-
Notifications
You must be signed in to change notification settings - Fork 11
/
Copy pathpanther-rules-engine-cross-account-read-only.yml
84 lines (78 loc) · 3.42 KB
/
panther-rules-engine-cross-account-read-only.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
# Copyright (C) 2022 Panther Labs, Inc.
#
# The Panther SaaS is licensed under the terms of the Panther Enterprise Subscription
# Agreement available at https://panther.com/enterprise-subscription-agreement/.
# All intellectual property rights in and to the Panther SaaS, including any and all
# rights to access the Panther SaaS, are governed by the Panther Enterprise Subscription Agreement.
AWSTemplateFormatVersion: 2010-09-09
Description: Creates an IAM role in an external customer account which Panther can assume for read-only access
Parameters:
PantherMasterAccountID:
Type: String
Description: 12 Digit AWS Panther Master AccountID located in Panther under General > Settings
AllowedPattern: '^\d{12}$'
PantherRulesEngineRoleName:
Type: String
Description: Panther detections-engine role name which can be found in the AWS Console under IAM by searching "rules" in the Panther Master Account
SecretArn:
Type: String
Default: ''
Description: (Optional) Allow Panther detections-engine to read the given secret arn
AllowedPattern: '^(arn:(aws|aws-cn|aws-us-gov):secretsmanager:[a-z]{2}-[a-z]{4,9}-[1-9]:\d{12}:secret:\S+)?$'
TargetBucketName:
Type: String
Description: External S3 bucket which the Panther detections-engine will be allowed to read from
TargetBucketKmsKeyArn:
Type: String
Default: ''
Description: (Optional) Allow Panther detections-engine to decrypt this KMS key arn (required if the target bucket has KMS encryption enabled)
AllowedPattern: '^(arn:(aws|aws-cn|aws-us-gov):kms:[a-z]{2}-[a-z]{4,9}-[1-9]:\d{12}:key\/[0-9a-f-]{36})?$'
Conditions:
SecretDefined: !Not [!Equals [!Ref SecretArn, '']]
KmsKeyDefined: !Not [!Equals [!Ref TargetBucketKmsKeyArn, '']]
Resources:
PantherRulesEngineIamRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action: sts:AssumeRole
Principal:
AWS: !Sub arn:${AWS::Partition}:iam::${PantherMasterAccountID}:role/${PantherRulesEngineRoleName}
Policies:
- PolicyName: panther-rule-engine-cross-account-read-only-role
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- s3:Get*
- s3:List*
Resource:
- !Sub arn:${AWS::Partition}:s3:::${TargetBucketName}
- !Sub arn:${AWS::Partition}:s3:::${TargetBucketName}/*
- !If
- SecretDefined
- Effect: Allow
Action:
- secretsmanager:GetResourcePolicy
- secretsmanager:GetSecretValue
- secretsmanager:DescribeSecret
- secretsmanager:ListSecretVersionIds
Resource: !Ref SecretArn
- !Ref AWS::NoValue
- !If
- KmsKeyDefined
- Effect: Allow
Action: kms:Decrypt
Resource: !Ref TargetBucketKmsKeyArn
- !Ref AWS::NoValue
Outputs:
PantherRulesEngineCrossAccountIamRoleName:
Description: Panther Rules Engine Read-only IAM Role Name
Value: !Ref PantherRulesEngineIamRole
PantherRulesEngineCrossAccountIamRoleArn:
Description: Panther Rules Engine Read-only IAM Role ARN
Value: !GetAtt PantherRulesEngineIamRole.Arn