AWSTemplateFormatVersion: '2010-09-09'
#
# You can invoke CloudFormation and pass the principal ARN from a command line like this:
# aws cloudformation create-stack \
#  --capabilities CAPABILITY_IAM --capabilities CAPABILITY_NAMED_IAM \
#  --template-body "file://create_role_to_assume_cfn.yaml" \
#  --stack-name "ProwlerExecRole" \
#  --parameters "ParameterKey=AuthorisedARN,ParameterValue=arn:aws:iam::123456789012:root"
#
Description: | 
  This template creates an AWS IAM Role with an inline policy and two AWS managed policies
  attached. It sets the trust policy on that IAM Role to permit a named ARN in another AWS
  account to assume that role. The role name and the ARN of the trusted user can all be passed
  to the CloudFormation stack as parameters. Then you can run Prowler to perform a security
  assessment with a command like:
  ./prowler -A <THIS_ACCOUNT_ID> -R ProwlerExecRole
Parameters:
  AuthorisedARN:
    Description: |
      ARN of user who is authorised to assume the role that is created by this template.
      E.g., arn:aws:iam::123456789012:root
    Type: String
  ProwlerRoleName:
    Description: |
      Name of the IAM role that will have these policies attached. Default: ProwlerExecRole
    Type: String
    Default: 'ProwlerExecRole'

Resources:
  ProwlerExecRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub ${AuthorisedARN}
            Action: 'sts:AssumeRole'
            ## In case MFA is required uncomment lines below and read https://github.com/toniblyx/prowler#run-prowler-with-mfa-protected-credentials
            # Condition:
            #   Bool:
            #     'aws:MultiFactorAuthPresent': true
      # This is 12h that is maximum allowed, Minimum is 3600 = 1h
      # to take advantage of this use -T like in './prowler -A <ACCOUNT_ID_TO_ASSUME> -R ProwlerExecRole -T 43200 -M text,html'
      MaxSessionDuration: 43200
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/SecurityAudit'
        - 'arn:aws:iam::aws:policy/job-function/ViewOnlyAccess'
      RoleName: !Sub ${ProwlerRoleName}
      Policies: 
        - PolicyName: ProwlerExecRoleAdditionalViewPrivileges
          PolicyDocument:
            Version : '2012-10-17'
            Statement:
            - Effect: Allow
              Action:
                - 'ds:ListAuthorizedApplications'
                - 'ec2:GetEbsEncryptionByDefault'
                - 'ecr:Describe*'
                - 'support:Describe*'
                - 'tag:GetTagKeys'
                - 'lambda:GetFunction'
                - 'glue:GetConnections'
                - 's3:GetAccountPublicAccessBlock'
              Resource: '*'