Create CloudFormation stacks in AWS


Prerequisites

  1. (Optional) Install the AWS command-line interface (CLI). All versions are supported.
  2. Obtain an External ID

Create an all-in-one stack using template link

  1. Create the all-in-one stack in AWS

    • Log in to the AWS account where you want to deploy the stack.
    • Select this link: Launch Stack button

      You will be redirected to the AWS Quick create stack page.

    • Select the AWS region (top-right) that corresponds to the region of your S3 bucket to scan. For supported regions, see What regions are supported?

    • Follow the instructions in Deploy the all-in-one stack to fill in the required fields (including the ExternalID and CloudOneRegion field) and create the stack.
  2. Verify that the stack creation is complete

    • Go to CloudFormation > Stacks.
    • Look for your all-in-one stack and the nested scanner and storage stacks. When all three stacks have reached the CREATE COMPLETE state, your all-in-one stack is ready.

Create a scanner stack using template link

  1. Create the scanner stack in AWS

    • Select this link: Launch Stack button

      You will be redirected to the AWS Quick create stack page.

    • Select the AWS region (top-right) that corresponds to the region of your scanner stack. For supported regions, see What regions are supported?

    • Follow the instructions in Add a scanner stack to fill in the required fields (including the ExternalID and CloudOneRegion field) and create the stack.
  2. Verify that the stack creation is complete

    • Go to CloudFormation > Stacks.
    • Look for your scanner stack. It will display CREATE COMPLETE when done.

Create a storage stack using template link

  1. Create the storage stack in AWS

    • Select this link: Launch Stack button

      You will be redirected to the AWS Quick create stack page.

    • Select the AWS region (top-right) that corresponds to the region of your S3 bucket to scan. For supported regions, see What regions are supported?

    • Follow the instructions in Add a storage stack to fill in the required fields (including the ExternalID and CloudOneRegion field) and create the stack.
  2. Verify that the stack creation is complete

    • Go to CloudFormation > Stacks.
    • Look for your storage stack. It will display CREATE COMPLETE when done.

Using AWS CLI

Create an all-in-one stack using AWS CLI

  1. Create the all-in-one stack in AWS

    • On the computer where you installed the AWS CLI, in a program such as bash or PowerShell, enter the following command to create the stack:
      aws cloudformation create-stack \
          --stack-name ALLINONE-STACK-NAME \
          --region REGION \
          --template-url https://file-storage-security.s3.amazonaws.com/latest/templates/FSS-All-In-One.template \
          --parameters \
              ParameterKey=S3BucketToScan,ParameterValue=S3-BUCKET-TO-SCAN \
              ParameterKey=KMSKeyARNForBucketSSE,ParameterValue=KMS-MASTER-KEY-ARN \
              ParameterKey=KMSKeyARNForQueueSSE,ParameterValue=KMS-MASTER-KEY-ARN-FOR-SQS \
              ParameterKey=CloudOneRegion,ParameterValue=CLOUD-ONE-REGION \
              ParameterKey=ExternalID,ParameterValue=EXTERNAL-ID \
          --capabilities CAPABILITY_NAMED_IAM
      

    where...

    • ALLINONE-STACK-NAME must be replaced with the name of the stack. You can use any name. Example: FileStorageSecurity-All-In-One
    • REGION must be replaced with the region where you want to install the stack. Choose the region that corresponds to the region of your S3 bucket to scan. For supported regions, see What regions are supported? Examples: ap-east-2, us-west-2
    • S3-BUCKET-TO-SCAN must be replaced with the name of your S3 bucket to scan, as it appears in S3. You can only specify one bucket. Example: my-s3-bucket-to-scan-01

      The S3 bucket name cannot contain a period or "dot" (.) character.

    • KMS-MASTER-KEY-ARN must be replaced with the ARN of your KMS master key which is used to encrypt objects in your S3 bucket to scan. Leave it blank if you haven't enabled SSE-KMS on your S3 bucket.
    • KMS-MASTER-KEY-ARN-FOR-SQS must be replaced with the ARN of your KMS master key which is used to encrypt SQS messages in your scanner stack. Leave it blank if you haven't enabled SSE-KMS for SQS.
    • CLOUD-ONE-REGION must be one of the supported Cloud One regions. Example: us-1
    • EXTERNAL-ID must be replaced with the external ID obtained previously.
    • CAPABILITY_NAMED_IAM must remain as is.

    To deploy on a bucket that has existing s3:ObjectCreated:* event notifications, see s3:ObjectCreated:* event in use.

    To control the permissions created by the templates, see AWS permissions control.

    To specify a custom prefix for a resource name, see Resource prefixes.

    To deploy a storage stack with dead-letter queues, see Storage Stack DLQ.

    To attach Lambda functions to VPC, see Deploy in VPC.

    To enable scan on getObject request, see Scan on getObject request.

    For details on what values to use, see the Deploy the all-in-one stack page. This page includes descriptions of the parameters in the all-in-one CloudFormation template, which are the same as the parameters in the CLI.

  2. Verify that the stack creation is complete

    • Enter the following AWS CLI command:

      aws cloudformation describe-stacks --stack-name ALLINONE-STACK-NAME --output json --query 'Stacks[0].StackStatus'

      where...

      ALLINONE-STACK-NAME is replaced with the name of your all-in-one stack.

    • When the stack is ready, the status will become CREATE_COMPLETE.

Create a scanner stack using AWS CLI

  1. Create the scanner stack in AWS

    • On the computer where you installed the AWS CLI, in a program such as bash or PowerShell, enter the following command to create the stack:
      aws cloudformation create-stack \
          --stack-name SCANNER-STACK-NAME \
          --region REGION \
          --template-url https://file-storage-security.s3.amazonaws.com/latest/templates/FSS-Scanner-Stack.template \
          --parameters \
              ParameterKey=KMSKeyARNForQueueSSE,ParameterValue=KMS-MASTER-KEY-ARN-FOR-SQS \
              ParameterKey=CloudOneRegion,ParameterValue=CLOUD-ONE-REGION \
              ParameterKey=ExternalID,ParameterValue=EXTERNAL-ID \
          --capabilities CAPABILITY_NAMED_IAM
      

    where...

    • SCANNER-STACK-NAME must be replaced with the name of the stack. You can use any name. Example: FSSScanner2
    • REGION must be replaced with the region where you want to install the stack. Examples: ap-east-2, us-west-2
    • KMS-MASTER-KEY-ARN-FOR-SQS must be replaced with the ARN of your KMS master key that is used to encrypt SQS messages in your scanner stack. Use the same KMS master key if you deploy the corresponding storage stack. Leave it blank if you haven't enabled SSE-KMS for SQS.
    • CLOUD-ONE-REGION must be one of the supported Cloud One regions. Example: us-1
    • EXTERNAL-ID must be replaced with the external ID obtained previously.
    • CAPABILITY_NAMED_IAM must remain as is.

    To control the permissions created by the templates, see AWS permissions control.

    To specify a custom prefix for a resource name, see Resource prefixes.

    To attach Lambda functions to VPC, see Deploy in VPC.

    For details on the values to use, see the Add a scanner stack page. This page includes descriptions of the parameters in the scanner stack CloudFormation template, which are the same as the parameters in the CLI.

  2. Verify that the stack creation is complete

    • Enter the following AWS CLI command:

      aws cloudformation describe-stacks --stack-name SCANNER-STACK-NAME --output json --query 'Stacks[0].StackStatus'

      where...

      SCANNER-STACK-NAME is replaced with the name of your scanner stack.

    • When the stack is ready, the status will become CREATE_COMPLETE.

Create a storage stack using AWS CLI

  1. Create the storage stack in AWS

    • On the computer where you installed the AWS CLI, in a program such as bash or PowerShell, enter the following command to create the stack:
      aws cloudformation create-stack \
          --stack-name STORAGE-STACK-NAME \
          --region REGION \
          --template-url https://file-storage-security.s3.amazonaws.com/latest/templates/FSS-Storage-Stack.template \
          --parameters \
              ParameterKey=S3BucketToScan,ParameterValue=S3-BUCKET-TO-SCAN \
              ParameterKey=KMSKeyARNForBucketSSE,ParameterValue=KMS-MASTER-KEY-ARN \
              ParameterKey=ScannerAWSAccount,ParameterValue=SCANNER-AWS-ACCOUNT \
              ParameterKey=ScannerSQSURL,ParameterValue=SCANNER-QUEUE-URL \
              ParameterKey=KMSKeyARNForQueueSSE,ParameterValue=KMS-MASTER-KEY-ARN-FOR-SQS \
              ParameterKey=CloudOneRegion,ParameterValue=CLOUD-ONE-REGION \
              ParameterKey=ExternalID,ParameterValue=EXTERNAL-ID \
          --capabilities CAPABILITY_NAMED_IAM
      

    where...

    • STORAGE-STACK-NAME must be replaced with the name of the stack. You can use any name. Example: FSSStorage2
    • REGION must be replaced with the region where you want to install the stack. Examples: ap-east-2, us-west-2
    • S3-BUCKET-TO-SCAN must be replaced with the name of your S3 bucket to scan, as it appears in S3. You can only specify one bucket. Example: my-s3-bucket-to-scan-02

      The S3 bucket name cannot contain a period or "dot" (.) character.

    • KMS-MASTER-KEY-ARN must be replaced with the ARN of your KMS master key which is used to encrypt objects in your S3 bucket to scan. Leave it blank if you haven't enabled SSE-KMS on your S3 bucket.
    • SCANNER-AWS-ACCOUNT must be replaced with the ID of the AWS account where the scanner stack was installed. You can find this ID in the AWS console > Account name > My Account > Account Id.
    • SCANNER-QUEUE-URL must be replaced with the SQS ScannerQueue URL. You can find this URL:

      • Through the AWS console, under CloudFormation > Stacks > all-in-one or scanner stack > Outputs > ScannerQueueURL.
      • Through the AWS CLI, by entering the following command:

        aws cloudformation describe-stacks --stack-name STACK-NAME --output json --query 'Stacks[0].Outputs'

        where...

        STACK-NAME is replaced with the name of your all-in-one or scanner stack.

    • KMS-MASTER-KEY-ARN-FOR-SQS must be replaced with the ARN of your KMS master key that is used to encrypt SQS messages in your scanner stack. Use the same KMS master key that you used in the corresponding scanner stack. Leave it blank if you haven't enabled SSE-KMS for SQS.

    • CLOUD-ONE-REGION must be one of the supported Cloud One regions. Example: us-1
    • EXTERNAL-ID must be replaced with the external ID obtained previously.
    • CAPABILITY_NAMED_IAM must remain as is.

    To deploy on a bucket that has existing s3:ObjectCreated:* event notifications, see s3:ObjectCreated:* event in use.

    To control the permissions created by the templates, see AWS permissions control.

    To specify a custom prefix for a resource name, see Resource prefixes.

    To deploy a storage stack with dead-letter queues, see Storage Stack DLQ.

    To attach Lambda functions to VPC, see Deploy in VPC.

    To enable scan on getObject request, see Scan on getObject request.

    For details on the values to use, see the Add a storage stack page. This page includes descriptions of the parameters in the storage stack CloudFormation template, which are the same as the parameters in the CLI.

  2. Verify that the stack creation is complete

    • Enter the following AWS CLI command:

      aws cloudformation describe-stacks --stack-name STORAGE-STACK-NAME --output json --query 'Stacks[0].StackStatus'

      where...

      STORAGE-STACK-NAME is replaced with the name of your storage stack.

    • When the stack is ready, the status will become CREATE_COMPLETE.