
Commit e3afb31

Adding permissions to AWS trust relationship role to CFTs (#116)
* Adding permissions to AWS trust relationship role Change summary: ---------------- For each of the templates deploying the CSPM / trust-relationship role, add a policy with specific permissions to retrieve data for the new resource types being collected in CSPM. - The change covers both single-account and org install templates. - Validated the CFT templates using make lint and validate. * Remove new permissions change from native templates * Fix linting
1 parent 1c9a039 commit e3afb31


6 files changed

+164
-3
lines changed


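--- a/templates_cspm/CloudAgentlessRole.yaml
+++ b/templates_cspm/CloudAgentlessRole.yaml
@@ -47,6 +47,24 @@ Resources:
 sts:ExternalId: !Ref ExternalID
 ManagedPolicyArns:
 - arn:aws:iam::aws:policy/SecurityAudit
+Policies:
+- PolicyName: !Ref RoleName
+PolicyDocument:
+Version: "2012-10-17"
+Statement:
+- Effect: "Allow"
+Action: "elasticfilesystem:DescribeAccessPoints"
+Resource: "*"
+- Effect: "Allow"
+Action:
+- "waf-regional:ListRules"
+- "waf-regional:ListRuleGroups"
+Resource:
+- "arn:aws:waf-regional:*:*:rule/*"
+- "arn:aws:waf-regional:*:*:rulegroup/*"
+- Effect: "Allow"
+Action: "account:GetContactInformation"
+Resource: "*"
 
 Outputs:
 RoleARN: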
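Review bot: The `waf-regional` statement narrows `Resource:` to `rule/*` and `rulegroup/*` ARNs, but as far as I recall the WAF Classic `List*` actions do not support resource-level permissions, and IAM does not match an action that lacks resource-level support against any Resource other than `*` — so `ListRules`/`ListRuleGroups` would stay implicitly denied even with this policy attached. Worth checking against the Service Authorization Reference and, if confirmed, changing that statement to `Resource: "*"`. The commit's `make lint` / `validate` only checks template syntax, not whether IAM will honour the statement, so the real confirmation is assuming the role and issuing a `list-rules` call (or the IAM policy simulator). The role definition these lines belong to starts above the hunk.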

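--- a/templates_cspm/OrgCloudAgentlessRole.yaml
+++ b/templates_cspm/OrgCloudAgentlessRole.yaml
@@ -49,6 +49,24 @@ Resources:
 sts:ExternalId: !Sub ${ExternalID}
 ManagedPolicyArns:
 - arn:aws:iam::aws:policy/SecurityAudit
+Policies:
+- PolicyName: !Sub ${RoleName}
+PolicyDocument:
+Version: "2012-10-17"
+Statement:
+- Effect: "Allow"
+Action: "elasticfilesystem:DescribeAccessPoints"
+Resource: "*"
+- Effect: "Allow"
+Action:
+- "waf-regional:ListRules"
+- "waf-regional:ListRuleGroups"
+Resource:
+- "arn:aws:waf-regional:*:*:rule/*"
+- "arn:aws:waf-regional:*:*:rulegroup/*"
+- Effect: "Allow"
+Action: "account:GetContactInformation"
+Resource: "*"
 RoleStackSet:
 Type: AWS::CloudFormation::StackSet
 Properties:
@@ -101,5 +119,22 @@ Resources:
 StringEquals:
 sts:ExternalId: !Sub ${ExternalID}
 ManagedPolicyArns:
-- arn:aws:iam::aws:policy/SecurityAudit
-
+- arn:aws:iam::aws:policy/SecurityAudit
+Policies:
+- PolicyName: !Sub ${RoleName}
+PolicyDocument:
+Version: "2012-10-17"
+Statement:
+- Effect: "Allow"
+Action: "elasticfilesystem:DescribeAccessPoints"
+Resource: "*"
+- Effect: "Allow"
+Action:
+- "waf-regional:ListRules"
+- "waf-regional:ListRuleGroups"
+Resource:
+- "arn:aws:waf-regional:*:*:rule/*"
+- "arn:aws:waf-regional:*:*:rulegroup/*"
+- Effect: "Allow"
+Action: "account:GetContactInformation"
+Resource: "*"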
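Review bot: The same three-statement policy is now pasted twice in this file — once on the management-account role and once in what appears to be the StackSet's template body for member accounts — and a permission added later to one copy but not the other will silently leave member accounts under-privileged, so a marker at the second copy such as `# Keep in sync with the inline policy on the management-account role above` would help until both are generated from one source. `PolicyName: !Sub ${RoleName}` interpolates a single parameter with no surrounding text, which is exactly what `!Ref RoleName` (as used in the single-account template) expresses; a plain `!Ref` keeps the templates consistent. The `-`/`+` pair around `SecurityAudit` in the second hunk differs only in whitespace this rendering does not show; presumably it is the re-indentation needed for `Policies` to sit at the same level, but a stray indent inside an embedded TemplateBody is only caught at StackSet deploy time, so worth a look.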

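--- a/templates_cspm_cloudlogs/FullInstall.yaml
+++ b/templates_cspm_cloudlogs/FullInstall.yaml
@@ -60,6 +60,24 @@ Resources:
 sts:ExternalId: !Ref ExternalID
 ManagedPolicyArns:
 - arn:aws:iam::aws:policy/SecurityAudit
+Policies:
+- PolicyName: !Ref CSPMRoleName
+PolicyDocument:
+Version: "2012-10-17"
+Statement:
+- Effect: "Allow"
+Action: "elasticfilesystem:DescribeAccessPoints"
+Resource: "*"
+- Effect: "Allow"
+Action:
+- "waf-regional:ListRules"
+- "waf-regional:ListRuleGroups"
+Resource:
+- "arn:aws:waf-regional:*:*:rule/*"
+- "arn:aws:waf-regional:*:*:rulegroup/*"
+- Effect: "Allow"
+Action: "account:GetContactInformation"
+Resource: "*"
 CloudLogsRole:
 Type: "AWS::IAM::Role"
 Properties: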
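Review bot: Nothing in the added policy says why each permission exists — the commit message only mentions "new resource types being collected" — and for a customer-deployed trust-relationship role every extra grant gets questioned, so a short comment above `Policies:` is warranted, e.g. `# Read-only grants beyond SecurityAudit for CSPM inventory: EFS access points, WAF Classic regional rules/rule groups, account contact info`. The mixed scalar/list form for `Action:` (a bare string for the EFS and account statements, a list for WAF) is valid but inconsistent; using a list everywhere makes the next addition a one-line diff. The role definition these lines are attached to starts above the hunk.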

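--- a/templates_cspm_cloudlogs/OrgFullInstall.yaml
+++ b/templates_cspm_cloudlogs/OrgFullInstall.yaml
@@ -65,6 +65,24 @@ Resources:
 sts:ExternalId: !Sub ${ExternalID}
 ManagedPolicyArns:
 - arn:aws:iam::aws:policy/SecurityAudit
+Policies:
+- PolicyName: !Sub ${CSPMRoleName}
+PolicyDocument:
+Version: "2012-10-17"
+Statement:
+- Effect: "Allow"
+Action: "elasticfilesystem:DescribeAccessPoints"
+Resource: "*"
+- Effect: "Allow"
+Action:
+- "waf-regional:ListRules"
+- "waf-regional:ListRuleGroups"
+Resource:
+- "arn:aws:waf-regional:*:*:rule/*"
+- "arn:aws:waf-regional:*:*:rulegroup/*"
+- Effect: "Allow"
+Action: "account:GetContactInformation"
+Resource: "*"
 CloudLogsRole:
 Type: "AWS::IAM::Role"
 Properties:
@@ -156,3 +174,21 @@ Resources:
 sts:ExternalId: !Sub ${ExternalID}
 ManagedPolicyArns:
 - arn:aws:iam::aws:policy/SecurityAudit
+Policies:
+- PolicyName: !Sub ${CSPMRoleName}
+PolicyDocument:
+Version: "2012-10-17"
+Statement:
+- Effect: "Allow"
+Action: "elasticfilesystem:DescribeAccessPoints"
+Resource: "*"
+- Effect: "Allow"
+Action:
+- "waf-regional:ListRules"
+- "waf-regional:ListRuleGroups"
+Resource:
+- "arn:aws:waf-regional:*:*:rule/*"
+- "arn:aws:waf-regional:*:*:rulegroup/*"
+- Effect: "Allow"
+Action: "account:GetContactInformation"
+Resource: "*"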
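Review bot: The second hunk appends the policy at the very end of the file with no trailing context, inside what looks like the StackSet template body for member accounts, and it is a byte-for-byte copy of the block added to the management-account role in the first hunk; the two copies will drift the first time someone updates only one, so a comment at the second copy — `# Duplicated from the management-account role above; update both` — or generating the member-account template from the same fragment would reduce that risk. Also `PolicyName: !Sub ${CSPMRoleName}` is just `!Ref CSPMRoleName` spelled longer, and the non-org template already uses `!Ref`. This hunk cannot show whether the file still ends with a newline after the appended `Resource: "*"`; worth a glance since some linters flag it.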

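--- a/templates_cspm_eventbridge/FullInstall.yaml
+++ b/templates_cspm_eventbridge/FullInstall.yaml
@@ -72,6 +72,24 @@ Resources:
 sts:ExternalId: !Ref ExternalID
 ManagedPolicyArns:
 - arn:aws:iam::aws:policy/SecurityAudit
+Policies:
+- PolicyName: !Ref RoleName
+PolicyDocument:
+Version: "2012-10-17"
+Statement:
+- Effect: "Allow"
+Action: "elasticfilesystem:DescribeAccessPoints"
+Resource: "*"
+- Effect: "Allow"
+Action:
+- "waf-regional:ListRules"
+- "waf-regional:ListRuleGroups"
+Resource:
+- "arn:aws:waf-regional:*:*:rule/*"
+- "arn:aws:waf-regional:*:*:rulegroup/*"
+- Effect: "Allow"
+Action: "account:GetContactInformation"
+Resource: "*"
 EventBridgeRole:
 Type: AWS::IAM::Role
 Properties: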
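Review bot: The scoping is inconsistent within the added policy: the EFS and account statements are granted on `Resource: "*"` while the WAF statement is restricted to ARNs, with no comment explaining why. To my recollection `elasticfilesystem:DescribeAccessPoints` does accept access-point and file-system ARNs, so `Resource: "*"` there is looser than needed, whereas the WAF Classic `List*` actions are the ones that typically require `*` — the opposite of what the hunk does; both are worth confirming against the Service Authorization Reference before this ships, since a mis-scoped read-only statement fails silently (implicit deny) rather than at deploy time. A one-line comment per statement recording the resource types the action supports would document the decision either way. The role definition this policy belongs to starts above the hunk.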

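--- a/templates_cspm_eventbridge/OrgFullInstall.yaml
+++ b/templates_cspm_eventbridge/OrgFullInstall.yaml
@@ -116,6 +116,24 @@ Resources:
 sts:ExternalId: !Sub ${ExternalID}
 ManagedPolicyArns:
 - arn:aws:iam::aws:policy/SecurityAudit
+Policies:
+- PolicyName: !Sub ${CSPMRoleName}
+PolicyDocument:
+Version: "2012-10-17"
+Statement:
+- Effect: "Allow"
+Action: "elasticfilesystem:DescribeAccessPoints"
+Resource: "*"
+- Effect: "Allow"
+Action:
+- "waf-regional:ListRules"
+- "waf-regional:ListRuleGroups"
+Resource:
+- "arn:aws:waf-regional:*:*:rule/*"
+- "arn:aws:waf-regional:*:*:rulegroup/*"
+- Effect: "Allow"
+Action: "account:GetContactInformation"
+Resource: "*"
 EventBridgeRole:
 Type: AWS::IAM::Role
 Properties:
@@ -210,7 +228,25 @@ Resources:
 StringEquals:
 sts:ExternalId: !Sub ${ExternalID}
 ManagedPolicyArns:
-- arn:aws:iam::aws:policy/SecurityAudit
+- arn:aws:iam::aws:policy/SecurityAudit
+Policies:
+- PolicyName: !Sub ${CSPMRoleName}
+PolicyDocument:
+Version: "2012-10-17"
+Statement:
+- Effect: "Allow"
+Action: "elasticfilesystem:DescribeAccessPoints"
+Resource: "*"
+- Effect: "Allow"
+Action:
+- "waf-regional:ListRules"
+- "waf-regional:ListRuleGroups"
+Resource:
+- "arn:aws:waf-regional:*:*:rule/*"
+- "arn:aws:waf-regional:*:*:rulegroup/*"
+- Effect: "Allow"
+Action: "account:GetContactInformation"
+Resource: "*"
 EventBridgeRole:
 Type: AWS::IAM::Role
 Properties: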
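Review bot: On the management-account role (first hunk), `account:GetContactInformation` with `Resource: "*"` is broader than the per-account reads this commit describes: when Account Management trusted access is enabled for the organization, that action on the management account can be invoked with a member `AccountId` and returns every member account's contact details, even though the second hunk already grants each member role the same permission for its own account. If the collector only needs the management account's own record, scoping the first copy to `arn:aws:account::${AWS::AccountId}:account` (via `!Sub`) keeps the trust-relationship role from becoming an org-wide contact-info reader; if it really does need org-wide reads, say so in a comment above the statement. The `-`/`+` pair around `SecurityAudit` in the second hunk is a whitespace-only change not visible in this rendering; assumed to be re-indentation. Both roles these hunks modify are defined above the visible lines.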
