@k9securityio/k9-cdk

Provision strong AWS security policies easily using the AWS CDK.

{ "Resources": { "TestBucket560B80BC": { "Type": "AWS::S3::Bucket", "UpdateReplacePolicy": "Retain", "DeletionPolicy": "Retain", "Metadata": { "aws:cdk:path": "K9Example/TestBucket/Resource" } }, "S3BucketPolicy189C1E8E": { "Type": "AWS::S3::BucketPolicy", "Properties": { "Bucket": { "Ref": "TestBucket560B80BC" }, "PolicyDocument": { "Statement": [ { "Action": [ "s3:DeleteBucket", "s3:DeleteBucketPolicy", "s3:DeleteBucketWebsite", "s3:ObjectOwnerOverrideToBucketOwner", "s3:PutAccelerateConfiguration", "s3:PutAnalyticsConfiguration", "s3:PutBucketAcl", "s3:PutBucketCORS", "s3:PutBucketLogging", "s3:PutBucketNotification", "s3:PutBucketObjectLockConfiguration", "s3:PutBucketOwnershipControls", "s3:PutBucketPolicy", "s3:PutBucketPublicAccessBlock", "s3:PutBucketRequestPayment", "s3:PutBucketTagging", "s3:PutBucketVersioning", "s3:PutBucketWebsite", "s3:PutEncryptionConfiguration", "s3:PutIntelligentTieringConfiguration", "s3:PutInventoryConfiguration", "s3:PutLifecycleConfiguration", "s3:PutMetricsConfiguration", "s3:PutObjectAcl", "s3:PutObjectLegalHold", "s3:PutObjectRetention", "s3:PutObjectVersionAcl", "s3:PutReplicationConfiguration" ], "Condition": { "ArnEquals": { "aws:PrincipalArn": [ "arn:aws:iam::123456789012:user/ci", "arn:aws:iam::123456789012:user/person1" ] } }, "Effect": "Allow", "Principal": { "AWS": "*" }, "Resource": [ { "Fn::GetAtt": [ "TestBucket560B80BC", "Arn" ] }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "TestBucket560B80BC", "Arn" ] }, "/*" ] ] } ], "Sid": "Allow Restricted administer-resource" }, { "Action": [ "s3:GetAccelerateConfiguration", "s3:GetAnalyticsConfiguration", "s3:GetBucketAcl", "s3:GetBucketCORS", "s3:GetBucketLocation", "s3:GetBucketLogging", "s3:GetBucketNotification", "s3:GetBucketObjectLockConfiguration", "s3:GetBucketOwnershipControls", "s3:GetBucketPolicy", "s3:GetBucketPolicyStatus", "s3:GetBucketPublicAccessBlock", "s3:GetBucketRequestPayment", "s3:GetBucketTagging", "s3:GetBucketVersioning", "s3:GetBucketWebsite", 
"s3:GetEncryptionConfiguration", "s3:GetIntelligentTieringConfiguration", "s3:GetInventoryConfiguration", "s3:GetLifecycleConfiguration", "s3:GetMetricsConfiguration", "s3:GetObjectAcl", "s3:GetObjectAttributes", "s3:GetObjectLegalHold", "s3:GetObjectRetention", "s3:GetObjectTagging", "s3:GetObjectVersionAcl", "s3:GetObjectVersionAttributes", "s3:GetObjectVersionTagging", "s3:GetReplicationConfiguration", "s3:ListBucketMultipartUploads", "s3:ListBucketVersions", "s3:ListMultipartUploadParts" ], "Condition": { "ArnEquals": { "aws:PrincipalArn": [ "arn:aws:iam::123456789012:user/ci", "arn:aws:iam::123456789012:user/person1", "arn:aws:iam::123456789012:role/k9-auditor", "arn:aws:iam::123456789012:role/aws-service-role/access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer" ] } }, "Effect": "Allow", "Principal": { "AWS": "*" }, "Resource": [ { "Fn::GetAtt": [ "TestBucket560B80BC", "Arn" ] }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "TestBucket560B80BC", "Arn" ] }, "/*" ] ] } ], "Sid": "Allow Restricted read-config" }, { "Action": [ "s3:GetObject", "s3:GetObjectTorrent", "s3:GetObjectVersion", "s3:GetObjectVersionForReplication", "s3:GetObjectVersionTorrent", "s3:ListBucket" ], "Condition": { "ArnEquals": { "aws:PrincipalArn": [ "arn:aws:iam::123456789012:role/app-backend", "arn:aws:iam::123456789012:role/customer-service" ] } }, "Effect": "Allow", "Principal": { "AWS": "*" }, "Resource": [ { "Fn::GetAtt": [ "TestBucket560B80BC", "Arn" ] }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "TestBucket560B80BC", "Arn" ] }, "/*" ] ] } ], "Sid": "Allow Restricted read-data" }, { "Action": [ "s3:AbortMultipartUpload", "s3:InitiateReplication", "s3:PutBucketTagging", "s3:PutObject", "s3:PutObjectTagging", "s3:PutObjectVersionTagging", "s3:ReplicateDelete", "s3:ReplicateObject", "s3:ReplicateTags", "s3:RestoreObject" ], "Condition": { "ArnEquals": { "aws:PrincipalArn": [ "arn:aws:iam::123456789012:role/app-backend" ] } }, "Effect": "Allow", "Principal": { "AWS": "*" }, 
"Resource": [ { "Fn::GetAtt": [ "TestBucket560B80BC", "Arn" ] }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "TestBucket560B80BC", "Arn" ] }, "/*" ] ] } ], "Sid": "Allow Restricted write-data" }, { "Action": [ "s3:DeleteObject", "s3:DeleteObjectTagging", "s3:DeleteObjectVersion", "s3:DeleteObjectVersionTagging" ], "Condition": { "ArnEquals": { "aws:PrincipalArn": [] } }, "Effect": "Allow", "Principal": { "AWS": "*" }, "Resource": [ { "Fn::GetAtt": [ "TestBucket560B80BC", "Arn" ] }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "TestBucket560B80BC", "Arn" ] }, "/*" ] ] } ], "Sid": "Allow Restricted delete-data" }, { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": false } }, "Effect": "Deny", "Principal": { "AWS": "*" }, "Resource": [ { "Fn::GetAtt": [ "TestBucket560B80BC", "Arn" ] }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "TestBucket560B80BC", "Arn" ] }, "/*" ] ] } ], "Sid": "DenyInsecureCommunications" }, { "Action": [ "s3:PutObject", "s3:ReplicateObject" ], "Condition": { "Null": { "s3:x-amz-server-side-encryption": true } }, "Effect": "Deny", "Principal": { "AWS": "*" }, "Resource": [ { "Fn::GetAtt": [ "TestBucket560B80BC", "Arn" ] }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "TestBucket560B80BC", "Arn" ] }, "/*" ] ] } ], "Sid": "DenyUnencryptedStorage" }, { "Action": [ "s3:PutObject", "s3:ReplicateObject" ], "Condition": { "StringNotEquals": { "s3:x-amz-server-side-encryption": "aws:kms" } }, "Effect": "Deny", "Principal": { "AWS": "*" }, "Resource": [ { "Fn::GetAtt": [ "TestBucket560B80BC", "Arn" ] }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "TestBucket560B80BC", "Arn" ] }, "/*" ] ] } ], "Sid": "DenyUnexpectedEncryptionMethod" }, { "Action": "s3:*", "Condition": { "ArnNotEquals": { "aws:PrincipalArn": [ "arn:aws:iam::123456789012:user/ci", "arn:aws:iam::123456789012:user/person1", "arn:aws:iam::123456789012:role/k9-auditor", "arn:aws:iam::123456789012:role/aws-service-role/access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer", 
