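---
AWSTemplateFormatVersion: '2010-09-09'
# Service role that IAM Access Analyzer policy generation assumes in order to
# read CloudTrail logs from S3 (decrypting them with KMS where needed).
# Deploying requires CAPABILITY_NAMED_IAM because the role has a fixed RoleName.
Description: Service role for IAM Access Analyzer policy generation (reads CloudTrail logs from S3, decrypts them with KMS). See https://confluence.cornell.edu/x/f7IkGQ
Metadata:
  Source: https://github.com/CU-CommunityApps/cu-aws-cloudformation/iam-access-analyzer/template.yaml
  Version: "1.2.0"
  RecommendedStackName: access-analyzer-policy-generator-resources-$ENV
  ChangeLog:
    "1.2.0":
      - add aws:SourceAccount condition to the role trust policy (cross-service confused deputy guard)
      - use ${AWS::Partition} in S3 ARNs instead of a hard-coded "aws" partition
      - validate CloudTrailBucketNameParam and KSMKeyARNParam with AllowedPattern
      - replace placeholder value of the Description tag
    "1.1.0":
      - add KMS decryption privs to policy
      - add path to role
      - rename role to follow the same naming scheme as roles auto-generated by AWS
    "1.0.0":
      - initial release
Parameters:
  VersionParam:
    # The version is part of RoleName, so bumping it creates a new role (and
    # removes the old one on stack update); re-point policy generation at the new ARN.
    Description: CIT template version (appears in the role name)
    Type: String
    Default: "1.2.0"
  ContactEmailParam:
    Description: CIT contact email tag value
    Default: cloud-support@cornell.edu
    Type: String
  SourceURLParam:
    Description: URL of this template in source code repository (not necessarily public)
    Default: https://github.com/CU-CommunityApps/cu-aws-cloudformation/iam-access-analyzer/template.yaml
    Type: String
  EnvironmentParam:
    Description: Environment for the resources this template creates.
    Default: prod
    Type: String
    AllowedValues:
      - dev
      - test
      - prod
  DocumentationURLParam:
    Description: URL of documentation about this deployment or these resources
    Default: https://confluence.cornell.edu/x/f7IkGQ
    Type: String
  # Cornell folks should see https://confluence.cornell.edu/x/f7IkGQ for the correct value for this parameter.
  CloudTrailBucketNameParam:
    Description: Name of the S3 bucket holding CloudTrail logs (bucket name, not an ARN)
    Type: String
    # Standard bucket-name rules (3-63 chars; lowercase letters, digits, dots,
    # hyphens). Catches typos and accidental ARNs before the policy is created.
    # Legacy buckets with uppercase names would need this pattern relaxed.
    AllowedPattern: "^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$"
    ConstraintDescription: must be a valid S3 bucket name (not an ARN)
  # Cornell folks should see https://confluence.cornell.edu/x/f7IkGQ for the correct value for this parameter.
  # NOTE: the parameter name is misspelled ("KSM" for "KMS") but is kept so that
  # existing stacks and deployment scripts that pass it keep working.
  KSMKeyARNParam:
    Description: ARN of the KMS key used for encrypting CloudTrail log data in S3
    Type: String
    # Key ARN only (alias ARNs are not valid as the Resource of a kms:Decrypt
    # statement). The partition is left open so the template works outside the
    # commercial partition.
    AllowedPattern: "^arn:aws[a-z-]*:kms:[a-z0-9-]+:[0-9]{12}:key/[a-zA-Z0-9-]+$"
    ConstraintDescription: must be a KMS key ARN of the form arn:<partition>:kms:<region>:<account-id>:key/<key-id>
Mappings: {}
Conditions: {}
Resources:
  # The logical ID predates the rename of this resource to a role; it is kept so
  # that stack updates do not replace the resource.
  AccessAnalyzerMonitorServicePolicy:
    Type: "AWS::IAM::Role"
    DeletionPolicy: Delete
    Properties:
      Description: Allows Access Analyzer policy generator to access CloudTrail data and use KMS key for decryption
      Path: "/service-role/"
      RoleName: !Sub "AccessAnalyzerMonitorServiceRole-${EnvironmentParam}-v${VersionParam}"
      Policies:
        - PolicyName: "access-analyzer"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Resource "*" on these two statements follows the AWS-documented
              # service-role policy for policy generation. cloudtrail:GetTrail
              # could be narrowed to the trail ARN if it is known at deploy time.
              - Effect: Allow
                Action: cloudtrail:GetTrail
                Resource: "*"
              - Effect: Allow
                Action:
                  - iam:GenerateServiceLastAccessedDetails
                  - iam:GetServiceLastAccessedDetails
                Resource: "*"
              # Read-only access, limited to the CloudTrail bucket. ${AWS::Partition}
              # keeps the ARNs valid outside the commercial partition.
              - Effect: Allow
                Action:
                  - s3:GetObject
                  - s3:ListBucket
                Resource:
                  - !Sub "arn:${AWS::Partition}:s3:::${CloudTrailBucketNameParam}"
                  - !Sub "arn:${AWS::Partition}:s3:::${CloudTrailBucketNameParam}/*"
              # Decrypt is limited to the CloudTrail key and only when S3 calls KMS
              # on the role's behalf (kms:ViaService), so the role cannot call
              # kms:Decrypt directly. The region is wildcarded because the
              # CloudTrail bucket need not live in the stack's region.
              - Effect: Allow
                Action: kms:Decrypt
                Resource: !Ref KSMKeyARNParam
                Condition:
                  StringLike:
                    "kms:ViaService": "s3.*.amazonaws.com"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - "access-analyzer.amazonaws.com"
            Action:
              - "sts:AssumeRole"
            # Cross-service confused deputy guard: Access Analyzer may assume this
            # role only when acting on behalf of THIS account, not when invoked
            # from another account's analyzer. An aws:SourceArn condition
            # (arn:<partition>:access-analyzer:*:<account-id>:*) can be added for
            # a tighter scope per the AWS Access Analyzer documentation.
            Condition:
              StringEquals:
                "aws:SourceAccount": !Ref "AWS::AccountId"
      Tags:
        - Key: Environment
          Value: !Ref EnvironmentParam
        - Key: Description
          Value: IAM Access Analyzer policy generation service role (reads CloudTrail logs from S3)
        - Key: Documentation
          Value: !Ref DocumentationURLParam
        - Key: cit:contact-email
          Value: !Ref ContactEmailParam
        - Key: cit:version
          Value: !Ref VersionParam
        - Key: cit:source
          Value: !Ref SourceURLParam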