AWSTemplateFormatVersion: '2010-09-09' Description: "Creates solution to check if IAM Roles are not used within allowed time period" Parameters: Scope: Description: Run this solution against an AWS account, an Organization or an Organizational Unit that you have delegated admin permission. Default: Organization Type: String AllowedValues: [Organization, OrganizationalUnit] ConstraintDescription: must choose between Organization, or OrganizationalUnit OrganizationId: Type: String Description: Required. Organization ID is used to scope down cross account role permission Default: '' OrgRootId: Description: Provide Organization Root ID when you want to run this solution against an Organization. Otherwise leave blank Default: '' Type: String OrganizationalUnitId: Description: Provide organizational unit IDs for target OU when you want to run this solution against an Organizational Unit. Otherwise leave blank Type: String Default: '' Frequency: Description: How often the automation should run. Minimum is 2 days Type: Number Default: 30 MinValue: 2 MaxValue: 365 MaxDaysForLastUsed: Description: Checks the number of days allowed for a role to not be used before being non-compliant Type: Number Default: 60 MaxValue: 365 RolePatternAllowedlist: Description: Pipe separated whitelist of role pathnames using simple pathname matching Type: String Default: '' AllowedPattern: '[-a-zA-Z0-9+=,.@_/|*]+|^$' ITSecurityEmail: Type: String Description: Default email address of IT Security Team to notified unused IAM Role if Owner email isn't available from tag Conditions: ScopeOrganization: !Equals [!Ref Scope, Organization] ScopeOrganizationalUnit: !Equals [!Ref Scope, OrganizationalUnit] Resources: CheckIAMRoleScopeOrg: #check for IAM role for all accounts in Organization Type: AWS::CloudFormation::Stack Condition: ScopeOrganization Properties: TemplateURL: check_role_org.yml Parameters: Scope: 'Organization' StateMachineHumanApprovalArn: !GetAtt StateMachineStack.Outputs.StateMachineHumanApprovalArn NameOfSolution: !Ref AWS::StackName Frequency: !Ref Frequency MaxDaysForLastUsed: !Ref MaxDaysForLastUsed RolePatternAllowedlist: !Ref RolePatternAllowedlist CrossAccountRole: !Sub "${AWS::StackName}CrossAccountRole" OrgPaths: !Sub "${OrganizationId}/*" DefaultEmail: !Ref ITSecurityEmail CheckIAMRoleScopeOU: #check for IAM role for all accounts in Organizational Unit Type: AWS::CloudFormation::Stack Condition: ScopeOrganizationalUnit Properties: TemplateURL: check_role_org.yml Parameters: Scope: 'OrganizationalUnit' StateMachineHumanApprovalArn: !GetAtt StateMachineStack.Outputs.StateMachineHumanApprovalArn NameOfSolution: !Ref AWS::StackName Frequency: !Ref Frequency MaxDaysForLastUsed: !Ref MaxDaysForLastUsed RolePatternAllowedlist: !Ref RolePatternAllowedlist OrgPaths: !Sub "${OrganizationId}/*" OUId: !Ref OrganizationalUnitId CrossAccountRole: !Sub "${AWS::StackName}CrossAccountRole" DefaultEmail: !Ref ITSecurityEmail CrossAccountRoleScopeOrganization: Type: AWS::CloudFormation::StackSet Condition: ScopeOrganization Properties: StackSetName: !Sub "${AWS::StackName}CrossAccountRole" Description: Create roles in member accounts for assume role PermissionModel: SERVICE_MANAGED AutoDeployment: Enabled: True RetainStacksOnAccountRemoval: False Capabilities: - CAPABILITY_NAMED_IAM CallAs: DELEGATED_ADMIN #Security Account must be registered as a delegated admin in the Organization master account TemplateURL: https://awsiammedia.s3.amazonaws.com/public/sample/1157-how-to-centralize-findings-automate-deletion/cross_account_role_org.yml StackInstancesGroup: - Regions: - !Ref "AWS::Region" DeploymentTargets: OrganizationalUnitIds: - !Ref OrgRootId Parameters: - ParameterKey: LambdaAssumeRole ParameterValue: !GetAtt CheckIAMRoleScopeOrg.Outputs.LambdaAssumeRole - ParameterKey: OrgPaths ParameterValue: !Sub "${OrganizationId}/*" - ParameterKey: NameOfSolution ParameterValue: !Ref AWS::StackName CrossAccountRoleScopeOU: Type: AWS::CloudFormation::StackSet Condition: ScopeOrganizationalUnit Properties: StackSetName: !Sub "${AWS::StackName}CrossAccountRole" Description: Create roles in accounts under OU for assume role PermissionModel: SERVICE_MANAGED AutoDeployment: Enabled: True RetainStacksOnAccountRemoval: False CallAs: DELEGATED_ADMIN #Security Account must be registered as a delegated admin in the Organization master account Capabilities: - CAPABILITY_NAMED_IAM TemplateURL: https://awsiammedia.s3.amazonaws.com/public/sample/1157-how-to-centralize-findings-automate-deletion/cross_account_role_org.yml StackInstancesGroup: - Regions: - !Ref "AWS::Region" DeploymentTargets: OrganizationalUnitIds: - !Ref OrganizationalUnitId Parameters: - ParameterKey: LambdaAssumeRole ParameterValue: !GetAtt CheckIAMRoleScopeOU.Outputs.LambdaAssumeRole - ParameterKey: OrgPaths ParameterValue: !Sub "${OrganizationId}/*" - ParameterKey: NameOfSolution ParameterValue: !Ref AWS::StackName StateMachineStack: Type: AWS::CloudFormation::Stack Properties: TemplateURL: state_machine.yml Parameters: ApiGatewayInvokeURL: !GetAtt PrivateAPIGW.Outputs.ApiGatewayInvokeURL MaxDaysForLastUsed: !Ref MaxDaysForLastUsed NameOfSolution: !Ref AWS::StackName SenderEmail: !Ref ITSecurityEmail CrossAccountRole: !Sub "${AWS::StackName}CrossAccountRole" PrivateAPIGW: #private APIGW that connect to state machine Type: AWS::CloudFormation::Stack Properties: TemplateURL: private_api_gw.yml Parameters: NameOfSolution: !Ref AWS::StackName