234 changes: 151 additions & 83 deletions CloudFormation/CrossAccountRole.yaml
Expand Up @@ -5,15 +5,23 @@ Description: >

Parameters:

RoleName:
CreateManagedPolicyRole:
Type: String
Default: "No"
AllowedValues:
- "Yes"
- "No"
Description: >
Name of the IAM role to create in your AWS account.
Select "Yes" to create the managed policy role.

Principal:
CreatePredefinedRole:
Type: String
Default: "No"
AllowedValues:
- "Yes"
- "No"
Description: >
Amazon Resource Name (ARN) of the principal that can assume the IAM role created in your AWS account.
Select "Yes" to create the predefined role.

ManagedPolicyArn:
Type: String
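Review bot: the two new switch descriptions (`Select "Yes" to create the managed policy role.` and `Select "Yes" to create the predefined role.`) don't say which other parameters a "Yes" depends on, so an operator who picks "Yes" and leaves the matching name parameter empty only finds out when the role fails to create. Suggest spelling the dependency out, e.g. `Select "Yes" to create the managed policy role; ManagedPolicyRoleName and ManagedPolicyArn must then be set.` and the equivalent for CreatePredefinedRole / PredefinedRoleName / PredefinedRole. Worth stating in one of them as well that both switches default to "No", so a stack launched with defaults creates no role at all; either default one of them to "Yes" or document that at least one must be selected.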
Expand All @@ -25,7 +33,12 @@ Parameters:
- arn:aws:iam::aws:policy/AWSBillingReadOnlyAccess
- arn:aws:iam::aws:policy/ReadOnlyAccess
Description: >
If selected, a role will be created with the specified AWS managed policy attached.
The AWS managed policy attached to attach to the managed policy role, if created.

ManagedPolicyRoleName:
Type: String
Description: >
Name of the managed policy IAM role.

PredefinedRole:
Type: String
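Review bot: the new ManagedPolicyArn description `The AWS managed policy attached to attach to the managed policy role, if created.` has a duplicated phrase; `The AWS managed policy to attach to the managed policy role, if that role is created.` reads cleanly. The bigger issue is the new ManagedPolicyRoleName parameter: it has no Default and no constraint but goes straight into RoleName, and IAM role names must be 1-64 characters from `[\w+=,.@-]`. Add `AllowedPattern: '[\w+=,.@-]{1,64}'` with a ConstraintDescription so an empty or malformed name is rejected at parameter validation instead of failing mid-create, and note in the description that RoleName is a replacement property: changing it later deletes and recreates the role, which changes the ARN that has already been handed to the principal.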
Expand All @@ -34,47 +47,104 @@ Parameters:
- ""
- ProwlerScanRole
Description: >
If selected, the specified predefined role will be created.
The predefined role to create, if created.

PredefinedRoleName:
Type: String
Description: >
Name of the predefined IAM role.

Principal:
Type: String
Description: >
Amazon Resource Name (ARN) of the principal that can assume the IAM role(s) created in your AWS account.


Metadata:

AWS::CloudFormation::Interface:
ParameterGroups:
- Label:
default: Role Permissions (Choose One)
default: Principal to Assume Role(s)
Parameters:
- Principal
- Label:
default: Managed Policy Role
Parameters:
- CreateManagedPolicyRole
- ManagedPolicyRoleName
- ManagedPolicyArn
- PredefinedRole
- Label:
default: OpsGuru Provided Parameter Values
default: Predefine Role
Parameters:
- Principal
- RoleName
- CreatePredefinedRole
- PredefinedRoleName
- PredefinedRole
ParameterLabels:
CreateManagedPolicyRole:
default: Create Managed Policy Role?
CreatePredefinedRole:
default: Create Predefined Role?
ManagedPolicyArn:
default: Managed Policy ARN (Optional)
default: Managed Policy ARN
ManagedPolicyRoleName:
default: Managed Policy Role Name (Value Provided by OpsGuru)
PredefinedRole:
default: Predefined Role (Optional)
RoleName:
default: Role Name
default: Predefined Role
PredefinedRoleName:
default: Predefined Role Name (Value Provided by OpsGuru)
Principal:
default: Principal (Value Provided by OpsGuru)


Conditions:

CreateManagedPolicyRole:
Fn::Equals:
- Ref: CreateManagedPolicyRole
- "Yes"

CreatePredefinedRole:
Fn::Equals:
- Ref: CreatePredefinedRole
- "Yes"

ProwlerScanRole:
Fn::Equals:
- Ref: PredefinedRole
- ProwlerScanRole

CreateProwlerScanRole:
Fn::And:
- Condition: CreatePredefinedRole
- Condition: ProwlerScanRole


Resources:

CrossAccountRole:
ManagedPolicyRole:
Condition: CreateManagedPolicyRole
Type: AWS::IAM::Role
Properties:
RoleName:
Ref: ManagedPolicyRoleName
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
AWS:
Ref: Principal
Action: sts:AssumeRole
ManagedPolicyArns:
- Ref: ManagedPolicyArn

ProwlerScanRole:
Condition: CreateProwlerScanRole
Type: AWS::IAM::Role
Properties:
RoleName:
Ref: RoleName
Ref: PredefinedRoleName
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
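Review bot: the ManagedPolicyRole trust policy added in this hunk (`Principal: AWS: Ref: Principal` / `Action: sts:AssumeRole`, and the ProwlerScanRole one follows the same shape) trusts an external OpsGuru principal with no condition, so any party that can get that principal to call AssumeRole on its behalf gets into this account; this is the confused-deputy case AWS documents an external ID for when granting a third party access. Add an ExternalId parameter next to Principal (OpsGuru supplies the value, as it does for Principal) and put `Condition: { StringEquals: { 'sts:ExternalId': !Ref ExternalId } }` on each trust statement. Two smaller points in the same hunk: nothing prevents ManagedPolicyRoleName and PredefinedRoleName being the same string when both switches are "Yes", which fails with a duplicate role name at create time, so either document it or add a Rules section that rejects equal names; and the ParameterGroups label `default: Predefine Role` should read `Predefined Role`, while `The predefined role to create, if created.` is circular and is better as `The predefined role to create when CreatePredefinedRole is "Yes".`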
Expand All @@ -84,75 +154,73 @@ Resources:
Ref: Principal
Action: sts:AssumeRole
ManagedPolicyArns:
Fn::If:
- ProwlerScanRole
-
- arn:aws:iam::aws:policy/SecurityAudit
- arn:aws:iam::aws:policy/job-function/ViewOnlyAccess
-
- Ref: ManagedPolicyArn
- arn:aws:iam::aws:policy/SecurityAudit
- arn:aws:iam::aws:policy/job-function/ViewOnlyAccess
Policies:
Fn::If:
- ProwlerScanRole
-
- PolicyName: ProwlerScanRoleAdditionalViewPrivileges
PolicyDocument:
Version : '2012-10-17'
Statement:
- Effect: Allow
Action:
- 'account:Get*'
- 'appstream:Describe*'
- 'appstream:List*'
- 'backup:List*'
- 'cloudtrail:GetInsightSelectors'
- 'codeartifact:List*'
- 'codebuild:BatchGet*'
- 'cognito-idp:GetUserPoolMfaConfig'
- 'dlm:Get*'
- 'drs:Describe*'
- 'ds:Get*'
- 'ds:Describe*'
- 'ds:List*'
- 'dynamodb:GetResourcePolicy'
- 'ec2:GetEbsEncryptionByDefault'
- 'ec2:GetSnapshotBlockPublicAccessState'
- 'ec2:GetInstanceMetadataDefaults'
- 'ecr:Describe*'
- 'ecr:GetRegistryScanningConfiguration'
- 'elasticfilesystem:DescribeBackupPolicy'
- 'glue:GetConnections'
- 'glue:GetSecurityConfiguration*'
- 'glue:SearchTables'
- 'lambda:GetFunction*'
- 'logs:FilterLogEvents'
- 'lightsail:GetRelationalDatabases'
- 'macie2:GetMacieSession'
- 's3:GetAccountPublicAccessBlock'
- 'shield:DescribeProtection'
- 'shield:GetSubscriptionState'
- 'securityhub:BatchImportFindings'
- 'securityhub:GetFindings'
- 'ssm:GetDocument'
- 'ssm-incidents:List*'
- 'support:Describe*'
- 'tag:GetTagKeys'
- 'wellarchitected:List*'
Resource: '*'
- PolicyName: ProwlerScanRoleAdditionalViewPrivilegesApiGateway
PolicyDocument:
Version : '2012-10-17'
Statement:
- Effect: Allow
Action:
- 'apigateway:GET'
Resource: 'arn:aws:apigateway:*::/restapis/*'
- Ref: AWS::NoValue
- PolicyName: ProwlerScanRoleAdditionalViewPrivileges
PolicyDocument:
Version : '2012-10-17'
Statement:
- Effect: Allow
Action:
- 'account:Get*'
- 'appstream:Describe*'
- 'appstream:List*'
- 'backup:List*'
- 'cloudtrail:GetInsightSelectors'
- 'codeartifact:List*'
- 'codebuild:BatchGet*'
- 'cognito-idp:GetUserPoolMfaConfig'
- 'dlm:Get*'
- 'drs:Describe*'
- 'ds:Get*'
- 'ds:Describe*'
- 'ds:List*'
- 'dynamodb:GetResourcePolicy'
- 'ec2:GetEbsEncryptionByDefault'
- 'ec2:GetSnapshotBlockPublicAccessState'
- 'ec2:GetInstanceMetadataDefaults'
- 'ecr:Describe*'
- 'ecr:GetRegistryScanningConfiguration'
- 'elasticfilesystem:DescribeBackupPolicy'
- 'glue:GetConnections'
- 'glue:GetSecurityConfiguration*'
- 'glue:SearchTables'
- 'lambda:GetFunction*'
- 'logs:FilterLogEvents'
- 'lightsail:GetRelationalDatabases'
- 'macie2:GetMacieSession'
- 's3:GetAccountPublicAccessBlock'
- 'shield:DescribeProtection'
- 'shield:GetSubscriptionState'
- 'securityhub:BatchImportFindings'
- 'securityhub:GetFindings'
- 'ssm:GetDocument'
- 'ssm-incidents:List*'
- 'support:Describe*'
- 'tag:GetTagKeys'
- 'wellarchitected:List*'
Resource: '*'
- PolicyName: ProwlerScanRoleAdditionalViewPrivilegesApiGateway
PolicyDocument:
Version : '2012-10-17'
Statement:
- Effect: Allow
Action:
- 'apigateway:GET'
Resource: 'arn:aws:apigateway:*::/restapis/*'


Outputs:

CrossAccountRoleArn:
Description: Amazon Resource Name (ARN) of the IAM role
ManagedPolicyRoleArn:
Condition: CreateManagedPolicyRole
Description: Amazon Resource Name (ARN) of the IAM role with managed policy attached
Value:
Fn::GetAtt: ManagedPolicyRole.Arn

ProwlerScanRoleArn:
Condition: CreateProwlerScanRole
Description: Amazon Resource Name (ARN) of the IAM role for running Prowler scans
Value:
Fn::GetAtt: CrossAccountRole.Arn
Fn::GetAtt: ProwlerScanRole.Arn
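Review bot: `securityhub:BatchImportFindings` inside the statement named ProwlerScanRoleAdditionalViewPrivileges is a write action (it creates or updates findings in Security Hub) and the only non-read grant this role gets; if pushing Prowler results into the customer's Security Hub is not part of the engagement, drop it, and if it is, move it into its own named statement so the policy name stops implying view-only. With the Fn::If removed, ProwlerScanRole is hard-wired to SecurityAudit plus ViewOnlyAccess and never reads ManagedPolicyArn, which is consistent with the split into two roles, but the rename of the logical resource from CrossAccountRole to ProwlerScanRole is an update hazard that the PR description should call out: CloudFormation creates the new resource before cleaning up the removed one, so an existing stack updated with PredefinedRoleName set to the name the old role already has fails with an already-exists error. Lastly, `lambda:GetFunction*` on `Resource: '*'` includes lambda:GetFunction, which returns a presigned URL to the deployment package, i.e. source code; if the scan checks only need configuration and URL-config data, list those specific GetFunction actions instead of the wildcard.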