Cross Account Role Monitoring

Description
This solution sends an alert notification when cross-account access is granted through an IAM role. When a new role is created (event name: CreateRole) or the trust relationship of an existing IAM role is updated (event name: UpdateAssumeRolePolicy), an Amazon EventBridge rule delivers those specific IAM events to the default event bus in the Security Tools account. The default event bus delivers the event to the matching rule, which then sends the event object to a Lambda function for processing.

[Image: architecture diagram of the event flow described above]

The Lambda function analyses the trust relationship (assume role policy document) of the role to detect cross-account access. If cross-account access is present, it determines whether the AWS account to which cross-account access has been granted is internal or external to the AWS Organization. It then publishes an alert message to the SNS topic; a typical alert email looks like this:

[Image: sample alert email]
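The trust-policy analysis described above, as an added example (not the project's own Lambda code): it pulls the policy document out of the CloudTrail record that EventBridge delivers, collects every foreign account that is allowed to assume the role, and labels each one internal or external against the Organization's account list. The event field names (`requestParameters.assumeRolePolicyDocument` / `policyDocument`), the account IDs and the sample event are constructed assumptions.

```python
import json
import re
from urllib.parse import quote, unquote

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
ARN_ACCOUNT_RE = re.compile(r"^arn:aws[a-z-]*:(?:iam|sts)::(\d{12}):")

def trust_policy_from_event(event):
    # EventBridge delivers the CloudTrail record; CloudTrail URL-encodes the policy document.
    # Field names assumed: assumeRolePolicyDocument (CreateRole) / policyDocument (UpdateAssumeRolePolicy).
    params = event["detail"]["requestParameters"]
    raw = params.get("assumeRolePolicyDocument") or params.get("policyDocument")
    return json.loads(unquote(raw))

def principals_of(statement):
    # Principal is either the string "*" or an object whose AWS key is a string or a list.
    principal = statement.get("Principal", {})
    if isinstance(principal, str):
        yield principal
        return
    aws = principal.get("AWS", [])
    yield from ([aws] if isinstance(aws, str) else aws)

def account_of(principal):
    # 12-digit account ID from a bare ID or an IAM/STS ARN; "*" (anonymous) is passed through.
    if principal == "*" or ACCOUNT_ID_RE.match(principal):
        return principal
    m = ARN_ACCOUNT_RE.match(principal)
    return m.group(1) if m else None

def cross_account_access(trust_policy, own_account, org_accounts):
    # Returns {account_id: "internal" | "external"} for every foreign principal allowed to assume the role.
    findings = {}
    for stmt in (s for s in trust_policy.get("Statement", []) if s.get("Effect") == "Allow"):
        for acct in map(account_of, principals_of(stmt)):
            if acct and acct != own_account:
                findings[acct] = "internal" if acct in org_accounts else "external"
    return findings

# Constructed sample: UpdateAssumeRolePolicy on a role in account 333..., trusting one Organization
# member (111...), one outside account (222...), the role's own account and a service principal.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": [
        "arn:aws:iam::111111111111:root", "arn:aws:iam::222222222222:role/Deploy",
        "333333333333"]}},
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"Service": "lambda.amazonaws.com"}}]}
SAMPLE_EVENT = {"detail": {"eventName": "UpdateAssumeRolePolicy", "requestParameters": {
    "roleName": "DataExport", "policyDocument": quote(json.dumps(SAMPLE_POLICY))}}}
ORG_ACCOUNTS = {"111111111111", "333333333333"}  # as listed through the management-account role
```

Running `cross_account_access(trust_policy_from_event(SAMPLE_EVENT), "333333333333", ORG_ACCOUNTS)` reports 111111111111 as internal and 222222222222 as external; a `"*"` principal is reported as external.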

How to deploy?

Management Account
Deploy the CloudFormation template GetAWSAccounts.yml to create an IAM role in the management account that can list the AWS accounts present in the organization. The Lambda function assumes this role from the Security Tools account to get the list of AWS accounts.

All AWS Accounts
Deploy the CloudFormation template EventBridgeRule.yml to create an EventBridge rule in every AWS account in the organization that sends the specific IAM events (CreateRole, UpdateAssumeRolePolicy) to the default event bus in the Security Tools account.

Security Tools Account
Deploy the CloudFormation template MonitorCrossAccountRoles.yml to create:
• The Lambda function
• An EventBridge rule on the default event bus that sends the CreateRole and UpdateAssumeRolePolicy events to the Lambda function for processing
• An SNS topic to which the alert notifications are published

How to test?
Create an IAM role with cross-account access, or modify an existing role to grant cross-account access. You should receive an email similar to the one shown above.