-
Notifications
You must be signed in to change notification settings - Fork 24
Expand file tree
/
Copy pathCloudFrontierAWS.yml
More file actions
49 lines (49 loc) · 1.57 KB
/
CloudFrontierAWS.yml
File metadata and controls
49 lines (49 loc) · 1.57 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
AWSTemplateFormatVersion: '2010-09-09'
Description: A CloudFormation template that creates an IAM role with read-only policies, used by Cloud Frontier's AWS asset collectors.
Parameters:
DeploymentAccountID:
Type: String
Description: The AWS account ID to which Cloud Frontier will be deployed to. Eg. 123456789012.
Resources:
CloudFrontierRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
AWS: !Sub "arn:aws:iam::${DeploymentAccountID}:root"
Action: sts:AssumeRole
Path: "/"
ManagedPolicyArns:
- arn:aws:iam::aws:policy/ReadOnlyAccess
Policies:
- PolicyName: DenyDataAccessPolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Deny
Action:
- cloudformation:GetTemplate
- dynamodb:GetItem
- dynamodb:BatchGetItem
- dynamodb:Query
- dynamodb:Scan
- ec2:GetConsoleOutput
- ec2:GetConsoleScreenshot
- ecr:BatchGetImage
- ecr:GetAuthorizationToken
- ecr:GetDownloadUrlForLayer
- kinesis:Get*
- lambda:GetFunction
- logs:GetLogEvents
- s3:GetObject
- sdb:Select*
- sqs:ReceiveMessage
Resource:
- "*"
Outputs:
CloudFrontierRoleARN:
Description: ARN of the created role.
Value: !GetAtt CloudFrontierRole.Arn