{
  "Description": "(SO0284) innovation-sandbox-on-aws v1.2.9",
  "Metadata": {
    "AWS::CloudFormation::Interface": {
      "ParameterLabels": {
        "Namespace": {
          "default": "Namespace"
        },
        "HubAccountId": {
          "default": "Hub Account Id"
        },
        "ParentOuId": {
          "default": "Parent OU Id"
        },
        "IsbManagedRegions": {
          "default": "ISB Managed Regions"
        }
      },
      "ParameterGroups": [
        {
          "Label": {
            "default": "AccountPool Stack Configuration"
          },
          "Parameters": [
            "Namespace",
            "HubAccountId",
            "ParentOuId",
            "IsbManagedRegions"
          ]
        }
      ]
    }
  },
  "Parameters": {
    "Namespace": {
      "Type": "String",
      "Default": "myisb",
      "AllowedPattern": "^[0-9a-zA-Z]{3,8}$",
      "Description": "The namespace for this deployment of Innovation Sandbox (must be the same for all member stacks). Must be 3 to 8 alphanumeric characters."
    },
    "HubAccountId": {
      "Type": "String",
      "AllowedPattern": "^[0-9]{12}$",
      "Description": "The AWS Account Id where the Innovation Sandbox hub application is (to be) deployed"
    },
    "ParentOuId": {
      "Type": "String",
      "AllowedPattern": "^(r-[0-9a-z]{4,32})|(ou-[0-9a-z]{4,32}-[a-z0-9]{8,32})$",
      "Description": "Provide the Root ID or organizational unit ID under which the Innovation Sandbox OUs will be created"
    },
    "IsbManagedRegions": {
      "Type": "CommaDelimitedList",
      "AllowedPattern": "^[a-z]{2}(-[a-z]+-\\d{1})(,[ ]*[a-z]{2}(-[a-z]+-\\d{1}))*$",
      "ConstraintDescription": "Must be a comma-separated list of valid AWS Region codes, e.g., us-east-1,eu-west-1",
      "Description": "Provide a list of AWS Regions to which use will be limited."
    }
  },
  "Resources": {
    "InnovationSandboxAccountPoolOu": {
      "Type": "AWS::Organizations::OrganizationalUnit",
      "Properties": {
        "Name": {
          "Fn::Join": [
            "",
            [
              {
                "Ref": "Namespace"
              },
              "_InnovationSandboxAccountPool"
            ]
          ]
        },
        "ParentId": {
          "Ref": "ParentOuId"
        },
        "Tags": [
          {
            "Key": "aws-solutions:isb-id",
            "Value": {
              "Fn::Join": [
                "",
                [
                  {
                    "Ref": "Namespace"
                  },
                  "_isb"
                ]
              ]
            }
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "InnovationSandbox-AccountPool/InnovationSandboxAccountPoolOu"
      }
    },
    "AvailableOu": {
      "Type": "AWS::Organizations::OrganizationalUnit",
      "Properties": {
        "Name": "Available",
        "ParentId": {
          "Fn::GetAtt": [
            "InnovationSandboxAccountPoolOu",
            "Id"
          ]
        },
        "Tags": [
          {
            "Key": "aws-solutions:isb-id",
            "Value": {
              "Fn::Join": [
                "",
                [
                  {
                    "Ref": "Namespace"
                  },
                  "_isb"
                ]
              ]
            }
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "InnovationSandbox-AccountPool/AvailableOu"
      }
    },
    "ActiveOu": {
      "Type": "AWS::Organizations::OrganizationalUnit",
      "Properties": {
        "Name": "Active",
        "ParentId": {
          "Fn::GetAtt": [
            "InnovationSandboxAccountPoolOu",
            "Id"
          ]
        },
        "Tags": [
          {
            "Key": "aws-solutions:isb-id",
            "Value": {
              "Fn::Join": [
                "",
                [
                  {
                    "Ref": "Namespace"
                  },
                  "_isb"
                ]
              ]
            }
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "InnovationSandbox-AccountPool/ActiveOu"
      }
    },
    "CleanUpOu": {
      "Type": "AWS::Organizations::OrganizationalUnit",
      "Properties": {
        "Name": "CleanUp",
        "ParentId": {
          "Fn::GetAtt": [
            "InnovationSandboxAccountPoolOu",
            "Id"
          ]
        },
        "Tags": [
          {
            "Key": "aws-solutions:isb-id",
            "Value": {
              "Fn::Join": [
                "",
                [
                  {
                    "Ref": "Namespace"
                  },
                  "_isb"
                ]
              ]
            }
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "InnovationSandbox-AccountPool/CleanUpOu"
      }
    },
    "QuarantineOu": {
      "Type": "AWS::Organizations::OrganizationalUnit",
      "Properties": {
        "Name": "Quarantine",
        "ParentId": {
          "Fn::GetAtt": [
            "InnovationSandboxAccountPoolOu",
            "Id"
          ]
        },
        "Tags": [
          {
            "Key": "aws-solutions:isb-id",
            "Value": {
              "Fn::Join": [
                "",
                [
                  {
                    "Ref": "Namespace"
                  },
                  "_isb"
                ]
              ]
            }
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "InnovationSandbox-AccountPool/QuarantineOu"
      }
    },
    "EntryOu": {
      "Type": "AWS::Organizations::OrganizationalUnit",
      "Properties": {
        "Name": "Entry",
        "ParentId": {
          "Fn::GetAtt": [
            "InnovationSandboxAccountPoolOu",
            "Id"
          ]
        },
        "Tags": [
          {
            "Key": "aws-solutions:isb-id",
            "Value": {
              "Fn::Join": [
                "",
                [
                  {
                    "Ref": "Namespace"
                  },
                  "_isb"
                ]
              ]
            }
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "InnovationSandbox-AccountPool/EntryOu"
      }
    },
    "ExitOu": {
      "Type": "AWS::Organizations::OrganizationalUnit",
      "Properties": {
        "Name": "Exit",
        "ParentId": {
          "Fn::GetAtt": [
            "InnovationSandboxAccountPoolOu",
            "Id"
          ]
        },
        "Tags": [
          {
            "Key": "aws-solutions:isb-id",
            "Value": {
              "Fn::Join": [
                "",
                [
                  {
                    "Ref": "Namespace"
                  },
                  "_isb"
                ]
              ]
            }
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "InnovationSandbox-AccountPool/ExitOu"
      }
    },
    "FrozenOu": {
      "Type": "AWS::Organizations::OrganizationalUnit",
      "Properties": {
        "Name": "Frozen",
        "ParentId": {
          "Fn::GetAtt": [
            "InnovationSandboxAccountPoolOu",
            "Id"
          ]
        },
        "Tags": [
          {
            "Key": "aws-solutions:isb-id",
            "Value": {
              "Fn::Join": [
                "",
                [
                  {
                    "Ref": "Namespace"
                  },
                  "_isb"
                ]
              ]
            }
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "InnovationSandbox-AccountPool/FrozenOu"
      }
    },
    "InnovationSandboxAwsNukeSupportedServicesScp": {
      "Type": "AWS::Organizations::Policy",
      "Properties": {
        "Content": {
          "Statement": [
            {
              "NotAction": [
                "access-analyzer:*",
                "acm:*",
                "acm-pca:*",
                "amplify:*",
                "aoss:*",
                "apigateway:*",
                "appconfig:*",
                "application-autoscaling:*",
                "applicationinsights:*",
                "appmesh:*",
                "apprunner:*",
                "appstream:*",
                "appsync:*",
                "athena:*",
                "autoscaling:*",
                "backup:*",
                "batch:*",
                "bedrock:*",
                "budgets:*",
                "cloud9:*",
                "clouddirectory:*",
                "cloudformation:*",
                "cloudfront:*",
                "cloudhsm:*",
                "cloudsearch:*",
                "cloudshell:*",
                "cloudtrail:*",
                "cloudwatch:*",
                "codebuild:*",
