A config rule that checks whether each Lambda function has the permission for logging. Each Lambda functions should have an IAM role with appropriate IAM permissions to publish its Lambda function logs to CloudWatch.
This configuration will create a Lambda Function for the Custom Config Rule, as well as the supporting IAM Role to allow the execution of the function.
AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Resources:
CustomConfigRule:
Type: 'AWS::Config::ConfigRule'
Properties:
ConfigRuleName: lambda_role_allowed_on_logging
Scope:
ComplianceResourceTypes:
- 'AWS::Lambda::Function'
Description: >-
A config rule that checks whether each Lambda function has the
permission for logging. Each Lambda functions should have an IAM role
with appropriate IAM permissions to publish its Lambda function logs to
CloudWatch.
Source:
Owner: CUSTOM_LAMBDA
SourceIdentifier:
'Fn::GetAtt':
- LambdaFunction
- Arn
SourceDetails:
- EventSource: aws.config
MessageType: ConfigurationItemChangeNotification
- EventSource: aws.config
MessageType: OversizedConfigurationItemChangeNotification
DependsOn: LambdaInvokePermissions
LambdaInvokePermissions:
Type: 'AWS::Lambda::Permission'
Properties:
FunctionName:
'Fn::GetAtt':
- LambdaFunction
- Arn
Action: 'lambda:InvokeFunction'
Principal: config.amazonaws.com
LambdaFunction:
Type: 'AWS::Lambda::Function'
Properties:
FunctionName: LambdaForlambda_role_allowed_on_logging
Handler: index.lambda_handler
Role:
'Fn::GetAtt':
- LambdaIamRole
- Arn
Runtime: python3.6
Code:
S3Bucket:
'Fn::Sub':
- 'asecure-cloud-cf-aux-${Region}'
- Region:
Ref: 'AWS::Region'
S3Key: LAMBDA_ROLE_ALLOWED_ON_LOGGING.zip
Timeout: 300
DependsOn: LambdaIamRole
LambdaIamRole:
Type: 'AWS::IAM::Role'
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
Action:
- 'sts:AssumeRole'
ManagedPolicyArns:
- 'arn:aws:iam::aws:policy/ReadOnlyAccess'
- 'arn:aws:iam::aws:policy/service-role/AWSConfigRulesExecutionRole'
- 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
Policies: []
RoleName: IAMRoleForlambda_role_allowed_on_loggingEDU
Parameters: {}
Metadata: {}
Conditions: {}
Configuration Source: AWS Config Rule Repository
Additional Documentation: