Adding password policy solution

Author: andywick-aws

README.md

@@ -28,6 +28,7 @@ platform (e.g. AWS Control Tower and AWS CloudFormation StackSets).
     * [Organization GuardDuty](solutions/guardduty/guardduty-org)
 * IAM
     * [Access Analyzer](solutions/iam/access-analyzer)
+    * [Account Password Policy](solutions/iam/password-policy-acct)
 * Macie
     * [Organization Macie](solutions/macie/macie-org)
 * SecurityHub

extras/aws-control-tower/prerequisites/prereq-lambda-s3-bucket.yaml

@@ -30,6 +30,8 @@ Parameters:
 Resources:
   rLambdaS3Bucket:
     Type: AWS::S3::Bucket
+    DeletionPolicy: Retain
+    UpdateReplacePolicy: Retain
     Metadata:
       cfn_nag:
         rules_to_suppress:
@@ -54,6 +56,8 @@ Resources:
 
   rLambdaS3BucketPolicy:
     Type: AWS::S3::BucketPolicy
+    DeletionPolicy: Retain
+    UpdateReplacePolicy: Retain
     Metadata:
       cfn_nag:
         rules_to_suppress:
@@ -69,7 +73,7 @@ Resources:
               StringEquals:
                 aws:PrincipalOrgID: !Ref pOrganizationId
               ArnLike:
-                aws:PrincipalArn: !Sub arn:${AWS::Partition}:iam::*:${pDeploymentRoleName}
+                aws:PrincipalArn: !Sub arn:${AWS::Partition}:iam::*:role/${pDeploymentRoleName}
             Effect: Allow
             Principal: "*"
             Resource: !Sub arn:${AWS::Partition}:s3:::${rLambdaS3Bucket}/*

extras/lambda-s3-buckets.yaml

@@ -57,6 +57,7 @@ Resources:
   rLambdaS3Bucket:
     Type: AWS::S3::Bucket
     DeletionPolicy: Retain
+    UpdateReplacePolicy: Retain
     Metadata:
       cfn_nag:
         rules_to_suppress:
@@ -82,6 +83,7 @@ Resources:
   rLambdaS3BucketPolicy:
     Type: AWS::S3::BucketPolicy
     DeletionPolicy: Retain
+    UpdateReplacePolicy: Retain
     Metadata:
       cfn_nag:
         rules_to_suppress:
@@ -97,7 +99,7 @@ Resources:
               StringEquals:
                 aws:PrincipalOrgID: !Ref pOrganizationId
               ArnLike:
-                aws:PrincipalArn: !Sub arn:${AWS::Partition}:iam::*:${pDeploymentRoleName}
+                aws:PrincipalArn: !Sub arn:${AWS::Partition}:iam::*:role/${pDeploymentRoleName}
             Effect: Allow
             Principal: "*"
             Resource: !Sub arn:${AWS::Partition}:s3:::${rLambdaS3Bucket}/*

solutions/iam/password-policy-acct/README.md

@@ -0,0 +1,125 @@
+Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: CC-BY-SA-4.0
+
+# IAM Password Policy 
+
+The IAM Password Policy solution updates the AWS account password policy within all accounts in an AWS Organization. 
+
+----
+
+# Table of Contents
+* [Deployed Resource Details](#deployed-resource-details)
+* [Implementation Instructions](#implementation-instructions)
+* [References](#references)
+
+----
+
+# Deployed Resource Details
+
+![Architecture](./documentation/Password-Policy-Architecture.png "Architecture")
+
+## 1.0 Organization Management Account
+
+### 1.1 AWS CloudFormation
+
+**Description:**
+
+All resources deployed via CloudFormation StackSet and Stacks within member accounts
+
+**Configuration:**
+
+* StackSet Names:
+    * StackSet-...-PasswordPolicy-...
+
+### 1.2 AWS Lambda Function
+
+**Description:**
+
+The custom CloudFormation Lambda resource is required to update the existing IAM account password policy.
+
+**Configuration:**
+
+* Lambda Function Name - [Prefix]-password-policy-acct
+* Lambda S3 Bucket Name - Management account S3 bucket with the Lambda zip file
+* Lambda Zip File Name - Default = password-policy-acct.zip
+* Log Level - Default = debug, Valid Values = debug, info, warning, error, critical
+* Allow Users To Change Password - Default = true 
+* Hard Expiry - Default = false 
+* Max Password Age - Default = 90 
+* Minimum Password Length - Default = 14
+* Password Reuse Prevention - Default = 24
+* Require Lowercase Characters - Default = true
+* Require Numbers - Default = true
+* Require Symbols - Default = true
+* Require Uppercase Characters - Default = true
+    
+
+### 1.3 Amazon CloudWatch Log Group
+
+**Description:**
+
+Contains the Lambda function execution logs
+
+**Configuration:**
+
+* Log group name = /aws/lambda/[Lambda Function Name]
+* Retention = Never expire
+
+
+### 1.4 Lambda Execution IAM Role
+
+**Description:**
+
+Used by the custom CloudFormation Lambda function to update the account password policy
+
+**Configuration:**
+
+* Execution role name = [Prefix]-password-policy-lambda
+* Permissions:
+   * CloudWatch Logs - Limited: Write on LogGroupName like /aws/lambda/[Lambda Function Name]
+   * IAM - Limited: Write All resources
+
+
+### 1.5 IAM Password Policy
+
+**Description:**
+
+AWS account password policy for IAM users
+
+**Configuration:**
+
+* [Custom password policy options](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html#password-policy-details)
+
+----
+
+## 2.0 All Organization Member Accounts
+
+Same configuration details as 1.0 Organization Management Account
+
+----
+
+# Implementation Instructions
+
+### [AWS Control Tower](./aws-control-tower)
+### CloudFormation StackSets
+
+#### Solution Deployment Order
+1. All Accounts (PasswordPolicy)
+
+#### Instructions
+
+1. Create new or use an existing S3 bucket within the region owned by the Organization Management Account
+   * Example bucket name: lambda-zips-[Management Account ID]-us-east-1
+   * [Example CloudFormation Template](../../../extras/lambda-s3-buckets.yaml)
+2. Package the Lambda code into a zip file and upload it to the S3 bucket
+   * Package and Upload the Lambda zip file to S3 (Packaging script: /extras/packaging-scripts/package-lambda.sh)
+3. Create CloudFormation StackSets using the following templates
+   
+   |     Account     |   StackSet Name   |  Template  |
+   | --------------- | ----------------- | ---------- |
+   | All Accounts | PasswordPolicy | templates/password-policy-acct.yaml |
+   
+----
+
+# References
+* [Setting an account password policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html)
+* [CIS AWS Foundations Benchmark controls](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html)

solutions/iam/password-policy-acct/aws-control-tower/README.md

@@ -0,0 +1,44 @@
+Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: CC-BY-SA-4.0
+
+----
+   
+# Implementation Instructions
+
+1. Make sure the required [prerequisites](../../../../extras/aws-control-tower/prerequisites/README.md) are completed
+2. Package and upload the password-policy-acct Lambda function
+   ```shell
+    export AWS_ACCESS_KEY_ID=INSERT_AWS_ACCESS_KEY_ID
+    export AWS_SECRET_ACCESS_KEY=INSERT_AWS_SECRET_ACCESS_KEY
+    export AWS_SESSION_TOKEN=INSERT_AWS_SESSION_TOKEN
+   
+    export BUCKET=lambda-zips-CHANGE_ME_ACCOUNT_ID-CHANGE_ME_REGION
+    sh ~/aws-security-reference-architecture-examples/extras/packaging-scripts/package-lambda.sh \
+    --file_name password-policy-acct.zip \
+    --bucket $BUCKET \
+    --src_dir ~/aws-security-reference-architecture-examples/solutions/iam/password-policy-acct/code/src
+   ```
+3. Copy the files to the Customizations for AWS Control Tower configuration 
+   1. customizations-for-control-tower-configuration
+       1. [manifest.yaml](manifest.yaml) -> manifest.yaml
+       2. [parameters/password-policy-acct.json](parameters/password-policy-acct.json) 
+           -> parameters/password-policy-acct.json
+       3. [templates/password-policy-acct.yaml](../templates/password-policy-acct.yaml) 
+           -> templates/password-policy-acct.yaml
+        
+4. Update the parameter files with any specific values for your environment
+5. Update the manifest.yaml file with your account names and SSM parameters
+6. Deploy the Customizations for AWS Control Tower configuration
+7. How to verify after the pipeline completes?
+   1. Log into any account within the AWS Organization
+      1. Navigate to the IAM -> Account settings page
+      2. Verify the custom password policy settings
+      
+# Delete Instructions
+
+1. Within the Customizations for AWS Control Tower configuration
+   1. Remove the Password Policy configuration from the manifest.yaml file
+   2. (Optional) Delete the parameter and template files for the Password Policy solution
+2. Deploy the Customizations for AWS Control Tower configuration
+3. After the pipeline completes, log into the Management account and navigate to the CloudFormation StackSet page
+   1. Delete the Stack Instances from the CustomControlTower-PasswordPolicy CloudFormation StackSet
+   2. After the Stack Instance deletes, delete the CustomControlTower-PasswordPolicy CloudFormation StackSet

