-
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathtemplate_base.yml
More file actions
769 lines (722 loc) · 34.4 KB
/
template_base.yml
File metadata and controls
769 lines (722 loc) · 34.4 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Parameters:
InputEnv:
Type: String
AllowedValues: [production, deployed_dev, development]
InputRollbarResponder:
Type: String
InputRollbarAccounts:
Type: String
InputDomainBranded:
Type: String
InputDomainUnbranded:
Type: String
InputCertArn:
Type: String
InputSesArn:
Type: String
Globals:
Function:
Runtime: nodejs24.x
MemorySize: 128
Timeout: 10
Resources:
# BUCKETS
DisplayerBucket:
# Displayer bucket holds displayer code and nothing more
# SECURITY Users must never have write access to this bucket (not even their own prefix)
# Since Cloudfront serves from this bucket, all user subdomains serve any uploads
# e.g. a user could upload malicious html that extracts secrets from indexedb
# They then get ppl to click a link to the html file but with another users' subdomain
# So users must use a separate bucket for messages (unlike when self-hosting)
Type: AWS::S3::Bucket
Properties:
BucketName: !Join ['', [!Ref AWS::StackName, -displayer]]
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
DisplayerBucketPolicy:
# Anyone can read objects in displayer bucket, no one can write
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref DisplayerBucket
PolicyDocument:
Version: '2012-10-17'
Statement:
Effect: 'Allow'
Principal: '*'
Action: 's3:GetObject'
Resource: !Join ['', [!GetAtt DisplayerBucket.Arn, '/*']]
MessagesBucket:
# Messages bucket holds encrypted messages and supports expiring tagged objects
Type: AWS::S3::Bucket
Properties:
BucketName: !Ref AWS::StackName
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
CorsConfiguration:
CorsRules:
- AllowedMethods: [GET]
# NOTE CORS Doesn't allow wildcard subdomain so S3 will return exact value
AllowedOrigins:
- !Join ['', ['https://*.', !Ref InputDomainBranded]]
- !Join ['', ['https://*.', !Ref InputDomainUnbranded]]
LifecycleConfiguration:
Rules: [
# Ensure max 2 year expiry can't be avoided by not including a lifespan tag
{Status: Enabled, Prefix: messages/, ExpirationInDays: 731},
MESSAGE_EXPIRY_RULES
]
MessagesBucketPolicy:
# Anyone can read objects in messages bucket (user role allows writing to own prefix)
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref MessagesBucket
PolicyDocument:
Version: '2012-10-17'
Statement:
Effect: 'Allow'
Principal: '*'
Action: 's3:GetObject'
Resource: !Join ['', [!GetAtt MessagesBucket.Arn, '/*']]
ResponsesBucket:
# Responses bucket holds private encrypted responses (user role allows reading own prefix)
Type: AWS::S3::Bucket
Properties:
BucketName: !Join ['', [!Ref AWS::StackName, -stello-resp]]
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
LifecycleConfiguration:
Rules:
- Status: Enabled
Prefix: responses/
ExpirationInDays: 365 # Ensure unreceived responses eventually cleaned up
PublicAccessBlockConfiguration:
# Not necessary, but just in case...
BlockPublicAcls: true
BlockPublicPolicy: true
IgnorePublicAcls: true
RestrictPublicBuckets: true
# CLOUDFRONT
DisplayerCloudfront:
Type: AWS::CloudFront::Distribution
Properties:
DistributionConfig:
Enabled: true
HttpVersion: http2 # Requires TLS 1.2
Aliases:
- !Join ['', ['*.', !Ref InputDomainBranded]]
- !Join ['', ['*.', !Ref InputDomainUnbranded]]
DefaultRootObject: index.html
ViewerCertificate:
AcmCertificateArn: !Ref InputCertArn
SslSupportMethod: sni-only
MinimumProtocolVersion: TLSv1.2_2021 # Drops insecure ciphers (still compat.)
