
Cloudformation template for lambda function #47

Open
wants to merge 1 commit into
base: master
11 changes: 11 additions & 0 deletions aws_cis_foundation_framework/README.md
Expand Up @@ -39,3 +39,14 @@ Specify profile by using the -p or --profile
## IAM Policy
The IAM policy required to run the script is located in the file
aws-cis-foundation-benchmark-checklist-lambdarole.json

## Cloud formation template for aws-cis-foundation-benchmark-checklist.py
1. Zip aws-cis-foundation-benchmark-checklist.py
`zip cis_report_lambda.zip aws-cis-foundation-benchmark-checklist.py`
2. Upload zip in s3 bucket
3. Upload cloud formation template in AWS
4. Enter variables values:
`LambdaBucketName` - bucket where lambda code is stored
`BucketForReport` - bucket where cis report will be stored
`EmailAddress` - which should receive cis report
`SnsTopicName` - name of cis sns topic
Expand Up @@ -37,7 +37,8 @@

# Where should the report be delivered to?
# Make sure to update permissions for the Lambda role if you change bucket name.
S3_WEB_REPORT_BUCKET = "CHANGE_ME_TO_YOUR_S3_BUCKET"
# Use lambda variable BUCKET_FOR_REPORT or setup environment variable
S3_WEB_REPORT_BUCKET = os.environ['BUCKET_FOR_REPORT']

# Create separate report files?
# This will add date and account number as prefix. Example: cis_report_111111111111_161220_1213.html
Expand All @@ -51,8 +52,9 @@
S3_WEB_REPORT_OBFUSCATE_ACCOUNT = False

# Would you like to send the report signedURL to an SNS topic
SEND_REPORT_URL_TO_SNS = False
SNS_TOPIC_ARN = "CHANGE_ME_TO_YOUR_TOPIC_ARN"
SEND_REPORT_URL_TO_SNS = True
# Use lambda variable SNS_TOPIC_ARN or setup environment variable
SNS_TOPIC_ARN = os.environ['SNS_TOPIC_ARN']

# Would you like to print the results as JSON to output?
SCRIPT_OUTPUT_JSON = True
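Review bot: `S3_WEB_REPORT_BUCKET = os.environ['BUCKET_FOR_REPORT']` and `SNS_TOPIC_ARN = os.environ['SNS_TOPIC_ARN']` raise `KeyError` at import time whenever either variable is unset, and with `SEND_REPORT_URL_TO_SNS` now hard-coded to `True` the script can no longer be run the way the README's `--profile` instructions describe without exporting both variables first. Read them with a fallback and derive the SNS flag from the presence of a topic: `S3_WEB_REPORT_BUCKET = os.environ.get('BUCKET_FOR_REPORT', 'CHANGE_ME_TO_YOUR_S3_BUCKET')`, `SNS_TOPIC_ARN = os.environ.get('SNS_TOPIC_ARN')` and `SEND_REPORT_URL_TO_SNS = SNS_TOPIC_ARN is not None`. Because the template in this PR subscribes an email address to the topic, the signed report URL published here lands in a mailbox and anyone reading that mail can fetch the full CIS findings until the URL expires; the comment above `SEND_REPORT_URL_TO_SNS` should state that so operators pick the recipient accordingly. The `import os` these lines depend on is outside the hunk, so confirm it is present at the top of the file.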
142 changes: 142 additions & 0 deletions aws_cis_foundation_framework/cis-report.yml
@@ -0,0 +1,142 @@
---
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
LambdaBucketName:
Type: String
Description: Name of S3 Bucket Lambda Function lives in
LambdaMemorySize:
Type: String
Default: 1024
Description: Allocated memory for Lambda Function
PythonVersion:
Type: String
Default: python2.7
LambdaTimeout:
Type: String
Default: 300
Description: Timeout for Lambda Function
BucketForReport:
Type: String
Description: Bucket which will be used for storing reports
EmailAddress:
Type: String
Description: Email address which should recieve weekly CIS report
SnsTopicName:
Type: String
Description: Sns topic name

#==================================================
# Create S3 bucket for report storing
#==================================================
Resources:
CisReportBucket:
Type: AWS::S3::Bucket
Properties:
BucketName: !Ref BucketForReport
#==================================================
# Create Role to give Lambda IAM, Cloudwatch, SNS, S3, Config, Cloudwatch logs
#==================================================
RoleForCisReport:
Type: "AWS::IAM::Role"
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
-
Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
Action:
- sts:AssumeRole
Path: "/"
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
- arn:aws:iam::aws:policy/AmazonSNSFullAccess
- arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess
- arn:aws:iam::aws:policy/IAMReadOnlyAccess
- arn:aws:iam::aws:policy/CloudWatchLogsReadOnlyAccess
Policies:
-
PolicyName: LambdaCisPolicy
PolicyDocument:
Version: "2012-10-17"
Statement:
-
Effect: Allow
Action:
- "s3:GetBucketAcl"
- "s3:GetBucketLogging"
- "cloudwatch:DescribeAlarmsForMetric"
- "cloudtrail:DescribeTrails"
- "cloudtrail:GetTrailStatus"
- "config:DescribeConfigurationRecorderStatus"
- "config:DescribeConfigurationRecorders"
- "config:DescribeDeliveryChannelStatus"
- "config:PutEvaluations"
- "kms:DescribeKey"
- "kms:GetKeyRotationStatus"
- "kms:ListKeys"
Resource: "*"
-
PolicyName: LambdaCisPolicyS3Report
PolicyDocument:
Version: "2012-10-17"
Statement:
-
Effect: Allow
Action:
- "s3:PutObject"
- "s3:GetObject"
- "s3:DeleteObject"
Resource: !Join ['', ['arn:aws:s3:::', !Ref BucketForReport, /*]]
#==================================================
# Create Lambda Function that generate CIS report
#==================================================
ArnTopicForReports:
Type: "AWS::SNS::Topic"
Properties:
DisplayName: !Ref SnsTopicName
Subscription:
-
Endpoint:
Ref: EmailAddress
Protocol: "email"
TopicName: !Ref SnsTopicName

FunctionToGenerateCisReport:
Type: "AWS::Lambda::Function"
DependsOn: RoleForCisReport
Properties:
FunctionName: GenerateCisReport
Environment:
Variables:
SNS_TOPIC_ARN: !Ref ArnTopicForReports
BUCKET_FOR_REPORT:
Ref: BucketForReport
Code:
S3Bucket:
Ref: LambdaBucketName
S3Key: "cis_report_lambda.zip"

Description: Sends report to admin users
Handler: aws-cis-foundation-benchmark-checklist.lambda_handler
MemorySize:
Ref: LambdaMemorySize
Role: !GetAtt RoleForCisReport.Arn
Runtime:
Ref: PythonVersion
Timeout:
Ref: LambdaTimeout

ScheduledRuleForGeneratingReports:
Type: "AWS::Events::Rule"
Properties:
Name: ScheduledReportGenerating
Description: Run Lambda Function weekly
ScheduleExpression: "rate(7 days)"
State: ENABLED
Targets:
-
Arn: !GetAtt FunctionToGenerateCisReport.Arn
Id: "TargetFunctionV1"
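Review bot: `arn:aws:iam::aws:policy/AmazonSNSFullAccess` in `ManagedPolicyArns` of `RoleForCisReport` lets the function create, delete and subscribe to every topic in the account, while the code only needs to publish to `ArnTopicForReports`; replace it with an inline `sns:Publish` statement whose `Resource` is that topic's ARN. Separately, `ScheduledRuleForGeneratingReports` cannot invoke `FunctionToGenerateCisReport` as written, because the template never creates the `AWS::Lambda::Permission` that grants `events.amazonaws.com` `lambda:InvokeFunction` (restricted by `SourceArn` to this rule) — CloudFormation does not add that resource policy for a rule target. Since the report holds account-wide CIS findings, `CisReportBucket` should also carry a `PublicAccessBlockConfiguration` with all four flags `true` and a `BucketEncryption` block, and the `python2.7` default for `PythonVersion` is an end-of-life runtime that presumably should default to a supported Python 3 runtime. The rewritten stanzas are below.

```yaml
Resources:
  # … unchanged: CisReportBucket …
  RoleForCisReport:
    Type: "AWS::IAM::Role"
    Properties:
      # … unchanged: AssumeRolePolicyDocument, Path …
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
        - arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess
        - arn:aws:iam::aws:policy/IAMReadOnlyAccess
        - arn:aws:iam::aws:policy/CloudWatchLogsReadOnlyAccess
      Policies:
        # … unchanged: LambdaCisPolicy, LambdaCisPolicyS3Report …
        - PolicyName: LambdaCisPolicySnsPublish
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - "sns:Publish"
                Resource: !Ref ArnTopicForReports
  # … unchanged: ArnTopicForReports, FunctionToGenerateCisReport, ScheduledRuleForGeneratingReports …
  PermissionForEventsToInvokeLambda:
    Type: "AWS::Lambda::Permission"
    Properties:
      FunctionName: !Ref FunctionToGenerateCisReport
      Action: "lambda:InvokeFunction"
      Principal: events.amazonaws.com
      SourceArn: !GetAtt ScheduledRuleForGeneratingReports.Arn
```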