

Adding permissions to AWS trust relationship role to CFTs (#116)
* Adding permissions to AWS trust relationship role

Change summary:
----------------
For each of the templates that deploys the CSPM trust-relationship role, add
an inline policy with the specific permissions needed to retrieve data for the
new resource types collected by CSPM.

- The change covers both single and org install templates.
- Validated the CFT templates using make lint and validate.

* Remove new permissions change from native templates

* Fix linting
ravinadhruve10 authored Feb 27, 2024
1 parent 1c9a039 commit e3afb31
Showing 6 changed files with 164 additions and 3 deletions.
18 changes: 18 additions & 0 deletions templates_cspm/CloudAgentlessRole.yaml
Expand Up @@ -47,6 +47,24 @@ Resources:
sts:ExternalId: !Ref ExternalID
ManagedPolicyArns:
- arn:aws:iam::aws:policy/SecurityAudit
Policies:
- PolicyName: !Ref RoleName
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Action: "elasticfilesystem:DescribeAccessPoints"
Resource: "*"
- Effect: "Allow"
Action:
- "waf-regional:ListRules"
- "waf-regional:ListRuleGroups"
Resource:
- "arn:aws:waf-regional:*:*:rule/*"
- "arn:aws:waf-regional:*:*:rulegroup/*"
- Effect: "Allow"
Action: "account:GetContactInformation"
Resource: "*"

Outputs:
RoleARN:
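Review bot: The new `Policies:` block added after `ManagedPolicyArns` carries no comment saying why these three read-only permissions are needed on top of `SecurityAudit`, and the identical 18-line statement list is pasted into all six templates (twice in each Org template: once in the management-account role and once in the StackSet-deployed member-account role), so a future permission change has to be made in nine places. I would add above each `Policies:` key: `# Read-only permissions for CSPM resource types not covered by the SecurityAudit managed policy (EFS access points, WAF Classic regional rules/rule groups, account contact info). Keep this list identical across the templates_cspm* templates, including the StackSet TemplateBody copies.` The two `Resource: "*"` statements contrast with the waf-regional statement, which is already scoped to rule and rulegroup ARNs; if the service authorization reference lists resource types for `elasticfilesystem:DescribeAccessPoints`, scoping it the same way would tighten the grant, otherwise a one-line comment recording that `"*"` is required for that action would document the decision. In the Org templates the management-account role also receives `account:GetContactInformation` on `"*"`, which presumably lets it read contact details for every member account; that is likely intended for org-wide collection but is worth stating in the comment. The same note applies to templates_cspm/OrgCloudAgentlessRole.yaml, templates_cspm_cloudlogs/FullInstall.yaml and OrgFullInstall.yaml, and templates_cspm_eventbridge/FullInstall.yaml and OrgFullInstall.yaml; the enclosing `AWS::IAM::Role` resource starts above the hunk in every case.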
39 changes: 37 additions & 2 deletions templates_cspm/OrgCloudAgentlessRole.yaml
Expand Up @@ -49,6 +49,24 @@ Resources:
sts:ExternalId: !Sub ${ExternalID}
ManagedPolicyArns:
- arn:aws:iam::aws:policy/SecurityAudit
Policies:
- PolicyName: !Sub ${RoleName}
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Action: "elasticfilesystem:DescribeAccessPoints"
Resource: "*"
- Effect: "Allow"
Action:
- "waf-regional:ListRules"
- "waf-regional:ListRuleGroups"
Resource:
- "arn:aws:waf-regional:*:*:rule/*"
- "arn:aws:waf-regional:*:*:rulegroup/*"
- Effect: "Allow"
Action: "account:GetContactInformation"
Resource: "*"
RoleStackSet:
Type: AWS::CloudFormation::StackSet
Properties:
Expand Down Expand Up @@ -101,5 +119,22 @@ Resources:
StringEquals:
sts:ExternalId: !Sub ${ExternalID}
ManagedPolicyArns:
- arn:aws:iam::aws:policy/SecurityAudit
- arn:aws:iam::aws:policy/SecurityAudit
Policies:
- PolicyName: !Sub ${RoleName}
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Action: "elasticfilesystem:DescribeAccessPoints"
Resource: "*"
- Effect: "Allow"
Action:
- "waf-regional:ListRules"
- "waf-regional:ListRuleGroups"
Resource:
- "arn:aws:waf-regional:*:*:rule/*"
- "arn:aws:waf-regional:*:*:rulegroup/*"
- Effect: "Allow"
Action: "account:GetContactInformation"
Resource: "*"
18 changes: 18 additions & 0 deletions templates_cspm_cloudlogs/FullInstall.yaml
Expand Up @@ -60,6 +60,24 @@ Resources:
sts:ExternalId: !Ref ExternalID
ManagedPolicyArns:
- arn:aws:iam::aws:policy/SecurityAudit
Policies:
- PolicyName: !Ref CSPMRoleName
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Action: "elasticfilesystem:DescribeAccessPoints"
Resource: "*"
- Effect: "Allow"
Action:
- "waf-regional:ListRules"
- "waf-regional:ListRuleGroups"
Resource:
- "arn:aws:waf-regional:*:*:rule/*"
- "arn:aws:waf-regional:*:*:rulegroup/*"
- Effect: "Allow"
Action: "account:GetContactInformation"
Resource: "*"
CloudLogsRole:
Type: "AWS::IAM::Role"
Properties:
36 changes: 36 additions & 0 deletions templates_cspm_cloudlogs/OrgFullInstall.yaml
Expand Up @@ -65,6 +65,24 @@ Resources:
sts:ExternalId: !Sub ${ExternalID}
ManagedPolicyArns:
- arn:aws:iam::aws:policy/SecurityAudit
Policies:
- PolicyName: !Sub ${CSPMRoleName}
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Action: "elasticfilesystem:DescribeAccessPoints"
Resource: "*"
- Effect: "Allow"
Action:
- "waf-regional:ListRules"
- "waf-regional:ListRuleGroups"
Resource:
- "arn:aws:waf-regional:*:*:rule/*"
- "arn:aws:waf-regional:*:*:rulegroup/*"
- Effect: "Allow"
Action: "account:GetContactInformation"
Resource: "*"
CloudLogsRole:
Type: "AWS::IAM::Role"
Properties:
Expand Down Expand Up @@ -156,3 +174,21 @@ Resources:
sts:ExternalId: !Sub ${ExternalID}
ManagedPolicyArns:
- arn:aws:iam::aws:policy/SecurityAudit
Policies:
- PolicyName: !Sub ${CSPMRoleName}
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Action: "elasticfilesystem:DescribeAccessPoints"
Resource: "*"
- Effect: "Allow"
Action:
- "waf-regional:ListRules"
- "waf-regional:ListRuleGroups"
Resource:
- "arn:aws:waf-regional:*:*:rule/*"
- "arn:aws:waf-regional:*:*:rulegroup/*"
- Effect: "Allow"
Action: "account:GetContactInformation"
Resource: "*"
18 changes: 18 additions & 0 deletions templates_cspm_eventbridge/FullInstall.yaml
Expand Up @@ -72,6 +72,24 @@ Resources:
sts:ExternalId: !Ref ExternalID
ManagedPolicyArns:
- arn:aws:iam::aws:policy/SecurityAudit
Policies:
- PolicyName: !Ref RoleName
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Action: "elasticfilesystem:DescribeAccessPoints"
Resource: "*"
- Effect: "Allow"
Action:
- "waf-regional:ListRules"
- "waf-regional:ListRuleGroups"
Resource:
- "arn:aws:waf-regional:*:*:rule/*"
- "arn:aws:waf-regional:*:*:rulegroup/*"
- Effect: "Allow"
Action: "account:GetContactInformation"
Resource: "*"
EventBridgeRole:
Type: AWS::IAM::Role
Properties:
38 changes: 37 additions & 1 deletion templates_cspm_eventbridge/OrgFullInstall.yaml
Expand Up @@ -116,6 +116,24 @@ Resources:
sts:ExternalId: !Sub ${ExternalID}
ManagedPolicyArns:
- arn:aws:iam::aws:policy/SecurityAudit
Policies:
- PolicyName: !Sub ${CSPMRoleName}
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Action: "elasticfilesystem:DescribeAccessPoints"
Resource: "*"
- Effect: "Allow"
Action:
- "waf-regional:ListRules"
- "waf-regional:ListRuleGroups"
Resource:
- "arn:aws:waf-regional:*:*:rule/*"
- "arn:aws:waf-regional:*:*:rulegroup/*"
- Effect: "Allow"
Action: "account:GetContactInformation"
Resource: "*"
EventBridgeRole:
Type: AWS::IAM::Role
Properties:
Expand Down Expand Up @@ -210,7 +228,25 @@ Resources:
StringEquals:
sts:ExternalId: !Sub ${ExternalID}
ManagedPolicyArns:
- arn:aws:iam::aws:policy/SecurityAudit
- arn:aws:iam::aws:policy/SecurityAudit
Policies:
- PolicyName: !Sub ${CSPMRoleName}
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Action: "elasticfilesystem:DescribeAccessPoints"
Resource: "*"
- Effect: "Allow"
Action:
- "waf-regional:ListRules"
- "waf-regional:ListRuleGroups"
Resource:
- "arn:aws:waf-regional:*:*:rule/*"
- "arn:aws:waf-regional:*:*:rulegroup/*"
- Effect: "Allow"
Action: "account:GetContactInformation"
Resource: "*"
EventBridgeRole:
Type: AWS::IAM::Role
Properties:
