{
    "Description": "AWS Service Management Connector for ServiceNow Demo & IAM Setup v4.5.0. This template is for example, demonstration, and proof-of-concept use only. Do not use it for production: it creates two IAM users (SCEndUser, SCSyncUser) with long-lived access keys and prints their secret access keys in the stack Outputs, where anyone permitted to call cloudformation:DescribeStacks can read them, and it attaches the AmazonEC2FullAccess and AmazonS3FullAccess managed policies to SCConnectLaunchRole. (fdp-1qj64b3jt)",
    "Outputs": {
       "Portfolio": {
          "Value": {
             "Fn::GetAtt": [
                "Portfolio",
                "PortfolioName"
             ]
          }
       },
       "ProductID": {
          "Value": {
             "Ref": "S3Product"
          }
       },
       "SCEndUserAccessKey": {
          "Value": {
             "Ref": "SCEndUserAccessKeys"
          }
       },
       "SCEndUserSecretAccessKey": {
          "Value": {
             "Fn::GetAtt": [
                "SCEndUserAccessKeys",
                "SecretAccessKey"
             ]
          }
       },
       "SCSnowConSecHubQueueName": {
          "Value": {
             "Fn::GetAtt": [
                "SCSnowConSecHubQueue",
                "QueueName"
             ]
          }
       },
       "SCSyncUserAccessKey": {
          "Value": {
             "Ref": "SCSyncUserAccessKeys"
          }
       },
       "SCSyncUserSecretAccessKey": {
          "Value": {
             "Fn::GetAtt": [
                "SCSyncUserAccessKeys",
                "SecretAccessKey"
             ]
          }
       }
    },
    "Parameters": {
       "SecurityHubSQSName":{
          "Default": "AwsServiceManagementConnectorForSecurityHubQueue",
          "Description": "Name of the SQS queue the connector uses to pass Security Hub findings to the ITSM connector. It must match the value configured in the ITSM tool connector settings; do not change it unless you make the corresponding change in the ITSM application setup. The queue is created in this stack (with a -DLQ dead-letter queue of the same base name), so the name must be unique in this account and region.",
          "Type": "String"
       },
	   "HealthDashboardSQSName":{
          "Default": "AwsServiceManagementConnectorForHealthDashboardQueue",
          "Description": "Name of the SQS queue the connector uses to pass AWS Health Dashboard events to the ITSM connector. It must match the value configured in the ITSM tool connector settings; do not change it unless you make the corresponding change in the ITSM application setup. The queue is created in this stack (with a -DLQ dead-letter queue of the same base name), so the name must be unique in this account and region.",
          "Type": "String"
       }	   
    },
    "Resources": {
       "AdminPortfolioPrincipalAssociation": {
          "Properties": {
             "AcceptLanguage": "en",
             "PortfolioId": {
                "Ref": "Portfolio"
             },
             "PrincipalARN": {
                "Fn::GetAtt": [
                   "SCEndUser",
                   "Arn"
                ]
             },
             "PrincipalType": "IAM"
          },
          "Type": "AWS::ServiceCatalog::PortfolioPrincipalAssociation"
       },   
       "Portfolio": {
          "Properties": {
             "AcceptLanguage": "en",
             "Description": "SMC Example Portfolio.",
             "DisplayName": "SMC Example Portfolio",
             "ProviderName": "AWS Service Management Connectors Team"
          },
          "Type": "AWS::ServiceCatalog::Portfolio"
       },
       "S3PortfolioProductAssociation": {
          "Properties": {
             "AcceptLanguage": "en",
             "PortfolioId": {
                "Ref": "Portfolio"
             },
             "ProductId": {
                "Ref": "S3Product"
             }
          },
          "Type": "AWS::ServiceCatalog::PortfolioProductAssociation"
       },
       "S3LaunchConstraint": {
          "DependsOn": [
             "S3PortfolioProductAssociation"
          ],
          "Properties": {
             "AcceptLanguage": "en",
             "Description": "Launch role constraint: the S3 product is provisioned with the permissions of SCConnectLaunchRole rather than those of the end user.",
             "PortfolioId": {
                "Ref": "Portfolio"
             },
             "ProductId": {
                "Ref": "S3Product"
             },
             "RoleArn": {
                "Fn::GetAtt": [
                   "SCConnectLaunchRole",
                   "Arn"
                ]
             }
          },
          "Type": "AWS::ServiceCatalog::LaunchRoleConstraint"
       },
       "EC2PortfolioProductAssociation": {
          "Properties": {
             "AcceptLanguage": "en",
             "PortfolioId": {
                "Ref": "Portfolio"
