iam-key-auto-rotation-and-notifier.yaml

# (c) 2020 Amazon Web Services, Inc. or its affiliates. All Rights Reserved. This AWS Content
# is provided subject to the terms of the AWS Customer Agreement available at
# https://aws.amazon.com/agreement/ or other written agreement between Customer
# and Amazon Web Services, Inc.

AWSTemplateFormatVersion: '2010-09-09'
Description: "AWS CloudFormation template to set up Auto-rotation function for AWS IAM Access Keys."

Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Configure the Deployment
        Parameters:
          - S3BucketName
          - S3BucketPrefix
          - KMSKeyID
      - Label:
          default: Configure Notifier Tool
        Parameters:
          - CSVBucketName
          - CSVFileName
          - EmailTableName
          - AdminEmailAddress

    ParameterLabels:
      # Deployment Configuration
      S3BucketName:
        default: CloudFormation S3 Bucket Name
      S3BucketPrefix:
        default: CloudFormation S3 Bucket Prefix
      KMSKeyID:
        default: KMS Key ID for SNS Encryption

      # Notifier Settings
      CSVBucketName:
        default: NEW CSV Bucket Name
      CSVFileName:
        default: CSV File Name
      EmailTableName:
        default: Email Table Name
      AdminEmailAddress:
        default: Admin Email Address


Parameters:
  S3BucketName:
    Description: S3 Bucket Name where code is located.
    Type: String

  S3BucketPrefix:
    Description: The prefix or directory where resources will be stored.
    Type: String
    Default: "iam-rotation"

  KMSKeyID:
    Description: The KMS Key ID you wish to use for encryption of your SNS Topic. (If using a custom Master Key, you must have permissions to utilize this key.)
    Type: String

  CSVBucketName:
    Description: Name of a NEW S3 bucket that you will upload your CSV of email accounts.
    Type: String
    ConstraintDescription: Must be a valid bucket name

  CSVFileName:
    Description: Name of the S3 file (including suffix)
    Type: String
    Default: "csv-to-s3-account-emails.csv"

  EmailTableName:
    Description: Name of the dynamoDB table you will use
    Type: String
    Default: "aws-account-emails"

  AdminEmailAddress:
    Description: Email address that will be used in the "sent from" section of the email
    Type: String


Resources:
  # NOTIFIER SERVICE RESOURCES
  EmailTable:
    Type: "AWS::DynamoDB::Table"
    Properties:
      TableName: !Ref EmailTableName
      BillingMode: PAY_PER_REQUEST
      AttributeDefinitions:
        - AttributeName: uuid
          AttributeType: S
      KeySchema:
        - AttributeName: uuid
          KeyType: HASH
      Tags:
        - Key: Name
          Value: !Ref EmailTableName

  CsvToDDBLambdaRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
                - s3.amazonaws.com
            Action:
              - "sts:AssumeRole"
      ManagedPolicyArns:
        - !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
        - !Sub "arn:${AWS::Partition}:iam::aws:policy/AWSLambdaInvocation-DynamoDB"
        - !Sub "arn:${AWS::Partition}:iam::aws:policy/AmazonS3ReadOnlyAccess"
      Policies:
        - PolicyName: CsvToDDBPolicy
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Resource: "*"
                Action:
                  - "dynamodb:PutItem"
                  - "dynamodb:BatchWriteItem"

  CsvToDDBLambdaFunction:
    Type: "AWS::Lambda::Function"
    Properties:
      Handler: main.lambda_handler
      Description: |
        Imports CSV file from S3 to DynamoDB - specifically formatted
        to work with "accountid, accountname, accountemail, accountowner"
      FunctionName: CSV-to-DynamoDB-Import-Tool
      Role: !GetAtt CsvToDDBLambdaRole.Arn
      Code:
        S3Bucket: !Ref S3BucketName
        S3Key: !Sub ${S3BucketPrefix}/account_handler_0.83.0.zip
      Runtime: python3.8
      Timeout: 900
      MemorySize: 3008
      Environment:
        Variables:
          S3_BUCKET: !Ref CSVBucketName
          S3_KEY: !Ref CSVFileName
          DYNAMODB_TABLE_NAME: !Ref EmailTableName

  CsvBucketPermission:
    Type: "AWS::Lambda::Permission"
    Properties:
      Action: "lambda:InvokeFunction"
      FunctionName: !Ref CsvToDDBLambdaFunction
      Principal: s3.amazonaws.com
      SourceAccount: !Ref "AWS::AccountId"

  CsvS3Bucket:
    DependsOn:
      - CsvBucketPermission
    Type: "AWS::S3::Bucket"
    Properties:
      BucketName: !Ref CSVBucketName
      AccessControl: BucketOwnerFullControl
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: 'AES256'
      VersioningConfiguration:
        Status: Enabled
      NotificationConfiguration:
        LambdaConfigurations:
          - Event: "s3:ObjectCreated:*"
            Function: !GetAtt CsvToDDBLambdaFunction.Arn

  NotifierFunctionExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: AllowExecutionPermissionsOnFunction
            Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
      Policies:
        - PolicyName: AllowS3ZipRetrieval
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - s3:GetObject
                Resource:
                  - !GetAtt CsvS3Bucket.Arn
                  - !Join
                    - ''
                    - - !GetAtt CsvS3Bucket.Arn
                      - /*
              - Effect: Allow
                Action:
                  - dynamodb:GetItem
                Resource: !GetAtt EmailTable.Arn
              - Effect: Allow
                Action:
                  - ses:SendEmail
                Resource: "*"
              - Effect: Allow
                Action:
                  - s3:GetObject
                Resource:
                  - !Sub "arn:aws:s3:::${S3BucketName}/${S3BucketPrefix}"
                  - !Sub "arn:aws:s3:::${S3BucketName}/${S3BucketPrefix}/*"

  NotifierLambdaFunction:
    Type: AWS::Lambda::Function
    Properties:
      Description: Function that received SNS events from config rules and emails end users who own the account id of the resource violation.
      FunctionName: Notifier
      Handler: main.lambda_handler
      Runtime: python3.8
      Code:
        S3Bucket: !Ref S3BucketName
        S3Key: !Sub ${S3BucketPrefix}/notifier_0.83.0.zip
      Role: !GetAtt NotifierFunctionExecutionRole.Arn
      Timeout: 300
      Environment:
        Variables:
          ADMIN_EMAIL: !Ref AdminEmailAddress
          DYNAMODB_TABLE_NAME: !Ref EmailTableName
          S3_BUCKET_NAME: !Ref S3BucketName
          S3_BUCKET_PREFIX: !Sub ${S3BucketPrefix}

  # IAM KEY ROTATION RESOURCES
  RotationLambdaFunctionExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: AllowExecutionPermissionsOnFunction
            Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
                - events.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
      Policies:
        - PolicyName: AllowRotationFunctionPermissions
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - s3:GetObject
                Resource:
                  - !Sub "arn:${AWS::Partition}:s3:::${S3BucketName}/*"
              - Effect: Allow
                Action:
                  - iam:List*
                  - iam:CreatePolicy
                  - iam:CreateAccessKey
                  - iam:DeleteAccessKey
                  - iam:UpdateAccessKey
                  - iam:PutUserPolicy
                  - iam:GetUserPolicy
                Resource: "*"
              - Effect: Allow
                Action:
                  - iam:AttachUserPolicy
                Resource:
                  - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:user/*"
              - Effect: Allow
                Action:
                  - secretsmanager:PutResourcePolicy
                  - secretsmanager:PutSecretValue
                  - secretsmanager:DescribeSecret
                  - secretsmanager:CreateSecret
                  - secretsmanager:GetResourcePolicy
                Resource:
                  - !Sub "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:*"

  RotationSNSTopic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: SNSNotificationForNewAccessKeyCreation
      KmsMasterKeyId: !Ref KMSKeyID
      Subscription:
        - Endpoint: !GetAtt NotifierLambdaFunction.Arn
          Protocol: lambda

  RotationAccessKeyRotateLambdaFunction:
    Type: AWS::Lambda::Function
    Properties:
      Description: Rotates IAM Access Keys on specified schedule
      FunctionName: IAM-Access-Key-Rotation-LambdaFunctionName
      Handler: main.lambda_handler
      Runtime: python3.8
      Role: !GetAtt RotationLambdaFunctionExecutionRole.Arn
      Timeout: 240
      Environment:
        Variables:
          RotationPeriod: 90
          InactivePeriod: 100
          RetentionPeriod: 110
      Code:
        S3Bucket: !Ref S3BucketName
        S3Key: !Sub ${S3BucketPrefix}/access_key_auto_rotation_0.83.0.zip

  RotationCloudWatchEventLambdaTrigger:
    Type: AWS::Events::Rule
    DependsOn:
      - RotationLambdaFunctionExecutionRole
    Properties:
      Description: CloudWatch Event to trigger Access Key auto-rotation Lambda Function daily
      ScheduleExpression: rate(24 hours)
      State: ENABLED
      Targets:
        - Arn: !GetAtt RotationAccessKeyRotateLambdaFunction.Arn
          Id: AccessKeyRotationFunction

  RotationCloudWatchEventsLambdaPermissions:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !Ref NotifierLambdaFunction
      Action: lambda:InvokeFunction
      Principal: sns.amazonaws.com
      SourceArn: !Ref RotationSNSTopic

  RotationCloudWatchEventTopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      PolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: sns:Publish
            Resource: "*"
      Topics:
        - !Ref RotationSNSTopic

  RotationCloudWatchEventSNSTrigger:
    Type: AWS::Events::Rule
    Properties:
      Description: CloudWatch Event to trigger SNS notification for IAM Access Key generation
      EventPattern:
        source:
          - "aws.iam"
        detail-type:
          - "AWS API Call via CloudTrail"
        detail:
          eventSource:
            - "iam.amazonaws.com"
          eventName:
            - "CreateAccessKey"
      State: ENABLED
      Targets:
        - Arn: !Ref RotationSNSTopic
          Id: "AccessKeyRotationSNSNotification"