-
Notifications
You must be signed in to change notification settings - Fork 3
Expand file tree
/
Copy pathSetPasswordPolicy.yml
More file actions
168 lines (168 loc) · 5.59 KB
/
SetPasswordPolicy.yml
File metadata and controls
168 lines (168 loc) · 5.59 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Security: Account Password Policy, a cloudonaut.io template'
Metadata:
'AWS::CloudFormation::Interface':
ParameterGroups:
- Label:
default: 'Password Policy Parameters'
Parameters:
- AllowUsersToChangePassword
- HardExpiry
- MaxPasswordAge
- MinimumPasswordLength
- PasswordReusePrevention
- RequireLowercaseCharacters
- RequireNumbers
- RequireSymbols
- RequireUppercaseCharacters
Parameters:
AllowUsersToChangePassword:
Description: 'You can permit all IAM users in your account to use the IAM console to change their own passwords.'
Type: String
Default: true
AllowedValues:
- true
- false
HardExpiry:
Description: 'You can prevent IAM users from choosing a new password after their current password has expired.'
Type: String
Default: false
AllowedValues:
- true
- false
MaxPasswordAge:
Description: 'You can set IAM user passwords to be valid for only the specified number of days.'
Type: Number
Default: 90
ConstraintDescription: 'Must be in the range [0-1095]'
MinValue: 0
MaxValue: 1095
MinimumPasswordLength:
Description: 'You can specify the minimum number of characters allowed in an IAM user password.'
Type: Number
Default: 12
ConstraintDescription: 'Must be in the range [6-128]'
MinValue: 6
MaxValue: 128
PasswordReusePrevention:
Description: 'You can prevent IAM users from reusing a specified number of previous passwords.'
Type: Number
Default: 6
ConstraintDescription: 'Must be in the range [1-24]'
MinValue: 1
MaxValue: 24
RequireLowercaseCharacters:
Description: 'You can require that IAM user passwords contain at least one lowercase character from the ISO basic Latin alphabet (a to z).'
Type: String
Default: true
AllowedValues:
- true
- false
RequireNumbers:
Description: 'You can require that IAM user passwords contain at least one numeric character (0 to 9).'
Type: String
Default: true
AllowedValues:
- true
- false
RequireSymbols:
Description: 'You can require that IAM user passwords contain at least one of the following nonalphanumeric characters: ! @ # $ % ^ & * ( ) _ + - = [ ] {} | '''
Type: String
Default: true
AllowedValues:
- true
- false
RequireUppercaseCharacters:
Description: 'You can require that IAM user passwords contain at least one uppercase character from the ISO basic Latin alphabet (A to Z).'
Type: String
Default: true
AllowedValues:
- true
- false
Resources:
LambdaRole:
Type: 'AWS::IAM::Role'
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service: 'lambda.amazonaws.com'
Action:
- 'sts:AssumeRole'
Path: '/'
Policies:
- PolicyName: logs
PolicyDocument:
Statement:
- Effect: Allow
Action:
- 'logs:CreateLogGroup'
- 'logs:CreateLogStream'
- 'logs:PutLogEvents'
Resource: 'arn:aws:logs:*:*:*'
- PolicyName: iam
PolicyDocument:
Statement:
- Effect: Allow
Action:
- 'iam:UpdateAccountPasswordPolicy'
- 'iam:DeleteAccountPasswordPolicy'
Resource: '*'
LambdaFunction:
Type: 'AWS::Lambda::Function'
Properties:
Code:
ZipFile:
!Sub |
'use strict';
const AWS = require('aws-sdk');
const response = require('cfn-response');
const iam = new AWS.IAM({apiVersion: '2010-05-08'});
exports.handler = (event, context, cb) => {
console.log(`Invoke: ${!JSON.stringify(event)}`);
const done = (err) => {
if (err) {
console.log(`Error: ${!JSON.stringify(err)}`);
response.send(event, context, response.FAILED, {});
} else {
response.send(event, context, response.SUCCESS, {});
}
};
if (event.RequestType === 'Delete') {
iam.deleteAccountPasswordPolicy({}, done);
} else if (event.RequestType === 'Create' || event.RequestType === 'Update') {
iam.updateAccountPasswordPolicy({
AllowUsersToChangePassword: ${AllowUsersToChangePassword},
HardExpiry: ${HardExpiry},
MaxPasswordAge: ${MaxPasswordAge},
MinimumPasswordLength: ${MinimumPasswordLength},
PasswordReusePrevention: ${PasswordReusePrevention},
RequireLowercaseCharacters: ${RequireLowercaseCharacters},
RequireNumbers: ${RequireNumbers},
RequireSymbols: ${RequireSymbols},
RequireUppercaseCharacters: ${RequireUppercaseCharacters},
}, done);
} else {
cb(new Error(`unsupported RequestType: ${!event.RequestType}`));
}
};
Handler: 'index.handler'
MemorySize: 128
Role: !GetAtt 'LambdaRole.Arn'
Runtime: 'nodejs6.10'
Timeout: 60
PasswordPolicy:
DependsOn: LambdaFunction
Type: 'Custom::PasswordPolicy'
Version: '1.0'
Properties:
ServiceToken: !GetAtt 'LambdaFunction.Arn'
Outputs:
TemplateID:
Description: 'cloudonaut.io template id'
Value: 'security/account-password-policy'
StackName:
Description: 'Stack name'
Value: !Sub '${AWS::StackName}'