########################################################################
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0
########################################################################
AWSTemplateFormatVersion: 2010-09-09
Description:
  This template creates a custom resource Lambda and updates the account password policy. - 'iam_password_policy' solution in the repo,
  https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse59)

Metadata:
  SRA:
    Version: 1.2
    Entry: Parameters for deploying solution with resolving SSM parameters
    Order: 1
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: General Properties
        Parameters:
          - pSRASolutionName
          - pSRASolutionVersion
          - pSRAStagingS3BucketName
          - pRootOrganizationalUnitId
      - Label:
          default: IAM Password Properties
        Parameters:
          - pAllowUsersToChangePassword
          - pHardExpiry
          - pMaxPasswordAge
          - pMinimumPasswordLength
          - pPasswordReusePrevention
          - pRequireLowercaseCharacters
          - pRequireNumbers
          - pRequireSymbols
          - pRequireUppercaseCharacters
      - Label:
          default: General Lambda Function Properties
        Parameters:
          - pCreateLambdaLogGroup
          - pLambdaLogGroupRetention
          - pLambdaLogGroupKmsKey
          - pLambdaLogLevel

    ParameterLabels:
      pAllowUsersToChangePassword:
        default: Allow Users to Change Password
      pCreateLambdaLogGroup:
        default: Create Lambda Log Group
      pHardExpiry:
        default: Hard Expiry
      pLambdaLogGroupKmsKey:
        default: (Optional) Lambda Logs KMS Key
      pLambdaLogGroupRetention:
        default: Lambda Log Group Retention
      pLambdaLogLevel:
        default: Lambda Log Level
      pMaxPasswordAge:
        default: Max Password Age
      pMinimumPasswordLength:
        default: Minimum Password Length
      pPasswordReusePrevention:
        default: Password Reuse Prevention
      pRequireLowercaseCharacters:
        default: Require Lowercase Characters
      pRequireNumbers:
        default: Require Numbers
      pRequireSymbols:
        default: Require Symbols
      pRequireUppercaseCharacters:
        default: Require Uppercase Characters
      pRootOrganizationalUnitId:
        default: Root Organizational Unit ID
      pSRASolutionName:
        default: SRA Solution Name
      pSRAStagingS3BucketName:
        default: SRA Staging S3 Bucket Name

Parameters:
  pAllowUsersToChangePassword:
    AllowedValues: ['true', 'false']
    Default: 'true'
    Description: You can permit all IAM users in your account to use the IAM console to change their own passwords.
    Type: String
  pCreateLambdaLogGroup:
    AllowedValues: ['true', 'false']
    Default: 'false'
    Description:
      Indicates whether a CloudWatch Log Group should be explicitly created for the Lambda function, to allow for setting a Log Retention and/or KMS Key
      for encryption.
    Type: String
  pHardExpiry:
    AllowedValues: ['true', 'false']
    Default: 'false'
    Description: 'You can prevent IAM users from choosing a new password after their current password has expired.'
    Type: String
  pLambdaLogGroupKmsKey:
    AllowedPattern: '^$|^arn:(aws[a-zA-Z-]*){1}:kms:[a-z0-9-]+:\d{12}:key\/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$'
    ConstraintDescription: 'Key ARN example: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'
    Default: ''
    Description:
      (Optional) KMS Key ARN to use for encrypting the Lambda logs data. If empty, encryption is enabled with CloudWatch Logs managing the server-side
      encryption keys.
    Type: String
  pLambdaLogGroupRetention:
    AllowedValues: [1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653]
    Default: 14
    Description: Specifies the number of days you want to retain log events
    Type: String
  pLambdaLogLevel:
    AllowedValues: [INFO, ERROR, DEBUG]
    Default: INFO
    Description: Lambda Function Logging Level
    Type: String
  pMaxPasswordAge:
    ConstraintDescription: Must be in the range [1-1095]
    Default: 90
    Description: You can set IAM user passwords to be valid for only the specified number of days.
    MaxValue: 1095
    MinValue: 1
    Type: Number
  pMinimumPasswordLength:
    ConstraintDescription: Must be in the range [6-128]
    Default: 14
    Description: You can specify the minimum number of characters allowed in an IAM user password.
    MaxValue: 128
    MinValue: 6
    Type: Number
  pPasswordReusePrevention:
    ConstraintDescription: Must be in the range [1-24]
    Default: 24
    Description: You can prevent IAM users from reusing a specified number of previous passwords.
    MaxValue: 24
    MinValue: 1
    Type: Number
  pRequireLowercaseCharacters:
    AllowedValues: ['true', 'false']
    Default: 'true'
    Description: You can require that IAM user passwords contain at least one lowercase character from the ISO basic Latin alphabet (a to z).
    Type: String
  pRequireNumbers:
    AllowedValues: ['true', 'false']
    Default: 'true'
    Description: You can require that IAM user passwords contain at least one numeric character (0 to 9).
    Type: String
  pRequireSymbols:
    AllowedValues: ['true', 'false']
    Default: 'true'
    Description: "You can require that IAM user passwords contain at least one of the following nonalphanumeric characters: ! @ # $ % ^ & * ( ) _ + - = [ ] {} | '"
    Type: String
  pRequireUppercaseCharacters:
    AllowedValues: ['true', 'false']
    Default: 'true'
    Description: You can require that IAM user passwords contain at least one uppercase character from the ISO basic Latin alphabet (A to Z).
    Type: String
  pRootOrganizationalUnitId:
    AllowedPattern: '^([\w.-]{1,900})$|^(\/[\w.-]{1,900})*[\w.-]{1,900}$'
    ConstraintDescription:
      Must be alphanumeric or special characters [., _, -]. In addition, the slash character ( / ) used to delineate hierarchies in parameter names.
    Default: /sra/control-tower/root-organizational-unit-id
    Description: SSM Parameter for Root Organizational Unit ID
    Type: AWS::SSM::Parameter::Value<String>
  pSRASolutionName:
    AllowedValues: [sra-iam-password-policy]
    Default: sra-iam-password-policy
    Description: The SRA solution name. The default value is the folder name of the solution
    Type: String
  pSRASolutionVersion:
    AllowedValues: [v1.2]
    Default: v1.2
    Description: The SRA solution version. Used to trigger updates on the nested StackSets.
    Type: String
  pSRAStagingS3BucketName:
    AllowedPattern: '^([\w.-]{1,900})$|^(\/[\w.-]{1,900})*[\w.-]{1,900}$'
    ConstraintDescription:
      Must be alphanumeric or special characters [., _, -]. In addition, the slash character ( / ) used to delineate hierarchies in parameter names.
    Default: /sra/staging-s3-bucket-name
    Description:
      SSM Parameter for SRA Staging S3 bucket name for the artifacts relevant to solution. (e.g., lambda zips, CloudFormation templates) S3 bucket
      name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-).
    Type: AWS::SSM::Parameter::Value<String>

