1-sat2-member-roles.yaml
AWSTemplateFormatVersion: 2010-09-09
Description: This template deploys the roles needed for Prowler to run in each account.
Parameters:
  ProwlerAccountID:
    Description: 'Specifies the account ID where Prowler will run from.'
    Type: String
    Default: '012345678910'
    AllowedPattern: \d{12}
    ConstraintDescription: Enter the 12 digit account ID with no spaces.
Resources:
  ProwlerIntegrationCodeBuildRole:
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W11
            reason: Role allows * in resource policy. The role needs broad, read-only privileges to review all resources. Only the CodeBuild role created as part of this solution can assume this role.
          - id: W28
            reason: Resource has an explicit name so Prowler can loop through and assume it in each account.
          - id: W76
            reason: SPCM for IAM policy is higher than 25 due to managed policies and additional policies. Each section of the role has a comment with the Prowler documentation describing the need for the privileges.
    Type: 'AWS::IAM::Role'
    Properties:
      Path: '/service-role/'
      RoleName: ProwlerMemberRole
      # Trust policy: only the Prowler account may assume this role, and the
      # Condition narrows that further to the ProwlerCodeBuildRole principal.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub 'arn:${AWS::Partition}:iam::${ProwlerAccountID}:root'
            Action:
              - 'sts:AssumeRole'
            Condition:
              ArnEquals:
                aws:PrincipalArn: !Sub arn:${AWS::Partition}:iam::${ProwlerAccountID}:role/service-role/ProwlerCodeBuildRole
      ManagedPolicyArns:
        # Prowler requires these managed policies to perform all the checks
        # https://docs.prowler.cloud/en/latest/getting-started/requirements/
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/SecurityAudit'
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/job-function/ViewOnlyAccess'
      Policies:
        # Prowler requires these additional read-only permissions. They are documented in the Prowler documentation.
        # https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-additions-policy.json
        - PolicyName: ProwlerAdditions
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Action:
                  - account:Get*
                  - appstream:Describe*
                  - appstream:List*
                  - backup:List*
                  - cloudtrail:GetInsightSelectors
                  - codeartifact:List*
                  - codebuild:BatchGet*
                  - cognito-idp:GetUserPoolMfaConfig
                  - dlm:Get*
                  - drs:Describe*
                  - ds:Get*
                  - ds:Describe*
                  - ds:List*
                  - dynamodb:GetResourcePolicy
                  - ec2:GetEbsEncryptionByDefault
                  - ec2:GetSnapshotBlockPublicAccessState
                  - ec2:GetInstanceMetadataDefaults
                  - ecr:Describe*
                  - ecr:GetRegistryScanningConfiguration
                  - elasticfilesystem:DescribeBackupPolicy
                  - glue:GetConnections
                  - glue:GetSecurityConfiguration*
                  - glue:SearchTables
                  - lambda:GetFunction*
                  - lightsail:GetRelationalDatabases
                  - logs:FilterLogEvents
                  - macie2:GetMacieSession
                  - s3:GetAccountPublicAccessBlock
                  - shield:DescribeProtection
                  - shield:GetSubscriptionState
                  - securityhub:BatchImportFindings
                  - securityhub:GetFindings
                  - ssm:GetDocument
                  - ssm-incidents:List*
                  - support:Describe*
                  - tag:GetTagKeys
                  - wellarchitected:List*
                Effect: Allow
                Resource: '*'
              - Action:
                  - apigateway:GET
                Effect: Allow
                Resource:
                  - !Sub arn:${AWS::Partition}:apigateway:*::/restapis/*
                  - !Sub arn:${AWS::Partition}:apigateway:*::/apis/*