mfa-audit-broken.yml
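# Cloud Custodian policies for IAM users in the 'Administrators' group that
# have no MFA device. Two stages: a reminder while the account is new, then
# removal of console access and access keys once it is older than 5 days.
# Both run as periodic Lambda functions under the same execution role and
# deliver notifications through c7n-mailer (SES + Slack) via an SQS queue.
#
# NOTE(review): the account id "1234567890" has 10 digits; AWS account ids
# are 12 digits, so treat it as a placeholder and substitute your own.
policies:
  # Stage 1 — remind recently created users to enrol an MFA device.
  - name: mfa-audit-reminder
    description: Cloud Custodian MFA Audit Notification
    comment: |
      Retrieve list of all IAM users with MFA disabled
      in the group 'Administrators' and send notification
      if MFA is not enabled after 3 days of the create date.
      Send notification via SES and Slack.
    resource: iam-user
    mode:
      type: periodic
      # Scope this role to the IAM read calls and the sqs:SendMessage the
      # notify action needs; it does not need any IAM write permission.
      role: arn:aws:iam::1234567890:role/CloudCustodian
      # Every run re-notifies every matching user; notify has no dedupe of
      # its own, so expect a message every 5 minutes per user until the
      # user stops matching.
      schedule: "rate(5 minutes)"
    filters:
      # mfa_active is read from the IAM credential report, which AWS only
      # regenerates periodically — a freshly enrolled device can still show
      # as false for a while after enrolment.
      - type: credential
        key: mfa_active
        value: false
      - type: group
        key: GroupName
        value: Administrators
      # value_type: age reverses the operator: less-than 3 matches users
      # whose CreateDate is less than 3 days old, i.e. created within the
      # last 3 days — not "after 3 days" as the comment above says. Confirm
      # which one is intended before relying on this policy.
      - type: value
        key: CreateDate
        op: less-than
        value_type: age
        value: 3
    actions:
      - type: notify
        # NOTE(review): this template name carries an .html suffix while the
        # second policy's does not; confirm both resolve to templates the
        # mailer can locate.
        template: mfa-audit-reminder.html
        template_format: 'html'
        slack_template: slack-mfa-audit-reminder
        priority_header: '5'
        subject: 'Security Audit: IAM users in Administrators group with MFA Disabled'
        to:
          - <your-verified-email-address-goes-here>
          - slack://#<slack-channel>
        owner_absent_contact:
          - <your-verified-email-address-goes-here>
        transport:
          type: sqs
          queue: https://sqs.us-east-1.amazonaws.com/1234567890/cloud-cloudcustodian

  # Stage 2 — revoke access for users still without MFA after 5 days.
  # This is destructive for members of an admin group: run it with --dryrun
  # and review the matched set before enabling it on a schedule.
  - name: mfa-audit-disable-access
    description: Cloud Custodian MFA Audit Disable Access
    comment: |
      Retrieve list of all IAM users with MFA disabled
      in the group 'Administrators' and send notification
      if MFA is not enabled after 5 days of inactivity.
      Send notification via SES and Slack.
      Disable user access to management console.
      Delete user access-keys.
    resource: iam-user
    mode:
      type: periodic
      # This policy needs IAM write permission (deleting login profiles and
      # access keys) on top of what the reminder policy needs; consider a
      # separate, more privileged role rather than sharing one.
      role: arn:aws:iam::1234567890:role/CloudCustodian
      schedule: "rate(5 minutes)"
    filters:
      - type: credential
        key: mfa_active
        value: false
      - type: group
        key: GroupName
        value: Administrators
      # greater-than 5 with value_type: age matches users whose CreateDate is
      # more than 5 days old. The policy comment says "5 days of inactivity",
      # but nothing here looks at last activity — only the creation date.
      - type: value
        key: CreateDate
        op: greater-than
        value_type: age
        value: 5
    actions:
      # Actions run in listed order: access is removed first, then the
      # notification reports what was done.
      - type: delete
        options:
          - access-keys
          - console-access
      - type: notify
        template: mfa-audit-disable-access
        template_format: 'html'
        slack_template: slack-mfa-audit-disable-access
        priority_header: '5'
        subject: 'Security Audit: AWS Console Access Disabled and Access Keys Deleted'
        to:
          - <your-verified-email-address-goes-here>
          - slack://#<slack-channel>
        owner_absent_contact:
          - <your-verified-email-address-goes-here>
        transport:
          type: sqs
          queue: https://sqs.us-east-1.amazonaws.com/1234567890/cloud-cloudcustodian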