From 64667ea9d0aced4303ddf5680b0dacae2232d1e6 Mon Sep 17 00:00:00 2001 From: "Mr. Secure" Date: Fri, 11 Oct 2019 21:46:20 -0500 Subject: [PATCH] grant codebuild the ability to assume audit role --- util/Audit_Exec_Role.yaml | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/util/Audit_Exec_Role.yaml b/util/Audit_Exec_Role.yaml index ba9129a5..673defaa 100644 --- a/util/Audit_Exec_Role.yaml +++ b/util/Audit_Exec_Role.yaml @@ -26,14 +26,19 @@ Resources: AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - - - Effect: "Allow" + - Effect: "Allow" Principal: AWS: # TODO: review permissions to see if this can be narrowed down - code build only perhaps - !Sub "arn:aws:iam::${AuditorAccountId}:root" - - !Sub "arn:aws:iam::${AuditorAccountId}:role${AuditRolePathName}" Action: - "sts:AssumeRole" + - Effect: "Allow" + Principal: + Service: + - "codebuild.amazonaws.com" + Action: + - "sts:AssumeRole" + # TODO: restrict to only AuditorAccount only Policies: - PolicyName: "ProwlerPolicyAdditions" PolicyDocument:
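Review bot: The new `codebuild.amazonaws.com` trust statement has no `Condition`, so the role is assumable by the CodeBuild service on behalf of any project in any account that can name the role ARN, which is the cross-service confused-deputy case the trailing `# TODO: restrict to only AuditorAccount only` acknowledges but does not close. Since the template already has an `AuditorAccountId` parameter, the restriction is three lines inside the added statement: `Condition:` / `  StringEquals:` / `    "aws:SourceAccount": !Ref AuditorAccountId` (an `aws:SourceArn` pattern on `arn:aws:codebuild:*:${AuditorAccountId}:project/*` would narrow it further if the project name is known). The `AWS: ...:root` principal kept in the first statement already grants the whole auditor account, so presumably the service statement is meant to be at least that narrow — confirm with the owner. The `AssumeRolePolicyDocument` belongs to a role resource whose header starts before the hunk and whose `Policies` continue after it.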