######################################################################## # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. # SPDX-License-Identifier: MIT-0 ######################################################################## AWSTemplateFormatVersion: 2010-09-09 Description: This template creates a custom resource Lambda and updates the account password policy. - 'iam_password_policy' solution in the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse59) Metadata: SRA: Version: 1.2 Entry: Parameters for deploying solution Order: 1 AWS::CloudFormation::Interface: ParameterGroups: - Label: default: General Properties Parameters: - pSRASolutionName - pSRASolutionVersion - pSRAStagingS3BucketName - pRootOrganizationalUnitId - Label: default: IAM Password Properties Parameters: - pAllowUsersToChangePassword - pHardExpiry - pMaxPasswordAge - pMinimumPasswordLength - pPasswordReusePrevention - pRequireLowercaseCharacters - pRequireNumbers - pRequireSymbols - pRequireUppercaseCharacters - Label: default: General Lambda Function Properties Parameters: - pCreateLambdaLogGroup - pLambdaLogGroupRetention - pLambdaLogGroupKmsKey - pLambdaLogLevel ParameterLabels: pAllowUsersToChangePassword: default: Allow Users to Change Password pCreateLambdaLogGroup: default: Create Lambda Log Group pHardExpiry: default: Hard Expiry pLambdaLogGroupKmsKey: default: (Optional) Lambda Logs KMS Key pLambdaLogGroupRetention: default: Lambda Log Group Retention pLambdaLogLevel: default: Lambda Log Level pMaxPasswordAge: default: Max Password Age pMinimumPasswordLength: default: Minimum Password Length pPasswordReusePrevention: default: Password Reuse Prevention pRequireLowercaseCharacters: default: Require Lowercase Characters pRequireNumbers: default: Require Numbers pRequireSymbols: default: Require Symbols pRequireUppercaseCharacters: default: Require Uppercase Characters pRootOrganizationalUnitId: default: Root Organizational Unit ID pSRASolutionName: default: SRA Solution Name pSRAStagingS3BucketName: default: SRA Staging S3 Bucket Name Parameters: pAllowUsersToChangePassword: AllowedValues: ['true', 'false'] Default: 'true' Description: You can permit all IAM users in your account to use the IAM console to change their own passwords. Type: String pCreateLambdaLogGroup: AllowedValues: ['true', 'false'] Default: 'false' Description: Indicates whether a CloudWatch Log Group should be explicitly created for the Lambda function, to allow for setting a Log Retention and/or KMS Key for encryption. Type: String pHardExpiry: AllowedValues: ['true', 'false'] Default: 'false' Description: 'You can prevent IAM users from choosing a new password after their current password has expired.' Type: String pLambdaLogGroupKmsKey: AllowedPattern: '^$|^arn:(aws[a-zA-Z-]*){1}:kms:[a-z0-9-]+:\d{12}:key\/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$' ConstraintDescription: 'Key ARN example: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' Default: '' Description: (Optional) KMS Key ARN to use for encrypting the Lambda logs data. If empty, encryption is enabled with CloudWatch Logs managing the server-side encryption keys. Type: String pLambdaLogGroupRetention: AllowedValues: [1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653] Default: 14 Description: Specifies the number of days you want to retain log events Type: String pLambdaLogLevel: AllowedValues: [INFO, ERROR, DEBUG] Default: INFO Description: Lambda Function Logging Level Type: String pMaxPasswordAge: ConstraintDescription: Must be in the range [1-1095] Default: 90 Description: You can set IAM user passwords to be valid for only the specified number of days. MaxValue: 1095 MinValue: 1 Type: Number pMinimumPasswordLength: ConstraintDescription: Must be in the range [6-128] Default: 14 Description: You can specify the minimum number of characters allowed in an IAM user password. MaxValue: 128 MinValue: 6 Type: Number pPasswordReusePrevention: ConstraintDescription: Must be in the range [1-24] Default: 24 Description: You can prevent IAM users from reusing a specified number of previous passwords. MaxValue: 24 MinValue: 1 Type: Number pRequireLowercaseCharacters: AllowedValues: ['true', 'false'] Default: 'true' Description: You can require that IAM user passwords contain at least one lowercase character from the ISO basic Latin alphabet (a to z). Type: String pRequireNumbers: AllowedValues: ['true', 'false'] Default: 'true' Description: You can require that IAM user passwords contain at least one numeric character (0 to 9). Type: String pRequireSymbols: AllowedValues: ['true', 'false'] Default: 'true' Description: "You can require that IAM user passwords contain at least one of the following nonalphanumeric characters: ! @ # $ % ^ & * ( ) _ + - = [ ] {} | '" Type: String pRequireUppercaseCharacters: AllowedValues: ['true', 'false'] Default: 'true' Description: You can require that IAM user passwords contain at least one uppercase character from the ISO basic Latin alphabet (A to Z). Type: String pRootOrganizationalUnitId: AllowedPattern: '^r-[0-9a-z]{4,32}$' ConstraintDescription: Must start with 'r-' followed by from 4 to 32 lowercase letters or digits. (e.g. r-abc123) Description: Root Organizational Unit ID Type: String pSRASolutionName: AllowedValues: [sra-iam-password-policy] Default: sra-iam-password-policy Description: The SRA solution name. The default value is the folder name of the solution Type: String pSRASolutionVersion: AllowedValues: [v1.2] Default: v1.2 Description: The SRA solution version. Used to trigger updates on the nested StackSets. Type: String pSRAStagingS3BucketName: AllowedPattern: '^(?=^.{3,63}$)(?!.*[.-]{2})(?!.*[--]{2})(?!^(?:(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(\.(?!$)|$)){4}$)(^(([a-z0-9]|[a-z0-9][a-z0-9\-]*[a-z0-9])\.)*([a-z0-9]|[a-z0-9][a-z0-9\-]*[a-z0-9])$)' ConstraintDescription: SRA Staging S3 bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Description: SRA Staging S3 bucket name for the artifacts relevant to solution. (e.g., lambda zips, CloudFormation templates) S3 bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Type: String Resources: rIAMPasswordPolicyStack: Type: AWS::CloudFormation::Stack DeletionPolicy: Delete UpdateReplacePolicy: Delete Properties: TemplateURL: !Sub https://${pSRAStagingS3BucketName}.s3.${AWS::Region}.${AWS::URLSuffix}/${pSRASolutionName}/templates/sra-iam-password-policy.yaml Tags: - Key: sra-solution Value: !Ref pSRASolutionName Parameters: pAllowUsersToChangePassword: !Ref pAllowUsersToChangePassword pCreateLambdaLogGroup: !Ref pCreateLambdaLogGroup pHardExpiry: !Ref pHardExpiry pLambdaLogGroupKmsKey: !Ref pLambdaLogGroupKmsKey pLambdaLogGroupRetention: !Ref pLambdaLogGroupRetention pLambdaLogLevel: !Ref pLambdaLogLevel pMaxPasswordAge: !Ref pMaxPasswordAge pMinimumPasswordLength: !Ref pMinimumPasswordLength pPasswordReusePrevention: !Ref pPasswordReusePrevention pRequireLowercaseCharacters: !Ref pRequireLowercaseCharacters pRequireNumbers: !Ref pRequireNumbers pRequireSymbols: !Ref pRequireSymbols pRequireUppercaseCharacters: !Ref pRequireUppercaseCharacters pSRAStagingS3BucketName: !Ref pSRAStagingS3BucketName rIAMPasswordPolicyStackSet: Type: AWS::CloudFormation::StackSet Properties: StackSetName: sra-iam-password-policy AutoDeployment: Enabled: true RetainStacksOnAccountRemoval: false CallAs: SELF Capabilities: - CAPABILITY_NAMED_IAM Description: !Sub ${pSRASolutionVersion} - Deploys a custom resource Lambda via ${pSRASolutionName} for updating the IAM password policy ManagedExecution: Active: true OperationPreferences: FailureTolerancePercentage: 100 MaxConcurrentPercentage: 100 RegionConcurrencyType: PARALLEL PermissionModel: SERVICE_MANAGED StackInstancesGroup: - DeploymentTargets: OrganizationalUnitIds: - !Ref pRootOrganizationalUnitId Regions: - !Ref AWS::Region TemplateURL: !Sub https://${pSRAStagingS3BucketName}.s3.${AWS::Region}.${AWS::URLSuffix}/${pSRASolutionName}/templates/sra-iam-password-policy.yaml Parameters: - ParameterKey: pAllowUsersToChangePassword ParameterValue: !Ref pAllowUsersToChangePassword - ParameterKey: pCreateLambdaLogGroup ParameterValue: !Ref pCreateLambdaLogGroup - ParameterKey: pHardExpiry ParameterValue: !Ref pHardExpiry - ParameterKey: pLambdaLogGroupKmsKey ParameterValue: !Ref pLambdaLogGroupKmsKey - ParameterKey: pLambdaLogGroupRetention ParameterValue: !Ref pLambdaLogGroupRetention - ParameterKey: pLambdaLogLevel ParameterValue: !Ref pLambdaLogLevel - ParameterKey: pMaxPasswordAge ParameterValue: !Ref pMaxPasswordAge - ParameterKey: pMinimumPasswordLength ParameterValue: !Ref pMinimumPasswordLength - ParameterKey: pPasswordReusePrevention ParameterValue: !Ref pPasswordReusePrevention - ParameterKey: pRequireLowercaseCharacters ParameterValue: !Ref pRequireLowercaseCharacters - ParameterKey: pRequireNumbers ParameterValue: !Ref pRequireNumbers - ParameterKey: pRequireSymbols ParameterValue: !Ref pRequireSymbols - ParameterKey: pRequireUppercaseCharacters ParameterValue: !Ref pRequireUppercaseCharacters - ParameterKey: pSRAStagingS3BucketName ParameterValue: !Ref pSRAStagingS3BucketName Tags: - Key: sra-solution Value: !Ref pSRASolutionName