-
Notifications
You must be signed in to change notification settings - Fork 1
/
ml-recommended-cf-template-for-aws-initial-setting.yaml
382 lines (382 loc) · 12.7 KB
/
ml-recommended-cf-template-for-aws-initial-setting.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Monstar Lab Recommended CF-Template for AWS initial setting'
Metadata:
'AWS::CloudFormation::Interface':
ParameterGroups:
- Label:
default: 'Password Policy Parameters'
Parameters:
- AllowUsersToChangePassword
- HardExpiry
- MaxPasswordAge
- MinimumPasswordLength
- PasswordReusePrevention
- RequireLowercaseCharacters
- RequireNumbers
- RequireSymbols
- RequireUppercaseCharacters
- Label:
default: 'CloudTrail Parameters'
Parameters:
- CloudWatchLogsRetentionInDays
- ExternalTrailBucket
- LogFilePrefix
- Label:
default: 'Config Parameters'
Parameters:
- DeliveryFrequency
- ExternalConfigBucket
Parameters:
AllowUsersToChangePassword:
Description: 'You can permit all IAM users in your account to use the IAM console to change their own passwords.'
Type: String
Default: true
AllowedValues:
- true
- false
HardExpiry:
Description: 'You can prevent IAM users from choosing a new password after their current password has expired.'
Type: String
Default: false
AllowedValues:
- true
- false
MaxPasswordAge:
Description: 'You can set IAM user passwords to be valid for only the specified number of days.'
Type: Number
Default: 90
ConstraintDescription: 'Must be in the range [0-1095]'
MinValue: 0
MaxValue: 1095
MinimumPasswordLength:
Description: 'You can specify the minimum number of characters allowed in an IAM user password.'
Type: Number
Default: 8
ConstraintDescription: 'Must be in the range [8-128]'
MinValue: 8
MaxValue: 128
PasswordReusePrevention:
Description: 'You can prevent IAM users from reusing a specified number of previous passwords.'
Type: Number
Default: 24
ConstraintDescription: 'Must be in the range [1-24]'
MinValue: 1
MaxValue: 24
RequireLowercaseCharacters:
Description: 'You can require that IAM user passwords contain at least one lowercase character from the ISO basic Latin alphabet (a to z).'
Type: String
Default: true
AllowedValues:
- true
- false
RequireNumbers:
Description: 'You can require that IAM user passwords contain at least one numeric character (0 to 9).'
Type: String
Default: true
AllowedValues:
- true
- false
RequireSymbols:
Description: 'You can require that IAM user passwords contain at least one of the following nonalphanumeric characters: ! @ # $ % ^ & * ( ) _ + - = [ ] {} | '''
Type: String
Default: true
AllowedValues:
- true
- false
RequireUppercaseCharacters:
Description: 'You can require that IAM user passwords contain at least one uppercase character from the ISO basic Latin alphabet (A to Z).'
Type: String
Default: true
AllowedValues:
- true
- false
CloudWatchLogsRetentionInDays:
Description: 'The number of days log events are kept in CloudWatch Logs'
Type: Number
Default: 3653
AllowedValues: [1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653]
ExternalTrailBucket:
Description: 'Optional The name of the Amazon S3 bucket where CloudTrail publishes log files. If you leave this empty, the Amazon S3 bucket is created for you.'
Type: String
Default: ''
LogFilePrefix:
Description: 'Optional The log file prefix.'
Type: String
Default: ''
DeliveryFrequency:
Description: 'The frequency with which AWS Config delivers configuration snapshots'
Type: String
Default: Six_Hours
AllowedValues:
- One_Hour
- Three_Hours
- Six_Hours
- Twelve_Hours
- TwentyFour_Hours
ExternalConfigBucket:
Description: 'Optional The name of an S3 bucket where you want to store configuration history for the delivery channel. If you leave this empty, the Amazon S3 bucket is created for you.'
