Name: aws-cf-templates
Description: CloudFormation templates for AWS
Created: 2016-07-05 07:51:58.0
Updated: 2018-02-17 14:57:18.0
Pushed: 2018-02-14 04:11:21.0
Size: 117
This repository tracks the templates used within the Sophos NSG CloudFormation template S3 bucket `s3://sophos-nsg-cf/`.

With the templates we provide, you can instantly deploy our UTM solutions on AWS using any of the Amazon 1-Click launch options below.

You can use any of the templates with CloudFormation by referencing its S3 URL.

For all regions except the AWS GovCloud (US) region, prepend

https://s3.amazonaws.com/sophos-nsg-cf/

to the template filename from the Sophos NSG template repository. As an example, the URL for utm/autoscaling.template is

https://s3.amazonaws.com/sophos-nsg-cf/utm/autoscaling.template

For GovCloud you need to use the following prefix instead:

https://s3-us-gov-west-1.amazonaws.com/sophos-nsg-cf/

so that for utm/autoscaling.template the URL is

https://s3-us-gov-west-1.amazonaws.com/sophos-nsg-cf/utm/autoscaling.template
| Feature | Statement ID | Service | Action | Resources |
|---|---|---|---|---|
| configuration synchronization and backup | ConfigSyncAndBackup | S3 | Get*<br>List* | S3 bucket of the stack |
| basic functionality | ReportingSync | S3 | Get*<br>List*<br>Delete*<br>Put* | S3 bucket of the stack |

| Feature | Statement ID | Service | Action | Resources |
|---|---|---|---|---|
| basic functionality | DisableSrcDestCheck | EC2 | ModifyInstanceAttribute | * (1) |
| basic functionality | EipAssociation1 | AutoScaling | DescribeAutoScalingGroups | * (1) |
| basic functionality | EipAssociation2 | CloudFormation | DescribeStackResources | * (1) |
| basic functionality | EipAssociation3 | EC2 | AssociateAddress<br>DescribeAddresses<br>DisassociateAddress | * (1) |
| configuration synchronization and backup | ConfigSyncAndBackup | S3 | * | S3 bucket of the stack |
| ELB and SG management | WafElbManagement1 | ElasticLoadBalancing | ConfigureHealthCheck<br>CreateLoadBalancerListeners<br>DeleteLoadBalancerListeners<br>SetLoadBalancerPoliciesForBackendServer | ELB of the stack |
| ELB and SG management | WafElbManagement2 | ElasticLoadBalancing | DescribeLoadBalancers<br>DescribeLoadBalancerPolicies | * (1) |
| ELB and SG management | WafElbManagement3 | CloudFormation | DescribeStackResources | * (1) |
| ELB and SG management | SecurityGroupManagement1 | EC2 | AuthorizeSecurityGroupEgress<br>AuthorizeSecurityGroupIngress<br>RevokeSecurityGroupEgress<br>RevokeSecurityGroupIngress | only this stack |
| ELB and SG management | SecurityGroupManagement2 | EC2 | DescribeSecurityGroups | * (1) |
| license pool | LicensePool1 | EC2 | CreateTags | UTM stack |
| license pool | LicensePool2 | EC2 | DescribeInstances | * (1) |
| license pool | LicensePool3 | S3 | Get*<br>List* | stack license pool bucket |
| OGW auto recovery | OGWAutoRecovery | IAM | AttachRolePolicy<br>CreateRole<br>DeleteRole<br>PassRole | EC2ActionsAccess role |
| remote logging | CloudWatchLogging | Logs | CreateLogGroup<br>CreateLogStream<br>PutLogEvents | * |
| UTM update | UtmUpdate1 | AutoScaling | SetDesiredCapacity<br>TerminateInstanceInAutoScalingGroup<br>UpdateAutoScalingGroup | UTM stack |
| UTM update | UtmUpdate2 | AutoScaling | CreateLaunchConfiguration<br>DeleteLaunchConfiguration<br>DescribeAutoScalingGroups<br>DescribeAutoScalingInstances<br>DescribeLaunchConfigurations<br>DescribeScalingActivities<br>DescribeScheduledActions | * (1) |
| UTM update | UtmUpdate3 | CloudFormation | DescribeStacks | * (1) |
| UTM update | UtmUpdate4 | CloudFormation | UpdateStack | UTM stack |
| UTM update | UtmUpdate5 | EC2 | DescribeAvailabilityZones<br>DescribeInstances<br>DescribeImages<br>DescribeKeyPairs<br>DescribeSecurityGroups | * (1) |
| UTM update | UtmUpdate6 | IAM | PassRole | UTM role |
| UTM update | UtmUpdate7 | S3 | Get*<br>List* | Sophos template buckets |

(1) AWS does not allow restriction of these permissions at the resource level.

| Service | Action | Resources | Required for |
|---|---|---|---|
| EC2 | DescribeRouteTables<br>DescribeSubnets<br>ReplaceRoute | * | updating the client network route tables |

| Feature | Statement ID | Service | Action | Resources |
|---|---|---|---|---|
| OGW deployment and monitoring | InitiateDeployment1 | CloudFormation | CreateStack | Sophos OGW templates |
| OGW deployment and monitoring | InitiateDeployment2 | EC2 | DescribeInternetGateways | * (1) |
| OGW deployment and monitoring | InitiateDeployment3 | S3 | ListBucket | Sophos template bucket |
| OGW deployment and monitoring | InitiateDeployment4 | S3 | GetObject | Sophos template bucket |
| OGW deployment and monitoring | MonitorDeployment1 | CloudFormation | DescribeStacks | * (1) |
| OGW deployment and monitoring | MonitorDeployment2 | EC2 | DescribeInstances | * (1) |
| OGW deployment and monitoring | MonitorAndTerminateDeployment | CloudFormation | DeleteStack<br>DescribeStackResources | Stacks with OGW naming scheme |
| OGW stack creation/deletion | ManageOGWStackResources1 | EC2 | AssociateRouteTable<br>AuthorizeSecurityGroupIngress<br>CreateRoute<br>CreateRouteTable<br>CreateSecurityGroup<br>CreateTags<br>DescribeInstances<br>DescribeKeyPairs<br>DescribeRouteTables<br>DescribeSecurityGroups<br>DescribeSubnets<br>DescribeVpcs<br>DisassociateRouteTable<br>ModifyInstanceAttribute | * (1) |
| OGW stack creation/deletion | ManageOGWStackResources2 | EC2 | RunInstances | Instances with the OGW profile |
| OGW stack creation/deletion | ManageOGWStackResources3 | EC2 | RunInstances | Resources required for launching an instance |
| OGW stack creation/deletion | ManageOGWStackResources4 | EC2 | DeleteRoute<br>DeleteRouteTable<br>DeleteSecurityGroup<br>TerminateInstances | OGW stack resources |
| OGW stack creation/deletion | ManageOGWStackResources5 | IAM | CreateRole<br>DeleteRole<br>DeleteRolePolicy<br>PassRole<br>PutRolePolicy | OGW IAM roles |
| OGW stack creation/deletion | ManageOGWStackResources6 | IAM | AddRoleToInstanceProfile<br>CreateInstanceProfile<br>DeleteInstanceProfile<br>RemoveRoleFromInstanceProfile | IAM profiles with OGW naming scheme |
| OGW stack creation/deletion | ManageOGWStackResources7 | CloudWatch | PutMetricAlarm<br>DeleteAlarms | * (1) |
| OGW stack creation/deletion | RequiredForCloudWatchPutMetricAlarm | EC2 | DescribeInstanceRecoveryAttribute<br>DescribeInstanceStatus<br>RecoverInstances | * (1) |
| OGW stack creation/deletion | RequiredForOGWInstancePolicy | EC2 | DescribeRouteTables<br>DescribeSubnets<br>ReplaceRoute | * (1) |

(1) AWS does not allow restriction of these permissions at the resource level.

| Service | Action | Resources | Required for |
|---|---|---|---|
| * (except IAM) | * | * | the HA feature to manage its resources; we are working on limiting these permissions in the future |
| CloudFormation | UpdateStack | * | UTM update |
| IAM | PassRole | * | UTM update |
| Logs | CreateLogGroup<br>CreateLogStream<br>DescribeLogStreams<br>PutLogEvents | * | sending logs to CloudWatch |
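The tables above describe each role's permissions as rows of statement ID, service, actions and resource scope, and footnote (1) explains why some rows must carry a `*` resource. The following added example (not part of this repository and not Sophos code) turns rows of that shape into IAM policy statements and reviews the result for the patterns a least-privilege reviewer cares about: an all-actions or `NotAction` allow like the "* (except IAM)" row, `iam:PassRole` on `*` as in the last table, a service-wide action wildcard, and a `*` resource on an action the footnote does not cover. The bucket ARN and the statement IDs `UtmUpdatePassRole` and `HaFeature` are constructed placeholders; the set of footnote-(1) actions is taken only from the rows marked (1) and is not a complete AWS list.

```python
"""Least-privilege review of IAM statements shaped like the permission tables above.

Added example: the statements are modelled on table rows (ConfigSyncAndBackup,
DisableSrcDestCheck, CloudWatchLogging, and the unnamed PassRole and
"* (except IAM)" rows of the last table). The bucket ARN and the Sids
HaFeature and UtmUpdatePassRole are constructed placeholders.
"""
import json

# Footnote (1) on the page: AWS cannot restrict these actions at resource level,
# so Resource "*" on them is expected, not a finding. Only actions the tables
# mark with (1) are listed; this is not a complete AWS list.
RESOURCE_LEVEL_UNSUPPORTED = {
    "ec2:ModifyInstanceAttribute",
    "ec2:DescribeInstances",
    "ec2:DescribeSecurityGroups",
    "autoscaling:DescribeAutoScalingGroups",
    "cloudformation:DescribeStackResources",
    "cloudformation:DescribeStacks",
    "elasticloadbalancing:DescribeLoadBalancers",
}


def statement_from_row(sid, service, actions, resources, effect="Allow"):
    """Turn one table row into an IAM statement.

    IAM action prefixes are the lower-cased service names used in the tables
    (EC2 -> ec2, ElasticLoadBalancing -> elasticloadbalancing, Logs -> logs).
    """
    prefix = service.lower()
    return {
        "Sid": sid,
        "Effect": effect,
        "Action": [f"{prefix}:{action}" for action in actions],
        "Resource": list(resources),
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def audit_statement(stmt):
    """Return (sid, severity, message) findings for one Allow statement."""
    findings = []
    if stmt.get("Effect") != "Allow":
        return findings
    sid = stmt.get("Sid", "<no Sid>")
    if "NotAction" in stmt:
        # "* (except IAM)" is what an Allow with NotAction expresses: every
        # current and future API call outside the excluded prefix.
        findings.append((sid, "HIGH",
                         f"NotAction {stmt['NotAction']!r} allows every other action"))
        return findings
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    star_resource = "*" in resources
    unexplained = []
    for action in actions:
        if action == "*":
            findings.append((sid, "HIGH", "Action '*' grants every API call"))
        elif action.endswith(":*"):
            findings.append((sid, "MEDIUM", f"{action} grants every action of the service"))
        elif action == "iam:PassRole" and star_resource:
            # PassRole on every role lets the principal attach any role, including
            # more privileged ones, to the instances or stacks it creates.
            findings.append((sid, "HIGH", "iam:PassRole on Resource '*'"))
        elif star_resource and action not in RESOURCE_LEVEL_UNSUPPORTED:
            unexplained.append(action)
    if unexplained:
        findings.append((sid, "LOW", "Resource '*' not covered by footnote (1) for: "
                         + ", ".join(unexplained)))
    return findings


def audit_policy(policy):
    """Audit every statement of a policy document (dict as loaded from JSON)."""
    return [f for stmt in policy["Statement"] for f in audit_statement(stmt)]


# Constructed policy document; the bucket ARN is a placeholder.
EXAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        statement_from_row("ConfigSyncAndBackup", "S3", ["Get*", "List*"],
                           ["arn:aws:s3:::EXAMPLE-stack-bucket",
                            "arn:aws:s3:::EXAMPLE-stack-bucket/*"]),
        statement_from_row("DisableSrcDestCheck", "EC2", ["ModifyInstanceAttribute"], ["*"]),
        statement_from_row("CloudWatchLogging", "Logs",
                           ["CreateLogGroup", "CreateLogStream", "PutLogEvents"], ["*"]),
        statement_from_row("UtmUpdatePassRole", "IAM", ["PassRole"], ["*"]),
        {"Sid": "HaFeature", "Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print(json.dumps(EXAMPLE_POLICY, indent=2))
    for sid, severity, message in audit_policy(EXAMPLE_POLICY):
        print(f"{severity:6} {sid}: {message}")
```

Run stand-alone it prints the generated policy and three findings: the `CloudWatchLogging` row's `*` resource is only a LOW item to verify (the page does not mark it with (1)), while `iam:PassRole` on `*` and the `NotAction` allow are the two statements a reviewer should push back on first. A `Deny` statement is skipped on purpose: the script reviews what is granted, and a separate deny carve-out does not shrink the other services an all-actions allow covers.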