######################################################################## # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. # SPDX-License-Identifier: MIT-0 ######################################################################## AWSTemplateFormatVersion: 2010-09-09 Description: This template creates a custom resource Lambda to update the account password policy - 'iam_password_policy' solution in the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse59) Metadata: SRA: Version: 1.1 Order: 2 AWS::CloudFormation::Interface: ParameterGroups: - Label: default: Custom Resource Properties Parameters: - pAllowUsersToChangePassword - pHardExpiry - pMaxPasswordAge - pMinimumPasswordLength - pPasswordReusePrevention - pRequireLowercaseCharacters - pRequireNumbers - pRequireSymbols - pRequireUppercaseCharacters - Label: default: Lambda Function Properties Parameters: - pIAMPasswordPolicyLambdaRoleName - pIAMPasswordPolicyLambdaFunctionName - Label: default: General Lambda Function Properties Parameters: - pCreateLambdaLogGroup - pLambdaLogGroupRetention - pLambdaLogGroupKmsKey - pLambdaLogLevel ParameterLabels: pAllowUsersToChangePassword: default: Allow Users to Change Password pHardExpiry: default: Hard Expiry pIAMPasswordPolicyLambdaFunctionName: default: Lambda Function Name pIAMPasswordPolicyLambdaRoleName: default: Lambda Role Name pLambdaLogGroupKmsKey: default: (Optional) Lambda Logs KMS Key pLambdaLogGroupRetention: default: Lambda Log Group Retention pLambdaLogLevel: default: Lambda Log Level pMaxPasswordAge: default: Max Password Age pMinimumPasswordLength: default: Minimum Password Length pPasswordReusePrevention: default: Password Reuse Prevention pRequireLowercaseCharacters: default: Require Lowercase Characters pRequireNumbers: default: Require Numbers pRequireSymbols: default: Require Symbols pRequireUppercaseCharacters: default: Require Uppercase Characters pSRASolutionName: default: SRA Solution Name pSRAStagingS3BucketName: default: SRA Staging S3 Bucket Name Parameters: pAllowUsersToChangePassword: AllowedValues: ['true', 'false'] Default: 'true' Description: You can permit all IAM users in your account to use the IAM console to change their own passwords. Type: String pCreateLambdaLogGroup: AllowedValues: ['true', 'false'] Default: 'false' Description: Indicates whether a CloudWatch Log Group should be explicitly created for the Lambda function, to allow for setting a Log Retention and/or KMS Key for encryption. Type: String pHardExpiry: AllowedValues: ['true', 'false'] Default: 'false' Description: 'You can prevent IAM users from choosing a new password after their current password has expired.' Type: String pIAMPasswordPolicyLambdaRoleName: AllowedPattern: '^[\w+=,.@-]{1,64}$' ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -] Default: sra-iam-password-policy-lambda Description: Lambda role name Type: String pIAMPasswordPolicyLambdaFunctionName: AllowedPattern: '^[\w-]{0,64}$' ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [_, -] Default: sra-iam-password-policy Description: Lambda function name Type: String pLambdaLogGroupKmsKey: AllowedPattern: '^$|^arn:(aws[a-zA-Z-]*){1}:kms:[a-z0-9-]+:\d{12}:key\/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$' ConstraintDescription: 'Key ARN example: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' Description: (Optional) KMS Key ARN to use for encrypting the Lambda logs data. If empty, encryption is enabled with CloudWatch Logs managing the server-side encryption keys. Type: String pLambdaLogGroupRetention: AllowedValues: [1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653] Default: 14 Description: Specifies the number of days you want to retain log events Type: String pLambdaLogLevel: AllowedValues: [INFO, ERROR, DEBUG] Default: INFO Description: Lambda Function Logging Level Type: String pMaxPasswordAge: ConstraintDescription: Must be in the range [1-1095] Default: 90 Description: You can set IAM user passwords to be valid for only the specified number of days. MaxValue: 1095 MinValue: 1 Type: Number pMinimumPasswordLength: ConstraintDescription: Must be in the range [6-128] Default: 14 Description: You can specify the minimum number of characters allowed in an IAM user password. MaxValue: 128 MinValue: 6 Type: Number pPasswordReusePrevention: ConstraintDescription: Must be in the range [1-24] Default: 24 Description: You can prevent IAM users from reusing a specified number of previous passwords. MaxValue: 24 MinValue: 1 Type: Number pRequireLowercaseCharacters: AllowedValues: ['true', 'false'] Default: 'true' Description: You can require that IAM user passwords contain at least one lowercase character from the ISO basic Latin alphabet (a to z). Type: String pRequireNumbers: AllowedValues: ['true', 'false'] Default: 'true' Description: You can require that IAM user passwords