From c6cc82c527a3cacaac9fbc0f72d781d1a993309c Mon Sep 17 00:00:00 2001
From: Andoni Alonso <14891798+andoniaf@users.noreply.github.com>
Date: Mon, 5 Jan 2026 14:44:51 +0100
Subject: [PATCH] docs(aws): update CloudFormation template reference in role-assumption docs (#9719)
---
 .../providers/aws/role-assumption.mdx | 10 +-
 permissions/create_role_to_assume_cfn.yaml | 120 ------------------
 2 files changed, 5 insertions(+), 125 deletions(-)
 delete mode 100644 permissions/create_role_to_assume_cfn.yaml
diff --git a/docs/user-guide/providers/aws/role-assumption.mdx b/docs/user-guide/providers/aws/role-assumption.mdx
index ef45e56441..b714beafbd 100644
--- a/docs/user-guide/providers/aws/role-assumption.mdx
+++ b/docs/user-guide/providers/aws/role-assumption.mdx
@@ -69,18 +69,18 @@ If your IAM Role is configured with Multi-Factor Authentication (MFA), use `--mf
 ## Creating a Role for One or Multiple Accounts
-To create an IAM role that can be assumed in one or multiple AWS accounts, use either a CloudFormation Stack or StackSet with the provided [template](https://github.com/prowler-cloud/prowler/blob/master/permissions/create_role_to_assume_cfn.yaml).
+To create an IAM role that can be assumed in one or multiple AWS accounts, use either a CloudFormation Stack or StackSet with the provided [template](https://github.com/prowler-cloud/prowler/blob/master/permissions/templates/cloudformation/prowler-scan-role.yml).
 The template requires the following parameters:
-- **AuthorisedARN:** The ARN of the user or role authorized to assume the created role (e.g., `arn:aws:iam::123456789012:root`)
 - **ExternalId:** A unique identifier to prevent the [confused deputy problem](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html)
-- **ProwlerRoleName:** *(Optional)* Name of the IAM role (default: `ProwlerScanRole`)
+- **AccountId:** *(Optional)* AWS Account ID that will assume the role (default: Prowler Cloud account)
+- **IAMPrincipal:** *(Optional)* The IAM principal allowed to assume the role (default: `role/prowler*`)
-When running Prowler, include the External ID using the `-I/--external-id` flag:
+When running Prowler CLI, include the External ID using the `-I/--external-id` flag:
 ```sh
-prowler aws -R arn:aws:iam:::role/ -I
+prowler aws -R arn:aws:iam:::role/ProwlerScan -I
 ```
diff --git a/permissions/create_role_to_assume_cfn.yaml b/permissions/create_role_to_assume_cfn.yaml
deleted file mode 100644
index 0f41421808..0000000000
--- a/permissions/create_role_to_assume_cfn.yaml
+++ /dev/null
@@ -1,120 +0,0 @@
-AWSTemplateFormatVersion: '2010-09-09'
-#
-# You can invoke CloudFormation and pass the principal ARN from a command line like this:
-# aws cloudformation create-stack \
-# --capabilities CAPABILITY_IAM --capabilities CAPABILITY_NAMED_IAM \
-# --template-body "file://create_role_to_assume_cfn.yaml" \
-# --stack-name "ProwlerScanRole" \
-# --parameters "ParameterKey=AuthorisedARN,ParameterValue=arn:aws:iam::123456789012:root" \
-# "ParameterKey=ExternalId,ParameterValue=YourExternalId"
-#
-Description: |
- This template creates an AWS IAM Role with an inline policy and two AWS managed policies
- attached. It sets the trust policy on that IAM Role to permit a named ARN in another AWS
- account to assume that role. The role name and the ARN of the trusted user can all be passed
- to the CloudFormation stack as parameters. Then you can run Prowler to perform a security
- assessment with a command like:
- prowler --role ProwlerScanRole.ARN
-Parameters:
- AuthorisedARN:
- Description: |
- ARN of user who is authorised to assume the role that is created by this template.
- E.g., arn:aws:iam::123456789012:root
- Type: String
- ExternalId:
- Description: |
- This is the External ID that Prowler will use to assume the role.
- Type: String
- MinLength: 1
- AllowedPattern: ".+"
- ConstraintDescription: "ExternalId must not be empty."
- ProwlerRoleName:
- Description: |
- Name of the IAM role that will have these policies attached.
Default: ProwlerScanRole
- Type: String
- Default: 'ProwlerScanRole'
-
-Resources:
- ProwlerScanRole:
- Type: AWS::IAM::Role
- Properties:
- AssumeRolePolicyDocument:
- Version: '2012-10-17'
- Statement:
- - Effect: Allow
- Principal:
- AWS: !Sub ${AuthorisedARN}
- Action: 'sts:AssumeRole'
- Condition:
- StringEquals:
- 'sts:ExternalId': !Ref ExternalId
- ## In case MFA is required uncomment lines below and read https://github.com/prowler-cloud/prowler#run-prowler-with-mfa-protected-credentials
- # Bool:
- # 'aws:MultiFactorAuthPresent': true
- # This is 12h that is maximum allowed, Minimum is 3600 = 1h
- # to take advantage of this use -T like in './prowler --role ProwlerScanRole.ARN -T 43200'
- MaxSessionDuration: 43200
- ManagedPolicyArns:
- - 'arn:aws:iam::aws:policy/SecurityAudit'
- - 'arn:aws:iam::aws:policy/job-function/ViewOnlyAccess'
- RoleName: !Sub ${ProwlerRoleName}
- Policies:
- - PolicyName: ProwlerScanRoleAdditionalViewPrivileges
- PolicyDocument:
- Version : '2012-10-17'
- Statement:
- - Effect: Allow
- Action:
- - 'account:Get*'
- - 'appstream:Describe*'
- - 'appstream:List*'
- - 'backup:List*'
- - 'bedrock:List*'
- - 'bedrock:Get*'
- - 'cloudtrail:GetInsightSelectors'
- - 'codeartifact:List*'
- - 'codebuild:BatchGet*'
- - 'codebuild:ListReportGroups'
- - 'cognito-idp:GetUserPoolMfaConfig'
- - 'dlm:Get*'
- - 'drs:Describe*'
- - 'ds:Get*'
- - 'ds:Describe*'
- - 'ds:List*'
- - 'dynamodb:GetResourcePolicy'
- - 'ec2:GetEbsEncryptionByDefault'
- - 'ec2:GetSnapshotBlockPublicAccessState'
- - 'ec2:GetInstanceMetadataDefaults'
- - 'ecr:Describe*'
- - 'ecr:GetRegistryScanningConfiguration'
- - 'elasticfilesystem:DescribeBackupPolicy'
- - 'glue:GetConnections'
- - 'glue:GetSecurityConfiguration*'
- - 'glue:SearchTables'
- - 'lambda:GetFunction*'
- - 'logs:FilterLogEvents'
- - 'lightsail:GetRelationalDatabases'
- - 'macie2:GetMacieSession'
- - 'macie2:GetAutomatedDiscoveryConfiguration'
- - 's3:GetAccountPublicAccessBlock'
- - 'shield:DescribeProtection'
- - 'shield:GetSubscriptionState'
- - 'securityhub:BatchImportFindings'
- - 'securityhub:GetFindings'
- - 'servicecatalog:Describe*'
- - 'servicecatalog:List*'
- - 'ssm:GetDocument'
- - 'ssm-incidents:List*'
- - 'states:ListTagsForResource'
- - 'support:Describe*'
- - 'tag:GetTagKeys'
- - 'wellarchitected:List*'
- Resource: '*'
- - PolicyName: ProwlerScanRoleAdditionalViewPrivilegesApiGateway
- PolicyDocument:
- Version : '2012-10-17'
- Statement:
- - Effect: Allow
- Action:
- - 'apigateway:GET'
- Resource: 'arn:aws:apigateway:*::/restapis/*'