AWSTemplateFormatVersion: 2010-09-09
Description: Create the Cross-Account IAM Prowler Role
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: ECS Settings
        Parameters:
          - ProwlerEcsAccount
          - ProwlerTaskRoleName
      - Label:
          default: CrossAccount Role
        Parameters:
          - ProwlerCrossAccountRole
Parameters:
  ProwlerEcsAccount:
    Type: String
    Description: Enter AWS Account Number where Prowler ECS Task will reside.
    AllowedPattern: ^\d{12}$
    ConstraintDescription: An AWS Account Number must be a 12 digit numeric string.
  ProwlerTaskRoleName:
    Type: String
    Description: Enter Instance Role that will be given to the Prowler ECS Instance (needed to grant sts:AssumeRole rights).
    AllowedPattern: ^[\w+=,.@-]{1,64}$
    ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -]
    Default: ProwlerECSTask-Role
  ProwlerCrossAccountRole:
    Type: String
    Description: Enter Name for CrossAccount Role to be created for Prowler to assess all Accounts in the AWS Organization.
    AllowedPattern: ^[\w+=,.@-]{1,64}$
    ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -]
    Default: ProwlerXA-Role
Resources:
  ProwlerRole:
    Type: AWS::IAM::Role
    Properties:
      Description: Provides Prowler ECS tasks permissions to assess security of Accounts in AWS Organization
      RoleName: !Ref ProwlerCrossAccountRole
      Tags:
        - Key: App
          Value: Prowler
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                - !Sub arn:${AWS::Partition}:iam::${ProwlerEcsAccount}:role/${ProwlerTaskRoleName}
            Action:
              - sts:AssumeRole
      ManagedPolicyArns:
        - !Sub arn:${AWS::Partition}:iam::aws:policy/SecurityAudit
        - !Sub arn:${AWS::Partition}:iam::aws:policy/job-function/ViewOnlyAccess
      Policies:
        - PolicyName: Prowler-Additions-Policy
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Sid: AllowMoreReadForProwler
                Effect: Allow
                Resource: "*"
                Action:
                  - ds:ListAuthorizedApplications
                  - ec2:GetEbsEncryptionByDefault
                  - ecr:Describe*
                  - elasticfilesystem:DescribeBackupPolicy
                  - glue:GetConnections
                  - glue:GetSecurityConfiguration
                  - glue:SearchTables
                  - lambda:GetFunction
                  - s3:GetAccountPublicAccessBlock
                  - shield:DescribeProtection
                  - shield:GetSubscriptionState
                  - ssm:GetDocument
                  - support:Describe*
                  - tag:GetTagKeys
        - PolicyName: Prowler-Security-Hub
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Sid: AllowProwlerSecurityHub
                Effect: Allow
                Resource: "*"
                Action:
                  - securityhub:BatchImportFindings
                  - securityhub:GetFindings
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W11
            reason: "Prowler requires these rights to perform its Security Assessment."
          - id: W28
            reason: "Using a defined Role Name."
Outputs:
  ProwlerCrossAccountRole:
    Description: CrossAccount Role to be used by Prowler to assess AWS Accounts in the AWS Organization.
    Value: !Ref ProwlerCrossAccountRole