AWSTemplateFormatVersion: '2010-09-09' Description: Creates the Amazon S3 Bucket for the IAM Credential Report Blog Post Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: default: IAM Credential Report Delivery S3 Attributes Parameters: - pIAMCredReportBucketPrefix - pIAMCredReportKeyArn - pOrganizationId - pOrgPrimaryLambdaRoleName - pTagKey1 - pTagValue1 ParameterLabels: pIAMCredReportBucketPrefix: default: IAM Credential Report Delivery Bucket Prefix pIAMCredReportKeyArn: default: IAM Credential Report Delivery KMS Key pOrganizationId: default: Organization ID pOrgPrimaryLambdaRoleName: default: Organization Primary Lambda Role Name pTagKey1: default: Tag Key pTagValue1: default: Tag Value Parameters: pIAMCredReportBucketPrefix: Type: String Description: IAM Credential Report Delivery S3 bucket prefix. The account and region will get added to the end. e.g. iam-credential-report-delivery-123456789012-us-east-1 Default: iam-credentials-report pIAMCredReportKeyArn: Type: String Description: KMS Key ARN to use for encrypting IAM Credential Report sent to S3 pOrganizationId: Type: String Description: AWS Organization ID MinLength: 12 MaxLength: 12 AllowedPattern: '^o-[a-z0-9]{10,32}$' ConstraintDescription: > The Organization Id must be a 12 character string starting with o- and followed by 10 lower case alphanumeric characters pOrgPrimaryLambdaRoleName: Type: String Description: Organization Primary Account Lambda Role Name Default: iam-credential-report-lambda-role pTagKey1: Type: String Description: Tag key Default: managed-by pTagValue1: Type: String Description: Tag key value Default: credential-cfn Resources: rS3Bucket: Type: AWS::S3::Bucket Metadata: cfn_nag: rules_to_suppress: - id: W35 reason: S3 access logging covered by CloudTrail S3 data events Properties: OwnershipControls: Rules: - ObjectOwnership: BucketOwnerPreferred BucketName: !Sub ${pIAMCredReportBucketPrefix}-${AWS::AccountId}-${AWS::Region}-aws VersioningConfiguration: Status: Enabled BucketEncryption: ServerSideEncryptionConfiguration: - ServerSideEncryptionByDefault: KMSMasterKeyID: !Ref pIAMCredReportKeyArn SSEAlgorithm: aws:kms PublicAccessBlockConfiguration: BlockPublicAcls: True BlockPublicPolicy: True IgnorePublicAcls: True RestrictPublicBuckets: True Tags: - Key: !Ref pTagKey1 Value: !Ref pTagValue1 rS3BucketPolicy: Type: AWS::S3::BucketPolicy Metadata: cfn_nag: rules_to_suppress: - id: F16 reason: Resource is scoped down by Conditional Properties: Bucket: !Ref rS3Bucket PolicyDocument: Version: 2012-10-17 Statement: - Sid: SecureTransport Effect: Deny Principal: "*" Action: "s3:*" Resource: !Sub arn:aws:s3:::${rS3Bucket} Condition: Bool: "aws:SecureTransport": "false" - Sid: AWSBucketDelivery Effect: Allow Principal: "*" Action: s3:PutObject Resource: !Sub arn:aws:s3:::${rS3Bucket}/* Condition: StringEquals: "aws:PrincipalOrgID": !Ref pOrganizationId StringLike: aws:PrincipalArn: !Sub arn:${AWS::Partition}:iam::*:role/${pOrgPrimaryLambdaRoleName} Outputs: oIAMCredDeliveryS3Bucket: Description: IAM Credential Report Delivery S3 Bucket Value: !Ref rS3Bucket oIAMCredDeliveryS3BucketArn: Description: IAM Credential Report Delivery S3 Bucket Arn Value: !GetAtt rS3Bucket.Arn oOrgPrimaryLambdaRoleName: Description: IAM Credential Report Lambda Execution Role Name Value: !Ref pOrgPrimaryLambdaRoleName