New folder structure phase 1

2026-02-10 06:45:08 +00:00 · 2022-05-25 12:54:15 +02:00
parent 432416d09e
commit 5ad517ce83
305 changed files with 0 additions and 0 deletions
--- a/contrib/multi-account-securityhub/templates/CF-Prowler-IAM.yml
+++ b/contrib/multi-account-securityhub/templates/CF-Prowler-IAM.yml
@@ -0,0 +1,105 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: This Template will create the IAM Roles needed for the Prowler infrastructure
+Parameters:
+  ProwlerCrossAccountRoleName:
+    Type: String
+    Description: Name of the cross account Prowler IAM Role
+    AllowedPattern: ^[\w+=,.@-]{1,64}$
+    ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -]
+    Default: ProwlerXA-Role
+  ECSExecutionRoleName:
+    Type: String
+    Description: Name for the ECS Task Execution Role
+    AllowedPattern: ^[\w+=,.@-]{1,64}$
+    ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -]
+    Default: ECSTaskExecution-Role
+  ProwlerTaskRoleName:
+    Type: String
+    Description: Name for the ECS Prowler Task Role
+    AllowedPattern: ^[\w+=,.@-]{1,64}$
+    ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -]
+    Default: ProwlerECSTask-Role
+  ECSEventRoleName:
+    Type: String
+    Description: Name for the Eventbridge Task Role
+    AllowedPattern: ^[\w+=,.@-]{1,64}$
+    ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -]
+    Default: ProwlerEvents-Role
+Resources:
+  ECSExecutionRole:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: !Ref ECSExecutionRoleName
+      ManagedPolicyArns:
+        - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+        - Sid: ECSExecutionTrust
+          Effect: Allow
+          Principal:
+            Service: ecs-tasks.amazonaws.com
+          Action: sts:AssumeRole
+  ProwlerTaskRole:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: !Ref ProwlerTaskRoleName
+      Policies:
+      - PolicyName: ProwlerAssumeRole
+        PolicyDocument:
+          Version: '2012-10-17'
+          Statement:
+          - Sid: AllowProwlerAssumeRole
+            Effect: Allow
+            Action: sts:AssumeRole
+            Resource:
+            - !Sub arn:aws:iam::*:role/${ProwlerCrossAccountRoleName}
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+        - Sid: ECSExecutionTrust
+          Effect: Allow
+          Principal:
+            Service: ecs-tasks.amazonaws.com
+          Action: sts:AssumeRole
+  ECSEventRole:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: !Ref ECSEventRoleName
+      Policies:
+      - PolicyName: AllowProwlerEventsECS
+        PolicyDocument:
+          Version: '2012-10-17'
+          Statement:
+          - Effect: Allow
+            Action:
+            - ecs:RunTask
+            Resource:
+            - "*"
+            Sid: EventRunECS
+          - Effect: Allow
+            Action: iam:PassRole
+            Resource:
+            - "*"
+            Sid: EventPassRole
+            Condition:
+              StringLike:
+                iam:PassedToService: ecs-tasks.amazonaws.com
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+        - Sid: EventsECSExecutionTrust
+          Effect: Allow
+          Principal:
+            Service: events.amazonaws.com
+          Action: sts:AssumeRole
+Outputs:
+  ECSExecutionRoleARN:
+    Description: ARN of the ECS Task Execution Role
+    Value: !GetAtt ECSExecutionRole.Arn
+  ProwlerTaskRoleARN:
+    Description: ARN of the ECS Prowler Task Role
+    Value: !GetAtt ProwlerTaskRole.Arn
+  ECSEventRoleARN:
+    Description: ARN of the Eventbridge Task Role
+    Value: !GetAtt ECSEventRole.Arn