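AWSTemplateFormatVersion: '2010-09-09'
# Step 2 of the rollout: the IAM roles and policies an application account
# needs so the central audit account can collect its Inspector findings.
Description: >-
  Step 2 - This template should be deployed only in the primary region of all
  the application accounts to create the IAM roles and policies used for
  sending Inspector findings to central Audit Account.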
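Parameters:
  CentralSecurityAccountID:
    Type: String
    Description: Account ID of the Central Audit Account
    # The value is interpolated into the cross-account trust policy as
    # arn:aws:iam::<id>:role/<name>; anything other than a 12-digit account id
    # produces an invalid principal, so reject it at stack-create time.
    AllowedPattern: '^[0-9]{12}$'
    ConstraintDescription: must be a 12-digit AWS account ID
  PrimaryRegion:
    Type: String
    Description: Specify the region which can be used to create all the global resources in all the application accounts
    Default: us-east-1
    # Not referenced by any resource in this template; retained so existing
    # parameter files and stack updates keep working.
  InspectorEventRoleName:
    Type: String
    Description: Name of the role (not ARN) that is assumed by CloudWatch Event to start a scheduled Inspector run
    Default: Event-to-start-InspectorRun.iamrole
  CrossAccountRoleName:
    Type: String
    Description: Name of the role (not ARN) that is assumed by Lambda Role of Audit account for fetching Inspector findings
    Default: CrossAccountInspector.iamrole
  InspectorToSNSLambdaRoleName:
    Type: String
    Description: Name of the execution role (not ARN) that is assumed by regional Lambda function to attach a SNS topic to an Inspector template
    Default: Attach-SNS-to-Inspector-Lambda.iamrole
  LambdaExecutionRoleName:
    Type: String
    # This role lives in the central audit account, not in this account; only
    # its name is needed here to build the trust-policy principal ARN.
    Description: Name of the execution role (not ARN) that is assumed by Lambda function in Central Audit Account for sending Inspector findings
    Default: Inspector-to-S3-ES-LambdaExec.iamrole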
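Resources:
  # Role assumed by EventBridge (CloudWatch Events) to start the scheduled
  # Inspector assessment run in this account.
  EventsInspectorRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref InspectorEventRoleName
      Description: "This role starts an Inspector Assessment run based on an event schedules interval. Do not delete this role."
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - events.amazonaws.com
            Action:
              - 'sts:AssumeRole'
            # NOTE(review): the trust has no aws:SourceAccount / aws:SourceArn
            # condition, so it is not scoped to the rule(s) created in the later
            # step (AWS's confused-deputy guidance); confirm whether the rule
            # ARN or at least the account can be pinned here.
      Path: '/'

  # Inline policy for EventsInspectorRole: the only permission it needs is to
  # start an assessment run.
  EventRolePolicies:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: 'Inspector-Assessment-EventRule.iampolicy'
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: 'inspector:StartAssessmentRun'
            # Inspector Classic actions do not accept resource-level ARNs, so
            # '*' is the only usable value here.
            Resource: '*'
      Roles:
        - !Ref EventsInspectorRole

  # Role the central audit account's Lambda execution role assumes to read
  # Inspector findings out of this account.
  CrossAccountInspectorRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref CrossAccountRoleName
      Description: "This role is assumed by Inspector-to-S3ES-crossAcnt Lambda function of central audit account for collection of Inspector findings from each application account. Do not delete this role."
      # Expressed as a YAML mapping instead of an escaped JSON string so the
      # principal is readable and diffable; CloudFormation accepts either form.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              # Trust is limited to one named role in the central audit
              # account, not the whole account.
              AWS: !Sub 'arn:aws:iam::${CentralSecurityAccountID}:role/${LambdaExecutionRoleName}'
            Action: 'sts:AssumeRole'

  # Read-only EC2/Inspector/Events permissions granted to the cross-account
  # role; the only mutating calls are Inspector tag/attribute writes.
  LambdaAssumeRolePolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: 'CrossAccount-LambdaAssume.iampolicy'
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AddingEC2AndInspectorAndEventsPermissionsforAll
            Effect: Allow
            Action:
              - 'ec2:DescribeInstances'
              - 'ec2:DescribeVpcAttribute'
              - 'ec2:DescribeVpcs'
              - 'ec2:DescribeSubnets'
              - 'inspector:List*'
              - 'inspector:PreviewAgents'
              - 'inspector:AddAttributesToFindings'
              - 'inspector:Describe*'
              - 'inspector:SetTagsForResource'
              - 'inspector:GetTelemetryMetadata'
              - 'events:DescribeRule'
              - 'events:ListRuleNamesByTarget'
            # ec2:Describe* and Inspector Classic actions have no resource-level
            # permissions; events:DescribeRule could be narrowed to rule ARNs if
            # they are known — confirm before tightening.
            Resource:
              - '*'
      Roles:
        - !Ref CrossAccountInspectorRole

  # Execution role for the regional Lambda that subscribes an Inspector
  # template to the central SNS topic; logging comes from the AWS-managed
  # basic execution policy.
  Inspec2SNSLambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref InspectorToSNSLambdaRoleName
      Description: "This role is assumed by a regional Lambda function to attach an Inspector template (of application accounts) to a SNS topic in central audit account. Do not delete this role."
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: 'sts:AssumeRole'
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'

  # Inspector permissions for Inspec2SNSLambdaExecutionRole: list/describe
  # plus the single write needed to add the SNS subscription.
  Inspec2SNSLambdaExecutionPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: 'Attach-SNS-to-Inspector-Lambda.iampolicy'
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AddingInspectorPermissions
            Effect: Allow
            Action:
              - 'inspector:List*'
              - 'inspector:Describe*'
              - 'inspector:SubscribeToEvent'
            # Inspector Classic actions do not accept resource-level ARNs.
            Resource:
              - '*'
      Roles:
        - !Ref Inspec2SNSLambdaExecutionRole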