1 parent
98d564f
commit 5a22e3a
Showing
3 changed files
with
159 additions
and
0 deletions.
@@ -26,6 +26,31 @@ Use the `cloudtrail.json` template to setup CloudTrail across all regions. | |
1. Click **Create** to start the creation of the stack. | ||
1. Wait until the stack reaches the state **CREATE_COMPLETE** | ||
|
||
## Account Password Policy | ||
|
||
Use the `account-password-policy.json` template to create a account password policy for your IAM users. | ||
|
||
### Components | ||
|
||
#### AWS services | ||
|
||
* IAM: Identity & Access Management | ||
* Lambda: Used to implement the custom resource in the CloudFormation template | ||
|
||
### Installation Guide | ||
|
||
1. Download the template [account-password-policy.json](https://raw.githubusercontent.com/widdix/aws-cf-templates/master/security/account-password-policy.json) | ||
1. Open AWS CloudFormation within the Management Console: [https://console.aws.amazon.com/cloudformation](https://console.aws.amazon.com/cloudformation). | ||
1. Create a new stack by clicking on the **Create Stack** button. | ||
1. Select **Upload a template to Amazon S3** and upload the template `account-password-policy.json`. | ||
1. Click **Next** to proceed with the next step of the wizard. | ||
1. Specify a name for the stack. | ||
1. Click **Next** to proceed with the next step of the wizard. | ||
1. Click **Next** to skip the **Options** step of the wizard. | ||
1. Check the **I acknowledge that this template might cause AWS CloudFormation to create IAM resources.** checkbox. | ||
1. Click **Create** to start the creation of the stack. | ||
1. Wait until the stack reaches the state **CREATE_COMPLETE** | ||
|
||
## Support needed? | ||
|
||
Do you need help? Mail to [[email protected]](mailto:[email protected]). |
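--- /dev/null
+++ b/UNKNOWN_PATH_LAMBDA_HANDLER_JS
@@ -0,0 +1,31 @@
+var AWS = require('aws-sdk');
+var response = require('cfn-response');
+var iam = new AWS.IAM();
+exports.handler = function(event, context) {
+console.log('Invoke: ' + JSON.stringify(event));
+function cb(err) {
+if (err) {
+console.log('Error: ' + JSON.stringify(err));
+response.send(event, context, response.FAILED, {});
+} else {
+response.send(event, context, response.SUCCESS, {});
+}
+}
+if (event.RequestType === 'Delete') {
+iam.deleteAccountPasswordPolicy({}, cb);
+} else if (event.RequestType === 'Create' || event.RequestType === 'Update') {
+iam.updateAccountPasswordPolicy({
+AllowUsersToChangePassword: true,
+HardExpiry: false,
+MaxPasswordAge: 90,
+MinimumPasswordLength: 6,
+PasswordReusePrevention: 6,
+RequireLowercaseCharacters: true,
+RequireNumbers: true,
+RequireSymbols: true,
+RequireUppercaseCharacters: true
+}, cb);
+} else {
+context.fail(new Error('unsupported RequestType: ' + event.RequestType));
+}
+};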
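Review bot: The final `else` branch calls `context.fail(...)` without sending a cfn-response, so for an unsupported RequestType CloudFormation never receives a FAILED status and keeps waiting on the custom resource until its own timeout expires; report the failure first, `response.send(event, context, response.FAILED, {});`, before (or instead of) `context.fail`. The same handler is duplicated inline in the template's `ZipFile`, and the two copies already disagree — this file sets `MinimumPasswordLength: 6` while the template copy sets 12 — so one should be generated from the other or the value reconciled (12 is the stronger of the two); the template copy is the one that actually runs. On `Delete`, `deleteAccountPasswordPolicy` returns an error when no policy exists, which would block stack teardown; treating a `NoSuchEntity` error code as success on the Delete path in `cb` would make deletion idempotent. Logging the whole event at `console.log('Invoke: ' + JSON.stringify(event))` also writes the pre-signed `ResponseURL` to CloudWatch Logs; logging only `RequestType` and `RequestId` is enough for debugging.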
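--- /dev/null
+++ b/UNKNOWN_PATH_CLOUDFORMATION_TEMPLATE_JSON
@@ -0,0 +1,103 @@
+{
+"AWSTemplateFormatVersion": "2010-09-09",
+"Description": "Security: Account Password Policy, a cloudonaut.io template",
+"Parameters": {
+},
+"Resources": {
+"LambdaRole": {
+"Type": "AWS::IAM::Role",
+"Properties": {
+"AssumeRolePolicyDocument": {
+"Version": "2012-10-17",
+"Statement": [{
+"Effect": "Allow",
+"Principal": {
+"Service": "lambda.amazonaws.com"
+},
+"Action": ["sts:AssumeRole"]
+}]
+},
+"Path": "/",
+"Policies": [{
+"PolicyName": "logs",
+"PolicyDocument": {
+"Statement": [{
+"Effect": "Allow",
+"Action": [
+"logs:CreateLogGroup",
+"logs:CreateLogStream",
+"logs:PutLogEvents"
+],
+"Resource": "arn:aws:logs:*:*:*"
+}]
+}
+}, {
+"PolicyName": "iam",
+"PolicyDocument": {
+"Statement": [{
+"Effect": "Allow",
+"Action": [
+"iam:UpdateAccountPasswordPolicy",
+"iam:DeleteAccountPasswordPolicy"
+],
+"Resource": "*"
+}]
+}
+}]
+}
+},
+"LambdaFunction": {
+"Type": "AWS::Lambda::Function",
+"Properties": {
+"Code": {
+"ZipFile": {"Fn::Join": ["", [
+"var AWS = require('aws-sdk');", "\n",
+"var response = require('cfn-response');", "\n",
+"var iam = new AWS.IAM();", "\n",
+"exports.handler = function(event, context) {", "\n",
+" console.log('Invoke: ' + JSON.stringify(event));", "\n",
+" function cb(err) {", "\n",
+" if (err) {", "\n",
+" console.log('Error: ' + JSON.stringify(err));", "\n",
+" response.send(event, context, response.FAILED, {});", "\n",
+" } else {", "\n",
+" response.send(event, context, response.SUCCESS, {});", "\n",
+" }", "\n",
+" }", "\n",
+" if (event.RequestType === 'Delete') {", "\n",
+" iam.deleteAccountPasswordPolicy({}, cb);", "\n",
+" } else if (event.RequestType === 'Create' || event.RequestType === 'Update') {", "\n",
+" iam.updateAccountPasswordPolicy({", "\n",
+" AllowUsersToChangePassword: true,", "\n",
+" HardExpiry: false,", "\n",
+" MaxPasswordAge: 90,", "\n",
+" MinimumPasswordLength: 12,", "\n",
+" PasswordReusePrevention: 6,", "\n",
+" RequireLowercaseCharacters: true,", "\n",
+" RequireNumbers: true,", "\n",
+" RequireSymbols: true,", "\n",
+" RequireUppercaseCharacters: true", "\n",
+" }, cb);", "\n",
+" } else {", "\n",
+" context.fail(new Error('unsupported RequestType: ' + event.RequestType));", "\n",
+" }", "\n",
+"};", "\n"
+]]}
+},
+"Handler": "index.handler",
+"MemorySize": 128,
+"Role": {"Fn::GetAtt": ["LambdaRole", "Arn"]},
+"Runtime": "nodejs",
+"Timeout": 60
+}
+},
+"PasswordPolicy": {
+"DependsOn": "LambdaFunction",
+"Type": "Custom::PasswordPolicy",
+"Version": "1.0",
+"Properties": {
+"ServiceToken": {"Fn::GetAtt": ["LambdaFunction", "Arn"]}
+}
+}
+}
+}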
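Review bot: `"Runtime": "nodejs"` on the LambdaFunction resource selects the unversioned legacy Node.js runtime, which AWS has deprecated and no longer accepts when creating new functions, so stack creation from this template is likely to fail today; pin a current versioned runtime (for example `"Runtime": "nodejs18.x"`) and, because the inline code uses the v2 `require('aws-sdk')`, confirm the chosen runtime still ships that SDK or move the handler to the v3 IAM client. Both inline `PolicyDocument`s (the `logs` and `iam` policies) omit `"Version": "2012-10-17"`, so IAM falls back to the older policy language; add the version line to each, as the `AssumeRolePolicyDocument` already does. Deleting this stack runs `deleteAccountPasswordPolicy` and leaves the account with no password policy at all, which is a side effect worth stating explicitly in the README's installation guide for this template.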