################################################################################## # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. # # Licensed under the Apache License, Version 2.0 (the "License"). # You may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # ################################################################################## AWSTemplateFormatVersion: 2010-09-09 Parameters: eventBridgeARN: Type: String lambdaARN: Type: String Resources: EvidenceCollectionRule: Type: AWS::Events::Rule DeletionPolicy: Retain Properties: Name: 'EvidenceCollectionRule' Description: 'Evidence Collection Event bus rule for Compliance Change' EventPattern: source: - 'aws.securityhub' detail-type: - 'Security Hub Findings - Imported' State: 'ENABLED' Targets: - Arn: !Ref 'eventBridgeARN' Id: 'SHubEvidenceCollection' EvidenceCollectionRole: Type: 'AWS::IAM::Role' Properties: RoleName: 'EvidenceCollectorReadOnlyRole' AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: AWS: - !Ref 'lambdaARN' Action: - 'sts:AssumeRole' Path: / Policies: - PolicyName: evidenceCollectionPolicy PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - 'tag:Get*' Resource: '*' - Effect: Allow Action: - 'config:Describe*' - 'config:Get*' - 'config:List*' - 'config:BatchGetAggregateResourceConfig' - 'config:BatchGetResourceConfig' Resource: '*'