                "codecommit:*",
                "codedeploy:*",
                "codeguru-profiler:*",
                "codeguru-reviewer:*",
                "codepipeline:*",
                "codestar:*",
                "cognito-identity:*",
                "cognito-idp:*",
                "comprehend:*",
                "config:*",
                "dms:*",
                "datapipeline:*",
                "dax:*",
                "devicefarm:*",
                "ds:*",
                "dynamodb:*",
                "ec2:*",
                "ec2messages:*",
                "ecr:*",
                "ecs:*",
                "elasticfilesystem:*",
                "eks:*",
                "elasticache:*",
                "elasticbeanstalk:*",
                "es:*",
                "elastictranscoder:*",
                "elasticloadbalancing:*",
                "elasticmapreduce:*",
                "events:*",
                "firehose:*",
                "fms:*",
                "fsx:*",
                "gamelift:*",
                "globalaccelerator:*",
                "glue:*",
                "guardduty:*",
                "iam:*",
                "imagebuilder:*",
                "inspector:*",
                "iot:*",
                "iotsitewise:*",
                "iottwinmaker:*",
                "kendra:*",
                "kinesis:*",
                "kinesisanalytics:*",
                "kinesisvideo:*",
                "kms:*",
                "lambda:*",
                "lex:*",
                "lightsail:*",
                "logs:*",
                "machinelearning:*",
                "macie2:*",
                "mediaconvert:*",
                "medialive:*",
                "mediapackage:*",
                "mediastore:*",
                "mediatailor:*",
                "memorydb:*",
                "mgn:*",
                "mq:*",
                "kafka:*",
                "neptune-db:*",
                "networkmanager:*",
                "opensearch:*",
                "opsworks:*",
                "opsworks-cm:*",
                "sms-voice:*",
                "q:*",
                "pipes:*",
                "polly:*",
                "qldb:*",
                "quicksight:*",
                "rds:*",
                "redshift:*",
                "redshift-serverless:*",
                "rekognition:*",
                "resource-explorer-2:*",
                "resource-groups:*",
                "robomaker:*",
                "route53:*",
                "route53resolver:*",
                "s3:*",
                "sagemaker:*",
                "scheduler:*",
                "secretsmanager:*",
                "securityhub:*",
                "servicecatalog:*",
                "servicediscovery:*",
                "ses:*",
                "states:*",
                "signer:*",
                "sdb:*",
                "sns:*",
                "sqs:*",
                "ssm:*",
                "ssmmessages:*",
                "storagegateway:*",
                "transcribe:*",
                "transfer:*",
                "waf:*",
                "wafv2:*",
                "workspaces:*",
                "xray:*"
              ],
              "Condition": {
                "ArnNotLike": {
                  "aws:PrincipalARN": [
                    {
                      "Fn::Join": [
                        "",
                        [
                          "arn:aws:iam::*:role/InnovationSandbox-",
                          {
                            "Ref": "Namespace"
                          },
                          "*"
                        ]
                      ]
                    },
                    {
                      "Fn::Join": [
                        "",
                        [
                          "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*AWSReservedSSO_",
                          {
                            "Ref": "Namespace"
                          },
                          "_IsbAdmins*"
                        ]
                      ]
                    },
                    "arn:aws:iam::*:role/stacksets-exec-*",
                    "arn:aws:iam::*:role/AWSControlTowerExecution"
                  ]
                }
              },
              "Effect": "Deny",
              "Resource": "*",
              "Sid": "DenyAllExceptAwsNukeSupportedServices"
            }
          ],
          "Version": "2012-10-17"
        },
        "Description": "Service Control Policy (SCP) to allow only services supported by the AWS Nuke cleanup workflow.",
        "Name": "InnovationSandboxAwsNukeSupportedServicesScp",
        "Tags": [
          {
            "Key": "aws-solutions:isb-id",
            "Value": {
              "Fn::Join": [
                "",
                [
                  {
                    "Ref": "Namespace"
                  },
                  "_isb"
                ]
              ]
            }
          }
        ],
        "TargetIds": [
          {
            "Fn::GetAtt": [
              "InnovationSandboxAccountPoolOu",
              "Id"
            ]
          }
        ],
        "Type": "SERVICE_CONTROL_POLICY"
      },
      "Metadata": {
        "aws:cdk:path": "InnovationSandbox-AccountPool/InnovationSandboxAwsNukeSupportedServicesScp"
      }
    },
    "InnovationSandboxRestrictionsScp": {
      "Type": "AWS::Organizations::Policy",
      "Properties": {
        "Content": {
          "Statement": [
            {
              "Action": [
                "aws-portal:ModifyAccount",
                "aws-portal:ViewAccount",
                "cloudtrail:CreateServiceLinkedChannel",
                "cloudtrail:UpdateServiceLinkedChannel",
                "iam:CreateUser",
                "networkmanager:AssociateTransitGatewayConnectPeer",
                "networkmanager:DisassociateTransitGatewayConnectPeer",
                "networkmanager:StartOrganizationServiceAccessUpdate",
                "ram:CreateResourceShare",
                "ram:EnableSharingWithAwsOrganization",
                "ssm:ModifyDocumentPermission",
                "wafv2:DisassociateFirewallManager",
                "wafv2:PutFirewallManagerRuleGroups",
                "cloudtrail:LookupEvents"
              ],
              "Condition": {
                "ArnNotLike": {
                  "aws:PrincipalARN": [
                    {
                      "Fn::Join": [
                        "",
                        [
                          "arn:aws:iam::*:role/InnovationSandbox-",
                          {
                            "Ref": "Namespace"
                          },
                          "*"
                        ]
                      ]
                    },
                    {
                      "Fn::Join": [
                        "",
                        [
                          "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*AWSReservedSSO_",
                          {
                            "Ref": "Namespace"
                          },
                          "_IsbAdmins*"
                        ]
                      ]
                    },
                    "arn:aws:iam::*:role/stacksets-exec-*",
                    "arn:aws:iam::*:role/AWSControlTowerExecution"
                  ]
                }
              },
              "Effect": "Deny",
              "Resource": "*",
              "Sid": "SecurityAndIsolationRestrictions"
            },
            {
              "Action": [
                "aws-portal:ModifyBilling",
                "aws-portal:ModifyPaymentMethods",
                "ce:CreateAnomalyMonitor",
                "ce:CreateAnomalySubscription",
                "ce:CreateCostCategoryDefinition",
                "ce:CreateNotificationSubscription",
                "ce:CreateReport",
                "ce:UpdatePreferences",
                "devicefarm:Purchase*",
                "devicefarm:RenewOffering",
                "dynamodb:Purchase*",
                "ec2:AcceptReservedInstancesExchangeQuote",
                "ec2:EnableIpamOrganizationAdminAccount",
                "ec2:ModifyReservedInstances",
                "ec2:Purchase*",
                "elasticache:Purchase*",
                "es:Purchase*",
                "glacier:Purchase*",
                "mediaconnect:Purchase*",
                "medialive:Purchase*",
                "rds:Purchase*",
                "redshift:Purchase*",
                "shield:AssociateDRTRole",
                "shield:CreateProtection",
