Permalink
Cannot retrieve contributors at this time
Name already in use
A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
aws-cf-templates/security/account-password-policy.yaml
Go to fileThis commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
227 lines (227 sloc)
8.32 KB
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| # Copyright 2018 widdix GmbH | |
| # | |
| # Licensed under the Apache License, Version 2.0 (the "License"); | |
| # you may not use this file except in compliance with the License. | |
| # You may obtain a copy of the License at | |
| # | |
| # http://www.apache.org/licenses/LICENSE-2.0 | |
| # | |
| # Unless required by applicable law or agreed to in writing, software | |
| # distributed under the License is distributed on an "AS IS" BASIS, | |
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
| # See the License for the specific language governing permissions and | |
| # limitations under the License. | |
| AWSTemplateFormatVersion: '2010-09-09' | |
| Description: 'Security: Account Password Policy, a cloudonaut.io template' | |
| Metadata: | |
| 'AWS::CloudFormation::Interface': | |
| ParameterGroups: | |
| - Label: | |
| default: 'Password Policy Parameters' | |
| Parameters: | |
| - AllowUsersToChangePassword | |
| - HardExpiry | |
| - MaxPasswordAge | |
| - MinimumPasswordLength | |
| - PasswordReusePrevention | |
| - RequireLowercaseCharacters | |
| - RequireNumbers | |
| - RequireSymbols | |
| - RequireUppercaseCharacters | |
| - Label: | |
| default: 'Operational Parameters' | |
| Parameters: | |
| - LogsRetentionInDays | |
| - Label: | |
| default: 'Permission Parameters' | |
| Parameters: | |
| - PermissionsBoundary | |
| Parameters: | |
| PermissionsBoundary: | |
| Description: 'Optional ARN for a policy that will be used as the permission boundary for all roles created by this template.' | |
| Type: String | |
| Default: '' | |
| AllowUsersToChangePassword: | |
| Description: 'You can permit all IAM users in your account to use the IAM console to change their own passwords.' | |
| Type: String | |
| Default: true | |
| AllowedValues: | |
| - true | |
| - false | |
| HardExpiry: | |
| Description: 'You can prevent IAM users from choosing a new password after their current password has expired.' | |
| Type: String | |
| Default: false | |
| AllowedValues: | |
| - true | |
| - false | |
| MaxPasswordAge: | |
| Description: 'You can set IAM user passwords to be valid for only the specified number of days. Choose 0 if you don not want passwords to expire.' | |
| Type: Number | |
| Default: 90 | |
| ConstraintDescription: 'Must be in the range [0-1095]' | |
| MinValue: 0 | |
| MaxValue: 1095 | |
| MinimumPasswordLength: | |
| Description: 'You can specify the minimum number of characters allowed in an IAM user password.' | |
| Type: Number | |
| Default: 14 | |
| ConstraintDescription: 'Must be in the range [6-128]' | |
| MinValue: 6 | |
| MaxValue: 128 | |
| PasswordReusePrevention: | |
| Description: 'You can prevent IAM users from reusing a specified number of previous passwords.' | |
| Type: Number | |
| Default: 24 | |
| ConstraintDescription: 'Must be in the range [0-24]' | |
| MinValue: 0 | |
| MaxValue: 24 | |
| RequireLowercaseCharacters: | |
| Description: 'You can require that IAM user passwords contain at least one lowercase character from the ISO basic Latin alphabet (a to z).' | |
| Type: String | |
| Default: true | |
| AllowedValues: | |
| - true | |
| - false | |
| RequireNumbers: | |
| Description: 'You can require that IAM user passwords contain at least one numeric character (0 to 9).' | |
| Type: String | |
| Default: true | |
| AllowedValues: | |
| - true | |
| - false | |
| RequireSymbols: | |
| Description: 'You can require that IAM user passwords contain at least one of the following nonalphanumeric characters: ! @ # $ % ^ & * ( ) _ + - = [ ] {} | ''' | |
| Type: String | |
| Default: true | |
| AllowedValues: | |
| - true | |
| - false | |
| RequireUppercaseCharacters: | |
| Description: 'You can require that IAM user passwords contain at least one uppercase character from the ISO basic Latin alphabet (A to Z).' | |
| Type: String | |
| Default: true | |
| AllowedValues: | |
| - true | |
| - false | |
| LogsRetentionInDays: | |
| Description: 'Specifies the number of days you want to retain log events in the specified log group.' | |
| Type: Number | |