             },
             "ProductId": {
                "Ref": "WebserverProduct"
             }
          },
          "Type": "AWS::ServiceCatalog::PortfolioProductAssociation"
       },
       "EC2LaunchConstraint": {
          "DependsOn": [
             "EC2PortfolioProductAssociation"
          ],
          "Properties": {
             "AcceptLanguage": "en",
             "Description": "Launch role constraint: the NGINX webserver product is provisioned with the permissions of SCConnectLaunchRole rather than those of the end user.",
             "PortfolioId": {
                "Ref": "Portfolio"
             },
             "ProductId": {
                "Ref": "WebserverProduct"
             },
             "RoleArn": {
                "Fn::GetAtt": [
                   "SCConnectLaunchRole",
                   "Arn"
                ]
             }
          },
          "Type": "AWS::ServiceCatalog::LaunchRoleConstraint"
       },
       "WebserverProduct": {
             "Type": "AWS::ServiceCatalog::CloudFormationProduct",
             "Properties": {
                 "Name": "Demo NGINX Webserver",
                 "Description": "This product builds an NGINX webserver on an EC2 instance.",
                 "Owner": "AWS SMC Team",
                 "Distributor": "AWS SMC Team",
                 "SupportDescription": "This is a sample webserver for SMC.",
                 "SupportEmail": "aws-servicemanagement-connector@amazon.com",
                 "AcceptLanguage": "en",
                 "SupportUrl": "https://docs.aws.amazon.com/servicecatalog/latest/adminguide/integrations-servicenow.html",
                 "ProvisioningArtifactParameters": [
                     {
                         "Description": "NGINX webserver. The product template is loaded from the unpinned master branch of aws-samples/aws-service-catalog-reference-architectures at the time the artifact is created; pin a commit or host a reviewed copy for repeatable, auditable builds.",
                         "Info": {
                             "LoadTemplateFromURL": "https://raw.githubusercontent.com/aws-samples/aws-service-catalog-reference-architectures/master/ec2/sc-ec2-linux-nginx-nokey.json"
                         },
                         "Name": "NGINX v1.0"
                     }
                 ]
             }
        },       
       "S3Product": {
          "Type": "AWS::ServiceCatalog::CloudFormationProduct",
          "Properties": {
             "AcceptLanguage": "en",
             "Name": "Simple S3 Private Bucket",
             "Description": "This product builds an Amazon S3 bucket with a private ACL.",
             "Distributor": "AWS SMC Team",
             "Owner": "AWS SMC Team",
             "SupportDescription": "This is a sample S3 product for SMC.",            
             "SupportEmail": "aws-servicemanagement-connector@amazon.com",
             "SupportUrl": "https://docs.aws.amazon.com/servicecatalog/latest/adminguide/integrations-servicenow.html",
             "ProvisioningArtifactParameters": [
                {
                   "Description": "Baseline version. The product template is loaded from the unpinned master branch of aws-samples/aws-service-catalog-reference-architectures at the time the artifact is created; pin a commit or host a reviewed copy for repeatable, auditable builds.",
                   "Info": {
                      "LoadTemplateFromURL": "https://raw.githubusercontent.com/aws-samples/aws-service-catalog-reference-architectures/master/s3/sc-s3-simple-ra.json"
                   },
                   "Name": "v1.0"
                }
             ]
          }         
       },
       "SCConnectLaunchRole": {
          "Properties": {
             "AssumeRolePolicyDocument": {
                "Statement": [
                   {
                      "Action": [
                         "sts:AssumeRole"
                      ],
                      "Effect": "Allow",
                      "Principal": {
                         "Service": [
                            "servicecatalog.amazonaws.com"
                         ]
                      }
                   }
                ],
                "Version": "2012-10-17"
             },
             "ManagedPolicyArns": [
                "arn:aws:iam::aws:policy/AmazonEC2FullAccess",
                "arn:aws:iam::aws:policy/AmazonS3FullAccess"
             ],
             "Path": "/",
             "Policies": [
                {
                   "PolicyDocument": {
                      "Statement": [
                         {
                            "Action": [
                               "cloudformation:DescribeStackResource",
                               "cloudformation:DescribeStackResources",
                               "cloudformation:GetTemplate",
                               "cloudformation:List*",
