-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathcloudformation_template_test_securestack.json
More file actions
1 lines (1 loc) · 11.2 KB
/
cloudformation_template_test_securestack.json
File metadata and controls
1 lines (1 loc) · 11.2 KB
1
{"AWSTemplateFormatVersion":"2010-09-09","Metadata":{"AWS::CloudFormation::Interface":{"ParameterGroups":[{"Label":{"default":"IAMRole"},"Parameters":["RoleName","ExternalAccount","ExternalId"]}]}},"Parameters":{"RoleName":{"Type":"String","Default":"SecureStack-Audit-Role","Description":"NamefortheIAMroletobecreated"},"ExternalId":{"Type":"String","Default":"09aca2ff-099e-469a-8d96-34d0a59fa725","Description":"SecureStackExternalID"},"ExternalAccount":{"Type":"String","Default":"955284390043","Description":"SecureStackAccount"}},"Resources":{"IamRole":{"Type":"AWS::IAM::Role","Properties":{"RoleName":{"Ref":"RoleName"},"AssumeRolePolicyDocument":{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":{"Fn::Sub":"arn:${AWS::Partition}:iam::${ExternalAccount}:root"}},"Action":"sts:AssumeRole","Condition":{"StringEquals":{"sts:ExternalId":{"Ref":"ExternalId"}}}}]}}},"InventoryPolicy":{"Type":"AWS::IAM::Policy","Properties":{"Roles":[{"Ref":"IamRole"}],"PolicyName":"SecureStack-Audit-Policy","PolicyDocument":{"Version":"2012-10-17","Statement":[{"Sid":"Audit","Effect":"Allow","Action":["acm-pca:Describe*","acm-pca:Get*","acm-pca:List*","acm:Describe*","acm:Get*","acm:List*","apigateway:GET","application-autoscaling:Describe*","applicationinsights:Describe*","applicationinsights:List*","appmesh:Describe*","appmesh:List*","appsync:Get*","appsync:List*","athena:Batch*","athena:Get*","athena:List*","autoscaling-plans:Describe*","autoscaling-plans:GetScalingPlanResourceForecastData","autoscaling:Describe*","cloudformation:Describe*","cloudformation:Detect*","cloudformation:Estimate*","cloudformation:Get*","cloudformation:List*","cloudfront:DescribeFunction","cloudfront:Get*","cloudfront:List*","cloudhsm:Describe*","cloudhsm:Get*","cloudhsm:List*","cloudsearch:Describe*","cloudsearch:List*","cloudtrail:Describe*","cloudtrail:Get*","cloudtrail:List*","cloudtrail:LookupEvents","cloudwatch:Describe*","cloudwatch:Get*","cloudwatch:List*","codebuild:BatchGet*","codebuild:DescribeCodeCoverages","codebuild:DescribeTestCases","codebuild:List*","codedeploy:BatchGet*","codedeploy:Get*","codedeploy:List*","codepipeline:Get*","codepipeline:List*","cognito-identity:Describe*","cognito-identity:GetCredentialsForIdentity","cognito-identity:GetIdentityPoolRoles","cognito-identity:GetOpenIdToken","cognito-identity:GetOpenIdTokenForDeveloperIdentity","cognito-identity:List*","cognito-identity:Lookup*","cognito-idp:AdminGet*","cognito-idp:AdminList*","cognito-idp:Describe*","cognito-idp:Get*","cognito-idp:List*","cognito-sync:Describe*","cognito-sync:Get*","cognito-sync:List*","cognito-sync:QueryRecords","config:BatchGetAggregateResourceConfig","config:BatchGetResourceConfig","config:Deliver*","config:Describe*","config:Get*","config:List*","config:SelectAggregateResourceConfig","config:SelectResourceConfig","detective:Get*","detective:List*","detective:SearchGraph","dynamodb:BatchGet*","dynamodb:Describe*","dynamodb:Get*","dynamodb:List*","dynamodb:Query","dynamodb:Scan","ec2:Describe*","ec2:Get*","ec2:SearchTransitGatewayRoutes","ec2messages:Get*","ecr-public:BatchCheckLayerAvailability","ecr-public:DescribeImages","ecr-public:DescribeImageTags","ecr-public:DescribeRegistries","ecr-public:DescribeRepositories","ecr-public:GetAuthorizationToken","ecr-public:GetRegistryCatalogData","ecr-public:GetRepositoryCatalogData","ecr-public:GetRepositoryPolicy","ecr-public:ListTagsForResource","ecr:BatchCheck*","ecr:BatchGet*","ecr:Describe*","ecr:Get*","ecr:List*","ecs:Describe*","ecs:List*","eks:Describe*","eks:List*","elasticache:Describe*","elasticache:List*","elasticbeanstalk:Check*","elasticbeanstalk:Describe*","elasticbeanstalk:List*","elasticbeanstalk:Request*","elasticbeanstalk:Retrieve*","elasticbeanstalk:Validate*","elasticfilesystem:Describe*","elasticloadbalancing:Describe*","es:Describe*","es:ESHttpGet","es:ESHttpHead","es:Get*","es:List*","events:Describe*","events:List*","events:Test*","firehose:Describe*","firehose:List*","fis:GetAction","fis:GetExperiment","fis:GetExperimentTemplate","fis:ListActions","fis:ListExperiments","fis:ListExperimentTemplates","fis:ListTagsForResource","fms:GetAdminAccount","fms:GetAppsList","fms:GetComplianceDetail","fms:GetNotificationChannel","fms:GetPolicy","fms:GetProtectionStatus","fms:GetProtocolsList","fms:GetViolationDetails","fms:ListAppsLists","fms:ListComplianceStatus","fms:ListMemberAccounts","fms:ListPolicies","fms:ListProtocolsLists","fms:ListTagsForResource","fsx:Describe*","fsx:List*","glacier:Describe*","glacier:Get*","glacier:List*","globalaccelerator:Describe*","globalaccelerator:List*","guardduty:DescribeOrganizationConfiguration","guardduty:DescribePublishingDestination","guardduty:Get*","guardduty:List*","health:Describe*","iam:Generate*","iam:Get*","iam:List*","iam:Simulate*","inspector:Describe*","inspector:Get*","inspector:List*","inspector:Preview*","kafka:Describe*","kafka:Get*","kafka:List*","kinesis:Describe*","kinesis:Get*","kinesis:List*","kinesisanalytics:Describe*","kinesisanalytics:Discover*","kinesisanalytics:Get*","kinesisanalytics:List*","kinesisvideo:Describe*","kinesisvideo:Get*","kinesisvideo:List*","kms:Describe*","kms:Get*","kms:List*","lambda:Get*","lambda:List*","lightsail:GetActiveNames","lightsail:GetAlarms","lightsail:GetAutoSnapshots","lightsail:GetBlueprints","lightsail:GetBucketAccessKeys","lightsail:GetBucketBundles","lightsail:GetBucketMetricData","lightsail:GetBuckets","lightsail:GetBundles","lightsail:GetCertificates","lightsail:GetCloudFormationStackRecords","lightsail:GetContainerAPIMetadata","lightsail:GetContainerImages","lightsail:GetContainerServiceDeployments","lightsail:GetContainerServiceMetricData","lightsail:GetContainerServicePowers","lightsail:GetContainerServices","lightsail:GetDisk","lightsail:GetDisks","lightsail:GetDiskSnapshot","lightsail:GetDiskSnapshots","lightsail:GetDistributionBundles","lightsail:GetDistributionLatestCacheReset","lightsail:GetDistributionMetricData","lightsail:GetDistributions","lightsail:GetDomain","lightsail:GetDomains","lightsail:GetExportSnapshotRecords","lightsail:GetInstance","lightsail:GetInstanceMetricData","lightsail:GetInstancePortStates","lightsail:GetInstances","lightsail:GetInstanceSnapshot","lightsail:GetInstanceSnapshots","lightsail:GetInstanceState","lightsail:GetKeyPair","lightsail:GetKeyPairs","lightsail:GetLoadBalancer","lightsail:GetLoadBalancerMetricData","lightsail:GetLoadBalancers","lightsail:GetLoadBalancerTlsCertificates","lightsail:GetOperation","lightsail:GetOperations","lightsail:GetOperationsForResource","lightsail:GetRegions","lightsail:GetRelationalDatabase","lightsail:GetRelationalDatabaseBlueprints","lightsail:GetRelationalDatabaseBundles","lightsail:GetRelationalDatabaseEvents","lightsail:GetRelationalDatabaseLogEvents","lightsail:GetRelationalDatabaseLogStreams","lightsail:GetRelationalDatabaseMetricData","lightsail:GetRelationalDatabaseParameters","lightsail:GetRelationalDatabases","lightsail:GetRelationalDatabaseSnapshot","lightsail:GetRelationalDatabaseSnapshots","lightsail:GetStaticIp","lightsail:GetStaticIps","lightsail:Is*","logs:Describe*","logs:FilterLogEvents","logs:Get*","logs:ListTagsLogGroup","logs:StartQuery","logs:StopQuery","logs:TestMetricFilter","macie:ListMemberAccounts","macie:ListS3Resources","macie2:BatchGetCustomDataIdentifiers","macie2:DescribeBuckets","macie2:DescribeClassificationJob","macie2:DescribeOrganizationConfiguration","macie2:GetAdministratorAccount","macie2:GetBucketStatistics","macie2:GetClassificationExportConfiguration","macie2:GetCustomDataIdentifier","macie2:GetFindings","macie2:GetFindingsFilter","macie2:GetFindingsPublicationConfiguration","macie2:GetFindingStatistics","macie2:GetInvitationsCount","macie2:GetMacieSession","macie2:GetMember","macie2:GetUsageStatistics","macie2:GetUsageTotals","macie2:ListClassificationJobs","macie2:ListCustomDataIdentifiers","macie2:ListFindings","macie2:ListFindingsFilters","macie2:ListInvitations","macie2:ListMembers","macie2:ListOrganizationAdminAccounts","macie2:ListTagsForResource","macie2:SearchResources","mq:Describe*","mq:List*","network-firewall:DescribeFirewall","network-firewall:DescribeFirewallPolicy","network-firewall:DescribeLoggingConfiguration","network-firewall:DescribeResourcePolicy","network-firewall:DescribeRuleGroup","network-firewall:ListFirewallPolicies","network-firewall:ListFirewalls","network-firewall:ListRuleGroups","network-firewall:ListTagsForResource","networkmanager:DescribeGlobalNetworks","networkmanager:GetConnections","networkmanager:GetCustomerGatewayAssociations","networkmanager:GetDevices","networkmanager:GetLinkAssociations","networkmanager:GetLinks","networkmanager:GetSites","networkmanager:GetTransitGatewayConnectPeerAssociations","networkmanager:GetTransitGatewayRegistrations","organizations:Describe*","organizations:List*","rds:Describe*","rds:Download*","rds:List*","redshift:Describe*","redshift:GetReservedNodeExchangeOfferings","redshift:View*","resource-groups:Get*","resource-groups:List*","resource-groups:Search*","route53-recovery-cluster:Get*","route53-recovery-control-config:Describe*","route53-recovery-control-config:List*","route53-recovery-readiness:Get*","route53-recovery-readiness:List*","route53:Get*","route53:List*","route53:Test*","route53domains:Check*","route53domains:Get*","route53domains:List*","route53domains:View*","route53resolver:Get*","route53resolver:List*","s3-object-lambda:GetObject","s3-object-lambda:GetObjectAcl","s3-object-lambda:GetObjectLegalHold","s3-object-lambda:GetObjectRetention","s3-object-lambda:GetObjectTagging","s3-object-lambda:GetObjectVersion","s3-object-lambda:GetObjectVersionAcl","s3-object-lambda:GetObjectVersionTagging","s3-object-lambda:ListBucket","s3-object-lambda:ListBucketMultipartUploads","s3-object-lambda:ListBucketVersions","s3-object-lambda:ListMultipartUploadParts","s3:DescribeJob","s3:Get*","s3:List*","schemas:Describe*","schemas:Get*","schemas:List*","schemas:Search*","secretsmanager:Describe*","secretsmanager:GetResourcePolicy","secretsmanager:List*","securityhub:Describe*","securityhub:Get*","securityhub:List*","servicediscovery:Get*","servicediscovery:List*","servicequotas:GetAssociationForServiceQuotaTemplate","servicequotas:GetAWSDefaultServiceQuota","servicequotas:GetRequestedServiceQuotaChange","servicequotas:GetServiceQuota","servicequotas:GetServiceQuotaIncreaseRequestFromTemplate","servicequotas:ListAWSDefaultServiceQuotas","servicequotas:ListRequestedServiceQuotaChangeHistory","servicequotas:ListRequestedServiceQuotaChangeHistoryByQuota","servicequotas:ListServiceQuotaIncreaseRequestsInTemplate","servicequotas:ListServiceQuotas","servicequotas:ListServices","ses:Describe*","ses:Get*","ses:List*","shield:Describe*","shield:Get*","shield:List*","sns:Check*","sns:Get*","sns:List*","sqs:Get*","sqs:List*","sqs:Receive*","ssm:Describe*","ssm:Get*","ssm:List*","states:Describe*","states:GetExecutionHistory","states:List*","storagegateway:Describe*","storagegateway:List*","sts:GetAccessKeyInfo","sts:GetCallerIdentity","sts:GetSessionToken","tag:Get*","trustedadvisor:Describe*","waf-regional:Get*","waf-regional:List*","waf:Get*","waf:List*","wafv2:CheckCapacity","wafv2:Describe*","wafv2:Get*","wafv2:List*","workspaces:Describe*"],"Resource":"*"}]}}}},"Outputs":{"RoleArn":{"Description":"ARNoftheIAMRole","Value":{"Fn::GetAtt":["IamRole","Arn"]}},"RoleId":{"Description":"IdoftheIAMRole","Value":{"Fn::GetAtt":["IamRole","RoleId"]}}}}