forked from aws-samples/aws-iam-credential-report
-
Notifications
You must be signed in to change notification settings - Fork 0
/
iam-credential-report-s3-bucket.yaml
136 lines (125 loc) · 4.11 KB
/
iam-credential-report-s3-bucket.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
AWSTemplateFormatVersion: '2010-09-09'
Description: Creates the Amazon S3 Bucket for the IAM Credential Report Blog Post
Metadata:
AWS::CloudFormation::Interface:
ParameterGroups:
-
Label:
default: IAM Credential Report Delivery S3 Attributes
Parameters:
- pIAMCredReportBucketPrefix
- pIAMCredReportKeyArn
- pOrganizationId
- pOrgPrimaryLambdaRoleName
- pTagKey1
- pTagValue1
ParameterLabels:
pIAMCredReportBucketPrefix:
default: IAM Credential Report Delivery Bucket Prefix
pIAMCredReportKeyArn:
default: IAM Credential Report Delivery KMS Key
pOrganizationId:
default: Organization ID
pOrgPrimaryLambdaRoleName:
default: Organization Primary Lambda Role Name
pTagKey1:
default: Tag Key
pTagValue1:
default: Tag Value
Parameters:
pIAMCredReportBucketPrefix:
Type: String
Description: IAM Credential Report Delivery S3 bucket prefix. The account and region will get added to the end. e.g. iam-credential-report-delivery-123456789012-us-east-1
Default: iam-credentials-report
pIAMCredReportKeyArn:
Type: String
Description: KMS Key ARN to use for encrypting IAM Credential Report sent to S3
pOrganizationId:
Type: String
Description: AWS Organization ID
MinLength: 12
MaxLength: 12
AllowedPattern: '^o-[a-z0-9]{10,32}$'
ConstraintDescription: >
The Organization Id must be a 12 character string starting with o- and followed by 10 lower case
alphanumeric characters
pOrgPrimaryLambdaRoleName:
Type: String
Description: Organization Primary Account Lambda Role Name
Default: iam-credential-report-lambda-role
pTagKey1:
Type: String
Description: Tag key
Default: managed-by
pTagValue1:
Type: String
Description: Tag key value
Default: credential-cfn
Resources:
rS3Bucket:
Type: AWS::S3::Bucket
Metadata:
cfn_nag:
rules_to_suppress:
- id: W35
reason: S3 access logging covered by CloudTrail S3 data events
Properties:
OwnershipControls:
Rules:
- ObjectOwnership: BucketOwnerPreferred
BucketName: !Sub ${pIAMCredReportBucketPrefix}-${AWS::AccountId}-${AWS::Region}-aws
VersioningConfiguration:
Status: Enabled
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
KMSMasterKeyID: !Ref pIAMCredReportKeyArn
SSEAlgorithm: aws:kms
PublicAccessBlockConfiguration:
BlockPublicAcls: True
BlockPublicPolicy: True
IgnorePublicAcls: True
RestrictPublicBuckets: True
Tags:
- Key: !Ref pTagKey1
Value: !Ref pTagValue1
rS3BucketPolicy:
Type: AWS::S3::BucketPolicy
Metadata:
cfn_nag:
rules_to_suppress:
- id: F16
reason: Resource is scoped down by Conditional
Properties:
Bucket: !Ref rS3Bucket
PolicyDocument:
Version: 2012-10-17
Statement:
- Sid: SecureTransport
Effect: Deny
Principal: "*"
Action: "s3:*"
Resource: !Sub arn:aws:s3:::${rS3Bucket}
Condition:
Bool:
"aws:SecureTransport": "false"
- Sid: AWSBucketDelivery
Effect: Allow
Principal: "*"
Action: s3:PutObject
Resource: !Sub arn:aws:s3:::${rS3Bucket}/*
Condition:
StringEquals:
"aws:PrincipalOrgID": !Ref pOrganizationId
StringLike:
aws:PrincipalArn: !Sub arn:${AWS::Partition}:iam::*:role/${pOrgPrimaryLambdaRoleName}
Outputs:
oIAMCredDeliveryS3Bucket:
Description: IAM Credential Report Delivery S3 Bucket
Value: !Ref rS3Bucket
oIAMCredDeliveryS3BucketArn:
Description: IAM Credential Report Delivery S3 Bucket Arn
Value: !GetAtt rS3Bucket.Arn
oOrgPrimaryLambdaRoleName:
Description: IAM Credential Report Lambda Execution Role Name
Value: !Ref pOrgPrimaryLambdaRoleName