                               "cloudformation:DescribeStackEvents",
                               "cloudformation:DescribeStacks",
                               "cloudformation:CreateStack",
                               "cloudformation:DeleteStack",
                               "cloudformation:GetTemplateSummary",
                               "cloudformation:SetStackPolicy",
                               "cloudformation:ValidateTemplate",
                               "cloudformation:UpdateStack",
                               "cloudformation:CreateChangeSet",
                               "cloudformation:DescribeChangeSet",
                               "cloudformation:ExecuteChangeSet",
                               "cloudformation:DeleteChangeSet",
                               "s3:GetObject"
                            ],
                            "Effect": "Allow",
                            "Resource": "*",
                            "Sid": "AWSCloudFormationFullAccess"
                         }
                      ],
                      "Version": "2012-10-17"
                   },
                   "PolicyName": "AWSCloudFormationFullAccess"
                },
                {
                   "PolicyDocument": {
                      "Statement": [
                         {
                            "Action": [
                               "servicecatalog:AssociateResource",
                               "servicecatalog:DisassociateResource",
                               "servicecatalog:ListServiceActionsForProvisioningArtifact",
                               "servicecatalog:ExecuteprovisionedProductServiceAction",
                               "ssm:DescribeDocument",
                               "ssm:GetAutomationExecution",
                               "ssm:StartAutomationExecution",
                               "ssm:StopAutomationExecution",
                               "ssm:GetParameters"                 
                            ],
                            "Effect": "Allow",
                            "Resource": "*",
                            "Sid": "ServiceCatalogAdditionalActions"
                         }
                      ],
                      "Version": "2012-10-17"
                   },
                   "PolicyName": "ServiceCatalogAdditionalActions"
                }
             ],
             "RoleName": "SCConnectLaunchRole"
          },
          "Type": "AWS::IAM::Role"
       },
      
	  "ServiceNowChangeManagerRole": {
        "Properties": {
        "AssumeRolePolicyDocument": {
            "Statement": [
               {
                  "Action": [
                     "sts:AssumeRole"
                  ],
                  "Effect": "Allow",
                  "Principal": {
                     "Service": [
                        "ssm.amazonaws.com"
                     ]
                  }
               }
            ],
            "Version": "2012-10-17"
         },
           "ManagedPolicyArns": [
              "arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole"
           ],
           "Path": "/",
           "RoleName": "ServiceNowChangeManagerRole"
        },
        "Type": "AWS::IAM::Role"
        },
       "SCEndUser": {
          "Properties": {
             "ManagedPolicyArns": [
                "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess",
                "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
                "arn:aws:iam::aws:policy/AWSConfigUserAccess",
                "arn:aws:iam::aws:policy/AWSServiceCatalogEndUserFullAccess"
             ],
             "Policies": [
                {
                   "PolicyDocument": {
                      "Statement": [
                         {
                            "Action": [
                               "ssm:DescribeAutomationExecutions",
                               "ssm:DescribeDocument",
                               "ssm:StartAutomationExecution",
                               "ssm:StartChangeRequestExecution"
                            ],
                            "Effect": "Allow",
                            "Resource": "*"                           
                         },
						{
							"Effect": "Allow",
							"Action": "iam:PassRole",
							"Resource": "*",
							"Condition": {
								"StringEquals": {
									"iam:PassedToService": "ssm.amazonaws.com"
								}
							}
						}
                      ],
                      "Version": "2012-10-17"
                   },
                   "PolicyName": "SSMExecutionPolicy"
                },
                {
             "PolicyDocument": {
               "Statement": [
                 {
                   "Action": [
                     "ssm:CreateOpsItem",
                     "ssm:GetOpsItem",
