prowler/contrib/aws/multi-account-securityhub/templates/CF-Prowler-IAM.yml
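AWSTemplateFormatVersion: 2010-09-09
Description: This Template will create the IAM Roles needed for the Prowler infrastructure
Parameters:
  # Name of the role Prowler assumes in every target account. That role is NOT
  # created by this template; only the permission to assume it is granted below.
  ProwlerCrossAccountRoleName:
    Type: String
    Description: Name of the cross account Prowler IAM Role
    AllowedPattern: '^[\w+=,.@-]{1,64}$'
    ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -]
    Default: ProwlerXA-Role
  # Role the ECS agent uses to pull the image and ship logs (not the task itself).
  ECSExecutionRoleName:
    Type: String
    Description: Name for the ECS Task Execution Role
    AllowedPattern: '^[\w+=,.@-]{1,64}$'
    ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -]
    Default: ECSTaskExecution-Role
  # Role the Prowler container runs as; it only needs to assume the cross-account role.
  ProwlerTaskRoleName:
    Type: String
    Description: Name for the ECS Prowler Task Role
    AllowedPattern: '^[\w+=,.@-]{1,64}$'
    ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -]
    Default: ProwlerECSTask-Role
  # Role EventBridge assumes to start the scheduled ECS task.
  ECSEventRoleName:
    Type: String
    Description: Name for the Eventbridge Task Role
    AllowedPattern: '^[\w+=,.@-]{1,64}$'
    ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -]
    Default: ProwlerEvents-Role
Resources:
  # ECS task execution role: AWS-managed policy grants ECR pull + CloudWatch Logs write.
  ECSExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref ECSExecutionRoleName
      ManagedPolicyArns:
        # ${AWS::Partition} keeps the ARN valid in GovCloud / China partitions.
        - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: ECSExecutionTrust
            Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
            Action: sts:AssumeRole
            # Confused-deputy guard: only ECS tasks launched in this account may
            # assume the role (tighten further with an ArnLike aws:SourceArn on
            # arn:aws:ecs:<region>:<account>:* if the task ARN pattern is known).
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId
  # Task role for the Prowler container. Its only permission is to hop into the
  # cross-account role; every AWS API call Prowler makes happens under that role.
  ProwlerTaskRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref ProwlerTaskRoleName
      Policies:
        - PolicyName: ProwlerAssumeRole
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: AllowProwlerAssumeRole
                Effect: Allow
                Action: sts:AssumeRole
                # The account id is a wildcard by design (multi-account scanning).
                # The role NAME is still pinned, so only roles with exactly this
                # name can be assumed. If all targets live in one AWS Organization,
                # consider adding a StringEquals aws:ResourceOrgID condition to keep
                # the task from assuming a same-named role in a foreign account.
                Resource:
                  - !Sub arn:${AWS::Partition}:iam::*:role/${ProwlerCrossAccountRoleName}
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          # Sid renamed from ECSExecutionTrust so it no longer collides with the
          # execution role's statement id when reading audit logs / policy diffs.
          - Sid: ProwlerTaskTrust
            Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
            Action: sts:AssumeRole
            # Confused-deputy guard, same as the execution role.
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId
  # Role assumed by the EventBridge schedule rule to call ecs:RunTask.
  ECSEventRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref ECSEventRoleName
      Policies:
        - PolicyName: AllowProwlerEventsECS
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: EventRunECS
                Effect: Allow
                Action:
                  - ecs:RunTask
                # TODO(security): the task definition and cluster are created
                # outside this template, so the resource cannot be pinned here.
                # Once their ARNs are available, replace "*" with the task
                # definition ARN and add an ecs:cluster condition.
                Resource:
                  - "*"
              - Sid: EventPassRole
                Effect: Allow
                Action: iam:PassRole
                # Only the two roles defined in this template may be handed to
                # ECS. The previous "*" let this role pass ANY role that trusts
                # ecs-tasks.amazonaws.com, which is a privilege-escalation path.
                Resource:
                  - !GetAtt ECSExecutionRole.Arn
                  - !GetAtt ProwlerTaskRole.Arn
                Condition:
                  # Exact match: no wildcard in the value, so StringLike is not needed.
                  StringEquals:
                    iam:PassedToService: ecs-tasks.amazonaws.com
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: EventsECSExecutionTrust
            Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: sts:AssumeRole
            # Confused-deputy guard: only EventBridge rules in this account may
            # assume the role (an aws:SourceArn on the rule ARN would be tighter
            # but the rule is not defined in this template).
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId
Outputs:
  ECSExecutionRoleARN:
    Description: ARN of the ECS Task Execution Role
    Value: !GetAtt ECSExecutionRole.Arn
  ProwlerTaskRoleARN:
    Description: ARN of the ECS Prowler Task Role
    Value: !GetAtt ProwlerTaskRole.Arn
  ECSEventRoleARN:
    Description: ARN of the Eventbridge Task Role
    Value: !GetAtt ECSEventRole.Arn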