This template describes an SNS topic that can be used by many other templates to receive alerts. You can add one or multiple subscribers to this topic and they will all receive the same alerts. Supported transports are:

  * Email
  * HTTP endpoint
  * HTTPS endpoint (can be used by marbot)


Installation Guide

  1. Launch Stack
  2. Click Next to proceed with the next step of the wizard.
  3. Specify a name and all parameters for the stack.
  4. Click Next to proceed with the next step of the wizard.
  5. Click Next to skip the Options step of the wizard.
  6. Check the "I acknowledge that this template might cause AWS CloudFormation to create IAM resources." checkbox.
  7. Click Create to start the creation of the stack.
  8. Wait until the stack reaches the state CREATE_COMPLETE

Access Logs Anonymizer

IPv4 addresses are anonymized to XXX.YYY.ZZZ.0 and IPv6 addresses to XXXX:YYYY::.
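The masking rule above, written out as an added Python example (not the template's own Lambda code). It assumes the log object is gzip-compressed with tab-separated fields; the function names and the sample lines are constructed for illustration.

```python
import gzip
import ipaddress

# Prefix lengths matching the masks stated above:
# IPv4 keeps 24 bits (XXX.YYY.ZZZ.0), IPv6 keeps 32 bits (XXXX:YYYY::).
KEEP_BITS = {4: 24, 6: 32}

# Constructed, abbreviated sample lines (documentation address ranges only).
SAMPLE = (
    "#Version: 1.0\n"
    "2024-01-01\t12:00:00\tFRA2\t512\t203.0.113.77\tGET\t/index.html\t200\n"
    "2024-01-01\t12:00:01\tFRA2\t512\t2001:db8:85a3::8a2e:370:7334\tGET\t/\t200\n"
)


def anonymize_ip(value: str) -> str:
    """Zero the host bits of an IP address; return non-IP input unchanged."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return value  # timestamps, status codes, paths, ...
    net = ipaddress.ip_network(f"{ip}/{KEEP_BITS[ip.version]}", strict=False)
    return str(net.network_address)


def anonymize_line(line: str, sep: str = "\t") -> str:
    """Anonymize every field of a delimited log line that parses as an IP."""
    if line.startswith("#"):  # header lines carry no client data
        return line
    body = line.rstrip("\r\n")
    ending = line[len(body):]  # keep the original line terminator
    return sep.join(anonymize_ip(f) for f in body.split(sep)) + ending


def anonymize_gzip(blob: bytes) -> bytes:
    """Decompress a gzip log object, anonymize each line, recompress."""
    text = gzip.decompress(blob).decode("utf-8")
    out = "".join(anonymize_line(l) for l in text.splitlines(keepends=True))
    return gzip.compress(out.encode("utf-8"))


if __name__ == "__main__":
    print(gzip.decompress(anonymize_gzip(gzip.compress(SAMPLE.encode()))).decode())
```

Fields are matched by parsing rather than by position, so any field that holds a bare address is masked, while an address embedded in a longer string (for example with a port suffix) is left untouched and needs its own handling.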

Access logs are stored in S3 buckets (created via state/s3). The following order of creation is recommended:

  1. Create S3 Bucket stack.
  2. Create Access Logs Anonymizer stack.
  3. Update S3 Bucket stack and set the parameter LambdaFunctionArn to the FunctionARN output of the Access Logs Anonymizer stack.


This template describes a Lambda function that can be used to anonymize IP addresses in CloudFront access logs.

Installation Guide

  1. This template depends on our state/s3.yaml template. Launch Stack
  2. Launch Stack
  3. Click Next to proceed with the next step of the wizard.
  4. Specify a name and all parameters for the stack.
  5. Click Next to proceed with the next step of the wizard.
  6. Click Next to skip the Options step of the wizard.
  7. Check the "I acknowledge that this template might cause AWS CloudFormation to create IAM resources." checkbox.
  8. Click Create to start the creation of the stack.
  9. Wait until the stack reaches the state CREATE_COMPLETE
  10. Update S3 Bucket stack and set the parameter LambdaFunctionArn to the FunctionARN output of the Access Logs Anonymizer stack.



This template describes a Lambda function that can be used to anonymize IP addresses in ALB access logs.

Installation Guide

  1. This template depends on our state/s3.yaml template. Launch Stack
  2. Launch Stack
  3. Click Next to proceed with the next step of the wizard.
  4. Specify a name and all parameters for the stack.
  5. Click Next to proceed with the next step of the wizard.
  6. Click Next to skip the Options step of the wizard.
  7. Check the "I acknowledge that this template might cause AWS CloudFormation to create IAM resources." checkbox.
  8. Click Create to start the creation of the stack.
  9. Wait until the stack reaches the state CREATE_COMPLETE
  10. Update S3 Bucket stack and set the parameter LambdaFunctionArn to the FunctionARN output of the Access Logs Anonymizer stack.


GitHub OpenID Connect

Allow GitHub Actions to assume IAM Roles in your AWS account without IAM users.

Installation Guide

  1. Launch Stack
  2. Click Next to proceed with the next step of the wizard.
  3. Specify a name and all parameters for the stack.
  4. Click Next to proceed with the next step of the wizard.
  5. Click Next to skip the Options step of the wizard.
  6. Check the "I acknowledge that this template might cause AWS CloudFormation to create IAM resources." checkbox.
  7. Click Create to start the creation of the stack.
  8. Wait until the stack reaches the state CREATE_COMPLETE

Terraform State

Creates S3 bucket and DynamoDB table used to manage remote Terraform state.

Installation Guide

  1. This template depends on our security/kms.yaml template. Launch Stack
  2. Launch Stack
  3. Click Next to proceed with the next step of the wizard.
  4. Specify a name and all parameters for the stack.
  5. Click Next to proceed with the next step of the wizard.
  6. Click Next to skip the Options step of the wizard.
  7. Click Create to start the creation of the stack.
  8. Wait until the stack reaches the state CREATE_COMPLETE

Be aware that the template creates a bucket policy using a Deny statement with a NotPrincipal element when defining the TerraformStateUserARNs and TerraformStateAdminARNs parameters. Therefore, both parameters should include the following information: account ARN (e.g., arn:aws:iam::111111111111:root), IAM user (e.g., arn:aws:iam::111111111111:user/tfuser), IAM role (e.g., arn:aws:iam::111111111111:role/tfadmin) and assumed-role user (e.g., arn:aws:sts::111111111111:assumed-role/tfadmin/session). Check out NotPrincipal with Deny to learn more.