                     "ssm:UpdateOpsItem",
                     "ssm:DescribeOpsItems"
                   ],
                   "Effect": "Allow",
                   "Resource": "*"
                 }
               ],
               "Version": "2012-10-17"
             },
             "PolicyName": "OpsCenterExecutionPolicy"
           }
             ],
             "UserName": "SCEndUser"
          },
          "Type": "AWS::IAM::User"
       },
       "SCEndUserAccessKeys": {
          "DependsOn": "SCEndUser",
          "Properties": {
             "Status": "Active",
             "UserName": "SCEndUser"
          },
          "Type": "AWS::IAM::AccessKey"
       },	  
       "SCSyncUser": {
          "Properties": {
             "ManagedPolicyArns": [
                "arn:aws:iam::aws:policy/AWSServiceCatalogAdminReadOnlyAccess",
                "arn:aws:iam::aws:policy/AmazonSSMReadOnlyAccess",
                "arn:aws:iam::aws:policy/AWSConfigUserAccess",
				"arn:aws:iam::aws:policy/AWSSupportAccess"
             ],
             "Policies": [
                {
             "PolicyDocument": {
               "Statement": [
                 {
                   "Action": [
                     "ssm:CreateOpsItem",
                     "ssm:GetOpsItem",
                     "ssm:UpdateOpsItem",
                     "ssm:DescribeOpsItems"
                   ],
                   "Effect": "Allow",
                   "Resource": "*"
                 }
               ],
               "Version": "2012-10-17"
             },
             "PolicyName": "OpsCenterActionPolicy"
           },
		   {
             "PolicyDocument": {
               "Statement": [
                 {
                   "Action": [
                    "cloudtrail:DescribeQuery",
					"cloudtrail:ListEventDataStores",
					"cloudtrail:StartQuery",
					"cloudtrail:GetQueryResults"
                   ],
                   "Effect": "Allow",
                   "Resource": "*"
                 }
               ],
               "Version": "2012-10-17"
             },
             "PolicyName": "ChangeMangerCloudtrail"
           },{
            "PolicyDocument": {
              "Statement": [
                {
                  "Action": [
                    "ssm-incidents:ListIncidentRecords",
					"ssm-incidents:GetIncidentRecord",
					"ssm-incidents:UpdateRelatedItems",
					"ssm-incidents:ListTimelineEvents",
					"ssm-incidents:GetTimelineEvent",
					"ssm-incidents:UpdateIncidentRecord",
					"ssm:ListOpsItemRelatedItems"
                  ],
                  "Effect": "Allow",
                  "Resource": "*"
                }
              ],
              "Version": "2012-10-17"
            },
            "PolicyName": "AWSIncidentBaselineAccessPolicy"
          },
           {
                   "PolicyDocument": {
                      "Statement": [
                         {
                            "Action": [
                               "budgets:ViewBudget"
                            ],
                            "Effect": "Allow",
                            "Resource": "*"
                         }
                      ],
                      "Version": "2012-10-17"
                   },
                   "PolicyName": "SSMActionPolicy"
                },
                {
                   "PolicyDocument": {
                      "Statement": [
                         {
                            "Action": [
                               "cloudformation:RegisterType",
                               "cloudformation:DescribeTypeRegistration",
                               "cloudformation:DeregisterType",
                               "config:PutResourceConfig"
                            ],
                            "Effect": "Allow",
                            "Resource": "*"
                         }
                      ],
                      "Version": "2012-10-17"
                   },
                   "PolicyName": "ConfigBiDirectionalPolicy"
                },
                {
                   "PolicyDocument": {
                      "Statement": [
                         {
                            "Action": [
                               "sqs:ReceiveMessage",
                               "sqs:DeleteMessage"
                            ],
                            "Effect": "Allow",
                            "Resource": [
								{ "Fn::GetAtt": ["SCSnowConSecHubQueue","Arn"]},
								{ "Fn::GetAtt": ["SCSnowHealthDashQueue","Arn"]}								
							]
                         },
                         {
                            "Action": [
                               "securityhub:BatchUpdateFindings"
                            ],
                            "Effect": "Allow",
                            "Resource": "*"
                         }
                      ],
                      "Version": "2012-10-17"
