{
  "Description": "(SO0217m) - The AWS CloudFormation org management template for deployment of the Account Assessment for AWS Organizations, Version: 1.1.11",
  "Metadata": {
    "AWS::CloudFormation::Interface": {
      "ParameterGroups": [
        {
          "Label": {
            "default": "Solution Setup"
          },
          "Parameters": [
            "DeploymentNamespace",
            "HubAccountId"
          ]
        }
      ],
      "ParameterLabels": {
        "DeploymentNamespace": {
          "default": "Provide the unique namespace value from the Hub deployment"
        },
        "HubAccountId": {
          "default": "Provide the Hub Account ID"
        }
      }
    }
  },
  "Parameters": {
    "DeploymentNamespace": {
      "Type": "String",
      "AllowedPattern": "^[a-z0-9][a-z0-9-]{1,8}[a-z0-9]$",
      "ConstraintDescription": "Must be 3-10 characters long, containing only lowercase letters, numbers, and hyphens. Cannot begin or end with a hyphen.",
      "Description": "Used as a prefix for resource names. The same namespace must be used in the Hub stack.",
      "MaxLength": 10,
      "MinLength": 3
    },
    "HubAccountId": {
      "Type": "String",
      "Description": "ID of the AWS account where the Hub Stack of this solution is deployed."
    }
  },
  "Resources": {
    "OrgManagementStackRoleF3732685": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "AWS": {
                  "Fn::Join": [
                    "",
                    [
                      "arn:aws:iam::",
                      {
                        "Ref": "HubAccountId"
                      },
                      ":role/",
                      {
                        "Ref": "DeploymentNamespace"
                      },
                      "-",
                      {
                        "Ref": "AWS::Region"
                      },
                      "-TrustedAccess"
                    ]
                  ]
                }
              }
            },
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "AWS": {
                  "Fn::Join": [
                    "",
                    [
                      "arn:aws:iam::",
                      {
                        "Ref": "HubAccountId"
                      },
                      ":role/",
                      {
                        "Ref": "DeploymentNamespace"
                      },
                      "-",
                      {
                        "Ref": "AWS::Region"
                      },
                      "-DelegatedAdmin"
                    ]
                  ]
                }
              }
            },
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "AWS": {
                  "Fn::Join": [
                    "",
                    [
                      "arn:aws:iam::",
                      {
                        "Ref": "HubAccountId"
                      },
                      ":role/",
                      {
                        "Ref": "DeploymentNamespace"
                      },
                      "-",
                      {
                        "Ref": "AWS::Region"
                      },
                      "-PolicyExplorer"
                    ]
                  ]
                }
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "Policies": [
          {
            "PolicyDocument": {
              "Statement": [
                {
                  "Action": [
                    "organizations:ListAccounts",
                    "organizations:ListAccountsForParent",
                    "organizations:ListDelegatedAdministrators",
                    "organizations:ListDelegatedServicesForAccount",
                    "organizations:ListAWSServiceAccessForOrganization",
                    "organizations:DescribePolicy",
                    "organizations:ListPolicies"
                  ],
                  "Effect": "Allow",
                  "Resource": "*"
                }
              ],
              "Version": "2012-10-17"
            },
            "PolicyName": "listAccounts"
          }
        ],
        "RoleName": {
          "Fn::Join": [
            "",
            [
              {
                "Ref": "DeploymentNamespace"
              },
              "-",
              {
                "Ref": "AWS::Region"
              },
              "-AccountAssessment-OrgMgmtStackRole"
            ]
          ]
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-org-management/OrgManagementStackRole/Resource",
        "guard": {
          "SuppressedRules": [
            "IAM_NO_INLINE_POLICY_CHECK"
          ]
        },
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "W11",
              "reason": "Resource * is necessary for the organizations:List* and organizations:DescribePolicy operations. There is no risk, because the role can still only access its own organization."
            },
            {
              "id": "W28",
              "reason": "This role needs an explicit name (built from the deployment namespace and region) so that the Hub Stack can reference the role by name."
            }
          ]
        }
      }
    }
  }
}