3.3 removal

arch/lza_extensions/customizations/GCGuardrailsRoles.yaml

@@ -53,7 +53,6 @@ Resources:
                             "arn:aws:sts::${AuditAccountID}:assumed-role/${RolePrefix}default_assessment_role/${OrganizationName}gc02_check_password_protection_mechanisms",
                             "arn:aws:sts::${AuditAccountID}:assumed-role/${RolePrefix}default_assessment_role/${OrganizationName}gc02_check_privileged_roles_review",
                             "arn:aws:sts::${AuditAccountID}:assumed-role/${RolePrefix}default_assessment_role/${OrganizationName}gc03_check_endpoint_access_config",
-                            "arn:aws:sts::${AuditAccountID}:assumed-role/${RolePrefix}default_assessment_role/${OrganizationName}gc03_check_iam_cloudwatch_alarms",
                             "arn:aws:sts::${AuditAccountID}:assumed-role/${RolePrefix}default_assessment_role/${OrganizationName}gc03_check_trusted_devices_admin_access",
                             "arn:aws:sts::${AuditAccountID}:assumed-role/${RolePrefix}default_assessment_role/${OrganizationName}gc04_check_alerts_flag_misuse",
                             "arn:aws:sts::${AuditAccountID}:assumed-role/${RolePrefix}default_assessment_role/${OrganizationName}gc04_check_enterprise_monitoring",

arch/templates/AuditAccountPreRequisitesPart4.yaml

@@ -269,24 +269,6 @@ Resources:
         Variables:
           DEFAULT_CLOUD_PROFILE: !Ref DefaultCloudProfile
 
-  GC03CheckIAMCloudWatchAlarmsLambda:
-    Condition: IsAuditAccount
-    Type: AWS::Lambda::Function
-    Properties:
-      FunctionName: !Sub "${OrganizationName}gc03_check_iam_cloudwatch_alarms"
-      Code: "../../src/lambda/gc03_check_iam_cloudwatch_alarms/build/GC03CheckIAMCloudWatchAlarmsLambda/"
-      Handler: app.lambda_handler
-      Role: !Sub "arn:aws:iam::${AuditAccountID}:role/${RolePrefix}default_assessment_role"
-      Runtime: !Ref PythonRuntime
-      Timeout: 180
-      Layers:
-        - !Ref CloudGuardrailsCommonLayer
-      LoggingConfig:
-        LogGroup: !Sub "${OrganizationName}gc_guardrails"
-        LogFormat: "JSON"
-      Environment:
-        Variables:
-          DEFAULT_CLOUD_PROFILE: !Ref DefaultCloudProfile
 
   GC03CheckTrustedDevicesAdminAccessLambda:
     Condition: IsAuditAccount

arch/templates/ConformancePack.yaml

@@ -691,38 +691,6 @@ Resources:
         SourceDetails:
           - EventSource: "aws.config"
             MessageType: "ScheduledNotification"
-  GC03CheckIAMCloudWatchAlarmsConfigRule:
-    Type: "AWS::Config::ConfigRule"
-    Properties:
-      ConfigRuleName: gc03_check_iam_cloudwatch_alarms
-      Description: Confirms if the ASEA CloudWatch Alarms for Unauthorized IPs and Sign-in without MFA are enabled
-      InputParameters:
-        ExecutionRoleName:
-          Fn::If:
-            - GCLambdaExecutionRoleName
-            - Ref: GCLambdaExecutionRoleName
-            - Ref: AWS::NoValue
-        AuditAccountID:
-          Fn::If:
-            - auditAccountID
-            - Ref: AuditAccountID
-            - Ref: AWS::NoValue
-        AlarmList: !Ref GC03AlarmList
-      Scope:
-        ComplianceResourceTypes:
-          - AWS::Account
-      MaximumExecutionFrequency: TwentyFour_Hours
-      Source:
-        Owner: CUSTOM_LAMBDA
-        SourceIdentifier:
-          Fn::Join:
-            - ""
-            - - "arn:aws:lambda:ca-central-1:"
-              - Ref: AuditAccountID
-              - !Sub ":function:${OrganizationName}gc03_check_iam_cloudwatch_alarms"
-        SourceDetails:
-          - EventSource: "aws.config"
-            MessageType: "ScheduledNotification"
   GC03CheckTrustedDevicesAdminAccessConfigRule:
     Type: "AWS::Config::ConfigRule"
     Properties:

doc/NOTES.md

@@ -129,7 +129,6 @@ Note: since both buckets are generated by the same lambda function, ensure to pr
         f"{organization_name}gc02_check_account_mgmt_plan": ["GC02CheckAccountManagementPlanLambda"],
         f"{organization_name}gc02_check_iam_password_policy": ["GC02CheckIAMPasswordPolicyLambda"],
         f"{organization_name}gc03_check_endpoint_access_config": ["GC03CheckEndpointAccessConfigLambda"],
-        f"{organization_name}gc03_check_iam_cloudwatch_alarms": ["GC03CheckIAMCloudWatchAlarmsLambda"],
         f"{organization_name}gc03_check_trusted_devices_admin_access": ["GC03CheckTrustedDevicesAdminAccessLambda"],
         f"{organization_name}gc04_check_enterprise_monitoring": ["GC04CheckEnterpriseMonitoringLambda"],
         f"{organization_name}gc05_check_data_location": ["GC05CheckDataLocationLambda"],
@@ -277,28 +276,6 @@ The following lambdas (starting with gc(n)\_ prefix) are used as part of AWS Con
 - Testing Status: SUCCESS ✅
   - Note: evaluation not recorded in AWS Config when there are no IAM users
 
-## gc03_check_iam_cloudwatch_alarms
-
-- Hardcoded values (defaults) 🔥
-
-  ```py
-  def check_cloudwatch_alarms(
-      alarm_names=[
-          "ASEA-AWS-IAM-Authentication-From-Unapproved-IP",
-          "ASEA-AWS-SSO-Authentication-From-Unapproved-IP",
-          "ASEA-AWS-Console-SignIn-Without-MFA",
-      ]
-  ):
-  ```
-
-- Linting info
-  - Score 9.15/10 💡
-  - Line Length >100 (mainly loggers)
-  - Unused arguments
-  - Global variables (from main handler method)
-- Check against the Management Account
-- Testing Status: SUCCESS ✅
-
 ## gc04_check_enterprise_monitoring
 
 - No hardcoding ✅

src/lambda/aws_auditmanager_resources_config_setup/audit_manager_custom_framework.py

@@ -337,27 +337,6 @@
                         ],
                         "tags": {},
                     },
-                    {
-                        "type": "Custom",
-                        "name": "gc03_check_iam_cloudwatch_alarms",
-                        "description": "Confirm ASEA CloudWatch Alarms are configured for access from Unauthorized IP addresses and sign-in without MFA..Source: https://github.com/canada-ca/cloud-guardrails/blob/master/EN/03_Secure-Endpoints.md",
-                        "testingInformation": "",
-                        "actionPlanTitle": "Review CloudWatch Alarms",
-                        "actionPlanInstructions": "Go to AWS CloudWatch Alarms, and ensure alarms have been configured as required.",
-                        "controlSources": "AWS Config",
-                        "controlMappingSources": [
-                            {
-                                "sourceName": "CW-check",
-                                "sourceSetUpOption": "System_Controls_Mapping",
-                                "sourceType": "AWS_Config",
-                                "sourceKeyword": {
-                                    "keywordInputType": "SELECT_FROM_LIST",
-                                    "keywordValue": "Custom_gc03_check_iam_cloudwatch_alarms-conformance-pack",
-                                },
-                            }
-                        ],
-                        "tags": {},
-                    },
                     {
                         "type": "Custom",
                         "name": "gc03_check_trusted_devices_admin_access",

src/lambda/aws_lambda_permissions_setup/app.py

@@ -85,7 +85,6 @@ def apply_lambda_permissions():
         f"{organization_name}gc02_check_password_protection_mechanisms": ["GC02CheckPasswordProtectionMechanismsLambda"],
         f"{organization_name}gc02_check_privileged_roles_review": ["GC02CheckPrivilegedRolesReviewLambda"],
         f"{organization_name}gc03_check_endpoint_access_config": ["GC03CheckEndpointAccessConfigLambda"],
-        f"{organization_name}gc03_check_iam_cloudwatch_alarms": ["GC03CheckIAMCloudWatchAlarmsLambda"],
         f"{organization_name}gc03_check_trusted_devices_admin_access": ["GC03CheckTrustedDevicesAdminAccessLambda"],
         f"{organization_name}gc04_check_alerts_flag_misuse": ["GC04CheckAlertsFlagMisuseLambda"],
         f"{organization_name}gc04_check_enterprise_monitoring": ["GC04CheckEnterpriseMonitoringLambda"],