add some features

README.md

@@ -15,28 +15,33 @@ All configuration done by this stack should easily fit in the free tier itself.
 - Press `Create Stack`
 - ***You will get an email on the email address(ses) entered. Make sure to accept the subscription, or alerts will not be sent!***
 
-## Contents
+## Features
 
-These services are configured.
+- SNS Topic with a list of email subscribers that get alarms and notifications
 
-### SNS Topic
+- AWS Budgets
+    - Sends alarms when a pre-set daily, weekly or monthly budget is passed.
+        - Currently just a daily amount configured
 
-- SNS Topic with a list of email subscribers that get alarms and notifications
+- Root User Alarms
+    -  Send a notice every 24 hours if root user..
+        - does not have MFA configured
+        - access keys are set
+    - (In Progress) Send a notice whenever the root user is used
+        - This is already in the code as Eventbridge Event, but also requires CloudTrail to be configured
 
-### AWS Budgets
+- (In Progress) CloudTrail
+    - Creates a CloudTrail-trail
+    - Monitors if there are more than 1 trails in (any) region
 
-- Sends alarms when a pre-set daily, weekly or monthly budget is passed.
-    - Currently just a daily amount configured
 
-### Root User Alarms
+## FAQ
 
-- Send a notice every 24 hours if root user..
-    - does not have MFA configured
-    - access keys are set
-- (In Progress) Send a notice whenever the root user is used
-    - This is already in the code as Eventbridge Event, but also requires CloudTrail to be configured
+- Q: Why is this called the "aws free tier" stack? I dont see anything to do with the free tier
+  A: Because this stack aims to solve some issues that people have that rely on the free tier, and are new users to AWS. It monitors some basic security features and sets up some basic cost monitoring. On online platforms there are many first time users who's accounts are compromised or accidentally run something that they can't afford. This stack should help reduce the blast radius.
 
-### (TBD) CloudTrail
+- Q: Why are you using CloudFormation and not CDK, Terraform or something else?
+  A: Because CloudFormation has the best new-user experience. Just click the link and follow the wizard. As this stack is created for new users, this is the best solution
 
-- Creates a CloudTrail-trail
-- Monitors if there are more than 1 trails in (any) region
+- Q: I've got some ideas, can I help
+  A: Yes! Feel free to open an issue or a PR

stack.yml

@@ -130,6 +130,12 @@ Resources:
       ManagedPolicyArns:
         - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
 
+  LambdaLogGroup:
+    Type: 'AWS::Logs::LogGroup'
+    Properties:
+      LogGroupName: !Sub "/aws/lambda/${LambdaFunction}"
+      RetentionInDays: 30
+
   LambdaFunction:
     Type: 'AWS::Lambda::Function'
     Properties:
@@ -139,35 +145,53 @@ Resources:
         ZipFile: |
           import boto3
           import os
-          # import logging
-
-          # logger = logging.getLogger()
-          # logger.setLevel(logging.INFO)
 
           def lambda_handler(event, context):
+              # List to store messages
+              messages = []
+
+              access_keys_message = """Root user has access keys present!
+
+              Visit this URL to learn how to solve this: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user_manage_delete-key.html"""
+
+              mfa_message = """Root user does not have MFA configured!
+
+              Visit this URL to learn how to solve this: https://docs.aws.amazon.com/IAM/latest/UserGuide/enable-virt-mfa-for-root.html"""
+
               def send_sns_message(message):
-                  sns = boto3.client('sns')
-                  sns.publish(
-                      TopicArn=os.environ['SNSTopic'],
-                      Message=message
-                  )
+                  # Append the message to the list
+                  messages.append(message)
 
               def check_root():
                   iam = boto3.client('iam')
                   response = iam.get_account_summary()
                   if response['SummaryMap']['AccountMFAEnabled'] == 0:
                       print('Root user does not have MFA set!')
-                      send_sns_message('Root user does not have MFA set!')
+                      send_sns_message(mfa_message)
                   else:
                       print('Root user has MFA set!')
                   if response['SummaryMap']['AccountAccessKeysPresent'] > 0:
                       print('Root user has access keys present!')
-                      send_sns_message('Root user has access keys present!')
+                      send_sns_message(access_keys_message)
                   else:
                       print('Root user does not have access keys present!')
 
+              # Call the function to check root user
               check_root()
 
+              # If there are messages in the list, send a single message with all accumulated messages
+              if messages:
+                  # Create an SNS client
+                  sns = boto3.client('sns')
+                  # Join all messages into a single string separated by newlines
+                  message = '\n'.join(messages)
+                  # Send the message
+                  sns.publish(
+                      TopicArn=os.environ['SNSTopic'],
+                      Message=message,
+                      Subject='AWS Free Tier Stack Alert'
+                  )
+
       Runtime: python3.12
       Timeout: 30
       Environment:
@@ -179,7 +203,7 @@ Resources:
     Type: 'AWS::Events::Rule'
     Properties:
       Description: 'Run the lambda function every 24 hours'
-      ScheduleExpression: 'rate(24 hours)'
+      ScheduleExpression: 'cron(0 12 * * ? *)'
       State: 'ENABLED'
       Targets:
         - Arn: !GetAtt LambdaFunction.Arn