Merge pull request #2 from cloud/lifecyle-events
Add Event Bridge rules and SNS topics for account creation/move events
sjeanes authored Apr 22, 2020
2 parents 048c2a6 + 2c1d9f8 commit 9045903
Showing 2 changed files with 113 additions and 1 deletion.
101 changes: 101 additions & 0 deletions EventBridgeRulesAndSNSTopics.yml
@@ -0,0 +1,101 @@
AWSTemplateFormatVersion: 2010-09-09
Description: Use this template to define EventBridge rules, which capture events from
various services, such as CloudWatch and CloudTrail, for use by other services,
such as Lambda.

Resources:
NewAccountCreationRule:
Type: AWS::Events::Rule
Properties:
Description: "Captures CreateAccountResult event generated by Organizations"
EventPattern:
source:
- "aws.organizations"
detail-type:
- "AWS Service Event via CloudTrail"
detail:
eventSource:
- "organizations.amazonaws.com"
eventName:
- "CreateAccountResult"
Name: AccountCreationEvent
State: "ENABLED"
Targets:
- Id: "AccountCreationEventSNSTopic"
Arn: !Ref NewAccountSNSTopic

NewAccountSNSTopic:
Type: AWS::SNS::Topic
Properties:
DisplayName: "AccountCreationEvent"
TopicName: "AccountCreationEvent"

NewAccountSNSTopicPolicy:
Type: AWS::SNS::TopicPolicy
Properties:
PolicyDocument:
Id: MyTopicPolicy
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service: events.amazonaws.com
Action: sns:Publish
Resource: "*"
Topics:
- !Ref NewAccountSNSTopic

MoveAccountRule:
Type: AWS::Events::Rule
Properties:
Description: "Captures MoveAccount event generated by Organizations"
EventPattern:
source:
- "aws.organizations"
detail-type:
- "AWS API Call via CloudTrail"
detail:
eventSource:
- "organizations.amazonaws.com"
eventName:
- "MoveAccount"
Name: MoveAccountEvent
State: "ENABLED"
Targets:
- Id: "MoveAccountEventSNSTopic"
Arn: !Ref MoveAccountSNSTopic
InputPath: "$.detail"

MoveAccountSNSTopic:
Type: AWS::SNS::Topic
Properties:
DisplayName: "MoveAccountEvent"
TopicName: "MoveAccountEvent"

MoveAccountSNSTopicPolicy:
Type: AWS::SNS::TopicPolicy
Properties:
PolicyDocument:
Id: MyTopicPolicy
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service: events.amazonaws.com
Action: sns:Publish
Resource: "*"
Topics:
- !Ref MoveAccountSNSTopic

Outputs:
oAccountCreationEventSNSTopicArn:
Description: "AccountCreationEvent SNS Topic Arn"
Value: !Ref NewAccountSNSTopic
Export:
Name: oAccountCreationEventSNSTopicArn

oMoveAccountEventSNSTopicArn:
Description: "MoveAccountEvent SNS Topic Arn"
Value: !Ref MoveAccountSNSTopic
Export:
Name: oMoveAccountEventSNSTopicArn
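Review bot: both topic policies (NewAccountSNSTopicPolicy and MoveAccountSNSTopicPolicy) grant `sns:Publish` to the `events.amazonaws.com` service principal on `Resource: "*"` with no condition, so any EventBridge rule in any AWS account that lists the topic as a target can publish to it (the confused-deputy gap that applies to service principals). Scope each statement to its own topic and rule, for example `Resource: !Ref NewAccountSNSTopic` together with `Condition: { ArnEquals: { "aws:SourceArn": !GetAtt NewAccountCreationRule.Arn } }`, and the MoveAccount equivalent; the policy resources already depend on the topics, and adding the rule reference creates no cycle. Two smaller points: the MoveAccountRule target sets `InputPath: "$.detail"` while NewAccountCreationRule forwards the whole event, so a Lambda subscribed to both topics receives two different shapes; either apply InputPath to both or document the difference. Both policy documents also share `Id: MyTopicPolicy`; harmless, but distinct ids make them easier to tell apart in the console and in CloudTrail.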
13 changes: 12 additions & 1 deletion README.md
Expand Up @@ -16,4 +16,15 @@ to the Master account. This can be deployed via StackSets from the Master (assum
you have the necessary StackSet execution roles created on Master and client accounts).
This allows the GuardyDuty setup script to assume role into the client accounts through
the Master account in order to enable GuardDuty in the clients and accept the
invitation from the Master.
invitation from the Master.

## EventBridgeRulesAndSNSTopics.yml
This CFN template creates two Event rules and associated SNS topics. It is intended
for deployment in the Master Organization account. One rule captures
a 'CreateAccountResult' event from an Organization, which happens shortly after a
new account is created in the Org. It sends the Event JSON to SNS, where it can then be
accessed by a Lambda function for further action. In the Control Tower context, the
'MoveAccount' event is more useful, as it happens further along in the account
provisioning sequence, and the event it generates can be used to determine
OU-based provisioning items, such as applying different Config Rules depending on
which OU an account is moved into.
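Review bot: the new section should state the prerequisite that makes these rules fire. Both event patterns in the template match events delivered through CloudTrail (`AWS Service Event via CloudTrail` and `AWS API Call via CloudTrail`), so the deploying account needs a CloudTrail trail recording management events; without one the rules deploy cleanly but never trigger. It would also help to say that the MoveAccount topic receives only the event `detail` (the rule sets `InputPath: "$.detail"`) while the CreateAccountResult topic receives the full event envelope, so a Lambda consuming both has to handle both shapes. Minor wording: "two Event rules" reads better as "two EventBridge rules", and "from an Organization" as "from AWS Organizations".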
