# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
---
schemaVersion: "0.3"
description: |
  ### Document name - ASR-RemoveLambdaPublicAccess

  ## What does this document do?
  This document removes the public resource policy. A public resource policy
  contains a principal "*" or AWS: "*", which allows public access to the
  function. The remediation is to remove the SID of the public policy.

  ## Input Parameters
  * FunctionName: name of the AWS Lambda function that has open access policies
  * AutomationAssumeRole: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.

  ## Output Parameters

  * RemoveLambdaPublicAccess.Output - stdout messages from the remediation

  ## Security Standards / Controls
  * AFSBP v1.0.0: Lambda.1
  * CIS v1.2.0:   n/a
  * PCI:          Lambda.1

assumeRole: "{{ AutomationAssumeRole }}"
parameters:
  FunctionName:
    type: String
    allowedPattern: ^[a-zA-Z0-9\-_]{1,64}$
  AutomationAssumeRole:
    type: String
    description: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
    allowedPattern: '^arn:(?:aws|aws-us-gov|aws-cn):iam::\d{12}:role/[\w+=,.@-]+$'

outputs:
  -  RemoveLambdaPublicAccess.Output
mainSteps:
  - name: RemoveLambdaPublicAccess
    action: 'aws:executeScript'
    outputs:
      - Name: Output
        Selector: $.Payload.response
        Type: StringMap
    inputs:
      InputPayload:
        FunctionName: '{{FunctionName}}'
      Runtime: python3.8
      Handler: remove_lambda_public_access
      Script: |-
        %%SCRIPT=RemoveLambdaPublicAccess.py%%