@HrushikeshK
Created January 19, 2022 13:11
Deactivate IAM users — CloudFormation template
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Deploys a Lambda function that deactivates IAM users and access keys that have been inactive for more than 90 days.",
"Parameters" : {
"SlackWebhookParameter" : {
"Type" : "String",
"Default" : "",
"Description" : "Slack channel webhook URL (passed to the function as the WEBHOOK_URL environment variable)"
}
},
"Resources": {
"iamDeactivateDormantLambda": {
"Type": "AWS::Lambda::Function",
"Properties": {
"FunctionName": "iamDeactivateDormant",
"Handler": "deactivate-iam.lambda_handler",
"Environment" : {
"Variables": { "WEBHOOK_URL": {"Ref": "SlackWebhookParameter"} }
},
"Role": {
"Fn::GetAtt": [
"iamDeactivateDormantLambdaRole",
"Arn"
]
},
"Code": {
"S3Bucket": "<S3_Bucket_Name>",
"S3Key": "deactivate-iam.zip"
},
"Runtime": "python3.7",
"Timeout": 300
}
},
"iamDeactivateDormantLambdaRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"RoleName": "iamDeactivateDormantLambdaRole",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"Service": [ "lambda.amazonaws.com" ]
},
"Action": [ "sts:AssumeRole" ]
}]
},
"Path": "/",
"Policies": [{
"PolicyName": "iamDeactivateDormantLambdaPolicy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"iam:ListUsers",
"iam:ListAccessKeys",
"iam:GetAccessKeyLastUsed",
"iam:DeleteLoginProfile",
"iam:GetAccessKeyLastUsed",
"iam:ListAccessKeys",
"iam:ListUsers",
"iam:GetUser",
"iam:GetLoginProfile",
"iam:UpdateAccessKey"
],
"Resource": "*"
}]
}
}]
}
},
"ScheduledRule": {
"Type": "AWS::Events::Rule",
"Properties": {
"Description": "Scheduled rule (cron(0 10 * * ? *), UTC) that triggers the iamDeactivateDormant Lambda function",
"Name" : "iamDeactivateDormantLambdaRule",
"ScheduleExpression": "cron(0 10 * * ? *)",
"State": "ENABLED",
"Targets": [{
"Arn": { "Fn::GetAtt": ["iamDeactivateDormantLambda", "Arn"] },
"Id": "TargetFunctionV1"
}]
}
},
"PermissionForEventsToInvokeLambda": {
"Type": "AWS::Lambda::Permission",
"Properties": {
"FunctionName": { "Ref": "iamDeactivateDormantLambda" },
"Action": "lambda:InvokeFunction",
"Principal": "events.amazonaws.com",
"SourceArn": { "Fn::GetAtt": ["ScheduledRule", "Arn"] }
}
}
}
}