AWSTemplateFormatVersion: 2010-09-09 Description: Create an SNS Topic to publish results for AWS Config Rule Access-Key-Rotation. Creates an Automation Document for distributing info on noncompliant Access Keys to an SNS distro. To accomplish this, creates an AWS Systems Manager Automation Document creates a role to allow AWS Config to execute SSM Automation Documents, execute the configservice list-discovered-resources API call, and publish to the SNS topic passed in enables the AWS Config Rule access-keys-rotated hooks up the Automation Document created as the Config rule's automatic remediation action Parameters: MaximumExecutionFrequency: Type: String Default: TwentyFour_Hours Description: The frequency that you want AWS Config to run evaluations for the rule. MinLength: '1' ConstraintDescription: This parameter is required. AllowedValues: - One_Hour - Three_Hours - Six_Hours - Twelve_Hours - TwentyFour_Hours maxAccessKeyAge: Type: String Default: '90' Description: Maximum number of days without rotation. Default 90. MinLength: '1' ConstraintDescription: This parameter is required. Resources: SNSTopic: Type: 'AWS::SNS::Topic' Properties: DisplayName: >- SNS topic to distribute information regarding access key rotation rule non-compliance TopicName: AccessKeyRotationTopic KmsMasterKeyId: alias/aws/sns SNSTopicPolicy: Type: AWS::SNS::TopicPolicy Properties: PolicyDocument: Version: '2012-10-17' Statement: - Sid: SnsTopicPublishPolicy Action: sns:Publish Effect: Allow Resource: - !Join - '' - - 'arn:aws:sns:' - !Ref 'AWS::Region' - ":" - !Ref 'AWS::AccountId' - ':AccessKeyRotationTopic' Principal: AWS: !Ref 'AWS::AccountId' Topics: - !Ref SNSTopic AccessKeyRotationRemediationRole: Type: 'AWS::IAM::Role' Properties: Description: Policies required for Config to execute SSM and SSM to execute Config API call and publish to SNS AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: Action: 'sts:AssumeRole' ManagedPolicyArns: - 'arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole' Policies: - PolicyName: AccessKeyRotationConfigListResourcesPolicy PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: 'config:ListDiscoveredResources' Resource: '*' - PolicyName: AccessKeyRotationPublishToSnsPolicy PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: 'sns:Publish' Resource: !Ref SNSTopic RoleName: AccessKeyRotationRemediationRole AccessKeyRotationAutomationDoc: Type: "AWS::SSM::Document" Properties: Content: description: Automation Document For resolving a User from a ResourceId schemaVersion: "0.3" assumeRole: "{{ AutomationAssumeRole }}" parameters: ResourceId: type: String description: (Required) The ResourceId of a User AutomationAssumeRole: type: String description: >- (Optional) The ARN of the role that allows Automation to perform the actions on your behalf. mainSteps: - name: resolveUsername action: "aws:executeAwsApi" inputs: Service: config Api: ListDiscoveredResources resourceType: "AWS::IAM::User" resourceIds: - "{{ResourceId}}" outputs: - Name: configUserName Selector: "$.resourceIdentifiers[0].resourceName" Type: String - name: publishMessage action: "aws:executeAutomation" maxAttempts: 1 timeoutSeconds: 30 onFailure: Abort inputs: DocumentName: AWS-PublishSNSNotification RuntimeParameters: TopicArn: !Ref SNSTopic Message: Account "{{global:ACCOUNT_ID}}" User "{{resolveUsername.configUserName}}" needs to rotate their Access Key outputs: - resolveUsername.configUserName DocumentType: Automation AWSConfigAccessKeyRotationRule: Type: 'AWS::Config::ConfigRule' Properties: ConfigRuleName: access-keys-rotated Description: >- Checks whether the active access keys are rotated within the number of days specified in maxAccessKeyAge. The rule is non-compliant if the access keys have not been rotated for more than maxAccessKeyAge number of days. InputParameters: maxAccessKeyAge: !If - maxAccessKeyAge - !Ref maxAccessKeyAge - !Ref 'AWS::NoValue' Scope: {} Source: Owner: AWS SourceIdentifier: ACCESS_KEYS_ROTATED MaximumExecutionFrequency: !Ref MaximumExecutionFrequency AWSConfigAccessKeyRotationRuleRemediation: Type: "AWS::Config::RemediationConfiguration" Properties: ConfigRuleName: !Ref AWSConfigAccessKeyRotationRule Automatic: true MaximumAutomaticAttempts: 2 RetryAttemptSeconds: 60 Parameters: AutomationAssumeRole: StaticValue: Values: - !Join - '' - - 'arn:aws:iam::' - !Ref 'AWS::AccountId' - ':role/AccessKeyRotationRemediationRole' ResourceId: ResourceValue: Value: "RESOURCE_ID" TargetId: !Ref AccessKeyRotationAutomationDoc TargetType: "SSM_DOCUMENT" Metadata: 'AWS::CloudFormation::Interface': ParameterGroups: - Label: default: Required Parameters: - maxAccessKeyAge - Label: default: Optional Parameters: [] Conditions: maxAccessKeyAge: !Not - !Equals - '' - !Ref maxAccessKeyAge Outputs: SNSTopicOutput: Description: The SNS Topic that was created Value: !Ref SNSTopic RoleCreated: Description: The IAM Role that was created Value: !Ref AccessKeyRotationRemediationRole SSMDocumentCreated: Description: The System Manager Automation Document that was created Value: !Ref AccessKeyRotationAutomationDoc AWSConfigRuleEnabled: Description: The AWS Config Rule that was enabled Value: !Ref AWSConfigAccessKeyRotationRule