                   },
                   "PolicyName": "SecurityHubPolicy"
                }
             ],
             "UserName": "SCSyncUser"
          },
          "Type": "AWS::IAM::User"
       },
       "SCSyncUserAccessKeys": {
          "DependsOn": "SCSyncUser",
          "Properties": {
             "Status": "Active",
             "UserName": "SCSyncUser"
          },
          "Type": "AWS::IAM::AccessKey"
       },
	   
	   "SecHubRuleLifeCycleEvents": {
		  "Type": "AWS::Events::Rule",
          "Properties": {
             "Description": "Forward every event with source aws.securityhub (the pattern has no detail-type filter, so this is not limited to imported findings) to the SQS queue named by SecurityHubSQSName.",
             "EventPattern": {                
                "source": [
                   "aws.securityhub"
                ]
             },
             "Targets": [
                { "Arn": {"Fn::GetAtt": [ "SCSnowConSecHubQueue","Arn"] },
                  "Id": "IDRuleLifeCycleSecHubEventsSNOW"
                }			
             ]
          }
       },
	   "HealthDashRuleLifeCycleEvents": {
		  "Type": "AWS::Events::Rule",
          "Properties": {
             "Description": "Forward every event with source aws.health (the pattern has no detail-type filter) to the SQS queue named by HealthDashboardSQSName.",
             "EventPattern": {                
                "source": [
                   "aws.health"
                ]
             },
             "Targets": [
                { "Arn": {"Fn::GetAtt": [ "SCSnowHealthDashQueue","Arn"] },
                  "Id": "IDRuleLifeCycleHealthEventsSNOW"
                }			
             ]
          }         
       },
       "SCSnowConSecHubQueue": {
		  "Type": "AWS::SQS::Queue",
          "Properties": {
             "QueueName": {"Ref":"SecurityHubSQSName"},
			 "SqsManagedSseEnabled":true,
             "Tags": [
                {
                   "Key": "Name",
                   "Value": {"Ref":"SecurityHubSQSName"}
                }
			 ],
			"RedrivePolicy":  { 
				"deadLetterTargetArn" : {"Fn::GetAtt": ["SCSnowConSecHubDeadLetterQueue", "Arn"]}, 
				"maxReceiveCount" : 5
				},
			"VisibilityTimeout": 3600 			
          }          
       },
	   "SCSnowConSecHubDeadLetterQueue": {
			"Type": "AWS::SQS::Queue",
			"Properties": {
				"SqsManagedSseEnabled":true,
				"QueueName": {"Fn::Sub": "${SecurityHubSQSName}-DLQ"}
			}
	   },	   
	   "SCSnowHealthDashQueue": {
		  "Type": "AWS::SQS::Queue",
          "Properties": {
             "QueueName": {"Ref":"HealthDashboardSQSName"},			 
			 "SqsManagedSseEnabled":true,
             "Tags": [
                {
                   "Key": "Name",
                   "Value": {"Ref":"HealthDashboardSQSName"}
                }
             ],
			 "RedrivePolicy":  { 
				"deadLetterTargetArn" : {"Fn::GetAtt": ["SCSnowHealthDashDeadLetterQueue", "Arn"]}, 
				"maxReceiveCount" : 5
				},
			"VisibilityTimeout": 3600 	
          }          
       },
	   "SCSnowHealthDashDeadLetterQueue": {
			"Type": "AWS::SQS::Queue",
			"Properties": {
				"SqsManagedSseEnabled":true,
				"QueueName": {"Fn::Sub": "${HealthDashboardSQSName}-DLQ"}
			}
	   },       
       "SecHubSQSPolicy": {
          "Type": "AWS::SQS::QueuePolicy",
          "Properties": {
             "Queues": [ 
                { "Ref": "SCSnowConSecHubQueue"}
             ],
             "PolicyDocument": {
                "Statement": [
                   {
                      "Action": "SQS:SendMessage",
                      "Effect": "Allow",
                      "Resource": [
						{"Fn::GetAtt": [ "SCSnowConSecHubQueue","Arn"] }
                      ],
                      "Principal": {
                         "Service": "events.amazonaws.com"
                      },
                      "Condition": {
                         "ArnEquals": { "aws:SourceArn": { "Fn::GetAtt": ["SecHubRuleLifeCycleEvents","Arn"]} }
                      }
             }]}
          }
       },
	   "HealthDashSQSPolicy": {
          "Type": "AWS::SQS::QueuePolicy",
          "Properties": {
             "Queues": [ 
                { "Ref": "SCSnowHealthDashQueue"}
             ],
             "PolicyDocument": {
                "Statement": [
                   {
                      "Action": "SQS:SendMessage",
                      "Effect": "Allow",
                      "Resource": [
						{"Fn::GetAtt": [ "SCSnowHealthDashQueue","Arn"] }
                      ],
                      "Principal": {
                         "Service": "events.amazonaws.com"
                      },
                      "Condition": {
                         "ArnEquals": { "aws:SourceArn": { "Fn::GetAtt": ["HealthDashRuleLifeCycleEvents","Arn"]} }
                      }
             }]}
          }
       }
	   
    }
 }