Add Event Bridge rules and SNS topics for account creation/move events

EventBridgeRulesAndSNSTopics.yml

@@ -0,0 +1,101 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: Use this template to define EventBridge rules, which capture events from
+  various services, such as CloudWatch and CloudTrail, for use by other services,
+  such as Lambda.
+
+Resources: 
+  NewAccountCreationRule:
+    Type: AWS::Events::Rule
+    Properties: 
+      Description: "Captures CreateAccountResult event generated by Organizations"
+      EventPattern:
+        source:
+          - "aws.organizations"
+        detail-type:
+          - "AWS Service Event via CloudTrail"
+        detail:
+          eventSource:
+            - "organizations.amazonaws.com"
+          eventName:
+            - "CreateAccountResult"
+      Name: AccountCreationEvent
+      State: "ENABLED"
+      Targets:
+        - Id: "AccountCreationEventSNSTopic"
+          Arn: !Ref NewAccountSNSTopic
+
+  NewAccountSNSTopic:
+    Type: AWS::SNS::Topic
+    Properties:
+      DisplayName: "AccountCreationEvent"
+      TopicName: "AccountCreationEvent"
+
+  NewAccountSNSTopicPolicy:
+    Type: AWS::SNS::TopicPolicy
+    Properties:
+      PolicyDocument:
+        Id: MyTopicPolicy
+        Version: '2012-10-17'
+        Statement:
+        - Effect: Allow
+          Principal:
+            Service: events.amazonaws.com
+          Action: sns:Publish
+          Resource: "*"
+      Topics:
+      - !Ref NewAccountSNSTopic
+
+  MoveAccountRule:
+    Type: AWS::Events::Rule
+    Properties: 
+      Description: "Captures MoveAccount event generated by Organizations"
+      EventPattern:
+        source:
+          - "aws.organizations"
+        detail-type:
+          - "AWS API Call via CloudTrail"
+        detail:
+          eventSource:
+            - "organizations.amazonaws.com"
+          eventName:
+            - "MoveAccount"
+      Name: MoveAccountEvent
+      State: "ENABLED"
+      Targets:
+        - Id: "MoveAccountEventSNSTopic"
+          Arn: !Ref MoveAccountSNSTopic
+          InputPath: "$.detail"
+
+  MoveAccountSNSTopic:
+    Type: AWS::SNS::Topic
+    Properties:
+      DisplayName: "MoveAccountEvent"
+      TopicName: "MoveAccountEvent"
+
+  MoveAccountSNSTopicPolicy:
+    Type: AWS::SNS::TopicPolicy
+    Properties:
+      PolicyDocument:
+        Id: MyTopicPolicy
+        Version: '2012-10-17'
+        Statement:
+        - Effect: Allow
+          Principal:
+            Service: events.amazonaws.com
+          Action: sns:Publish
+          Resource: "*"
+      Topics:
+      - !Ref MoveAccountSNSTopic
+
+Outputs:
+  oAccountCreationEventSNSTopicArn:
+    Description: "AccountCreationEvent SNS Topic Arn"
+    Value: !Ref NewAccountSNSTopic
+    Export: 
+      Name: oAccountCreationEventSNSTopicArn
+
+  oMoveAccountEventSNSTopicArn:
+    Description: "MoveAccountEvent SNS Topic Arn"
+    Value: !Ref MoveAccountSNSTopic
+    Export: 
+      Name: oMoveAccountEventSNSTopicArn

README.md

@@ -16,4 +16,15 @@ to the Master account. This can be deployed via StackSets from the Master (assum
 you have the necessary StackSet execution roles created on Master and client accounts).
 This allows the GuardyDuty setup script to assume role into the client accounts through
 the Master account in order to enable GuardDuty in the clients and accept the 
-invitation from the Master.
+invitation from the Master.
+
+## EventBridgeRulesAndSNSTopics.yml
+This CFN template creates two Event rules and associated SNS topics. It is intended
+for deployment in the Master Organization account. One rule captures
+a 'CreateAccountResult' event from an Organization, which happens shortly after a 
+new account is created in the Org. It sends the Event JSON to SNS, where it can then be 
+accessed by a Lambda function for further action. In the Control Tower context, the
+'MoveAccount' event is more useful, as it happens further along in the account
+provisioning sequence, and the event it generates can be used to determine 
+OU-based provisioning items, such as applying different Config Rules depending on
+which OU an account is moved into.