You must be logged in to view saved presets
A config rule that checks that Customer Managed keys are not scheduled for deletion. The rule is NON_COMPLAINT if the Customer Managed Keys are scheduled for deletion. This rule does not include AWS-managed and Imported Keys.
This configuration will create a Lambda Function for the Custom Config Rule, as well as the supporting IAM Role to allow the execution of the function.
AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Resources:
CustomConfigRule:
Type: 'AWS::Config::ConfigRule'
Properties:
ConfigRuleName: kms_keys_to_not_delete
Scope:
ComplianceResourceTypes:
- 'AWS::KMS::Key'
Description: A config rule that checks that Customer Managed keys are not scheduled for deletion. The rule is NON_COMPLAINT if the Customer Managed Keys are scheduled for deletion. This rule does not include AWS-managed and Imported Keys.
Source:
Owner: CUSTOM_LAMBDA
SourceIdentifier:
'Fn::GetAtt':
- LambdaFunctionCustomConfigRule
- Arn
SourceDetails:
- EventSource: aws.config
MessageType: ScheduledNotification
MaximumExecutionFrequency: One_Hour
DependsOn: LambdaInvokePermissionsCustomConfigRule
LambdaInvokePermissionsCustomConfigRule:
Type: 'AWS::Lambda::Permission'
Properties:
FunctionName:
'Fn::GetAtt':
- LambdaFunctionCustomConfigRule
- Arn
Action: 'lambda:InvokeFunction'
Principal: config.amazonaws.com
LambdaFunctionCustomConfigRule:
Type: 'AWS::Lambda::Function'
Properties:
FunctionName: LambdaForkms_keys_to_not_delete
Handler: index.lambda_handler
Role:
'Fn::GetAtt':
- LambdaIamRoleCustomConfigRule
- Arn
Runtime: python3.9
Code:
S3Bucket:
'Fn::Sub':
- 'asecure-cloud-cf-aux-${Region}'
- Region:
Ref: 'AWS::Region'
S3Key: KMS_KEYS_TO_NOT_DELETE.zip
Timeout: 300
DependsOn: LambdaIamRoleCustomConfigRule
LambdaIamRoleCustomConfigRule:
Type: 'AWS::IAM::Role'
Properties:
RoleName: IAMRoleForkms_keys_to_not_deleteMeL
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
Action:
- 'sts:AssumeRole'
ManagedPolicyArns:
- 'arn:aws:iam::aws:policy/ReadOnlyAccess'
- 'arn:aws:iam::aws:policy/service-role/AWSConfigRulesExecutionRole'
- 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
Parameters: {}
Metadata: {}
Conditions: {}