{
  "Description": "(SO0217s) - The AWS CloudFormation spoke template for deployment of the Account Assessment for AWS Organizations, Version: 1.1.11",
  "Metadata": {
    "AWS::CloudFormation::Interface": {
      "ParameterGroups": [
        {
          "Label": {
            "default": "Solution Setup"
          },
          "Parameters": [
            "DeploymentNamespace",
            "HubAccountId"
          ]
        }
      ],
      "ParameterLabels": {
        "DeploymentNamespace": {
          "default": "Provide the unique namespace value used in the Hub deployment"
        },
        "HubAccountId": {
          "default": "Provide the Hub Account Id"
        }
      }
    }
  },
  "Parameters": {
    "HubAccountId": {
      "Type": "String",
      "Description": "ID of the AWS account where the Hub Stack of this solution is deployed. Roles in this account are the only principals trusted to assume the spoke execution role created by this stack."
    },
    "DeploymentNamespace": {
      "Type": "String",
      "AllowedPattern": "^[a-z0-9][a-z0-9-]{1,8}[a-z0-9]$",
      "ConstraintDescription": "Must be 3-10 characters long, containing only lowercase letters, numbers, and hyphens. Cannot begin or end with a hyphen.",
      "Description": "Used as the prefix for resource names. The same namespace must be used in the hub stack.",
      "MaxLength": 10,
      "MinLength": 3
    }
  },
  "Resources": {
    "ScanSpokePolicy7A5F4EE9": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "s3:GetBucketPolicy",
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation",
                "glacier:GetVaultAccessPolicy",
                "glacier:ListVaults",
                "sns:ListTopics",
                "sqs:ListQueues",
                "iam:ListRoles",
                "iam:ListPolicies",
                "iam:ListRolePolicies",
                "lambda:ListFunctions",
                "elasticfilesystem:DescribeFileSystemPolicy",
                "elasticfilesystem:DescribeFileSystems",
                "secretsmanager:ListSecrets",
                "iot:ListPolicies",
                "kms:ListKeys",
                "kms:GetKeyPolicy",
                "events:ListEventBuses",
                "ses:ListEmailIdentities",
                "apigateway:GET",
                "config:DescribeOrganizationConfigRules",
                "config:GetOrganizationCustomRulePolicy",
                "ssm-incidents:ListResponsePlans",
                "es:ListDomainNames",
                "cloudformation:ListStacks",
                "serverlessrepo:ListApplications",
                "backup:ListBackupVaults",
                "codeartifact:ListRepositories",
                "codeartifact:ListDomains",
                "codebuild:ListReportGroups",
                "codebuild:ListProjects",
                "mediastore:ListContainers",
                "ec2:DescribeVpcEndpoints",
                "lex:ListBots",
                "lex:ListBotAliases",
                "redshift-serverless:ListSnapshots",
                "schemas:ListRegistries",
                "ssm-contacts:ListContacts",
                "acm-pca:ListCertificateAuthorities",
                "ram:ListResources",
                "ram:GetResourcePolicies",
                "account:ListRegions"
              ],
              "Effect": "Allow",
              "Resource": "*"
            },
            {
              "Action": "sns:GetTopicAttributes",
              "Effect": "Allow",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:aws:sns:*:",
                    {
                      "Ref": "AWS::AccountId"
                    },
                    ":*"
                  ]
                ]
              }
            },
            {
              "Action": "sqs:GetQueueAttributes",
              "Effect": "Allow",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:aws:sqs:*:",
                    {
                      "Ref": "AWS::AccountId"
                    },
                    ":*"
                  ]
                ]
              }
            },
            {
              "Action": "iam:GetPolicyVersion",
              "Effect": "Allow",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:aws:iam::",
                    {
                      "Ref": "AWS::AccountId"
                    },
                    ":policy/*"
                  ]
                ]
              }
            },
            {
              "Action": "iam:GetRolePolicy",
              "Effect": "Allow",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:aws:iam::",
                    {
                      "Ref": "AWS::AccountId"
                    },
                    ":role/*"
                  ]
                ]
              }
            },
            {
              "Action": "lambda:GetPolicy",
              "Effect": "Allow",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:aws:lambda:*:",
                    {
                      "Ref": "AWS::AccountId"
                    },
                    ":function:*"
                  ]
                ]
              }
            },
            {
              "Action": "secretsmanager:GetResourcePolicy",
              "Effect": "Allow",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:aws:secretsmanager:*:",
                    {
                      "Ref": "AWS::AccountId"
                    },
                    ":secret:*"
                  ]
                ]
              }
            },
            {
              "Action": "iot:GetPolicy",
              "Effect": "Allow",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:aws:iot:*:",
                    {
                      "Ref": "AWS::AccountId"
                    },
                    ":policy/*"
                  ]
                ]
              }
            },
            {
              "Action": "ses:GetEmailIdentityPolicies",
              "Effect": "Allow",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:aws:ses:*:",
                    {
                      "Ref": "AWS::AccountId"
                    },
                    ":identity/*"
                  ]
                ]
              }
            },
            {
              "Action": [
                "ecr:DescribeRepositories",
                "ecr:GetRepositoryPolicy"
              ],
              "Effect": "Allow",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:aws:ecr:*:",
                    {
                      "Ref": "AWS::AccountId"
                    },
                    ":repository/*"
                  ]
                ]
              }
            },
            {
              "Action": "ssm-incidents:GetResourcePolicies",
              "Effect": "Allow",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:aws:ssm-incidents::",
                    {
                      "Ref": "AWS::AccountId"
                    },
                    ":response-plan/*"
                  ]
                ]
              }
            },
            {
              "Action": "es:DescribeDomains",
              "Effect": "Allow",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:aws:es:*:",
                    {
                      "Ref": "AWS::AccountId"
                    },
                    ":domain/*"
                  ]
                ]
              }
            },
            {
              "Action": "cloudformation:GetStackPolicy",
              "Effect": "Allow",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:aws:cloudformation:*:",
                    {
                      "Ref": "AWS::AccountId"
                    },
                    ":stack/*/*"
                  ]
                ]
              }
            },
            {
              "Action": "glue:GetResourcePolicies",
              "Effect": "Allow",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:aws:glue:*:",
                    {
                      "Ref": "AWS::AccountId"
                    },
                    ":catalog"
                  ]
                ]
              }
            },
            {
              "Action": "serverlessrepo:GetApplicationPolicy",
              "Effect": "Allow",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:aws:serverlessrepo:*:",
                    {
                      "Ref": "AWS::AccountId"
                    },
                    ":applications/*"
                  ]
                ]
              }
            },
            {
              "Action": "backup:GetBackupVaultAccessPolicy",
              "Effect": "Allow",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:aws:backup:*:",
                    {
                      "Ref": "AWS::AccountId"
                    },
                    ":backup-vault:*"
                  ]
                ]
              }
            },
            {
              "Action": [
                "codeartifact:GetRepositoryPermissionsPolicy",
                "codeartifact:GetDomainPermissionsPolicy"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::Join": [
                    "",
                    [
                      "arn:aws:codeartifact:*:",
                      {
                        "Ref": "AWS::AccountId"
                      },
                      ":domain/*"
                    ]
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      "arn:aws:codeartifact:*:",
                      {
                        "Ref": "AWS::AccountId"
                      },
                      ":repository/*/*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": [
                "codebuild:BatchGetProjects",
                "codebuild:GetResourcePolicy"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::Join": [
                    "",
                    [
                      "arn:aws:codebuild:*:",
                      {
                        "Ref": "AWS::AccountId"
                      },
                      ":project/*"
                    ]
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      "arn:aws:codebuild:*:",
                      {
                        "Ref": "AWS::AccountId"
                      },
                      ":report-group/*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": "mediastore:GetContainerPolicy",
              "Effect": "Allow",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:aws:mediastore:*:",
                    {
                      "Ref": "AWS::AccountId"
                    },
                    ":container/*"
                  ]
                ]
              }
            },
            {
              "Action": "lex:DescribeResourcePolicy",
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::Join": [
                    "",
                    [
                      "arn:aws:lex:*:",
                      {
                        "Ref": "AWS::AccountId"
                      },
                      ":bot/*"
                    ]
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      "arn:aws:lex:*:",
                      {
                        "Ref": "AWS::AccountId"
                      },
                      ":bot-alias/*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": "redshift-serverless:GetResourcePolicy",
              "Effect": "Allow",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:aws:redshift-serverless:*:",
                    {
                      "Ref": "AWS::AccountId"
                    },
                    ":snapshot/*"
                  ]
                ]
              }
            },
            {
              "Action": "schemas:GetResourcePolicy",
              "Effect": "Allow",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:aws:schemas:*:",
                    {
                      "Ref": "AWS::AccountId"
                    },
                    ":registry/*"
                  ]
                ]
              }
            },
            {
              "Action": "ssm-contacts:GetContactPolicy",
              "Effect": "Allow",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:aws:ssm-contacts:*:",
                    {
                      "Ref": "AWS::AccountId"
                    },
                    ":contact/*"
                  ]
                ]
              }
            },
            {
              "Action": "acm-pca:GetPolicy",
              "Effect": "Allow",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:aws:acm-pca:*:",
                    {
                      "Ref": "AWS::AccountId"
                    },
                    ":certificate-authority/*"
                  ]
                ]
              }
            },
            {
              "Action": "refactor-spaces:GetResourcePolicy",