Resources:
  rIAMPasswordPolicyStack:
    Type: AWS::CloudFormation::Stack
    DeletionPolicy: Delete
    UpdateReplacePolicy: Delete
    Properties:
      TemplateURL: !Sub https://${pSRAStagingS3BucketName}.s3.${AWS::Region}.${AWS::URLSuffix}/${pSRASolutionName}/templates/sra-iam-password-policy.yaml
      Tags:
        - Key: sra-solution
          Value: !Ref pSRASolutionName
      Parameters:
        pAllowUsersToChangePassword: !Ref pAllowUsersToChangePassword
        pCreateLambdaLogGroup: !Ref pCreateLambdaLogGroup
        pHardExpiry: !Ref pHardExpiry
        pLambdaLogGroupKmsKey: !Ref pLambdaLogGroupKmsKey
        pLambdaLogGroupRetention: !Ref pLambdaLogGroupRetention
        pLambdaLogLevel: !Ref pLambdaLogLevel
        pMaxPasswordAge: !Ref pMaxPasswordAge
        pMinimumPasswordLength: !Ref pMinimumPasswordLength
        pPasswordReusePrevention: !Ref pPasswordReusePrevention
        pRequireLowercaseCharacters: !Ref pRequireLowercaseCharacters
        pRequireNumbers: !Ref pRequireNumbers
        pRequireSymbols: !Ref pRequireSymbols
        pRequireUppercaseCharacters: !Ref pRequireUppercaseCharacters
        pSRAStagingS3BucketName: !Ref pSRAStagingS3BucketName

  rIAMPasswordPolicyStackSet:
    Type: AWS::CloudFormation::StackSet
    Properties:
      StackSetName: sra-iam-password-policy
      AutoDeployment:
        Enabled: true
        RetainStacksOnAccountRemoval: false
      CallAs: SELF
      Capabilities:
        - CAPABILITY_NAMED_IAM
      Description: !Sub ${pSRASolutionVersion} - Deploys a custom resource Lambda via ${pSRASolutionName} for updating the IAM password policy
      ManagedExecution:
        Active: true
      OperationPreferences:
        FailureTolerancePercentage: 100
        MaxConcurrentPercentage: 100
        RegionConcurrencyType: PARALLEL
      PermissionModel: SERVICE_MANAGED
      StackInstancesGroup:
        - DeploymentTargets:
            OrganizationalUnitIds:
              - !Ref pRootOrganizationalUnitId
          Regions:
            - !Ref AWS::Region
      TemplateURL: !Sub https://${pSRAStagingS3BucketName}.s3.${AWS::Region}.${AWS::URLSuffix}/${pSRASolutionName}/templates/sra-iam-password-policy.yaml
      Parameters:
        - ParameterKey: pAllowUsersToChangePassword
          ParameterValue: !Ref pAllowUsersToChangePassword
        - ParameterKey: pCreateLambdaLogGroup
          ParameterValue: !Ref pCreateLambdaLogGroup
        - ParameterKey: pHardExpiry
          ParameterValue: !Ref pHardExpiry
        - ParameterKey: pLambdaLogGroupKmsKey
          ParameterValue: !Ref pLambdaLogGroupKmsKey
        - ParameterKey: pLambdaLogGroupRetention
          ParameterValue: !Ref pLambdaLogGroupRetention
        - ParameterKey: pLambdaLogLevel
          ParameterValue: !Ref pLambdaLogLevel
        - ParameterKey: pMaxPasswordAge
          ParameterValue: !Ref pMaxPasswordAge
        - ParameterKey: pMinimumPasswordLength
          ParameterValue: !Ref pMinimumPasswordLength
        - ParameterKey: pPasswordReusePrevention
          ParameterValue: !Ref pPasswordReusePrevention
        - ParameterKey: pRequireLowercaseCharacters
          ParameterValue: !Ref pRequireLowercaseCharacters
        - ParameterKey: pRequireNumbers
          ParameterValue: !Ref pRequireNumbers
        - ParameterKey: pRequireSymbols
          ParameterValue: !Ref pRequireSymbols
        - ParameterKey: pRequireUppercaseCharacters
          ParameterValue: !Ref pRequireUppercaseCharacters
        - ParameterKey: pSRAStagingS3BucketName
          ParameterValue: !Ref pSRAStagingS3BucketName
      Tags:
        - Key: sra-solution
          Value: !Ref pSRASolutionName