AWSTemplateFormatVersion: "2010-09-09"
Transform: "AWS::Serverless-2016-10-31"
Description: Detect public access to the customer KMS keys using IAM Access Analyzer

Parameters:
  NotificationEmail:
    Type: String
    Description: Notification email for Access Analyzer findings for KMS keys

Resources:
  AccessAnalyzerKMSFunction:
    Type: "AWS::Serverless::Function"
    Properties:
      CodeUri: ./functions/access-analyzer-kms
      Runtime: python3.8
      Timeout: 120
      Events:
        CWKMSPolicyOrGrantChange:
          Type: EventBridgeRule
          Properties:
            Pattern:
                    {
                      "source": [
                        "aws.kms"
                      ],
                      "detail-type": [
                        "AWS API Call via CloudTrail"
                      ],
                      "detail": {
                        "eventSource": [
                          "kms.amazonaws.com"
                        ],
                        "eventName": [
                          "PutKeyPolicy",
                          "CreateGrant"
                        ]
                      }
                    }
      FunctionName: access-analyzer-kms-function
      Handler: access_analyzer_kms_function.lambda_handler  
      Policies:
        - Statement:
          - Sid: AccessAnalyzerCreateServiceLinkedRole
            Effect: Allow
            Action:
            - iam:CreateServiceLinkedRole
            Resource: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer
          - Sid: AccessAnalyzerAccessPolicy
            Effect: Allow
            Action:
            - access-analyzer:Get*
            - access-analyzer:List*
            - access-analyzer:Start*
            - access-analyzer:CreateAnalyzer
            Resource: '*'
          - Sid: KMSAccessPolicy
            Effect: Allow
            Action:
            - kms:ListKeys
            - kms:DescribeKey
            Resource: '*'
          - Sid: EventBridgeAccess
            Effect: Allow
            Action:
            - events:PutEvents
            Resource: '*'       
      ReservedConcurrentExecutions: 1
      Tags:   
        Project: access-analyzer-kms
        FunctionType: checker      

  AccessAnalyzerKMSFindingsTopic:
    Type: AWS::SNS::Topic
    Properties:
      Subscription:
        - Protocol: email
          Endpoint: !Ref NotificationEmail

  AccessAnalyzerKMSFindingsTopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties: 
      PolicyDocument:
        Id: PublishEventsToSNSTopic
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Principal:
            Service: events.amazonaws.com
          Action: sns:Publish
          Resource: !Ref AccessAnalyzerKMSFindingsTopic
      Topics: 
        - !Ref AccessAnalyzerKMSFindingsTopic

  AccessAnalyzerKMSFindingsRule:
    Type: AWS::Events::Rule
    Properties: 
      Description: Publishes Access Analyzer KMS findings from the lambda function to the SNS topic
      EventPattern: 
        source:
          - "access-analyzer-kms-function"
        detail-type:
          - "Access Analyzer KMS Findings"
      Targets: 
        - Arn: !Ref AccessAnalyzerKMSFindingsTopic
          Id: '1'