Description: IAM User For AWS console login Parameters: NotificationEmailaddress: Description: E-mail address for notification Type: String Default: mail@example.com AllowIPrangeSwitchrole: Description: Allow IP range (switch role) Type: String Default: 0.0.0.0/0 IamUserAdmin: Description: Administrator IAM user (Notified when used) Type: String Default: origin-iam-admin SampleIamUserEnable: Description: Whether to create a sample IAM user Type: String Default: 'true' AllowedValues: - 'true' - 'false' AllowCreateAccessKey: Description: Allow users to create access keys Type: String Default: 'false' AllowedValues: - 'true' - 'false' Conditions: IsSampleIamUser: !Equals [!Ref 'SampleIamUserEnable', 'true'] IsAllowCreateAccessKey: !Equals [!Ref 'AllowCreateAccessKey', 'true'] Resources: IamUserAdminSample: Type: AWS::IAM::User Condition: IsSampleIamUser Properties: UserName: sample-iam-user-admin Groups: - !Ref 'IamGroupAdmin' IamUserPoweruserSample: Type: AWS::IAM::User Condition: IsSampleIamUser Properties: UserName: sample-iam-user-poweruser Groups: - !Ref 'IamGroupPowerUser' IamUserReadonlySample: Type: AWS::IAM::User Condition: IsSampleIamUser Properties: UserName: sample-iam-user-readonly Groups: - !Ref 'IamGroupReadonly' IamGroupAdmin: Type: AWS::IAM::Group Properties: GroupName: iam-group-admin ManagedPolicyArns: - arn:aws:iam::aws:policy/ReadOnlyAccess Policies: - PolicyName: PolicieAllowAssumeRoleAdmin PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - sts:AssumeRole Resource: - !GetAtt 'IamRoleAdmin.Arn' - !GetAtt 'IamRolePowerUser.Arn' Condition: Bool: aws:MultiFactorAuthPresent: 'true' IpAddress: aws:SourceIp: - !Ref 'AllowIPrangeSwitchrole' IamGroupPowerUser: Type: AWS::IAM::Group Properties: GroupName: iam-group-poweruser ManagedPolicyArns: - arn:aws:iam::aws:policy/ReadOnlyAccess Policies: - PolicyName: PolicieAllowAssumeRolePowerUser PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - sts:AssumeRole Resource: - !GetAtt 'IamRolePowerUser.Arn' Condition: Bool: aws:MultiFactorAuthPresent: 'true' IpAddress: aws:SourceIp: - !Ref 'AllowIPrangeSwitchrole' IamGroupReadonly: Type: AWS::IAM::Group Properties: GroupName: iam-group-readonly ManagedPolicyArns: - arn:aws:iam::aws:policy/ReadOnlyAccess IamPolicyAllowManageSelfcredentials: Type: AWS::IAM::Policy Properties: PolicyName: policy-manage-self-credentials PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - iam:ListAccountAliases - iam:ListUsers - iam:GetAccountPasswordPolicy - iam:GetAccountSummary Resource: - !Sub 'arn:aws:iam::${AWS::AccountId}:*' - Effect: Allow Action: - iam:ChangePassword - iam:CreateLoginProfile - iam:DeleteLoginProfile - iam:GetLoginProfile - iam:ListAccessKeys - iam:ListSigningCertificates - iam:ListSSHPublicKeys - iam:RequestSmsMfaRegistration - iam:FinalizeSmsMfaRegistration Resource: - !Join ['', ['arn:aws:iam::', !Ref 'AWS::AccountId', ':user/${aws:username}']] - Effect: Allow Action: - iam:ListVirtualMFADevices Resource: - !Sub 'arn:aws:iam::${AWS::AccountId}:mfa/*' - !Join ['', ['arn:aws:iam::', !Ref 'AWS::AccountId', ':user/${aws:username}']] - Effect: Allow Action: - iam:CreateVirtualMFADevice - iam:EnableMFADevice - iam:ResyncMFADevice - iam:DeleteVirtualMFADevice Resource: - !Join ['', ['arn:aws:iam::', !Ref 'AWS::AccountId', ':sms-mfa/${aws:username}']] - !Join ['', ['arn:aws:iam::', !Ref 'AWS::AccountId', ':mfa/${aws:username}']] - !Join ['', ['arn:aws:iam::', !Ref 'AWS::AccountId', ':user/${aws:username}']] - Effect: Allow Action: - iam:DeactivateMFADevice - iam:UpdateLoginProfile Resource: - !Join ['', ['arn:aws:iam::', !Ref 'AWS::AccountId', ':mfa/${aws:username}']] - !Join ['', ['arn:aws:iam::', !Ref 'AWS::AccountId', ':user/${aws:username}']] Condition: Bool: aws:MultiFactorAuthPresent: 'true' Groups: - !Ref 'IamGroupAdmin' - !Ref 'IamGroupPowerUser' - !Ref 'IamGroupReadonly' IamPolicyllowCreateAccessKey: Type: AWS::IAM::Policy Condition: IsAllowCreateAccessKey Properties: PolicyName: policy-manage-self-credentials PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - iam:CreateAccessKey - iam:UpdateAccessKey - iam:DeleteAccessKey - iam:DeleteSigningCertificate - iam:UpdateSigningCertificate - iam:UploadSigningCertificate - iam:GetSSHPublicKey - iam:DeleteSSHPublicKey - iam:UpdateSSHPublicKey - iam:UploadSSHPublicKey Resource: - !Join ['', ['arn:aws:iam::', !Ref 'AWS::AccountId', ':user/${aws:username}']] Condition: Bool: aws:MultiFactorAuthPresent: 'true' Groups: - !Ref 'IamGroupAdmin' - !Ref 'IamGroupPowerUser' - !Ref 'IamGroupReadonly' IamPolicyDenyS3DynamoDB: Type: AWS::IAM::Policy Properties: PolicyName: Policy-deny-S3-DynamoDB-access PolicyDocument: Version: '2012-10-17' Statement: - Effect: Deny Action: - s3:GetObject - DynamoDB:Get* - DynamoDB:Scan - DynamoDB:Query - DynamoDB:BatchGetItem Resource: - '*' Groups: - !Ref 'IamGroupAdmin' - !Ref 'IamGroupPowerUser' - !Ref 'IamGroupReadonly' IamRoleAdmin: Type: AWS::IAM::Role Properties: ManagedPolicyArns: - arn:aws:iam::aws:policy/AdministratorAccess AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root' Action: sts:AssumeRole Condition: Bool: aws:MultiFactorAuthPresent: 'true' Policies: - PolicyName: PolicyIamRoleAdmin PolicyDocument: Version: '2012-10-17' Statement: - Effect: Deny Action: - CloudTrail:DeleteTrail - CloudTrail:StopLogging Resource: - '*' RoleName: iam-role-admin IamRolePowerUser: Type: AWS::IAM::Role Properties: ManagedPolicyArns: - arn:aws:iam::aws:policy/PowerUserAccess AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root' Action: sts:AssumeRole Condition: Bool: aws:MultiFactorAuthPresent: 'true' Policies: - PolicyName: PolicyIamRolePoweruser PolicyDocument: Version: '2012-10-17' Statement: - Effect: Deny Action: - CloudTrail:DeleteTrail - CloudTrail:StopLogging - CloudTrail:UpdateTrail Resource: - '*' - Effect: Deny Action: - s3:Delete* - s3:Put* Resource: arn:aws:s3:::cloudtrail-* RoleName: iam-role-poweruser EventRuleAdminswich: Type: AWS::Events::Rule Properties: Description: EventRule EventPattern: detail-type: - AWS API Call via CloudTrail detail: eventSource: - sts.amazonaws.com eventName: - AssumeRole requestParameters: roleArn: - !GetAtt 'IamRoleAdmin.Arn' State: ENABLED Targets: - Arn: !Ref 'SnsTopicAdminNotification' Id: EventRuleAdminswich InputTransformer: InputTemplate: '"Usage of the administrator role () by the IAM user (). eventTime: , sourceIPAddress: , userAgent: "' InputPathsMap: eventTime: $.detail.eventTime userIdentity: $.detail.userIdentity.arn requestParameters: $.detail.requestParameters.roleArn sourceIPAddress: $.detail.sourceIPAddress userAgent: $.detail.userAgent EventRuleAdminUserLogin: Type: AWS::Events::Rule Properties: Description: EventRule EventPattern: detail-type: - AWS API Call via CloudTrail detail: eventSource: - signin.amazonaws.com eventName: - ConsoleLogin eventType: - AwsConsoleSignIn userIdentity: userName: - !Ref 'IamUserAdmin' State: ENABLED Targets: - Arn: !Ref 'SnsTopicAdminNotification' Id: EventRuleAdminUserLogin InputTransformer: InputTemplate: '"Administrator IAM user login has occurred. (). eventTime: , sourceIPAddress: , userAgent: "' InputPathsMap: eventTime: $.detail.eventTime userIdentity: $.detail.userIdentity.arn sourceIPAddress: $.detail.sourceIPAddress userAgent: $.detail.userAgent EventRuleRootLogin: Type: AWS::Events::Rule Properties: Description: EventRule EventPattern: detail-type: - AWS API Call via CloudTrail detail: eventSource: - signin.amazonaws.com eventName: - ConsoleLogin eventType: - AwsConsoleSignIn userIdentity: type: - Root State: ENABLED Targets: - Arn: !Ref 'SnsTopicAdminNotification' Id: EventRuleRootLogin InputTransformer: InputTemplate: '"Root login has occurred. (). eventTime: , sourceIPAddress: , userAgent: "' InputPathsMap: eventTime: $.detail.eventTime userIdentity: $.detail.userIdentity.arn sourceIPAddress: $.detail.sourceIPAddress userAgent: $.detail.userAgent SnsTopicAdminNotification: Type: AWS::SNS::Topic Properties: DisplayName: !Sub 'AWS-AdminRole-Notification (${AWS::AccountId})' Subscription: - Endpoint: !Ref 'NotificationEmailaddress' Protocol: email SnsTopicAdminNotificationPolicy: Type: AWS::SNS::TopicPolicy Properties: PolicyDocument: Version: '2012-10-17' Id: SnsTopicAdminNotificationPolicy Statement: - Sid: SnsTopicAdminNotificationPolicy Effect: Allow Principal: Service: - events.amazonaws.com Action: - sns:Publish Resource: !Ref 'SnsTopicAdminNotification' Topics: - !Ref 'SnsTopicAdminNotification'