From 1fefc11d8e2c5c989efec1351f9710da21c1be06 Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Mon, 29 Jun 2020 15:06:54 +0200
Subject: [PATCH] CFN template helper for role

---
 iam/create_role_to_assume_cfn.yaml | 37 ++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 iam/create_role_to_assume_cfn.yaml

diff --git a/iam/create_role_to_assume_cfn.yaml b/iam/create_role_to_assume_cfn.yaml
new file mode 100644
index 00000000..14f6574e
--- /dev/null
+++ b/iam/create_role_to_assume_cfn.yaml
@@ -0,0 +1,37 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: 'This template creates a custom policy and role to be assumed by account 123456789012 (change it in line 12 as needed) to run Prowler from and perform a security assessment with a command like: ./prowler -A -R ProwlerExecRole'
+Resources:
+ ProwlerExecRole:
+ Type: AWS::IAM::Role
+ Properties:
+ AssumeRolePolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Principal:
+ AWS: arn:aws:iam::123456789012:root
+ Action: 'sts:AssumeRole'
+ ## In case MFA is required uncomment lines below
+ ## and read https://github.com/toniblyx/prowler#run-prowler-with-mfa-protected-credentials
+ # Condition:
+ # Bool:
+ # 'aws:MultiFactorAuthPresent': true
+ ManagedPolicyArns:
+ - 'arn:aws:iam::aws:policy/SecurityAudit'
+ - 'arn:aws:iam::aws:policy/job-function/ViewOnlyAccess'
+ RoleName: ProwlerExecRole
+ Policies:
+ - PolicyName: ProwlerExecRoleAdditionalViewPrivileges
+ PolicyDocument:
+ Version : '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Action:
+ - 'dax:ListTables'
+ - 'ds:ListAuthorizedApplications'
+ - 'ds:DescribeRoles'
+ - 'ec2:GetEbsEncryptionByDefault'
+ - 'ecr:Describe*'
+ - 'support:Describe*'
+ - 'tag:GetTagKeys'
+ Resource: '*'
\ No newline at end of file
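Review bot: The trusted principal on the `AWS: arn:aws:iam::123456789012:root` line is a hard-coded placeholder that the Description asks users to edit "in line 12", which is fragile and easy to get wrong; a CloudFormation `Parameters` entry with an `AllowedPattern` for a 12-digit account ID and `!Sub` in the principal ARN makes the template reusable without edits and rejects malformed IDs at stack creation. Because a `:root` principal delegates to every identity in the trusted account that is itself allowed `sts:AssumeRole` on this role, the header comment should say so explicitly and point at the commented MFA `Condition` (or a narrower principal ARN) as the way to tighten the trust. Separately, `Version : '2012-10-17'` in the inline PolicyDocument has a stray space before the colon, unlike the `Version: '2012-10-17'` key in the trust policy above it; it should read `Version: '2012-10-17'`.
```yaml
Parameters:
  TrustedAccountId:
    Type: String
    Description: AWS account ID whose principals may assume ProwlerExecRole
    AllowedPattern: '^[0-9]{12}$'
    ConstraintDescription: must be a 12-digit AWS account ID
Resources:
  # … unchanged: ProwlerExecRole Type, Properties, AssumeRolePolicyDocument header, Effect …
            Principal:
              AWS: !Sub 'arn:aws:iam::${TrustedAccountId}:root'
  # … unchanged: Action, MFA condition comments, ManagedPolicyArns, RoleName, Policies …
```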