{"id":25445525,"url":"https://github.com/juliusmarkwei/cfn-aws","last_synced_at":"2026-01-24T20:17:37.213Z","repository":{"id":277510795,"uuid":"932645248","full_name":"juliusmarkwei/cfn-aws","owner":"juliusmarkwei","description":null,"archived":false,"fork":false,"pushed_at":"2025-03-04T13:24:24.000Z","size":30,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-05-16T05:08:59.928Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/juliusmarkwei.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-02-14T09:03:25.000Z","updated_at":"2025-03-04T13:24:27.000Z","dependencies_parsed_at":"2025-02-17T16:22:33.010Z","dependency_job_id":"55c05a92-b085-4733-9a93-ab06d7cf7f02","html_url":"https://github.com/juliusmarkwei/cfn-aws","commit_stats":null,"previous_names":["juliusmarkwei/aws-cfn-new","juliusmarkwei/aws-cfn-new2","juliusmarkwei/aws-cfn-new3","juliusmarkwei/aws-cfn-new4","juliusmarkwei/aws-cfn-new5","juliusmarkwei/aws-cfn-new6","juliusmarkwei/aws-cfn-new7","juliusmarkwei/cfn-aws"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/juliusmarkwei/cfn-aws","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/juliusmarkwei%2Fcfn-aws","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/juliusmarkwei%2Fcfn-aws/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/juliusmarkwei%2Fcfn-a
ws/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/juliusmarkwei%2Fcfn-aws/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/juliusmarkwei","download_url":"https://codeload.github.com/juliusmarkwei/cfn-aws/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/juliusmarkwei%2Fcfn-aws/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28736503,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-24T19:23:36.361Z","status":"ssl_error","status_checked_at":"2026-01-24T19:23:28.966Z","response_time":89,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-02-17T16:31:09.205Z","updated_at":"2026-01-24T20:17:37.198Z","avatar_url":"https://github.com/juliusmarkwei.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# CloudFormation Template for IAM User Management\n\nThis CloudFormation template creates IAM users, assigns permissions, and configures event-driven automation using AWS services such as Secrets Manager, IAM, SSM Parameter Store, EventBridge, and Lambda.\n\n## Resources Created\n\n### 1. 
Store Temporary Password in Secrets Manager\n\n-   **Resource Name**: `TemporaryPassword`\n-   **Type**: `AWS::SecretsManager::Secret`\n-   **Description**: Stores one generated temporary password that is shared by every IAM user this template creates (both users receive the same initial password; `PasswordResetRequired` on their login profiles forces a change at first sign-in).\n-   **Properties**:\n    -   `Name`: `TempUserPassword`\n    -   `GenerateSecretString`:\n        -   `SecretStringTemplate`: `{\"password\": \"\"}`\n        -   `GenerateStringKey`: `password`\n        -   `PasswordLength`: 12\n        -   `ExcludeCharacters`: `\"@/\\`\n\n### 2. IAM Group for S3 Read-Only Access\n\n-   **Resource Name**: `S3UserGroup`\n-   **Type**: `AWS::IAM::Group`\n-   **Description**: IAM group with read-only access to S3 (`s3:ListBucket` and `s3:GetObject` on `Resource: *`, i.e. every bucket and object in the account).\n-   **Properties**:\n    -   `GroupName`: `S3UserGroup`\n    -   `Policies`:\n        -   `PolicyName`: `S3ReadOnlyPolicy`\n        -   `PolicyDocument`:\n            -   `Version`: `2012-10-17`\n            -   `Statement`:\n                -   `Effect`: `Allow`\n                -   `Action`:\n                    -   `s3:ListBucket`\n                    -   `s3:GetObject`\n                -   `Resource`: `*`\n\n### 3. IAM Group for EC2 Read-Only Access\n\n-   **Resource Name**: `EC2UserGroup`\n-   **Type**: `AWS::IAM::Group`\n-   **Description**: IAM group with read-only access to EC2 (`ec2:DescribeInstances` only).\n-   **Properties**:\n    -   `GroupName`: `EC2UserGroup`\n    -   `Policies`:\n        -   `PolicyName`: `EC2ReadOnlyPolicy`\n        -   `PolicyDocument`:\n            -   `Version`: `2012-10-17`\n            -   `Statement`:\n                -   `Effect`: `Allow`\n                -   `Action`:\n                    -   `ec2:DescribeInstances`\n                -   `Resource`: `*`\n\n### 4. 
Create IAM Users\n\n-   **Resource Names**: `EC2User`, `S3User`\n-   **Type**: `AWS::IAM::User`\n-   **Description**: Creates IAM users for EC2 and S3 with login profiles.\n-   **Properties**:\n    -   `UserName`: `ec2-user` / `s3-user`\n    -   `Groups`: `!Ref EC2UserGroup` / `!Ref S3UserGroup`\n    -   `LoginProfile`:\n        -   `Password`: `!Sub \"{{resolve:secretsmanager:TempUserPassword:SecretString:password}}\"`\n        -   `PasswordResetRequired`: `true`\n\n### 5. Store User Emails in Parameter Store\n\n-   **Resource Names**: `EC2UserEmail`, `S3UserEmail`\n-   **Type**: `AWS::SSM::Parameter`\n-   **Description**: Stores the email addresses of IAM users in the Parameter Store.\n-   **Properties**:\n    -   `Name`: `/user/emails/ec2-user` / `/user/emails/s3-user`\n    -   `Type`: `String`\n    -   `Value`: `ec2-user@example.com` / `s3-user@example.com`\n\n### 6. EventBridge Rule to Detect IAM User Creation\n\n-   **Resource Name**: `UserCreationEventRule`\n-   **Type**: `AWS::Events::Rule`\n-   **Description**: Triggers a Lambda function when a new IAM user is created.\n-   **Properties**:\n    -   `Name`: `IAMUserCreationRule`\n    -   `Description`: `Triggers a Lambda function when a new IAM user is created`\n    -   `EventPattern`:\n        -   `source`: `aws.iam`\n        -   `detail-type`: `AWS API Call via CloudTrail`\n        -   `detail`:\n            -   `eventSource`: `iam.amazonaws.com`\n            -   `eventName`: `CreateUser`\n    -   `Targets`:\n        -   `Arn`: `!GetAtt IAMUserLoggingLambda.Arn`\n        -   `Id`: `IAMUserLoggingLambdaTarget`\n\n### 7. 
Lambda Function to Log Email \u0026 Password\n\n-   **Resource Name**: `IAMUserLoggingLambda`\n-   **Type**: `AWS::Lambda::Function`\n-   **Description**: Logs the email and temporary password of newly created IAM users. Everything the function prints is written in plaintext to its CloudWatch log group, so the temporary password becomes readable by anyone with read access to that log group; restrict that access, or drop the password from the log line, before using this outside a lab account.\n-   **Properties**:\n\n    -   `FunctionName`: `IAMUserLogger`\n    -   `Runtime`: `python3.8` (this runtime is deprecated for Lambda; use a currently supported runtime such as `python3.12` for new stacks)\n    -   `Handler`: `index.lambda_handler`\n    -   `Role`: `!GetAtt IAMUserLoggingLambdaRole.Arn`\n    -   `Code`:\n\n        -   `ZipFile`:\n\n            ```python\n            import json\n            import boto3\n\n            ssm = boto3.client('ssm')\n            secrets_manager = boto3.client('secretsmanager')\n\n            def lambda_handler(event, context):\n                # CloudTrail delivers the CreateUser request parameters under event['detail']\n                username = event['detail']['requestParameters']['userName']\n\n                # Retrieve email from Parameter Store. The rule fires for every\n                # CreateUser in the account, so a user this stack does not know\n                # about has no parameter; skip it instead of failing the invocation.\n                param_name = f\"/user/emails/{username}\"\n                try:\n                    email = ssm.get_parameter(Name=param_name)['Parameter']['Value']\n                except ssm.exceptions.ParameterNotFound:\n                    print(f\"New IAM user created: {username} (no email parameter, skipping)\")\n                    return\n\n                # Retrieve password from Secrets Manager\n                secret = secrets_manager.get_secret_value(SecretId=\"TempUserPassword\")\n                password = json.loads(secret['SecretString'])['password']\n\n                # Log the credentials (this writes the password in plaintext to CloudWatch Logs)\n                print(f\"New IAM user created: {username}\")\n                print(f\"Email: {email}\")\n                print(f\"Temporary Password: {password}\")\n            ```\n\n### 8. 
IAM Role for Lambda Execution\n\n-   **Resource Name**: `IAMUserLoggingLambdaRole`\n-   **Type**: `AWS::IAM::Role`\n-   **Description**: IAM role for the Lambda function to log email and password. `Resource: *` on `ssm:GetParameter` and `secretsmanager:GetSecretValue` lets the function read every parameter and every secret in the account; scope them to the secret's ARN (`!Ref TemporaryPassword` returns it) and to the `/user/emails/*` parameter path so a compromised function can reach only what it needs.\n-   **Properties**:\n    -   `RoleName`: `IAMUserLoggerRole`\n    -   `AssumeRolePolicyDocument`:\n        -   `Version`: `2012-10-17`\n        -   `Statement`:\n            -   `Effect`: `Allow`\n            -   `Principal`:\n                -   `Service`: `lambda.amazonaws.com`\n            -   `Action`: `sts:AssumeRole`\n    -   `Policies`:\n        -   `PolicyName`: `IAMUserLoggerPolicy`\n        -   `PolicyDocument`:\n            -   `Version`: `2012-10-17`\n            -   `Statement` (two statements):\n                -   `Effect`: `Allow`\n                -   `Action`:\n                    -   `ssm:GetParameter`\n                    -   `secretsmanager:GetSecretValue`\n                -   `Resource`: `*`\n                -   `Effect`: `Allow`\n                -   `Action`:\n                    -   `logs:CreateLogGroup`\n                    -   `logs:CreateLogStream`\n                    -   `logs:PutLogEvents`\n                -   `Resource`: `*`\n\n## Outputs\n\n### IAMUserLoggingLambdaARN\n\n-   **Description**: ARN of the Lambda function that logs IAM user credentials.\n-   **Value**: `!GetAtt IAMUserLoggingLambda.Arn`\n\n## Usage\n\nTo deploy this CloudFormation stack, use the AWS Management Console, AWS CLI, or any other CloudFormation deployment tool. 
Ensure that you have the necessary permissions to create the resources defined in the template. Three checks before relying on the event rule: CloudTrail API-call events reach EventBridge only when the account has a trail with logging enabled; IAM is a global service whose CloudTrail events are delivered to EventBridge in the us-east-1 Region, so the rule must live there; and EventBridge can only invoke the function if an `AWS::Lambda::Permission` grants `events.amazonaws.com` the `lambda:InvokeFunction` action on `IAMUserLogger`, which is not among the resources listed above, so add one if the template does not already include it.\n\n```sh\naws cloudformation create-stack --stack-name iam-user-management --template-body file://index.yaml --capabilities CAPABILITY_NAMED_IAM\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjuliusmarkwei%2Fcfn-aws","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjuliusmarkwei%2Fcfn-aws","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjuliusmarkwei%2Fcfn-aws/lists"}
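The README's `IAMUserLogger` handler, as described in sections 6 and 7 above, is reworked below into a form a practitioner could actually test and ship: the CloudTrail `CreateUser` event is validated (wrong service, wrong API, or a failed call recorded with `errorCode` is ignored), a user with no `/user/emails/` parameter is skipped instead of crashing the invocation, and the temporary password is never written to the log line, only a pointer to the secret that holds it. This is an added example and not the repository's code; the `FakeSSM`/`FakeSecrets` clients, the `sample_event` builder and the sample parameter and secret values are constructed here so the logic runs offline, and they mimic only the subset of the boto3 client surface the handler uses (`get_parameter`, `exceptions.ParameterNotFound`, `get_secret_value`).

```python
"""Hardened IAMUserLogger handler logic (added example, not the project's code).

The decision logic takes the SSM and Secrets Manager clients as arguments so it
can be exercised with the fake clients below; lambda_handler wires in boto3.
"""
import json
import logging
from typing import Any, Dict, Optional

logger = logging.getLogger("IAMUserLogger")

EMAIL_PARAM_PREFIX = "/user/emails/"  # parameter path convention from the template
SECRET_ID = "TempUserPassword"        # secret name from the template


def username_from_event(event: Dict[str, Any]) -> Optional[str]:
    """Return userName from a CloudTrail CreateUser event, or None if the event
    is not a successful iam:CreateUser call (the rule also matches failed calls)."""
    detail = event.get("detail") or {}
    if detail.get("eventSource") != "iam.amazonaws.com":
        return None
    if detail.get("eventName") != "CreateUser":
        return None
    if detail.get("errorCode"):  # e.g. EntityAlreadyExists: no user was created
        return None
    return (detail.get("requestParameters") or {}).get("userName")


def handle_create_user(event: Dict[str, Any], ssm, secrets) -> Dict[str, Any]:
    """Look up the new user's email and confirm the shared temporary password is
    readable, without ever writing the password itself to CloudWatch Logs."""
    username = username_from_event(event)
    if not username:
        return {"status": "ignored"}

    # The rule fires for every CreateUser in the account, not only for the users
    # this stack knows about, so a missing email parameter is expected, not an error.
    try:
        email = ssm.get_parameter(Name=EMAIL_PARAM_PREFIX + username)["Parameter"]["Value"]
    except ssm.exceptions.ParameterNotFound:
        logger.info("IAM user %s created; no email parameter, skipping", username)
        return {"status": "skipped", "user": username}

    secret = json.loads(secrets.get_secret_value(SecretId=SECRET_ID)["SecretString"])
    if not secret.get("password"):
        raise RuntimeError(f"secret {SECRET_ID} has no password field")

    # Log where the password lives, not the value: the log group is readable by
    # anyone with logs:GetLogEvents on it and is not access-controlled like a secret.
    logger.info("IAM user %s (%s) created; temporary password is in secret %s",
                username, email, SECRET_ID)
    return {"status": "logged", "user": username, "email": email, "secret_id": SECRET_ID}


def lambda_handler(event, context):
    """Lambda entry point; boto3 is imported here so the logic above runs without it."""
    import boto3
    return handle_create_user(event, boto3.client("ssm"), boto3.client("secretsmanager"))


# ---- offline fakes and constructed sample data (assumptions, not real AWS data) ----

class FakeSSM:
    """Stand-in for the boto3 SSM client: get_parameter plus the exceptions attribute."""
    class exceptions:
        class ParameterNotFound(Exception):
            pass

    def __init__(self, params: Dict[str, str]):
        self._params = params

    def get_parameter(self, Name: str, WithDecryption: bool = False) -> Dict[str, Any]:
        if Name not in self._params:
            raise self.exceptions.ParameterNotFound(Name)
        return {"Parameter": {"Name": Name, "Value": self._params[Name]}}


class FakeSecrets:
    """Stand-in for the boto3 Secrets Manager client."""
    def __init__(self, secret_string: str):
        self._secret_string = secret_string

    def get_secret_value(self, SecretId: str) -> Dict[str, Any]:
        return {"SecretString": self._secret_string}


def sample_event(user_name: str, error_code: Optional[str] = None) -> Dict[str, Any]:
    """Constructed EventBridge event in the shape CloudTrail uses for iam:CreateUser."""
    detail: Dict[str, Any] = {
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateUser",
        "requestParameters": {"userName": user_name},
    }
    if error_code:
        detail["errorCode"] = error_code
    return {"source": "aws.iam", "detail-type": "AWS API Call via CloudTrail", "detail": detail}


FAKE_SSM = FakeSSM({"/user/emails/s3-user": "s3-user@example.com"})
FAKE_SECRETS = FakeSecrets(json.dumps({"password": "correct-horse-battery"}))

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for ev in (sample_event("s3-user"), sample_event("intern-7"),
               sample_event("s3-user", error_code="EntityAlreadyExists")):
        print(handle_create_user(ev, FAKE_SSM, FAKE_SECRETS))
```

Because `handle_create_user` reads `ssm.exceptions.ParameterNotFound` from whatever client it is handed, the same code path runs against a real boto3 SSM client (which exposes that exception class under `client.exceptions`) and against the fake, so the skip path can be unit-tested without an AWS account.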