-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathenable-access-analyser.yaml
135 lines (135 loc) · 5.01 KB
/
enable-access-analyser.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
AWSTemplateFormatVersion: 2010-09-09
Description: Creates a Lambda function to delegate Access Analyser to a master account in an AWS Organization. A custom resource is created to immediately invoke the lambda function upon successful deployment.
Parameters:
OrganizationId:
Type: String
Description: "The Amazon Organizations ID for Control Tower."
MinLength: 12
MaxLength: 12
AllowedPattern: '^[o][\-][a-z0-9]{10}$'
ConstraintDescription: "The Organization ID must be a 12 character string starting with o- and followed by 10 Lowercase Alphanumeric Characters."
AccessAnalyserMasterAccountId:
Type: String
Description: "The AWS Account ID that will be configured as the Delegated Admin."
AllowedPattern: '^[0-9]{12}$'
ConstraintDescription: "This must be a 12 character string."
MinLength: 12
MaxLength: 12
S3SourceBucket:
Type: String
Description: "The S3 Bucket that contains the Lambda Zip File."
S3Key:
Type: String
Description: "The S3 Path to the Lambda Zip File"
RoleToAssume:
Type: String
Default: 'AWSControlTowerExecution'
Description: "What role should be assumed in accounts to enable GuardDuty? The Default is AWSControlTowerExecution for a Control Tower environment."
Resources:
CustomResourceEnableAccessAnalyser:
Type: Custom::EnableAccessAnalyser
Properties:
ServiceToken: !GetAtt LambdaEnableAccessAnalyser.Arn
LambdaEnableAccessAnalyser:
Type: AWS::Lambda::Function
Properties:
Architectures:
- x86_64
Code:
S3Bucket: !Ref S3SourceBucket
S3Key: !Ref S3Key
Description: "Lambda Function that is triggered by CloudFormation Custom Resource to Enable Access Analyser by Default."
FunctionName: Lambda-Enable-Access-Analyser
Handler: index.lambda_handler
Layers:
- !Ref LambdaLayerCfnresponse
Role: !GetAtt LambdaRoleEnableAccessAnalyser.Arn
Runtime: python3.9
MemorySize: 128
Timeout: 300
Environment:
Variables:
ACCESS_ANALYSER_MASTER_ACCOUNT: !Ref AccessAnalyserMasterAccountId
ROLE_TO_ASSUME: !Ref RoleToAssume
LambdaLayerCfnresponse:
Type: AWS::Lambda::LayerVersion
Properties:
CompatibleRuntimes:
- python3.9
Content:
S3Bucket: !Ref S3SourceBucket
S3Key: "lambda-layers/cfnresponse.zip"
Description: v1.1.2 of cfnresponse
LayerName: cfnresponse
LambdaRoleEnableAccessAnalyser:
Type: AWS::IAM::Role
Properties:
Description: "Service-Role for Lambda-Enable-Access-Analyser to have the required access to execute successfully"
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Principal:
Service:
- "lambda.amazonaws.com"
Action:
- "sts:AssumeRole"
Path: "/"
RoleName: "LambdaExecutionRole-EnableAccessAnalyser"
ManagedPolicyArns:
- "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
Policies:
- PolicyName: "Enable-Access-Analyser"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Action:
- "sts:AssumeRole"
Resource: !Sub "arn:aws:iam::*:role/${RoleToAssume}"
Condition:
StringEquals:
"aws:PrincipalOrgId": !Ref OrganizationId
- Effect: "Allow"
Action:
- organizations:DeregisterDelegatedAdministrator
Resource: !Sub "arn:aws:organizations::${AWS::AccountId}:account/${OrganizationId}/*"
- Effect: "Allow"
Action:
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
Resource:
- !Sub "arn:aws:logs:{AWS::Region}:${AWS::AccountId}:*"
- !Sub "arn:aws:logs:{AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/Lambda-Enable-Access-Analyser:*"
- Effect: "Allow"
Action:
- organizations:RegisterDelegatedAdministrator
- organizations:ListAccounts
- organizations:ListDelegatedAdministrators
- cloudtrail:DescribeTrails
- cloudformation:ListStackInstances
Resource: "*"
LifeCycleRuleAccessAnalyser:
Type: AWS::Events::Rule
Properties:
Description: "AWS Access Analyser LifeCycle Trigger"
EventPattern:
source:
- "aws.controltower"
detail-type:
- "AWS Service Event via CloudTrail"
detail:
eventName:
- "CreateManagedAccount"
State: "ENABLED"
Targets:
- Arn: !GetAtt LambdaEnableAccessAnalyser.Arn
Id: "NewAccount"
PermissionForCTEventToInvokeLambda:
Type: AWS::Lambda::Permission
Properties:
FunctionName: !GetAtt LambdaEnableAccessAnalyser.Arn
Action: "lambda:InvokeFunction"
Principal: "events.amazonaws.com"
SourceArn: !GetAtt LifeCycleRuleAccessAnalyser.Arn