                "shield:CreateSubscription",
                "shield:UpdateEmergencyContactSettings"
              ],
              "Condition": {
                "ArnNotLike": {
                  "aws:PrincipalARN": [
                    {
                      "Fn::Join": [
                        "",
                        [
                          "arn:aws:iam::*:role/InnovationSandbox-",
                          {
                            "Ref": "Namespace"
                          },
                          "*"
                        ]
                      ]
                    },
                    {
                      "Fn::Join": [
                        "",
                        [
                          "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*AWSReservedSSO_",
                          {
                            "Ref": "Namespace"
                          },
                          "_IsbAdmins*"
                        ]
                      ]
                    },
                    "arn:aws:iam::*:role/stacksets-exec-*",
                    "arn:aws:iam::*:role/AWSControlTowerExecution"
                  ]
                }
              },
              "Effect": "Deny",
              "Resource": "*",
              "Sid": "CostImplicationRestrictions"
            },
            {
              "Action": [
                "account:EnableRegion",
                "auditmanager:DeregisterOrganizationAdminAccount",
                "auditmanager:RegisterOrganizationAdminAccount",
                "backup:PutBackupVaultLockConfiguration",
                "cassandra:UpdatePartitioner",
                "chime:*",
                "cloudhsm:*",
                "deepcomposer:AssociateCoupon",
                "directconnect:AllocateConnectionOnInterconnect",
                "directconnect:AllocateHostedConnection",
                "directconnect:AssociateHostedConnection",
                "directconnect:CreateInterconnect",
                "drs:CreateExtendedSourceServer",
                "elasticache:PurchaseReservedCacheNodesOffering",
                "events:CreatePartnerEventSource",
                "glacier:AbortVaultLock",
                "glacier:CompleteVaultLock",
                "glacier:InitiateVaultLock",
                "glacier:SetVaultAccessPolicy",
                "iotevents:PutLoggingOptions",
                "iotsitewise:CreateBulkImportJob",
                "lambda:CreateCodeSigningConfig",
                "license-manager:CreateLicenseConversionTaskForResource",
                "macie2:UpdateOrganizationConfiguration",
                "mediaConvert:CreateQueue",
                "medialive:ClaimDevice",
                "mgn:*",
                "robomaker:CreateDeploymentJob",
                "robomaker:CreateFleet",
                "robomaker:CreateRobot",
                "robomaker:DeregisterRobot",
                "robomaker:RegisterRobot",
                "robomaker:SyncDeploymentJob",
                "robomaker:UpdateRobotDeployment",
                "route53domains:*",
                "s3-object-lambda:PutObjectLegalHold",
                "s3-object-lambda:PutObjectRetention",
                "s3:PutObjectLegalHold",
                "ses:PutDeliverabilityDashboardOption",
                "storagegateway:*",
                "wam:*",
                "wellarchitected:UpdateGlobalSettings",
                "workmail:AssumeImpersonationRole",
                "workmail:CreateImpersonationRole",
                "workmail:UpdateImpersonationRole",
                "workspaces:ModifyAccount"
              ],
              "Condition": {
                "ArnNotLike": {
                  "aws:PrincipalARN": [
                    {
                      "Fn::Join": [
                        "",
                        [
                          "arn:aws:iam::*:role/InnovationSandbox-",
                          {
                            "Ref": "Namespace"
                          },
                          "*"
                        ]
                      ]
                    },
                    {
                      "Fn::Join": [
                        "",
                        [
                          "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*AWSReservedSSO_",
                          {
                            "Ref": "Namespace"
                          },
                          "_IsbAdmins*"
                        ]
                      ]
                    },
                    "arn:aws:iam::*:role/stacksets-exec-*",
                    "arn:aws:iam::*:role/AWSControlTowerExecution"
                  ]
                }
              },
              "Effect": "Deny",
              "Resource": "*",
              "Sid": "OperationalRestrictions"
            }
          ],
          "Version": "2012-10-17"
        },
        "Description": "Service Control Policy (SCP) to add restrictions for security-, isolation-, cost- and operations-related resources.",
        "Name": "InnovationSandboxRestrictionsScp",
        "Tags": [
          {
            "Key": "aws-solutions:isb-id",
            "Value": {
              "Fn::Join": [
                "",
                [
                  {
                    "Ref": "Namespace"
                  },
                  "_isb"
                ]
              ]
            }
          }
        ],
        "TargetIds": [
          {
            "Fn::GetAtt": [
              "InnovationSandboxAccountPoolOu",
              "Id"
            ]
          }
        ],
        "Type": "SERVICE_CONTROL_POLICY"
      },
      "Metadata": {
        "aws:cdk:path": "InnovationSandbox-AccountPool/InnovationSandboxRestrictionsScp"
      }
    },
    "InnovationSandboxProtectISBScp": {
      "Type": "AWS::Organizations::Policy",
      "Properties": {
        "Content": {
          "Statement": [
            {
              "Action": "*",
              "Condition": {
                "ArnNotLike": {
                  "aws:PrincipalARN": [
                    {
                      "Fn::Join": [
                        "",
                        [
                          "arn:aws:iam::*:role/InnovationSandbox-",
                          {
                            "Ref": "Namespace"
                          },
                          "*"
                        ]
                      ]
                    },
                    {
                      "Fn::Join": [
                        "",
                        [
                          "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*AWSReservedSSO_",
                          {
                            "Ref": "Namespace"
                          },
                          "_IsbAdmins*"
                        ]
                      ]
                    },
                    "arn:aws:iam::*:role/stacksets-exec-*",
                    "arn:aws:iam::*:role/AWSControlTowerExecution"
                  ]
                }
              },
              "Effect": "Deny",
              "Resource": [
                {
                  "Fn::Join": [
                    "",
                    [
                      "arn:aws:iam::*:role/InnovationSandbox-",
                      {
                        "Ref": "Namespace"
                      },
                      "*"
                    ]
                  ]
                },
                "arn:aws:iam::*:role/AWSReservedSSO*",
                {
                  "Fn::Join": [
                    "",
                    [
                      "arn:aws:*:*:*:*Isb-",
                      {
                        "Ref": "Namespace"
                      },
                      "*"
                    ]
                  ]
                },
                "arn:aws:iam::*:role/stacksets-exec-*",
                "arn:aws:iam::*:saml-provider/*AWSSSO*"
              ],
              "Sid": "ProtectIsbControlPlaneResources"
            },
            {
              "Action": "*",
              "Condition": {
                "ArnNotLike": {
                  "aws:PrincipalARN": [
                    "arn:aws:iam::*:role/AWSControlTowerExecution",
                    "arn:aws:iam::*:role/stacksets-exec-*"
                  ]
                }
              },
              "Effect": "Deny",
              "Resource": [
                "arn:aws:cloudtrail:*:*:trail/aws-controltower-*",
                "arn:aws:events:*:*:rule/aws-controltower-*",
                "arn:aws:events:*:*:rule/*AWSControlTower*",
