Last active
June 18, 2023 21:07
-
-
Save hisashiyamaguchi/0fb567a8be84dba3863ce4c4a318e609 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "AWSTemplateFormatVersion":"2010-09-09", | |
| "Outputs":{ | |
| "OrcaRoleArn":{ | |
| "Value":{ | |
| "Fn::GetAtt":[ | |
| "OrcaSecurityRole", | |
| "Arn" | |
| ] | |
| } | |
| } | |
| }, | |
| "Parameters":{ | |
| "ExternalId":{ | |
| "Type":"String" | |
| }, | |
| "SecretManagerAccess":{ | |
| "Type":"String", | |
| "Default":"true", | |
| "AllowedValues":[ | |
| "true", | |
| "false" | |
| ] | |
| }, | |
| "DeployRdsScanner":{ | |
| "Type":"String", | |
| "Default":"true", | |
| "AllowedValues":[ | |
| "true", | |
| "false" | |
| ] | |
| } | |
| }, | |
| "Conditions":{ | |
| "SecretManagerAccessAllowed":{ | |
| "Fn::Equals":[ | |
| { | |
| "Ref":"SecretManagerAccess" | |
| }, | |
| "true" | |
| ] | |
| }, | |
| "DeployRdsScanner":{ | |
| "Fn::Equals":[ | |
| { | |
| "Ref":"DeployRdsScanner" | |
| }, | |
| "true" | |
| ] | |
| } | |
| }, | |
| "Resources":{ | |
| "OrcaSecurityPolicy":{ | |
| "Type":"AWS::IAM::ManagedPolicy", | |
| "Properties":{ | |
| "Description":"Orca Security Account Policy", | |
| "PolicyDocument":{ | |
| "Version":"2012-10-17", | |
| "Statement":[ | |
| { | |
| "Effect":"Allow", | |
| "Action":[ | |
| "ec2:CreateTags" | |
| ], | |
| "Resource":"arn:aws:ec2:*::snapshot/*", | |
| "Condition":{ | |
| "ForAnyValue:StringEquals":{ | |
| "aws:TagKeys":[ | |
| "Orca" | |
| ] | |
| }, | |
| "StringEquals":{ | |
| "ec2:CreateAction":[ | |
| "CreateSnapshot", | |
| "CreateSnapshots", | |
| "CopySnapshot" | |
| ] | |
| } | |
| } | |
| }, | |
| { | |
| "Effect":"Allow", | |
| "Action":[ | |
| "ec2:DeleteSnapshot" | |
| ], | |
| "Resource":"*", | |
| "Condition":{ | |
| "StringLike":{ | |
| "ec2:ResourceTag/Orca":"*" | |
| }, | |
| "StringNotLikeIfExists":{ | |
| "ec2:ResourceTag/OrcaOptOut":"*" | |
| } | |
| } | |
| }, | |
| { | |
| "Effect":"Allow", | |
| "Action":[ | |
| "ec2:CreateSnapshots", | |
| "ec2:CreateSnapshot", | |
| "ec2:CopySnapshot", | |
| "ec2:ModifySnapshotAttribute" | |
| ], | |
| "Resource":"*", | |
| "Condition":{ | |
| "StringNotLikeIfExists":{ | |
| "ec2:ResourceTag/OrcaOptOut":"*" | |
| } | |
| } | |
| }, | |
| { | |
| "Effect":"Allow", | |
| "Action":[ | |
| "kms:ReEncryptFrom", | |
| "kms:ReEncryptTo", | |
| "kms:Encrypt", | |
| "kms:Decrypt", | |
| "kms:GenerateDataKeyWithoutPlaintext", | |
| "kms:CreateGrant" | |
| ], | |
| "Resource":"*", | |
| "Condition":{ | |
| "StringNotLikeIfExists":{ | |
| "aws:ResourceTag/OrcaOptOut":"*" | |
| }, | |
| "StringLike":{ | |
| "kms:ViaService":"ec2.*.amazonaws.com" | |
| } | |
| } | |
| }, | |
| { | |
| "Effect":"Allow", | |
| "Action":[ | |
| "kms:PutKeyPolicy" | |
