@0xdabbad00
Created August 15, 2018 22:30
CloudFormation template used for security assessments
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Provides Summit Route with the ability to perform a security assessment on this account. An IAM role is created to provide view-only access of the metadata in the account. Read and write access to the Athena and Glue services is also granted for CloudTrail log analysis, and if the S3 bucket for the CloudTrail logs is provided, then read access is granted to that bucket.'
Parameters:
  S3Bucket:
    Description: 'S3 bucket for CloudTrail logs (optional). Example: For the bucket "s3://mycloudtrail", you would put "mycloudtrail" (without quotes) here.'
    Type: 'String'
Conditions:
  # True only when a bucket name was supplied. Otherwise the S3 statement
  # below resolves to the placeholder name "NONE" and grants nothing useful.
  HasS3Bucket: !Not [!Equals ['', !Ref 'S3Bucket']]
Resources:
  CFNSummitRouteRole:
    Type: AWS::IAM::Role
    Properties:
      # Trust policy: any principal in the assessor's account that is itself
      # allowed to call sts:AssumeRole may assume this role, but only when
      # aws:MultiFactorAuthPresent is true in the request context. The key is
      # absent for long-term access keys, so "Bool" (not "BoolIfExists") denies them.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: arn:aws:iam::393727464233:root
            Action: 'sts:AssumeRole'
            Condition:
              Bool:
                'aws:MultiFactorAuthPresent': true
      # Read-only baselines, plus Athena full access (read and write) so the
      # assessor can query CloudTrail logs.
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/SecurityAudit'
        - 'arn:aws:iam::aws:policy/job-function/ViewOnlyAccess'
        - 'arn:aws:iam::aws:policy/AmazonAthenaFullAccess'
      RoleName: SummitRouteAudit
      Policies:
        # Describe/Get/List calls that the managed policies above do not cover.
        - PolicyName: SummitRouteAdditionalViewPrivileges
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - 'acm:DescribeCertificate'
                  - 'apigateway:GET'
                  - 'ec2:DescribeLaunchTemplates'
                  - 'eks:DescribeCluster'
                  - 'eks:ListClusters'
                  - 'elasticfilesystem:DescribeMountTargetSecurityGroups'
                  - 'elasticfilesystem:DescribeMountTargets'
                  - 'elasticmapreduce:DescribeCluster'
                  - 'elasticmapreduce:DescribeSecurityConfiguration'
                  - 'events:DescribeRule'
                  - 'fms:ListComplianceStatus'
                  - 'fms:ListPolicies'
                  - 'guardduty:ListDetectors'
                  - 'guardduty:ListFindings'
                  - 'guardduty:ListIPSets'
                  - 'guardduty:ListInvitations'
                  - 'guardduty:ListMembers'
                  - 'guardduty:ListThreatIntelSets'
                  - 'iam:GetSSHPublicKey'
                  - 'inspector:DescribeAssessmentRuns'
                  - 'inspector:DescribeAssessmentTargets'
                  - 'inspector:DescribeAssessmentTemplates'
                  - 'inspector:DescribeCrossAccountAccessRole'
                  - 'inspector:DescribeFindings'
                  - 'inspector:DescribeResourceGroups'
                  - 'inspector:DescribeRulesPackages'
                  - 'iot:DescribeAuthorizer'
                  - 'iot:DescribeCACertificate'
                  - 'iot:DescribeCertificate'
                  - 'iot:DescribeDefaultAuthorizer'
                  - 'iot:GetPolicy'
                  - 'iot:GetPolicyVersion'
                  - 'lambda:GetFunctionConfiguration'
                  - 'lightsail:GetInstances'
                  - 'lightsail:GetLoadBalancers'
                  - 'opsworks:DescribeStacks'
                  - 'organizations:DescribeAccount'
                  - 'organizations:DescribeCreateAccountStatus'
                  - 'organizations:DescribeHandshake'
                  - 'organizations:DescribeOrganization'
                  - 'organizations:DescribeOrganizationalUnit'
                  - 'organizations:DescribePolicy'
                  - 'organizations:ListAWSServiceAccessForOrganization'
                  - 'shield:DescribeAttack'
                  - 'shield:DescribeProtection'
                  - 'shield:DescribeSubscription'
                  - 'sso:DescribePermissionsPolicies'
                  - 'sso:ListApplicationInstanceCertificates'
                  - 'sso:ListApplicationInstances'
                  - 'sso:ListApplicationTemplates'
                  - 'sso:ListApplications'
                  - 'sso:ListDirectoryAssociations'
                  - 'sso:ListPermissionSets'
                  - 'sso:ListProfileAssociations'
                  - 'sso:ListProfiles'
                Resource: '*'
        # Read access to the CloudTrail bucket and its objects, if one was supplied.
        - PolicyName: SummitRouteLogAccess
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - 's3:GetObject'
                  - 's3:ListBucket'
                Resource:
                  - !Join
                    - ''
                    - ['arn:aws:s3:::', !If ['HasS3Bucket', !Ref 'S3Bucket', 'NONE'], '/*']
                  - !Join
                    - ''
                    - ['arn:aws:s3:::', !If ['HasS3Bucket', !Ref 'S3Bucket', 'NONE']]
```
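Before deploying a third party's assessment role into an account, it is worth checking offline that the trust policy behaves as the template's comments promise and that the inline policy really is read-only. The script below is an added example, not part of the gist: it reconstructs the role's trust policy as CloudFormation would render it, models IAM's `Bool` condition semantics (a missing `aws:MultiFactorAuthPresent` key fails the condition, which is what denies long-term access keys), flags any inline action whose verb is not Describe/Get/List, and mirrors the `!If`/`!Join` that build the CloudTrail bucket ARNs. The caller ARNs, the placeholder account `111111111111` and the write action used in the demo are constructed inputs.

```python
"""Offline checks for the SummitRouteAudit role (added example, not the gist's code)."""
import re

# Trust policy as CloudFormation renders it from the template above
# (reconstructed by hand, not read from a deployed stack).
ASSESSOR_ACCOUNT = "393727464233"
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ASSESSOR_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": True}},
    }],
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def account_of(principal_arn):
    """Account ID of an IAM user/role ARN or an STS assumed-role ARN, else None."""
    m = re.match(r"arn:aws:(?:iam|sts)::(\d{12}):", principal_arn)
    return m.group(1) if m else None


def _principal_matches(principal, caller_arn):
    # "<account>:root" trusts every IAM principal in that account which is itself
    # permitted to call sts:AssumeRole; a literal ARN matches only that principal.
    for allowed in _as_list(principal.get("AWS", [])):
        if allowed == "*" or allowed == caller_arn:
            return True
        if allowed.endswith(":root") and account_of(allowed) == account_of(caller_arn):
            return True
    return False


def _bool_condition(expected, key, context, if_exists):
    # IAM "Bool": a key missing from the request context makes the condition
    # false. Long-term access keys never carry aws:MultiFactorAuthPresent, so
    # they are denied. "BoolIfExists" would treat the missing key as a match.
    if key not in context:
        return if_exists
    return str(context[key]).lower() == str(expected).lower()


def can_assume(policy, caller_arn, context):
    """Does the trust policy allow caller_arn to call sts:AssumeRole in this context?"""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue  # the template has no Deny statements to evaluate
        if "sts:AssumeRole" not in _as_list(stmt["Action"]):
            continue
        if not _principal_matches(stmt["Principal"], caller_arn):
            continue
        satisfied = True
        for operator, pairs in stmt.get("Condition", {}).items():
            if operator not in ("Bool", "BoolIfExists"):
                raise ValueError(f"unsupported condition operator {operator}")
            for key, expected in pairs.items():
                if not _bool_condition(expected, key, context, operator == "BoolIfExists"):
                    satisfied = False
        if satisfied:
            return True
    return False


# Verbs that only read metadata; apigateway:GET is matched case-insensitively.
READ_ONLY_VERBS = re.compile(r"^[a-z0-9-]+:(Describe|Get|List)", re.I)


def non_read_only_actions(actions):
    """Actions from an inline policy whose verb is not Describe/Get/List."""
    return [a for a in actions if not READ_ONLY_VERBS.match(a)]


def cloudtrail_resources(bucket_param):
    """Mirror the template's !If/!Join: an empty parameter yields the placeholder NONE."""
    name = bucket_param if bucket_param else "NONE"
    return [f"arn:aws:s3:::{name}/*", f"arn:aws:s3:::{name}"]


if __name__ == "__main__":
    user = f"arn:aws:iam::{ASSESSOR_ACCOUNT}:user/assessor"  # constructed caller
    print("MFA session:   ", can_assume(TRUST_POLICY, user, {"aws:MultiFactorAuthPresent": "true"}))
    print("long-term keys:", can_assume(TRUST_POLICY, user, {}))
    print("other account: ", can_assume(TRUST_POLICY, "arn:aws:iam::111111111111:user/x",
                                        {"aws:MultiFactorAuthPresent": "true"}))
    print("write actions: ", non_read_only_actions(["ec2:DescribeLaunchTemplates",
                                                    "apigateway:GET", "athena:StartQueryExecution"]))
    print("no bucket:     ", cloudtrail_resources(""))
```

Two things the run makes visible. First, the `Bool` condition denies a caller from the assessor's account who presents long-term access keys, because the MFA key is simply absent from the context; the same holds for a session whose temporary credentials were obtained without MFA. Second, every action in `SummitRouteAdditionalViewPrivileges` passes the read-only filter; the write access the description mentions comes only from the `AmazonAthenaFullAccess` managed policy, which the filter does not inspect.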