                "arn:aws:lambda:*:*:function:aws-controltower-*",
                "arn:aws:logs:*:*:log-group:*aws-controltower*",
                "arn:aws:sns:*:*:aws-controltower-*",
                "arn:aws:iam::*:role/aws-controltower-*",
                "arn:aws:iam::*:role/*AWSControlTower*"
              ],
              "Sid": "ProtectControlTowerResources"
            },
            {
              "Action": [
                "config:DeleteConfigurationRecorder",
                "config:DeleteDeliveryChannel",
                "config:DeleteRetentionConfiguration",
                "config:PutConfigurationRecorder",
                "config:PutDeliveryChannel",
                "config:PutRetentionConfiguration",
                "config:StopConfigurationRecorder"
              ],
              "Condition": {
                "ArnNotLike": {
                  "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
                }
              },
              "Effect": "Deny",
              "Resource": "*",
              "Sid": "DenyConfigActions"
            },
            {
              "Action": "config:*",
              "Condition": {
                "StringEquals": {
                  "aws:ResourceTag/aws-control-tower": "managed-by-control-tower"
                },
                "ArnNotLike": {
                  "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
                }
              },
              "Effect": "Deny",
              "Resource": "*",
              "Sid": "ProtectControlTowerTaggedConfigResources"
            },
            {
              "Action": [
                "config:TagResource",
                "config:UntagResource"
              ],
              "Condition": {
                "ForAnyValue:StringEquals": {
                  "aws:TagKeys": "aws-control-tower"
                },
                "ArnNotLike": {
                  "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
                }
              },
              "Effect": "Deny",
              "Resource": "*",
              "Sid": "DenyControlTowerConfigTagActions"
            }
          ],
          "Version": "2012-10-17"
        },
        "Description": "Service Control Policy (SCP) for Innovation Sandbox to protect ISB control plane resources.",
        "Name": "InnovationSandboxProtectISBResourcesScp",
        "Tags": [
          {
            "Key": "aws-solutions:isb-id",
            "Value": {
              "Fn::Join": [
                "",
                [
                  {
                    "Ref": "Namespace"
                  },
                  "_isb"
                ]
              ]
            }
          }
        ],
        "TargetIds": [
          {
            "Fn::GetAtt": [
              "InnovationSandboxAccountPoolOu",
              "Id"
            ]
          }
        ],
        "Type": "SERVICE_CONTROL_POLICY"
      },
      "Metadata": {
        "aws:cdk:path": "InnovationSandbox-AccountPool/InnovationSandboxProtectISBScp"
      }
    },
    "InnovationSandboxLimitRegionsScp": {
      "Type": "AWS::Organizations::Policy",
      "Properties": {
        "Content": {
          "Statement": [
            {
              "Action": "*",
              "Condition": {
                "StringNotEquals": {
                  "aws:RequestedRegion": {
                    "Ref": "IsbManagedRegions"
                  }
                },
                "ArnNotLike": {
                  "aws:PrincipalARN": [
                    {
                      "Fn::Join": [
                        "",
                        [
                          "arn:aws:iam::*:role/InnovationSandbox-",
                          {
                            "Ref": "Namespace"
                          },
                          "*"
                        ]
                      ]
                    },
                    {
                      "Fn::Join": [
                        "",
                        [
                          "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*AWSReservedSSO_",
                          {
                            "Ref": "Namespace"
                          },
                          "_IsbAdmins*"
                        ]
                      ]
                    },
                    "arn:aws:iam::*:role/stacksets-exec-*",
                    "arn:aws:iam::*:role/AWSControlTowerExecution"
                  ]
                }
              },
              "Effect": "Deny",
              "Resource": "*",
              "Sid": "DenyRegionAccess"
            }
          ],
          "Version": "2012-10-17"
        },
        "Description": "Service Control Policy (SCP) for Innovation Sandbox to limit use of AWS Regions.",
        "Name": "InnovationSandboxLimitRegionsScp",
        "Tags": [
          {
            "Key": "aws-solutions:isb-id",
            "Value": {
              "Fn::Join": [
                "",
                [
                  {
                    "Ref": "Namespace"
                  },
                  "_isb"
                ]
              ]
            }
          }
        ],
        "TargetIds": [
          {
            "Fn::GetAtt": [
              "InnovationSandboxAccountPoolOu",
              "Id"
            ]
          }
        ],
        "Type": "SERVICE_CONTROL_POLICY"
      },
      "Metadata": {
        "aws:cdk:path": "InnovationSandbox-AccountPool/InnovationSandboxLimitRegionsScp"
      }
    },
    "InnovationSandboxWriteProtectionScp": {
      "Type": "AWS::Organizations::Policy",
      "Properties": {
        "Content": {
          "Statement": [
            {
              "Action": "*",
              "Condition": {
                "ArnNotLike": {
                  "aws:PrincipalARN": [
                    {
                      "Fn::Join": [
                        "",
                        [
                          "arn:aws:iam::*:role/InnovationSandbox-",
                          {
                            "Ref": "Namespace"
                          },
                          "*"
                        ]
                      ]
                    },
                    {
                      "Fn::Join": [
                        "",
                        [
                          "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*AWSReservedSSO_",
                          {
                            "Ref": "Namespace"
                          },
                          "_IsbAdmins*"
                        ]
                      ]
                    },
                    "arn:aws:iam::*:role/stacksets-exec-*",
                    "arn:aws:iam::*:role/AWSControlTowerExecution"
                  ]
                }
              },
              "Effect": "Deny",
              "Resource": "*",
              "Sid": "DenyAllExceptIsbRoles"
            }
          ],
          "Version": "2012-10-17"
        },
        "Description": "Service Control Policy (SCP) for Innovation Sandbox to restrict all create or modify actions on resources.",
        "Name": "InnovationSandboxWriteProtectionScp",
        "Tags": [
          {
            "Key": "aws-solutions:isb-id",
            "Value": {
              "Fn::Join": [
                "",
                [
                  {
                    "Ref": "Namespace"
                  },
                  "_isb"
                ]
              ]
            }
          }
        ],
        "TargetIds": [
          {
            "Fn::GetAtt": [
              "AvailableOu",
              "Id"
            ]
          },
          {
            "Fn::GetAtt": [
              "CleanUpOu",
              "Id"
            ]
          },
          {
            "Fn::GetAtt": [
              "QuarantineOu",
              "Id"
            ]
          },
          {
            "Fn::GetAtt": [
              "EntryOu",
              "Id"
            ]
          },
          {
            "Fn::GetAtt": [
              "ExitOu",
              "Id"
            ]
          }
        ],
        "Type": "SERVICE_CONTROL_POLICY"
      },
      "Metadata": {
        "aws:cdk:path": "InnovationSandbox-AccountPool/InnovationSandboxWriteProtectionScp"
      }
    },
    "OrgMgtRoleADB4C27C": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Condition": {
                "ArnEquals": {
                  "aws:PrincipalArn": {
                    "Fn::Join": [
                      "",
                      [
                        "arn:",
                        {
                          "Ref": "AWS::Partition"
                        },
                        ":iam::",
                        {
                          "Ref": "HubAccountId"
                        },
                        ":role/InnovationSandbox-",
                        {
                          "Ref": "Namespace"
                        },
                        "-IntermediateRole"
                      ]
                    ]
                  }
                }
              },
              "Effect": "Allow",
              "Principal": {
                "AWS": {
                  "Fn::Join": [
                    "",
                    [
                      "arn:",
                      {
                        "Ref": "AWS::Partition"
                      },
                      ":iam::",
                      {
                        "Ref": "HubAccountId"
                      },
                      ":root"
                    ]
                  ]
                }
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "Description": "Role to be assumed for operations on the org management account",
        "RoleName": {
          "Fn::Join": [
            "",
            [
              "InnovationSandbox-",
              {
                "Ref": "Namespace"
              },
              "-OrgMgtRole"
            ]
          ]
        },
        "Tags": [
          {
            "Key": "aws-solutions:isb-id",
            "Value": {
              "Fn::Join": [
                "",
                [
                  {
                    "Ref": "Namespace"
                  },
                  "_isb"
                ]
              ]
            }
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "InnovationSandbox-AccountPool/OrgMgtRole/Resource",
        "guard": {
          "SuppressedRules": [
            "CFN_NO_EXPLICIT_RESOURCE_NAMES"
          ]
        }
      }
    },
    "OrganizationsPolicyFD65B3A6": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "organizations:ListOrganizationalUnitsForParent",
                "organizations:ListAccountsForParent"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "InnovationSandboxAccountPoolOu",
                    "Arn"
                  ]
                },
                {
                  "Fn::GetAtt": [
                    "AvailableOu",
                    "Arn"
                  ]
                },
                {
                  "Fn::GetAtt": [
                    "ActiveOu",
                    "Arn"
                  ]
                },
                {
                  "Fn::GetAtt": [
                    "CleanUpOu",
                    "Arn"
                  ]
                },
                {
                  "Fn::GetAtt": [
                    "QuarantineOu",
                    "Arn"
                  ]
                },
                {
                  "Fn::GetAtt": [
                    "EntryOu",
                    "Arn"
                  ]
                },
                {
                  "Fn::GetAtt": [
                    "ExitOu",
                    "Arn"
                  ]
                },
                {
                  "Fn::GetAtt": [
                    "FrozenOu",
                    "Arn"
                  ]
                }
              ]
            },
            {
              "Action": "organizations:MoveAccount",
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "AvailableOu",
                    "Arn"
                  ]
                },
                {
                  "Fn::GetAtt": [
                    "ActiveOu",
                    "Arn"
                  ]
                },
                {
                  "Fn::GetAtt": [
                    "CleanUpOu",
                    "Arn"
                  ]
                },
                {
                  "Fn::GetAtt": [
                    "QuarantineOu",
                    "Arn"
                  ]
                },
                {
                  "Fn::GetAtt": [
                    "EntryOu",
                    "Arn"
                  ]
                },
                {
                  "Fn::GetAtt": [
                    "ExitOu",
                    "Arn"
                  ]
                },
                {
                  "Fn::GetAtt": [
                    "FrozenOu",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      "arn:",
                      {
                        "Ref": "AWS::Partition"
                      },
                      ":organizations::",
                      {
                        "Ref": "AWS::AccountId"
                      },
                      ":account/",
                      {
                        "Fn::Select": [
                          1,
                          {
                            "Fn::Split": [
                              "/",
                              {
                                "Fn::GetAtt": [
                                  "InnovationSandboxAccountPoolOu",
                                  "Arn"
                                ]
                              }
                            ]
                          }
                        ]
                      },
                      "/*"
                    ]
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      "arn:",
                      {
                        "Ref": "AWS::Partition"
                      },
                      ":organizations::",
                      {
                        "Ref": "AWS::AccountId"
                      },
                      ":root/",
                      {
                        "Fn::Select": [
                          1,
                          {
                            "Fn::Split": [
                              "/",
                              {
                                "Fn::GetAtt": [
                                  "InnovationSandboxAccountPoolOu",
                                  "Arn"
                                ]
                              }
                            ]
                          }
                        ]
                      },
                      "/*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": "organizations:DescribeAccount",
              "Effect": "Allow",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:",
                    {
                      "Ref": "AWS::Partition"
                    },
                    ":organizations::",
                    {
                      "Ref": "AWS::AccountId"
                    },
                    ":account/",
                    {
                      "Fn::Select": [
                        1,
                        {
                          "Fn::Split": [
                            "/",
                            {
                              "Fn::GetAtt": [
                                "InnovationSandboxAccountPoolOu",
                                "Arn"
                              ]
                            }
                          ]
                        }
                      ]
                    },
                    "/*"
                  ]
                ]
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "OrganizationsPolicyFD65B3A6",
        "Roles": [
          {
            "Ref": "OrgMgtRoleADB4C27C"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "InnovationSandbox-AccountPool/OrganizationsPolicy/Resource"
      }
    },
    "CostExplorerPolicy2242901C": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": "ce:GetCostAndUsage",
              "Effect": "Allow",
              "Resource": "*"
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "CostExplorerPolicy2242901C",
        "Roles": [
          {
            "Ref": "OrgMgtRoleADB4C27C"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "InnovationSandbox-AccountPool/CostExplorerPolicy/Resource"
      }
    },
    "AccountPoolConfigurationCF37E5E0": {
      "Type": "AWS::SSM::Parameter",
      "Properties": {
        "Description": "The account pool configuration for Innovation Sandbox",
        "Name": {
          "Fn::Join": [
            "",
            [
              "InnovationSandbox_",
              {
                "Ref": "Namespace"
              },
              "_AccountPool_Configuration"
            ]
          ]
        },
        "Tags": {
          "aws-solutions:isb-id": {
            "Fn::Join": [
              "",
              [
                {
                  "Ref": "Namespace"
