# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. # SPDX-License-Identifier: MIT-0 # Provisions custom AWS Audit Manager assessment based on Config checks that create a conformance pack # Pre-req: AWS Lambda that creates a custom AWS Audit Manager control set and custom AWS Audit Manager # framework # kmmahaj AWSTemplateFormatVersion: 2010-09-09 Description: >- AWS CloudFormation template to create custom Audit Manager assessments. You will be billed for the AWS resources used if you create a stack from this template. Parameters: SourceBucket: Description: S3 Bucket that contains the Custom Audit Manager Framework Lambda Type: String Default: 's3-customauditmanagerframework--' MinLength: '1' MaxLength: '255' ConfPackControlsMappingFile: Description: CSV file that maps AWS Config rules to the Compliance controls from the Conformance Pack Type: String Default: 'nerc-cipmappingfile.csv' MinLength: '1' MaxLength: '255' Resources: #--------------------------------------------------------------------------------------------------- # # 1- Create Custom Audit Manager Control Sets based on AWS Config Conformance Pack checks # 2- Create Custom Audit Manager Framework based on custom Audit Manager control set # -------------------------------------------------------------------------------------------------- #Custom Lambda backed Resource for creating the Custom Audit Manager Framework CreateCustomAuditManagerFramework: Type: 'Custom::CreateCustomAuditManagerFramework' DependsOn: - CustomAuditManagerFrameworkExecutePermission Properties: ServiceToken: !GetAtt 'CustomAuditManagerFrameworkLambda.Arn' SourceAccountId: !Ref 'AWS::AccountId' #Permission for CFN to invoke custom lambda backed resource CustomAuditManagerFrameworkExecutePermission: Type: 'AWS::Lambda::Permission' Properties: Action: 'lambda:InvokeFunction' FunctionName: !GetAtt 'CustomAuditManagerFrameworkLambda.Arn' Principal: 'cloudformation.amazonaws.com' SourceAccount: !Ref 'AWS::AccountId' #Lambda Function that creates the custom Audit Manager framework CustomAuditManagerFrameworkLambda: Type: 'AWS::Lambda::Function' Properties: FunctionName: !Join - '' - - CustomAuditManagerFramework_ - Lambda Role: !GetAtt CustomAuditManagerFrameworkLambdaRole.Arn Code: S3Bucket: !Ref SourceBucket S3Key: !Join - '' - - CustomAuditManagerFramework_Lambda - / - CustomAuditManagerFramework_Lambda - .zip Description: CustomAuditManagerFrameworkLambda Handler: CustomAuditManagerFramework_Lambda.lambda_handler MemorySize: '256' Runtime: python3.7 Layers: - !Ref AuditManagerLayer Environment: Variables: SourceAccountId : !Ref 'AWS::AccountId' MappingFile: !Ref ConfPackControlsMappingFile S3Bucket: !Ref SourceBucket Timeout: 300 #Lambda Layer for AWS Audit Manager AuditManagerLayer: Type: AWS::Lambda::LayerVersion Properties: CompatibleRuntimes: - python3.6 - python3.7 - python3.8 Content: S3Bucket: !Ref SourceBucket S3Key: auditmanagerlayer.zip Description: Boto3 layer for audit manager LayerName: AuditManagerLayer LicenseInfo: MIT #IAM Role for the CustomAuditManagerFramework Lambda CustomAuditManagerFrameworkLambdaRole: Type: 'AWS::IAM::Role' Properties: RoleName: !Sub confpack-customauditmanagerframeworkrole-${AWS::Region} AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Sid: AllowLambdaAssumeRole Effect: Allow Principal: Service: lambda.amazonaws.com Action: 'sts:AssumeRole' Policies: - PolicyName: CustomAuditManagerFrameworkLambdaPolicy PolicyDocument: Version: 2012-10-17 Statement: - Sid: '1' Action: - 's3:*' Effect: Allow Resource: - !Sub arn:${AWS::Partition}:s3:::${SourceBucket} - !Sub arn:${AWS::Partition}:s3:::${SourceBucket}/* - Sid: '2' Action: - 'logs:CreateLogGroup' - 'logs:CreateLogStream' - 'logs:PutLogEvents' - 'logs:DescribeLogStreams' Effect: Allow Resource: '*' - Sid: '3' Action: - 'ssm:*' Effect: Allow Resource: '*' ManagedPolicyArns: - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AWSAuditManagerAdministratorAccess' - !Sub 'arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'