The code provided within this subcomponent creates the AWS resources required to implement several policies using the Cloud Custodian serverless rules engine. Cloud Custodian is an open source tool developed by Capital One to provide automated governance, security, compliance, and cost optimization for cloud environments. The grace-cloudcustodian subcomponent focuses on policies for IAM user management and helps cover several Security Controls dealing with Identification and Authentication.
NOTE: Additional information regarding the usage and configuration of Cloud Custodian can be found in the Cloud Custodian documentation.
- Description
- Diagram
- Cloud Custodian Policies
- Inputs
- Deployment Guide
- Usage
- Security Compliance
- Public Domain
| Name | Description | Schedule |
|---|---|---|
| iam-user-keys-expiration | Notifies IAM users with AWS Access Keys older than 80 days | Daily |
| iam-user-keys-disable | Deletes IAM user AWS Access Keys older than 90 days | Daily |
| iam-user-mfa-false | Notifies IAM users that have not activated MFA after 24 hours | Daily |
| iam-user-password-expiration | Notifies IAM users with passwords older than 80 days | Daily |
| iam-user-password-disable | Deletes console access for IAM users with passwords older than 90 days | Daily |
| iam-new-user-initial-password-expire | Deletes console access and access keys for IAM users that have not changed their initial temporary password within 24 hours | Hourly |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| sender | (required) Email address of the sender for AWS SES | string | n/a | yes |
| schedule | (optional) The frequency at which the custodian policy is run to check for compliance | string | rate(1 day) | no |
| appenv | (optional) The environment in which the script is running (development \| test \| production) | string | | no |
| recipient | (required) Email address of the AWS account holder | string | n/a | yes |
| mfa_false_template | (optional) SES template name for the MFA false notification | string | MFAFalse | no |
| key_expiration_template | (optional) SES template name for the Access Key expiration notification | string | KeyExpiration | no |
| password_expiration_template | (optional) SES template name for the Password expiration notification | string | PasswordExpiration | no |
| excluded_tag | (optional) Tag key identifying users that must not be disabled | string | tag:ServiceAccount | no |
| excluded_value | (optional) Tag value identifying users that must not be disabled | string | Excluded | no |
| temp_pass_template | (optional) SES template name for the Temp Password expired notification | string | TempPass | no |
| kms_key_id | (required) KMS key ID for SQS and Lambda encryption | string | n/a | yes |
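The policy table and the `excluded_tag` / `excluded_value` inputs describe decisions made over each IAM user's credential age. The following added example (not code from the grace-cloudcustodian project) reproduces that decision logic over an IAM credential report in the column layout AWS returns from `get-credential-report`, so the thresholds can be reasoned about and tested offline. The report rows, user tags and fixed clock are constructed sample data; treating an unchanged `password_last_changed` (still equal to `user_creation_time`) as an unused temporary password, and applying the exclusion tag only to the disable/delete policies, are assumptions made here rather than behaviour documented on this page.

```python
"""Evaluate IAM users against the GRACE Cloud Custodian policy thresholds.

Added example, not the project's own code.  The credential report header
matches the CSV that `aws iam get-credential-report` emits; the rows, the
tag mapping and the clock are constructed for the example.
"""
import csv
import io
from datetime import datetime, timezone

NOTIFY_AFTER_DAYS = 80   # iam-user-keys-expiration / iam-user-password-expiration
DISABLE_AFTER_DAYS = 90  # iam-user-keys-disable / iam-user-password-disable
GRACE_HOURS = 24         # iam-user-mfa-false / iam-new-user-initial-password-expire

EXCLUDED_TAG = "ServiceAccount"  # module input excluded_tag (tag:ServiceAccount)
EXCLUDED_VALUE = "Excluded"      # module input excluded_value

# Constructed credential report (three users, real AWS column names).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
alice,arn:aws:iam::123456789012:user/alice,2022-12-01T00:00:00+00:00,true,2023-03-20T00:00:00+00:00,2022-12-15T00:00:00+00:00,N/A,true,true,2022-12-25T00:00:00+00:00,2023-03-20T00:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2023-03-19T00:00:00+00:00,true,no_information,2023-03-19T00:00:00+00:00,N/A,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
svc-deploy,arn:aws:iam::123456789012:user/svc-deploy,2022-06-01T00:00:00+00:00,false,not_supported,not_supported,not_supported,false,true,2022-06-01T00:00:00+00:00,2023-03-21T00:00:00+00:00,us-east-1,lambda,false,N/A,N/A,N/A,N/A
"""

# Constructed IAM user tags (assumed; the module reads them from IAM).
SAMPLE_TAGS = {"svc-deploy": {EXCLUDED_TAG: EXCLUDED_VALUE}}

# Fixed clock so the example is deterministic.
NOW = datetime(2023, 3, 21, 12, 0, tzinfo=timezone.utc)


def _parse_ts(value):
    """Return a datetime for a report timestamp, or None for AWS placeholders."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def _age_days(value, now):
    ts = _parse_ts(value)
    return None if ts is None else (now - ts).days


def evaluate(report_csv, tags, now=NOW):
    """Return (user, policy, action) findings in report order."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # Assumption: the exclusion tag spares users from the disable/delete
        # policies only; expiration notifications are still raised.
        excluded = tags.get(user, {}).get(EXCLUDED_TAG) == EXCLUDED_VALUE
        hours_old = (now - _parse_ts(row["user_creation_time"])).total_seconds() / 3600

        # Access keys: notify past 80 days, delete past 90 days.
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            age = _age_days(row[f"access_key_{slot}_last_rotated"], now)
            if age is not None and age > NOTIFY_AFTER_DAYS:
                findings.append((user, "iam-user-keys-expiration", "notify"))
            if age is not None and age > DISABLE_AFTER_DAYS and not excluded:
                findings.append((user, "iam-user-keys-disable", f"delete access key {slot}"))

        # Console passwords: same thresholds, plus the two 24-hour policies.
        if row["password_enabled"] == "true":
            age = _age_days(row["password_last_changed"], now)
            if age is not None and age > NOTIFY_AFTER_DAYS:
                findings.append((user, "iam-user-password-expiration", "notify"))
            if age is not None and age > DISABLE_AFTER_DAYS and not excluded:
                findings.append((user, "iam-user-password-disable", "delete console access"))
            if row["mfa_active"] != "true" and hours_old > GRACE_HOURS:
                findings.append((user, "iam-user-mfa-false", "notify"))
            # Assumed signal for an unchanged initial password: the last-changed
            # timestamp still equals the creation timestamp after 24 hours.
            unchanged = row["password_last_changed"] == row["user_creation_time"]
            if unchanged and hours_old > GRACE_HOURS and not excluded:
                findings.append((user, "iam-new-user-initial-password-expire",
                                 "delete console access and access keys"))
    return findings


if __name__ == "__main__":
    for user, policy, action in evaluate(SAMPLE_REPORT, SAMPLE_TAGS):
        print(f"{user:12} {policy:40} {action}")
```

Running the block lists one notification for each threshold crossed and one destructive action per disable policy; `svc-deploy` is reported but keeps its key because it carries the exclusion tag. Replacing `SAMPLE_REPORT` with a real report and `SAMPLE_TAGS` with tags fetched from IAM turns it into a dry-run of what the scheduled policies would act on.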
- Dependencies
  - Terraform (minimum version v0.12.1; recommend v0.12.6 or greater)
  - provider.aws ~v2.24.0
  - provider.template ~v2.1.2
  - Python3 and pip3
  - zip
To use the Cloud Custodian Terraform module to deploy custom policies as Lambda functions, you must first download the Cloud Custodian binary release from GitHub.
To apply the custodian policies to the single AWS account in which the Lambda function is deployed, include the following in your root Terraform module:
```hcl
module "example_grace_cc" {
  source     = "github.com/GSA/grace-cloudcustodian?ref=v0.1.2"
  appenv     = "development"
  # sender and recipient must both be verified identities in AWS SES
  sender     = "validated-sender@your.org"
  recipient  = "validated-recipient@your.org"
  # KMS key used to encrypt the SQS queue and the Lambda function
  kms_key_id = "c6af3dc4-0247-4638-a85d-892b8e66c754"
}
```
The GRACE Cloud Custodian subcomponent provides various levels of coverage for several NIST Special Publication 800-53 (Rev. 4) Security Controls. These security controls are designated for FIPS 199 Moderate Impact Systems. Additional information regarding the implementation method utilized can be found within the GRACE Component Control Coverage Repository.
Subcomponent approval status: Pending Assessment
Relevant controls:
| Control Description | Control ID |
|---|---|
| Access Controls | AC-2, AC-2(1), AC-2(4) |
| Identification and Authentication Controls | IA-4, IA-5, IA-5(1) |
This project is in the worldwide public domain. As stated in CONTRIBUTING:
This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.
All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.