormation Ingest examples: Defining resources
<a name="cfn-ingest-ex-define-resource"></a>

When using AMS CloudFormation ingest, you customize a CloudFormation template and submit it to AMS in an RFC with the CloudFormation ingest change type (ct-36cn2avfrrj9v). To create a CloudFormation template that can be reused multiple times, add the stack configuration parameters to the CloudFormation ingest change type execution input rather than hard coding them in the CloudFormation template; the same template then serves every stack you create from it.

The AMS CloudFormation ingest change type input schema enables you to choose up to sixty parameters in a CloudFormation template and provide custom values.

This example shows how to define a resource property, which can be used in a variety of CloudFormation templates, as a parameter in the AMS CloudFormation ingest CT. The examples in this section specifically show SNS topic usage.

**Topics**
+ [Example 1: Hard code the CloudFormation SNSTopic resource `TopicName` property](#cfn-ingest-example-1)
+ [Example 2: Use an SNSTopic resource to reference a parameter in the AMS change type](#cfn-ingest-example-2)
+ [Example 3: Create an SNS topic by submitting a JSON execution parameters file with the AMS ingest change type](#cfn-ingest-example-3)
+ [Example 4: Submit a new change type that references the same CloudFormation template](#cfn-ingest-example-4)
+ [Example 5: Use the default parameter values in the CloudFormation template](#cfn-ingest-example-5)

## Example 1: Hard code the CloudFormation SNSTopic resource `TopicName` property
<a name="cfn-ingest-example-1"></a>

In this example, you hard code the CloudFormation SNSTopic resource `TopicName` property in the CloudFormation template. Note that the `Parameters` section is empty. 

To change the SNS topic name for a new stack without creating a new CloudFormation template, define the name as a template parameter and set its value in the `Parameters` section of the CloudFormation ingest change type instead. You can then reuse the same CloudFormation template later to create a new stack with a different `SNSTopic` name.

```
{
  "AWSTemplateFormatVersion" : "2010-09-09",
  "Description" : "My SNS Topic",
  "Parameters" : {
  },
  "Resources" : {
    "SNSTopic" : {
      "Type" : "AWS::SNS::Topic",
      "Properties" : {
        "TopicName" : "MyTopicName"
      }
    }
  }
}
```



## Example 2: Use an SNSTopic resource to reference a parameter in the AMS change type
<a name="cfn-ingest-example-2"></a>

In this example, you use an `SNSTopic` resource `TopicName` property defined in the CloudFormation template to reference a `Parameter` in the AMS change type.

```
{
  "AWSTemplateFormatVersion" : "2010-09-09",
  "Description" : "My SNS Topic",
  "Parameters" : {
    "TopicName" : {
      "Type" : "String",
      "Description" : "Topic ID",
      "Default" : "MyTopicName"
    }
  },
  "Resources" : {
    "SNSTopic" : {
      "Type" : "AWS::SNS::Topic",
      "Properties" : {
        "TopicName" : { "Ref" : "TopicName"}
      }
    }
  }
}
```

## Example 3: Create an SNS topic by submitting a JSON execution parameters file with the AMS ingest change type
<a name="cfn-ingest-example-3"></a>

In this example, you submit a JSON execution parameters file with the AMS ingest CT that creates the SNS topic `TopicName`. The SNS topic must be defined in the CloudFormation template in the modifiable way shown in this example. 

```
{
  "Name": "cfn-ingest",
  "Description": "CFNIngest Web Application Stack",
  "CloudFormationTemplateS3Endpoint": "$S3_PRESIGNED_URL",
  "VpcId": "VPC_ID",
  "Tags": [
    {"Key": "Environment Type", "Value": "Dev"}
  ],
  "Parameters": [
    {"Name": "TopicName", "Value": "MyTopic1"}
  ],
  "TimeoutInMinutes": 60
}
```

## Example 4: Submit a new change type that references the same CloudFormation template
<a name="cfn-ingest-example-4"></a>

This JSON example changes the SNS `TopicName` value without making a change to the CloudFormation template. Instead, you submit a new Deployment | Ingestion | Stack from CloudFormation Template | Create change type that references the same CFN template.

```
{
  "Name": "cfn-ingest",
  "Description": "CFNIngest Web Application Stack",
  "CloudFormationTemplateS3Endpoint": "$S3_PRESIGNED_URL",
  "VpcId": "VPC_ID",
  "Tags": [
    {"Key": "Environment Type", "Value": "Dev"}
  ],
  "Parameters": [
    {"Name": "TopicName", "Value": "MyTopic2"}
  ],
  "TimeoutInMinutes": 60
}
```

## Example 5: Use the default parameter values in the CloudFormation template
<a name="cfn-ingest-example-5"></a>

In this example, the SNS `TopicName` = 'MyTopicName' is created because no `TopicName` value was provided in the `Parameters` execution parameter. If you don't provide `Parameters` definitions, the default parameter values in the CloudFormation template are used.

```
{
  "Name": "cfn-ingest",
  "Description": "CFNIngest Web Application Stack",
  "CloudFormationTemplateS3Endpoint": "$S3_PRESIGNED_URL",
  "VpcId": "VPC_ID",
  "Tags": [
    {"Key": "Environment Type", "Value": "Dev"}
  ],
  "TimeoutInMinutes": 60
}
```
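The parameter-resolution rule that Examples 2 through 5 rely on (an explicit RFC `Parameters` value wins, otherwise the template `Default` is used, and a parameter with neither is rejected), written out as an added example. This is not AMS code; it assumes the version 2.0 execution-parameter names shown on this page (`CloudFormationTemplateS3Endpoint`, `CloudFormationTemplate`, `VpcId`, `Tags`, `Parameters`, `TimeoutInMinutes`) and uses a constructed sample template in which one parameter deliberately has no `Default`:

```python
"""Resolve effective CloudFormation parameter values for an AMS
CloudFormation ingest RFC and build the CT execution-parameters document.

Added example, not AMS code. Assumes the ct-36cn2avfrrj9v v2.0 parameter
names shown on this page.
"""
import json

# Constructed sample template: Example 2 above plus a second parameter
# (DisplayName) that has no Default, so it must be supplied in the RFC.
SAMPLE_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "My SNS Topic",
    "Parameters": {
        "TopicName": {"Type": "String", "Description": "Topic ID",
                      "Default": "MyTopicName"},
        "DisplayName": {"Type": "String", "Description": "Display name"},
    },
    "Resources": {
        "SNSTopic": {
            "Type": "AWS::SNS::Topic",
            "Properties": {
                "TopicName": {"Ref": "TopicName"},
                "DisplayName": {"Ref": "DisplayName"},
            },
        }
    },
}


def resolve_parameters(template, overrides):
    """Return (effective, missing, unknown).

    effective: name -> value CloudFormation will use; an RFC override wins
               over the template Default (Examples 3 and 4), otherwise the
               Default applies (Example 5).
    missing:   parameters with neither a Default nor an override; AMS
               rejects the RFC for these.
    unknown:   override names the template does not declare (a typo in the
               RFC would otherwise silently leave the Default in place).
    """
    declared = template.get("Parameters") or {}
    effective, missing = {}, []
    for name, spec in declared.items():
        if name in overrides:
            effective[name] = overrides[name]
        elif "Default" in spec:
            effective[name] = spec["Default"]
        else:
            missing.append(name)
    unknown = sorted(set(overrides) - set(declared))
    return effective, missing, unknown


def build_execution_parameters(name, template, overrides, vpc_id,
                               s3_endpoint=None, tags=None, timeout=60):
    """Build the execution-parameters document for the ingest CT.

    With s3_endpoint the template is referenced through
    CloudFormationTemplateS3Endpoint; without it the template is passed
    inline through CloudFormationTemplate as one JSON-encoded string (the
    form the update example on this page uses).
    """
    effective, missing, unknown = resolve_parameters(template, overrides)
    if missing:
        raise ValueError(f"parameters without Default or override: {missing}")
    if unknown:
        raise ValueError(f"overrides not declared in template: {unknown}")
    doc = {
        "Name": name,
        "Description": template.get("Description", name),
        "VpcId": vpc_id,
        "Tags": [{"Key": k, "Value": v} for k, v in (tags or {}).items()],
        # Only explicit overrides are sent; anything left out falls back to
        # the template Default, exactly as in Example 5.
        "Parameters": [{"Name": k, "Value": v} for k, v in overrides.items()],
        "TimeoutInMinutes": timeout,
    }
    if s3_endpoint:
        doc["CloudFormationTemplateS3Endpoint"] = s3_endpoint
    else:
        doc["CloudFormationTemplate"] = json.dumps(template, separators=(",", ":"))
    return doc


if __name__ == "__main__":
    params = build_execution_parameters(
        "cfn-ingest", SAMPLE_TEMPLATE, {"DisplayName": "My topic"},
        vpc_id="VPC_ID", tags={"Environment Type": "Dev"})
    print(json.dumps(params, indent=2))
```

Running the module prints a document you can save as the execution-parameters file for `aws amscm create-rfc --execution-parameters file://...`; building the JSON this way also avoids the shell-escaping mistakes that creep into long inline `--execution-parameters` strings.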

# CloudFormation Ingest examples: 3-tier Web application
<a name="cfn-ingest-ex-3-tier"></a>

Ingest a CloudFormation template for a standard 3-Tier Web Application.

![\[AWS Cloud architecture diagram showing VPC with two availability zones, load balancer, and multi-AZ RDS setup.\]](http://docs.aws.amazon.com/managedservices/latest/appguide/images/cfn-ingest-ex-3-tier.png)


This includes an Application Load Balancer, Application Load Balancer target group, Auto Scaling group, Auto Scaling group launch template, an Amazon Relational Database Service (Amazon RDS) MySQL database, AWS Systems Manager Parameter Store, and AWS Secrets Manager. Allow 30-60 minutes to walk through this example.

## Prerequisites
<a name="cfn-ingest-ex-3-tier-prerequisites"></a>
+ Create a secret containing a username and password with corresponding values using the AWS Secrets Manager. You can refer to this [sample JSON template (zip file)](samples/3-tier-cfn-ingest-2025.zip) that contains the secret name `ams-shared/myapp/dev/dbsecrets`, and replace it with your secret name. For information about using AWS Secrets Manager with AMS, see [Using AWS Secrets Manager with AMS resources](secrets-manager.md).
+ Set up required parameters in the AWS SSM Parameter Store (PS). In this example, the `VPCId` and `Subnet-Id` of the Private and Public subnets are stored in the SSM PS in paths like `/app/DemoApp/PublicSubnet1a`, `PublicSubnet1c`, `PrivateSubnet1a`, `PrivateSubnet1c` and `VPCCidr`. Update the paths and parameter names and values for your needs.
+ Create an IAM role for Amazon EC2 (instance profile) with read permissions to the AWS Secrets Manager secret and SSM Parameter Store paths (the IAM role created and used in these examples is `customer-ec2_secrets_manager_instance_profile`). If you create your own IAM roles, such as the instance profile role, the role name must start with `customer-`. To create a new IAM role (you can name it `customer-ec2_secrets_manager_instance_profile`, or something else), use the AMS change type Management | Applications | IAM instance profile | Create (ct-0ixp4ch2tiu04), and attach the required policies. You can review the AMS IAM standard policies, `customer_secrets_manager_policy` and `customer_systemsmanager_parameterstore_policy`, in the AWS IAM console to use as-is or as a reference.

## Ingest a CloudFormation template for a standard 3-Tier Web application
<a name="cfn-ingest-ex-3-tier-procedure"></a>

1. Upload the sample CloudFormation JSON template (extracted from the attached [3-tier-cfn-ingest.zip](samples/3-tier-cfn-ingest-2025.zip)) to an S3 bucket and generate a presigned S3 URL to use in the CFN Ingest RFC. For more information, see [presign](https://docs.aws.amazon.com/cli/latest/reference/s3/presign.html). The CFN template can also be copied and pasted into the CFN Ingest RFC when you submit the RFC through the AMS console.

1. Create a CloudFormation Ingest RFC (Deployment | Ingestion | Stack from CloudFormation template | Create (ct-36cn2avfrrj9v)), either via the AMS console or the AMS CLI. The CloudFormation ingest automation process validates the CloudFormation template to ensure that the template has valid AMS-supported resources, and adheres to security standards.
   + Using the console - For the change type, select **Deployment** -> **Ingestion** -> **Stack from CloudFormation Template** -> **Create**, and then add the following parameters as an example (note that the default for **MultiAZDatabase** is false):

     ```
     CloudFormationTemplateS3Endpoint: "https://s3-ap-southeast-2.amazonaws.com/amzn-s3-demo-bucket/3-tier-cfn-ingest.json?AWSAccessKeyId=#{S3_ACCESS_KEY_ID}&Expires=#{EXPIRE_DATE}&Signature=#{SIGNATURE}"
     VpcId: "VPC_ID"
     TimeoutInMinutes: 120
     IAMEC2InstanceProfile: "customer-ec2_secrets_manager_instance_profile"
     MultiAZDatabase: "true"
     WebServerCapacity: "2"
     ```
   + Using the AWS CLI - For details about creating RFCs using the AWS CLI, see [Creating RFCs](https://docs.aws.amazon.com/managedservices/latest/userguide/create-rfcs.html). For example, run the following command (do not add `--no-verify-ssl`; it disables TLS certificate verification for the AMS endpoint):

     ```
     aws --profile=saml amscm create-rfc  --change-type-id ct-36cn2avfrrj9v --change-type-version "2.0" --title "TEST_CFN_INGEST" --execution-parameters "{\"CloudFormationTemplateS3Endpoint\":\"https://s3-ap-southeast-2.amazonaws.com/amzn-s3-demo-bucket/3-tier-cfn-ingest.json?AWSAccessKeyId=#{S3_ACCESS_KEY_ID}&Expires=#{EXPIRE_DATE}&Signature=#{SIGNATURE}\",\"TimeoutInMinutes\":120,\"Description\":\"TEST\",\"VpcId\":\"VPC_ID\",\"Name\":\"MY_TEST\",\"Tags\":[{\"Key\":\"env\",\"Value\":\"test\"}],\"Parameters\":[{\"Name\":\"IAMEC2InstanceProfile\",\"Value\":\"customer-ec2_secrets_manager_instance_profile\"},{\"Name\":\"MultiAZDatabase\",\"Value\":\"true\"},{\"Name\":\"VpcId\",\"Value\":\"VPC_ID\"},{\"Name\":\"WebServerCapacity\",\"Value\":\"2\"}]}" --endpoint-url https://amscm.us-east-1.amazonaws.com/operational/
     ```

   Find the Application Load Balancer URL in the CloudFormation RFC execution output to access the website. For information about accessing resources, see [Accessing instances](https://docs.aws.amazon.com/managedservices/latest/userguide/access-instance.html).

## Create CloudFormation ingest stack
<a name="ex-cfn-ingest-create-col"></a>

### Creating a CloudFormation ingest stack using the console
<a name="cfn-ingest-create-con"></a>

![\[Create Stack From CloudFormation Template interface showing description, ID, and version.\]](http://docs.aws.amazon.com/managedservices/latest/appguide/images/guiCfnIngestCT.png)


**To create a CloudFormation ingest stack using the console**

1. Navigate to the **Create RFC** page: In the left navigation pane of the AMS console click **RFCs** to open the RFCs list page, and then click **Create RFC**.

1. Choose a popular change type (CT) in the default **Browse change types** view, or select a CT in the **Choose by category** view.
   + **Browse by change type**: You can click on a popular CT in the **Quick create** area to immediately open the **Run RFC** page. Note that you cannot choose an older CT version with quick create.

     To sort CTs, use the **All change types** area in either the **Card** or **Table** view. In either view, select a CT and then click **Create RFC** to open the **Run RFC** page. If applicable, a **Create with older version** option appears next to the **Create RFC** button.
   + **Choose by category**: Select a category, subcategory, item, and operation and the CT details box opens with an option to **Create with older version** if applicable. Click **Create RFC** to open the **Run RFC** page.

1. On the **Run RFC** page, open the CT name area to see the CT details box. A **Subject** is required (this is filled in for you if you choose your CT in the **Browse change types** view). Open the **Additional configuration** area to add information about the RFC.

   In the **Execution configuration** area, use available drop-down lists or enter values for the required parameters. To configure optional execution parameters, open the **Additional configuration** area.

1. When finished, click **Run**. If there are no errors, the **RFC successfully created** page displays with the submitted RFC details, and the initial **Run output**. 

1. Open the **Run parameters** area to see the configurations you submitted. Refresh the page to update the RFC execution status. Optionally, cancel the RFC or create a copy of it with the options at the top of the page.

### Creating a CloudFormation ingest stack using the CLI
<a name="cfn-ingest-create-cli"></a>

**To create a CloudFormation ingest stack using the CLI**

1. Use either the Inline Create (you issue a `create-rfc` command with all RFC and execution parameters included), or Template Create (you create two JSON files, one for the RFC parameters and one for the execution parameters) and issue the `create-rfc` command with the two files as input. Both methods are described here.

1. Submit the RFC: `aws amscm submit-rfc --rfc-id ID` command with the returned RFC ID.

   Monitor the RFC: `aws amscm get-rfc --rfc-id ID` command.

To check the change type version, use this command:

```
aws amscm list-change-type-version-summaries --filter Attribute=ChangeTypeId,Value=CT_ID
```
**Note**  
You can use any `CreateRfc` parameters with any RFC whether or not they are part of the schema for the change type. For example, to get notifications when the RFC status changes, add this line, `--notification "{\"Email\": {\"EmailRecipients\" : [\"email@example.com\"]}}"` to the RFC parameters part of the request (not the execution parameters). For a list of all CreateRfc parameters, see the [AMS Change Management API Reference](https://docs.aws.amazon.com/managedservices/latest/ApiReference-cm/API_CreateRfc.html).

1. Prepare the CloudFormation template that you will use to create the stack, and upload it to your S3 bucket. For important details, see [AWS CloudFormation Ingest Guidelines, Best Practices, and Limitations](https://docs.aws.amazon.com/managedservices/latest/appguide/cfn-author-templates.html).

1. Create and submit the RFC to AMS:

   1. Create and save the execution parameters JSON file, including the CloudFormation template parameters that you want. The following example names it CreateCfnParams.json.

     Example Web application stack CreateCfnParams.json file:

     ```
     {
       "Name": "cfn-ingest",
       "Description": "CFNIngest Web Application Stack",
       "VpcId": "VPC_ID",
       "CloudFormationTemplateS3Endpoint": "$S3_URL",
       "TimeoutInMinutes": 120,
       "Tags": [
        {
         "Key":   "Environment Type",
         "Value": "Dev"
        },
        {
         "Key":   "Application",
         "Value": "PCS"
        }
       ],
       "Parameters": [
        {
         "Name": "Parameter-for-S3Bucket-Name",
         "Value":  "BUCKET-NAME"
        },
        {
         "Name": "Parameter-for-Image-Id",
         "Value":  "AMI-ID"
        }
       ]
     }
     ```

     Example SNS topic CreateCfnParams.json file:

     ```
     {
       "Name": "cfn-ingest",
       "Description": "CFNIngest Web Application Stack",
       "CloudFormationTemplateS3Endpoint": "$S3_URL",
       "Tags": [
         {"Key": "Environment Type", "Value": "Dev"}
       ],
       "Parameters": [
         {"Name": "TopicName", "Value": "MyTopic1"}
       ]
     }
     ```

1. Create and save the RFC parameters JSON file with the following content. The following example names it CreateCfnRfc.json file:

   ```
   {
      "ChangeTypeId": "ct-36cn2avfrrj9v",
      "ChangeTypeVersion": "2.0",
      "Title": "cfn-ingest"
   }
   ```

1. Create the RFC, specifying the CreateCfnRfc file and the CreateCfnParams file:

   ```
   aws amscm create-rfc --cli-input-json file://CreateCfnRfc.json  --execution-parameters file://CreateCfnParams.json
   ```

   You receive the ID of the new RFC in the response and can use it to submit and monitor the RFC. Until you submit it, the RFC remains in the editing state and does not start.

### Tips
<a name="ex-cfn-ingest-create-tip"></a>

**Note**  
This change type is at version 2.0 and is automated (not manually executed). This allows the CT execution to go more quickly, and a new parameter, **CloudFormationTemplate**, allows you to paste a custom CloudFormation template into the RFC. Additionally, in this version AMS does not attach the default AMS security groups if you specify your own security groups. If you do not specify your own security groups in the request, AMS attaches the AMS default security groups. In CFN Ingest v1.0, AMS always appended the AMS default security groups whether or not you provided your own.  
AMS has enabled 17 AMS Self-Provisioned services for use in this change type. For information about supported resources, see [ CloudFormation Ingest Stack: Supported Resources](https://docs.aws.amazon.com/managedservices/latest/appguide/cfn-ingest-supp-services.html).

**Note**  
Version 2.0 accepts an S3 endpoint that is not a presigned URL.  
If you use the previous version of this CT, the **CloudFormationTemplateS3Endpoint** parameter value must be a presigned URL.   
Example command for generating a presigned S3 bucket URL (Mac/Linux):  

```
export S3_PRESIGNED_URL=$(aws s3 presign --expires-in 86400 s3://BUCKET_NAME/CFN_TEMPLATE.json)
```
Example command for generating a presigned S3 bucket URL (Windows):  

```
for /f %i in ('aws s3 presign --expires-in 86400 s3://BUCKET_NAME/CFN_TEMPLATE.json') do set S3_PRESIGNED_URL=%i
```
See also [ Creating Pre-Signed URLs for Amazon S3 Buckets](https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/s3-example-presigned-urls.html).

**Note**  
If the S3 bucket exists in an AMS account, you must use your AMS credentials for this command. For example, you may need to append `--profile saml` after obtaining your AMS AWS Security Token Service (AWS STS) credentials.
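A presigned URL is a bearer credential: anyone who obtains it can download your template until it expires, and AMS rejects the RFC if the URL has already expired by the time the change runs. The check below is an added example (not AMS tooling) that reads the expiry out of a presigned URL before you paste it into an RFC. It handles both query-string formats the AWS CLI can produce: SigV2 (`Expires=` epoch seconds, as in the console example above) and SigV4 (`X-Amz-Date` plus `X-Amz-Expires`). The sample URLs in the usage are constructed, and the 24-hour maximum lifetime is an assumption taken from the `--expires-in 86400` used above:

```python
"""Check the remaining lifetime of an S3 presigned URL before using it in
an AMS CloudFormation ingest RFC. Added example, not AMS tooling."""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse


def epoch_utc(ts):
    """Epoch seconds -> timezone-aware UTC datetime."""
    return datetime.fromtimestamp(int(ts), tz=timezone.utc)


def presigned_expiry(url):
    """Return the URL's expiry as an aware UTC datetime, or None if the
    query string carries no recognisable presigned-URL parameters."""
    q = parse_qs(urlparse(url).query)
    if "Expires" in q:  # SigV2 style: absolute epoch seconds
        return epoch_utc(q["Expires"][0])
    if "X-Amz-Date" in q and "X-Amz-Expires" in q:  # SigV4 style
        signed_at = datetime.strptime(q["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ")
        signed_at = signed_at.replace(tzinfo=timezone.utc)
        return signed_at + timedelta(seconds=int(q["X-Amz-Expires"][0]))
    return None


def check_presigned_url(url, now=None, max_lifetime=86400):
    """Return (ok, reason).

    now is injectable for testing. max_lifetime is the longest remaining
    validity you are willing to hand out (assumption: 24h, matching the
    presign examples on this page); a longer window only widens the time
    in which a leaked URL is usable.
    """
    now = now or datetime.now(timezone.utc)
    if urlparse(url).scheme != "https":
        return False, "presigned URL must use https"
    expiry = presigned_expiry(url)
    if expiry is None:
        return False, "no Expires or X-Amz-Date/X-Amz-Expires parameters found"
    remaining = expiry - now
    if remaining <= timedelta(0):
        return False, f"URL expired at {expiry.isoformat()}"
    if remaining > timedelta(seconds=max_lifetime):
        return False, f"URL valid for {remaining}, longer than {max_lifetime}s"
    return True, f"URL valid until {expiry.isoformat()}"


if __name__ == "__main__":
    # Constructed SigV2-style URL (signature value is a placeholder).
    url = ("https://s3-ap-southeast-2.amazonaws.com/amzn-s3-demo-bucket/"
           "3-tier-cfn-ingest.json?AWSAccessKeyId=AKIAEXAMPLE"
           "&Expires=1700000000&Signature=abc")
    print(check_presigned_url(url))
```

Run it against the value of `$S3_PRESIGNED_URL` right before `create-rfc`; if the RFC will sit in the editing state for a while before you submit it, regenerate the URL rather than extending its lifetime.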

Related change types: [Approve a CloudFormation ingest stack changeset](#ex-cfn-ingest-approve-and-update-col), [Update CloudFormation ingest stack](#ex-cfn-ingest-update-col) 

To learn more about AWS CloudFormation, see [AWS CloudFormation](https://aws.amazon.com/cloudformation/). To see CloudFormation templates, open the AWS CloudFormation [Template Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-reference.html).

### Validating a CloudFormation ingest
<a name="cfn-ingest-validation"></a>

The template is validated to ensure that it can be created in an AMS account. If it passes validation, it's updated to include any resources or configurations required for it to conform with AMS. This includes adding resources such as Amazon CloudWatch alarms in order to allow AMS Operations to monitor the stack.

The RFC is rejected if any of the following are true:
+ RFC JSON Syntax is incorrect or does not follow the given format.
+ The provided S3 bucket presigned URL is not valid.
+ The template is not valid CloudFormation syntax.
+ The template does not have defaults set for all parameter values.
+ The template fails AMS validation. For AMS validation steps, see the information later in this topic.

The RFC fails if the CloudFormation stack fails to create due to a resource creation issue.

To learn more about CFN validation and validator, see [Template Validation](https://docs.aws.amazon.com/managedservices/latest/appguide/cfn-author-templates.html) and [CloudFormation ingest stack: CFN validator examples](https://docs.aws.amazon.com/managedservices/latest/appguide/ex-cfn-ingest-validator.html).
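A pre-flight check you can run locally before submitting the RFC, as an added example; it is not the AMS validator itself. It applies two of the rules stated on this page: every resource type must be on the AMS supported list, and the `CertificatePem`, `CertificateWallet` and `Password` properties of `AWS::DMS::Certificate` and `AWS::DMS::Endpoint` are only accepted when resolved by AWS Secrets Manager. The allowlist is a constructed subset of the supported-resources list above (extend it from the full list), the `{{resolve:secretsmanager:...}}` pattern is CloudFormation's dynamic-reference syntax for Secrets Manager, and the sample template, including the resource type chosen to be absent from the allowlist, is constructed:

```python
"""Local pre-flight checks for a CloudFormation template destined for an
AMS CloudFormation ingest RFC. Added example, not the AMS validator."""
import re

# Constructed subset of the AMS supported-resources list; the list on this
# page is the authoritative one.
AMS_SUPPORTED = {
    "AWS::SNS::Topic",
    "AWS::Lambda::Function", "AWS::Lambda::Permission",
    "AWS::IAM::Role",
    "AWS::KMS::Key", "AWS::KMS::Alias",
    "AWS::SecretsManager::Secret",
    "AWS::SSM::Parameter",
    "AWS::DMS::Certificate", "AWS::DMS::Endpoint",
    "AWS::ElasticLoadBalancingV2::LoadBalancer",
}

# Properties that are only allowed when resolved by AWS Secrets Manager.
SECRET_ONLY = {
    "AWS::DMS::Certificate": {"CertificatePem", "CertificateWallet"},
    "AWS::DMS::Endpoint": {"Password"},
}

# CloudFormation dynamic reference to Secrets Manager, e.g.
# {{resolve:secretsmanager:my-secret:SecretString:password}}
SECRETS_MANAGER_REF = re.compile(r"^\{\{resolve:secretsmanager:[^}]+\}\}$")


def is_secrets_manager_ref(value):
    """True only for a literal Secrets Manager dynamic reference. A Ref to
    a NoEcho parameter or a plain string still lands in the template and
    in stack events, so it does not count."""
    return isinstance(value, str) and bool(SECRETS_MANAGER_REF.match(value))


def validate_template(template):
    """Return a list of findings; an empty list means the template passes
    these checks (AMS still runs its own validation)."""
    findings = []
    for logical_id, res in (template.get("Resources") or {}).items():
        rtype = res.get("Type", "")
        if rtype not in AMS_SUPPORTED:
            findings.append(f"{logical_id}: resource type {rtype} is not AMS-supported")
        props = res.get("Properties") or {}
        for prop in SECRET_ONLY.get(rtype, ()):
            if prop in props and not is_secrets_manager_ref(props[prop]):
                findings.append(f"{logical_id}: {prop} must be resolved by AWS Secrets Manager")
    return findings


# Constructed sample: a compliant DMS endpoint, one that embeds a password,
# and a resource type deliberately left out of the allowlist above.
SAMPLE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Parameters": {"DbUser": {"Type": "String", "Default": "app"}},
    "Resources": {
        "GoodEndpoint": {
            "Type": "AWS::DMS::Endpoint",
            "Properties": {
                "EndpointType": "source", "EngineName": "mysql",
                "Username": {"Ref": "DbUser"},
                "Password": "{{resolve:secretsmanager:ams-shared/myapp/dev/dbsecrets:SecretString:password}}",
            },
        },
        "BadEndpoint": {
            "Type": "AWS::DMS::Endpoint",
            "Properties": {
                "EndpointType": "target", "EngineName": "mysql",
                "Username": "app", "Password": "hunter2",
            },
        },
        "UnmanagedVpc": {"Type": "AWS::EC2::VPC",
                         "Properties": {"CidrBlock": "10.0.0.0/16"}},
    },
}

if __name__ == "__main__":
    for finding in validate_template(SAMPLE):
        print("FAIL:", finding)
```

Run it over the JSON you are about to upload (`validate_template(json.load(open("template.json")))`); a clean result saves an RFC round-trip, and the secret check catches the one class of rejection that would also have left a credential in your S3 bucket and RFC history.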

## Update CloudFormation ingest stack
<a name="ex-cfn-ingest-update-col"></a>

### Updating a CloudFormation ingest stack using the console
<a name="cfn-ingest-update-con"></a>

![\[CloudFormation stack update interface showing description, ID, and version details.\]](http://docs.aws.amazon.com/managedservices/latest/appguide/images/guiCfnStackUpdateCT-v2.png)


**To update a CloudFormation Ingest Stack using the console**

1. Navigate to the **Create RFC** page: In the left navigation pane of the AMS console click **RFCs** to open the RFCs list page, and then click **Create RFC**.

1. Choose a popular change type (CT) in the default **Browse change types** view, or select a CT in the **Choose by category** view.
   + **Browse by change type**: You can click on a popular CT in the **Quick create** area to immediately open the **Run RFC** page. Note that you cannot choose an older CT version with quick create.

     To sort CTs, use the **All change types** area in either the **Card** or **Table** view. In either view, select a CT and then click **Create RFC** to open the **Run RFC** page. If applicable, a **Create with older version** option appears next to the **Create RFC** button.
   + **Choose by category**: Select a category, subcategory, item, and operation and the CT details box opens with an option to **Create with older version** if applicable. Click **Create RFC** to open the **Run RFC** page.

1. On the **Run RFC** page, open the CT name area to see the CT details box. A **Subject** is required (this is filled in for you if you choose your CT in the **Browse change types** view). Open the **Additional configuration** area to add information about the RFC.

   In the **Execution configuration** area, use available drop-down lists or enter values for the required parameters. To configure optional execution parameters, open the **Additional configuration** area.

1. When finished, click **Run**. If there are no errors, the **RFC successfully created** page displays with the submitted RFC details, and the initial **Run output**. 

1. Open the **Run parameters** area to see the configurations you submitted. Refresh the page to update the RFC execution status. Optionally, cancel the RFC or create a copy of it with the options at the top of the page.

### Updating a CloudFormation ingest stack using the CLI
<a name="cfn-ingest-update-cli"></a>

**To update a CloudFormation ingest stack using the CLI**

1. Use either the Inline Create (you issue a `create-rfc` command with all RFC and execution parameters included), or Template Create (you create two JSON files, one for the RFC parameters and one for the execution parameters) and issue the `create-rfc` command with the two files as input. Both methods are described here.

1. Submit the RFC: `aws amscm submit-rfc --rfc-id ID` command with the returned RFC ID.

   Monitor the RFC: `aws amscm get-rfc --rfc-id ID` command.

To check the change type version, use this command:

```
aws amscm list-change-type-version-summaries --filter Attribute=ChangeTypeId,Value=CT_ID
```
**Note**  
You can use any `CreateRfc` parameters with any RFC whether or not they are part of the schema for the change type. For example, to get notifications when the RFC status changes, add this line, `--notification "{\"Email\": {\"EmailRecipients\" : [\"email@example.com\"]}}"` to the RFC parameters part of the request (not the execution parameters). For a list of all CreateRfc parameters, see the [AMS Change Management API Reference](https://docs.aws.amazon.com/managedservices/latest/ApiReference-cm/API_CreateRfc.html).

1. Prepare the CloudFormation template that you want to use to update the stack, and upload it to your S3 bucket. For important details, see [AWS CloudFormation Ingest Guidelines, Best Practices, and Limitations](https://docs.aws.amazon.com/managedservices/latest/appguide/cfn-author-templates.html).

1. Create and submit the RFC to AMS:

   1. Create and save the execution parameters JSON file, including the CloudFormation template parameters that you want. This example names it UpdateCfnParams.json.

     Example UpdateCfnParams.json file with inline parameter updates:

     ```
     {
       "StackId": "stack-yjjoo9aicjyqw4ro2",
       "VpcId": "VPC_ID",
       "CloudFormationTemplate": "{\"AWSTemplateFormatVersion\":\"2010-09-09\",\"Description\":\"Create a SNS topic\",\"Parameters\":{\"TopicName\":{\"Type\":\"String\"},\"DisplayName\":{\"Type\":\"String\"}},\"Resources\":{\"SnsTopic\":{\"Type\":\"AWS::SNS::Topic\",\"Properties\":{\"TopicName\":{\"Ref\":\"TopicName\"},\"DisplayName\":{\"Ref\":\"DisplayName\"}}}}}",
       "TemplateParameters": [
         {
           "Key": "TopicName",
           "Value": "TopicNameCLI"
         },
         {
           "Key": "DisplayName",
           "Value": "DisplayNameCLI"
         }
       ],
       "TimeoutInMinutes": 1440
     }
     ```

     Example UpdateCfnParams.json file with S3 bucket endpoint containing an updated CloudFormation template:

     ```
     {
       "StackId": "stack-yjjoo9aicjyqw4ro2",
       "VpcId": "VPC_ID",
       "CloudFormationTemplateS3Endpoint": "s3_url",
       "TemplateParameters": [
         {
           "Key": "TopicName",
           "Value": "TopicNameCLI"
         },
         {
           "Key": "DisplayName",
           "Value": "DisplayNameCLI"
         }
       ],
       "TimeoutInMinutes": 1080
     }
     ```

1. Create and save the RFC parameters JSON file with the following content. This example names it UpdateCfnRfc.json file.

   ```
   {
      "ChangeTypeId": "ct-361tlo1k7339x",
      "ChangeTypeVersion": "2.0",
      "Title": "cfn-ingest-template-update"
   }
   ```

1. Create the RFC, specifying the UpdateCfnRfc file and the UpdateCfnParams file:

   ```
   aws amscm create-rfc --cli-input-json file://UpdateCfnRfc.json  --execution-parameters file://UpdateCfnParams.json
   ```

   You receive the ID of the new RFC in the response and can use it to submit and monitor the RFC. Until you submit it, the RFC remains in the editing state and does not start.

### Tips
<a name="ex-cfn-ingest-update-tip"></a>
+ This change type is now at version 2.0. Changes include removing the **AutoApproveUpdateForResources** parameter, which was used in version 1.0 of this CT, and adding two new parameters: **AutoApproveRiskyUpdates** and **BypassDriftCheck**.
+ If the S3 bucket exists in an AMS account, you must use your AMS credentials for this command. For example, you may need to append `--profile saml` after obtaining your AMS AWS Security Token Service (AWS STS) credentials.
+ All `Parameter` values for resources in the CloudFormation template must have a value, either through a default or a custom value through the parameters section of the CT. You can override the parameter value by structuring the CloudFormation template resources to reference a Parameters key. For examples that show how to do this, see [CloudFormation ingest stack: CFN validator examples](https://docs.aws.amazon.com/managedservices/latest/appguide/ex-cfn-ingest-validator.html).

  IMPORTANT: Any parameter that you do not supply explicitly in the update defaults to the value currently set on the existing stack or template, so review the current values before submitting a partial parameter list.
+ For a list of which self-provisioned services you can add using CloudFormation Ingest, see [CloudFormation Ingest Stack: Supported Resources](https://docs.aws.amazon.com/managedservices/latest/appguide/cfn-ingest-supp-services.html).

  To learn more about CloudFormation, see [AWS CloudFormation](https://aws.amazon.com/cloudformation/).

### Validating a CloudFormation ingest
<a name="cfn-ingest-validation"></a>

The template is validated to ensure that it can be created in an AMS account. If it passes validation, it's updated to include any resources or configurations required for it to conform with AMS. This includes adding resources such as Amazon CloudWatch alarms in order to allow AMS Operations to monitor the stack.

The RFC is rejected if any of the following are true:
+ The RFC JSON syntax is incorrect or does not follow the given format.
+ The provided S3 bucket presigned URL is not valid.
+ The template is not valid CloudFormation syntax.
+ The template does not have defaults set for all parameter values.
+ The template fails AMS validation. For AMS validation steps, see the information later in this topic.

The RFC fails if the CloudFormation stack fails to create due to a resource creation issue.

To learn more about CFN validation and validator, see [Template Validation](https://docs.aws.amazon.com/managedservices/latest/appguide/cfn-author-templates.html) and [CloudFormation ingest stack: CFN validator examples](https://docs.aws.amazon.com/managedservices/latest/appguide/ex-cfn-ingest-validator.html).

## Approve a CloudFormation ingest stack changeset
<a name="ex-cfn-ingest-approve-and-update-col"></a>

### Approving and updating a CloudFormation ingest stack using the console
<a name="cfn-ingest-approve-update-con"></a>

![\[Details of a CloudFormation ChangeSet for approving and updating a stack, including ID and execution mode.\]](http://docs.aws.amazon.com/managedservices/latest/appguide/images/guiCfnStackApproveAndUpdateCT.png)


**To approve and update a CloudFormation ingest stack using the console**

1. Navigate to the **Create RFC** page: In the left navigation pane of the AMS console click **RFCs** to open the RFCs list page, and then click **Create RFC**.

1. Choose a popular change type (CT) in the default **Browse change types** view, or select a CT in the **Choose by category** view.
   + **Browse by change type**: You can click on a popular CT in the **Quick create** area to immediately open the **Run RFC** page. Note that you cannot choose an older CT version with quick create.

     To sort CTs, use the **All change types** area in either the **Card** or **Table** view. In either view, select a CT and then click **Create RFC** to open the **Run RFC** page. If applicable, a **Create with older version** option appears next to the **Create RFC** button.
   + **Choose by category**: Select a category, subcategory, item, and operation and the CT details box opens with an option to **Create with older version** if applicable. Click **Create RFC** to open the **Run RFC** page.

1. On the **Run RFC** page, open the CT name area to see the CT details box. A **Subject** is required (this is filled in for you if you choose your CT in the **Browse change types** view). Open the **Additional configuration** area to add information about the RFC.

   In the **Execution configuration** area, use available drop-down lists or enter values for the required parameters. To configure optional execution parameters, open the **Additional configuration** area.

1. When finished, click **Run**. If there are no errors, the **RFC successfully created** page displays with the submitted RFC details, and the initial **Run output**. 

1. Open the **Run parameters** area to see the configurations you submitted. Refresh the page to update the RFC execution status. Optionally, cancel the RFC or create a copy of it with the options at the top of the page.

### Approving and updating a CloudFormation ingest stack using the CLI
<a name="cfn-ingest-approve-update-cli"></a>

**To approve and update a CloudFormation ingest stack using the CLI**

1. Use either Inline Create (you issue a single `create-rfc` command with all RFC and execution parameters included) or Template Create (you create two JSON files, one for the RFC parameters and one for the execution parameters, and issue the `create-rfc` command with the two files as input). Both methods are described here.

1. Submit the RFC: `aws amscm submit-rfc --rfc-id ID` command with the returned RFC ID.

   Monitor the RFC: `aws amscm get-rfc --rfc-id ID` command.

To check the change type version, use this command:

```
aws amscm list-change-type-version-summaries --filter Attribute=ChangeTypeId,Value=CT_ID
```
**Note**  
You can use any `CreateRfc` parameters with any RFC whether or not they are part of the schema for the change type. For example, to get notifications when the RFC status changes, add this line, `--notification "{\"Email\": {\"EmailRecipients\" : [\"email@example.com\"]}}"` to the RFC parameters part of the request (not the execution parameters). For a list of all CreateRfc parameters, see the [AMS Change Management API Reference](https://docs.aws.amazon.com/managedservices/latest/ApiReference-cm/API_CreateRfc.html).

1. Create the execution parameters JSON file for this change type (this example names it CreateAsgParams.json). Replace `STACK_ID` and `VPC_ID` with your values and set `ChangeSetName` to the name of the changeset you want to approve:

   ```
   {
     "StackId": "STACK_ID",
     "VpcId": "VPC_ID",
     "ChangeSetName": "UPDATE-ef81e2bc-03f6-4b17-a3c7-feb700e78faa",
     "TimeoutInMinutes": 1080
   }
   ```

1. Create the RFC, replacing `PATH_TO_EXECUTION_PARAMETERS` with the path to that file:

   ```
   aws amscm create-rfc --change-type-id "ct-1404e21baa2ox" --change-type-version "1.0" --title "Approve Update" --execution-parameters file://PATH_TO_EXECUTION_PARAMETERS --profile saml
   ```

### Tips
<a name="ex-cfn-ingest-approve-and-update-tip"></a>

**Note**  
If there are multiple resources in a stack, and you want to delete only a subset of the stack resources, use the CloudFormation Update CT; see [CloudFormation Ingest Stack: Updating](https://docs.aws.amazon.com/managedservices/latest/appguide/ex-cfn-ingest-update-col.html). You can also submit a Service request case and AMS engineers can help you craft the changeset, if needed.

To learn more about AWS CloudFormation, see [AWS CloudFormation](https://aws.amazon.com/cloudformation/).

## Update CloudFormation stacks termination protection
<a name="ex-cfn-term-pro-update-col"></a>

### Updating CloudFormation stack termination protection with the console
<a name="cfn-update-term-pro-con"></a>

The following shows this change type in the AMS console.

![\[Update Termination Protection interface showing description, ID, and version fields.\]](http://docs.aws.amazon.com/managedservices/latest/appguide/images/guiCfnProTermUpdateCT.png)


How it works:

1. Navigate to the **Create RFC** page: In the left navigation pane of the AMS console click **RFCs** to open the RFCs list page, and then click **Create RFC**.

1. Choose a popular change type (CT) in the default **Browse change types** view, or select a CT in the **Choose by category** view.
   + **Browse by change type**: You can click on a popular CT in the **Quick create** area to immediately open the **Run RFC** page. Note that you cannot choose an older CT version with quick create.

     To sort CTs, use the **All change types** area in either the **Card** or **Table** view. In either view, select a CT and then click **Create RFC** to open the **Run RFC** page. If applicable, a **Create with older version** option appears next to the **Create RFC** button.
   + **Choose by category**: Select a category, subcategory, item, and operation and the CT details box opens with an option to **Create with older version** if applicable. Click **Create RFC** to open the **Run RFC** page.

1. On the **Run RFC** page, open the CT name area to see the CT details box. A **Subject** is required (this is filled in for you if you choose your CT in the **Browse change types** view). Open the **Additional configuration** area to add information about the RFC.

   In the **Execution configuration** area, use available drop-down lists or enter values for the required parameters. To configure optional execution parameters, open the **Additional configuration** area.

1. When finished, click **Run**. If there are no errors, the **RFC successfully created** page displays with the submitted RFC details, and the initial **Run output**. 

1. Open the **Run parameters** area to see the configurations you submitted. Refresh the page to update the RFC execution status. Optionally, cancel the RFC or create a copy of it with the options at the top of the page.

### Updating CloudFormation stack termination protection with the CLI
<a name="cfn-update-term-pro-cli"></a>

How it works:

1. Use either Inline Create (you issue a single `create-rfc` command with all RFC and execution parameters included) or Template Create (you create two JSON files, one for the RFC parameters and one for the execution parameters, and issue the `create-rfc` command with the two files as input). Both methods are described here.

1. Submit the RFC: `aws amscm submit-rfc --rfc-id ID` command with the returned RFC ID.

   Monitor the RFC: `aws amscm get-rfc --rfc-id ID` command.

To check the change type version, use this command:

```
aws amscm list-change-type-version-summaries --filter Attribute=ChangeTypeId,Value=CT_ID
```
**Note**  
You can use any `CreateRfc` parameters with any RFC whether or not they are part of the schema for the change type. For example, to get notifications when the RFC status changes, add this line, `--notification "{\"Email\": {\"EmailRecipients\" : [\"email@example.com\"]}}"` to the RFC parameters part of the request (not the execution parameters). For a list of all CreateRfc parameters, see the [AMS Change Management API Reference](https://docs.aws.amazon.com/managedservices/latest/ApiReference-cm/API_CreateRfc.html).

Only specify the parameters you want to change. Absent parameters retain the existing values.

*INLINE CREATE*:

Issue the create RFC command with the execution parameters provided inline (escape the quotation marks when providing execution parameters inline), and then submit the returned RFC ID. For example:

```
aws amscm create-rfc \
--change-type-id "ct-2uzbqr7x7mekd" \
--change-type-version "1.0" \
--title "Enable termination protection on CFN stack" \
--execution-parameters "{\"DocumentName\":\"AWSManagedServices-ManageResourceTerminationProtection\",\"Region\":\"us-east-1\",\"Parameters\":{\"ResourceId\":[\"stack-psvnq6cupymio3enl\"],\"TerminationProtectionDesiredState\":[\"enabled\"]}}"
```

*TEMPLATE CREATE*:

1. Output the execution parameters for this change type to a JSON file; this example names it EnableTermProCFNParams.json:

   ```
   aws amscm get-change-type-version --change-type-id "ct-2uzbqr7x7mekd" --query "ChangeTypeVersion.ExecutionInputSchema" --output text > EnableTermProCFNParams.json
   ```

1. Modify and save the EnableTermProCFNParams file, retaining only the parameters that you want to change. For example, you can replace the contents with something like this:

   ```
   {
     "DocumentName": "AWSManagedServices-ManageResourceTerminationProtection",
     "Region": "us-east-1",
     "Parameters": {
       "ResourceId": ["stack-psvnq6cupymio3enl"],
       "TerminationProtectionDesiredState": ["enabled"]
     }
   }
   ```

1. Output the RFC template to a file in your current folder; this example names it EnableTermProCFNRfc.json:

   ```
   aws amscm create-rfc --generate-cli-skeleton > EnableTermProCFNRfc.json
   ```

1. Modify and save the EnableTermProCFNRfc.json file. For example, you can replace the contents with something like this:

   ```
   {
       "ChangeTypeId": "ct-2uzbqr7x7mekd",
       "ChangeTypeVersion": "1.0",
       "Title": "Enable termination protection on CFN instance"
   }
   ```

1. Create the RFC, specifying the EnableTermProCFNRfc file and the EnableTermProCFNParams file:

   ```
   aws amscm create-rfc --cli-input-json file://EnableTermProCFNRfc.json  --execution-parameters file://EnableTermProCFNParams.json
   ```

   You receive the ID of the new RFC in the response and can use it to submit and monitor the RFC. Until you submit it, the RFC remains in the editing state and does not start.

### Tips
<a name="ex-cfn-term-pro-update-tip"></a>

**Note**  
There is a related CT for Amazon EC2, [EC2 stack: Updating termination protection](https://docs.aws.amazon.com/managedservices/latest/ctref/ex-ec2-term-pro-update-col.html).

To learn more about termination protection, see [ Protecting a stack from being deleted](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-protect-stacks.html).

# Automated IAM deployments using CFN ingest or stack update CTs in AMS
<a name="cfn-ingest-iam-deploy"></a>

You can use these AMS change types to deploy IAM roles (the `AWS::IAM::Role` resource) in both multi-account landing zone (MALZ) and single-account landing zone (SALZ):
+ Deployment | Ingestion | Stack from CloudFormation Template | Create (ct-36cn2avfrrj9v)
+ Management | Custom Stack | Stack From CloudFormation Template | Update (ct-361tlo1k7339x)
+ Management | Custom Stack | Stack From CloudFormation Template | Approve and Update (ct-1404e21baa2ox)

**Validations performed on the IAM roles in your CFN template:**
+ **ManagedPolicyArns**: The attribute **ManagedPolicyArns** must not exist in `AWS::IAM::Role`. The validation disallows attaching managed policies to the role being provisioned. Instead, manage the role's permissions with inline policies through the `Policies` property.
+ **PermissionsBoundary**: The policy used to set the permissions boundary for the role can only be the AMS-vended managed policy `AWSManagedServices_IAM_PermissionsBoundary`. This policy acts as a guardrail that protects the AMS infrastructure resources from being modified using the role being provisioned. With this default permissions boundary, the security benefits that AMS provides are preserved.

  The `AWSManagedServices_IAM_PermissionsBoundary` (the default) is required; without it, the request is rejected.
+ **MaxSessionDuration**: The maximum session duration that can be set for the IAM role is 1 to 4 hours. The AMS technical standards require a customer risk acceptance for session durations beyond 4 hours.
+ **RoleName**: The following namespaces are reserved by AMS and cannot be used as IAM role name prefixes:

  ```
  AmazonSSMRole,
  AMS,
  Ams,
  ams,
  AWSManagedServices,
  customer_developer_role,
  customer-mc-,
  Managed_Services,
  MC,
  Mc,
  mc,
  SENTINEL,
  Sentinel,
  sentinel,
  StackSet-AMS,
  StackSet-Ams,
  StackSet-ams,
  StackSet-AWS,
  StackSet-MC,
  StackSet-Mc,
  StackSet-mc
  ```
+ **Policies**: The inline policy embedded in the IAM role can only include a set of IAM actions that are pre-approved by AMS. This pre-approved set (the control policy) is the upper bound on the actions an IAM role can be created with. The control policy consists of:
  + All actions in the AWS managed policy ReadOnlyAccess, which provides read-only access to all AWS services and resources
  + The following actions, with one restriction on S3: the allowed S3 actions can only be performed on resources in the same account as the role being created (no cross-account S3 access):

    ```
    amscm:*,
    amsskms:*,
    lambda:InvokeFunction,
    logs:CreateLogStream,
    logs:PutLogEvents,
    s3:AbortMultipartUpload,
    s3:DeleteObject,
    s3:DeleteObjectVersion,
    s3:ObjectOwnerOverrideToBucketOwner,
    s3:PutObject,
    s3:ReplicateTags,
    secretsmanager:GetRandomPassword,
    sns:Publish
    ```

    Any IAM role created or updated through CFN ingest can allow actions listed in this control policy, or actions scoped down from (less permissive than) those actions. Currently, the allowed set is the read-only actions plus the non-read-only actions listed above, which cannot be accomplished through CTs and are pre-approved per the AMS technical standard.
+ **AssumeRolePolicyDocument**: The following entities are pre-approved and can be included in the trust policy to assume the role being created:
  + Any IAM entity (role, user, root user, STS assumed-role session) in the same account can assume the role.
  + The following AWS services can assume the role:

    ```
    apigateway.amazonaws.com,
    autoscaling.amazonaws.com,
    cloudformation.amazonaws.com,
    codebuild.amazonaws.com,
    codedeploy.amazonaws.com,
    codepipeline.amazonaws.com,
    datapipeline.amazonaws.com,
    datasync.amazonaws.com,
    dax.amazonaws.com,
    dms.amazonaws.com,
    ec2.amazonaws.com,
    ecs-tasks.amazonaws.com,
    ecs.application-autoscaling.amazonaws.com,
    elasticmapreduce.amazonaws.com,
    es.amazonaws.com,
    events.amazonaws.com,
    firehose.amazonaws.com,
    glue.amazonaws.com,
    lambda.amazonaws.com,
    monitoring.rds.amazonaws.com,
    pinpoint.amazonaws.com,
    rds.amazonaws.com,
    redshift.amazonaws.com,
    s3.amazonaws.com,
    sagemaker.amazonaws.com,
    servicecatalog.amazonaws.com,
    sns.amazonaws.com,
    ssm.amazonaws.com,
    states.amazonaws.com,
    storagegateway.amazonaws.com,
    transfer.amazonaws.com,
    vmie.amazonaws.com
    ```
  + The SAML provider in the same account can assume the role. Currently, the only supported SAML provider name is `customer-saml`.

If one or more of the validations fail, the RFC is rejected. A sample RFC rejection reason looks like this:

```
{"errorMessage":"[ 'LambdaRole: The maximum session duration (in seconds) should be a numeric value in the range 3600 to 14400 (i.e. 1 to 4 hours).', 'lambda-policy: Policy document is too permissive.']","errorType":"ClientError"}
```
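To make the rules above concrete, here is an added example that is not AMS's validator and not part of this page: an offline approximation of the `AWS::IAM::Role` checks listed above (ManagedPolicyArns, PermissionsBoundary, MaxSessionDuration, RoleName prefixes, control-policy actions, trust-policy principals) plus the "every parameter needs a default" rule from the validation section, run over a constructed template. The rule values (session range, reserved prefixes, control-policy actions, trusted services) are copied from this page; the function names, the sample account ID and template, and the use of `Get`/`List`/`Describe` verbs as a stand-in for the ReadOnlyAccess managed policy are assumptions. The same-account restriction on S3 resources and intrinsic functions such as `Fn::Sub` in principals are not modelled.

```python
# Added example, not the AMS validator: an offline approximation of the AWS::IAM::Role checks listed
# on this page. Rule values come from the page; names, the ReadOnlyAccess stand-in and the sample are constructed.
import fnmatch

ACCOUNT_ID = "111122223333"  # constructed sample account id
PERMISSIONS_BOUNDARY = "AWSManagedServices_IAM_PermissionsBoundary"
MIN_SESSION, MAX_SESSION = 3600, 14400  # 1 to 4 hours, in seconds
RESERVED_PREFIXES = (  # role-name prefixes reserved by AMS, as listed on the page
    "AmazonSSMRole", "AMS", "Ams", "ams", "AWSManagedServices", "customer_developer_role", "customer-mc-",
    "Managed_Services", "MC", "Mc", "mc", "SENTINEL", "Sentinel", "sentinel", "StackSet-AMS", "StackSet-Ams",
    "StackSet-ams", "StackSet-AWS", "StackSet-MC", "StackSet-Mc", "StackSet-mc")
CONTROL_ACTIONS = {  # non-read-only part of the control policy, as listed on the page
    "amscm:*", "amsskms:*", "lambda:InvokeFunction", "logs:CreateLogStream", "logs:PutLogEvents",
    "s3:AbortMultipartUpload", "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:ObjectOwnerOverrideToBucketOwner",
    "s3:PutObject", "s3:ReplicateTags", "secretsmanager:GetRandomPassword", "sns:Publish"}
READ_ONLY_VERBS = ("Get", "List", "Describe")  # constructed stand-in for the ReadOnlyAccess managed policy
TRUSTED_SERVICES = {s + ".amazonaws.com" for s in (  # service principals pre-approved on the page
    "apigateway", "autoscaling", "cloudformation", "codebuild", "codedeploy", "codepipeline", "datapipeline",
    "datasync", "dax", "dms", "ec2", "ecs-tasks", "ecs.application-autoscaling", "elasticmapreduce", "es",
    "events", "firehose", "glue", "lambda", "monitoring.rds", "pinpoint", "rds", "redshift", "s3", "sagemaker",
    "servicecatalog", "sns", "ssm", "states", "storagegateway", "transfer", "vmie")}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def action_allowed(action):
    """True if `action` is in the control policy or scoped down from it (read-only verbs)."""
    if any(fnmatch.fnmatchcase(action, pattern) for pattern in CONTROL_ACTIONS):
        return True
    service, _, verb = action.partition(":")  # "*" and "service:*" fall through to False
    return bool(service) and verb.startswith(READ_ONLY_VERBS)

def principal_allowed(principal, account_id):
    """Pre-approved: a trusted service, a same-account IAM/STS entity, or the customer-saml provider."""
    if not isinstance(principal, dict):  # "*" is never limited to the same account
        return False
    same_account = (f"arn:aws:iam::{account_id}:", f"arn:aws:sts::{account_id}:")
    for kind, values in principal.items():
        for value in _as_list(values):  # intrinsic functions (dicts) are not resolved here
            if not isinstance(value, str) or not (
                    (kind == "Service" and value in TRUSTED_SERVICES)
                    or (kind == "AWS" and (value == account_id or value.startswith(same_account)))
                    or (kind == "Federated" and value == same_account[0] + "saml-provider/customer-saml")):
                return False
    return True

def validate_role(logical_id, props, account_id):
    """Apply the documented checks to one AWS::IAM::Role; returns rejection reasons."""
    errors = []
    if "ManagedPolicyArns" in props:
        errors.append(f"{logical_id}: ManagedPolicyArns is not allowed; manage permissions with inline Policies.")
    boundary = props.get("PermissionsBoundary", "")
    if not (isinstance(boundary, str) and boundary.endswith(f":policy/{PERMISSIONS_BOUNDARY}")):
        errors.append(f"{logical_id}: PermissionsBoundary must be {PERMISSIONS_BOUNDARY}.")
    duration = props.get("MaxSessionDuration", MIN_SESSION)  # CloudFormation defaults to one hour
    if not (isinstance(duration, int) and MIN_SESSION <= duration <= MAX_SESSION):
        errors.append(f"{logical_id}: The maximum session duration (in seconds) should be a numeric value "
                      "in the range 3600 to 14400 (i.e. 1 to 4 hours).")
    name = props.get("RoleName", "")
    if isinstance(name, str) and name.startswith(RESERVED_PREFIXES):
        errors.append(f"{logical_id}: RoleName uses a prefix reserved by AMS.")
    for policy in props.get("Policies", []):
        for stmt in _as_list(policy["PolicyDocument"].get("Statement", [])):
            denied = [a for a in _as_list(stmt.get("Action", [])) if not action_allowed(a)]
            if stmt.get("Effect") == "Allow" and denied:
                errors.append(f"{policy['PolicyName']}: Policy document is too permissive ({', '.join(denied)}).")
    for stmt in _as_list(props.get("AssumeRolePolicyDocument", {}).get("Statement", [])):
        if stmt.get("Effect") == "Allow" and not principal_allowed(stmt.get("Principal"), account_id):
            errors.append(f"{logical_id}: AssumeRolePolicyDocument trusts a principal that is not pre-approved.")
    return errors

def validate_template(template, account_id):
    """Parameter-default check plus the role checks, over a parsed CloudFormation template (dict)."""
    errors = [f"{name}: Parameter has no Default value."
              for name, spec in template.get("Parameters", {}).items() if "Default" not in spec]
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") == "AWS::IAM::Role":
            errors.extend(validate_role(logical_id, res.get("Properties", {}), account_id))
    return errors

def sample_role(service, policy_name, actions, **extra):
    """Constructed helper: builds AWS::IAM::Role properties for the demo template below."""
    return {"Type": "AWS::IAM::Role", "Properties": {
        "PermissionsBoundary": f"arn:aws:iam::{ACCOUNT_ID}:policy/{PERMISSIONS_BOUNDARY}",
        "AssumeRolePolicyDocument": {"Statement": [
            {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"Service": service}}]},
        "Policies": [{"PolicyName": policy_name, "PolicyDocument": {"Statement": [
            {"Effect": "Allow", "Resource": "*", "Action": actions}]}}], **extra}}

SAMPLE_TEMPLATE = {  # constructed input: one compliant role and one that breaks two rules
    "Parameters": {"BucketName": {"Type": "String"}},  # no Default: rejected
    "Resources": {
        "AppRole": sample_role("ec2.amazonaws.com", "app-policy", ["s3:GetObject", "s3:PutObject"]),
        "LambdaRole": sample_role("lambda.amazonaws.com", "lambda-policy", "s3:*", MaxSessionDuration=28800)}}

if __name__ == "__main__":
    print("\n".join(validate_template(SAMPLE_TEMPLATE, ACCOUNT_ID)))
```

Running the block prints three reasons for the constructed template: the parameter without a default, the 8-hour session on `LambdaRole`, and the `s3:*` statement in `lambda-policy`, mirroring the shape of the rejection message shown above. The compliant `AppRole` produces nothing because `s3:GetObject` is read-only and `s3:PutObject` is in the control policy. A useful pre-submission habit is to run a check like this against the template before filing the RFC, so that a rejection for these reasons never costs an RFC round trip.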

If you need assistance with a failed RFC validation or execution, use the RFC correspondence to reach out to AMS. For instructions, see [RFC correspondence and attachment (console)](https://docs.aws.amazon.com/managedservices/latest/ctref/ex-rfc-correspondence.html). For any other questions, submit a service request. For a how-to, see [Creating a Service Request](https://docs.aws.amazon.com/managedservices/latest/userguide/gui-ex-create-service-request.html).

**Note**  
We do not currently enforce any IAM best practices as part of our IAM validations. For IAM best practices, see [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html).

**Creating IAM roles with more permissive actions or enforcing IAM best practices**

Create your IAM entities with the following manual change types:
+ Deployment | Advanced stack components | Identity and Access Management (IAM) | Create entity or policy (ct-3dpd8mdd9jn1r)
+ Management | Advanced stack components | Identity and Access Management (IAM) | Update entity or policy (ct-27tuth19k52b4)

We recommend that you read and understand our technical standards before filing these manual RFCs. For access, see [How to access technical standards](https://docs.aws.amazon.com/managedservices/latest/ctref/rfc-security.html#rfc-sec-tech-standards-access).

**Note**  
Each IAM role directly created with these manual change types belongs to its own individual stack and does not reside in the same stack where the other infrastructure resources are created through CFN Ingest CT.

**Updating IAM Roles created with CFN ingest through manual change types when updates cannot be done through automated change types**

Use the Management | Advanced stack components | Identity and Access Management (IAM) | Update entity or policy (ct-27tuth19k52b4) change type.

**Important**  
Updates on IAM roles through the manual CT are not reflected in the CFN stack templates and cause stack drift. Once the role has been updated through a manual request to a state that doesn’t pass our validations, the role cannot be further updated using the Stack Update CT (ct-361tlo1k7339x) again as long as it continues to be non-compliant with our validations. The update CT can be used only if the CFN stack template is compliant with our validations. However, the stack can still be updated via the Stack Update CT (ct-361tlo1k7339x), as long as the IAM resource that’s non-compliant with our validations is not being updated and the CFN template passes our validations.

**Deleting your IAM roles created through AWS CloudFormation ingest**

If you want to delete the whole stack, use the following automated Delete Stack change type. For instructions, see [Delete Stack](https://docs.aws.amazon.com/managedservices/latest/ctref/ex-stack-delete-col.html):
+ Change Type ID: ct-0q0bic0ywqk6c
+ Classification: Management | Standard stacks | Stack | Delete and Management | Advanced stack components | Stack | Delete

If you want to delete an IAM role without deleting the whole stack, you can remove the IAM role from the CloudFormation template and use the updated template as an input to the automated Stack Update change type:
+ Change Type ID: ct-361tlo1k7339x
+ Classification: Management | Custom stack | Stack from CloudFormation template | Update

For instructions, see [Update AWS CloudFormation ingest stack](https://docs.aws.amazon.com/managedservices/latest/appguide/ex-cfn-ingest-update-col.html).