Type: String
Default: ''
Conditions:
InternalBucket-trail: !Equals [!Ref ExternalTrailBucket, '']
ExternalBucket-trail: !Not [!Equals [!Ref ExternalTrailBucket, '']]
InternalBucket-config: !Equals [!Ref ExternalConfigBucket, '']
ExternalBucket-config: !Not [!Equals [!Ref ExternalConfigBucket, '']]
Resources:
TrailBucket:
Condition: InternalBucket-trail
DeletionPolicy: Retain
Type: 'AWS::S3::Bucket'
Properties: {}
TrailBucketPolicy:
Condition: InternalBucket-trail
Type: 'AWS::S3::BucketPolicy'
Properties:
Bucket: !Ref TrailBucket
PolicyDocument:
Version: '2012-10-17'
Statement:
- Sid: AWSCloudTrailAclCheck
Effect: Allow
Principal:
Service: 'cloudtrail.amazonaws.com'
Action: 's3:GetBucketAcl'
Resource: !Sub 'arn:aws:s3:::${TrailBucket}'
- Sid: AWSCloudTrailWrite
Effect: Allow
Principal:
Service: 'cloudtrail.amazonaws.com'
Action: 's3:PutObject'
Resource: !Sub 'arn:aws:s3:::${TrailBucket}/AWSLogs/${AWS::AccountId}/*'
Condition:
StringEquals:
's3:x-amz-acl': 'bucket-owner-full-control'
TrailLogGroup:
Type: 'AWS::Logs::LogGroup'
Properties:
RetentionInDays: !Ref CloudWatchLogsRetentionInDays
TrailLogGroupRole:
Type: 'AWS::IAM::Role'
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Sid: AssumeRole1
Effect: Allow
Principal:
Service: 'cloudtrail.amazonaws.com'
Action: 'sts:AssumeRole'
Policies:
- PolicyName: 'cloudtrail-policy'
PolicyDocument:
Version: '2012-10-17'
Statement:
- Sid: AWSCloudTrailCreateLogStream2014110
Effect: Allow
Action: 'logs:CreateLogStream'
Resource: !GetAtt 'TrailLogGroup.Arn'
- Sid: AWSCloudTrailPutLogEvents20141101
Effect: Allow
Action: 'logs:PutLogEvents'
Resource: !GetAtt 'TrailLogGroup.Arn'
TrailTopic:
Type: 'AWS::SNS::Topic'
Properties: {}
TrailTopicPolicy:
Type: 'AWS::SNS::TopicPolicy'
Properties:
PolicyDocument:
Version: '2008-10-17'
Statement:
- Sid: AWSCloudTrailSNSPolicy
Effect: Allow
Principal:
Service: 'cloudtrail.amazonaws.com'
Resource: !Ref TrailTopic
Action: 'sns:Publish'
Topics:
- !Ref TrailTopic
Trail:
Condition: InternalBucket-trail
DependsOn:
- TrailBucketPolicy
- TrailTopicPolicy
Type: 'AWS::CloudTrail::Trail'
Properties:
IncludeGlobalServiceEvents: true
IsLogging: true
IsMultiRegionTrail: true
S3BucketName: !Ref TrailBucket
S3KeyPrefix: !Ref LogFilePrefix
CloudWatchLogsLogGroupArn: !GetAtt 'TrailLogGroup.Arn'
CloudWatchLogsRoleArn: !GetAtt 'TrailLogGroupRole.Arn'
SnsTopicName: !GetAtt 'TrailTopic.TopicName'
ExternalTrail:
Condition: ExternalBucket-trail
DependsOn:
- TrailTopicPolicy
Type: 'AWS::CloudTrail::Trail'
Properties:
IncludeGlobalServiceEvents: true
IsLogging: true
IsMultiRegionTrail: true
S3BucketName: !Ref ExternalTrailBucket
S3KeyPrefix: !Ref LogFilePrefix
CloudWatchLogsLogGroupArn: !GetAtt 'TrailLogGroup.Arn'
CloudWatchLogsRoleArn: !GetAtt 'TrailLogGroupRole.Arn'
SnsTopicName: !GetAtt 'TrailTopic.TopicName'
mydetector:
Type: "AWS::GuardDuty::Detector"
Properties:
Enable: true
ConfigBucket:
Condition: InternalBucket-trail
DeletionPolicy: Retain
Type: 'AWS::S3::Bucket'
Properties: {}
ConfigTopic:
Type: 'AWS::SNS::Topic'
Properties: {}
DeliveryChannel:
Type: 'AWS::Config::DeliveryChannel'
Properties:
ConfigSnapshotDeliveryProperties:
DeliveryFrequency: !Ref DeliveryFrequency
S3BucketName: !If [InternalBucket-trail, !Ref ConfigBucket, !Ref ExternalConfigBucket]
SnsTopicARN: !Ref ConfigTopic
ConfigurationRecorderRole:
Condition: InternalBucket-trail
Type: 'AWS::IAM::Role'
Properties:
ManagedPolicyArns:
- 'arn:aws:iam::aws:policy/service-role/AWSConfigRole'
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Sid: AssumeRole1
Effect: Allow
Principal:
Service: 'config.amazonaws.com'
Action: 'sts:AssumeRole'
Policies:
- PolicyName: 's3-policy'
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action: 's3:PutObject'
Resource: !Sub 'arn:aws:s3:::${ConfigBucket}/*'
Condition:
StringLike:
's3:x-amz-acl': 'bucket-owner-full-control'
- Effect: Allow
Action: 's3:GetBucketAcl'
Resource: !Sub 'arn:aws:s3:::${ConfigBucket}'
- PolicyName: 'sns-policy'
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action: 'sns:Publish'
Resource: !Ref ConfigTopic
ExternalConfigurationRecorderRole:
Condition: ExternalBucket-trail
Type: 'AWS::IAM::Role'
Properties:
ManagedPolicyArns:
- 'arn:aws:iam::aws:policy/service-role/AWSConfigRole'
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Sid: AssumeRole1
Effect: Allow
Principal:
Service: 'config.amazonaws.com'
Action: 'sts:AssumeRole'
ConfigurationRecorder:
Type: 'AWS::Config::ConfigurationRecorder'
Properties:
RecordingGroup:
AllSupported: true
IncludeGlobalResourceTypes: true
RoleARN: !If [InternalBucket-trail, !GetAtt 'ConfigurationRecorderRole.Arn', !GetAtt 'ExternalConfigurationRecorderRole.Arn']
LambdaRole:
Type: 'AWS::IAM::Role'
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service: 'lambda.amazonaws.com'
Action:
- 'sts:AssumeRole'
Path: '/'
ManagedPolicyArns:
- 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
Policies:
- PolicyName: iam
PolicyDocument:
Statement:
- Effect: Allow
Action:
- 'iam:UpdateAccountPasswordPolicy'
- 'iam:DeleteAccountPasswordPolicy'
Resource: '*'
LambdaFunctionV2: # needs no monitoring because it is used as a custom resource
Type: 'AWS::Lambda::Function'
Properties:
Code:
ZipFile:
!Sub |
'use strict';
const AWS = require('aws-sdk');
const response = require('cfn-response');
const iam = new AWS.IAM({apiVersion: '2010-05-08'});
exports.handler = (event, context, cb) => {
console.log(`Invoke: ${!JSON.stringify(event)}`);
const done = (err) => {
if (err) {
console.log(`Error: ${!JSON.stringify(err)}`);
response.send(event, context, response.FAILED, {});
} else {
response.send(event, context, response.SUCCESS, {});
}
};
if (event.RequestType === 'Delete') {
iam.deleteAccountPasswordPolicy({}, done);
} else if (event.RequestType === 'Create' || event.RequestType === 'Update') {
iam.updateAccountPasswordPolicy({
AllowUsersToChangePassword: ${AllowUsersToChangePassword},
HardExpiry: ${HardExpiry},
MaxPasswordAge: ${MaxPasswordAge},
MinimumPasswordLength: ${MinimumPasswordLength},
PasswordReusePrevention: ${PasswordReusePrevention},
RequireLowercaseCharacters: ${RequireLowercaseCharacters},
RequireNumbers: ${RequireNumbers},
RequireSymbols: ${RequireSymbols},
RequireUppercaseCharacters: ${RequireUppercaseCharacters},
}, done);
} else {
cb(new Error(`unsupported RequestType: ${!event.RequestType}`));
}
};
Handler: 'index.handler'
MemorySize: 128
Role: !GetAtt 'LambdaRole.Arn'
Runtime: 'nodejs6.10'
Timeout: 60
LambdaLogGroup:
Type: 'AWS::Logs::LogGroup'
Properties:
LogGroupName: !Sub '/aws/lambda/${LambdaFunctionV2}'
RetentionInDays: !Ref CloudWatchLogsRetentionInDays
PasswordPolicy:
Type: 'Custom::PasswordPolicy'
Version: '1.0'
Properties:
ServiceToken: !GetAtt 'LambdaFunctionV2.Arn'
Outputs:
StackName:
Description: 'Stack name.'
Value: !Sub '${AWS::StackName}'