prowler-pro-scan-role.yaml
AWSTemplateFormatVersion: '2010-09-09'
# You can invoke CloudFormation and pass the External ID from a command line like this
# (CAPABILITY_NAMED_IAM is required because the role is created with a fixed RoleName):
# aws cloudformation create-stack \
#   --capabilities CAPABILITY_IAM CAPABILITY_NAMED_IAM \
#   --template-body "file://prowler-pro-scan-role.yaml" \
#   --stack-name "ProwlerProSaaSScanRole" \
#   --parameters "ParameterKey=ExternalId,ParameterValue=ProvidedExternalID"
Description: |
  This template creates the ProwlerProSaaSScanRole role in this account with
  the read-only permissions needed to scan your account for security issues.
  It attaches two AWS managed policies (SecurityAudit and ViewOnlyAccess) and two inline policies.
  The only write action granted is securityhub:BatchImportFindings, which lets Prowler Pro
  publish its findings into Security Hub.
  It sets the trust policy on that IAM Role to permit Prowler Pro to assume that role, limited to
  roles named prowler-pro-saas* in the Prowler Pro account that present the agreed External ID.
Parameters:
  ExternalId:
    Description: |
      DO NOT CHANGE THIS.
      This is the External ID that ProwlerPro SaaS will use to assume the role ProwlerProSaaSScanRole
      from the ProwlerPro SaaS account.
    Type: String
Resources:
  ProwlerProRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: ProwlerProSaaSScanRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              # Trusting the account root delegates to the Prowler Pro account's own IAM;
              # the aws:PrincipalArn condition below narrows that to its scan roles.
              AWS: arn:aws:iam::232136659152:root
            Action: 'sts:AssumeRole'
            Condition:
              StringEquals:
                # The External ID guards against the confused-deputy problem: a caller
                # in the Prowler Pro account must present this value to assume the role.
                'sts:ExternalId': !Ref ExternalId
              StringLike:
                'aws:PrincipalArn': arn:aws:iam::232136659152:role/prowler-pro-saas*
      MaxSessionDuration: 3600
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/SecurityAudit'
        - 'arn:aws:iam::aws:policy/job-function/ViewOnlyAccess'
      Policies:
        - PolicyName: ProwlerProSaaSRoleAdditionalViewPrivileges
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - 'account:Get*'
                  - 'appstream:Describe*'
                  - 'appstream:List*'
                  - 'backup:List*'
                  - 'backup:Get*'
                  - 'bedrock:List*'
                  - 'bedrock:Get*'
                  - 'cloudtrail:GetInsightSelectors'
                  - 'codeartifact:List*'
                  - 'codebuild:BatchGet*'
                  - 'codebuild:ListReportGroups'
                  - 'cognito-idp:GetUserPoolMfaConfig'
                  - 'dlm:Get*'
                  - 'drs:Describe*'
                  - 'ds:Get*'
                  - 'ds:Describe*'
                  - 'ds:List*'
                  - 'dynamodb:GetResourcePolicy'
                  - 'ec2:GetEbsEncryptionByDefault'
                  - 'ec2:GetSnapshotBlockPublicAccessState'
                  - 'ec2:GetInstanceMetadataDefaults'
                  - 'ecr:Describe*'
                  - 'ecr:GetRegistryScanningConfiguration'
                  - 'elasticfilesystem:DescribeBackupPolicy'
                  - 'glue:GetConnections'
                  - 'glue:GetSecurityConfiguration*'
                  - 'glue:SearchTables'
                  - 'glue:GetMLTransforms'
                  # GetFunction returns a presigned URL for the function's deployment package,
                  # so this grants read access to Lambda source code, not just metadata.
                  - 'lambda:GetFunction*'
                  - 'logs:FilterLogEvents'
                  - 'servicecatalog:Describe*'
                  - 'servicecatalog:List*'
                  - 'lightsail:GetRelationalDatabases'
                  - 'macie2:GetMacieSession'
                  - 'macie2:GetAutomatedDiscoveryConfiguration'
                  - 's3:GetAccountPublicAccessBlock'
                  - 'shield:DescribeProtection'
                  - 'shield:GetSubscriptionState'
                  # The one write action in this role: needed to push Prowler findings into Security Hub.
                  - 'securityhub:BatchImportFindings'
                  - 'securityhub:GetFindings'
                  - 'ssm:GetDocument'
                  - 'ssm-incidents:List*'
                  - 'support:Describe*'
                  - 'tag:GetTagKeys'
                  - 'wellarchitected:List*'
                Resource: '*'
        - PolicyName: ProwlerProSaaSRoleApiGatewayViewPrivileges
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - 'apigateway:GET'
                Resource:
                  - 'arn:aws:apigateway:*::/restapis/*'
                  - 'arn:aws:apigateway:*::/apis/*'
      Tags:
        - Key: "Service"
          Value: "https://prowler.pro"
        - Key: "Support"
          Value: "[email protected]"
        - Key: "CloudFormation"
          Value: "true"
        - Key: "Name"
          Value: "ProwlerProSaaSScanRole"
        - Key: "Version"
          Value: "1.0.1"
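The trust policy above depends on two conditions working together: `sts:ExternalId` defends against the confused-deputy problem, and `aws:PrincipalArn` narrows trust from the whole Prowler Pro account to its `prowler-pro-saas*` roles. The script below is an added example, not part of this template or of the Prowler project. It embeds constructed copies of the trust policy (with the placeholder External ID `ProvidedExternalID` substituted for the parameter) and of the first inline policy's action list, lints the trust policy for the protections a reviewer should expect from any third-party scan role, evaluates a few hypothetical AssumeRole calls against it with a deliberately simplified matcher (not the IAM engine: only Allow statements and the two condition operators this template uses are modelled), and lists which granted actions are not read verbs. The apigateway inline policy is not modelled.

```python
import fnmatch

PROWLER_ACCOUNT = "232136659152"

# Constructed copy of the template's trust policy as CloudFormation renders it,
# with the placeholder External ID "ProvidedExternalID" in place of !Ref ExternalId.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{PROWLER_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {
            "StringEquals": {"sts:ExternalId": "ProvidedExternalID"},
            "StringLike": {"aws:PrincipalArn": f"arn:aws:iam::{PROWLER_ACCOUNT}:role/prowler-pro-saas*"},
        },
    }],
}

# Constructed weak variant for comparison: any AWS principal, no conditions at all.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}],
}

# Action list of ProwlerProSaaSRoleAdditionalViewPrivileges, copied from the template.
INLINE_ACTIONS = """
account:Get* appstream:Describe* appstream:List* backup:List* backup:Get* bedrock:List* bedrock:Get*
cloudtrail:GetInsightSelectors codeartifact:List* codebuild:BatchGet* codebuild:ListReportGroups
cognito-idp:GetUserPoolMfaConfig dlm:Get* drs:Describe* ds:Get* ds:Describe* ds:List*
dynamodb:GetResourcePolicy ec2:GetEbsEncryptionByDefault ec2:GetSnapshotBlockPublicAccessState
ec2:GetInstanceMetadataDefaults ecr:Describe* ecr:GetRegistryScanningConfiguration
elasticfilesystem:DescribeBackupPolicy glue:GetConnections glue:GetSecurityConfiguration*
glue:SearchTables glue:GetMLTransforms lambda:GetFunction* logs:FilterLogEvents
servicecatalog:Describe* servicecatalog:List* lightsail:GetRelationalDatabases macie2:GetMacieSession
macie2:GetAutomatedDiscoveryConfiguration s3:GetAccountPublicAccessBlock shield:DescribeProtection
shield:GetSubscriptionState securityhub:BatchImportFindings securityhub:GetFindings ssm:GetDocument
ssm-incidents:List* support:Describe* tag:GetTagKeys wellarchitected:List*
""".split()

# IAM action verbs that only read state; anything else is treated as a write.
READ_ONLY_VERBS = ("Get", "List", "Describe", "BatchGet", "Search", "Filter")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    principal = stmt.get("Principal", {})
    return [principal] if isinstance(principal, str) else _as_list(principal.get("AWS", []))


def _account_of(arn):
    parts = arn.split(":")
    return parts[4] if len(parts) > 4 else None


def _assume_role_statements(policy):
    for stmt in policy.get("Statement", []):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") == "Allow" and any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            yield stmt


def audit_trust_policy(policy):
    """Findings for AssumeRole statements lacking the protections this template relies on."""
    findings = []
    for stmt in _assume_role_statements(policy):
        principals = _principals(stmt)
        cond = stmt.get("Condition", {})
        if "*" in principals:
            findings.append("wildcard principal: any AWS account may call AssumeRole")
        if "sts:ExternalId" not in cond.get("StringEquals", {}):
            findings.append("no sts:ExternalId condition: open to confused-deputy abuse")
        if any(p.endswith(":root") for p in principals) and "aws:PrincipalArn" not in cond.get("StringLike", {}):
            findings.append("account-root principal without aws:PrincipalArn narrowing: "
                            "any principal in that account with sts:AssumeRole rights can assume the role")
    return findings


def would_allow(policy, caller_arn, external_id):
    """Simplified evaluation of one AssumeRole call: Allow statements, StringEquals on
    sts:ExternalId and StringLike on aws:PrincipalArn only. An illustration, not IAM."""
    for stmt in _assume_role_statements(policy):
        principal_ok = any(
            p == "*" or p == caller_arn
            or (p.endswith(":root") and _account_of(p) == _account_of(caller_arn))
            for p in _principals(stmt))
        cond = stmt.get("Condition", {})
        expected_id = cond.get("StringEquals", {}).get("sts:ExternalId")
        pattern = cond.get("StringLike", {}).get("aws:PrincipalArn")
        if not principal_ok:
            continue
        if expected_id is not None and external_id != expected_id:
            continue
        if pattern is not None and not fnmatch.fnmatchcase(caller_arn, pattern):
            continue
        return True
    return False


def non_read_only_actions(actions):
    """Granted actions whose verb is not a read verb (what contradicts a 'read-only' label)."""
    return [a for a in actions if not a.split(":", 1)[1].startswith(READ_ONLY_VERBS)]


if __name__ == "__main__":
    print("template trust policy:", audit_trust_policy(TRUST_POLICY) or "no findings")
    print("weak trust policy:", audit_trust_policy(WEAK_TRUST_POLICY))
    print("write actions in the inline policy:", non_read_only_actions(INLINE_ACTIONS))
```

To run the same checks against a deployed role, replace the constructed `TRUST_POLICY` with the `AssumeRolePolicyDocument` returned by `aws iam get-role --role-name ProwlerProSaaSScanRole` and the action list with the output of `aws iam get-role-policy`; the evaluator stays a simplification and should not be read as a substitute for the IAM policy simulator.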