# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. # SPDX-License-Identifier: MIT-0 # Provisions Custom Config Rule # Pre-req: Lambda for Custom Rule. RDK optional # kmmahaj AWSTemplateFormatVersion: 2010-09-09 Description: >- AWS CloudFormation template to create custom AWS Config rules. You will be billed for the AWS resources used if you create a stack from this template. Parameters: RuleName: Description: Name of the Rule Type: String MinLength: '1' MaxLength: '255' Default: 'CLOUDKNOX_PCI' Description: Description: Description of the Rule Type: String MinLength: '1' MaxLength: '255' Default: 'CLOUDKNOX_PCI' LambdaRoleArn: Description: >- ARN of the existing IAM role that you want to attach to the lambda function. Type: String Default: '' BoundaryPolicyArn: Description: 'ARN of a Boundary Policy, will be used only if LambdaRoleArn is NOT set.' Type: String Default: '' SourceBucket: Description: Name of the S3 bucket that you have stored the rule zip files in. Type: String MinLength: '1' MaxLength: '255' Default: 'config-rule-code-bucket--' SourcePath: Description: Location in the S3 bucket where you have stored the rule zip files. Type: String MinLength: '1' MaxLength: '255' Default: 'CLOUDKNOX_PCI/CLOUDKNOX_PCI.zip' SourceEvents: Description: Event Type Type: CommaDelimitedList Default: NONE SourceRuntime: Description: Runtime Language Type: String MinLength: '1' MaxLength: '255' Default: 'python3.7' SourcePeriodic: Description: Execution Frequency Type: String MinLength: '1' MaxLength: '255' Default: 'TwentyFour_Hours' SourceInputParameters: Description: Input Parameters Type: String Default: '{}' SourceHandler: Description: Lambda Function Handler Type: String Default: 'CLOUDKNOX_PCI.lambda_handler' Layers: Description: >- Comma-separated list of Lambda layers to be included with Lambda Function deployment Type: String Default: '' SecurityGroupIds: Description: Comma-separated list of Security Group Ids for Lambda Function deployment Type: String Default: '' SubnetIds: Description: Comma-separated list of Subnet Ids for Lambda Function deployment Type: String Default: '' Timeout: Description: Lambda Function timeout Type: String Default: 60 Conditions: CreateNewLambdaRole: !Equals - !Ref LambdaRoleArn - '' UseBoundaryPolicyInRole: !Not - !Equals - !Ref BoundaryPolicyArn - '' EventTriggered: !Not - !Equals - !Join - ',' - !Ref SourceEvents - NONE PeriodicTriggered: !Not - !Equals - !Ref SourcePeriodic - NONE UseAdditionalLayers: !Not - !Equals - !Ref Layers - '' UseVpcConfig: !And - !Not - !Equals - !Ref SecurityGroupIds - '' - !Not - !Equals - !Ref SubnetIds - '' Resources: rdkRuleCodeLambda: Type: 'AWS::Lambda::Function' Properties: FunctionName: !Join - '' - - RDK-Rule-Function- - !Ref RuleName Code: S3Bucket: !Ref SourceBucket S3Key: !Join - '' - - !Ref RuleName - / - !Ref RuleName - .zip Description: Create a new AWS lambda function for rule code Handler: !Ref SourceHandler MemorySize: '256' Role: !If - CreateNewLambdaRole - !GetAtt - rdkLambdaRole - Arn - !Ref LambdaRoleArn Runtime: !Ref SourceRuntime Timeout: !Ref Timeout Layers: !If - UseAdditionalLayers - !Split - ',' - !Ref Layers - !Ref 'AWS::NoValue' VpcConfig: !If - UseVpcConfig - SecurityGroupIds: !Split - ',' - !Ref SecurityGroupIds SubnetIds: !Split - ',' - !Ref SubnetIds - !Ref 'AWS::NoValue' ConfigPermissionToCallrdkRuleCodeLambda: Type: 'AWS::Lambda::Permission' DependsOn: rdkRuleCodeLambda Properties: FunctionName: !GetAtt - rdkRuleCodeLambda - Arn Action: 'lambda:InvokeFunction' Principal: config.amazonaws.com rdkConfigRule: Type: 'AWS::Config::ConfigRule' DependsOn: - ConfigPermissionToCallrdkRuleCodeLambda Properties: ConfigRuleName: !Ref RuleName Description: !Ref Description Scope: !If - EventTriggered - ComplianceResourceTypes: !Ref SourceEvents - !Ref 'AWS::NoValue' Source: Owner: CUSTOM_LAMBDA SourceIdentifier: !GetAtt - rdkRuleCodeLambda - Arn SourceDetails: - !If - EventTriggered - EventSource: aws.config MessageType: ConfigurationItemChangeNotification - !Ref 'AWS::NoValue' - !If - PeriodicTriggered - EventSource: aws.config MessageType: ScheduledNotification MaximumExecutionFrequency: !Ref SourcePeriodic - !Ref 'AWS::NoValue' InputParameters: !Ref SourceInputParameters rdkLambdaRole: Condition: CreateNewLambdaRole Type: 'AWS::IAM::Role' Properties: Path: /rdk/ PermissionsBoundary: !If - UseBoundaryPolicyInRole - !Ref BoundaryPolicyArn - !Ref 'AWS::NoValue' AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Sid: AllowLambdaAssumeRole Effect: Allow Principal: Service: lambda.amazonaws.com Action: 'sts:AssumeRole' Policies: - PolicyName: ConfigRulePolicy PolicyDocument: Version: 2012-10-17 Statement: - Sid: '1' Action: - 's3:GetObject' Effect: Allow Resource: !Sub 'arn:${AWS::Partition}:s3:::${SourceBucket}/${SourcePath}' - Sid: '2' Action: - 'logs:CreateLogGroup' - 'logs:CreateLogStream' - 'logs:PutLogEvents' - 'logs:DescribeLogStreams' Effect: Allow Resource: '*' - Sid: '3' Action: - 'config:PutEvaluations' Effect: Allow Resource: '*' - Sid: '4' Action: - 'iam:List*' - 'iam:Describe*' - 'iam:Get*' Effect: Allow Resource: '*' - Sid: '5' Action: - 'secretsmanager:*' Effect: Allow Resource: '*' - Sid: '6' Action: - 'sts:AssumeRole' Effect: Allow Resource: '*' ManagedPolicyArns: - !Sub 'arn:${AWS::Partition}:iam::aws:policy/ReadOnlyAccess' Outputs: RuleCodeLambda: Description: ARN for the Rule Code lambda Value: !GetAtt - rdkRuleCodeLambda - Arn