# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0

#  Provisions a custom AWS Audit Manager assessment based on the AWS Config checks in a conformance pack
#  Pre-req: an AWS Lambda function that creates a custom AWS Audit Manager control set and a custom
#  AWS Audit Manager framework


# kmmahaj

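# Quoted on purpose: an unquoted 2010-09-09 is a YAML timestamp to generic (1.1/1.2) parsers
# such as PyYAML, which yields a date object instead of the string CloudFormation expects.
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  AWS CloudFormation template to create custom Audit Manager assessments. You will be
  billed for the AWS resources used if you create a stack from this template. (qs-1t0eilb5g)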
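Parameters:
  # Bucket holding the packaged function code
  # (CustomAuditManagerFramework_Lambda/CustomAuditManagerFramework_Lambda.zip); it is also handed
  # to the function as the S3Bucket environment variable. The default is a placeholder rather than
  # a deployable name: '<' and '>' are not legal in S3 bucket names, so the value must be
  # overridden at stack creation. Bucket names are at most 63 characters, so MaxLength could be
  # tightened accordingly.
  SourceBucket:
    Description: S3 Bucket that contains the Custom Audit Manager Framework Lambda
    Type: String
    Default: 's3-customauditmanagerframework-<AccountId>-<Region>'
    # Length constraints are integers in the Parameters schema; no need to quote them.
    MinLength: 1
    MaxLength: 255
  # Name of the rules-to-controls CSV; passed to the function as the MappingFile environment
  # variable. Where the function reads it from is not defined in this template.
  ConfPackControlsMappingFile:
    Description: CSV file that maps AWS Config rules to the Compliance controls from the Conformance Pack
    Type: String
    Default: 'nerc-cipmappingfile.csv'
    MinLength: 1
    MaxLength: 255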

Resources:

# --------------------------------------------------------------------------------------------------
#
#  1- Create custom Audit Manager control sets based on AWS Config conformance pack checks
#  2- Create a custom Audit Manager framework based on the custom Audit Manager control set
# --------------------------------------------------------------------------------------------------

# Lambda-backed custom resource: CloudFormation sends its Create/Update/Delete events to
# CustomAuditManagerFrameworkLambda, which (per the header comments) builds the custom
# Audit Manager control set and framework.
  CreateCustomAuditManagerFramework:
    Type: Custom::CreateCustomAuditManagerFramework
    # The invoke permission has to exist before CloudFormation first calls the function.
    DependsOn: CustomAuditManagerFrameworkExecutePermission
    Properties:
      ServiceToken: !GetAtt CustomAuditManagerFrameworkLambda.Arn
      SourceAccountId: !Ref AWS::AccountId

# Resource-based policy on the function: lets the CloudFormation service principal invoke it.
  CustomAuditManagerFrameworkExecutePermission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !GetAtt CustomAuditManagerFrameworkLambda.Arn
      Action: lambda:InvokeFunction
      Principal: cloudformation.amazonaws.com
      # Restricts the grant to CloudFormation acting for this account, so a stack in another
      # account cannot drive this function through the shared service principal.
      SourceAccount: !Ref AWS::AccountId

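# Lambda Function that creates the custom Audit Manager framework
  CustomAuditManagerFrameworkLambda:
    Type: AWS::Lambda::Function
    Properties:
      # Fixed, non-stack-derived name: only one copy of this stack can exist per account/region.
      # (The original !Join of constant parts is folded into the literal it always produced.)
      FunctionName: CustomAuditManagerFramework_Lambda
      Role: !GetAtt CustomAuditManagerFrameworkLambdaRole.Arn
      Code:
        S3Bucket: !Ref SourceBucket
        # Same value the former !Join assembled: <dir>/<dir>.zip.
        S3Key: CustomAuditManagerFramework_Lambda/CustomAuditManagerFramework_Lambda.zip
      Description: CustomAuditManagerFrameworkLambda
      Handler: CustomAuditManagerFramework_Lambda.lambda_handler
      # MemorySize is an Integer in the resource schema; pass a number, not a quoted string.
      MemorySize: 256
      # NOTE(review): python3.7 is past Lambda's end of support, so it no longer receives
      # runtime security patches and Lambda progressively blocks create/update on it. Move to a
      # currently supported Python runtime once the packaged code has been validated against it.
      Runtime: python3.7
      # Values the function reads at run time; the mapping-file location itself is resolved
      # inside the function, not in this template.
      Environment:
        Variables:
          SourceAccountId: !Ref AWS::AccountId
          MappingFile: !Ref ConfPackControlsMappingFile
          S3Bucket: !Ref SourceBucket
      Timeout: 300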

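# IAM Role for the CustomAuditManagerFramework Lambda
  CustomAuditManagerFrameworkLambdaRole:
    Type: AWS::IAM::Role
    Properties:
      # Explicit RoleName: the stack needs CAPABILITY_NAMED_IAM, and because the name is fixed
      # per region a second copy of this stack in the same account/region collides.
      RoleName: !Sub confpack-customauditmanagerframeworkrole-${AWS::Region}
      AssumeRolePolicyDocument:
        # Quoted: unquoted 2012-10-17 is a YAML timestamp to generic parsers.
        Version: '2012-10-17'
        Statement:
          - Sid: AllowLambdaAssumeRole
            Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: CustomAuditManagerFrameworkLambdaPolicy
          PolicyDocument:
            Version: '2012-10-17'
            # Sequence indentation made consistent with the rest of the file (indented lists).
            Statement:
              # Read access to SourceBucket is what this template visibly needs (code zip, CSV).
              # PutObject/PutBucketLogging/PutBucketVersioning additionally let the role modify the
              # bucket that holds its own code; confirm the function uses them before keeping them.
              - Effect: Allow
                Action:
                  - s3:PutObject
                  - s3:PutBucketLogging
                  - s3:PutBucketVersioning
                  - s3:GetObject
                  - s3:GetBucketLocation
                  - s3:ListBucket
                Resource:
                  - !Sub arn:${AWS::Partition}:s3:::${SourceBucket}
                  - !Sub arn:${AWS::Partition}:s3:::${SourceBucket}/*
              # NOTE(review): Resource '*' grants Decrypt on every KMS key and PutParameter on every
              # SSM parameter in the account. Scope to the key(s) protecting SourceBucket and the
              # parameter path(s) the function writes once those ARNs are known.
              - Effect: Allow
                Action:
                  - kms:Decrypt
                  - ssm:PutParameter
                Resource: '*'
      ManagedPolicyArns:
        # AWSAuditManagerAdministratorAccess is broad; the function needs Audit Manager write
        # access, but a customer-managed policy limited to the APIs it calls would be tighter.
        - !Sub arn:${AWS::Partition}:iam::aws:policy/AWSAuditManagerAdministratorAccess
        - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole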