Account Password Policy

security/README.md

@@ -26,6 +26,31 @@ Use the `cloudtrail.json` template to setup CloudTrail across all regions.
 1. Click **Create** to start the creation of the stack.
 1. Wait until the stack reaches the state **CREATE_COMPLETE**
 
+## Account Password Policy
+
+Use the `account-password-policy.json` template to create a account password policy for your IAM users.
+
+### Components
+
+#### AWS services
+
+* IAM: Identity & Access Management
+* Lambda: Used to implement the custom resource in the CloudFormation template
+
+### Installation Guide
+
+1. Download the template [account-password-policy.json](https://raw.githubusercontent.com/widdix/aws-cf-templates/master/security/account-password-policy.json)
+1. Open AWS CloudFormation within the Management Console: [https://console.aws.amazon.com/cloudformation](https://console.aws.amazon.com/cloudformation).
+1. Create a new stack by clicking on the **Create Stack** button.
+1. Select **Upload a template to Amazon S3** and upload the template `account-password-policy.json`.
+1. Click **Next** to proceed with the next step of the wizard.
+1. Specify a name for the stack.
+1. Click **Next** to proceed with the next step of the wizard.
+1. Click **Next** to skip the **Options** step of the wizard.
+1. Check the **I acknowledge that this template might cause AWS CloudFormation to create IAM resources.** checkbox.
+1. Click **Create** to start the creation of the stack.
+1. Wait until the stack reaches the state **CREATE_COMPLETE**
+
 ## Support needed?
 
 Do you need help? Mail to [[email protected]](mailto:[email protected]).

security/account-password-policy-lambda.js

@@ -0,0 +1,31 @@
+var AWS = require('aws-sdk');
+var response = require('cfn-response');
+var iam = new AWS.IAM();
+exports.handler = function(event, context) {
+  console.log('Invoke: ' + JSON.stringify(event));
+  function cb(err) {
+    if (err) {
+      console.log('Error: ' + JSON.stringify(err));
+      response.send(event, context, response.FAILED, {});
+    } else {
+      response.send(event, context, response.SUCCESS, {});
+    }
+  }
+  if (event.RequestType === 'Delete') {
+    iam.deleteAccountPasswordPolicy({}, cb);
+  } else if (event.RequestType === 'Create' || event.RequestType === 'Update') {
+    iam.updateAccountPasswordPolicy({
+      AllowUsersToChangePassword: true,
+      HardExpiry: false,
+      MaxPasswordAge: 90,
+      MinimumPasswordLength: 6,
+      PasswordReusePrevention: 6,
+      RequireLowercaseCharacters: true,
+      RequireNumbers: true,
+      RequireSymbols: true,
+      RequireUppercaseCharacters: true
+    }, cb);
+  } else {
+    context.fail(new Error('unsupported RequestType: ' + event.RequestType));
+  }
+};

security/account-password-policy.json

@@ -0,0 +1,103 @@
+{
+  "AWSTemplateFormatVersion": "2010-09-09",
+  "Description": "Security: Account Password Policy, a cloudonaut.io template",
+  "Parameters": {
+  },
+  "Resources": {
+    "LambdaRole": {
+      "Type": "AWS::IAM::Role",
+      "Properties": {
+        "AssumeRolePolicyDocument": {
+          "Version": "2012-10-17",
+          "Statement": [{
+            "Effect": "Allow",
+            "Principal": {
+              "Service": "lambda.amazonaws.com"
+            },
+            "Action": ["sts:AssumeRole"]
+          }]
+        },
+        "Path": "/",
+        "Policies": [{
+          "PolicyName": "logs",
+          "PolicyDocument": {
+            "Statement": [{
+              "Effect": "Allow",
+              "Action": [
+                "logs:CreateLogGroup",
+                "logs:CreateLogStream",
+                "logs:PutLogEvents"
+              ],
+              "Resource": "arn:aws:logs:*:*:*"
+            }]
+          }
+        }, {
+          "PolicyName": "iam",
+          "PolicyDocument": {
+            "Statement": [{
+              "Effect": "Allow",
+              "Action": [
+                "iam:UpdateAccountPasswordPolicy",
+                "iam:DeleteAccountPasswordPolicy"
+              ],
+              "Resource": "*"
+            }]
+          }
+        }]
+      }
+    },
+    "LambdaFunction": {
+      "Type": "AWS::Lambda::Function",
+      "Properties": {
+        "Code": {
+          "ZipFile": {"Fn::Join": ["", [
+"var AWS = require('aws-sdk');", "\n",
+"var response = require('cfn-response');", "\n",
+"var iam = new AWS.IAM();", "\n",
+"exports.handler = function(event, context) {", "\n",
+"  console.log('Invoke: ' + JSON.stringify(event));", "\n",
+"  function cb(err) {", "\n",
+"    if (err) {", "\n",
+"      console.log('Error: ' + JSON.stringify(err));", "\n",
+"      response.send(event, context, response.FAILED, {});", "\n",
+"    } else {", "\n",
+"      response.send(event, context, response.SUCCESS, {});", "\n",
+"    }", "\n",
+"  }", "\n",
+"  if (event.RequestType === 'Delete') {", "\n",
+"    iam.deleteAccountPasswordPolicy({}, cb);", "\n",
+"  } else if (event.RequestType === 'Create' || event.RequestType === 'Update') {", "\n",
+"    iam.updateAccountPasswordPolicy({", "\n",
+"      AllowUsersToChangePassword: true,", "\n",
+"      HardExpiry: false,", "\n",
+"      MaxPasswordAge: 90,", "\n",
+"      MinimumPasswordLength: 12,", "\n",
+"      PasswordReusePrevention: 6,", "\n",
+"      RequireLowercaseCharacters: true,", "\n",
+"      RequireNumbers: true,", "\n",
+"      RequireSymbols: true,", "\n",
+"      RequireUppercaseCharacters: true", "\n",
+"    }, cb);", "\n",
+"  } else {", "\n",
+"    context.fail(new Error('unsupported RequestType: ' + event.RequestType));", "\n",
+"  }", "\n",
+"};", "\n"
+          ]]}
+        },
+        "Handler": "index.handler",
+        "MemorySize": 128,
+        "Role": {"Fn::GetAtt": ["LambdaRole", "Arn"]},
+        "Runtime": "nodejs",
+        "Timeout": 60
+      }
+    },
+    "PasswordPolicy": {
+      "DependsOn": "LambdaFunction",
+      "Type": "Custom::PasswordPolicy",
+      "Version": "1.0",
+      "Properties": {
+        "ServiceToken": {"Fn::GetAtt": ["LambdaFunction", "Arn"]}
+      }
+    }
+  }
+}