"arn:aws:iam::123456789012:role/app-backend", "arn:aws:iam::123456789012:role/customer-service" ] } }, "Effect": "Deny", "Principal": { "AWS": [ "*", "*" ] }, "Resource": [ { "Fn::GetAtt": [ "TestBucket560B80BC", "Arn" ] }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "TestBucket560B80BC", "Arn" ] }, "/*" ] ] } ], "Sid": "DenyEveryoneElse" } ], "Version": "2012-10-17" } }, "Metadata": { "aws:cdk:path": "K9Example/S3BucketPolicy/Resource" } }, "TestQueue6F0069AA": { "Type": "AWS::SQS::Queue", "Properties": { "QueueName": "app-queue-with-k9-policy" }, "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete", "Metadata": { "aws:cdk:path": "K9Example/TestQueue/Resource" } }, "TestQueuePolicyA65327BC": { "Type": "AWS::SQS::QueuePolicy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "sqs:AddPermission", "sqs:CancelMessageMoveTask", "sqs:CreateQueue", "sqs:DeleteQueue", "sqs:PurgeQueue", "sqs:RemovePermission", "sqs:SetQueueAttributes" ], "Condition": { "ArnEquals": { "aws:PrincipalArn": [ "arn:aws:iam::123456789012:user/ci", "arn:aws:iam::123456789012:user/person1" ] } }, "Effect": "Allow", "Principal": { "AWS": "*" }, "Resource": "*", "Sid": "Allow Restricted administer-resource 1" }, { "Action": [ "sqs:StartMessageMoveTask", "sqs:TagQueue", "sqs:UntagQueue" ], "Condition": { "ArnEquals": { "aws:PrincipalArn": [ "arn:aws:iam::123456789012:user/ci", "arn:aws:iam::123456789012:user/person1" ] } }, "Effect": "Allow", "Principal": { "AWS": "*" }, "Resource": "*", "Sid": "Allow Restricted administer-resource 2" }, { "Action": [ "sqs:GetQueueAttributes", "sqs:GetQueueUrl", "sqs:ListDeadLetterSourceQueues", "sqs:ListMessageMoveTasks", "sqs:ListQueues", "sqs:ListQueueTags" ], "Condition": { "ArnEquals": { "aws:PrincipalArn": [ "arn:aws:iam::123456789012:user/ci", "arn:aws:iam::123456789012:user/person1", "arn:aws:iam::123456789012:role/k9-auditor", "arn:aws:iam::123456789012:role/aws-service-role/access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer" ] 
} }, "Effect": "Allow", "Principal": { "AWS": "*" }, "Resource": "*", "Sid": "Allow Restricted read-config" }, { "Action": "sqs:ReceiveMessage", "Condition": { "ArnEquals": { "aws:PrincipalArn": [ "arn:aws:iam::123456789012:role/app-backend", "arn:aws:iam::123456789012:role/customer-service" ] } }, "Effect": "Allow", "Principal": { "AWS": "*" }, "Resource": "*", "Sid": "Allow Restricted read-data" }, { "Action": [ "sqs:ChangeMessageVisibility", "sqs:SendMessage" ], "Condition": { "ArnEquals": { "aws:PrincipalArn": [ "arn:aws:iam::123456789012:role/app-backend" ] } }, "Effect": "Allow", "Principal": { "AWS": "*" }, "Resource": "*", "Sid": "Allow Restricted write-data" }, { "Action": [ "sqs:DeleteMessage", "sqs:DeleteQueue", "sqs:PurgeQueue" ], "Condition": { "ArnEquals": { "aws:PrincipalArn": [] } }, "Effect": "Allow", "Principal": { "AWS": "*" }, "Resource": "*", "Sid": "Allow Restricted delete-data" }, { "Action": "sqs:*", "Condition": { "Bool": { "aws:PrincipalIsAWSService": [ "false" ] }, "ArnNotEquals": { "aws:PrincipalArn": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] }, "arn:aws:iam::123456789012:user/ci", "arn:aws:iam::123456789012:user/person1", "arn:aws:iam::123456789012:role/k9-auditor", "arn:aws:iam::123456789012:role/aws-service-role/access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer", "arn:aws:iam::123456789012:role/app-backend", "arn:aws:iam::123456789012:role/customer-service" ] } }, "Effect": "Deny", "Principal": { "AWS": [ "*", "*" ] }, "Resource": "*", "Sid": "DenyEveryoneElse" } ], "Version": "2012-10-17" }, "Queues": [ { "Ref": "TestQueue6F0069AA" } ] }, "Metadata": { "aws:cdk:path": "K9Example/TestQueue/Policy/Resource" } }, "TestKey4CACAF33": { "Type": "AWS::KMS::Key", "Properties": { "KeyPolicy": { "Statement": [ { "Action": [ "kms:CancelKeyDeletion", "kms:ConnectCustomKeyStore", "kms:CreateAlias", "kms:CreateCustomKeyStore", "kms:CreateGrant", "kms:CreateKey", 
"kms:DeleteAlias", "kms:DisableKey", "kms:DisableKeyRotation", "kms:DisconnectCustomKeyStore", "kms:EnableKey", "kms:EnableKeyRotation", "kms:PutKeyPolicy", "kms:RetireGrant", "kms:RevokeGrant", "kms:ScheduleKeyDeletion", "kms:TagResource", "kms:UntagResource", "kms:UpdateAlias", "kms:UpdateCustomKeyStore", "kms:UpdateKeyDescription" ], "Condition": { "ArnEquals": { "aws:PrincipalArn": [ "arn:aws:iam::123456789012:user/ci", "arn:aws:iam::123456789012:user/person1" ] } }, "Effect": "Allow", "Principal": { "AWS": "*" }, "Resource": "*", "Sid": "Allow Restricted administer-resource" }, { "Action": [ "kms:DescribeCustomKeyStores", "kms:DescribeKey", "kms:GetKeyPolicy", "kms:GetKeyRotationStatus", "kms:GetParametersForImport", "kms:GetPublicKey", "kms:ListAliases", "kms:ListGrants", "kms:ListKeyPolicies", "kms:ListKeys", "kms:ListResourceTags", "kms:ListRetirableGrants" ], "Condition": { "ArnEquals": { "aws:PrincipalArn": [ "arn:aws:iam::123456789012:user/ci", "arn:aws:iam::123456789012:user/person1" ] } }, "Effect": "Allow", "Principal": { "AWS": "*" }, "Resource": "*", "Sid": "Allow Restricted read-config" }, { "Action": [ "kms:Decrypt", "kms:Verify" ], "Condition": { "ArnEquals": { "aws:PrincipalArn": [ "arn:aws:iam::123456789012:role/app-backend", "arn:aws:iam::123456789012:role/customer-service" ] } }, "Effect": "Allow", "Principal": { "AWS": "*" }, "Resource": "*", "Sid": "Allow Restricted read-data" }, { "Action": [ "kms:Encrypt", "kms:GenerateDataKey", "kms:GenerateDataKeyPair", "kms:GenerateDataKeyPairWithoutPlaintext", "kms:GenerateDataKeyWithoutPlaintext", "kms:GenerateRandom", "kms:ImportKeyMaterial", "kms:ReEncryptFrom", "kms:ReEncryptTo", "kms:Sign" ], "Condition": { "ArnEquals": { "aws:PrincipalArn": [ "arn:aws:iam::123456789012:role/app-backend" ] } }, "Effect": "Allow", "Principal": { "AWS": "*" }, "Resource": "*", "Sid": "Allow Restricted write-data" }, { "Action": [ "kms:DeleteCustomKeyStore", "kms:DeleteImportedKeyMaterial" ], "Condition": { 
"ArnEquals": { "aws:PrincipalArn": [] } }, "Effect": "Allow", "Principal": { "AWS": "*" }, "Resource": "*", "Sid": "Allow Restricted delete-data" } ], "Version": "2012-10-17" } }, "UpdateReplacePolicy": "Retain", "DeletionPolicy": "Retain", "Metadata": { "aws:cdk:path": "K9Example/TestKey/Resource" } }, "TestTable5769773A": { "Type": "AWS::DynamoDB::GlobalTable", "Properties": { "AttributeDefinitions": [ { "AttributeName": "pk", "AttributeType": "S" } ], "BillingMode": "PAY_PER_REQUEST", "KeySchema": [ { "AttributeName": "pk", "KeyType": "HASH" } ], "Replicas": [ { "Region": { "Ref": "AWS::Region" }, "ResourcePolicy": { "PolicyDocument": { "Statement": [ { "Action": [ "dynamodb:CreateBackup", "dynamodb:DeleteResourcePolicy", "dynamodb:DeleteTableReplica", "dynamodb:DisableKinesisStreamingDestination", "dynamodb:EnableKinesisStreamingDestination", "dynamodb:ExportTableToPointInTime", "dynamodb:PutResourcePolicy", "dynamodb:RestoreTableToPointInTime", "dynamodb:TagResource", "dynamodb:UntagResource", "dynamodb:UpdateContinuousBackups", "dynamodb:UpdateContributorInsights", "dynamodb:UpdateKinesisStreamingDestination", "dynamodb:UpdateTable", "dynamodb:UpdateTableReplicaAutoScaling", "dynamodb:UpdateTimeToLive" ], "Condition": { "ArnEquals": { "aws:PrincipalArn": [ "arn:aws:iam::123456789012:user/ci", "arn:aws:iam::123456789012:user/person1" ] } }, "Effect": "Allow", "Principal": { "AWS": "*" }, "Resource": "*", "Sid": "AllowRestrictedAdministerResource" }, { "Action": [ "dynamodb:DescribeContinuousBackups", "dynamodb:DescribeContributorInsights", "dynamodb:DescribeExport", "dynamodb:DescribeKinesisStreamingDestination", "dynamodb:DescribeTable", "dynamodb:DescribeTableReplicaAutoScaling", "dynamodb:DescribeTimeToLive", "dynamodb:GetResourcePolicy", "dynamodb:ListTagsOfResource" ], "Condition": { "ArnEquals": { "aws:PrincipalArn": [ "arn:aws:iam::123456789012:user/ci", "arn:aws:iam::123456789012:user/person1", "arn:aws:iam::123456789012:role/k9-auditor", 
"arn:aws:iam::123456789012:role/aws-service-role/access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer" ] } }, "Effect": "Allow", "Principal": { "AWS": "*" }, "Resource": "*", "Sid": "AllowRestrictedReadConfig" }, { "Action": [ "dynamodb:BatchGetItem", "dynamodb:ConditionCheckItem", "dynamodb:GetItem", "dynamodb:PartiQLSelect", "dynamodb:Query", "dynamodb:Scan" ], "Condition": { "ArnEquals": { "aws:PrincipalArn": [ "arn:aws:iam::123456789012:role/app-backend", "arn:aws:iam::123456789012:role/customer-service" ] } }, "Effect": "Allow", "Principal": { "AWS": "*" }, "Resource": "*", "Sid": "AllowRestrictedReadData" }, { "Action": [ "dynamodb:BatchWriteItem", "dynamodb:PartiQLInsert", "dynamodb:PartiQLUpdate", "dynamodb:PutItem", "dynamodb:UpdateItem" ], "Condition": { "ArnEquals": { "aws:PrincipalArn": [ "arn:aws:iam::123456789012:role/app-backend" ] } }, "Effect": "Allow", "Principal": { "AWS": "*" }, "Resource": "*", "Sid": "AllowRestrictedWriteData" }, { "Action": [ "dynamodb:DeleteItem", "dynamodb:DeleteTable", "dynamodb:DeleteTableReplica", "dynamodb:PartiQLDelete" ], "Condition": { "ArnEquals": { "aws:PrincipalArn": [] } }, "Effect": "Allow", "Principal": { "AWS": "*" }, "Resource": "*", "Sid": "AllowRestrictedDeleteData" }, { "Action": "dynamodb:*", "Condition": { "Bool": { "aws:PrincipalIsAWSService": [ "false" ] }, "ArnNotEquals": { "aws:PrincipalArn": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] }, "arn:aws:iam::123456789012:user/ci", "arn:aws:iam::123456789012:user/person1", "arn:aws:iam::123456789012:role/k9-auditor", "arn:aws:iam::123456789012:role/aws-service-role/access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer", "arn:aws:iam::123456789012:role/app-backend", "arn:aws:iam::123456789012:role/customer-service" ] } }, "Effect": "Deny", "Principal": { "AWS": [ "*", "*" ] }, "Resource": "*", "Sid": "DenyEveryoneElse" } ], "Version": "2012-10-17" } } } ] }, 
