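---
# SAM template: when Trusted Advisor reports an "Exposed Access Keys" finding,
# an EventBridge (CloudWatch Events) rule starts a Step Functions workflow that
# deletes the exposed IAM access key, looks up recent CloudTrail activity for
# it, and notifies security through an SNS topic and a Slack webhook.
#
# Least-privilege notes: the two service roles below are scoped to the
# concrete resources they act on instead of "*"; the IAM and CloudTrail
# permissions stay on "*" because the affected user is only known at run time
# and cloudtrail:LookupEvents does not support resource-level scoping.
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31

Parameters:
  SlackWebhookURL:
    Type: String
    Description: "Enter the Slack Webhook URL as the input event to the Lambda function in JSON format {\"SlackWebhookURL\":\"\"}"
    Default: "{\"SlackWebhookURL\":\"\"}"
    # A webhook URL is a bearer credential: NoEcho keeps it out of
    # DescribeStacks output, change sets and the console. It is still placed
    # in the NotifySecurity environment (SlackWebhook_URL), so anyone with
    # lambda:GetFunctionConfiguration on that function can read it.
    NoEcho: true

Resources:
  # Fires on Trusted Advisor check refreshes that report an exposed key.
  TrustedAdvisorExposedKeyRule:
    Type: "AWS::Events::Rule"
    Properties:
      # Fixed physical name: a second deployment of this stack in the same
      # account/region will collide on it.
      Name: ExposedKeyEventRule
      EventPattern:
        source:
          - "aws.trustedadvisor"
        detail-type:
          - "Trusted Advisor Check Item Refresh Notification"
        detail:
          status:
            - "ERROR"
          check-name:
            - "Exposed Access Keys"
      State: "ENABLED"
      Targets:
        # Ref on an AWS::StepFunctions::StateMachine resolves to its ARN.
        - Arn: !Ref ExposedKeyStepFunction
          Id: "TargetFunctionV1"
          RoleArn: !GetAtt ExecuteStateMachineRole.Arn

  # Assumed by EventBridge to start the workflow. Scoped to this one state
  # machine so the role cannot start arbitrary executions in the account.
  ExecuteStateMachineRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: "AllowCWEServiceToAssumeRole"
            Effect: "Allow"
            Action:
              - "sts:AssumeRole"
            Principal:
              Service:
                - "events.amazonaws.com"
      Path: "/"
      Policies:
        - PolicyName: "ExecuteStateMachine"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - "states:StartExecution"
                Resource: !Ref ExposedKeyStepFunction

  # Three sequential Lambda tasks. Each task retries on the transient Lambda
  # service errors so a throttle or SDK hiccup does not leave the exposed key
  # in place. There is deliberately no Catch: if LookupCloudTrailEvents fails
  # after the key was deleted, NotifySecurity does not run; routing failures
  # to NotifySecurity would require it to accept the error payload as input,
  # and its expected input shape is not visible in this template.
  ExposedKeyStepFunction:
    Type: AWS::StepFunctions::StateMachine
    Properties:
      DefinitionString: !Sub |-
        {
          "Comment": "Deletes exposed IAM access keypairs and notifies security",
          "StartAt": "DeleteAccessKeyPair",
          "States": {
            "DeleteAccessKeyPair": {
              "Type": "Task",
              "Resource": "${DeleteAccessKeyPair.Arn}",
              "Retry": [
                {
                  "ErrorEquals": [
                    "Lambda.ServiceException",
                    "Lambda.AWSLambdaException",
                    "Lambda.SdkClientException",
                    "Lambda.TooManyRequestsException"
                  ],
                  "IntervalSeconds": 2,
                  "MaxAttempts": 3,
                  "BackoffRate": 2
                }
              ],
              "Next": "LookupCloudTrailEvents"
            },
            "LookupCloudTrailEvents": {
              "Type": "Task",
              "Resource": "${LookupCloudTrailEvents.Arn}",
              "Retry": [
                {
                  "ErrorEquals": [
                    "Lambda.ServiceException",
                    "Lambda.AWSLambdaException",
                    "Lambda.SdkClientException",
                    "Lambda.TooManyRequestsException"
                  ],
                  "IntervalSeconds": 2,
                  "MaxAttempts": 3,
                  "BackoffRate": 2
                }
              ],
              "Next": "NotifySecurity"
            },
            "NotifySecurity": {
              "Type": "Task",
              "Resource": "${NotifySecurity.Arn}",
              "Retry": [
                {
                  "ErrorEquals": [
                    "Lambda.ServiceException",
                    "Lambda.AWSLambdaException",
                    "Lambda.SdkClientException",
                    "Lambda.TooManyRequestsException"
                  ],
                  "IntervalSeconds": 2,
                  "MaxAttempts": 3,
                  "BackoffRate": 2
                }
              ],
              "End": true
            }
          }
        }
      RoleArn: !GetAtt StepFunctionExecutionRole.Arn

  # Assumed by Step Functions. Invoke is limited to the three functions the
  # definition above references instead of every function in the account.
  StepFunctionExecutionRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service: states.amazonaws.com
            Action: "sts:AssumeRole"
      Path: "/"
      Policies:
        - PolicyName: StatesExecutionPolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - "lambda:InvokeFunction"
                Resource:
                  - !GetAtt DeleteAccessKeyPair.Arn
                  - !GetAtt LookupCloudTrailEvents.Arn
                  - !GetAtt NotifySecurity.Arn

  # All three functions are deployed from the same archive in an external,
  # region-suffixed (us-east-1) bucket. Lambda requires the code bucket to be
  # in the function's region, so deploying elsewhere will most likely fail;
  # and because the bucket is not under the deployer's control, copying the
  # archive into an owned bucket and pinning its version is the safer
  # supply-chain posture. No Timeout is set, so the SAM/Lambda default
  # applies — confirm it is enough for the CloudTrail lookup.
  DeleteAccessKeyPair:
    Type: AWS::Serverless::Function
    Properties:
      Handler: delete_access_key_pair.lambda_handler
      Runtime: python3.9
      CodeUri: s3://aws-trusted-advisor-open-source-us-east-1/ExposedAccessKeys/lambda_functions.zip
      Role: !GetAtt LambdaDeleteAccessKeyPairRole.Arn

  LookupCloudTrailEvents:
    Type: AWS::Serverless::Function
    Properties:
      Handler: lookup_cloudtrail_events.lambda_handler
      Runtime: python3.9
      CodeUri: s3://aws-trusted-advisor-open-source-us-east-1/ExposedAccessKeys/lambda_functions.zip
      Role: !GetAtt LambdaLookupCloudTrailEventsRole.Arn

  NotifySecurity:
    Type: AWS::Serverless::Function
    Properties:
      Handler: notify_security.lambda_handler
      Runtime: python3.9
      CodeUri: s3://aws-trusted-advisor-open-source-us-east-1/ExposedAccessKeys/lambda_functions.zip
      Role: !GetAtt LambdaSnsPublishRole.Arn
      Environment:
        Variables:
          TOPIC_ARN: !Ref NotificationTopic
          # Variable name is read by the packaged handler; keep it as is.
          SlackWebhook_URL: !Ref SlackWebhookURL

  # iam:DeleteAccessKey must stay on "*": the user whose key was exposed is
  # only known from the finding at run time. This role can therefore delete
  # any access key in the account — treat it as a high-value principal and
  # alert on any use of it outside this state machine.
  LambdaDeleteAccessKeyPairRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: "AllowLambdaServiceToAssumeRole"
            Effect: "Allow"
            Action:
              - "sts:AssumeRole"
            Principal:
              Service:
                - "lambda.amazonaws.com"
      Path: "/"
      Policies:
        - PolicyName: "DeleteIAMAccessKeyPair"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - "iam:DeleteAccessKey"
                Resource: "*"
        - PolicyName: "WriteToCWLogs"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - "logs:CreateLogStream"
                  - "logs:CreateLogGroup"
                  - "logs:PutLogEvents"
                # Limited to this account/region's log groups.
                Resource: !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:*"

  # cloudtrail:LookupEvents has no resource-level permissions, so "*" is the
  # narrowest possible resource for it.
  LambdaLookupCloudTrailEventsRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: "AllowLambdaServiceToAssumeRole"
            Effect: "Allow"
            Action:
              - "sts:AssumeRole"
            Principal:
              Service:
                - "lambda.amazonaws.com"
      Path: "/"
      Policies:
        - PolicyName: "LookupCloudTrailEvents"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - "cloudtrail:LookupEvents"
                Resource: "*"
        - PolicyName: "WriteToCWLogs"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - "logs:CreateLogStream"
                  - "logs:CreateLogGroup"
                  - "logs:PutLogEvents"
                # Limited to this account/region's log groups.
                Resource: !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:*"

  # Publish is already scoped to the stack's own topic.
  LambdaSnsPublishRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: "AllowLambdaServiceToAssumeRole"
            Effect: "Allow"
            Action:
              - "sts:AssumeRole"
            Principal:
              Service:
                - "lambda.amazonaws.com"
      Path: "/"
      Policies:
        - PolicyName: "PublishToSNSTopic"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - "sns:Publish"
                Resource: !Ref NotificationTopic
        - PolicyName: "WriteToCWLogs"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - "logs:CreateLogStream"
                  - "logs:CreateLogGroup"
                  - "logs:PutLogEvents"
                # Limited to this account/region's log groups.
                Resource: !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:*"

  # Security notification topic. No subscriptions are created here, so the
  # deployer must add them; no KmsMasterKeyId is set, so messages (which
  # carry the affected user/key details) are not encrypted at rest — confirm
  # whether that is acceptable before relying on this topic.
  NotificationTopic:
    Type: "AWS::SNS::Topic"
    Properties:
      DisplayName: "SecurityNotificationTopic"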