A config rule that checks whether each Lambda function has the permission for logging. Each Lambda functions should have an IAM role with appropriate IAM permissions to publish its Lambda function logs to CloudWatch.

This configuration will create a Lambda Function for the Custom Config Rule, as well as the supporting IAM Role to allow the execution of the function.

Items
4
Size
2.4 KB
AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Resources:
  CustomConfigRule:
    Type: 'AWS::Config::ConfigRule'
    Properties:
      ConfigRuleName: lambda_role_allowed_on_logging
      Scope:
        ComplianceResourceTypes:
          - 'AWS::Lambda::Function'
      Description: A config rule that checks whether each Lambda function has the permission for logging. Each Lambda functions should have an IAM role with appropriate IAM permissions to publish its Lambda function logs to CloudWatch.
      Source:
        Owner: CUSTOM_LAMBDA
        SourceIdentifier:
          'Fn::GetAtt':
            - LambdaFunctionCustomConfigRule
            - Arn
        SourceDetails:
          - EventSource: aws.config
            MessageType: ConfigurationItemChangeNotification
          - EventSource: aws.config
            MessageType: OversizedConfigurationItemChangeNotification
    DependsOn: LambdaInvokePermissionsCustomConfigRule
  LambdaInvokePermissionsCustomConfigRule:
    Type: 'AWS::Lambda::Permission'
    Properties:
      FunctionName:
        'Fn::GetAtt':
          - LambdaFunctionCustomConfigRule
          - Arn
      Action: 'lambda:InvokeFunction'
      Principal: config.amazonaws.com
  LambdaFunctionCustomConfigRule:
    Type: 'AWS::Lambda::Function'
    Properties:
      FunctionName: LambdaForlambda_role_allowed_on_logging
      Handler: index.lambda_handler
      Role:
        'Fn::GetAtt':
          - LambdaIamRoleCustomConfigRule
          - Arn
      Runtime: python3.9
      Code:
        S3Bucket:
          'Fn::Sub':
            - 'asecure-cloud-cf-aux-${Region}'
            - Region:
                Ref: 'AWS::Region'
        S3Key: LAMBDA_ROLE_ALLOWED_ON_LOGGING.zip
      Timeout: 300
    DependsOn: LambdaIamRoleCustomConfigRule
  LambdaIamRoleCustomConfigRule:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: IAMRoleForlambda_role_allowed_on_loggingRfs
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/ReadOnlyAccess'
        - 'arn:aws:iam::aws:policy/service-role/AWSConfigRulesExecutionRole'
        - 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
Parameters: {}
Metadata: {}
Conditions: {}

Actions



Customize Template

Rule Settings


Rule Parameters

No rule parameters

Trigger Settings

* Required field