                },
                "_isb"
              ]
            ]
          }
        },
        "Tier": "Advanced",
        "Type": "String",
        "Value": {
          "Fn::Join": [
            "",
            [
              "{\"sandboxOuId\":\"",
              {
                "Fn::GetAtt": [
                  "InnovationSandboxAccountPoolOu",
                  "Id"
                ]
              },
              "\",\"availableOuId\":\"",
              {
                "Fn::GetAtt": [
                  "AvailableOu",
                  "Id"
                ]
              },
              "\",\"activeOuId\":\"",
              {
                "Fn::GetAtt": [
                  "ActiveOu",
                  "Id"
                ]
              },
              "\",\"frozenOuId\":\"",
              {
                "Fn::GetAtt": [
                  "FrozenOu",
                  "Id"
                ]
              },
              "\",\"cleanupOuId\":\"",
              {
                "Fn::GetAtt": [
                  "CleanUpOu",
                  "Id"
                ]
              },
              "\",\"quarantineOuId\":\"",
              {
                "Fn::GetAtt": [
                  "QuarantineOu",
                  "Id"
                ]
              },
              "\",\"entryOuId\":\"",
              {
                "Fn::GetAtt": [
                  "EntryOu",
                  "Id"
                ]
              },
              "\",\"exitOuId\":\"",
              {
                "Fn::GetAtt": [
                  "ExitOu",
                  "Id"
                ]
              },
              "\",\"solutionVersion\":\"",
              {
                "Fn::FindInMap": [
                  "Mapping",
                  "context",
                  "version",
                  {
                    "DefaultValue": ""
                  }
                ]
              },
              "\",\"supportedSchemas\":\"[\\\"1\\\"]\",\"isbManagedRegions\":\"",
              {
                "Fn::Join": [
                  ",",
                  {
                    "Ref": "IsbManagedRegions"
                  }
                ]
              },
              "\"}"
            ]
          ]
        }
      },
      "Metadata": {
        "aws:cdk:path": "InnovationSandbox-AccountPool/AccountPoolConfiguration/Resource"
      }
    },
    "AccountPoolConfigParameterShare": {
      "Type": "AWS::RAM::ResourceShare",
      "Properties": {
        "AllowExternalPrincipals": false,
        "Name": {
          "Fn::Join": [
            "",
            [
              "Isb-",
              {
                "Ref": "Namespace"
              },
              "-AccountPoolConfigShare"
            ]
          ]
        },
        "PermissionArns": [
          "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionSSMParameterReadOnly"
        ],
        "Principals": [
          {
            "Ref": "HubAccountId"
          }
        ],
        "ResourceArns": [
          {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":ssm:",
                {
                  "Ref": "AWS::Region"
                },
                ":",
                {
                  "Ref": "AWS::AccountId"
                },
                ":parameter/",
                {
                  "Ref": "AccountPoolConfigurationCF37E5E0"
                }
              ]
            ]
          }
        ],
        "Tags": [
          {
            "Key": "aws-solutions:isb-id",
            "Value": {
              "Fn::Join": [
                "",
                [
                  {
                    "Ref": "Namespace"
                  },
                  "_isb"
                ]
              ]
            }
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "InnovationSandbox-AccountPool/AccountPoolConfigParameterShare"
      }
    },
    "IsbStackSet": {
      "Type": "AWS::CloudFormation::StackSet",
      "Properties": {
        "AutoDeployment": {
          "Enabled": true,
          "RetainStacksOnAccountRemoval": false
        },
        "Capabilities": [
          "CAPABILITY_NAMED_IAM"
        ],
        "Description": "StackSet for Innovation Sandbox",
        "ManagedExecution": {
          "Active": true
        },
        "OperationPreferences": {
          "ConcurrencyMode": "SOFT_FAILURE_TOLERANCE",
          "FailureTolerancePercentage": 100,
          "MaxConcurrentPercentage": 100,
          "RegionConcurrencyType": "PARALLEL"
        },
        "Parameters": [
          {
            "ParameterKey": "Namespace",
            "ParameterValue": {
              "Ref": "Namespace"
            }
          },
          {
            "ParameterKey": "HubAccountId",
            "ParameterValue": {
              "Ref": "HubAccountId"
            }
          }
        ],
        "PermissionModel": "SERVICE_MANAGED",
        "StackInstancesGroup": [
          {
            "DeploymentTargets": {
              "OrganizationalUnitIds": [
                {
                  "Fn::GetAtt": [
                    "InnovationSandboxAccountPoolOu",
                    "Id"
                  ]
                }
              ]
            },
            "Regions": [
              {
                "Ref": "AWS::Region"
              }
            ]
          }
        ],
        "StackSetName": {
          "Fn::Join": [
            "",
            [
              "Isb-",
              {
                "Ref": "Namespace"
              },
              "-SandboxAccountResources"
            ]
          ]
        },
        "Tags": [
          {
            "Key": "aws-solutions:isb-id",
            "Value": {
              "Fn::Join": [
                "",
                [
                  {
                    "Ref": "Namespace"
                  },
                  "_isb"
                ]
              ]
            }
          }
        ],
        "TemplateURL": {
          "Fn::Sub": "https://s3.${AWS::Region}.${AWS::URLSuffix}/solutions-${AWS::Region}/innovation-sandbox-on-aws/v1.2.9/asset.5344367d4358e3b51856b9273635c6848534db54e0fbfae834351e461fb93852.json"
        }
      },
      "Metadata": {
        "aws:cdk:path": "InnovationSandbox-AccountPool/IsbStackSet"
      }
    },
    "CostAllocationTagActivatorFunctionRole1DE7A39F": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "lambda.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "Tags": [
          {
            "Key": "aws-solutions:isb-id",
            "Value": {
              "Fn::Join": [
                "",
                [
                  {
                    "Ref": "Namespace"
                  },
                  "_isb"
                ]
              ]
            }
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "InnovationSandbox-AccountPool/CostAllocationTagActivator/CostAllocationTagActivator/FunctionRole/Resource"
      }
    },
    "CostAllocationTagActivatorFunctionRoleDefaultPolicy6801705B": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "xray:PutTraceSegments",
                "xray:PutTelemetryRecords"
              ],
              "Effect": "Allow",
              "Resource": "*"
            },
            {
              "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents"
              ],
              "Effect": "Allow",
              "Resource": {
                "Fn::GetAtt": [
                  "ISBLogGroupCustomResources63629E09",
                  "Arn"
                ]
              }
            },
            {
              "Action": "ce:UpdateCostAllocationTagsStatus",
              "Effect": "Allow",
              "Resource": "*"
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "CostAllocationTagActivatorFunctionRoleDefaultPolicy6801705B",
        "Roles": [
          {
            "Ref": "CostAllocationTagActivatorFunctionRole1DE7A39F"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "InnovationSandbox-AccountPool/CostAllocationTagActivator/CostAllocationTagActivator/FunctionRole/DefaultPolicy/Resource"
      }
    },
    "CostAllocationTagActivatorFunctionBF9E923D": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Architectures": [
          "arm64"
        ],
        "Code": {
          "S3Bucket": {
            "Fn::Sub": "solutions-${AWS::Region}"
          },
          "S3Key": "innovation-sandbox-on-aws/v1.2.9/asset.1a39ed24e76686046be3b69b7100d6060a6dca7c4f85c58a5eb55cb8f3742ca9.zip"
        },
        "Description": "Custom resource lambda that activates the cost allocation tag",
        "Environment": {
          "Variables": {
