AWSTemplateFormatVersion: 2010-09-09 Description: Create the Cross-Account IAM Prowler Role Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: default: EC2 Settings Parameters: - ProwlerEc2Account - ProwlerEc2Role - Label: default: S3 Settings Parameters: - ProwlerS3 - Label: default: CrossAccount Role Parameters: - ProwlerCrossAccountRole Parameters: ProwlerS3: Type: String Description: Enter S3 Bucket for Prowler Reports. prefix-awsaccount-awsregion AllowedPattern: ^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$ Default: prowler-123456789012-us-east-1 ProwlerEc2Account: Type: String Description: Enter AWS Account Number where Prowler EC2 Instance will reside. AllowedPattern: ^\d{12}$ ConstraintDescription: An AWS Account Number must be a 12 digit numeric string. ProwlerEc2Role: Type: String Description: Enter Instance Role that will be given to the Prowler EC2 Instance (needed to grant sts:AssumeRole rights). AllowedPattern: ^[\w+=,.@-]{1,64}$ ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -] Default: ProwlerEC2-Role ProwlerCrossAccountRole: Type: String Description: Enter Name for CrossAccount Role to be created for Prowler to assess all Accounts in the AWS Organization. AllowedPattern: ^[\w+=,.@-]{1,64}$ ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -] Default: ProwlerXA-Role Resources: ProwlerRole: Type: AWS::IAM::Role Properties: Description: Provides Prowler EC2 instance permissions to assess security of Accounts in AWS Organization RoleName: !Ref ProwlerCrossAccountRole Tags: - Key: App Value: Prowler AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: AWS: - !Sub arn:${AWS::Partition}:iam::${ProwlerEc2Account}:root Action: - sts:AssumeRole Condition: StringLike: aws:PrincipalArn: !Sub arn:${AWS::Partition}:iam::${ProwlerEc2Account}:role/${ProwlerEc2Role} ManagedPolicyArns: - !Sub arn:${AWS::Partition}:iam::aws:policy/SecurityAudit - !Sub arn:${AWS::Partition}:iam::aws:policy/job-function/ViewOnlyAccess Policies: - PolicyName: Prowler-Additions-Policy PolicyDocument: Version: 2012-10-17 Statement: - Sid: AllowMoreReadForProwler Effect: Allow Resource: "*" Action: - ds:ListAuthorizedApplications - ec2:GetEbsEncryptionByDefault - ecr:Describe* - elasticfilesystem:DescribeBackupPolicy - glue:GetConnections - glue:GetSecurityConfiguration - glue:SearchTables - lambda:GetFunction - s3:GetAccountPublicAccessBlock - shield:DescribeProtection - shield:GetSubscriptionState - ssm:GetDocument - support:Describe* - tag:GetTagKeys - PolicyName: Prowler-S3-Reports PolicyDocument: Version: 2012-10-17 Statement: - Sid: AllowGetPutListObject Effect: Allow Resource: - !Sub arn:${AWS::Partition}:s3:::${ProwlerS3} - !Sub arn:${AWS::Partition}:s3:::${ProwlerS3}/* Action: - s3:GetObject - s3:PutObject - s3:ListBucket Metadata: cfn_nag: rules_to_suppress: - id: W11 reason: "Prowler requires these rights to perform its Security Assessment." - id: W28 reason: "Using a defined Role Name." Outputs: ProwlerCrossAccountRole: Description: CrossAccount Role to be used by Prowler to assess AWS Accounts in the AWS Organization. Value: !Ref ProwlerCrossAccountRole