def send_notifications()

in access-analyzer/iam-role-findings-resolution/functions/access_analyzer_event_bridge_target.py [0:0]


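# SNS rejects a Subject longer than 100 characters; keeping under the limit
# prevents a notification for an already-applied remediation from being lost.
_SNS_SUBJECT_MAX_LEN = 100


def _build_notification_text(principal, resource_arn, finding_id, resource_name, region):
    """Return ``(subject, message)`` for a resolved Access Analyzer finding.

    Pure string assembly, kept separate from the SNS call so the wording can be
    reviewed and unit-tested without AWS access.

    Args:
        principal: External principal the finding reported access for.
        resource_arn: ARN of the IAM role whose trust policy was updated.
        finding_id: Access Analyzer finding id; also the SID of the added deny
            statement, which is why the message tells the reader to look for it.
        resource_name: IAM role name used in the console deep link.
        region: Region placed in the console URL's ``region`` query parameter.

    Returns:
        A ``(subject, message)`` tuple; ``subject`` is capped at the SNS limit.
    """
    # NOTE(review): the console host is the commercial-partition one; roles in
    # aws-us-gov / aws-cn would need a different host -- confirm if those are in scope.
    console_deep_link = "https://console.aws.amazon.com/iam/home?region={}#/roles/{}".format(
        region, resource_name)
    message = "The IAM Role resource {} ({}) allows access to the principal {}. Trust policy for the role has been updated to deny the external access. Please review the IAM Role and its trust policy. If this access is intended, update the IAM Role trust policy to remove a statement with SID matching with the finding id {} and mark the finding as archived or create an archive rule. If this access is not intended then delete the IAM Role.".format(
        resource_arn, console_deep_link, principal, finding_id)
    subject = "Access Analyzer finding {} was automatically resolved".format(
        finding_id)
    return subject[:_SNS_SUBJECT_MAX_LEN], message


def send_notifications(sns_topic, principal, resource_arn, finding_id, resource_name, region):
    """Publish a notification that an Access Analyzer finding was auto-resolved.

    Tells the topic's subscribers which role was changed, which external
    principal triggered the remediation, and how to undo it (remove the deny
    statement whose SID matches ``finding_id``) if the access was intentional.

    Args:
        sns_topic: ARN of the SNS topic to publish to.
        principal: External principal reported by the finding.
        resource_arn: ARN of the remediated IAM role.
        finding_id: Access Analyzer finding id.
        resource_name: IAM role name, used for the console deep link.
        region: Region used in the console deep link.

    Returns:
        None. The raw ``publish`` response is only logged at DEBUG level.

    Raises:
        Whatever ``boto3``/``botocore`` raises from ``publish`` (for example a
        bad topic ARN or missing ``sns:Publish`` permission) propagates
        unchanged; nothing is swallowed or retried here.
    """
    subject, message = _build_notification_text(
        principal, resource_arn, finding_id, resource_name, region)

    # Client uses the Lambda's default credentials/region; the topic ARN
    # carries its own region so cross-region publishing still resolves.
    sns_client = boto3.client("sns")
    sns_response = sns_client.publish(
        TopicArn=sns_topic,
        Message=message,
        Subject=subject
    )
    logger.debug(sns_response)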