Deactivate IAM users CloudFormation
{ | |
"AWSTemplateFormatVersion": "2010-09-09", | |
"Description": "Deploy Lambda Function to Deactivate IAM users and access keys that are inactive for more than 90 days.", | |
"Parameters" : { | |
"SlackWebhookParameter" : { | |
"Type" : "String", | |
"Default" : "", | |
"Description" : "Webhook for Slack Channel" | |
} | |
}, | |
"Resources": { | |
"iamDeactivateDormantLambda": { | |
"Type": "AWS::Lambda::Function", | |
"Properties": { | |
"FunctionName": "iamDeactivateDormant", | |
"Handler": "deactivate-iam.lambda_handler", | |
"Environment" : { | |
"Variables": { "WEBHOOK_URL": {"Ref": "SlackWebhookParameter"} } | |
}, | |
"Role": { | |
"Fn::GetAtt": [ | |
"iamDeactivateDormantLambdaRole", | |
"Arn" | |
] | |
}, | |
"Code": { | |
"S3Bucket": "<S3_Bucket_Name>", | |
"S3Key": "deactivate-iam.zip" | |
}, | |
"Runtime": "python3.7", | |
"Timeout": 300 | |
} | |
}, | |
"iamDeactivateDormantLambdaRole": { | |
"Type": "AWS::IAM::Role", | |
"Properties": { | |
"RoleName": "iamDeactivateDormantLambdaRole", | |
"AssumeRolePolicyDocument": { | |
"Version": "2012-10-17", | |
"Statement": [{ | |
"Effect": "Allow", | |
"Principal": { | |
"Service": [ "lambda.amazonaws.com" ] | |
}, | |
"Action": [ "sts:AssumeRole" ] | |
}] | |
}, | |
"Path": "/", | |
"Policies": [{ | |
"PolicyName": "iamDeactivateDormantLambdaPolicy", | |
"PolicyDocument": { | |
"Version": "2012-10-17", | |
"Statement": [{ | |
"Effect": "Allow", | |
"Action": [ | |
"iam:ListUsers", | |
"iam:ListAccessKeys", | |
"iam:GetAccessKeyLastUsed", | |
"iam:DeleteLoginProfile", | |
"iam:GetAccessKeyLastUsed", | |
"iam:ListAccessKeys", | |
"iam:ListUsers", | |
"iam:GetUser", | |
"iam:GetLoginProfile", | |
"iam:UpdateAccessKey" | |
], | |
"Resource": "*" | |
}] | |
} | |
}] | |
} | |
}, | |
"ScheduledRule": { | |
"Type": "AWS::Events::Rule", | |
"Properties": { | |
"Description": "Rule to trigger iamDeactivateDormant Lambda", | |
"Name" : "iamDeactivateDormantLambdaRule", | |
"ScheduleExpression": "cron(0 10 * * ? *)", | |
"State": "ENABLED", | |
"Targets": [{ | |
"Arn": { "Fn::GetAtt": ["iamDeactivateDormantLambda", "Arn"] }, | |
"Id": "TargetFunctionV1" | |
}] | |
} | |
}, | |
"PermissionForEventsToInvokeLambda": { | |
"Type": "AWS::Lambda::Permission", | |
"Properties": { | |
"FunctionName": { "Ref": "iamDeactivateDormantLambda" }, | |
"Action": "lambda:InvokeFunction", | |
"Principal": "events.amazonaws.com", | |
"SourceArn": { "Fn::GetAtt": ["ScheduledRule", "Arn"] } | |
} | |
} | |
} | |
} |