-
Notifications
You must be signed in to change notification settings - Fork 16
Expand file tree
/
Copy pathtemplate.yaml
More file actions
207 lines (185 loc) · 6.44 KB
/
template.yaml
File metadata and controls
207 lines (185 loc) · 6.44 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
AWSTemplateFormatVersion: 2010-09-09
Description: Conformity - Cloudwatch integration via SNS topic
Parameters:
RetentionPeriod:
Type: Number
Description: cloudwatch log retention period
Default: 90
LogName:
Type: String
Description: Log name
Default: notifications
Resources:
ConformityKMSKey:
Type: "AWS::KMS::Key"
Properties:
Description: "CloudConformityEncryptionKey"
KeyPolicy:
Version: "2012-10-17"
Id: "CloudConformityEncryptionKey"
Statement:
- Sid: "Enable Conformity Permissions"
Effect: "Allow"
Principal:
AWS: "arn:aws:iam::717210094962:root"
Action:
- "kms:Encrypt"
- "kms:Decrypt"
- "kms:ReEncrypt*"
- "kms:GenerateDataKey*"
- "kms:DescribeKey"
Resource: "arn:aws:kms:*:*:key/*"
- Sid: "Allow access for Key Administrators"
Effect: "Allow"
Principal:
AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
Action:
- "kms:Create*"
- "kms:Describe*"
- "kms:Enable*"
- "kms:List*"
- "kms:Put*"
- "kms:Update*"
- "kms:Revoke*"
- "kms:Disable*"
- "kms:Get*"
- "kms:Delete*"
- "kms:TagResource"
- "kms:UntagResource"
- "kms:ScheduleKeyDeletion"
- "kms:CancelKeyDeletion"
Resource: "arn:aws:kms:*:*:key/*"
ConformityKMSKeyAlias:
Type: "AWS::KMS::Alias"
Properties:
AliasName: !Join ["", ["alias/CloudConformity_",!Ref LogName]]
TargetKeyId: !Ref ConformityKMSKey
ConformitySNSTopic:
Type: "AWS::SNS::Topic"
Properties:
DisplayName: !Ref LogName
KmsMasterKeyId: !Ref ConformityKMSKey
TopicName: !Ref LogName
ConformitySNSTopicPolicy:
Type: "AWS::SNS::TopicPolicy"
Properties:
Topics:
- !Ref ConformitySNSTopic
PolicyDocument:
Version: "2012-10-17"
Statement:
- Sid: "AllowPublishFromConformity"
Effect: "Allow"
Principal:
AWS: "arn:aws:iam::717210094962:root"
Action:
- "sns:Publish"
Resource: !Ref ConformitySNSTopic
AlertsLogGroup:
Type: "AWS::Logs::LogGroup"
Properties:
LogGroupName: !Join ["", ["/aws", "/lambda", "/conformity_alerts_",!Ref LogName]]
RetentionInDays: !Ref RetentionPeriod
ConformityAlertsLambdaRole:
Type: 'AWS::IAM::Role'
Properties:
RoleName: !Join ["-", [!Ref LogName, "lambda", "alerts","role"]]
Description: "IAM role for lambda setup"
Path: /
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
Action:
- 'sts:AssumeRole'
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
Policies:
- PolicyName: !Join ["-", [!Ref LogName, "lambda", "alerts","policy"]]
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
Resource:
- !GetAtt AlertsLogGroup.Arn
- Effect: Allow
Action:
- sns:Subscribe
- sns:Receive
Resource:
- !Ref ConformitySNSTopic
ConformityAlertsLambda:
Type: "AWS::Lambda::Function"
Properties:
Description: "Lambda to send SNS messages to cloudwatch"
FunctionName: "conformity_alerts_lambda"
Handler: index.lambda_handler
MemorySize: 256
PackageType: "Zip"
Role: !GetAtt ConformityAlertsLambdaRole.Arn
Runtime: python3.9
Timeout: 180
Code:
ZipFile: |
import json
import boto3
import time
import os
def lambda_handler(event, context):
log_name = os.environ['LOG_NAME']
# Create a CloudWatch Logs client
cloudwatch_logs = boto3.client('logs')
# Define the Log Group and Log Stream names
log_group_name = '/aws/lambda/conformity_alerts_'+log_name
log_stream_name = 'alerts'
try:
response = cloudwatch_logs.create_log_stream(
logGroupName=log_group_name,
logStreamName=log_stream_name
)
print("Log stream created successfully.")
except cloudwatch_logs.exceptions.ResourceAlreadyExistsException:
print("Log stream already exists.")
except Exception as e:
print("Error creating log stream:", str(e))
# Put the log message to CloudWatch Logs
cloudwatch_logs.put_log_events(
logGroupName=log_group_name,
logStreamName=log_stream_name,
logEvents=[
{
'timestamp': int(round(time.time() * 1000)),
'message': str(json.loads(event['Records'][0]['Sns']['Message']))
}
]
)
Environment:
Variables:
LOG_NAME: !Ref LogName
ConformityLambdaPermission:
Type: AWS::Lambda::Permission
Properties:
FunctionName: !Ref ConformityAlertsLambda
Action: lambda:InvokeFunction
Principal: sns.amazonaws.com
SourceArn: !Ref ConformitySNSTopic
ConformityLambdaSNSSubscription:
Type: AWS::SNS::Subscription
Properties:
TopicArn: !Ref ConformitySNSTopic
Protocol: lambda
Endpoint: !GetAtt ConformityAlertsLambda.Arn
Outputs:
TopicArn:
Value: !Ref ConformitySNSTopic
Description: SNS Topic ARN
LogGroupName:
Value: !Ref AlertsLogGroup
Description: Cloudwatch Log Group