contain at least one numeric character (0 to 9). Type: String pRequireSymbols: AllowedValues: ['true', 'false'] Default: 'true' Description: "You can require that IAM user passwords contain at least one of the following nonalphanumeric characters: ! @ # $ % ^ & * ( ) _ + - = [ ] {} | '" Type: String pRequireUppercaseCharacters: AllowedValues: ['true', 'false'] Default: 'true' Description: You can require that IAM user passwords contain at least one uppercase character from the ISO basic Latin alphabet (A to Z). Type: String pSRASolutionName: AllowedValues: [sra-iam-password-policy] Default: sra-iam-password-policy Description: The SRA solution name. The default value is the folder name of the solution Type: String pSRAStagingS3BucketName: AllowedPattern: '^(?=^.{3,63}$)(?!.*[.-]{2})(?!.*[--]{2})(?!^(?:(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(\.(?!$)|$)){4}$)(^(([a-z0-9]|[a-z0-9][a-z0-9\-]*[a-z0-9])\.)*([a-z0-9]|[a-z0-9][a-z0-9\-]*[a-z0-9])$)' ConstraintDescription: SRA Staging S3 bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Description: SRA Staging S3 bucket name for the artifacts relevant to solution. (e.g., lambda zips, CloudFormation templates) S3 bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Type: String Conditions: cUseKmsKey: !Not [!Equals [!Ref pLambdaLogGroupKmsKey, '']] cCreateLambdaLogGroup: !Equals [!Ref pCreateLambdaLogGroup, 'true'] cUseGraviton: !Or - !Equals [!Ref 'AWS::Region', ap-northeast-1] - !Equals [!Ref 'AWS::Region', ap-south-1] - !Equals [!Ref 'AWS::Region', ap-southeast-1] - !Equals [!Ref 'AWS::Region', ap-southeast-2] - !Equals [!Ref 'AWS::Region', eu-central-1] - !Equals [!Ref 'AWS::Region', eu-west-1] - !Equals [!Ref 'AWS::Region', eu-west-2] - !Equals [!Ref 'AWS::Region', us-east-1] - !Equals [!Ref 'AWS::Region', us-east-2] - !Equals [!Ref 'AWS::Region', us-west-2] Resources: rIAMPasswordPolicyLambdaLogGroup: Condition: cCreateLambdaLogGroup DeletionPolicy: Retain Type: AWS::Logs::LogGroup UpdateReplacePolicy: Retain Properties: LogGroupName: !Sub /aws/lambda/${pIAMPasswordPolicyLambdaFunctionName} KmsKeyId: !If - cUseKmsKey - !Ref pLambdaLogGroupKmsKey - !Ref AWS::NoValue RetentionInDays: !Ref pLambdaLogGroupRetention rIAMPasswordPolicyLambdaRole: Type: AWS::IAM::Role Metadata: cfn_nag: rules_to_suppress: - id: W11 reason: Allow Resource * for IAM APIs. The password policy does not have the ARN namespace. - id: W28 reason: The role name is defined Properties: RoleName: !Ref pIAMPasswordPolicyLambdaRoleName AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Action: sts:AssumeRole Effect: Allow Principal: Service: lambda.amazonaws.com Path: '/' Policies: - PolicyName: sra-iam-password-policy PolicyDocument: Version: 2012-10-17 Statement: - Sid: CreateLogStreamAndEvents Effect: Allow Action: - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents Resource: !Sub arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${pIAMPasswordPolicyLambdaFunctionName}:log-stream:* - Sid: IAMUpdateAccountPasswordPolicy Effect: Allow Action: iam:UpdateAccountPasswordPolicy Resource: '*' rIAMPasswordPolicyLambdaFunction: Type: AWS::Lambda::Function Metadata: cfn_nag: rules_to_suppress: - id: W58 reason: CloudWatch access provided by the attached IAM role - id: W89 reason: Lambda is not deployed within a VPC - id: W92 reason: Lambda does not need reserved concurrent executions. checkov: skip: - id: CKV_AWS_115 comment: Lambda does not need reserved concurrent executions. - id: CKV_AWS_116 comment: DLQ not needed, as Lambda function only triggered by CloudFormation events. - id: CKV_AWS_117 comment: Lambda does not need to communicate with VPC resources. - id: CKV_AWS_173 comment: Environment variables are not sensitive. Properties: FunctionName: !Ref pIAMPasswordPolicyLambdaFunctionName Description: SRA Update IAM password policy Role: !GetAtt rIAMPasswordPolicyLambdaRole.Arn Architectures: !If - cUseGraviton - [arm64] - !Ref AWS::NoValue Handler: app.lambda_handler MemorySize: 128 Runtime: python3.9 Timeout: 60 Code: S3Bucket: !Ref pSRAStagingS3BucketName S3Key: !Sub ${pSRASolutionName}/lambda_code/${pSRASolutionName}.zip Environment: Variables: LOG_LEVEL: !Ref pLambdaLogLevel Tags: - Key: sra-solution Value: !Ref pSRASolutionName rIAMPasswordPolicyCustomResource: Type: Custom::IAMPasswordPolicy Version: '1.0' Properties: ALLOW_USERS_TO_CHANGE_PASSWORD: !Ref pAllowUsersToChangePassword HARD_EXPIRY: !Ref pHardExpiry MAX_PASSWORD_AGE: !Ref pMaxPasswordAge MINIMUM_PASSWORD_LENGTH: !Ref pMinimumPasswordLength PASSWORD_REUSE_PREVENTION: !Ref pPasswordReusePrevention REQUIRE_LOWERCASE_CHARACTERS: !Ref pRequireLowercaseCharacters REQUIRE_NUMBERS: !Ref pRequireNumbers REQUIRE_SYMBOLS: !Ref pRequireSymbols REQUIRE_UPPERCASE_CHARACTERS: !Ref pRequireUppercaseCharacters ServiceToken: !GetAtt rIAMPasswordPolicyLambdaFunction.Arn