            "NODE_OPTIONS": "--enable-source-maps",
            "USER_AGENT_EXTRA": "AwsSolution/SO0284/v1.2.9",
            "POWERTOOLS_LOG_LEVEL": {
              "Fn::FindInMap": [
                "Mapping",
                "context",
                "logLevel",
                {
                  "DefaultValue": ""
                }
              ]
            },
            "POWERTOOLS_SERVICE_NAME": "innovation-sandbox",
            "AWS_XRAY_CONTEXT_MISSING": "IGNORE_ERROR",
            "ISB_TAG_NAME": "aws-solutions:isb-id"
          }
        },
        "FunctionName": {
          "Fn::Join": [
            "",
            [
              "ISB-CostAllocationTagActivator-",
              {
                "Ref": "Namespace"
              }
            ]
          ]
        },
        "Handler": "index.handler",
        "Layers": [
          {
            "Ref": "CostAllocationTagActivatorISBLambdaLayerInnovationSandboxAccountPoolDependenciesLayerVersion6803FFB4"
          },
          {
            "Ref": "CostAllocationTagActivatorISBLambdaLayerInnovationSandboxAccountPoolCommonLayerVersion50519BCF"
          }
        ],
        "LoggingConfig": {
          "LogFormat": "JSON",
          "LogGroup": {
            "Ref": "ISBLogGroupCustomResources63629E09"
          },
          "SystemLogLevel": "INFO"
        },
        "MemorySize": 1024,
        "Role": {
          "Fn::GetAtt": [
            "CostAllocationTagActivatorFunctionRole1DE7A39F",
            "Arn"
          ]
        },
        "Runtime": "nodejs22.x",
        "Tags": [
          {
            "Key": "aws-solutions:isb-id",
            "Value": {
              "Fn::Join": [
                "",
                [
                  {
                    "Ref": "Namespace"
                  },
                  "_isb"
                ]
              ]
            }
          }
        ],
        "Timeout": 60,
        "TracingConfig": {
          "Mode": "Active"
        }
      },
      "DependsOn": [
        "CostAllocationTagActivatorFunctionRoleDefaultPolicy6801705B",
        "CostAllocationTagActivatorFunctionRole1DE7A39F"
      ],
      "Metadata": {
        "aws:cdk:path": "InnovationSandbox-AccountPool/CostAllocationTagActivator/CostAllocationTagActivator/Function/Resource",
        "aws:asset:path": "asset.1a39ed24e76686046be3b69b7100d6060a6dca7c4f85c58a5eb55cb8f3742ca9",
        "aws:asset:is-bundled": true,
        "aws:asset:property": "Code",
        "guard": {
          "SuppressedRules": [
            "LAMBDA_INSIDE_VPC",
            "LAMBDA_CONCURRENCY_CHECK"
          ]
        }
      }
    },
    "CostAllocationTagActivatorIsbProviderframeworkonEventServiceRoleBB4B75CD": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "lambda.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "ManagedPolicyArns": [
          {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
              ]
            ]
          }
        ],
        "Tags": [
          {
            "Key": "aws-solutions:isb-id",
            "Value": {
              "Fn::Join": [
                "",
                [
                  {
                    "Ref": "Namespace"
                  },
                  "_isb"
                ]
              ]
            }
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "InnovationSandbox-AccountPool/CostAllocationTagActivator/CostAllocationTagActivator/IsbProvider/framework-onEvent/ServiceRole/Resource"
      }
    },
    "CostAllocationTagActivatorIsbProviderframeworkonEventServiceRoleDefaultPolicyF20A12B0": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": "lambda:InvokeFunction",
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "CostAllocationTagActivatorFunctionBF9E923D",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "CostAllocationTagActivatorFunctionBF9E923D",
                          "Arn"
                        ]
                      },
                      ":*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": "lambda:GetFunction",
              "Effect": "Allow",
              "Resource": {
                "Fn::GetAtt": [
                  "CostAllocationTagActivatorFunctionBF9E923D",
                  "Arn"
                ]
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "CostAllocationTagActivatorIsbProviderframeworkonEventServiceRoleDefaultPolicyF20A12B0",
        "Roles": [
          {
            "Ref": "CostAllocationTagActivatorIsbProviderframeworkonEventServiceRoleBB4B75CD"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "InnovationSandbox-AccountPool/CostAllocationTagActivator/CostAllocationTagActivator/IsbProvider/framework-onEvent/ServiceRole/DefaultPolicy/Resource"
      }
    },
    "CostAllocationTagActivatorIsbProviderframeworkonEvent12245C05": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Code": {
          "S3Bucket": {
            "Fn::Sub": "solutions-${AWS::Region}"
          },
          "S3Key": "innovation-sandbox-on-aws/v1.2.9/asset.07a90cc3efdfc34da22208dcd9d211f06f5b0e01b21e778edc7c3966b1f61d57.zip"
        },
        "Description": "AWS CDK resource provider framework - onEvent (InnovationSandbox-AccountPool/CostAllocationTagActivator/CostAllocationTagActivator/IsbProvider)",
        "Environment": {
          "Variables": {
            "USER_ON_EVENT_FUNCTION_ARN": {
              "Fn::GetAtt": [
                "CostAllocationTagActivatorFunctionBF9E923D",
                "Arn"
              ]
            }
          }
        },
        "Handler": "framework.onEvent",
        "LoggingConfig": {
          "ApplicationLogLevel": "FATAL",
          "LogFormat": "JSON",
          "LogGroup": {
            "Ref": "ISBLogGroupCustomResources63629E09"
          }
        },
        "Role": {
          "Fn::GetAtt": [
            "CostAllocationTagActivatorIsbProviderframeworkonEventServiceRoleBB4B75CD",
            "Arn"
          ]
        },
        "Runtime": "nodejs22.x",
        "Tags": [
          {
            "Key": "aws-solutions:isb-id",
            "Value": {
              "Fn::Join": [
                "",
                [
                  {
                    "Ref": "Namespace"
                  },
                  "_isb"
                ]
              ]
            }
          }
        ],
        "Timeout": 900
      },
      "DependsOn": [
        "CostAllocationTagActivatorIsbProviderframeworkonEventServiceRoleDefaultPolicyF20A12B0",
        "CostAllocationTagActivatorIsbProviderframeworkonEventServiceRoleBB4B75CD"
      ],
      "Metadata": {
        "aws:cdk:path": "InnovationSandbox-AccountPool/CostAllocationTagActivator/CostAllocationTagActivator/IsbProvider/framework-onEvent/Resource",
        "aws:asset:path": "asset.07a90cc3efdfc34da22208dcd9d211f06f5b0e01b21e778edc7c3966b1f61d57",
        "aws:asset:is-bundled": false,
        "aws:asset:property": "Code",
        "guard": {
          "SuppressedRules": [
            "LAMBDA_INSIDE_VPC",
            "LAMBDA_CONCURRENCY_CHECK"
          ]
        }
      }
    },
    "CostAllocationTagActivatorIsbCustomResourceDADB260C": {
      "Type": "Custom::CostAllocationTag",
      "Properties": {
        "ServiceToken": {
          "Fn::GetAtt": [
            "CostAllocationTagActivatorIsbProviderframeworkonEvent12245C05",
            "Arn"
          ]
        }
      },
      "UpdateReplacePolicy": "Delete",
      "DeletionPolicy": "Delete",
      "Metadata": {
        "aws:cdk:path": "InnovationSandbox-AccountPool/CostAllocationTagActivator/CostAllocationTagActivator/IsbCustomResource/Default"
      }
    },
    "CostAllocationTagActivatorISBLambdaLayerInnovationSandboxAccountPoolCommonLayerVersion50519BCF": {
      "Type": "AWS::Lambda::LayerVersion",
      "Properties": {
        "CompatibleArchitectures": [
          "arm64"
        ],
        "CompatibleRuntimes": [
          "nodejs22.x"
        ],
        "Content": {
          "S3Bucket": {
            "Fn::Sub": "solutions-${AWS::Region}"
          },
          "S3Key": "innovation-sandbox-on-aws/v1.2.9/asset.20202146712d3b89f251ede916c1e4754817958a925afe4f440cc17bba831193.zip"
        },
        "Description": "Common lib for Innovation Sandbox on AWS"
      },
      "Metadata": {
        "aws:cdk:path": "InnovationSandbox-AccountPool/CostAllocationTagActivator/ISB-Lambda-Layer-InnovationSandbox-AccountPool/CommonLayerVersion/Resource",
        "aws:asset:path": "asset.20202146712d3b89f251ede916c1e4754817958a925afe4f440cc17bba831193",
        "aws:asset:is-bundled": false,
        "aws:asset:property": "Content"
      }
    },
    "CostAllocationTagActivatorISBLambdaLayerInnovationSandboxAccountPoolDependenciesLayerVersion6803FFB4": {
      "Type": "AWS::Lambda::LayerVersion",
      "Properties": {
        "CompatibleArchitectures": [
          "arm64"
        ],
        "CompatibleRuntimes": [
          "nodejs22.x"
        ],
        "Content": {
          "S3Bucket": {
            "Fn::Sub": "solutions-${AWS::Region}"
          },
          "S3Key": "innovation-sandbox-on-aws/v1.2.9/asset.551db05928001969d2f0267f8dbd17b3cc136a528008cc94ac1eea9145f5003e.zip"
        },
        "Description": "Third party runtime dependencies for Innovation Sandbox on AWS"
      },
      "Metadata": {
        "aws:cdk:path": "InnovationSandbox-AccountPool/CostAllocationTagActivator/ISB-Lambda-Layer-InnovationSandbox-AccountPool/DependenciesLayerVersion/Resource",
        "aws:asset:path": "asset.551db05928001969d2f0267f8dbd17b3cc136a528008cc94ac1eea9145f5003e",
        "aws:asset:is-bundled": false,
        "aws:asset:property": "Content"
      }
    },
    "IsbKmsKeyInnovationSandboxAccountPool0065BC85": {
      "Type": "AWS::KMS::Key",
      "Properties": {
        "Description": "Encryption Key for Innovation Sandbox: InnovationSandbox-AccountPool",
        "EnableKeyRotation": true,
        "KeyPolicy": {
          "Statement": [
            {
              "Action": "kms:*",
              "Effect": "Allow",
              "Principal": {
                "AWS": {
                  "Fn::Join": [
                    "",
                    [
                      "arn:",
                      {
                        "Ref": "AWS::Partition"
                      },
                      ":iam::",
                      {
                        "Ref": "AWS::AccountId"
                      },
                      ":root"
                    ]
                  ]
                }
              },
              "Resource": "*"
            },
            {
              "Action": [
                "kms:Decrypt",
                "kms:Encrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*"
              ],
              "Effect": "Allow",
              "Principal": {
                "Service": "logs.amazonaws.com"
              },
              "Resource": "*"
            }
          ],
          "Version": "2012-10-17"
        },
        "Tags": [
          {
            "Key": "aws-solutions:isb-id",
            "Value": {
              "Fn::Join": [
                "",
                [
                  {
                    "Ref": "Namespace"
                  },
                  "_isb"
                ]
              ]
            }
          }
        ]
      },
      "UpdateReplacePolicy": "Retain",
      "DeletionPolicy": "Retain",
      "Metadata": {
        "aws:cdk:path": "InnovationSandbox-AccountPool/IsbKmsKey-InnovationSandbox-AccountPool/Resource"
      }
    },
    "IsbKmsKeyInnovationSandboxAccountPoolAliasB9DAB86A": {
      "Type": "AWS::KMS::Alias",
      "Properties": {
        "AliasName": {
          "Fn::Join": [
            "",
            [
              "alias/AwsSolutions/InnovationSandbox/",
              {
                "Ref": "Namespace"
              },
              "/InnovationSandbox-AccountPool"
            ]
          ]
        },
        "TargetKeyId": {
          "Fn::GetAtt": [
            "IsbKmsKeyInnovationSandboxAccountPool0065BC85",
            "Arn"
          ]
        }
      },
      "Metadata": {
        "aws:cdk:path": "InnovationSandbox-AccountPool/IsbKmsKey-InnovationSandbox-AccountPool/Alias/Resource"
      }
    },
    "ISBLogGroupCustomResources63629E09": {
      "Type": "AWS::Logs::LogGroup",
      "Properties": {
        "KmsKeyId": {
          "Fn::GetAtt": [
            "IsbKmsKeyInnovationSandboxAccountPool0065BC85",
            "Arn"
          ]
        },
        "RetentionInDays": {
          "Fn::FindInMap": [
            "Mapping",
            "context",
            "cloudWatchLogRetentionInDays",
            {
              "DefaultValue": ""
            }
          ]
        },
        "Tags": [
          {
            "Key": "aws-solutions:isb-id",
            "Value": {
              "Fn::Join": [
                "",
                [
                  {
                    "Ref": "Namespace"
                  },
                  "_isb"
                ]
              ]
            }
          }
        ]
      },
      "UpdateReplacePolicy": "Retain",
      "DeletionPolicy": "Retain",
      "Metadata": {
        "aws:cdk:path": "InnovationSandbox-AccountPool/ISBLogGroup-CustomResources/Resource",
        "guard": {
          "SuppressedRules": [
            "CW_LOGGROUP_RETENTION_PERIOD_CHECK"
          ]
        }
      }
    },
    "CDKMetadata": {
      "Type": "AWS::CDK::Metadata",
      "Properties": {
        "Analytics": "v2:deflate64:H4sIAAAAAAAA/01QXW/CMAz8LbwHD5XtBwDS9jC2IarttTKp26XNB4pTEKvy36cExvp0dz47zrmA4ukRFjM881zW/VyrA4xlQNmLTWN36NFQIC/wzNXofItW/WBQzjKMm8Z+TCqoP60KecxpJS9RKDQw7p2mVMx4daY9zCYt9Mq2/9umq6PwaCA9QOwGL6n8Rk+ClxUyU2BYJRC8hPUgewprZBJSu6FunDf5Z2k6ZyopCI3mUGNlXU0dw3uG58HK1Hgzc7R77U62eCH/RZ6T2DR2qqPoDcP4SjlcgpVWyElkEoV2LcO4de2Ld8Mxz994jEm94fGobCtynDJgm4QcODhT+Vt0hp13J1WnE2Xn7yZicp8oUjbo+OFUFFAUsJh1rNTcDzYoQ7C/4i99ta5Y+gEAAA=="
      },
      "Metadata": {
        "aws:cdk:path": "InnovationSandbox-AccountPool/CDKMetadata/Default"
      },
      "Condition": "CDKMetadataAvailable"
    }
  },
  "Mappings": {
    "Mapping": {
      "context": {
        "solutionName": "innovation-sandbox-on-aws",
        "solutionId": "SO0284",
        "version": "v1.2.9",
        "distOutputBucket": "solutions",
        "publicEcrRegistry": "public.ecr.aws/aws-solutions",
        "publicEcrTag": "v1.2.9",
        "logLevel": "INFO",
        "deploymentMode": "prod",
        "cloudWatchLogRetentionInDays": 90,
        "s3LogsArchiveRetentionInDays": 365,
        "s3LogsGlacierRetentionInDays": 2555,
        "apiThrottlingRateLimit": 100,
        "apiThrottlingBurstLimit": 200,
        "bucketPrefix": "innovation-sandbox-on-aws/v1.2.9/asset."
      }
    }
  },
  "Conditions": {
    "CDKMetadataAvailable": {
      "Fn::Or": [
        {
          "Fn::Or": [
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "af-south-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "ap-east-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "ap-northeast-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "ap-northeast-2"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "ap-northeast-3"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "ap-south-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "ap-south-2"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "ap-southeast-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "ap-southeast-2"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "ap-southeast-3"
              ]
            }
          ]
        },
        {
          "Fn::Or": [
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "ap-southeast-4"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "ca-central-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "ca-west-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "cn-north-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "cn-northwest-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "eu-central-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "eu-central-2"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "eu-north-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "eu-south-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "eu-south-2"
              ]
            }
          ]
        },
        {
          "Fn::Or": [
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "eu-west-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "eu-west-2"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "eu-west-3"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "il-central-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "me-central-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "me-south-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "sa-east-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "us-east-1"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "us-east-2"
              ]
            },
            {
              "Fn::Equals": [
                {
                  "Ref": "AWS::Region"
                },
                "us-west-1"
              ]
            }
          ]
        },
        {
          "Fn::Equals": [
            {
              "Ref": "AWS::Region"
            },
            "us-west-2"
          ]
        }
      ]
    }
  }
}