| Default: 14 | |
| AllowedValues: [1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653] | |
| Conditions: | |
| HasPermissionsBoundary: !Not [!Equals [!Ref PermissionsBoundary, '']] | |
| Resources: | |
| LambdaRole: | |
| Type: 'AWS::IAM::Role' | |
| Properties: | |
| AssumeRolePolicyDocument: | |
| Version: '2012-10-17' | |
| Statement: | |
| - Effect: Allow | |
| Principal: | |
| Service: 'lambda.amazonaws.com' | |
| Action: 'sts:AssumeRole' | |
| PermissionsBoundary: !If [HasPermissionsBoundary, !Ref PermissionsBoundary, !Ref 'AWS::NoValue'] | |
| Policies: | |
| - PolicyName: iam | |
| PolicyDocument: | |
| Statement: | |
| - Effect: Allow | |
| Action: | |
| - 'iam:UpdateAccountPasswordPolicy' | |
| - 'iam:DeleteAccountPasswordPolicy' | |
| Resource: '*' | |
| LambdaPolicy: | |
| Type: 'AWS::IAM::Policy' | |
| Properties: | |
| Roles: | |
| - !Ref LambdaRole | |
| PolicyName: lambda | |
| PolicyDocument: | |
| Statement: | |
| - Effect: Allow | |
| Action: | |
| - 'logs:CreateLogStream' | |
| - 'logs:PutLogEvents' | |
| Resource: !GetAtt 'LambdaLogGroup.Arn' | |
| LambdaFunctionV2: # needs no monitoring because it is used as a custom resource | |
| Type: 'AWS::Lambda::Function' | |
| Properties: | |
| Code: | |
| ZipFile: | | |
| 'use strict'; | |
| const AWS = require('aws-sdk'); | |
| const response = require('cfn-response'); | |
| const iam = new AWS.IAM({apiVersion: '2010-05-08'}); | |
| exports.handler = (event, context, cb) => { | |
| console.log(`Invoke: ${JSON.stringify(event)}`); | |
| function done(err) { | |
| if (err) { | |
| console.log(`Error: ${JSON.stringify(err)}`); | |
| response.send(event, context, response.FAILED, {}); | |
| } else { | |
| response.send(event, context, response.SUCCESS, {}); | |
| } | |
| } | |
| if (event.RequestType === 'Delete') { | |
| iam.deleteAccountPasswordPolicy({}, done); | |
| } else if (event.RequestType === 'Create' || event.RequestType === 'Update') { | |
| const params = { | |
| MinimumPasswordLength: parseInt(event.ResourceProperties.MinimumPasswordLength, 10), | |
| RequireSymbols: event.ResourceProperties.RequireSymbols === 'true', | |
| RequireNumbers: event.ResourceProperties.RequireNumbers === 'true', | |
| RequireUppercaseCharacters: event.ResourceProperties.RequireUppercaseCharacters === 'true', | |
| RequireLowercaseCharacters: event.ResourceProperties.RequireLowercaseCharacters === 'true', | |
| AllowUsersToChangePassword: event.ResourceProperties.AllowUsersToChangePassword === 'true', | |
| HardExpiry: event.ResourceProperties.HardExpiry === 'true' | |
| }; | |
| if (parseInt(event.ResourceProperties.MaxPasswordAge, 10) > 0) { | |
| params.MaxPasswordAge = parseInt(event.ResourceProperties.MaxPasswordAge, 10); | |
| } | |
| if (parseInt(event.ResourceProperties.PasswordReusePrevention, 10) > 0) { | |
| params.PasswordReusePrevention = parseInt(event.ResourceProperties.PasswordReusePrevention, 10); | |
| } | |
| iam.updateAccountPasswordPolicy(params, done); | |
| } else { | |
| cb(new Error(`unsupported RequestType: ${event.RequestType}`)); | |
| } | |
| }; | |
| Handler: 'index.handler' | |
| MemorySize: 128 | |
| Role: !GetAtt 'LambdaRole.Arn' | |
| Runtime: 'nodejs16.x' | |
| Timeout: 60 | |
| LambdaLogGroup: | |
| Type: 'AWS::Logs::LogGroup' | |
| Properties: | |
| LogGroupName: !Sub '/aws/lambda/${LambdaFunctionV2}' | |
| RetentionInDays: !Ref LogsRetentionInDays | |
| PasswordPolicy: | |
| Type: 'Custom::PasswordPolicy' | |
| DependsOn: | |
| - LambdaLogGroup | |
| - LambdaPolicy | |
| Version: '1.0' | |
| Properties: | |
| HardExpiry: !Ref HardExpiry | |
| AllowUsersToChangePassword: !Ref AllowUsersToChangePassword | |
| MaxPasswordAge: !Ref MaxPasswordAge | |
| MinimumPasswordLength: !Ref MinimumPasswordLength | |
| PasswordReusePrevention: !Ref PasswordReusePrevention | |
| RequireLowercaseCharacters: !Ref RequireLowercaseCharacters | |
| RequireNumbers: !Ref RequireNumbers | |
| RequireSymbols: !Ref RequireSymbols | |
| RequireUppercaseCharacters: !Ref RequireUppercaseCharacters | |
| ServiceToken: !GetAtt 'LambdaFunctionV2.Arn' | |
| Outputs: | |
| TemplateID: | |
| Description: 'cloudonaut.io template id.' | |
| Value: 'security/account-password-policy' | |
| TemplateVersion: | |
| Description: 'cloudonaut.io template version.' | |
| Value: '__VERSION__' | |
| StackName: | |
| Description: 'Stack name.' | |
| Value: !Sub '${AWS::StackName}' |