| ], | |
| "Resource":"*", | |
| "Condition":{ | |
| "StringNotLikeIfExists":{ | |
| "aws:ResourceTag/OrcaOptOut":"*" | |
| } | |
| } | |
| } | |
| ] | |
| } | |
| } | |
| }, | |
| "OrcaSecuritySecretsManagerPolicy":{ | |
| "Type":"AWS::IAM::ManagedPolicy", | |
| "Condition":"SecretManagerAccessAllowed", | |
| "Properties":{ | |
| "Description":"Orca Security Secrets Manager Policy", | |
| "PolicyDocument":{ | |
| "Version":"2012-10-17", | |
| "Statement":[ | |
| { | |
| "Effect":"Allow", | |
| "Action":[ | |
| "secretsmanager:GetSecretValue" | |
| ], | |
| "Resource":"arn:aws:secretsmanager:*:*:secret:*", | |
| "Condition":{ | |
| "StringLike":{ | |
| "secretsmanager:ResourceTag/Orca":"SecretAccess" | |
| } | |
| } | |
| }, | |
| { | |
| "Effect":"Allow", | |
| "Action":[ | |
| "kms:Decrypt" | |
| ], | |
| "Resource":"*", | |
| "Condition":{ | |
| "StringLike":{ | |
| "aws:ResourceTag/Orca":"SecretAccess", | |
| "kms:ViaService":[ | |
| "secretsmanager.*.amazonaws.com" | |
| ] | |
| } | |
| } | |
| } | |
| ] | |
| } | |
| } | |
| }, | |
| "OrcaSecurityViewOnlyExtrasPolicy":{ | |
| "Type":"AWS::IAM::ManagedPolicy", | |
| "Properties":{ | |
| "Description":"Orca Security Extras For View Only Policy", | |
| "PolicyDocument":{ | |
| "Version":"2012-10-17", | |
| "Statement":[ | |
| { | |
| "Effect":"Allow", | |
| "Action":[ | |
| "access-analyzer:ListAnalyzers", | |
| "acm:DescribeCertificate", | |
| "acm:GetCertificate", | |
| "apigateway:GET", | |
| "application-autoscaling:Describe*", | |
| "appsync:Get*", | |
| "appsync:List*", | |
| "autoscaling-plans:Describe*", | |
| "backup:Get*", | |
| "backup:List*", | |
| "cassandra:Select", | |
| "cloudfront:Get*", | |
| "cloudhsm:DescribeClusters", | |
| "cloudtrail:Describe*", | |
| "cloudtrail:Get*", | |
| "cloudtrail:List*", | |
| "cloudwatch:Describe*", | |
| "codebuild:BatchGet*", | |
| "codebuild:List*", | |
| "codecommit:GetRepository", | |
| "codepipeline:GetPipeline", | |
| "config:Get*", | |
| "dlm:Get*", | |
| "dms:Describe*", | |
| "dynamodb:Describe*", | |
| "dynamodb:List*", | |
| "ec2:Describe*", | |
| "ec2:GetEbsEncryptionByDefault", | |
| "ec2:List*", | |
| "ec2:SearchTransitGatewayRoutes", | |
| "ecr:BatchGetImage", | |
| "ecr:Describe*", | |
| "ecr:Get*", | |
| "ecr:List*", | |
| "eks:Describe*", | |
| "eks:List*", | |
| "elasticache:Describe*", | |
| "elasticfilesystem:Describe*", | |
| "elasticfilesystem:List*", | |
| "elasticloadbalancing:Describe*", | |
| "elasticmapreduce:DescribeSecurityConfiguration", | |
| "elasticmapreduce:DescribeCluster", | |
| "es:Describe*", | |
| "es:List*", | |
| "events:List*", | |
| "glacier:Describe*", | |
| "glacier:Get*", | |
| "globalaccelerator:List*", | |
| "glue:GetDataCatalogEncryptionSettings", | |
| "glue:GetDatabases", | |
| "glue:GetDevEndpoints", | |
| "glue:GetResourcePolicy", | |
| "glue:GetSecurityConfigurations", | |
| "guardduty:Get*", | |
| "guardduty:List*", | |
| "iam:Generate*", | |
| "iam:Get*", | |
| "iam:Simulate*", | |
| "kafka:Describe*", | |
| "kafka:List*", | |
| "kms:Describe*", | |
| "kms:Get*", | |
| "kms:List*", | |
| "lakeformation:GetDataLakeSettings", | |
| "lakeformation:GetEffectivePermissionsForPath", | |
| "lakeformation:ListResources", | |
| "lambda:Get*", | |
| "logs:FilterLogEvents", | |
| "logs:Get*", | |
| "logs:ListTagsLogGroup", | |
| "logs:StartQuery", | |
| "logs:TestMetricFilter", | |
| "memorydb:Describe*", | |
| "memorydb:List*", | |
| "mq:Describe*", | |
| "mq:List*", | |
| "network-firewall:List*", | |
| "network-firewall:Describe*", | |
| "organizations:Describe*", | |
| "qldb:DescribeLedger", | |
| "qldb:ListLedgers", | |
| "rds:List*", | |
| "redshift:Describe*", | |
| "resource-groups:Get*", | |
| "resource-groups:List*", | |
| "resource-groups:Search*", | |
| "route53:Test*", | |
| "route53domains:Check*", | |
| "route53domains:Get*", | |
| "route53domains:View*", | |
| "s3:Get*", | |
| "s3:List*", | |
| "secretsmanager:Describe*", | |
| "secretsmanager:GetResourcePolicy", | |
| "secretsmanager:List*", | |
| "serverlessrepo:Get*", | |
| "serverlessrepo:List*", | |
| "ses:GetIdentityDkimAttributes", | |
| "ses:GetIdentityPolicies", | |
| "ses:GetIdentityVerificationAttributes", | |
| "sns:Get*", | |
| "sqs:GetQueueAttributes", | |
| "sqs:ListQueueTags", | |
| "ssm:Describe*", | |
| "ssm:GetParameter*", | |
| "ssm:GetParametersByPath", | |
| "ssm:List*", | |
| "sso:DescribePermissionSet", | |
| "sso:GetInlinePolicyForPermissionSet", | |
| "sso:ListAccountAssignments", | |
| "sso:ListInstances", | |
| "sso:ListManagedPoliciesInPermissionSet", | |
| "sso:ListPermissionSets", | |
| "states:DescribeStateMachine", | |
| "timestream:ListDatabases", | |
| "identitystore:DescribeGroup", | |
| "identitystore:DescribeUser", | |
| "identitystore:ListGroups", | |
| "identitystore:ListUsers", | |
| "tag:Get*", | |
| "waf-regional:Get*", | |
| "waf:Get*" | |
| ], | |
| "Resource":"*" | |
| } | |
| ] | |
| } | |
| } | |
| }, | |
| "OrcaRdsSnapshotCreatePolicy":{ | |
| "Type":"AWS::IAM::ManagedPolicy", | |
| "Condition":"DeployRdsScanner", | |
| "Properties":{ | |
| "Description":"Orca Security RDS Snapshot Creation Policy", | |
| "PolicyDocument":{ | |
| "Version":"2012-10-17", | |
| "Statement":[ | |
| { | |
| "Effect":"Allow", | |
| "Action":[ | |
| "rds:AddTagsToResource", | |
| "rds:DeleteDBSnapshot", | |
| "rds:DeleteDBClusterSnapshot" | |
| ], | |
| "Resource":[ | |
| "arn:aws:rds:*:*:snapshot:*", | |
| "arn:aws:rds:*:*:cluster-snapshot:*" | |
| ], | |
| "Condition":{ | |
| "StringLike":{ | |
| "aws:ResourceTag/Orca":"*" | |
| }, | |
| "StringNotLikeIfExists":{ | |
| "aws:ResourceTag/OrcaOptOut":"*" | |
| } | |
| } | |
| }, | |
| { | |
| "Effect":"Allow", | |
| "Action":[ | |
| "rds:CreateDBSnapshot", | |
| "rds:CreateDBClusterSnapshot", | |
| "rds:CopyDBSnapshot", | |
| "rds:CopyDBClusterSnapshot" | |
| ], | |
| "Resource":[ | |
| "arn:aws:rds:*:*:db:*", | |
| "arn:aws:rds:*:*:cluster:*", | |
| "arn:aws:rds:*:*:snapshot:*", | |
| "arn:aws:rds:*:*:cluster-snapshot:*" | |
| ], | |
| "Condition":{ | |
| "ForAnyValue:StringEquals":{ | |
| "aws:TagKeys":"Orca" | |
| }, | |
| "StringNotLikeIfExists":{ | |
| "aws:ResourceTag/OrcaOptOut":"*" | |
| } | |
| } | |
| } | |
| ] | |
| } | |
| } | |
| }, | |
| "OrcaRdsSnapshotReencryptPolicy":{ | |
| "Type":"AWS::IAM::ManagedPolicy", | |
| "Condition":"DeployRdsScanner", | |
| "Properties":{ | |
| "Description":"Orca Security RDS Snapshot Re-Encryption Policy", | |
| "PolicyDocument":{ | |
| "Version":"2012-10-17", | |
| "Statement":[ | |
| { | |
| "Sid":"CreateGrantForDbSnapshotReencryption", | |
| "Effect":"Allow", | |
| "Action":"kms:CreateGrant", | |
| "Resource":"arn:aws:kms:*:*:key/*", | |
| "Condition":{ | |
| "ForAllValues:StringLike":{ | |
| "kms:GrantOperations":[ | |
| "DescribeKey", | |
| "Decrypt", | |
| "Encrypt", | |
| "GenerateDataKeyWithoutPlaintext", | |
| "CreateGrant", | |
| "RetireGrant" | |
| ] | |
| }, | |
| "Bool":{ | |
| "kms:GrantIsForAWSResource":true | |
| }, | |
| "StringLike":{ | |
| "aws:ResourceAccount":"${aws:PrincipalTag/OrcaScannerAccountId, '*'}" | |
| }, | |
| "ForAnyValue:StringLike":{ | |
| "kms:ViaService":"rds.*.amazonaws.com" | |
| } | |
| } | |
| }, | |
| { | |
| "Sid":"DescribeKeyForDbSnapshotReencryption", | |
| "Effect":"Allow", | |
| "Action":"kms:DescribeKey", | |
| "Resource":"arn:aws:kms:*:*:key/*", | |
| "Condition":{ | |
| "StringLike":{ | |
| "aws:ResourceAccount":"${aws:PrincipalTag/OrcaScannerAccountId, '*'}" | |
| }, | |
| "ForAnyValue:StringLike":{ | |
| "kms:ViaService":"rds.*.amazonaws.com" | |
| } | |
| } | |
| }, | |
| { | |
| "Sid":"Tag", | |
| "Effect":"Allow", | |
| "Action":"rds:AddTagsToResource", | |
| "Resource":[ | |
| "arn:aws:rds:*:*:snapshot:*", | |
| "arn:aws:rds:*:*:cluster-snapshot:*" | |
| ], | |
| "Condition":{ | |
| "StringLike":{ | |
| "aws:ResourceTag/Orca":"*" | |
| }, | |
| "StringNotLikeIfExists":{ | |
| "aws:ResourceTag/OrcaOptOut":"*" | |
| } | |
| } | |
| }, | |
| { | |
| "Sid":"CopyDbSnapshots", | |
| "Effect":"Allow", | |
| "Action":[ | |
| "rds:CopyDBSnapshot", | |
| "rds:CopyDBClusterSnapshot" | |
| ], | |
| "Resource":[ | |
| "arn:aws:rds:*:*:snapshot:*", | |
