in access-analyzer/iam-role-findings-resolution/functions/access_analyzer_event_bridge_target.py [0:0]
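def lambda_handler(event, context):
    """Respond to an IAM Access Analyzer finding delivered through EventBridge.

    Reads the external principal and the affected resource out of the finding
    event, denies that principal in the role's trust policy when the resource
    is an IAM role, and publishes a notification to the SNS topic named by the
    ``SNS_TOPIC_ARN`` environment variable.

    Args:
        event: EventBridge event carrying an Access Analyzer finding. The
            handler reads ``resources[0]`` (the analyzer ARN) and, under
            ``detail``, ``principal.AWS``, ``id``, ``resource`` and
            ``resourceType``.
        context: Lambda context object (unused).

    Raises:
        KeyError: if a required event key is missing or ``SNS_TOPIC_ARN`` is
            unset. This is deliberately not caught: a malformed finding should
            surface as a failed invocation rather than be silently skipped.
    """
    logger.info("event: {}".format(event))
    sns_topic = os.environ["SNS_TOPIC_ARN"]
    detail = event['detail']
    analyzer_arn = event['resources'][0]
    external_principal = detail['principal']['AWS']
    logger.info("External Principal:{}".format(external_principal))
    # Hyphens are stripped so the id fits wherever only alphanumerics are
    # accepted downstream (presumably a policy statement Sid — confirm in
    # disable_iam_access).
    finding_id = detail['id'].replace("-", "")
    resource_arn = detail['resource']
    # Take the LAST path segment. An IAM role ARN may carry a path
    # ("...:role/path/to/Name"); the previous split("/")[1] returned the first
    # path element instead of the role name in that case.
    resource_name = resource_arn.rsplit("/", 1)[-1]
    resource_type = detail['resourceType']
    arn = arnparse(analyzer_arn)

    if not external_principal:
        # NOTE(review): the original only computed ext_arn under this
        # condition, so without a principal there is nothing to deny; bail out
        # explicitly instead of reaching disable_iam_access with an unbound name.
        logger.info("No external principal in finding; nothing to do")
        return

    # A bare account id is addressed through its root principal; anything
    # already shaped like an ARN in this partition is used as-is. A prefix test
    # replaces the previous substring test so a value merely *containing*
    # "arn:<partition>" cannot be passed through unchanged into the policy.
    arn_prefix = "arn:{}:".format(arn.partition)
    if external_principal.startswith(arn_prefix):
        ext_arn = external_principal
    else:
        ext_arn = "arn:{}:iam::{}:root".format(arn.partition, external_principal)
    logger.debug(ext_arn)

    if resource_type == 'AWS::IAM::Role':
        logger.debug("Deny access in the trust policy")
        disable_iam_access(resource_name, ext_arn, finding_id)

    logger.debug("send message")
    send_notifications(
        sns_topic, external_principal, resource_arn, finding_id, resource_name, arn.region)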