enable-access-analyser.yaml

AWSTemplateFormatVersion: 2010-09-09
Description: Creates a Lambda function to delegate Access Analyser to a master account in an AWS Organization.  A custom resource is created to immediately invoke the lambda function upon successful deployment.
Parameters:
  OrganizationId:
    Type: String
    Description: "The Amazon Organizations ID for Control Tower."
    MinLength: 12
    MaxLength: 12
    AllowedPattern: '^[o][\-][a-z0-9]{10}$'
    ConstraintDescription: "The Organization ID must be a 12 character string starting with o- and followed by 10 Lowercase Alphanumeric Characters."
  AccessAnalyserMasterAccountId:
    Type: String
    Description: "The AWS Account ID that will be configured as the Delegated Admin."
    AllowedPattern: '^[0-9]{12}$'
    ConstraintDescription: "This must be a 12 character string."
    MinLength: 12
    MaxLength: 12
  S3SourceBucket:
    Type: String
    Description: "The S3 Bucket that contains the Lambda Zip File."
  S3Key:
    Type: String
    Description: "The S3 Path to the Lambda Zip File"
  RoleToAssume:
    Type: String
    Default: 'AWSControlTowerExecution'
    Description: "What role should be assumed in accounts to enable GuardDuty?  The Default is AWSControlTowerExecution for a Control Tower environment."
Resources:
  CustomResourceEnableAccessAnalyser:
    Type: Custom::EnableAccessAnalyser
    Properties:
      ServiceToken: !GetAtt LambdaEnableAccessAnalyser.Arn
  LambdaEnableAccessAnalyser:
    Type: AWS::Lambda::Function
    Properties:
      Architectures:
        - x86_64
      Code:
        S3Bucket: !Ref S3SourceBucket
        S3Key: !Ref S3Key
      Description: "Lambda Function that is triggered by CloudFormation Custom Resource to Enable Access Analyser by Default."
      FunctionName: Lambda-Enable-Access-Analyser
      Handler: index.lambda_handler
      Layers:
        - !Ref LambdaLayerCfnresponse
      Role: !GetAtt LambdaRoleEnableAccessAnalyser.Arn
      Runtime: python3.9
      MemorySize: 128
      Timeout: 300
      Environment:
        Variables:
            ACCESS_ANALYSER_MASTER_ACCOUNT: !Ref AccessAnalyserMasterAccountId
            ROLE_TO_ASSUME: !Ref RoleToAssume
  LambdaLayerCfnresponse:
    Type: AWS::Lambda::LayerVersion
    Properties:
      CompatibleRuntimes:
        - python3.9
      Content:
        S3Bucket: !Ref S3SourceBucket
        S3Key: "lambda-layers/cfnresponse.zip"
      Description: v1.1.2 of cfnresponse
      LayerName: cfnresponse
  LambdaRoleEnableAccessAnalyser:
    Type: AWS::IAM::Role
    Properties:
      Description: "Service-Role for Lambda-Enable-Access-Analyser to have the required access to execute successfully"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - "lambda.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      Path: "/"
      RoleName: "LambdaExecutionRole-EnableAccessAnalyser"
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
      Policies:
      - PolicyName: "Enable-Access-Analyser"
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
          - Effect: "Allow"
            Action:
              - "sts:AssumeRole"
            Resource: !Sub "arn:aws:iam::*:role/${RoleToAssume}"
            Condition:
              StringEquals:
                "aws:PrincipalOrgId": !Ref OrganizationId
          - Effect: "Allow"
            Action:
              - organizations:DeregisterDelegatedAdministrator
            Resource: !Sub "arn:aws:organizations::${AWS::AccountId}:account/${OrganizationId}/*"
          - Effect: "Allow"
            Action:
              - logs:CreateLogGroup
              - logs:CreateLogStream
              - logs:PutLogEvents
            Resource:
              - !Sub "arn:aws:logs:{AWS::Region}:${AWS::AccountId}:*"
              - !Sub "arn:aws:logs:{AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/Lambda-Enable-Access-Analyser:*"
          - Effect: "Allow"
            Action:
              - organizations:RegisterDelegatedAdministrator
              - organizations:ListAccounts
              - organizations:ListDelegatedAdministrators
              - cloudtrail:DescribeTrails
              - cloudformation:ListStackInstances
            Resource: "*"
  LifeCycleRuleAccessAnalyser:
    Type: AWS::Events::Rule
    Properties:
      Description: "AWS Access Analyser LifeCycle Trigger"
      EventPattern:
        source:
          - "aws.controltower"
        detail-type:
          - "AWS Service Event via CloudTrail"
        detail:
          eventName:
            - "CreateManagedAccount"
      State: "ENABLED"
      Targets:
        - Arn: !GetAtt LambdaEnableAccessAnalyser.Arn
          Id: "NewAccount"
  PermissionForCTEventToInvokeLambda:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !GetAtt LambdaEnableAccessAnalyser.Arn
      Action: "lambda:InvokeFunction"
      Principal: "events.amazonaws.com"
      SourceArn: !GetAtt LifeCycleRuleAccessAnalyser.Arn