| "arn:aws:rds:*:*:cluster-snapshot:*" | |
| ], | |
| "Condition":{ | |
| "ForAnyValue:StringEquals":{ | |
| "aws:TagKeys":"Orca" | |
| }, | |
| "StringNotLikeIfExists":{ | |
| "aws:ResourceTag/OrcaOptOut":"*" | |
| } | |
| } | |
| } | |
| ] | |
| } | |
| } | |
| }, | |
| "OrcaRdsSnapshotSharePolicy":{ | |
| "Type":"AWS::IAM::ManagedPolicy", | |
| "Condition":"DeployRdsScanner", | |
| "Properties":{ | |
| "Description":"Orca Security RDS Snapshot Sharing Policy", | |
| "PolicyDocument":{ | |
| "Version":"2012-10-17", | |
| "Statement":[ | |
| { | |
| "Sid":"ModifyDbSnapshots", | |
| "Effect":"Allow", | |
| "Action":[ | |
| "rds:ModifyDBSnapshotAttribute", | |
| "rds:ModifyDBClusterSnapshotAttribute" | |
| ], | |
| "Resource":[ | |
| "arn:aws:rds:*:*:snapshot:*", | |
| "arn:aws:rds:*:*:cluster-snapshot:*" | |
| ], | |
| "Condition":{ | |
| "StringLike":{ | |
| "aws:ResourceTag/Orca":"*" | |
| }, | |
| "StringNotLikeIfExists":{ | |
| "aws:ResourceTag/OrcaOptOut":"*" | |
| } | |
| } | |
| } | |
| ] | |
| } | |
| } | |
| }, | |
| "OrcaSecurityRole":{ | |
| "Type":"AWS::IAM::Role", | |
| "Properties":{ | |
| "AssumeRolePolicyDocument":{ | |
| "Version":"2012-10-17", | |
| "Statement":[ | |
| { | |
| "Effect":"Allow", | |
| "Principal":{ | |
| "AWS":"arn:aws:iam::976280145156:root" | |
| }, | |
| "Action":"sts:AssumeRole", | |
| "Condition":{ | |
| "StringEquals":{ | |
| "sts:ExternalId":{ | |
| "Ref":"ExternalId" | |
| } | |
| } | |
| } | |
| } | |
| ] | |
| }, | |
| "ManagedPolicyArns":{ | |
| "Fn::Split":[ | |
| ",", | |
| { | |
| "Fn::Join":[ | |
| "", | |
| [ | |
| { | |
| "Fn::Join":[ | |
| ",", | |
| [ | |
| "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess", | |
| { | |
| "Ref":"OrcaSecurityPolicy" | |
| }, | |
| { | |
| "Ref":"OrcaSecurityViewOnlyExtrasPolicy" | |
| } | |
| ] | |
| ] | |
| }, | |
| { | |
| "Fn::If":[ | |
| "SecretManagerAccessAllowed", | |
| { | |
| "Fn::Sub":[ | |
| ",${SecretsManagerPolicyArn}", | |
| { | |
| "SecretsManagerPolicyArn":{ | |
| "Ref":"OrcaSecuritySecretsManagerPolicy" | |
| } | |
| } | |
| ] | |
| }, | |
| "" | |
| ] | |
| }, | |
| { | |
| "Fn::If":[ | |
| "DeployRdsScanner", | |
| { | |
| "Fn::Sub":[ | |
| ",${RdsCreateSnapshotPolicyArn},${RdsReencryptSnapshotPolicyArn},${RdsShareSnapshotPolicyArn}", | |
| { | |
| "RdsCreateSnapshotPolicyArn":{ | |
| "Ref":"OrcaRdsSnapshotCreatePolicy" | |
| }, | |
| "RdsReencryptSnapshotPolicyArn":{ | |
| "Ref":"OrcaRdsSnapshotReencryptPolicy" | |
| }, | |
| "RdsShareSnapshotPolicyArn":{ | |
| "Ref":"OrcaRdsSnapshotSharePolicy" | |
| } | |
| } | |
| ] | |
| }, | |
| "" | |
| ] | |
| } | |
| ] | |
| ] | |
| } | |
| ] | |
| } | |
| } | |
| } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment