Gr01.6 (#84)

Adds a lambda for guardrail check 1.06. This lambda queries Identity Center and IAM for all users, then checks their policies. It gives compliant if there is at least one privileged user with admin access, and if no non-privileged users have admin access. Also updates 02 because I believe the backslash isn't needed to escape the '{' character
ssc-spc-ccoe-cei · Dec 11, 2024 · 2b66bf1 · 2b66bf1
1 parent 375a96a
commit 2b66bf1
Show file tree

Hide file tree

Showing 13 changed files with 1,098 additions and 15 deletions.
diff --git a/arch/lza_extensions/customizations/GCGuardrailsRoles.yaml b/arch/lza_extensions/customizations/GCGuardrailsRoles.yaml
@@ -49,7 +49,6 @@ Resources:
                               "arn:aws:sts::${AuditAccountID}:assumed-role/${RolePrefix}default_assessment_role/${OrganizationName}gc01_check_root_mfa",
                               "arn:aws:sts::${AuditAccountID}:assumed-role/${RolePrefix}default_assessment_role/${OrganizationName}gc02_check_group_access_configuration",
                               "arn:aws:sts::${AuditAccountID}:assumed-role/${RolePrefix}default_assessment_role/${OrganizationName}gc02_check_iam_password_policy",
-                              "arn:aws:sts::${AuditAccountID}:assumed-role/${RolePrefix}default_assessment_role/${OrganizationName}gc02_check_least_privileged_roles",
                               "arn:aws:sts::${AuditAccountID}:assumed-role/${RolePrefix}default_assessment_role/${OrganizationName}gc02_check_privileged_roles_review",
                               "arn:aws:sts::${AuditAccountID}:assumed-role/${RolePrefix}default_assessment_role/${OrganizationName}gc03_check_endpoint_access_config",
                               "arn:aws:sts::${AuditAccountID}:assumed-role/${RolePrefix}default_assessment_role/${OrganizationName}gc03_check_iam_cloudwatch_alarms",

diff --git a/arch/templates/AuditAccountPreRequisitesPart2.yaml b/arch/templates/AuditAccountPreRequisitesPart2.yaml
@@ -37,35 +37,35 @@ Resources:
       Runtime: !Ref PythonRuntime
       Timeout: 180
 
-  ## GC02
-  GC02CheckIAMPasswordPolicyLambda:
+  GC01CheckDedicatedAdminAccountLambda:
     Condition: IsAuditAccount
     Type: AWS::Lambda::Function
     Properties:
-      FunctionName: !Sub "${OrganizationName}gc02_check_iam_password_policy"
-      Code: "../../src/lambda/gc02_check_iam_password_policy/build/GC02CheckIAMPasswordPolicyLambda/"
+      FunctionName: !Sub "${OrganizationName}gc01_check_dedicated_admin_account"
+      Code: "../../src/lambda/gc01_check_dedicated_admin_account/build/GC01CheckDedicatedAdminAccountLambda/"
       Handler: app.lambda_handler
       Role: !Sub "arn:aws:iam::${AuditAccountID}:role/${RolePrefix}default_assessment_role"
       Runtime: !Ref PythonRuntime
       Timeout: 180
 
-  GC02CheckGroupAccessConfigurationLambda:
+  ## GC02
+  GC02CheckIAMPasswordPolicyLambda:
     Condition: IsAuditAccount
     Type: AWS::Lambda::Function
     Properties:
-      FunctionName: !Sub "${OrganizationName}gc02_check_group_access_configuration"
-      Code: "../../src/lambda/gc02_check_group_access_configuration/build/GC02CheckGroupAccessConfigurationLambda/"
+      FunctionName: !Sub "${OrganizationName}gc02_check_iam_password_policy"
+      Code: "../../src/lambda/gc02_check_iam_password_policy/build/GC02CheckIAMPasswordPolicyLambda/"
       Handler: app.lambda_handler
       Role: !Sub "arn:aws:iam::${AuditAccountID}:role/${RolePrefix}default_assessment_role"
       Runtime: !Ref PythonRuntime
       Timeout: 180
 