"UpdateReplacePolicy": "Retain", "DeletionPolicy": "Retain", "Metadata": { "aws:cdk:path": "K9Example/TestTable/Resource" } }, "CDKMetadata": { "Type": "AWS::CDK::Metadata", "Properties": { "Analytics": "v2:deflate64:H4sIAAAAAAAA/02NwQ6CMBBEv8V7WQGN3uXggYui8WpKuyalpY0slZCm/24AE7zszLzJZnLIjgdIN3ygREidGFVDuPVcaMYHegbaQTh5obFnxcv+3CIXZ5QYV7zkyOhNEK4ePU7dYua7PvzFyHRLEEqcixLHyORoeetkDeHOa4OPfGrOxtXczCDGCVRIzndiHimclapXzkZmnURoaPvJU8j2kG4aUirpvO1Vi1At+gWhj+v29gAAAA==" }, "Metadata": { "aws:cdk:path": "K9Example/CDKMetadata/Default" }, "Condition": "CDKMetadataAvailable" } }, "Conditions": { "CDKMetadataAvailable": { "Fn::Or": [ { "Fn::Or": [ { "Fn::Equals": [ { "Ref": "AWS::Region" }, "af-south-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "ap-east-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "ap-northeast-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "ap-northeast-2" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "ap-northeast-3" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "ap-south-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "ap-south-2" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "ap-southeast-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "ap-southeast-2" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "ap-southeast-3" ] } ] }, { "Fn::Or": [ { "Fn::Equals": [ { "Ref": "AWS::Region" }, "ap-southeast-4" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "ca-central-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "ca-west-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "cn-north-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "cn-northwest-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "eu-central-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "eu-central-2" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "eu-north-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "eu-south-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "eu-south-2" ] } ] }, { "Fn::Or": [ { "Fn::Equals": [ { "Ref": "AWS::Region" }, 
"eu-west-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "eu-west-2" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "eu-west-3" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "il-central-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "me-central-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "me-south-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "sa-east-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "us-east-1" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "us-east-2" ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "us-west-1" ] } ] }, { "Fn::Equals": [ { "Ref": "AWS::Region" }, "us-west-2" ] } ] } }, "Parameters": { "BootstrapVersion": { "Type": "AWS::SSM::Parameter::Value<String>", "Default": "/cdk-bootstrap/hnb659fds/version", "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" } }, "Rules": { "CheckBootstrapVersion": { "Assertions": [ { "Assert": { "Fn::Not": [ { "Fn::Contains": [ [ "1", "2", "3", "4", "5" ], { "Ref": "BootstrapVersion" } ] } ] }, "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." } ] } } }