AWSTemplateFormatVersion: 2010-09-09 Description: Enables remedition action with baseline AWS Config rules. Parameters: EnableEncryptedVolumesRule: Type: String Description: "Enables the AWS managed encrypted-volumes config rule. To disable, change the parameter value to false." Default: true AllowedValues: - true - false EnableS3ServerSideEncryptionRule: Type: String Description: "Enables the AWS managed s3-bucket-server-side-encryption-enabled config rule. To enable, change the parameter value to true." Default: true AllowedValues: - true - false EnableRdsEncryptionRule: Type: String Description: "Enables the AWS managed rds-storage-encrypted config rule. To disable, change the parameter value to false." Default: true AllowedValues: - true - false EnableS3PublicReadRule: Type: String Description: "Enables the AWS managed s3-bucket-public-read-prohibited config rule. To disable, change the parameter value to false." Default: true AllowedValues: - true - false EnableS3PublicWriteRule: Type: String Description: "Enables the AWS managed s3-bucket-public-write-prohibited config rule. To disable, change the parameter value to false." Default: true AllowedValues: - true - false KMSId: Type: String Description: "KMS ID" EnableS3PublicSecGr: Type: String Description: "Enables custom rule if there is open security group" Default: true AllowedValues: - true - false S3BucketSources: Type: String Description: S3 bucket with sources MaxLength: 63 MinLength: 3 Default: sources-ir-vesselin S3SourcesPrefix: Type: String Description: S3 prefix with sources with ending slash EnableRestrictedSecurityGroup: Type: String Description: "Enables the custom rule for open Security Group" Default: true AllowedValues: - true - false Conditions: EnableEncryptedVolumes: !Equals - !Ref EnableEncryptedVolumesRule - 'true' EnableRdsEncryption: !Equals - !Ref EnableRdsEncryptionRule - 'true' EnableS3PublicRead: !Equals - !Ref EnableS3PublicReadRule - 'true' EnableS3PublicWrite: !Equals - !Ref EnableS3PublicWriteRule - 'true' EnableS3ServerSideEncryption: !Equals - !Ref EnableS3ServerSideEncryptionRule - 'true' # EnableRestrictedCommonPortsPolicy: !Equals # - !Ref EnableRestrictedCommonPortsRule # - 'true' EnableRestrictedSecurityGroup: !Equals - !Ref EnableRestrictedSecurityGroup - 'true' HasKMSKeyId: !Not - !Equals - !Ref KMSId - "" Resources: CheckForS3ServerSideEncryption: Type: AWS::Config::ConfigRule Condition: EnableS3ServerSideEncryption Properties: ConfigRuleName: S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED Description: Checks for explicit denies on put-object requests without server side encryption. Source: Owner: AWS SourceIdentifier: S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED Scope: ComplianceResourceTypes: - AWS::S3::Bucket CheckForEncryptedVolumes: Type: AWS::Config::ConfigRule Condition: EnableEncryptedVolumes Properties: ConfigRuleName: ENCRYPTED_VOLUMES Description: Checks whether EBS volumes that are in an attached state are encrypted. Source: Owner: AWS SourceIdentifier: ENCRYPTED_VOLUMES Scope: ComplianceResourceTypes: - AWS::EC2::Volume InputParameters: kmsId: !If - HasKMSKeyId - !Ref KMSId - !Ref AWS::NoValue CheckForRdsEncryption: Type: AWS::Config::ConfigRule Condition: EnableRdsEncryption Properties: ConfigRuleName: RDS_STORAGE_ENCRYPTED Description: Checks whether storage encryption is enabled for your RDS DB instances. Source: Owner: AWS SourceIdentifier: RDS_STORAGE_ENCRYPTED Scope: ComplianceResourceTypes: - AWS::RDS::DBInstance InputParameters: kmsId: !If - HasKMSKeyId - !Ref KMSId - !Ref AWS::NoValue CheckForS3PublicRead: Type: AWS::Config::ConfigRule Condition: EnableS3PublicRead Properties: ConfigRuleName: S3_BUCKET_PUBLIC_READ_PROHIBITED Description: Checks that your S3 buckets do not allow public read access. If an S3 bucket policy or bucket ACL allows public read access, the bucket is noncompliant. Source: Owner: AWS SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED Scope: ComplianceResourceTypes: - AWS::S3::Bucket CheckForS3PublicWrite: Type: AWS::Config::ConfigRule Condition: EnableS3PublicWrite Properties: ConfigRuleName: S3_BUCKET_PUBLIC_WRITE_PROHIBITED Description: Checks that your S3 buckets do not allow public write access. If an S3 bucket policy or bucket ACL allows public write access, the bucket is noncompliant. Source: Owner: AWS SourceIdentifier: S3_BUCKET_PUBLIC_WRITE_PROHIBITED Scope: ComplianceResourceTypes: - AWS::S3::Bucket OpenSecGrLambda: Type: 'AWS::Lambda::Function' Properties: FunctionName: !Sub CustomConfigRule-OpenSecurityGroup Handler: config_secgr_lambda_function.lambda_handler Runtime: python3.7 Code: S3Bucket: !Ref S3BucketSources S3Key: !Sub '${S3SourcesPrefix}service_lambda_functions.zip' Description: 'Config rule that check if security group is open' Timeout: 20 Role: !GetAtt ConfigLambdaRole.Arn ConfigPermissionLambda: Type: AWS::Lambda::Permission Properties: FunctionName: !GetAtt OpenSecGrLambda.Arn Action: lambda:InvokeFunction Principal: config.amazonaws.com CheckForOpenSecGr: DependsOn: - ConfigPermissionLambda Type: AWS::Config::ConfigRule Properties: Description: Check that S3 buckets have default encryption enabled ConfigRuleName: SECURITY_GROUP_OPEN_PROHIBITED Source: Owner: "CUSTOM_LAMBDA" SourceIdentifier: !GetAtt OpenSecGrLambda.Arn SourceDetails: - EventSource: aws.config MessageType: ConfigurationItemChangeNotification - EventSource: aws.config MessageType: ScheduledNotification Scope: ComplianceResourceTypes: - AWS::EC2::SecurityGroup ConfigLambdaRole: Type: 'AWS::IAM::Role' Properties: RoleName: !Sub security-IR-custom-config-${AWS::Region} Path: / AssumeRolePolicyDocument: Version: "2012-10-17" Statement: Effect: Allow Principal: Service: "lambda.amazonaws.com" Action: "sts:AssumeRole" Policies: - PolicyName: lambda-custom PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents Resource: arn:aws:logs:*:*:* - Effect: Allow Action: - config:PutEvaluations Resource: "*"