AWSTemplateFormatVersion: '2010-09-09' Transform: AWS::Serverless-2016-10-31 Resources: RiskCredentialsExposedRule: Type: "AWS::Events::Rule" Properties: Name: RiskCredentialsExposedRule EventPattern: source: - "aws.health" detail-type: - "AWS Health Event" detail: service: - "RISK" eventTypeCategory: - "issue" eventTypeCode: - "AWS_RISK_CREDENTIALS_EXPOSED" State: "ENABLED" Targets: - Arn: !Ref ExposedKeyStepFunction Id: "TargetFunctionV1" RoleArn: !GetAtt ExecuteStateMachineRole.Arn ExecuteStateMachineRole: Type: "AWS::IAM::Role" Properties: AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Sid: "AllowCWEServiceToAssumeRole" Effect: "Allow" Action: - "sts:AssumeRole" Principal: Service: - "events.amazonaws.com" Path: "/" Policies: - PolicyName: "ExecuteStateMachine" PolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Action: - "states:StartExecution" Resource: "*" ExposedKeyStepFunction: Type: AWS::StepFunctions::StateMachine Properties: DefinitionString: !Sub |- { "Comment": "Deletes exposed IAM access keypairs and notifies security", "StartAt": "DeleteAccessKeyPair", "States": { "DeleteAccessKeyPair": { "Type": "Task", "Resource": "${DeleteAccessKeyPair.Arn}", "Catch": [ { "ErrorEquals": [ "ClientError" ], "ResultPath": "$.error-info", "Next": "NotifySecurity" } ], "Next": "LookupCloudTrailEvents" }, "LookupCloudTrailEvents": { "Type": "Task", "Resource": "${LookupCloudTrailEvents.Arn}", "Next": "NotifySecurity" }, "NotifySecurity": { "Type": "Task", "Resource": "${NotifySecurity.Arn}", "End": true } } } RoleArn: !GetAtt StepFunctionExecutionRole.Arn StepFunctionExecutionRole: Type: "AWS::IAM::Role" Properties: AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: Service: !Sub |- states.${AWS::Region}.amazonaws.com Action: "sts:AssumeRole" Path: "/" Policies: - PolicyName: StatesExecutionPolicy PolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Action: - "lambda:InvokeFunction" Resource: "*" DeleteAccessKeyPair: Type: AWS::Serverless::Function Properties: Handler: delete_access_key_pair.lambda_handler Runtime: python3.8 CodeUri: ../lambda_functions/ Role: !GetAtt LambdaDeleteAccessKeyPairRole.Arn LookupCloudTrailEvents: Type: AWS::Serverless::Function Properties: Handler: lookup_cloudtrail_events.lambda_handler Runtime: python3.8 CodeUri: ../lambda_functions/ Role: !GetAtt LambdaLookupCloudTrailEventsRole.Arn NotifySecurity: Type: AWS::Serverless::Function Properties: Handler: notify_security.lambda_handler Runtime: python3.8 CodeUri: ../lambda_functions/ Role: !GetAtt LambdaSnsPublishRole.Arn Environment: Variables: TOPIC_ARN: !Ref NotificationTopic LambdaDeleteAccessKeyPairRole: Type: "AWS::IAM::Role" Properties: AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Sid: "AllowLambdaServiceToAssumeRole" Effect: "Allow" Action: - "sts:AssumeRole" Principal: Service: - "lambda.amazonaws.com" Path: "/" Policies: - PolicyName: "DeleteIAMAccessKeyPair" PolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Action: - "iam:DeleteAccessKey" - "iam:GetAccessKeyLastUsed" Resource: "*" - PolicyName: "WriteToCWLogs" PolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Action: - "logs:CreateLogStream" - "logs:CreateLogGroup" - "logs:PutLogEvents" Resource: "*" LambdaLookupCloudTrailEventsRole: Type: "AWS::IAM::Role" Properties: AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Sid: "AllowLambdaServiceToAssumeRole" Effect: "Allow" Action: - "sts:AssumeRole" Principal: Service: - "lambda.amazonaws.com" Path: "/" Policies: - PolicyName: "LookupCloudTrailEvents" PolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Action: - "cloudtrail:LookupEvents" Resource: "*" - PolicyName: "WriteToCWLogs" PolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Action: - "logs:CreateLogStream" - "logs:CreateLogGroup" - "logs:PutLogEvents" Resource: "*" LambdaSnsPublishRole: Type: "AWS::IAM::Role" Properties: AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Sid: "AllowLambdaServiceToAssumeRole" Effect: "Allow" Action: - "sts:AssumeRole" Principal: Service: - "lambda.amazonaws.com" Path: "/" Policies: - PolicyName: "PublishToSNSTopic" PolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Action: - "sns:Publish" Resource: !Ref NotificationTopic - PolicyName: "WriteToCWLogs" PolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Action: - "logs:CreateLogStream" - "logs:CreateLogGroup" - "logs:PutLogEvents" Resource: "*" NotificationTopic: Type: "AWS::SNS::Topic" Properties: KmsMasterKeyId: "alias/aws/sns" TopicName: "SecurityNotificationTopic"