-  GC02CheckLeastPrivilegedRolesLambda:
+  GC02CheckGroupAccessConfigurationLambda:
     Condition: IsAuditAccount
     Type: AWS::Lambda::Function
     Properties:
-      FunctionName: !Sub "${OrganizationName}gc02_check_least_privileged_roles"
-      Code: "../../src/lambda/gc02_check_least_privileged_roles/build/GC02CheckLeastPrivilegedRolesLambda/"
+      FunctionName: !Sub "${OrganizationName}gc02_check_group_access_configuration"
+      Code: "../../src/lambda/gc02_check_group_access_configuration/build/GC02CheckGroupAccessConfigurationLambda/"
       Handler: app.lambda_handler
       Role: !Sub "arn:aws:iam::${AuditAccountID}:role/${RolePrefix}default_assessment_role"
       Runtime: !Ref PythonRuntime

diff --git a/arch/templates/ConformancePack.yaml b/arch/templates/ConformancePack.yaml
@@ -51,6 +51,10 @@ Parameters:
   PasswordPolicyHardExpiry:
     Default: "False"
     Type: String
+  PrivilegedUsersFilePath:
+    Type: String
+  NonPrivilegedUsersFilePath:
+    Type: String
   # GC02
   S3AccountManagementPlanPath:
     Type: String
@@ -309,6 +313,49 @@ Resources:
         SourceDetails:
           - EventSource: "aws.config"
             MessageType: "ScheduledNotification"
+
+  GC01CheckDedicatedAdminAccount:
+    Type: "AWS::Config::ConfigRule"
+    Properties:
+      ConfigRuleName: gc01_check_dedicated_admin_account
+      Description: Checks that there are dedicated user accounts for administration.
+      InputParameters:
+        PrivilegedUsersFilePath:
+          Fn::If:
+            - privilegedUsersFilePath
+            - Ref: PrivilegedUsersFilePath
+            - Ref: AWS::NoValue
+        NonPrivilegedUsersFilePath:
+          Fn::If:
+            - nonPrivilegedUsersFilePath
+            - Ref: NonPrivilegedUsersFilePath
+            - Ref: AWS::NoValue
+        ExecutionRoleName:
+          Fn::If:
+            - GCLambdaExecutionRoleName
+            - Ref: GCLambdaExecutionRoleName
+            - Ref: AWS::NoValue
+        AuditAccountID:
+          Fn::If:
+            - auditAccountID
+            - Ref: AuditAccountID
+            - Ref: AWS::NoValue
+      Scope:
+        ComplianceResourceTypes:
+          - AWS::Account
+      MaximumExecutionFrequency: TwentyFour_Hours
+      Source:
+        Owner: CUSTOM_LAMBDA
+        SourceIdentifier:
+          Fn::Join:
+            - ""
+            - - "arn:aws:lambda:ca-central-1:"
+              - Ref: AuditAccountID
+              - !Sub ":function:${OrganizationName}gc01_check_dedicated_admin_account"
+        SourceDetails:
+          - EventSource: "aws.config"
+            MessageType: "ScheduledNotification"
+
   GC01CheckMFAIAMUsersConfigRule:
     Type: "AWS::Config::ConfigRule"
     Properties:
@@ -1753,6 +1800,16 @@ Conditions:
       - Fn::Equals:
           - ""
           - Ref: PasswordPolicyHardExpiry
+  privilegedUsersFilePath:
+    Fn::Not:
+      - Fn::Equals:
+          - ""
+          - Ref: PrivilegedUsersFilePath
+  nonPrivilegedUsersFilePath:
+    Fn::Not:
+      - Fn::Equals:
+          - ""
+          - Ref: NonPrivilegedUsersFilePath
   # GC02
   s3AccountManagementPlanPath:
     Fn::Not:

