diff --git a/EventBridgeRulesAndSNSTopics.yml b/EventBridgeRulesAndSNSTopics.yml
new file mode 100644
index 0000000..d15513c
--- /dev/null
+++ b/EventBridgeRulesAndSNSTopics.yml
@@ -0,0 +1,101 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: Use this template to define EventBridge rules, which capture events from
+ various services, such as CloudWatch and CloudTrail, for use by other services,
+ such as Lambda.
+
+Resources:
+ NewAccountCreationRule:
+ Type: AWS::Events::Rule
+ Properties:
+ Description: "Captures CreateAccountResult event generated by Organizations"
+ EventPattern:
+ source:
+ - "aws.organizations"
+ detail-type:
+ - "AWS Service Event via CloudTrail"
+ detail:
+ eventSource:
+ - "organizations.amazonaws.com"
+ eventName:
+ - "CreateAccountResult"
+ Name: AccountCreationEvent
+ State: "ENABLED"
+ Targets:
+ - Id: "AccountCreationEventSNSTopic"
+ Arn: !Ref NewAccountSNSTopic
+
+ NewAccountSNSTopic:
+ Type: AWS::SNS::Topic
+ Properties:
+ DisplayName: "AccountCreationEvent"
+ TopicName: "AccountCreationEvent"
+
+ NewAccountSNSTopicPolicy:
+ Type: AWS::SNS::TopicPolicy
+ Properties:
+ PolicyDocument:
+ Id: MyTopicPolicy
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Principal:
+ Service: events.amazonaws.com
+ Action: sns:Publish
+ Resource: "*"
+ Topics:
+ - !Ref NewAccountSNSTopic
+
+ MoveAccountRule:
+ Type: AWS::Events::Rule
+ Properties:
+ Description: "Captures MoveAccount event generated by Organizations"
+ EventPattern:
+ source:
+ - "aws.organizations"
+ detail-type:
+ - "AWS API Call via CloudTrail"
+ detail:
+ eventSource:
+ - "organizations.amazonaws.com"
+ eventName:
+ - "MoveAccount"
+ Name: MoveAccountEvent
+ State: "ENABLED"
+ Targets:
+ - Id: "MoveAccountEventSNSTopic"
+ Arn: !Ref MoveAccountSNSTopic
+ InputPath: "$.detail"
+
+ MoveAccountSNSTopic:
+ Type: AWS::SNS::Topic
+ Properties:
+ DisplayName: "MoveAccountEvent"
+ TopicName: "MoveAccountEvent"
+
+ MoveAccountSNSTopicPolicy:
+ Type: AWS::SNS::TopicPolicy
+ Properties:
+ PolicyDocument:
+ Id: MyTopicPolicy
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Principal:
+ Service: events.amazonaws.com
+ Action: sns:Publish
+ Resource: "*"
+ Topics:
+ - !Ref MoveAccountSNSTopic
+
+Outputs:
+ oAccountCreationEventSNSTopicArn:
+ Description: "AccountCreationEvent SNS Topic Arn"
+ Value: !Ref NewAccountSNSTopic
+ Export:
+ Name: oAccountCreationEventSNSTopicArn
+
+ oMoveAccountEventSNSTopicArn:
+ Description: "MoveAccountEvent SNS Topic Arn"
+ Value: !Ref MoveAccountSNSTopic
+ Export:
+ Name: oMoveAccountEventSNSTopicArn
diff --git a/README.md b/README.md
index 7c09bd7..c838dc8 100644
--- a/README.md
+++ b/README.md
@@ -16,4 +16,15 @@ to the Master account. This can be deployed via StackSets from the Master (assum
 you have the necessary StackSet execution roles created on Master and client accounts). This allows the GuardyDuty setup script to assume role into the client accounts through the Master account in order to enable GuardDuty in the clients and accept the
-invitation from the Master.
\ No newline at end of file
+invitation from the Master.
+
+## EventBridgeRulesAndSNSTopics.yml
+This CFN template creates two Event rules and associated SNS topics. It is intended
+for deployment in the Master Organization account. One rule captures
+a 'CreateAccountResult' event from an Organization, which happens shortly after a
+new account is created in the Org. It sends the Event JSON to SNS, where it can then be
+accessed by a Lambda function for further action. In the Control Tower context, the
+'MoveAccount' event is more useful, as it happens further along in the account
+provisioning sequence, and the event it generates can be used to determine
+OU-based provisioning items, such as applying different Config Rules depending on
+which OU an account is moved into.
\ No newline at end of file
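Review bot: The two topic policies (NewAccountSNSTopicPolicy and MoveAccountSNSTopicPolicy) let the `events.amazonaws.com` service principal `sns:Publish` with `Resource: "*"` and no condition, so any EventBridge rule that targets these topics — including rules in other accounts — is permitted to publish to them, not just the two rules defined here. Scoping `Resource` to the topic and adding an `aws:SourceArn` (or at least `aws:SourceAccount`) condition limits publishing to the rule that is meant to feed each topic; the same change applies to MoveAccountSNSTopicPolicy with `MoveAccountRule`. Separately, only MoveAccountRule sets `InputPath: "$.detail"`, so subscribers of the two topics receive differently shaped messages; if that asymmetry is intentional it deserves a comment on the rule, e.g. `# MoveAccount subscribers receive only the CloudTrail detail object; CreateAccountResult subscribers receive the full event envelope`.
```yaml
            # … unchanged: Effect, Principal …
            Action: sns:Publish
            Resource: !Ref NewAccountSNSTopic
            Condition:
              ArnEquals:
                aws:SourceArn: !GetAtt NewAccountCreationRule.Arn
```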