# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. # SPDX-License-Identifier: MIT-0 AWSTemplateFormatVersion: 2010-09-09 Description: > Creates Lambda function to be invoked by EventBridge rule and SNS topic for violation notification. Lambda function will validate policy and/or role document using Access Analyzer. It will send notification if there is any findings. Parameters: NotificationEmail: Type: String Default: example@example.com Description: Email address to alert of any security control violations AllowedPattern: "^[\\w-\\+]+(\\.[\\w]+)*@[\\w-]+(\\.[\\w]+)*(\\.[a-z]{2,})$" Resources: LambdaFunction: Type: AWS::Lambda::Function # checkov:skip=CKV_AWS_116:Code log errors on CloudWatch logs # checkov:skip=CKV_AWS_117:Not required to run inside a VPC # checkov:skip=CKV_AWS_173:Variable is not sensitive Metadata: cfn_nag: rules_to_suppress: - id: W58 reason: "Permission is defined with much restriction as possible" - id: W89 reason: "Not required to run inside a VPC" Properties: Description: 'This Lambda function, invoked by an EventBridge rule, validates policy document when a policy or role is created or updated.' Architectures: - 'arm64' Environment: Variables: LOG_LEVEL: 'INFO' SNS_TOPIC_ARN: !Ref NotifyTopicSNS Handler: 'validate_policy.lambda_handler' MemorySize: 256 Role: !GetAtt 'LambdaIamRole.Arn' Runtime: python3.10 Timeout: 300 ReservedConcurrentExecutions: 2 Code: ZipFile: | def lambda_handler(event, context): print(event) LambdaIamRole: Type: AWS::IAM::Role # checkov:skip=CKV_AWS_111:CloudWatch Logs doesn't support condition Metadata: cfn_nag: rules_to_suppress: - id: W11 reason: "Policy has conditions when it is allowed" Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: lambda.amazonaws.com Action: sts:AssumeRole Description: Validate policy Lambda function Policies: - PolicyName: 'CloudWatchLogsPermissions' PolicyDocument: Version: '2012-10-17' Statement: - Effect: 'Allow' Action: - 'logs:CreateLogGroup' Resource: !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:*' - Effect: 'Allow' Action: - 'logs:CreateLogStream' - 'logs:PutLogEvents' Resource: !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/*LambdaFunction*:*' - PolicyName: 'SNSPermissions' PolicyDocument: Version: '2012-10-17' Statement: - Effect: 'Allow' Action: - 'sns:Publish' Resource: !Ref NotifyTopicSNS - PolicyName: 'AccessAnalyzerPermissions' PolicyDocument: Version: '2012-10-17' Statement: - Effect: 'Allow' Action: - 'access-analyzer:ValidatePolicy' Resource: '*' ConfigEventRule: Type: AWS::Events::Rule Properties: EventPattern: source: - aws.iam detail-type: - "AWS API Call via CloudTrail" detail: eventSource: - iam.amazonaws.com eventName: - CreatePolicy - CreatePolicyVersion - CreateRole - UpdateAssumeRolePolicy - PutRolePolicy - PutGroupPolicy - PutUserPolicy Targets: - Arn: !GetAtt LambdaFunction.Arn Id: LambdaFunction LambdaPermission: Type: 'AWS::Lambda::Permission' Properties: Action: 'lambda:InvokeFunction' FunctionName: !Ref LambdaFunction Principal: 'events.amazonaws.com' SourceArn: !GetAtt ConfigEventRule.Arn # Notification SNS topic NotifyTopicSNS: Type: AWS::SNS::Topic # checkov:skip=CKV_AWS_26:Data not sensitive Metadata: cfn_nag: rules_to_suppress: - id: W47 reason: "Data not sensitive" Properties: Subscription: - Endpoint: !Ref NotificationEmail Protocol: email