diff --git a/arch/templates/main.yaml b/arch/templates/main.yaml
@@ -266,6 +266,8 @@ Resources:
                     "rds:Describe*",
                     "resource-explorer-2:ListIndexes",
                     "resource-explorer-2:Search",
+                    "sso:List*",
+                    "sso:GetInlinePolicyForPermissionSet",
                     "s3:Get*",
                     "s3:GetBucketPublicAccessBlock",
                     "s3:List*",
@@ -1179,6 +1181,14 @@ Resources:
               - "iam:Get*"
               - "iam:List*"
               - "iam:Simulate*"
+              - "iam:ListUserPolicies"
+              - "iam:GetUserPolicy"
+              - "iam:ListAttachedUserPolicies"
+              - "iam:ListPolicies"
+              - "iam:ListGroupsForUser"
+              - "iam:ListAttachedGroupPolicies"
+              - "iam:ListGroupPolicies"
+              - "iam:GetPolicyVersion"
             Resource: "*"
             Effect: Allow
           - Sid: AllowCloudWatchAlarmQueries
@@ -1243,6 +1253,13 @@ Resources:
               - "s3:ListAllMyBuckets"
               - "s3:ListBucket"
               - "s3:GetBucketPublicAccessBlock"
+              - "sso:ListInstances"
+              - "sso:ListUsers"
+              - "sso:ListManagedPoliciesInPermissionSet"
+              - "sso:GetInlinePolicyForPermissionSet"
+              - "sso:ListCustomerManagedPolicyReferencesInPermissionSet"
+              - "sso:ListPermissionSetsProvisionedToAccount"
+              - "sso:ListAccountAssignments"
               - "sns:GetSubscriptionAttributes"
               - "sns:GetTopicAttributes"
               - "sns:ListSubscriptionsByTopic"
@@ -1490,6 +1507,14 @@ Resources:
           ParameterValue: !Sub
             - "s3://${ClientEvidenceBucket}/gc-03/vpn_ip_ranges.txt"
             - ClientEvidenceBucket: !If [ GenerateEvidenceBucketName, !GetAtt GenerateEvidenceBucketName.EvidenceBucketName, !Ref EvidenceBucketName ]
+        - ParameterName: PrivilegedUsersFilePath
+          ParameterValue: !Sub
+            - "s3://${ClientEvidenceBucket}/gc-01/privileged_users.txt"
+            - ClientEvidenceBucket: !If [ GenerateEvidenceBucketName, !GetAtt GenerateEvidenceBucketName.EvidenceBucketName, !Ref EvidenceBucketName ]
+        - ParameterName: NonPrivilegedUsersFilePath
+          ParameterValue: !Sub
+            - "s3://${ClientEvidenceBucket}/gc-01/non_privileged_users.txt"
+            - ClientEvidenceBucket: !If [ GenerateEvidenceBucketName, !GetAtt GenerateEvidenceBucketName.EvidenceBucketName, !Ref EvidenceBucketName ]
       OrganizationConformancePackName: !Sub "${OrganizationName}-GC-CP-Guardrails"
       TemplateS3Uri: !Sub s3://${PipelineBucket}/${DeployVersion}/ConformancePack.yaml
 

diff --git a/src/lambda/aws_lambda_permissions_setup/app.py b/src/lambda/aws_lambda_permissions_setup/app.py
@@ -72,6 +72,7 @@ def apply_lambda_permissions():
     lambda_functions = {
         f"{organization_name}gc01_check_alerts_flag_misuse": ["GC01CheckAlertsFlagMisuseLambda"],
         f"{organization_name}gc01_check_attestation_letter": ["GC01CheckAttestationLetterLambda"],
+        f"{organization_name}gc01_check_dedicated_admin_account": ["GC01CheckDedicatedAdminAccountLambda"],
         f"{organization_name}gc01_check_federated_users_mfa": ["GC01CheckFederatedUsersMFALambda"],
         f"{organization_name}gc01_check_iam_users_mfa": ["GC01CheckIAMUsersMFALambda"],
         f"{organization_name}gc01_check_mfa_digital_policy": ["GC01CheckMFADigitalPolicy"],
@@ -81,7 +82,6 @@ def apply_lambda_permissions():
         f"{organization_name}gc02_check_password_protection_mechanisms": ["GC02CheckPasswordProtectionMechanismsLambda"],
         f"{organization_name}gc02_check_iam_password_policy": ["GC02CheckIAMPasswordPolicyLambda"],
         f"{organization_name}gc02_check_group_access_configuration": ["GC02CheckGroupAccessConfigurationLambda"],
-        f"{organization_name}gc02_check_least_privileged_roles": ["GC02CheckLeastPrivilegedRolesLambda"],
         f"{organization_name}gc02_check_privileged_roles_review": ["GC02CheckPrivilegedRolesReviewLambda"],
         f"{organization_name}gc03_check_endpoint_access_config": ["GC03CheckEndpointAccessConfigLambda"],
         f"{organization_name}gc03_check_iam_cloudwatch_alarms": ["GC03CheckIAMCloudWatchAlarmsLambda"],