Gist 0xdabbad00/f278d7f90205937a8f94ffeaddd44d23, created August 15, 2018 22:30
CloudFormation template used for security assessments
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Provides Summit Route with the ability to perform a security assessment on this account. An IAM role is created to provide view-only access of the metadata in the account. Read and write access to the Athena and Glue services is also granted for CloudTrail log analysis, and if the S3 bucket for the CloudTrail logs is provided, then read access is granted to that bucket.'
Parameters:
  S3Bucket:
    Description: 'S3 bucket for CloudTrail logs (optional). Example: For the bucket "s3://mycloudtrail", you would put "mycloudtrail" (without quotes) here.'
    Type: 'String'
Conditions:
  HasS3Bucket: !Not [ !Equals ['', !Ref 'S3Bucket']]
Resources:
  CFNSummitRouteRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: arn:aws:iam::393727464233:root
            Action: 'sts:AssumeRole'
            Condition:
              Bool:
                'aws:MultiFactorAuthPresent': true
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/SecurityAudit'
        - 'arn:aws:iam::aws:policy/job-function/ViewOnlyAccess'
        - 'arn:aws:iam::aws:policy/AmazonAthenaFullAccess'
      RoleName: SummitRouteAudit
      Policies:
        - PolicyName: SummitRouteAdditionalViewPrivileges
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - 'acm:DescribeCertificate'
                  - 'apigateway:GET'
                  - 'ec2:DescribeLaunchTemplates'
                  - 'eks:DescribeCluster'
                  - 'eks:ListClusters'
                  - 'elasticfilesystem:DescribeMountTargetSecurityGroups'
                  - 'elasticfilesystem:DescribeMountTargets'
                  - 'elasticmapreduce:DescribeCluster'
                  - 'elasticmapreduce:DescribeSecurityConfiguration'
                  - 'events:DescribeRule'
                  - 'fms:ListComplianceStatus'
                  - 'fms:ListPolicies'
                  - 'guardduty:ListDetectors'
                  - 'guardduty:ListFindings'
                  - 'guardduty:ListIPSets'
                  - 'guardduty:ListInvitations'
                  - 'guardduty:ListMembers'
                  - 'guardduty:ListThreatIntelSets'
                  - 'iam:GetSSHPublicKey'
                  - 'inspector:DescribeAssessmentRuns'
                  - 'inspector:DescribeAssessmentTargets'
                  - 'inspector:DescribeAssessmentTemplates'
                  - 'inspector:DescribeCrossAccountAccessRole'
                  - 'inspector:DescribeFindings'
                  - 'inspector:DescribeResourceGroups'
                  - 'inspector:DescribeRulesPackages'
                  - 'iot:DescribeAuthorizer'
                  - 'iot:DescribeCACertificate'
                  - 'iot:DescribeCertificate'
                  - 'iot:DescribeDefaultAuthorizer'
                  - 'iot:GetPolicy'
                  - 'iot:GetPolicyVersion'
                  - 'lambda:GetFunctionConfiguration'
                  - 'lightsail:GetInstances'
                  - 'lightsail:GetLoadBalancers'
                  - 'opsworks:DescribeStacks'
                  - 'organizations:DescribeAccount'
                  - 'organizations:DescribeCreateAccountStatus'
                  - 'organizations:DescribeHandshake'
                  - 'organizations:DescribeOrganization'
                  - 'organizations:DescribeOrganizationalUnit'
                  - 'organizations:DescribePolicy'
                  - 'organizations:ListAWSServiceAccessForOrganization'
                  - 'shield:DescribeAttack'
                  - 'shield:DescribeProtection'
                  - 'shield:DescribeSubscription'
                  - 'sso:DescribePermissionsPolicies'
                  - 'sso:ListApplicationInstanceCertificates'
                  - 'sso:ListApplicationInstances'
                  - 'sso:ListApplicationTemplates'
                  - 'sso:ListApplications'
                  - 'sso:ListDirectoryAssociations'
                  - 'sso:ListPermissionSets'
                  - 'sso:ListProfileAssociations'
                  - 'sso:ListProfiles'
                Resource: '*'
        - PolicyName: SummitRouteLogAccess
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - 's3:GetObject'
                  - 's3:ListBucket'
                Resource:
                  - !Join
                    - ''
                    - ['arn:aws:s3:::', !If ['HasS3Bucket', !Ref 'S3Bucket', 'NONE'], '/*']
                  - !Join
                    - ''
                    - ['arn:aws:s3:::', !If ['HasS3Bucket', !Ref 'S3Bucket', 'NONE']]
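The HasS3Bucket condition and the two !Join/!If entries in the SummitRouteLogAccess policy decide which S3 ARNs the role can read. The following is an added example, not code from the gist or from Summit Route, that evaluates those intrinsic functions on the JSON form of the template so a reviewer can see the resolved ARNs for a given S3Bucket value before deploying the stack. CONDITIONS and LOG_ACCESS_RESOURCES are hand-transcribed from the template above; evaluate and resolve_log_access_resources are the example's own helpers.

```python
# Added example, not code from the gist: a small evaluator for the intrinsic
# functions this template uses (Ref, Fn::Equals, Fn::Not, Fn::If, Fn::Join),
# applied to the SummitRouteLogAccess Resource list in its JSON/dict form.

# Hand-transcribed from the template above (the JSON equivalent of the YAML tags).
CONDITIONS = {
    "HasS3Bucket": {"Fn::Not": [{"Fn::Equals": ["", {"Ref": "S3Bucket"}]}]},
}
BUCKET_NAME = {"Fn::If": ["HasS3Bucket", {"Ref": "S3Bucket"}, "NONE"]}
LOG_ACCESS_RESOURCES = [
    {"Fn::Join": ["", ["arn:aws:s3:::", BUCKET_NAME, "/*"]]},  # objects in the bucket
    {"Fn::Join": ["", ["arn:aws:s3:::", BUCKET_NAME]]},        # the bucket itself
]

def evaluate(node, params, conditions):
    """Resolve intrinsic functions recursively. Lists are evaluated element by
    element, a single-key mapping is treated as an intrinsic call, and every
    other value passes through. Only parameter Refs are modelled, which is
    all this template needs."""
    if isinstance(node, list):
        return [evaluate(n, params, conditions) for n in node]
    if not isinstance(node, dict) or len(node) != 1:
        return node
    fn, arg = next(iter(node.items()))
    if fn == "Ref":
        return params[arg]
    if fn == "Fn::Equals":
        left, right = evaluate(arg, params, conditions)
        return left == right
    if fn == "Fn::Not":
        return not evaluate(arg[0], params, conditions)
    if fn == "Fn::If":
        cond_name, if_true, if_false = arg
        chosen = evaluate(conditions[cond_name], params, conditions)
        return evaluate(if_true if chosen else if_false, params, conditions)
    if fn == "Fn::Join":
        delimiter, parts = arg
        return delimiter.join(evaluate(parts, params, conditions))
    raise ValueError(f"unsupported intrinsic function: {fn}")

def resolve_log_access_resources(s3_bucket):
    """ARNs that SummitRouteLogAccess grants s3:GetObject/s3:ListBucket on for
    the given S3Bucket parameter value ('' means the parameter was left blank)."""
    return evaluate(LOG_ACCESS_RESOURCES, {"S3Bucket": s3_bucket}, CONDITIONS)
```

With the parameter left blank, both resources resolve to the placeholder bucket name NONE, so the log-access policy grants no access to any real bucket.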