Added Enable Snapshot Block Public Access

Author: jplock

dependencies/requirements.txt

@@ -1 +1 @@
-aws-lambda-powertools[tracer,validation,aws-sdk]==2.22.0
+aws-lambda-powertools[tracer,validation,aws-sdk]==2.26.1

requirements-dev.txt

@@ -1,11 +1,11 @@
-black==23.7.0
-wheel==0.41.1
-pre-commit==3.3.3
-mypy-boto3-ec2==1.28.19.post1
-mypy-boto3-ecs==1.28.20
-mypy-boto3-iam==1.28.16
-mypy-boto3-identitystore==1.28.16
-mypy-boto3-organizations==1.28.16
-mypy-boto3-sts==1.28.16
-mypy-boto3-servicecatalog==1.28.22
-mypy-boto3-sso-admin==1.28.16
+black==23.11.0
+wheel==0.41.3
+pre-commit==3.5.0
+mypy-boto3-ec2==1.29.0
+mypy-boto3-ecs==1.29.0
+mypy-boto3-iam==1.29.0
+mypy-boto3-identitystore==1.29.0
+mypy-boto3-organizations==1.29.0
+mypy-boto3-sts==1.29.0
+mypy-boto3-servicecatalog==1.29.0
+mypy-boto3-sso-admin==1.29.0

src/regional/account_setup/lambda_handler.py

@@ -37,16 +37,17 @@
 @tracer.capture_lambda_handler
 @logger.inject_lambda_context(log_event=True)
 def handler(event: Dict[str, Any], context: LambdaContext) -> None:
-    account_id = event["account_id"]
-    region_name = event["region"]
+    account_id = event["AccountId"]
+    region_name = event["Region"]
+    execution_role_arn = event["ExecutionRoleArn"]
 
     logger.append_keys(account_id=account_id, region=region_name)
     tracer.put_annotation("AccountId", account_id)
     tracer.put_annotation("Region", region_name)
 
     session = boto3.Session()
 
-    assumed_session = STS(session).assume_role(account_id)
+    assumed_session = STS(session).assume_role(execution_role_arn)
 
     ec2 = EC2(assumed_session, region_name)
     default_vpc_id = ec2.get_default_vpc_id()
@@ -56,6 +57,11 @@ def handler(event: Dict[str, Any], context: LambdaContext) -> None:
     else:
         logger.debug(f"No default VPC found in {region_name} in {account_id}")
 
+    # TODO 11/15: move this into the state machine once the aws-sdk integration has been updated
+    logger.info(f"Enabling snapshot block public access in {region_name} in {account_id}")
+    ec2.enable_snapshot_block_public_access()
+
     logger.info(f"Setting default ECS settings in {region_name} in {account_id}")
     ecs = ECS(assumed_session, region_name)
     ecs.put_account_setting_default()
+

src/regional/account_setup/resources/ec2.py

@@ -23,6 +23,7 @@
 
 from aws_lambda_powertools import Logger
 import boto3
+import botocore
 
 if TYPE_CHECKING:
     from mypy_boto3_ec2 import EC2Client, EC2ServiceResource
@@ -39,11 +40,20 @@ def __init__(self, session: boto3.Session, region: str) -> None:
         self.region_name = region
 
     def get_default_vpc_id(self) -> Optional[str]:
-        params = {"Filters": [{"Name": "isDefault", "Values": ["true"]}]}
+        params = {
+            "Filters": [
+                {
+                    "Name": "isDefault",
+                    "Values": [
+                        "true",
+                    ],
+                }
+            ]
+        }
 
         response = self.client.describe_vpcs(**params)
         for vpc in response.get("Vpcs", []):
-            if vpc["IsDefault"]:
+            if vpc.get("IsDefault", False):
                 return vpc["VpcId"]
 
         logger.debug(f"No default VPC found in {self.region_name}", region=self.region_name)
@@ -94,3 +104,9 @@ def delete_vpc(self, vpc_id: str) -> None:
         logger.info(
             f"VPC {vpc_id} and associated resources has been deleted in {self.region_name}.", region=self.region_name
         )
+
+    def enable_snapshot_block_public_access(self) -> None:
+        try:
+            self.client.enable_snapshot_block_public_access(State="block-all-sharing")
+        except botocore.exceptions.ClientError:
+            logger.exception(f"Unable to enable snapshot block public access in {self.region}")

src/regional/account_setup/resources/sts.py

@@ -19,7 +19,6 @@
 * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 """
 
-import os
 from typing import TYPE_CHECKING
 
 from aws_lambda_powertools import Logger
@@ -29,8 +28,6 @@
     from mypy_boto3_sts import STSClient
 
 logger = Logger(child=True)
-EXECUTION_ROLE_NAME = os.environ["EXECUTION_ROLE_NAME"]
-AWS_PARTITION = os.environ["AWS_PARTITION"]
 
 __all__ = ["STS"]
 
@@ -39,14 +36,12 @@ class STS:
     def __init__(self, session: boto3.Session) -> None:
         self.client: STSClient = session.client("sts")
 
-    def assume_role(self, account_id: str, role_session_name: str = "AccountSetup") -> boto3.Session:
+    def assume_role(self, role_arn: str, role_session_name: str = "AccountSetup") -> boto3.Session:
         """
         Assume the AWSControlTowerExecution role in an account
         """
 
-        role_arn = f"arn:{AWS_PARTITION}:iam::{account_id}:role/{EXECUTION_ROLE_NAME}"
-
-        logger.info(f"Assuming role {EXECUTION_ROLE_NAME} in {account_id}")
+        logger.info(f"Assuming role {role_arn}")
         response = self.client.assume_role(
             RoleArn=role_arn,
             RoleSessionName=role_session_name,

src/regional/account_setup/schemas.py

@@ -23,12 +23,15 @@
     "$schema": "http://json-schema.org/draft-07/schema",
     "type": "object",
     "properties": {
-        "account_id": {
+        "AccountId": {
             "type": "string",
         },
-        "region": {
+        "Region": {
+            "type": "string",
+        },
+        "ExecutionRoleArn": {
             "type": "string",
         },
     },
-    "required": ["account_id", "region"],
+    "required": ["AccountId", "Region", "ExecutionRoleArn"],
 }

src/service_catalog_portfolio/account_setup/lambda_handler.py

@@ -20,12 +20,14 @@
 """
 
 import os
-from typing import Dict, Any, List, Optional
+from typing import Dict, Any, List
 
 from aws_lambda_powertools import Logger, Tracer
 from aws_lambda_powertools.utilities.typing import LambdaContext
+from aws_lambda_powertools.utilities.validation import validator
 
-from .resources import IAM, ServiceCatalog, STS
+from account_setup.resources import IAM, ServiceCatalog, STS
+from account_setup.schemas import INPUT
 
 tracer = Tracer()
 logger = Logger()
@@ -35,22 +37,19 @@ def get_env_list(key: str) -> List[str]:
     """
     Return an optional environment variable as a list
     """
-    value = os.environ.get(key, "").split(",")
+    value = os.getenv(key, "").split(",")
     return list(filter(None, value))
 
 
 PORTFOLIO_IDS = get_env_list("PORTFOLIO_IDS")
 PERMISSION_SET_NAMES = get_env_list("PERMISSION_SET_NAMES")
 
 
+@validator(inbound_schema=INPUT)
 @tracer.capture_lambda_handler
 @logger.inject_lambda_context(log_event=True)
 def handler(event: Dict[str, Any], context: LambdaContext) -> None:
-    account_id: Optional[str] = event.get("account", {}).get("accountId")
-    if not account_id:
-        raise Exception("Account ID not found in event")
-
-    session = STS().assume_role(account_id, "service_catalog_portfolio")
+    session = STS().assume_role(event["ExecutionRoleArn"], "service_catalog_portfolio")
 
     iam = IAM(session)
 

src/service_catalog_portfolio/account_setup/resources/iam.py

@@ -51,7 +51,7 @@ def get_sso_roles(self) -> Dict[str, str]:
         page_iterator = paginator.paginate(PaginationConfig={"PageSize": 1000})
         for page in page_iterator:
             for role in page.get("Roles", []):
-                if role["RoleName"].startswith(AWS_SSO_ROLE_PREFIX):
+                if role.get("RoleName", "").startswith(AWS_SSO_ROLE_PREFIX):
                     # AWSReservedSSO_AWSAdministratorAccess_a1ff75f56dfb0e2f -> AWSAdministratorAccess
                     permission_set_name = role["RoleName"].rsplit("_", 1)[0].replace(AWS_SSO_ROLE_PREFIX, "")
                     roles[permission_set_name] = role["Arn"]

src/service_catalog_portfolio/account_setup/resources/sts.py

@@ -19,16 +19,15 @@
 * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 """
 
-import os
 from typing import TYPE_CHECKING, Optional
 
+from aws_lambda_powertools import Logger
 import boto3
 
 if TYPE_CHECKING:
     from mypy_boto3_sts import STSClient
 
-EXECUTION_ROLE_NAME = os.environ["EXECUTION_ROLE_NAME"]
-AWS_PARTITION = os.environ["AWS_PARTITION"]
+logger = Logger(child=True)
 
 __all__ = ["STS"]
 
@@ -39,12 +38,11 @@ def __init__(self, session: Optional[boto3.Session] = None) -> None:
             session = boto3._get_default_session()
         self.client: STSClient = session.client("sts")
 
-    def assume_role(self, account_id: str, role_session_name: str) -> boto3.Session:
+    def assume_role(self, role_arn: str, role_session_name: str) -> boto3.Session:
         """
         Assume a role and return a new boto3 session
         """
-        role_arn = f"arn:{AWS_PARTITION}:iam::{account_id}:role/{EXECUTION_ROLE_NAME}"
-
+        logger.info(f"Assuming role {role_arn}")
         response = self.client.assume_role(
             RoleArn=role_arn,
             RoleSessionName=role_session_name,

src/service_catalog_portfolio/account_setup/schemas.py

@@ -0,0 +1,31 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+"""
+* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+* SPDX-License-Identifier: MIT-0
+*
+* Permission is hereby granted, free of charge, to any person obtaining a copy of this
+* software and associated documentation files (the "Software"), to deal in the Software
+* without restriction, including without limitation the rights to use, copy, modify,
+* merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
+* permit persons to whom the Software is furnished to do so.
+*
+* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
+* INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
+* PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+* HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+* OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+* SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+"""
+
+INPUT = {
+    "$schema": "http://json-schema.org/draft-07/schema",
+    "type": "object",
+    "properties": {
+        "ExecutionRoleArn": {
+            "type": "string",
+        },
+    },
+    "required": ["ExecutionRoleArn"],
+}

src/sso_assignment/account_setup/lambda_handler.py

@@ -95,7 +95,7 @@ def handler(event: Dict[str, Any], context: LambdaContext) -> None:
 
     # Below handles organizational groups
 
-    account_id: Optional[str] = event.get("account", {}).get("accountId")
+    account_id: Optional[str] = event.get("AccountId")
     if not account_id:
         raise Exception("Account ID not found in event")
 

template.yml

@@ -38,9 +38,7 @@ Globals:
     Environment:
       Variables:
         POWERTOOLS_METRICS_NAMESPACE: AccountSetup
-        EXECUTION_ROLE_NAME: !Ref ExecutionRoleName
         LOG_LEVEL: INFO
-        AWS_PARTITION: !Ref "AWS::Partition"
     Handler: lambda_handler.handler
     Layers:
       - !Ref DependencyLayer
@@ -348,13 +346,20 @@ Resources:
     Type: "AWS::Serverless::StateMachine"
     Properties:
       Definition:
-        StartAt: UpdatePasswordPolicy
+        StartAt: BuildParameters
         States:
+          BuildParameters:
+            Type: Pass
+            InputPath: "$.account"
+            Parameters:
+              "AccountId.$": "$.accountId"
+              "ExecutionRoleArn.$": "States.Format('arn:aws:iam::{}:role/${ExecutionRoleName}', $.accountId)"
+            Next: UpdatePasswordPolicy
           UpdatePasswordPolicy:
             Type: Task
             Resource: "arn:aws:states:::aws-sdk:iam:updateAccountPasswordPolicy"
             Credentials:
-              "RoleArn.$": "States.Format('arn:aws:iam::{}:role/${ExecutionRoleName}', $.account.accountId)"
+              "RoleArn.$": "$.ExecutionRoleArn"
             Parameters:
               MinimumPasswordLength: 14  # https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.9
               RequireSymbols: true  # https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.7
@@ -371,14 +376,14 @@ Resources:
             Type: Task
             Resource: "arn:aws:states:::aws-sdk:s3control:putPublicAccessBlock"
             Credentials:
-              "RoleArn.$": "States.Format('arn:aws:iam::{}:role/${ExecutionRoleName}', $.account.accountId)"
+              "RoleArn.$": "$.ExecutionRoleArn"
             Parameters:
               PublicAccessBlockConfiguration:
                 BlockPublicAcls: true
                 IgnorePublicAcls: true
                 BlockPublicPolicy: true
                 RestrictPublicBuckets: true
-              "AccountId.$": $.account.accountId
+              "AccountId.$": "$.AccountId"
             ResultPath: null # discard result and keep original input
             Next: Route53PolicyDocument
           Route53PolicyDocument:
@@ -413,10 +418,10 @@ Resources:
             Type: Task
             Resource: "arn:aws:states:::aws-sdk:cloudwatchlogs:putResourcePolicy"
             Credentials:
-              "RoleArn.$": "States.Format('arn:aws:iam::{}:role/${ExecutionRoleName}', $.account.accountId)"
+              "RoleArn.$": "$.ExecutionRoleArn"
             Parameters:
               PolicyName: AWSServiceRoleForRoute53
-              "PolicyDocument.$": States.Format($.Policy.PolicyDocument, $.account.accountId, $.account.accountId)
+              "PolicyDocument.$": States.Format($.Policy.PolicyDocument, $.AccountId, $.AccountId)
             ResultPath: null # discard result and keep original input
             Next: DescribeRegions
           DescribeRegions:
@@ -436,35 +441,39 @@ Resources:
             Type: Map
             ItemsPath: "$.Regions.RegionNames"
             MaxConcurrency: 0
-            Parameters:
-              "account_id.$": "$.account.accountId"
-              "region.$": "$$.Map.Item.Value"
-            Iterator:
+            ItemSelector:
+              "AccountId.$": "$.AccountId"
+              "Region.$": "$$.Map.Item.Value"
+              "ExecutionRoleArn.$": "$.ExecutionRoleArn"
+            ItemProcessor:
               StartAt: EbsEncryptionByDefault
               States:
                 EbsEncryptionByDefault:
                   Type: Task
                   Resource: "arn:aws:states:::aws-sdk:ec2:enableEbsEncryptionByDefault"
                   Credentials:
-                    "RoleArn.$": "States.Format('arn:aws:iam::{}:role/${ExecutionRoleName}', $.account_id)"
+                    "RoleArn.$": "$.ExecutionRoleArn"
                   Parameters: {}
                   ResultPath: null # discard result and keep original input
                   Next: DisableSsmPublicSharing
                 DisableSsmPublicSharing:
                   Type: Task
                   Resource: "arn:aws:states:::aws-sdk:ssm:updateServiceSetting"
                   Credentials:
-                    "RoleArn.$": "States.Format('arn:aws:iam::{}:role/${ExecutionRoleName}', $.account_id)"
+                    "RoleArn.$": "$.ExecutionRoleArn"
                   Parameters:
-                    "SettingId.$": "States.Format('arn:aws:ssm:{}:{}:servicesetting/ssm/documents/console/public-sharing-permission', $.region, $.account_id)"
+                    "SettingId.$": "States.Format('arn:aws:ssm:{}:{}:servicesetting/ssm/documents/console/public-sharing-permission', $.Region, $.AccountId)"
                     SettingValue: Disable
                   Catch:
                     - ErrorEquals:
                         - States.ALL
                       ResultPath: null # discard result and keep original input
-                      Next: Regional
+                      Next: IgnoreError
                   ResultPath: null # discard result and keep original input
                   Next: Regional
+                IgnoreError:
+                  Type: Pass
+                  Next: Regional
                 Regional:
                   Type: Task
                   Resource: !GetAtt RegionalFunction.Arn