              "Effect": "Allow",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:aws:refactor-spaces:*:",
                    {
                      "Ref": "AWS::AccountId"
                    },
                    ":environment/*"
                  ]
                ]
              }
            },
            {
              "Action": "network-firewall:DescribeResourcePolicy",
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::Join": [
                    "",
                    [
                      "arn:aws:network-firewall:*:",
                      {
                        "Ref": "AWS::AccountId"
                      },
                      ":stateful-rulegroup/*"
                    ]
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      "arn:aws:network-firewall:*:",
                      {
                        "Ref": "AWS::AccountId"
                      },
                      ":stateless-rulegroup/*"
                    ]
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      "arn:aws:network-firewall:*:",
                      {
                        "Ref": "AWS::AccountId"
                      },
                      ":firewall-policy/*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": "glue:GetResourcePolicy",
              "Effect": "Allow",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:aws:glue:*:",
                    {
                      "Ref": "AWS::AccountId"
                    },
                    ":catalog"
                  ]
                ]
              }
            },
            {
              "Action": "route53resolver:GetFirewallRuleGroupPolicy",
              "Effect": "Allow",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:aws:route53resolver:*:",
                    {
                      "Ref": "AWS::AccountId"
                    },
                    ":firewall-rule-group/*"
                  ]
                ]
              }
            },
            {
              "Action": "vpc-lattice:GetResourcePolicy",
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::Join": [
                    "",
                    [
                      "arn:aws:vpc-lattice:*:",
                      {
                        "Ref": "AWS::AccountId"
                      },
                      ":service/*"
                    ]
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      "arn:aws:vpc-lattice:*:",
                      {
                        "Ref": "AWS::AccountId"
                      },
                      ":servicenetwork/*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": "ec2:GetResourcePolicy",
              "Effect": "Allow",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:aws:ec2:*:",
                    {
                      "Ref": "AWS::AccountId"
                    },
                    ":verified-access-group/*"
                  ]
                ]
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "ScanSpokePolicy7A5F4EE9",
        "Roles": [
          {
            "Ref": "SpokeStackRoleE52E7349"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-spoke/ScanSpokePolicy/Resource",
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "W12",
              "reason": "Resource * is necessary to allow scanning all resources using the listed operations."
            }
          ]
        }
      }
    },
    "SpokeStackRoleE52E7349": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "AWS": {
                  "Fn::Join": [
                    "",
                    [
                      "arn:aws:iam::",
                      {
                        "Ref": "HubAccountId"
                      },
                      ":role/",
                      {
                        "Ref": "DeploymentNamespace"
                      },
                      "-",
                      {
                        "Ref": "AWS::Region"
                      },
                      "-ValidateSpokeAccess"
                    ]
                  ]
                }
              }
            },
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "AWS": {
                  "Fn::Join": [
                    "",
                    [
                      "arn:aws:iam::",
                      {
                        "Ref": "HubAccountId"
                      },
                      ":role/",
                      {
                        "Ref": "DeploymentNamespace"
                      },
                      "-",
                      {
                        "Ref": "AWS::Region"
                      },
                      "-PolicyExplorerScanSpokeResource"
                    ]
                  ]
                }
              }
            },
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "AWS": {
                  "Fn::Join": [
                    "",
                    [
                      "arn:aws:iam::",
                      {
                        "Ref": "HubAccountId"
                      },
                      ":role/",
                      {
                        "Ref": "DeploymentNamespace"
                      },
                      "-",
                      {
                        "Ref": "AWS::Region"
                      },
                      "-PolicyExplorerScanSingleAccountResource"
                    ]
                  ]
                }
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "RoleName": {
          "Fn::Join": [
            "",
            [
              {
                "Ref": "DeploymentNamespace"
              },
              "-",
              {
                "Ref": "AWS::Region"
              },
              "-AccountAssessment-Spoke-ExecutionRole"
            ]
          ]
        }
      },
      "Metadata": {
        "aws:cdk:path": "account-assessment-for-aws-organizations-spoke/SpokeStackRole/Resource",
        "cfn_nag": {
          "rules_to_suppress": [
            {
              "id": "W11",
              "reason": "Resource * is necessary to allow scanning all resources using the listed operations."
            },
            {
              "id": "W28",
              "reason": "This role needs an explicit name so that the Hub Stack can reference the role in all Spoke Stacks."
            }
          ]
        }
      }
    }
  }
}