Origins:
- Id: primary
DomainName: !GetAtt DisplayerBucket.RegionalDomainName
CustomOriginConfig:
OriginProtocolPolicy: https-only
OriginSSLProtocols: [TLSv1.2] # Only needs supporting by S3
DefaultCacheBehavior:
TargetOriginId: primary
ViewerProtocolPolicy: https-only
CachePolicyId: 658327ea-f89d-4fab-a63d-7e88639e58f6 # CachingOptimized
FunctionAssociations:
- EventType: viewer-response
FunctionARN: !GetAtt DisplayerCloudfrontFunction.FunctionMetadata.FunctionARN
DisplayerCloudfrontFunction:
Type: AWS::CloudFront::Function
Properties:
Name: viewer_response
AutoPublish: true
FunctionConfig:
Runtime: cloudfront-js-1.0
Comment: ''
# SECURITY headers (must be lowercase)
# referrer-policy: Ensure linked sites cannot identify user via displayer domain
# x-robots-tag: Ensure search engines never index displayer and reveal it publicly
# x-content-type-options: Protect against content type manipulation
# permissions-policy: Disable document.domain to reduce risk of subdomain exploit
# cross-origin-opener-policy: Prevent sites from opening displayer and controlling it
# cross-origin-resource-policy: Prevent other sites from loading displayer's assets
# cross-origin-embedder-policy: Require CORP/CORS for all resources (no exceptions)
# NOTE Can't use as would block video iframes
# strict-transport-security: Tell browsers to only ever use HTTPS for future requests
# content-security-policy: Prevent requests to other origins & inline attacks etc
# WARN Keep CSP in sync with displayer's meta tag CSP
# NOTE 'unsafe-hashes' & 'sha256-tbWZ...' is for Chrome 100's PDF viewer
# See https://bugs.chromium.org/p/chromium/issues/detail?id=1117326
# This allows any element to have style="position:absolute; left: 0; top: 0;"
# Not ideal, but low risk, only allows moving something to top left of window
# TODO Rm once Chrome fixes the issue and enough users update Chrome to that ver.
FunctionCode: !Sub |
function handler(event){
event.response.headers['referrer-policy'] = {value: 'no-referrer'}
event.response.headers['x-robots-tag'] = {value: 'none'}
event.response.headers['x-content-type-options'] = {value: 'nosniff'}
event.response.headers['permissions-policy'] = {value: 'document-domain=()'}
event.response.headers['cross-origin-opener-policy'] = {value: 'same-origin'}
event.response.headers['cross-origin-resource-policy'] = {value: 'same-origin'}
event.response.headers['strict-transport-security'] =
{value: 'max-age=63072000; includeSubDomains; preload'}
event.response.headers['content-security-policy'] = {
value: ""
+ "frame-ancestors 'none';"
+ "form-action 'none';"
+ "base-uri 'none';"
+ "default-src 'none';"
+ "img-src 'self' blob:;"
+ "script-src 'self';"
+ "style-src 'self' 'sha256-cqgHpNtbR0J523Ke5PUmEVVN9xHiKgXSborCQc3QnFA=' 'unsafe-hashes' 'sha256-tbWZ4NP1341cpcrZVDn7B3o9bt/muXgduILAnC0Zbaw=';"
+ "connect-src 'self' https://api.${InputDomainBranded} https://api.${InputDomainUnbranded} https://${MessagesBucket.RegionalDomainName} https://api.rollbar.com;"
+ "frame-src https://www.youtube-nocookie.com https://player.vimeo.com;"
}
return event.response
}
# GATEWAY
Gateway:
Type: AWS::Serverless::HttpApi
Properties:
DisableExecuteApiEndpoint: true
GatewayDomainBranded:
Type: AWS::ApiGatewayV2::ApiMapping
Properties:
ApiId: !Ref Gateway
DomainName: !Join ['', ['api.', !Ref InputDomainBranded]]
Stage: !Ref Gateway.Stage
GatewayDomainUnbranded:
Type: AWS::ApiGatewayV2::ApiMapping
Properties:
ApiId: !Ref Gateway
DomainName: !Join ['', ['api.', !Ref InputDomainUnbranded]]
Stage: !Ref Gateway.Stage
# RESPONDER
ResponderOptions:
# Separate route for options as shouldn't have permissions
Type: AWS::Serverless::Function
Properties:
Runtime: python3.13
Handler: responder.entry
CodeUri: responder/
Events:
ApiEvent:
Type: HttpApi
Properties:
ApiId: !Ref Gateway
Method: OPTIONS
Path: /{all+}
Environment:
Variables:
stello_env: !Ref InputEnv
stello_version: INPUT_VERSION
stello_msgs_bucket: !Ref AWS::StackName
stello_region: !Ref AWS::Region
stello_rollbar_responder: !Ref InputRollbarResponder
stello_domain_branded: !Ref InputDomainBranded
stello_domain_unbranded: !Ref InputDomainUnbranded
InviterImage:
# NOTE For simpler deployment, inviter code is embedded in responder
Type: AWS::Serverless::Function
Properties:
Runtime: python3.13
Handler: responder.entry
CodeUri: responder/
Events:
ApiEvent:
Type: HttpApi
Properties:
ApiId: !Ref Gateway
Method: GET
Path: /inviter/image
Environment:
Variables:
stello_env: !Ref InputEnv
stello_version: INPUT_VERSION
stello_msgs_bucket: !Ref AWS::StackName
stello_region: !Ref AWS::Region
stello_rollbar_responder: !Ref InputRollbarResponder
stello_domain_branded: !Ref InputDomainBranded
stello_domain_unbranded: !Ref InputDomainUnbranded
Policies:
- Version: '2012-10-17'
Statement:
- Effect: Allow
Resource: !Join ['', [!GetAtt MessagesBucket.Arn, '/messages/*/invite_images/*']]
Action: ['s3:GetObject']
ResponderRead:
Type: AWS::Serverless::Function
Properties:
Runtime: python3.13
Handler: responder.entry
CodeUri: responder/
Events:
ApiEvent:
Type: HttpApi
Properties:
ApiId: !Ref Gateway # Legit property, despite linter error
Method: POST
Path: /responder/read
Environment:
Variables:
stello_env: !Ref InputEnv
stello_version: INPUT_VERSION
stello_msgs_bucket: !Ref AWS::StackName
stello_region: !Ref AWS::Region
stello_rollbar_responder: !Ref InputRollbarResponder
stello_domain_branded: !Ref InputDomainBranded
stello_domain_unbranded: !Ref InputDomainUnbranded
Policies:
- Version: '2012-10-17'
Statement:
# Get config and put responses
- Effect: Allow
Resource: !Join ['', [!GetAtt ResponsesBucket.Arn, '/config/*/config']]
Action: ['s3:GetObject']
- Effect: Allow
Resource: !Join ['', [!GetAtt ResponsesBucket.Arn, '/responses/*/*']]
Action: ['s3:PutObject']
# Needed for read response only
- Effect: Allow
Resource: !Join ['', [!GetAtt MessagesBucket.Arn, '/messages/*/copies/*']]
Action: ['s3:GetObjectTagging', 's3:PutObjectTagging', 's3:DeleteObject']
- Effect: Allow
Resource: !Join ['', [!GetAtt MessagesBucket.Arn, '/messages/*/invite_images/*']]
Action: ['s3:DeleteObject']
ResponderReply:
Type: AWS::Serverless::Function
Properties:
Runtime: python3.13
Handler: responder.entry
CodeUri: responder/
Events:
ApiEvent:
Type: HttpApi
Properties:
ApiId: !Ref Gateway
Method: POST
Path: /responder/reply
Environment:
Variables:
stello_env: !Ref InputEnv
stello_version: INPUT_VERSION
stello_msgs_bucket: !Ref AWS::StackName
stello_region: !Ref AWS::Region
stello_rollbar_responder: !Ref InputRollbarResponder
stello_domain_branded: !Ref InputDomainBranded
stello_domain_unbranded: !Ref InputDomainUnbranded
Policies:
- Version: '2012-10-17'
Statement:
# Get config and put responses
- Effect: Allow
Resource: !Join ['', [!GetAtt ResponsesBucket.Arn, '/config/*/config']]
Action: ['s3:GetObject']
- Effect: Allow
Resource: !Join ['', [!GetAtt ResponsesBucket.Arn, '/responses/*/*']]
Action: ['s3:PutObject']
# Needed to send notifications
- Effect: Allow
Resource: !GetAtt ResponsesBucket.Arn
Action: ['s3:ListBucket']
- Effect: Allow
Resource: !Ref InputSesArn
Action: ['ses:SendEmail']
ResponderReaction:
Type: AWS::Serverless::Function
Properties:
Runtime: python3.13
Handler: responder.entry
CodeUri: responder/
Events:
ApiEvent:
Type: HttpApi
Properties:
ApiId: !Ref Gateway
Method: POST
Path: /responder/reaction
Environment:
Variables:
stello_env: !Ref InputEnv
stello_version: INPUT_VERSION
stello_msgs_bucket: !Ref AWS::StackName
stello_region: !Ref AWS::Region
stello_rollbar_responder: !Ref InputRollbarResponder
stello_domain_branded: !Ref InputDomainBranded
stello_domain_unbranded: !Ref InputDomainUnbranded
Policies:
- Version: '2012-10-17'
Statement:
# Get config and put responses
- Effect: Allow
Resource: !Join ['', [!GetAtt ResponsesBucket.Arn, '/config/*/config']]
Action: ['s3:GetObject']
- Effect: Allow
Resource: !Join ['', [!GetAtt ResponsesBucket.Arn, '/responses/*/*']]
Action: ['s3:PutObject']
# Needed to send notifications
- Effect: Allow
Resource: !GetAtt ResponsesBucket.Arn
Action: ['s3:ListBucket']
- Effect: Allow
Resource: !Ref InputSesArn
Action: ['ses:SendEmail']
ResponderSubscribe:
Type: AWS::Serverless::Function
Properties:
Runtime: python3.13
Handler: responder.entry
CodeUri: responder/
Events:
ApiEvent:
Type: HttpApi
Properties:
ApiId: !Ref Gateway
Method: POST
Path: /responder/subscribe
Environment:
Variables:
stello_env: !Ref InputEnv
stello_version: INPUT_VERSION
stello_msgs_bucket: !Ref AWS::StackName
stello_region: !Ref AWS::Region
stello_rollbar_responder: !Ref InputRollbarResponder
stello_domain_branded: !Ref InputDomainBranded
stello_domain_unbranded: !Ref InputDomainUnbranded
Policies:
- Version: '2012-10-17'
Statement:
# Get config and put responses
- Effect: Allow
Resource: !Join ['', [!GetAtt ResponsesBucket.Arn, '/config/*/config']]
Action: ['s3:GetObject']
- Effect: Allow
Resource: !Join ['', [!GetAtt ResponsesBucket.Arn, '/responses/*/*']]
Action: ['s3:PutObject']
# Needed to send notifications
- Effect: Allow
Resource: !GetAtt ResponsesBucket.Arn
Action: ['s3:ListBucket']
- Effect: Allow
Resource: !Ref InputSesArn
Action: ['ses:SendEmail']
ResponderSubscription:
Type: AWS::Serverless::Function
Properties:
Runtime: python3.13
Handler: responder.entry
CodeUri: responder/
Events:
ApiEvent:
Type: HttpApi
Properties:
ApiId: !Ref Gateway
Method: POST
Path: /responder/subscription
Environment:
Variables:
stello_env: !Ref InputEnv
stello_version: INPUT_VERSION
stello_msgs_bucket: !Ref AWS::StackName
stello_region: !Ref AWS::Region
stello_rollbar_responder: !Ref InputRollbarResponder
stello_domain_branded: !Ref InputDomainBranded
stello_domain_unbranded: !Ref InputDomainUnbranded
Policies:
- Version: '2012-10-17'
Statement:
# Get config and put responses
- Effect: Allow
Resource: !Join ['', [!GetAtt ResponsesBucket.Arn, '/config/*/config']]
Action: ['s3:GetObject']
- Effect: Allow
Resource: !Join ['', [!GetAtt ResponsesBucket.Arn, '/responses/*/*']]
Action: ['s3:PutObject']
ResponderAddress:
Type: AWS::Serverless::Function
Properties:
Runtime: python3.13
Handler: responder.entry
CodeUri: responder/
Events:
ApiEvent:
Type: HttpApi
Properties:
ApiId: !Ref Gateway
Method: POST
Path: /responder/address
Environment:
Variables:
stello_env: !Ref InputEnv
stello_version: INPUT_VERSION
stello_msgs_bucket: !Ref AWS::StackName
stello_region: !Ref AWS::Region
stello_rollbar_responder: !Ref InputRollbarResponder
stello_domain_branded: !Ref InputDomainBranded
stello_domain_unbranded: !Ref InputDomainUnbranded
Policies:
- Version: '2012-10-17'
Statement:
# Get config and put responses
- Effect: Allow
Resource: !Join ['', [!GetAtt ResponsesBucket.Arn, '/config/*/config']]
Action: ['s3:GetObject']
- Effect: Allow
Resource: !Join ['', [!GetAtt ResponsesBucket.Arn, '/responses/*/*']]
Action: ['s3:PutObject']
ResponderResend:
Type: AWS::Serverless::Function
Properties:
Runtime: python3.13
Handler: responder.entry
CodeUri: responder/
Events:
ApiEvent:
Type: HttpApi
Properties:
ApiId: !Ref Gateway
Method: POST
Path: /responder/resend
Environment:
Variables:
stello_env: !Ref InputEnv
stello_version: INPUT_VERSION
stello_msgs_bucket: !Ref AWS::StackName
stello_region: !Ref AWS::Region
stello_rollbar_responder: !Ref InputRollbarResponder
stello_domain_branded: !Ref InputDomainBranded
stello_domain_unbranded: !Ref InputDomainUnbranded
Policies:
- Version: '2012-10-17'
Statement:
# Get config and put responses
- Effect: Allow
Resource: !Join ['', [!GetAtt ResponsesBucket.Arn, '/config/*/config']]
Action: ['s3:GetObject']
- Effect: Allow
Resource: !Join ['', [!GetAtt ResponsesBucket.Arn, '/responses/*/*']]
Action: ['s3:PutObject']
# Needed to send notifications
- Effect: Allow
Resource: !GetAtt ResponsesBucket.Arn
Action: ['s3:ListBucket']
- Effect: Allow
Resource: !Ref InputSesArn
Action: ['ses:SendEmail']
# ACCOUNTS
AccountsAvailable:
Type: AWS::Serverless::Function
Properties:
Handler: dist/handle_available.handler
CodeUri: accounts/
Events:
ApiEvent:
Type: HttpApi
Properties:
ApiId: !Ref Gateway # Legit property, despite linter error
Method: POST
Path: /accounts/available
Environment:
Variables:
stello_env: !Ref InputEnv
stello_version: INPUT_VERSION
stello_region: !Ref AWS::Region
stello_rollbar: !Ref InputRollbarAccounts
stello_user_pool: !Ref UserPool
Policies:
- Version: '2012-10-17'
Statement:
- Effect: Allow
Resource: !GetAtt UserPool.Arn
Action:
- cognito-idp:AdminGetUser
AccountsCreate:
Type: AWS::Serverless::Function
Properties:
Handler: dist/handle_create.handler
CodeUri: accounts/
Events:
ApiEvent:
Type: HttpApi
Properties:
ApiId: !Ref Gateway # Legit property, despite linter error
Method: POST
Path: /accounts/create
Environment:
Variables:
stello_env: !Ref InputEnv
stello_version: INPUT_VERSION
stello_region: !Ref AWS::Region
stello_rollbar: !Ref InputRollbarAccounts
stello_user_pool: !Ref UserPool
Policies:
- Version: '2012-10-17'
Statement:
- Effect: Allow
Resource: !GetAtt UserPool.Arn
Action:
- cognito-idp:ListUsers
- cognito-idp:AdminCreateUser
- cognito-idp:AdminSetUserPassword
# COGNITO
UserPool:
Type: AWS::Cognito::UserPool
Properties:
UserPoolName: !Ref AWS::StackName
MfaConfiguration: 'OFF'
AdminCreateUserConfig:
AllowAdminCreateUserOnly: true
UsernameConfiguration:
CaseSensitive: false # Will be used as a subdomain which isn't case-sensitive
Schema:
# WARN Keep all mutable so can update if needed, as Cognito forbids schema changes
# NOTE Non-dev attributes are returned in API calls, so not hidden from user
# NOTE Depending on the context, attributes may need prefix dev:custom: or custom:
# NOTE cognito:username is the attribute for the builtin username field
- Name: hashed_email
AttributeDataType: String
Mutable: true
- Name: hashed_email_init
AttributeDataType: String
Mutable: true
DeveloperOnlyAttribute: true
- Name: hashed_ip
AttributeDataType: String
Mutable: true
DeveloperOnlyAttribute: true
- Name: plan
AttributeDataType: String
Mutable: true
DeveloperOnlyAttribute: true
# These attributes are no longer used and only exist as Cognito forbids deletion
- Name: hashed_email_orig
AttributeDataType: String
Mutable: false
DeveloperOnlyAttribute: true
- Name: ip
AttributeDataType: String
Mutable: false
DeveloperOnlyAttribute: true
AccountRecoverySetting:
RecoveryMechanisms:
- Name: admin_only
Priority: 1
Policies:
PasswordPolicy:
# Don't require char groups as a random password may not fulfill one or more
RequireLowercase: false
RequireUppercase: false
RequireNumbers: false
RequireSymbols: false
MinimumLength: 32 # Length of a uuid4
UserPoolClient:
Type: AWS::Cognito::UserPoolClient
Properties:
ClientName: stello
UserPoolId: !Ref UserPool
GenerateSecret: false # Can't keep secret in desktop clients
EnableTokenRevocation: true
TokenValidityUnits:
AccessToken: days
IdToken: days
RefreshToken: days
AccessTokenValidity: 1
IdTokenValidity: 1 # Can't be greater than refresh
RefreshTokenValidity: 1 # Refresh tokens are not used since have access to user/pass
ExplicitAuthFlows: [ALLOW_USER_PASSWORD_AUTH, ALLOW_REFRESH_TOKEN_AUTH]
PreventUserExistenceErrors: 'ENABLED' # Recommended, but provide availability fn anyway
IdentityPool:
Type: AWS::Cognito::IdentityPool
Properties:
IdentityPoolName: !Ref AWS::StackName
AllowUnauthenticatedIdentities: false
AllowClassicFlow: false
CognitoIdentityProviders:
- ClientId: !Ref UserPoolClient
ProviderName: !GetAtt UserPool.ProviderName
ServerSideTokenCheck: true # Check user not e.g. deleted before granting access
IdentityPoolRoleAttachment:
Type: AWS::Cognito::IdentityPoolRoleAttachment
Properties:
IdentityPoolId: !Ref IdentityPool
Roles:
authenticated: !GetAtt IdentityPoolRole.Arn
IdentityPoolRole:
Type: AWS::IAM::Role
Properties:
RoleName: !Join ['', [!Ref AWS::StackName, -user]]
AssumeRolePolicyDocument:
# See https://docs.aws.amazon.com/cognito/latest/developerguide/using-attributes-for-access-control-policy-example.html
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Federated: cognito-identity.amazonaws.com
# NOTE TagSession needed for using PrincipalTag variables
Action: [sts:AssumeRoleWithWebIdentity, sts:TagSession]
Condition:
StringEquals:
cognito-identity.amazonaws.com:aud: !Ref IdentityPool
ForAnyValue:StringLike:
cognito-identity.amazonaws.com:amr: authenticated
Policies:
- PolicyName: main
PolicyDocument:
Version: '2012-10-17'
Statement:
# SECURITY Every permission granted must be for own prefix/resource only
# List own messages
- Effect: Allow
Resource: !GetAtt MessagesBucket.Arn
Action: ['s3:ListBucket']
Condition:
StringLike:
s3:prefix: 'messages/${aws:PrincipalTag/username}/*'
# Put/delete own messages
- Effect: Allow
Resource: !Join ['/', [!GetAtt MessagesBucket.Arn,
'messages/${aws:PrincipalTag/username}/*']]
Action: ['s3:PutObject', 's3:PutObjectTagging', 's3:DeleteObject']
# SECURITY tags could be used for other reasons in an AWS account
# So must ensure user can only set stello- tags
# NOTE Tags can be set via PutObject (not just PutObjectTagging)
# NOTE ForAllValues:StringLike means for every value in
# s3:RequestObjectTagKeys, ensure it is included in given array
# See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_multi-value-conditions.html
Condition:
ForAllValues:StringLike:
s3:RequestObjectTagKeys: ['stello-lifespan', 'stello-reads',
'stello-max-reads']
# Put/delete own displayer config (config prefix not subject to expiry)
- Effect: Allow
Resource: !Join ['/', [!GetAtt MessagesBucket.Arn,
'config/${aws:PrincipalTag/username}/config']]
Action: ['s3:PutObject', 's3:DeleteObject']
# Put/delete own subscribe config (config prefix not subject to expiry)
- Effect: Allow
Resource: !Join ['/', [!GetAtt MessagesBucket.Arn,
'config/${aws:PrincipalTag/username}/subscribe']]
Action: ['s3:PutObject', 's3:DeleteObject']
# List own responses
- Effect: Allow
Resource: !GetAtt ResponsesBucket.Arn
Action: ['s3:ListBucket']
Condition:
StringLike:
s3:prefix: 'responses/${aws:PrincipalTag/username}/*'
# Get/delete own responses
- Effect: Allow
Resource: !Join ['/', [!GetAtt ResponsesBucket.Arn,
'responses/${aws:PrincipalTag/username}/*']]
Action: ['s3:GetObject', 's3:DeleteObject']
# Put/Delete own responder config (config prefix not subject to expiry)
- Effect: Allow
Resource: !Join ['/', [!GetAtt ResponsesBucket.Arn,
'config/${aws:PrincipalTag/username}/config']]
Action: ['s3:PutObject', 's3:DeleteObject']