solutions/iam/password-policy-acct/aws-control-tower/manifest-v2.yaml

@@ -0,0 +1,47 @@
+---
+#Default region for deploying Custom Control Tower: Code Pipeline, Step functions, Lambda, SSM parameters, and StackSets
+region: us-east-1
+version: 2021-03-15
+
+# Control Tower Custom Resources (Service Control Policies or CloudFormation)
+resources:
+  # -----------------------------------------------------------------------------
+  # IAM Password Policy
+  # -----------------------------------------------------------------------------
+  - name: PasswordPolicy
+    resource_file: templates/password-policy-acct.yaml
+    parameters:
+      - parameter_key: pAllowUsersToChangePassword
+        parameter_value: "true"
+      - parameter_key: pHardExpiry
+        parameter_value: "false"
+      - parameter_key: pMaxPasswordAge
+        parameter_value: "90"
+      - parameter_key: pMinimumPasswordLength
+        parameter_value: "14"
+      - parameter_key: pPasswordReusePrevention
+        parameter_value: "24"
+      - parameter_key: pRequireLowercaseCharacters
+        parameter_value: "true"
+      - parameter_key: pRequireNumbers
+        parameter_value: "true"
+      - parameter_key: pRequireSymbols
+        parameter_value: "true"
+      - parameter_key: pRequireUppercaseCharacters
+        parameter_value: "true"
+      - parameter_key: pLambdaExecutionRoleName
+        parameter_value: "cfct-password-policy-acct-lambda"
+      - parameter_key: pLambdaFunctionName
+        parameter_value: "cfct-password-policy-acct"
+      - parameter_key: pLambdaS3BucketName
+        parameter_value: $[alfred_ssm_/org/primary/lambda_zips_bucket/us-east-1]
+      - parameter_key: pLambdaZipFileName
+        parameter_value: "password-policy-acct.zip"
+      - parameter_key: pLogLevel
+        parameter_value: "debug"
+    deploy_method: stack_set
+    deployment_targets:
+      organizational_units:
+        - Core
+        - management
+        - workloads

solutions/iam/password-policy-acct/aws-control-tower/manifest.yaml

@@ -0,0 +1,21 @@
+---
+#Default region for deploying Custom Control Tower: Code Pipeline, Step functions, Lambda, SSM parameters, and StackSets
+region: us-east-1
+version: 2020-01-01
+
+# Control Tower Custom Service Control Policies
+organization_policies: []
+
+# Control Tower Custom CloudFormation Resources
+cloudformation_resources:
+  # -----------------------------------------------------------------------------
+  # IAM Password Policy
+  # -----------------------------------------------------------------------------
+  - name: PasswordPolicy
+    template_file: templates/password-policy-acct.yaml
+    parameter_file: parameters/password-policy-acct.json
+    deploy_method: stack_set
+    deploy_to_ou:
+      - Core
+      - management
+      - workloads

solutions/iam/password-policy-acct/aws-control-tower/parameters/password-policy-acct.json

@@ -0,0 +1,58 @@
+[
+    {
+        "ParameterKey": "pAllowUsersToChangePassword",
+        "ParameterValue": "true"
+    },
+    {
+        "ParameterKey": "pHardExpiry",
+        "ParameterValue": "false"
+    },
+    {
+        "ParameterKey": "pMaxPasswordAge",
+        "ParameterValue": "90"
+    },
+    {
+        "ParameterKey": "pMinimumPasswordLength",
+        "ParameterValue": "14"
+    },
+    {
+        "ParameterKey": "pPasswordReusePrevention",
+        "ParameterValue": "24"
+    },
+    {
+        "ParameterKey": "pRequireLowercaseCharacters",
+        "ParameterValue": "true"
+    },
+    {
+        "ParameterKey": "pRequireNumbers",
+        "ParameterValue": "true"
+    },
+    {
+        "ParameterKey": "pRequireSymbols",
+        "ParameterValue": "true"
+    },
+    {
+        "ParameterKey": "pRequireUppercaseCharacters",
+        "ParameterValue": "true"
+    },
+    {
+        "ParameterKey": "pLambdaExecutionRoleName",
+        "ParameterValue": "cfct-password-policy-acct-lambda"
+    },
+    {
+        "ParameterKey": "pLambdaFunctionName",
+        "ParameterValue": "cfct-password-policy-acct"
+    },
+    {
+        "ParameterKey": "pLambdaS3BucketName",
+        "ParameterValue": "$[alfred_ssm_/org/primary/lambda_zips_bucket/us-east-1]"
+    },
+    {
+        "ParameterKey": "pLambdaZipFileName",
+        "ParameterValue": "password-policy-acct.zip"
+    },
+    {
+        "ParameterKey": "pLogLevel",
+        "ParameterValue": "debug"
+    }
+]