diff --git a/.github/workflows/generate-aws-cloudformation-template.yaml b/.github/workflows/generate-aws-cloudformation-template.yaml
new file mode 100644
index 0000000000..485766ccd7
--- /dev/null
+++ b/.github/workflows/generate-aws-cloudformation-template.yaml
@@ -0,0 +1,45 @@
+name: Generate Meta Parent Policy Templates
+
+on:
+ # Trigger this workflow on pushes to master
+ push:
+ branches:
+ - master
+
+ # Workflow dispatch trigger allows manually running workflow
+ workflow_dispatch:
+ branches:
+ - master
+
+jobs:
+ meta-parent-policy-templates:
+ name: "Generate AWS CloudFormation Template"
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ fetch-depth: 0 # Speed up checkout by not fetching history
+
+ - uses: ruby/setup-ruby@v1
+
+ - name: Generate AWS CloudFormation Template
+ working-directory: tools/cloudformation-template
+ run: |
+ ruby aws_cft_generator.rb
+
+ - name: Create Pull Request
+ id: cpr
+ uses: peter-evans/create-pull-request@v4
+ with:
+ commit-message: "Update AWS CloudFormation Template"
+ title: "Update AWS CloudFormation Template"
+ body: "Update AWS CloudFormation Template from GitHub Actions Workflow [${{ github.workflow }}](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})"
+ branch: "task/update-aws-cloudformation-template"
+ delete-branch: true
+ labels: "automation"
+
+ - name: Check outputs
+ if: ${{ steps.cpr.outputs.pull-request-number }}
+ run: |
+ echo "Pull Request Number - ${{ steps.cpr.outputs.pull-request-number }}"
+ echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}"
diff --git a/.spellignore b/.spellignore
index 80a06e02b1..40d172bc92 100644
--- a/.spellignore
+++ b/.spellignore
@@ -585,6 +585,9 @@ FSM
 ByteCount
 PacketCount
 balancers
+OUs
+README
+readme
 backfill
 FNMS
 CBI
diff --git a/compliance/aws/untagged_resources/README.md b/compliance/aws/untagged_resources/README.md
index c0dac9aee2..4de7a12851 100644
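Review bot: The `fetch-depth: 0` on the checkout step does the opposite of what its comment says — `0` fetches the full history, while the shallow clone the comment describes is the action's default (`1`), so either drop the `with:` block or fix the comment to `# Full history is not needed here; consider the default shallow clone`. The workflow declares no `permissions:` block, yet the `peter-evans/create-pull-request@v4` step needs to push a branch and open a PR; depending on the repository's default `GITHUB_TOKEN` setting this either fails with a read-only token or runs with broader write scope than the job needs, so declare the minimum explicitly at the top level: `permissions:` / `  contents: write` / `  pull-requests: write`. The `branches:` filter under `workflow_dispatch:` is not a supported key for that trigger and is silently ignored, so those two lines should be removed to avoid implying a restriction that does not exist. The third-party actions (`ruby/setup-ruby@v1`, `peter-evans/create-pull-request@v4`) are referenced by mutable tags; since this job writes to the repository, pinning them to a full commit SHA (with the tag in a trailing comment) limits exposure to a compromised or force-moved tag.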
--- a/compliance/aws/untagged_resources/README.md +++ b/compliance/aws/untagged_resources/README.md @@ -52,7 +52,7 @@ This Policy Template uses [Credentials](https://docs.flexera.com/flexera/EN/Auto - `ec2:DescribeRegions` - `tag:GetResources` - `tag:TagResources`* - - `organizations:TagResources`* + - `organizations:TagResource`* \* Only required for taking action (adding tags); the policy will still function in a read-only capacity without these permissions. @@ -69,7 +69,7 @@ This Policy Template uses [Credentials](https://docs.flexera.com/flexera/EN/Auto "ec2:DescribeRegions", "tag:GetResources", "tag:TagResources", - "organizations:TagResources" + "organizations:TagResource" ], "Resource": "*" } diff --git a/cost/aws/s3_storage_policy/README.md b/cost/aws/s3_storage_policy/README.md index 0895c74707..51ab945753 100644 --- a/cost/aws/s3_storage_policy/README.md +++ b/cost/aws/s3_storage_policy/README.md @@ -36,7 +36,7 @@ For administrators [creating and managing credentials](https://docs.flexera.com/ - `s3:ListAllMyBuckets` - `s3:GetBucketLocation` - `s3:GetBucketTagging` - - `s3:GetBucketIntelligentTieringConfiguration` + - `s3:GetIntelligentTieringConfiguration` - `sts:GetCallerIdentity` Example IAM Permission Policy: @@ -51,7 +51,7 @@ For administrators [creating and managing credentials](https://docs.flexera.com/ "s3:ListAllMyBuckets", "s3:GetBucketLocation", "s3:GetBucketTagging", - "s3:GetBucketIntelligentTieringConfiguration", + "s3:GetIntelligentTieringConfiguration", "sts:GetCallerIdentity" ], "Resource": "*" diff --git a/data/policy_permissions_list/master_policy_permissions_list.json b/data/policy_permissions_list/master_policy_permissions_list.json index 658058dee8..7cc40460c6 100644 --- a/data/policy_permissions_list/master_policy_permissions_list.json +++ b/data/policy_permissions_list/master_policy_permissions_list.json 
@@ -677,7 +677,7 @@ "description": "Only required for taking action (adding tags); the policy will still function in a read-only capacity without these permissions." }, { - "name": "organizations:TagResources", + "name": "organizations:TagResource", "read_only": false, "required": false, "description": "Only required for taking action (adding tags); the policy will still function in a read-only capacity without these permissions." @@ -2642,7 +2642,7 @@ "required": true }, { - "name": "s3:GetBucketIntelligentTieringConfiguration", + "name": "s3:GetIntelligentTieringConfiguration", "read_only": true, "required": true }, @@ -8705,7 +8705,7 @@ "required": true }, { - "name": "s3:ListBuckets", + "name": "s3:ListAllMyBuckets", "read_only": true, "required": true }, @@ -8752,7 +8752,7 @@ "required": true }, { - "name": "s3:ListBuckets", + "name": "s3:ListAllMyBuckets", "read_only": true, "required": true }, @@ -8805,7 +8805,7 @@ "required": true }, { - "name": "s3:ListBuckets", + "name": "s3:ListAllMyBuckets", "read_only": true, "required": true }, @@ -8820,7 +8820,7 @@ "required": true }, { - "name": "s3:GetPublicAccessBlock", + "name": "s3:GetBucketPublicAccessBlock", "read_only": true, "required": true } @@ -8852,7 +8852,7 @@ "required": true }, { - "name": "s3:ListBuckets", + "name": "s3:ListAllMyBuckets", "read_only": true, "required": true }, @@ -8899,7 +8899,7 @@ "required": true }, { - "name": "s3:ListBuckets", + "name": "s3:ListAllMyBuckets", "read_only": true, "required": true }, @@ -8914,12 +8914,12 @@ "required": true }, { - "name": "s3:GetBucketEncryption", + "name": "s3:GetEncryptionConfiguration", "read_only": true, "required": true }, { - "name": "s3:PutBucketEncryption", + "name": "s3:PutEncryptionConfiguration", "read_only": false, "required": false, "description": "Only required for taking action; the policy will still function in a read-only capacity without these permissions." 
diff --git a/data/policy_permissions_list/master_policy_permissions_list.yaml b/data/policy_permissions_list/master_policy_permissions_list.yaml index 98fd17273a..a2da1fd1c0 100644 --- a/data/policy_permissions_list/master_policy_permissions_list.yaml +++ b/data/policy_permissions_list/master_policy_permissions_list.yaml @@ -382,7 +382,7 @@ required: false description: Only required for taking action (adding tags); the policy will still function in a read-only capacity without these permissions. - - name: organizations:TagResources + - name: organizations:TagResource read_only: false required: false description: Only required for taking action (adding tags); the policy will @@ -1518,7 +1518,7 @@ - name: s3:GetBucketTagging read_only: true required: true - - name: s3:GetBucketIntelligentTieringConfiguration + - name: s3:GetIntelligentTieringConfiguration read_only: true required: true - name: sts:GetCallerIdentity @@ -4991,7 +4991,7 @@ - name: sts:GetCallerIdentity read_only: true required: true - - name: s3:ListBuckets + - name: s3:ListAllMyBuckets read_only: true required: true - name: s3:GetBucketLocation @@ -5017,7 +5017,7 @@ - name: sts:GetCallerIdentity read_only: true required: true - - name: s3:ListBuckets + - name: s3:ListAllMyBuckets read_only: true required: true - name: s3:GetBucketLocation @@ -5048,7 +5048,7 @@ - name: sts:GetCallerIdentity read_only: true required: true - - name: s3:ListBuckets + - name: s3:ListAllMyBuckets read_only: true required: true - name: s3:GetBucketLocation @@ -5057,7 +5057,7 @@ - name: s3:GetBucketTagging read_only: true required: true - - name: s3:GetPublicAccessBlock + - name: s3:GetBucketPublicAccessBlock read_only: true required: true - :name: flexera @@ -5074,7 +5074,7 @@ - name: sts:GetCallerIdentity read_only: true required: true - - name: s3:ListBuckets + - name: s3:ListAllMyBuckets read_only: true required: true - name: s3:GetBucketLocation 
@@ -5100,7 +5100,7 @@ - name: sts:GetCallerIdentity read_only: true required: true - - name: s3:ListBuckets + - name: s3:ListAllMyBuckets read_only: true required: true - name: s3:GetBucketLocation @@ -5109,10 +5109,10 @@ - name: s3:GetBucketTagging read_only: true required: true - - name: s3:GetBucketEncryption + - name: s3:GetEncryptionConfiguration read_only: true required: true - - name: s3:PutBucketEncryption + - name: s3:PutEncryptionConfiguration read_only: false required: false description: Only required for taking action; the policy will still function diff --git a/security/aws/s3_buckets_deny_http/README.md b/security/aws/s3_buckets_deny_http/README.md index 6557862530..996d9a55cc 100644 --- a/security/aws/s3_buckets_deny_http/README.md +++ b/security/aws/s3_buckets_deny_http/README.md @@ -40,7 +40,7 @@ This Policy Template uses [Credentials](https://docs.flexera.com/flexera/EN/Auto - [**AWS Credential**](https://docs.flexera.com/flexera/EN/Automation/ProviderCredentials.htm#automationadmin_1982464505_1121575) (*provider=aws*) which has the following permissions: - `sts:GetCallerIdentity` - - `s3:ListBuckets` + - `s3:ListAllMyBuckets` - `s3:GetBucketLocation` - `s3:GetBucketTagging` - `s3:GetBucketPolicy` @@ -55,7 +55,7 @@ This Policy Template uses [Credentials](https://docs.flexera.com/flexera/EN/Auto "Effect": "Allow", "Action": [ "sts:GetCallerIdentity", - "s3:ListBuckets", + "s3:ListAllMyBuckets", "s3:GetBucketLocation", "s3:GetBucketTagging", "s3:GetBucketPolicy" diff --git a/security/aws/s3_buckets_without_server_access_logging/README.md b/security/aws/s3_buckets_without_server_access_logging/README.md index 510065093e..cc007c125a 100644 --- a/security/aws/s3_buckets_without_server_access_logging/README.md +++ b/security/aws/s3_buckets_without_server_access_logging/README.md 
@@ -30,7 +30,7 @@ This Policy Template uses [Credentials](https://docs.flexera.com/flexera/EN/Auto - [**AWS Credential**](https://docs.flexera.com/flexera/EN/Automation/ProviderCredentials.htm#automationadmin_1982464505_1121575) (*provider=aws*) which has the following permissions: - `sts:GetCallerIdentity` - - `s3:ListBuckets` + - `s3:ListAllMyBuckets` - `s3:GetBucketLocation` - `s3:GetBucketTagging` - `s3:GetBucketLogging` @@ -48,7 +48,7 @@ This Policy Template uses [Credentials](https://docs.flexera.com/flexera/EN/Auto "Effect": "Allow", "Action": [ "sts:GetCallerIdentity", - "s3:ListBuckets", + "s3:ListAllMyBuckets", "s3:GetBucketLocation", "s3:GetBucketTagging", "s3:GetBucketLogging", diff --git a/security/aws/s3_ensure_buckets_block_public_access/README.md b/security/aws/s3_ensure_buckets_block_public_access/README.md index 0a66c2ce0b..8693dd9a24 100644 --- a/security/aws/s3_ensure_buckets_block_public_access/README.md +++ b/security/aws/s3_ensure_buckets_block_public_access/README.md @@ -40,10 +40,10 @@ This Policy Template uses [Credentials](https://docs.flexera.com/flexera/EN/Auto - [**AWS Credential**](https://docs.flexera.com/flexera/EN/Automation/ProviderCredentials.htm#automationadmin_1982464505_1121575) (*provider=aws*) which has the following permissions: - `sts:GetCallerIdentity` - - `s3:ListBuckets` + - `s3:ListAllMyBuckets` - `s3:GetBucketLocation` - `s3:GetBucketTagging` - - `s3:GetPublicAccessBlock` + - `s3:GetBucketPublicAccessBlock` Example IAM Permission Policy: @@ -55,10 +55,10 @@ This Policy Template uses [Credentials](https://docs.flexera.com/flexera/EN/Auto "Effect": "Allow", "Action": [ "sts:GetCallerIdentity", - "s3:ListBuckets", + "s3:ListAllMyBuckets", "s3:GetBucketLocation", "s3:GetBucketTagging", - "s3:GetPublicAccessBlock" + "s3:GetBucketPublicAccessBlock" ], "Resource": "*" } diff --git a/security/aws/s3_ensure_mfa_delete_enabled/README.md b/security/aws/s3_ensure_mfa_delete_enabled/README.md index 0738987c8e..0e49ed5b88 100644 
--- a/security/aws/s3_ensure_mfa_delete_enabled/README.md +++ b/security/aws/s3_ensure_mfa_delete_enabled/README.md @@ -31,7 +31,7 @@ This Policy Template uses [Credentials](https://docs.flexera.com/flexera/EN/Auto - [**AWS Credential**](https://docs.flexera.com/flexera/EN/Automation/ProviderCredentials.htm#automationadmin_1982464505_1121575) (*provider=aws*) which has the following permissions: - `sts:GetCallerIdentity` - - `s3:ListBuckets` + - `s3:ListAllMyBuckets` - `s3:GetBucketLocation` - `s3:GetBucketTagging` - `s3:GetBucketVersioning` @@ -46,7 +46,7 @@ This Policy Template uses [Credentials](https://docs.flexera.com/flexera/EN/Auto "Effect": "Allow", "Action": [ "sts:GetCallerIdentity", - "s3:ListBuckets", + "s3:ListAllMyBuckets", "s3:GetBucketLocation", "s3:GetBucketTagging", "s3:GetBucketVersioning" diff --git a/security/aws/unencrypted_s3_buckets/README.md b/security/aws/unencrypted_s3_buckets/README.md index f08b25b635..fd083cf8d2 100644 --- a/security/aws/unencrypted_s3_buckets/README.md +++ b/security/aws/unencrypted_s3_buckets/README.md @@ -31,11 +31,11 @@ This Policy Template uses [Credentials](https://docs.flexera.com/flexera/EN/Auto - [**AWS Credential**](https://docs.flexera.com/flexera/EN/Automation/ProviderCredentials.htm#automationadmin_1982464505_1121575) (*provider=aws*) which has the following permissions: - `sts:GetCallerIdentity` - - `s3:ListBuckets` + - `s3:ListAllMyBuckets` - `s3:GetBucketLocation` - `s3:GetBucketTagging` - - `s3:GetBucketEncryption` - - `s3:PutBucketEncryption`* + - `s3:GetEncryptionConfiguration` + - `s3:PutEncryptionConfiguration`* - `s3:DeleteBucket`* \* Only required for taking action; the policy will still function in a read-only capacity without these permissions. 
@@ -50,11 +50,11 @@ This Policy Template uses [Credentials](https://docs.flexera.com/flexera/EN/Auto "Effect": "Allow", "Action": [ "sts:GetCallerIdentity", - "s3:ListBuckets", + "s3:ListAllMyBuckets", "s3:GetBucketLocation", "s3:GetBucketTagging", - "s3:GetBucketEncryption", - "s3:PutBucketEncryption", + "s3:GetEncryptionConfiguration", + "s3:PutEncryptionConfiguration", "s3:DeleteBucket" ], "Resource": "*" diff --git a/tools/cloudformation-template/FlexeraAutomationPoliciesSimple.template b/tools/cloudformation-template/FlexeraAutomationPoliciesSimple.template new file mode 100644 index 0000000000..8cfcef5e42 --- /dev/null +++ b/tools/cloudformation-template/FlexeraAutomationPoliciesSimple.template 
@@ -0,0 +1,142 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: "CloudFormation Stack with IAM Role and IAM Permission Policy used by Flexera Automation. Official Docs: https://docs.flexera.com/" +# Read Only for all resources +# For more details, see: https://github.com/flexera-public/policy_templates/blob/master/tools/cloudformation-template/README.md + +Metadata: + # AWS::CloudFormation::Interface is a metadata key that defines how parameters are grouped and sorted in the AWS CloudFormation console. + # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudformation-interface.html + AWS::CloudFormation::Interface: + # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudformation-interface-parametergroup.html + ParameterGroups: + # ParameterGroup with paramFlexeraOrgId should be first. + # paramFlexeraOrgId only param that is actually required (if Org is on app.flexera.com) + - Label: + default: "Parameters related to your Organization on the Flexera Platform" + Parameters: + - paramFlexeraOrgId + - paramFlexeraZone + - Label: + default: "Parameters related to the IAM Role that is created" + Parameters: + - paramRoleName + - paramRolePath + - Label: + default: "Parameters related to permissions policies to attach to role" + Parameters: + # End for each policy template + - paramPermsAttachExistingPolicies + # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudformation-interface-parameterlabel.html + ParameterLabels: + paramRoleName: + # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudformation-interface-label.html + # The default label that the CloudFormation console uses to name a parameter group or parameter. 
+ default: "IAM Role Name" + paramRolePath: + default: "IAM Role Path" + paramFlexeraOrgId: + default: "Flexera Organization ID" + paramFlexeraZone: + default: "Flexera Zone" + # End for each policy template + paramPermsAttachExistingPolicies: + default: "Permission Policies for IAM Role" + +Parameters: + # ParameterGroup: Parameters related to your Organization on the Flexera Platform + paramFlexeraOrgId: + Description: >- + The Organization ID in Flexera which trust will be granted to use the IAM Role that will be created + Type: String + AllowedPattern: "[0-9]+" + MinLength: 1 + ConstraintDescription: Organization ID must be provided and match regex [0-9]+ + paramFlexeraZone: + Description: >- + The Flexera Zone which trust will be granted to. The Organization ID should be located in this Flexera Zone. + Type: String + Default: app.flexera.com + AllowedValues: + - app.flexera.com + - app.flexera.eu + - app.flexera.au + - app.flexeratest.com + + # ParameterGroup: Parameters for the IAM Role that is created + paramRoleName: + Description: Name of the the IAM Role that will be created. If you plan to create more than one IAM Role (i.e. one for each Policy Template, or to trust multiple Orgs) you will need to modify this to prevent naming conflict. + Type: String + Default: FlexeraAutomationAccessRole + # IAM Role Name Max Length is 64chars + MaxLength: 64 + paramRolePath: + Description: Path for the IAM Role that will be created. Generally does not need to be modified. + Type: String + Default: / + + # End for each policy template + paramPermsAttachExistingPolicies: + Description: 'Existing IAM Permission Policies to attach to the IAM Role that will be created. Comma separated list of IAM Policy ARNs -- i.e. 
arn:aws:iam::aws:policy/ReadOnlyAccess' + Type: String + Default: arn:aws:iam::aws:policy/ReadOnlyAccess + # AWS Managed Policy ARN: arn:aws:iam::aws:policy/ReadOnlyAccess + # Customer Managed Policy ARN: arn:aws:iam::123456789012:policy/CustomPolicy + AllowedPattern: '^((arn:aws:iam::(\d{12}|aws)?:policy\/[\w+=,.@-]{1,128})(,)?)*$' + ConstraintDescription: 'Malformed IAM Policy ARN. Must match pattern ^((arn:aws:iam::(\d{12}|aws)?:policy\/[\w+=,.@-]{1,128})(,)?)*$' + +Conditions: + # End for each policy template + ValueProvidedparamPermsAttachExistingPolicies: !Not + - !Equals + - !Ref paramPermsAttachExistingPolicies + - "" + +Mappings: + TrustedRoleMap: + app.flexera.com: + roleArn: "arn:aws:iam::451234325714:role/production_customer_access" + app.flexera.eu: + roleArn: "arn:aws:iam::451234325714:role/production_eu_customer_access" + app.flexera.au: + roleArn: "arn:aws:iam::451234325714:role/production_apac_customer_access" + app.flexeratest.com: + roleArn: "arn:aws:iam::274571843445:role/staging_customer_access" + +Resources: + # IAM Role Resource + iamRole: + Type: "AWS::IAM::Role" + Properties: + RoleName: !Ref paramRoleName + Description: !Join + - " " + - - "Allows access from Flexera Platform. 
This IAM Role and the attached permission policies were created and are managed by CloudFormation Stack:" + - !Ref AWS::StackId + Path: !Ref paramRolePath + AssumeRolePolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Principal: + AWS: !FindInMap + - TrustedRoleMap + - !Ref paramFlexeraZone + - roleArn + Action: "sts:AssumeRole" + Condition: + StringEquals: + "sts:ExternalId": !Ref paramFlexeraOrgId + # ManagedPolicyArns value is conditional based on input paramPermsAttachExistingPolicies + ManagedPolicyArns: !If + - ValueProvidedparamPermsAttachExistingPolicies + # If value is provided for paramPermsAttachExistingPolicies, split that comma-separated list into a list object + - !Split [ ",", !Ref paramPermsAttachExistingPolicies ] + # Provide a null value if nothing provided for paramPermsAttachExistingPolicies + - !Ref AWS::NoValue + +Outputs: + iamRoleArn: + Description: The ARN of the IAM Role that was created + Value: !GetAtt + - iamRole + - Arn diff --git a/tools/cloudformation-template/README.md b/tools/cloudformation-template/README.md index cc9b2f2f96..bea58e3f3a 100644 --- a/tools/cloudformation-template/README.md +++ b/tools/cloudformation-template/README.md 
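Review bot: The `AllowedPattern` on `paramPermsAttachExistingPolicies`, `^((arn:aws:iam::(\d{12}|aws)?:policy\/[\w+=,.@-]{1,128})(,)?)*$`, accepts a trailing comma and an empty account segment (`arn:aws:iam:::policy/x`), so `!Split [ ",", !Ref paramPermsAttachExistingPolicies ]` can pass an empty or malformed ARN into `ManagedPolicyArns` and the error only surfaces at stack creation rather than at parameter validation. A pattern that only admits a separator between items, `^arn:aws:iam::(\d{12}|aws):policy\/[\w+=,.@-]{1,128}(,arn:aws:iam::(\d{12}|aws):policy\/[\w+=,.@-]{1,128})*$`, rejects both cases; `ConstraintDescription` should be updated to match. The partition is hard-coded as `arn:aws`, which presumably means accounts in the GovCloud or China partitions cannot use this parameter at all — worth a note in the parameter `Description` if that is intentional. Separately, `AWSTemplateFormatVersion: 2010-09-09` and `Version: 2012-10-17` are unquoted and are read as dates by generic YAML 1.1 loaders; CloudFormation tolerates this, but linters and round-trip tooling retype them, so quoting them as `"2010-09-09"` and `"2012-10-17"` is the safer form.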
@@ -4,6 +4,16 @@ Template to create a CloudFormation Stack with IAM Role and Permission Policy resources required by [Flexera Automation](https://docs.flexera.com/flexera/EN/Automation/AutomationGS.htm). +Two supported versions are provided as options: + +- [FlexeraAutomationPolicies.template](https://github.com/flexera-public/policy_templates/blob/master/tools/cloudformation-template/FlexeraAutomationPolicies.template): Current approved/stable version of the template. Recommended for most use cases. +- [FlexeraAutomationPoliciesSimple.template](https://github.com/flexera-public/policy_templates/blob/master/tools/cloudformation-template/FlexeraAutomationPoliciesSimple.template): Template that simply attaches the built-in `arn:aws:iam::aws:policy/ReadOnlyAccess` AWS policy by default with the option to add other policies by name manually via parameter. Recommended when custom inline policies are not desired. Note that this grants more access than simply applying [FlexeraAutomationPolicies.template](https://github.com/flexera-public/policy_templates/blob/master/tools/cloudformation-template/FlexeraAutomationPolicies.template) with the default options, since this provides read-only access to everything in the AWS account rather than just to the resources needed for Flexera automation. + +Additionally, two automatically generated rolling release versions are provided but are **not recommended** or supported for production use. These will be used as the basis for the stable releases above. + +- [rolling/FlexeraAutomationPolicies.template](https://github.com/flexera-public/policy_templates/blob/master/tools/cloudformation-template/rolling/FlexeraAutomationPolicies.template): Template to add either read or read/action permissions for either all Flexera automation templates or per-Flexera automation template. 
+- [rolling/FlexeraAutomationPoliciesReadOnly.template](https://github.com/flexera-public/policy_templates/blob/master/tools/cloudformation-template/rolling/FlexeraAutomationPoliciesReadOnly.template): Identical to the above but with only read-only permissions. Recommended when there are concerns over the template having options for more than just read-only access. + ## Amazon S3 Template URL **`https://flexera-cloudformation-public.s3.us-east-2.amazonaws.com/FlexeraAutomationPolicies_latest.template`** @@ -83,7 +93,7 @@ As you follow the official docs, you can use the recommended configurations belo - At bottom, under **Capabilities**, check the box next to `I acknowledge that AWS CloudFormation might create IAM resources with custom names` and click **Submit** button to create the StackSet - This acknowledgement is required because AWS CloudFormation will create an IAM Role and an IAM Policy (as expected). + This acknowledgment is required because AWS CloudFormation will create an IAM Role and an IAM Policy (as expected). - Allow Stack instances to deploy and get to *"Current"* Status. If any fail, you can review the details of the failed Stack instances and take action as needed. 
@@ -98,7 +108,7 @@ As you follow the official docs, you can use the recommended configurations belo - `` is the AWS Account ID of the account the CloudFormation Stack instance has been deployed to. - `` is the value of the *IAM Role Name* parameter provided to the CloudFormation StackSet. - For example, if the Stack instance was depoyed to AWS Account `123456789012` and the *IAM Role Name* parameter was `FlexeraAutomationPolicies-Org12345`, then the IAM Role ARN to input in Flexera Platform would be `arn:aws:iam::123456789012:role/FlexeraAutomationPolicies-Org12345`. + For example, if the Stack instance was deployed to AWS Account `123456789012` and the *IAM Role Name* parameter was `FlexeraAutomationPolicies-Org12345`, then the IAM Role ARN to input in Flexera Platform would be `arn:aws:iam::123456789012:role/FlexeraAutomationPolicies-Org12345`. **See [Flexera Docs > Automation > AWS STS Multi-Account Credential Usage](https://docs.flexera.com/flexera/EN/Automation/ProviderCredentials.htm#automationadmin_109256743_1136870) for more information.** 
@@ -170,8 +180,4 @@ resource "aws_cloudformation_stack" "FlexeraAutomationAccessRole" { ## For Maintainers -New releases are created by copying the latest version of template to `releases/` and appending a version number (using [Semantic Versioning](https://semver.org/) strategies). Files under `releases/` should not be modified once they are merged and committed to default branch. - -Publishing releases and latest Template files to S3 is handled by GitHub Actions workflow [ -Publish CloudFormation Templates -](../../.github/workflows/cfn-publish.yaml) and triggered when [Test CloudFormation Templates](../../.github/workflows/cfn-test.yaml) finishes successfully after commit to the default branch. +New rolling releases are created automatically by the `tools/cloudformation-template/aws_cft_generator.rb` script. This script runs automatically via GitHub Actions whenever a change is made to the master branch. This script uses the permissions file `data/policy_permissions_list/master_policy_permissions_list.json` to obtain the information needed to generate the CloudFormation Template. This file, in turn, is sourced through its own automation that scrapes policy template README files. diff --git a/tools/cloudformation-template/aws_cft_generator.rb b/tools/cloudformation-template/aws_cft_generator.rb new file mode 100644 index 0000000000..5a477b893b --- /dev/null +++ b/tools/cloudformation-template/aws_cft_generator.rb 
@@ -0,0 +1,241 @@ +require "json" +require "time" + +# Method for generating permission list +def create_permissions(perm_json, deprecated, perm_type = "action") + permission_list = [] + + perm_json['values'].each do |item| + read = [] + action = [] + + if item["providers"] + item["providers"].each do |provider| + if provider["name"] == "aws" + provider["permissions"].each do |permission| + if permission["read_only"] + read << permission["name"] + else + action << permission["name"] if perm_type != "read" + end + end + end + end + end + + # Skip deprecated policies and policies with no permissions needed + unless (read.empty? && action.empty?) || deprecated.include?(item["name"]) + short_name = item["name"].gsub(/[^a-zA-Z0-9]/, '') + + permission_list << { + "id" => item["id"], + "name" => item["name"], + "short_name" => short_name, + "version" => item["version"], + "read" => read, + "action" => action + } + end + end + + special_permission_list = [] + + all_read = permission_list.map { |policy| policy["read"] }.flatten.uniq.sort + all_action = permission_list.map { |policy| policy["action"] }.flatten.uniq.sort + + special_permission_list << { + "id" => "all_policy_templates", + "name" => "All AWS Policy Templates", + "short_name" => "AllAWSPolicyTemplates", + "version" => "1.0", + "read" => all_read, + "action" => all_action + } + + sorted_permission_list = permission_list.sort_by { |policy| policy["name"] } + + return special_permission_list + sorted_permission_list +end + +# Method for generating template +def create_template(perm_list, template_path) + # Create strings to insert into template + parameter_groups = "" + parameter_labels = "" + parameter_group_definitions = "" + conditions = "" + mappings = "" + resources = "" + + perm_list.each do |policy| + # Entry for __PLACEHOLDER_FOR_PARAMETER_GROUPS__ + parameter_groups += " ## " + policy["name"] + "\n" + parameter_groups += " - paramPerms" + policy["short_name"] + "\n" + + # Entry for 
__PLACEHOLDER_FOR_PARAMETER_LABELS__ + parameter_labels += " ## " + policy["name"] + "\n" + parameter_labels += " paramPerms" + policy["short_name"] + ":\n" + + if policy["id"] == "all_policy_templates" + parameter_labels += " default: \"Permissions for all AWS Policy Templates\"\n" + else + parameter_labels += " default: \"Permissions for Policy Template: " + policy["name"] + "\"\n" + end + + # Entry for __PLACEHOLDER_FOR_PARAMETER_GROUP_DEFINITIONS__ + parameter_group_definitions += " ## " + policy["name"] + "\n" + + parameter_group_definitions += " paramPerms" + policy["short_name"] + ":\n" + + if policy["id"] == "all_policy_templates" + parameter_group_definitions += " Description: 'What permissions for all AWS Policy Templates should be granted on the AWS Role that will be created? Note that the more granular permissions below only need to be enabled if this option is disabled or you want to grant access to take actions only for specific policy templates.'\n" + else + parameter_group_definitions += " Description: 'What permissions for the \"" + policy["name"] + "\" Policy Template should be granted on the AWS Role that will be created?'\n" + end + + parameter_group_definitions += " Type: String\n" + + if policy["id"] == "all_policy_templates" + parameter_group_definitions += " Default: Read Only\n" + else + parameter_group_definitions += " Default: None\n" + end + + parameter_group_definitions += " AllowedValues:\n" + parameter_group_definitions += " - None\n" + parameter_group_definitions += " - Read Only\n" unless policy["read"].empty? + parameter_group_definitions += " - Read and Take Action\n" unless policy["action"].empty? + + # Entry for __PLACEHOLDER_FOR_CONDITIONS__ + conditions += " ## " + policy["name"] + "\n" + + unless policy["read"].empty? 
+ conditions += " CreatePolicy" + policy["short_name"] + "Read: !Not\n" + conditions += " - !Equals\n" + conditions += " - !Ref paramPerms" + policy["short_name"] + "\n" + conditions += " - None\n" + end + + unless policy["action"].empty? + conditions += " CreatePolicy" + policy["short_name"] + "Action: !Equals\n" + conditions += " - !Ref paramPerms" + policy["short_name"] + "\n" + conditions += " - Read and Take Action\n" + end + + # Entry for __PLACEHOLDER_FOR_MAPPINGS__ + mappings += " ## " + policy["name"] + "\n" + mappings += " " + policy["short_name"] + ":\n" + + if policy["read"].empty? + mappings += " read: []\n" + else + mappings += " read:\n" + + policy["read"].each do |permission| + mappings += " - \"" + permission + "\"\n" + end + end + + if policy["action"].empty? + mappings += " action: []\n" + else + mappings += " action:\n" + + policy["action"].each do |permission| + mappings += " - \"" + permission + "\"\n" + end + end + + # Entry for __PLACEHOLDER_FOR_RESOURCES__ + resources += " ## " + policy["name"] + "\n" + + unless policy["read"].empty? + resources += " iamPolicy" + policy["short_name"] + "Read:\n" + resources += " Type: \"AWS::IAM::Policy\"\n" + resources += " Condition: CreatePolicy" + policy["short_name"] + "Read\n" + resources += " Properties:\n" + resources += " PolicyName: !Join\n" + resources += " - \"_\"\n" + resources += " - - !Ref paramRoleName\n" + resources += " - " + policy["short_name"] + "ReadPermissionPolicy\n" + resources += " Roles:\n" + resources += " - !Ref iamRole\n" + resources += " PolicyDocument:\n" + resources += " Version: 2012-10-17\n" + resources += " Statement:\n" + resources += " - Effect: Allow\n" + resources += " Action: !FindInMap\n" + resources += " - PermissionMap\n" + resources += " - " + policy["short_name"] + "\n" + resources += " - read\n" + resources += " Resource: \"*\"\n" + end + + unless policy["action"].empty? 
+ resources += " iamPolicy" + policy["short_name"] + "Action:\n" + resources += " Type: \"AWS::IAM::Policy\"\n" + resources += " Condition: CreatePolicy" + policy["short_name"] + "Action\n" + resources += " Properties:\n" + resources += " PolicyName: !Join\n" + resources += " - \"_\"\n" + resources += " - - !Ref paramRoleName\n" + resources += " - " + policy["short_name"] + "ActionPermissionPolicy\n" + resources += " Roles:\n" + resources += " - !Ref iamRole\n" + resources += " PolicyDocument:\n" + resources += " Version: 2012-10-17\n" + resources += " Statement:\n" + resources += " - Effect: Allow\n" + resources += " Action: !FindInMap\n" + resources += " - PermissionMap\n" + resources += " - " + policy["short_name"] + "\n" + resources += " - action\n" + resources += " Resource: \"*\"\n" + end + end + + # Generate new CloudFormation Template + empty_template = File.read(template_path) + + final_template = empty_template.gsub("__PLACEHOLDER_FOR_GENERATION_DATETIME__", Time.now.utc.iso8601) + final_template = final_template.gsub("__PLACEHOLDER_FOR_PARAMETER_GROUPS__", parameter_groups) + final_template = final_template.gsub("__PLACEHOLDER_FOR_PARAMETER_LABELS__", parameter_labels) + final_template = final_template.gsub("__PLACEHOLDER_FOR_PARAMETER_GROUP_DEFINITIONS__", parameter_group_definitions) + final_template = final_template.gsub("__PLACEHOLDER_FOR_CONDITIONS__", conditions) + final_template = final_template.gsub("__PLACEHOLDER_FOR_MAPPINGS__", mappings) + final_template = final_template.gsub("__PLACEHOLDER_FOR_RESOURCES__", resources) + + return final_template +end + +# File paths +activepolicy_json_filepath = "../../data/active_policy_list/active_policy_list.json" +permission_json_filepath = "../../data/policy_permissions_list/master_policy_permissions_list.json" +template_filepath = "./aws_cft_generator.template.txt" +output_filepath = "./rolling/FlexeraAutomationPolicies.template" +output_readonly_filepath = 
"./rolling/FlexeraAutomationPoliciesReadOnly.template" + +# Get list of deprecated policies +activepolicy_json = JSON.parse(File.read(activepolicy_json_filepath)) +deprecated_policies = activepolicy_json["policies"].select { |policy| policy["deprecated"] == true } +deprecated_names = deprecated_policies.map { |policy| policy["name"] } + +# Read AWS permissions data +permission_json = JSON.parse(File.read(permission_json_filepath)) + +# Remap data for easy parsing +permission_list = create_permissions(permission_json, deprecated_names) +readonly_permission_list = create_permissions(permission_json, deprecated_names, "read") + +# Create template text +final_template = create_template(permission_list, template_filepath) +readonly_final_template = create_template(readonly_permission_list, template_filepath) + +# Write new CloudFormation Templates to disk +output_file = File.open(output_filepath, "w") +output_file.puts(final_template) +output_file.close + +output_file = File.open(output_readonly_filepath, "w") +output_file.puts(readonly_final_template) +output_file.close diff --git a/tools/cloudformation-template/rolling/FlexeraAutomationPolicies.template b/tools/cloudformation-template/rolling/FlexeraAutomationPolicies.template new file mode 100644 index 0000000000..2f4b8b5b50 --- /dev/null +++ b/tools/cloudformation-template/rolling/FlexeraAutomationPolicies.template 
@@ -0,0 +1,4830 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: "CloudFormation Stack with IAM Role and IAM Permission Policy used by Flexera Automation. Official Docs: https://docs.flexera.com/" +# Generated by Flexera automation on 2024-12-12T16:59:05Z +# For more details, see: https://github.com/flexera-public/policy_templates/blob/master/tools/cloudformation-template/README.md + +Metadata: + # AWS::CloudFormation::Interface is a metadata key that defines how parameters are grouped and sorted in the AWS CloudFormation console. + # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudformation-interface.html + AWS::CloudFormation::Interface: + # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudformation-interface-parametergroup.html + ParameterGroups: + # ParameterGroup with paramFlexeraOrgId should be first. + # paramFlexeraOrgId only param that is actually required (if Org is on app.flexera.com) + - Label: + default: "Parameters related to your Organization on the Flexera Platform" + Parameters: + - paramFlexeraOrgId + - paramFlexeraZone + - Label: + default: "Parameters related to the IAM Role that is created" + Parameters: + - paramRoleName + - paramRolePath + - Label: + default: "Parameters related to Policy Template permissions on the IAM Role that is created" + Parameters: + ## All AWS Policy Templates + - paramPermsAllAWSPolicyTemplates + ## AWS Account Credentials + - paramPermsAWSAccountCredentials + ## AWS Accounts Missing Service Control Policies + - paramPermsAWSAccountsMissingServiceControlPolicies + ## AWS Burstable EC2 Instances + - paramPermsAWSBurstableEC2Instances + ## AWS CloudTrail Not Enabled In All Regions + - paramPermsAWSCloudTrailNotEnabledInAllRegions + ## AWS CloudTrail S3 Buckets Without Access Logging + - paramPermsAWSCloudTrailS3BucketsWithoutAccessLogging + ## AWS CloudTrails Not Integrated With CloudWatch + - paramPermsAWSCloudTrailsNotIntegratedWithCloudWatch + 
## AWS CloudTrails With Read Logging Enabled + - paramPermsAWSCloudTrailsWithReadLoggingEnabled + ## AWS CloudTrails Without Encrypted Logs + - paramPermsAWSCloudTrailsWithoutEncryptedLogs + ## AWS CloudTrails Without Log File Validation Enabled + - paramPermsAWSCloudTrailsWithoutLogFileValidationEnabled + ## AWS CloudTrails Without Object-level Events Logging Enabled + - paramPermsAWSCloudTrailsWithoutObjectlevelEventsLoggingEnabled + ## AWS Customer Managed Keys (CMKs) Without Rotation Enabled + - paramPermsAWSCustomerManagedKeysCMKsWithoutRotationEnabled + ## AWS Disallowed Regions + - paramPermsAWSDisallowedRegions + ## AWS EC2 Compute Optimizer Recommendations + - paramPermsAWSEC2ComputeOptimizerRecommendations + ## AWS EC2 Instances Time Stopped Report + - paramPermsAWSEC2InstancesTimeStoppedReport + ## AWS EC2 Instances not running FlexNet Inventory Agent + - paramPermsAWSEC2InstancesnotrunningFlexNetInventoryAgent + ## AWS EKS Clusters Without Spot Instances + - paramPermsAWSEKSClustersWithoutSpotInstances + ## AWS Elastic Load Balancers With Unencrypted Listeners + - paramPermsAWSElasticLoadBalancersWithUnencryptedListeners + ## AWS Expiring Savings Plans + - paramPermsAWSExpiringSavingsPlans + ## AWS IAM Account Missing Support Role + - paramPermsAWSIAMAccountMissingSupportRole + ## AWS IAM Attached Admin Policies + - paramPermsAWSIAMAttachedAdminPolicies + ## AWS IAM Expired SSL/TLS Certificates + - paramPermsAWSIAMExpiredSSLTLSCertificates + ## AWS IAM Insufficient Required Password Length + - paramPermsAWSIAMInsufficientRequiredPasswordLength + ## AWS IAM Password Policy Not Restricting Password Reuse + - paramPermsAWSIAMPasswordPolicyNotRestrictingPasswordReuse + ## AWS IAM Role Audit + - paramPermsAWSIAMRoleAudit + ## AWS IAM Root Account Access Keys + - paramPermsAWSIAMRootAccountAccessKeys + ## AWS IAM Root User Account Without Hardware MFA + - paramPermsAWSIAMRootUserAccountWithoutHardwareMFA + ## AWS IAM Root User Account Without MFA + - 
paramPermsAWSIAMRootUserAccountWithoutMFA + ## AWS IAM Root User Doing Everyday Tasks + - paramPermsAWSIAMRootUserDoingEverydayTasks + ## AWS IAM User Accounts Without MFA + - paramPermsAWSIAMUserAccountsWithoutMFA + ## AWS IAM Users With Directly-Attached Policies + - paramPermsAWSIAMUsersWithDirectlyAttachedPolicies + ## AWS IAM Users With Multiple Active Access Keys + - paramPermsAWSIAMUsersWithMultipleActiveAccessKeys + ## AWS IAM Users With Old Access Keys + - paramPermsAWSIAMUsersWithOldAccessKeys + ## AWS Idle NAT Gateways + - paramPermsAWSIdleNATGateways + ## AWS Internet-Accessible Elastic Load Balancers + - paramPermsAWSInternetAccessibleElasticLoadBalancers + ## AWS Lambda Functions With High Error Rate + - paramPermsAWSLambdaFunctionsWithHighErrorRate + ## AWS Lambda Functions Without Provisioned Concurrency + - paramPermsAWSLambdaFunctionsWithoutProvisionedConcurrency + ## AWS Long Running Instances + - paramPermsAWSLongRunningInstances + ## AWS Long Stopped EC2 Instances + - paramPermsAWSLongStoppedEC2Instances + ## AWS Missing Regions + - paramPermsAWSMissingRegions + ## AWS Old Snapshots + - paramPermsAWSOldSnapshots + ## AWS Open S3 Buckets + - paramPermsAWSOpenS3Buckets + ## AWS Oversized S3 Buckets + - paramPermsAWSOversizedS3Buckets + ## AWS Publicly Accessible CloudTrail S3 Buckets + - paramPermsAWSPubliclyAccessibleCloudTrailS3Buckets + ## AWS Publicly Accessible RDS Instances + - paramPermsAWSPubliclyAccessibleRDSInstances + ## AWS RDS Instances With Unapproved Backup Settings + - paramPermsAWSRDSInstancesWithUnapprovedBackupSettings + ## AWS Regions Without Access Analyzer Enabled + - paramPermsAWSRegionsWithoutAccessAnalyzerEnabled + ## AWS Regions Without Config Fully Enabled + - paramPermsAWSRegionsWithoutConfigFullyEnabled + ## AWS Regions Without Default EBS Encryption + - paramPermsAWSRegionsWithoutDefaultEBSEncryption + ## AWS Reserved Instances Coverage + - paramPermsAWSReservedInstancesCoverage + ## AWS Reserved Instances 
Recommendations + - paramPermsAWSReservedInstancesRecommendations + ## AWS Rightsize EBS Volumes + - paramPermsAWSRightsizeEBSVolumes + ## AWS Rightsize EC2 Instances + - paramPermsAWSRightsizeEC2Instances + ## AWS Rightsize ElastiCache + - paramPermsAWSRightsizeElastiCache + ## AWS Rightsize RDS Instances + - paramPermsAWSRightsizeRDSInstances + ## AWS Rightsize Redshift + - paramPermsAWSRightsizeRedshift + ## AWS S3 Buckets Accepting HTTP Requests + - paramPermsAWSS3BucketsAcceptingHTTPRequests + ## AWS S3 Buckets Without Default Encryption Configuration + - paramPermsAWSS3BucketsWithoutDefaultEncryptionConfiguration + ## AWS S3 Buckets Without Intelligent Tiering + - paramPermsAWSS3BucketsWithoutIntelligentTiering + ## AWS S3 Buckets Without Lifecycle Configuration + - paramPermsAWSS3BucketsWithoutLifecycleConfiguration + ## AWS S3 Buckets Without MFA Delete Enabled + - paramPermsAWSS3BucketsWithoutMFADeleteEnabled + ## AWS S3 Buckets Without Public Access Blocked + - paramPermsAWSS3BucketsWithoutPublicAccessBlocked + ## AWS S3 Buckets Without Server Access Logging + - paramPermsAWSS3BucketsWithoutServerAccessLogging + ## AWS S3 Incomplete Multi-Part Uploads + - paramPermsAWSS3IncompleteMultiPartUploads + ## AWS Savings Plan Recommendations + - paramPermsAWSSavingsPlanRecommendations + ## AWS Savings Plan Utilization + - paramPermsAWSSavingsPlanUtilization + ## AWS Schedule Instance + - paramPermsAWSScheduleInstance + ## AWS Scheduled EC2 Events + - paramPermsAWSScheduledEC2Events + ## AWS Superseded EBS Volumes + - paramPermsAWSSupersededEBSVolumes + ## AWS Superseded EC2 Instances + - paramPermsAWSSupersededEC2Instances + ## AWS Superseded EC2 Instances + - paramPermsAWSSupersededEC2Instances + ## AWS Tag Cardinality Report + - paramPermsAWSTagCardinalityReport + ## AWS Unencrypted EBS Volumes + - paramPermsAWSUnencryptedEBSVolumes + ## AWS Unencrypted RDS Instances + - paramPermsAWSUnencryptedRDSInstances + ## AWS Untagged Resources + - 
paramPermsAWSUntaggedResources + ## AWS Unused Application Load Balancers + - paramPermsAWSUnusedApplicationLoadBalancers + ## AWS Unused Classic Load Balancers + - paramPermsAWSUnusedClassicLoadBalancers + ## AWS Unused ECS Clusters + - paramPermsAWSUnusedECSClusters + ## AWS Unused IAM Credentials + - paramPermsAWSUnusedIAMCredentials + ## AWS Unused IP Addresses + - paramPermsAWSUnusedIPAddresses + ## AWS Unused Network Load Balancers + - paramPermsAWSUnusedNetworkLoadBalancers + ## AWS VPCs Without FlowLogs Enabled + - paramPermsAWSVPCsWithoutFlowLogsEnabled + ## Common Bill Ingestion from AWS S3 Object Storage + - paramPermsCommonBillIngestionfromAWSS3ObjectStorage + + # End for each policy template + - paramPermsAttachExistingPolicies + # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudformation-interface-parameterlabel.html + ParameterLabels: + paramRoleName: + # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudformation-interface-label.html + # The default label that the CloudFormation console uses to name a parameter group or parameter. 
+ default: "IAM Role Name" + paramRolePath: + default: "IAM Role Path" + paramFlexeraOrgId: + default: "Flexera Organization ID" + paramFlexeraZone: + default: "Flexera Zone" + ## All AWS Policy Templates + paramPermsAllAWSPolicyTemplates: + default: "Permissions for all AWS Policy Templates" + ## AWS Account Credentials + paramPermsAWSAccountCredentials: + default: "Permissions for Policy Template: AWS Account Credentials" + ## AWS Accounts Missing Service Control Policies + paramPermsAWSAccountsMissingServiceControlPolicies: + default: "Permissions for Policy Template: AWS Accounts Missing Service Control Policies" + ## AWS Burstable EC2 Instances + paramPermsAWSBurstableEC2Instances: + default: "Permissions for Policy Template: AWS Burstable EC2 Instances" + ## AWS CloudTrail Not Enabled In All Regions + paramPermsAWSCloudTrailNotEnabledInAllRegions: + default: "Permissions for Policy Template: AWS CloudTrail Not Enabled In All Regions" + ## AWS CloudTrail S3 Buckets Without Access Logging + paramPermsAWSCloudTrailS3BucketsWithoutAccessLogging: + default: "Permissions for Policy Template: AWS CloudTrail S3 Buckets Without Access Logging" + ## AWS CloudTrails Not Integrated With CloudWatch + paramPermsAWSCloudTrailsNotIntegratedWithCloudWatch: + default: "Permissions for Policy Template: AWS CloudTrails Not Integrated With CloudWatch" + ## AWS CloudTrails With Read Logging Enabled + paramPermsAWSCloudTrailsWithReadLoggingEnabled: + default: "Permissions for Policy Template: AWS CloudTrails With Read Logging Enabled" + ## AWS CloudTrails Without Encrypted Logs + paramPermsAWSCloudTrailsWithoutEncryptedLogs: + default: "Permissions for Policy Template: AWS CloudTrails Without Encrypted Logs" + ## AWS CloudTrails Without Log File Validation Enabled + paramPermsAWSCloudTrailsWithoutLogFileValidationEnabled: + default: "Permissions for Policy Template: AWS CloudTrails Without Log File Validation Enabled" + ## AWS CloudTrails Without Object-level Events Logging Enabled 
+ paramPermsAWSCloudTrailsWithoutObjectlevelEventsLoggingEnabled: + default: "Permissions for Policy Template: AWS CloudTrails Without Object-level Events Logging Enabled" + ## AWS Customer Managed Keys (CMKs) Without Rotation Enabled + paramPermsAWSCustomerManagedKeysCMKsWithoutRotationEnabled: + default: "Permissions for Policy Template: AWS Customer Managed Keys (CMKs) Without Rotation Enabled" + ## AWS Disallowed Regions + paramPermsAWSDisallowedRegions: + default: "Permissions for Policy Template: AWS Disallowed Regions" + ## AWS EC2 Compute Optimizer Recommendations + paramPermsAWSEC2ComputeOptimizerRecommendations: + default: "Permissions for Policy Template: AWS EC2 Compute Optimizer Recommendations" + ## AWS EC2 Instances Time Stopped Report + paramPermsAWSEC2InstancesTimeStoppedReport: + default: "Permissions for Policy Template: AWS EC2 Instances Time Stopped Report" + ## AWS EC2 Instances not running FlexNet Inventory Agent + paramPermsAWSEC2InstancesnotrunningFlexNetInventoryAgent: + default: "Permissions for Policy Template: AWS EC2 Instances not running FlexNet Inventory Agent" + ## AWS EKS Clusters Without Spot Instances + paramPermsAWSEKSClustersWithoutSpotInstances: + default: "Permissions for Policy Template: AWS EKS Clusters Without Spot Instances" + ## AWS Elastic Load Balancers With Unencrypted Listeners + paramPermsAWSElasticLoadBalancersWithUnencryptedListeners: + default: "Permissions for Policy Template: AWS Elastic Load Balancers With Unencrypted Listeners" + ## AWS Expiring Savings Plans + paramPermsAWSExpiringSavingsPlans: + default: "Permissions for Policy Template: AWS Expiring Savings Plans" + ## AWS IAM Account Missing Support Role + paramPermsAWSIAMAccountMissingSupportRole: + default: "Permissions for Policy Template: AWS IAM Account Missing Support Role" + ## AWS IAM Attached Admin Policies + paramPermsAWSIAMAttachedAdminPolicies: + default: "Permissions for Policy Template: AWS IAM Attached Admin Policies" + ## AWS IAM Expired 
SSL/TLS Certificates + paramPermsAWSIAMExpiredSSLTLSCertificates: + default: "Permissions for Policy Template: AWS IAM Expired SSL/TLS Certificates" + ## AWS IAM Insufficient Required Password Length + paramPermsAWSIAMInsufficientRequiredPasswordLength: + default: "Permissions for Policy Template: AWS IAM Insufficient Required Password Length" + ## AWS IAM Password Policy Not Restricting Password Reuse + paramPermsAWSIAMPasswordPolicyNotRestrictingPasswordReuse: + default: "Permissions for Policy Template: AWS IAM Password Policy Not Restricting Password Reuse" + ## AWS IAM Role Audit + paramPermsAWSIAMRoleAudit: + default: "Permissions for Policy Template: AWS IAM Role Audit" + ## AWS IAM Root Account Access Keys + paramPermsAWSIAMRootAccountAccessKeys: + default: "Permissions for Policy Template: AWS IAM Root Account Access Keys" + ## AWS IAM Root User Account Without Hardware MFA + paramPermsAWSIAMRootUserAccountWithoutHardwareMFA: + default: "Permissions for Policy Template: AWS IAM Root User Account Without Hardware MFA" + ## AWS IAM Root User Account Without MFA + paramPermsAWSIAMRootUserAccountWithoutMFA: + default: "Permissions for Policy Template: AWS IAM Root User Account Without MFA" + ## AWS IAM Root User Doing Everyday Tasks + paramPermsAWSIAMRootUserDoingEverydayTasks: + default: "Permissions for Policy Template: AWS IAM Root User Doing Everyday Tasks" + ## AWS IAM User Accounts Without MFA + paramPermsAWSIAMUserAccountsWithoutMFA: + default: "Permissions for Policy Template: AWS IAM User Accounts Without MFA" + ## AWS IAM Users With Directly-Attached Policies + paramPermsAWSIAMUsersWithDirectlyAttachedPolicies: + default: "Permissions for Policy Template: AWS IAM Users With Directly-Attached Policies" + ## AWS IAM Users With Multiple Active Access Keys + paramPermsAWSIAMUsersWithMultipleActiveAccessKeys: + default: "Permissions for Policy Template: AWS IAM Users With Multiple Active Access Keys" + ## AWS IAM Users With Old Access Keys + 
paramPermsAWSIAMUsersWithOldAccessKeys: + default: "Permissions for Policy Template: AWS IAM Users With Old Access Keys" + ## AWS Idle NAT Gateways + paramPermsAWSIdleNATGateways: + default: "Permissions for Policy Template: AWS Idle NAT Gateways" + ## AWS Internet-Accessible Elastic Load Balancers + paramPermsAWSInternetAccessibleElasticLoadBalancers: + default: "Permissions for Policy Template: AWS Internet-Accessible Elastic Load Balancers" + ## AWS Lambda Functions With High Error Rate + paramPermsAWSLambdaFunctionsWithHighErrorRate: + default: "Permissions for Policy Template: AWS Lambda Functions With High Error Rate" + ## AWS Lambda Functions Without Provisioned Concurrency + paramPermsAWSLambdaFunctionsWithoutProvisionedConcurrency: + default: "Permissions for Policy Template: AWS Lambda Functions Without Provisioned Concurrency" + ## AWS Long Running Instances + paramPermsAWSLongRunningInstances: + default: "Permissions for Policy Template: AWS Long Running Instances" + ## AWS Long Stopped EC2 Instances + paramPermsAWSLongStoppedEC2Instances: + default: "Permissions for Policy Template: AWS Long Stopped EC2 Instances" + ## AWS Missing Regions + paramPermsAWSMissingRegions: + default: "Permissions for Policy Template: AWS Missing Regions" + ## AWS Old Snapshots + paramPermsAWSOldSnapshots: + default: "Permissions for Policy Template: AWS Old Snapshots" + ## AWS Open S3 Buckets + paramPermsAWSOpenS3Buckets: + default: "Permissions for Policy Template: AWS Open S3 Buckets" + ## AWS Oversized S3 Buckets + paramPermsAWSOversizedS3Buckets: + default: "Permissions for Policy Template: AWS Oversized S3 Buckets" + ## AWS Publicly Accessible CloudTrail S3 Buckets + paramPermsAWSPubliclyAccessibleCloudTrailS3Buckets: + default: "Permissions for Policy Template: AWS Publicly Accessible CloudTrail S3 Buckets" + ## AWS Publicly Accessible RDS Instances + paramPermsAWSPubliclyAccessibleRDSInstances: + default: "Permissions for Policy Template: AWS Publicly Accessible RDS 
Instances" + ## AWS RDS Instances With Unapproved Backup Settings + paramPermsAWSRDSInstancesWithUnapprovedBackupSettings: + default: "Permissions for Policy Template: AWS RDS Instances With Unapproved Backup Settings" + ## AWS Regions Without Access Analyzer Enabled + paramPermsAWSRegionsWithoutAccessAnalyzerEnabled: + default: "Permissions for Policy Template: AWS Regions Without Access Analyzer Enabled" + ## AWS Regions Without Config Fully Enabled + paramPermsAWSRegionsWithoutConfigFullyEnabled: + default: "Permissions for Policy Template: AWS Regions Without Config Fully Enabled" + ## AWS Regions Without Default EBS Encryption + paramPermsAWSRegionsWithoutDefaultEBSEncryption: + default: "Permissions for Policy Template: AWS Regions Without Default EBS Encryption" + ## AWS Reserved Instances Coverage + paramPermsAWSReservedInstancesCoverage: + default: "Permissions for Policy Template: AWS Reserved Instances Coverage" + ## AWS Reserved Instances Recommendations + paramPermsAWSReservedInstancesRecommendations: + default: "Permissions for Policy Template: AWS Reserved Instances Recommendations" + ## AWS Rightsize EBS Volumes + paramPermsAWSRightsizeEBSVolumes: + default: "Permissions for Policy Template: AWS Rightsize EBS Volumes" + ## AWS Rightsize EC2 Instances + paramPermsAWSRightsizeEC2Instances: + default: "Permissions for Policy Template: AWS Rightsize EC2 Instances" + ## AWS Rightsize ElastiCache + paramPermsAWSRightsizeElastiCache: + default: "Permissions for Policy Template: AWS Rightsize ElastiCache" + ## AWS Rightsize RDS Instances + paramPermsAWSRightsizeRDSInstances: + default: "Permissions for Policy Template: AWS Rightsize RDS Instances" + ## AWS Rightsize Redshift + paramPermsAWSRightsizeRedshift: + default: "Permissions for Policy Template: AWS Rightsize Redshift" + ## AWS S3 Buckets Accepting HTTP Requests + paramPermsAWSS3BucketsAcceptingHTTPRequests: + default: "Permissions for Policy Template: AWS S3 Buckets Accepting HTTP Requests" + ## AWS 
S3 Buckets Without Default Encryption Configuration + paramPermsAWSS3BucketsWithoutDefaultEncryptionConfiguration: + default: "Permissions for Policy Template: AWS S3 Buckets Without Default Encryption Configuration" + ## AWS S3 Buckets Without Intelligent Tiering + paramPermsAWSS3BucketsWithoutIntelligentTiering: + default: "Permissions for Policy Template: AWS S3 Buckets Without Intelligent Tiering" + ## AWS S3 Buckets Without Lifecycle Configuration + paramPermsAWSS3BucketsWithoutLifecycleConfiguration: + default: "Permissions for Policy Template: AWS S3 Buckets Without Lifecycle Configuration" + ## AWS S3 Buckets Without MFA Delete Enabled + paramPermsAWSS3BucketsWithoutMFADeleteEnabled: + default: "Permissions for Policy Template: AWS S3 Buckets Without MFA Delete Enabled" + ## AWS S3 Buckets Without Public Access Blocked + paramPermsAWSS3BucketsWithoutPublicAccessBlocked: + default: "Permissions for Policy Template: AWS S3 Buckets Without Public Access Blocked" + ## AWS S3 Buckets Without Server Access Logging + paramPermsAWSS3BucketsWithoutServerAccessLogging: + default: "Permissions for Policy Template: AWS S3 Buckets Without Server Access Logging" + ## AWS S3 Incomplete Multi-Part Uploads + paramPermsAWSS3IncompleteMultiPartUploads: + default: "Permissions for Policy Template: AWS S3 Incomplete Multi-Part Uploads" + ## AWS Savings Plan Recommendations + paramPermsAWSSavingsPlanRecommendations: + default: "Permissions for Policy Template: AWS Savings Plan Recommendations" + ## AWS Savings Plan Utilization + paramPermsAWSSavingsPlanUtilization: + default: "Permissions for Policy Template: AWS Savings Plan Utilization" + ## AWS Schedule Instance + paramPermsAWSScheduleInstance: + default: "Permissions for Policy Template: AWS Schedule Instance" + ## AWS Scheduled EC2 Events + paramPermsAWSScheduledEC2Events: + default: "Permissions for Policy Template: AWS Scheduled EC2 Events" + ## AWS Superseded EBS Volumes + paramPermsAWSSupersededEBSVolumes: + default: 
"Permissions for Policy Template: AWS Superseded EBS Volumes" + ## AWS Superseded EC2 Instances + paramPermsAWSSupersededEC2Instances: + default: "Permissions for Policy Template: AWS Superseded EC2 Instances" + ## AWS Superseded EC2 Instances + paramPermsAWSSupersededEC2Instances: + default: "Permissions for Policy Template: AWS Superseded EC2 Instances" + ## AWS Tag Cardinality Report + paramPermsAWSTagCardinalityReport: + default: "Permissions for Policy Template: AWS Tag Cardinality Report" + ## AWS Unencrypted EBS Volumes + paramPermsAWSUnencryptedEBSVolumes: + default: "Permissions for Policy Template: AWS Unencrypted EBS Volumes" + ## AWS Unencrypted RDS Instances + paramPermsAWSUnencryptedRDSInstances: + default: "Permissions for Policy Template: AWS Unencrypted RDS Instances" + ## AWS Untagged Resources + paramPermsAWSUntaggedResources: + default: "Permissions for Policy Template: AWS Untagged Resources" + ## AWS Unused Application Load Balancers + paramPermsAWSUnusedApplicationLoadBalancers: + default: "Permissions for Policy Template: AWS Unused Application Load Balancers" + ## AWS Unused Classic Load Balancers + paramPermsAWSUnusedClassicLoadBalancers: + default: "Permissions for Policy Template: AWS Unused Classic Load Balancers" + ## AWS Unused ECS Clusters + paramPermsAWSUnusedECSClusters: + default: "Permissions for Policy Template: AWS Unused ECS Clusters" + ## AWS Unused IAM Credentials + paramPermsAWSUnusedIAMCredentials: + default: "Permissions for Policy Template: AWS Unused IAM Credentials" + ## AWS Unused IP Addresses + paramPermsAWSUnusedIPAddresses: + default: "Permissions for Policy Template: AWS Unused IP Addresses" + ## AWS Unused Network Load Balancers + paramPermsAWSUnusedNetworkLoadBalancers: + default: "Permissions for Policy Template: AWS Unused Network Load Balancers" + ## AWS VPCs Without FlowLogs Enabled + paramPermsAWSVPCsWithoutFlowLogsEnabled: + default: "Permissions for Policy Template: AWS VPCs Without FlowLogs Enabled" + ## 
Common Bill Ingestion from AWS S3 Object Storage + paramPermsCommonBillIngestionfromAWSS3ObjectStorage: + default: "Permissions for Policy Template: Common Bill Ingestion from AWS S3 Object Storage" + + # End for each policy template + paramPermsAttachExistingPolicies: + default: "Additional IAM Permission Policies for IAM Role" + +Parameters: + # ParameterGroup: Parameters related to your Organization on the Flexera Platform + paramFlexeraOrgId: + Description: >- + The Organization ID in Flexera which trust will be granted to use the IAM Role that will be created + Type: String + AllowedPattern: "[0-9]+" + MinLength: 1 + ConstraintDescription: Organization ID must be provided and match regex [0-9]+ + paramFlexeraZone: + Description: >- + The Flexera Zone which trust will be granted to. The Organization ID should be located in this Flexera Zone. + Type: String + Default: app.flexera.com + AllowedValues: + - app.flexera.com + - app.flexera.eu + - app.flexera.au + - app.flexeratest.com + + # ParameterGroup: Parameters for the IAM Role that is created + paramRoleName: + Description: Name of the the IAM Role that will be created. If you plan to create more than one IAM Role (i.e. one for each Policy Template, or to trust multiple Orgs) you will need to modify this to prevent naming conflict. + Type: String + Default: FlexeraAutomationAccessRole + # IAM Role Name Max Length is 64chars + MaxLength: 64 + paramRolePath: + Description: Path for the IAM Role that will be created. Generally does not need to be modified. + Type: String + Default: / + + # ParameterGroup: Parameters to define Policy Template permissions on the IAM Role that is created + ## All AWS Policy Templates + paramPermsAllAWSPolicyTemplates: + Description: 'What permissions for all AWS Policy Templates should be granted on the AWS Role that will be created? 
Note that the more granular permissions below only need to be enabled if this option is disabled or you want to grant access to take actions only for specific policy templates.' + Type: String + Default: Read Only + AllowedValues: + - None + - Read Only + - Read and Take Action + ## AWS Account Credentials + paramPermsAWSAccountCredentials: + Description: 'What permissions for the "AWS Account Credentials" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Accounts Missing Service Control Policies + paramPermsAWSAccountsMissingServiceControlPolicies: + Description: 'What permissions for the "AWS Accounts Missing Service Control Policies" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Burstable EC2 Instances + paramPermsAWSBurstableEC2Instances: + Description: 'What permissions for the "AWS Burstable EC2 Instances" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + - Read and Take Action + ## AWS CloudTrail Not Enabled In All Regions + paramPermsAWSCloudTrailNotEnabledInAllRegions: + Description: 'What permissions for the "AWS CloudTrail Not Enabled In All Regions" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS CloudTrail S3 Buckets Without Access Logging + paramPermsAWSCloudTrailS3BucketsWithoutAccessLogging: + Description: 'What permissions for the "AWS CloudTrail S3 Buckets Without Access Logging" Policy Template should be granted on the AWS Role that will be created?' 
+ Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS CloudTrails Not Integrated With CloudWatch + paramPermsAWSCloudTrailsNotIntegratedWithCloudWatch: + Description: 'What permissions for the "AWS CloudTrails Not Integrated With CloudWatch" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS CloudTrails With Read Logging Enabled + paramPermsAWSCloudTrailsWithReadLoggingEnabled: + Description: 'What permissions for the "AWS CloudTrails With Read Logging Enabled" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + - Read and Take Action + ## AWS CloudTrails Without Encrypted Logs + paramPermsAWSCloudTrailsWithoutEncryptedLogs: + Description: 'What permissions for the "AWS CloudTrails Without Encrypted Logs" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS CloudTrails Without Log File Validation Enabled + paramPermsAWSCloudTrailsWithoutLogFileValidationEnabled: + Description: 'What permissions for the "AWS CloudTrails Without Log File Validation Enabled" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS CloudTrails Without Object-level Events Logging Enabled + paramPermsAWSCloudTrailsWithoutObjectlevelEventsLoggingEnabled: + Description: 'What permissions for the "AWS CloudTrails Without Object-level Events Logging Enabled" Policy Template should be granted on the AWS Role that will be created?' 
+ Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Customer Managed Keys (CMKs) Without Rotation Enabled + paramPermsAWSCustomerManagedKeysCMKsWithoutRotationEnabled: + Description: 'What permissions for the "AWS Customer Managed Keys (CMKs) Without Rotation Enabled" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Disallowed Regions + paramPermsAWSDisallowedRegions: + Description: 'What permissions for the "AWS Disallowed Regions" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + - Read and Take Action + ## AWS EC2 Compute Optimizer Recommendations + paramPermsAWSEC2ComputeOptimizerRecommendations: + Description: 'What permissions for the "AWS EC2 Compute Optimizer Recommendations" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + - Read and Take Action + ## AWS EC2 Instances Time Stopped Report + paramPermsAWSEC2InstancesTimeStoppedReport: + Description: 'What permissions for the "AWS EC2 Instances Time Stopped Report" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + - Read and Take Action + ## AWS EC2 Instances not running FlexNet Inventory Agent + paramPermsAWSEC2InstancesnotrunningFlexNetInventoryAgent: + Description: 'What permissions for the "AWS EC2 Instances not running FlexNet Inventory Agent" Policy Template should be granted on the AWS Role that will be created?' 
+ Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS EKS Clusters Without Spot Instances + paramPermsAWSEKSClustersWithoutSpotInstances: + Description: 'What permissions for the "AWS EKS Clusters Without Spot Instances" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Elastic Load Balancers With Unencrypted Listeners + paramPermsAWSElasticLoadBalancersWithUnencryptedListeners: + Description: 'What permissions for the "AWS Elastic Load Balancers With Unencrypted Listeners" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Expiring Savings Plans + paramPermsAWSExpiringSavingsPlans: + Description: 'What permissions for the "AWS Expiring Savings Plans" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS IAM Account Missing Support Role + paramPermsAWSIAMAccountMissingSupportRole: + Description: 'What permissions for the "AWS IAM Account Missing Support Role" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS IAM Attached Admin Policies + paramPermsAWSIAMAttachedAdminPolicies: + Description: 'What permissions for the "AWS IAM Attached Admin Policies" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS IAM Expired SSL/TLS Certificates + paramPermsAWSIAMExpiredSSLTLSCertificates: + Description: 'What permissions for the "AWS IAM Expired SSL/TLS Certificates" Policy Template should be granted on the AWS Role that will be created?' 
+ Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS IAM Insufficient Required Password Length + paramPermsAWSIAMInsufficientRequiredPasswordLength: + Description: 'What permissions for the "AWS IAM Insufficient Required Password Length" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS IAM Password Policy Not Restricting Password Reuse + paramPermsAWSIAMPasswordPolicyNotRestrictingPasswordReuse: + Description: 'What permissions for the "AWS IAM Password Policy Not Restricting Password Reuse" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS IAM Role Audit + paramPermsAWSIAMRoleAudit: + Description: 'What permissions for the "AWS IAM Role Audit" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS IAM Root Account Access Keys + paramPermsAWSIAMRootAccountAccessKeys: + Description: 'What permissions for the "AWS IAM Root Account Access Keys" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS IAM Root User Account Without Hardware MFA + paramPermsAWSIAMRootUserAccountWithoutHardwareMFA: + Description: 'What permissions for the "AWS IAM Root User Account Without Hardware MFA" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS IAM Root User Account Without MFA + paramPermsAWSIAMRootUserAccountWithoutMFA: + Description: 'What permissions for the "AWS IAM Root User Account Without MFA" Policy Template should be granted on the AWS Role that will be created?' 
+ Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS IAM Root User Doing Everyday Tasks + paramPermsAWSIAMRootUserDoingEverydayTasks: + Description: 'What permissions for the "AWS IAM Root User Doing Everyday Tasks" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS IAM User Accounts Without MFA + paramPermsAWSIAMUserAccountsWithoutMFA: + Description: 'What permissions for the "AWS IAM User Accounts Without MFA" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS IAM Users With Directly-Attached Policies + paramPermsAWSIAMUsersWithDirectlyAttachedPolicies: + Description: 'What permissions for the "AWS IAM Users With Directly-Attached Policies" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS IAM Users With Multiple Active Access Keys + paramPermsAWSIAMUsersWithMultipleActiveAccessKeys: + Description: 'What permissions for the "AWS IAM Users With Multiple Active Access Keys" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS IAM Users With Old Access Keys + paramPermsAWSIAMUsersWithOldAccessKeys: + Description: 'What permissions for the "AWS IAM Users With Old Access Keys" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Idle NAT Gateways + paramPermsAWSIdleNATGateways: + Description: 'What permissions for the "AWS Idle NAT Gateways" Policy Template should be granted on the AWS Role that will be created?' 
+ Type: String + Default: None + AllowedValues: + - None + - Read Only + - Read and Take Action + ## AWS Internet-Accessible Elastic Load Balancers + paramPermsAWSInternetAccessibleElasticLoadBalancers: + Description: 'What permissions for the "AWS Internet-Accessible Elastic Load Balancers" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + - Read and Take Action + ## AWS Lambda Functions With High Error Rate + paramPermsAWSLambdaFunctionsWithHighErrorRate: + Description: 'What permissions for the "AWS Lambda Functions With High Error Rate" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Lambda Functions Without Provisioned Concurrency + paramPermsAWSLambdaFunctionsWithoutProvisionedConcurrency: + Description: 'What permissions for the "AWS Lambda Functions Without Provisioned Concurrency" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Long Running Instances + paramPermsAWSLongRunningInstances: + Description: 'What permissions for the "AWS Long Running Instances" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + - Read and Take Action + ## AWS Long Stopped EC2 Instances + paramPermsAWSLongStoppedEC2Instances: + Description: 'What permissions for the "AWS Long Stopped EC2 Instances" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + - Read and Take Action + ## AWS Missing Regions + paramPermsAWSMissingRegions: + Description: 'What permissions for the "AWS Missing Regions" Policy Template should be granted on the AWS Role that will be created?' 
+ Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Old Snapshots + paramPermsAWSOldSnapshots: + Description: 'What permissions for the "AWS Old Snapshots" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + - Read and Take Action + ## AWS Open S3 Buckets + paramPermsAWSOpenS3Buckets: + Description: 'What permissions for the "AWS Open S3 Buckets" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Oversized S3 Buckets + paramPermsAWSOversizedS3Buckets: + Description: 'What permissions for the "AWS Oversized S3 Buckets" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Publicly Accessible CloudTrail S3 Buckets + paramPermsAWSPubliclyAccessibleCloudTrailS3Buckets: + Description: 'What permissions for the "AWS Publicly Accessible CloudTrail S3 Buckets" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Publicly Accessible RDS Instances + paramPermsAWSPubliclyAccessibleRDSInstances: + Description: 'What permissions for the "AWS Publicly Accessible RDS Instances" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + - Read and Take Action + ## AWS RDS Instances With Unapproved Backup Settings + paramPermsAWSRDSInstancesWithUnapprovedBackupSettings: + Description: 'What permissions for the "AWS RDS Instances With Unapproved Backup Settings" Policy Template should be granted on the AWS Role that will be created?' 
+ Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Regions Without Access Analyzer Enabled + paramPermsAWSRegionsWithoutAccessAnalyzerEnabled: + Description: 'What permissions for the "AWS Regions Without Access Analyzer Enabled" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Regions Without Config Fully Enabled + paramPermsAWSRegionsWithoutConfigFullyEnabled: + Description: 'What permissions for the "AWS Regions Without Config Fully Enabled" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Regions Without Default EBS Encryption + paramPermsAWSRegionsWithoutDefaultEBSEncryption: + Description: 'What permissions for the "AWS Regions Without Default EBS Encryption" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Reserved Instances Coverage + paramPermsAWSReservedInstancesCoverage: + Description: 'What permissions for the "AWS Reserved Instances Coverage" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Reserved Instances Recommendations + paramPermsAWSReservedInstancesRecommendations: + Description: 'What permissions for the "AWS Reserved Instances Recommendations" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Rightsize EBS Volumes + paramPermsAWSRightsizeEBSVolumes: + Description: 'What permissions for the "AWS Rightsize EBS Volumes" Policy Template should be granted on the AWS Role that will be created?' 
+ Type: String + Default: None + AllowedValues: + - None + - Read Only + - Read and Take Action + ## AWS Rightsize EC2 Instances + paramPermsAWSRightsizeEC2Instances: + Description: 'What permissions for the "AWS Rightsize EC2 Instances" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + - Read and Take Action + ## AWS Rightsize ElastiCache + paramPermsAWSRightsizeElastiCache: + Description: 'What permissions for the "AWS Rightsize ElastiCache" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + - Read and Take Action + ## AWS Rightsize RDS Instances + paramPermsAWSRightsizeRDSInstances: + Description: 'What permissions for the "AWS Rightsize RDS Instances" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + - Read and Take Action + ## AWS Rightsize Redshift + paramPermsAWSRightsizeRedshift: + Description: 'What permissions for the "AWS Rightsize Redshift" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + - Read and Take Action + ## AWS S3 Buckets Accepting HTTP Requests + paramPermsAWSS3BucketsAcceptingHTTPRequests: + Description: 'What permissions for the "AWS S3 Buckets Accepting HTTP Requests" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS S3 Buckets Without Default Encryption Configuration + paramPermsAWSS3BucketsWithoutDefaultEncryptionConfiguration: + Description: 'What permissions for the "AWS S3 Buckets Without Default Encryption Configuration" Policy Template should be granted on the AWS Role that will be created?' 
+ Type: String + Default: None + AllowedValues: + - None + - Read Only + - Read and Take Action + ## AWS S3 Buckets Without Intelligent Tiering + paramPermsAWSS3BucketsWithoutIntelligentTiering: + Description: 'What permissions for the "AWS S3 Buckets Without Intelligent Tiering" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS S3 Buckets Without Lifecycle Configuration + paramPermsAWSS3BucketsWithoutLifecycleConfiguration: + Description: 'What permissions for the "AWS S3 Buckets Without Lifecycle Configuration" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS S3 Buckets Without MFA Delete Enabled + paramPermsAWSS3BucketsWithoutMFADeleteEnabled: + Description: 'What permissions for the "AWS S3 Buckets Without MFA Delete Enabled" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS S3 Buckets Without Public Access Blocked + paramPermsAWSS3BucketsWithoutPublicAccessBlocked: + Description: 'What permissions for the "AWS S3 Buckets Without Public Access Blocked" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS S3 Buckets Without Server Access Logging + paramPermsAWSS3BucketsWithoutServerAccessLogging: + Description: 'What permissions for the "AWS S3 Buckets Without Server Access Logging" Policy Template should be granted on the AWS Role that will be created?' 
+ Type: String + Default: None + AllowedValues: + - None + - Read Only + - Read and Take Action + ## AWS S3 Incomplete Multi-Part Uploads + paramPermsAWSS3IncompleteMultiPartUploads: + Description: 'What permissions for the "AWS S3 Incomplete Multi-Part Uploads" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + - Read and Take Action + ## AWS Savings Plan Recommendations + paramPermsAWSSavingsPlanRecommendations: + Description: 'What permissions for the "AWS Savings Plan Recommendations" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Savings Plan Utilization + paramPermsAWSSavingsPlanUtilization: + Description: 'What permissions for the "AWS Savings Plan Utilization" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Schedule Instance + paramPermsAWSScheduleInstance: + Description: 'What permissions for the "AWS Schedule Instance" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Scheduled EC2 Events + paramPermsAWSScheduledEC2Events: + Description: 'What permissions for the "AWS Scheduled EC2 Events" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Superseded EBS Volumes + paramPermsAWSSupersededEBSVolumes: + Description: 'What permissions for the "AWS Superseded EBS Volumes" Policy Template should be granted on the AWS Role that will be created?' 
+ Type: String + Default: None + AllowedValues: + - None + - Read Only + - Read and Take Action + ## AWS Superseded EC2 Instances + paramPermsAWSSupersededEC2Instances: + Description: 'What permissions for the "AWS Superseded EC2 Instances" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + - Read and Take Action + ## AWS Superseded EC2 Instances + paramPermsAWSSupersededEC2Instances: + Description: 'What permissions for the "AWS Superseded EC2 Instances" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + - Read and Take Action + ## AWS Tag Cardinality Report + paramPermsAWSTagCardinalityReport: + Description: 'What permissions for the "AWS Tag Cardinality Report" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Unencrypted EBS Volumes + paramPermsAWSUnencryptedEBSVolumes: + Description: 'What permissions for the "AWS Unencrypted EBS Volumes" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Unencrypted RDS Instances + paramPermsAWSUnencryptedRDSInstances: + Description: 'What permissions for the "AWS Unencrypted RDS Instances" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + - Read and Take Action + ## AWS Untagged Resources + paramPermsAWSUntaggedResources: + Description: 'What permissions for the "AWS Untagged Resources" Policy Template should be granted on the AWS Role that will be created?' 
+ Type: String + Default: None + AllowedValues: + - None + - Read Only + - Read and Take Action + ## AWS Unused Application Load Balancers + paramPermsAWSUnusedApplicationLoadBalancers: + Description: 'What permissions for the "AWS Unused Application Load Balancers" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + - Read and Take Action + ## AWS Unused Classic Load Balancers + paramPermsAWSUnusedClassicLoadBalancers: + Description: 'What permissions for the "AWS Unused Classic Load Balancers" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + - Read and Take Action + ## AWS Unused ECS Clusters + paramPermsAWSUnusedECSClusters: + Description: 'What permissions for the "AWS Unused ECS Clusters" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + - Read and Take Action + ## AWS Unused IAM Credentials + paramPermsAWSUnusedIAMCredentials: + Description: 'What permissions for the "AWS Unused IAM Credentials" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Unused IP Addresses + paramPermsAWSUnusedIPAddresses: + Description: 'What permissions for the "AWS Unused IP Addresses" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + - Read and Take Action + ## AWS Unused Network Load Balancers + paramPermsAWSUnusedNetworkLoadBalancers: + Description: 'What permissions for the "AWS Unused Network Load Balancers" Policy Template should be granted on the AWS Role that will be created?' 
+ Type: String + Default: None + AllowedValues: + - None + - Read Only + - Read and Take Action + ## AWS VPCs Without FlowLogs Enabled + paramPermsAWSVPCsWithoutFlowLogsEnabled: + Description: 'What permissions for the "AWS VPCs Without FlowLogs Enabled" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## Common Bill Ingestion from AWS S3 Object Storage + paramPermsCommonBillIngestionfromAWSS3ObjectStorage: + Description: 'What permissions for the "Common Bill Ingestion from AWS S3 Object Storage" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + + # End for each policy template + paramPermsAttachExistingPolicies: + Description: 'Existing IAM Permission Policies to attach to the IAM Role that will be created. Optional, comma separated list of IAM Policy ARNs -- i.e. arn:aws:iam::aws:policy/ReadOnlyAccess' + Type: String + # AWS Managed Policy ARN: arn:aws:iam::aws:policy/ReadOnlyAccess + # Customer Managed Policy ARN: arn:aws:iam::123456789012:policy/CustomPolicy + AllowedPattern: '^((arn:aws:iam::(\d{12}|aws)?:policy\/[\w+=,.@-]{1,128})(,)?)*$' + ConstraintDescription: 'Malformed IAM Policy ARN. 
Must match pattern ^((arn:aws:iam::(\d{12}|aws)?:policy\/[\w+=,.@-]{1,128})(,)?)*$' + +Conditions: + ## All AWS Policy Templates + CreatePolicyAllAWSPolicyTemplatesRead: !Not + - !Equals + - !Ref paramPermsAllAWSPolicyTemplates + - None + CreatePolicyAllAWSPolicyTemplatesAction: !Equals + - !Ref paramPermsAllAWSPolicyTemplates + - Read and Take Action + ## AWS Account Credentials + CreatePolicyAWSAccountCredentialsRead: !Not + - !Equals + - !Ref paramPermsAWSAccountCredentials + - None + ## AWS Accounts Missing Service Control Policies + CreatePolicyAWSAccountsMissingServiceControlPoliciesRead: !Not + - !Equals + - !Ref paramPermsAWSAccountsMissingServiceControlPolicies + - None + ## AWS Burstable EC2 Instances + CreatePolicyAWSBurstableEC2InstancesRead: !Not + - !Equals + - !Ref paramPermsAWSBurstableEC2Instances + - None + CreatePolicyAWSBurstableEC2InstancesAction: !Equals + - !Ref paramPermsAWSBurstableEC2Instances + - Read and Take Action + ## AWS CloudTrail Not Enabled In All Regions + CreatePolicyAWSCloudTrailNotEnabledInAllRegionsRead: !Not + - !Equals + - !Ref paramPermsAWSCloudTrailNotEnabledInAllRegions + - None + ## AWS CloudTrail S3 Buckets Without Access Logging + CreatePolicyAWSCloudTrailS3BucketsWithoutAccessLoggingRead: !Not + - !Equals + - !Ref paramPermsAWSCloudTrailS3BucketsWithoutAccessLogging + - None + ## AWS CloudTrails Not Integrated With CloudWatch + CreatePolicyAWSCloudTrailsNotIntegratedWithCloudWatchRead: !Not + - !Equals + - !Ref paramPermsAWSCloudTrailsNotIntegratedWithCloudWatch + - None + ## AWS CloudTrails With Read Logging Enabled + CreatePolicyAWSCloudTrailsWithReadLoggingEnabledRead: !Not + - !Equals + - !Ref paramPermsAWSCloudTrailsWithReadLoggingEnabled + - None + CreatePolicyAWSCloudTrailsWithReadLoggingEnabledAction: !Equals + - !Ref paramPermsAWSCloudTrailsWithReadLoggingEnabled + - Read and Take Action + ## AWS CloudTrails Without Encrypted Logs + CreatePolicyAWSCloudTrailsWithoutEncryptedLogsRead: !Not + - !Equals + - 
!Ref paramPermsAWSCloudTrailsWithoutEncryptedLogs + - None + ## AWS CloudTrails Without Log File Validation Enabled + CreatePolicyAWSCloudTrailsWithoutLogFileValidationEnabledRead: !Not + - !Equals + - !Ref paramPermsAWSCloudTrailsWithoutLogFileValidationEnabled + - None + ## AWS CloudTrails Without Object-level Events Logging Enabled + CreatePolicyAWSCloudTrailsWithoutObjectlevelEventsLoggingEnabledRead: !Not + - !Equals + - !Ref paramPermsAWSCloudTrailsWithoutObjectlevelEventsLoggingEnabled + - None + ## AWS Customer Managed Keys (CMKs) Without Rotation Enabled + CreatePolicyAWSCustomerManagedKeysCMKsWithoutRotationEnabledRead: !Not + - !Equals + - !Ref paramPermsAWSCustomerManagedKeysCMKsWithoutRotationEnabled + - None + ## AWS Disallowed Regions + CreatePolicyAWSDisallowedRegionsRead: !Not + - !Equals + - !Ref paramPermsAWSDisallowedRegions + - None + CreatePolicyAWSDisallowedRegionsAction: !Equals + - !Ref paramPermsAWSDisallowedRegions + - Read and Take Action + ## AWS EC2 Compute Optimizer Recommendations + CreatePolicyAWSEC2ComputeOptimizerRecommendationsRead: !Not + - !Equals + - !Ref paramPermsAWSEC2ComputeOptimizerRecommendations + - None + CreatePolicyAWSEC2ComputeOptimizerRecommendationsAction: !Equals + - !Ref paramPermsAWSEC2ComputeOptimizerRecommendations + - Read and Take Action + ## AWS EC2 Instances Time Stopped Report + CreatePolicyAWSEC2InstancesTimeStoppedReportRead: !Not + - !Equals + - !Ref paramPermsAWSEC2InstancesTimeStoppedReport + - None + CreatePolicyAWSEC2InstancesTimeStoppedReportAction: !Equals + - !Ref paramPermsAWSEC2InstancesTimeStoppedReport + - Read and Take Action + ## AWS EC2 Instances not running FlexNet Inventory Agent + CreatePolicyAWSEC2InstancesnotrunningFlexNetInventoryAgentRead: !Not + - !Equals + - !Ref paramPermsAWSEC2InstancesnotrunningFlexNetInventoryAgent + - None + ## AWS EKS Clusters Without Spot Instances + CreatePolicyAWSEKSClustersWithoutSpotInstancesRead: !Not + - !Equals + - !Ref 
paramPermsAWSEKSClustersWithoutSpotInstances + - None + ## AWS Elastic Load Balancers With Unencrypted Listeners + CreatePolicyAWSElasticLoadBalancersWithUnencryptedListenersRead: !Not + - !Equals + - !Ref paramPermsAWSElasticLoadBalancersWithUnencryptedListeners + - None + ## AWS Expiring Savings Plans + CreatePolicyAWSExpiringSavingsPlansRead: !Not + - !Equals + - !Ref paramPermsAWSExpiringSavingsPlans + - None + ## AWS IAM Account Missing Support Role + CreatePolicyAWSIAMAccountMissingSupportRoleRead: !Not + - !Equals + - !Ref paramPermsAWSIAMAccountMissingSupportRole + - None + ## AWS IAM Attached Admin Policies + CreatePolicyAWSIAMAttachedAdminPoliciesRead: !Not + - !Equals + - !Ref paramPermsAWSIAMAttachedAdminPolicies + - None + ## AWS IAM Expired SSL/TLS Certificates + CreatePolicyAWSIAMExpiredSSLTLSCertificatesRead: !Not + - !Equals + - !Ref paramPermsAWSIAMExpiredSSLTLSCertificates + - None + ## AWS IAM Insufficient Required Password Length + CreatePolicyAWSIAMInsufficientRequiredPasswordLengthRead: !Not + - !Equals + - !Ref paramPermsAWSIAMInsufficientRequiredPasswordLength + - None + ## AWS IAM Password Policy Not Restricting Password Reuse + CreatePolicyAWSIAMPasswordPolicyNotRestrictingPasswordReuseRead: !Not + - !Equals + - !Ref paramPermsAWSIAMPasswordPolicyNotRestrictingPasswordReuse + - None + ## AWS IAM Role Audit + CreatePolicyAWSIAMRoleAuditRead: !Not + - !Equals + - !Ref paramPermsAWSIAMRoleAudit + - None + ## AWS IAM Root Account Access Keys + CreatePolicyAWSIAMRootAccountAccessKeysRead: !Not + - !Equals + - !Ref paramPermsAWSIAMRootAccountAccessKeys + - None + ## AWS IAM Root User Account Without Hardware MFA + CreatePolicyAWSIAMRootUserAccountWithoutHardwareMFARead: !Not + - !Equals + - !Ref paramPermsAWSIAMRootUserAccountWithoutHardwareMFA + - None + ## AWS IAM Root User Account Without MFA + CreatePolicyAWSIAMRootUserAccountWithoutMFARead: !Not + - !Equals + - !Ref paramPermsAWSIAMRootUserAccountWithoutMFA + - None + ## AWS IAM Root User 
Doing Everyday Tasks + CreatePolicyAWSIAMRootUserDoingEverydayTasksRead: !Not + - !Equals + - !Ref paramPermsAWSIAMRootUserDoingEverydayTasks + - None + ## AWS IAM User Accounts Without MFA + CreatePolicyAWSIAMUserAccountsWithoutMFARead: !Not + - !Equals + - !Ref paramPermsAWSIAMUserAccountsWithoutMFA + - None + ## AWS IAM Users With Directly-Attached Policies + CreatePolicyAWSIAMUsersWithDirectlyAttachedPoliciesRead: !Not + - !Equals + - !Ref paramPermsAWSIAMUsersWithDirectlyAttachedPolicies + - None + ## AWS IAM Users With Multiple Active Access Keys + CreatePolicyAWSIAMUsersWithMultipleActiveAccessKeysRead: !Not + - !Equals + - !Ref paramPermsAWSIAMUsersWithMultipleActiveAccessKeys + - None + ## AWS IAM Users With Old Access Keys + CreatePolicyAWSIAMUsersWithOldAccessKeysRead: !Not + - !Equals + - !Ref paramPermsAWSIAMUsersWithOldAccessKeys + - None + ## AWS Idle NAT Gateways + CreatePolicyAWSIdleNATGatewaysRead: !Not + - !Equals + - !Ref paramPermsAWSIdleNATGateways + - None + CreatePolicyAWSIdleNATGatewaysAction: !Equals + - !Ref paramPermsAWSIdleNATGateways + - Read and Take Action + ## AWS Internet-Accessible Elastic Load Balancers + CreatePolicyAWSInternetAccessibleElasticLoadBalancersRead: !Not + - !Equals + - !Ref paramPermsAWSInternetAccessibleElasticLoadBalancers + - None + CreatePolicyAWSInternetAccessibleElasticLoadBalancersAction: !Equals + - !Ref paramPermsAWSInternetAccessibleElasticLoadBalancers + - Read and Take Action + ## AWS Lambda Functions With High Error Rate + CreatePolicyAWSLambdaFunctionsWithHighErrorRateRead: !Not + - !Equals + - !Ref paramPermsAWSLambdaFunctionsWithHighErrorRate + - None + ## AWS Lambda Functions Without Provisioned Concurrency + CreatePolicyAWSLambdaFunctionsWithoutProvisionedConcurrencyRead: !Not + - !Equals + - !Ref paramPermsAWSLambdaFunctionsWithoutProvisionedConcurrency + - None + ## AWS Long Running Instances + CreatePolicyAWSLongRunningInstancesRead: !Not + - !Equals + - !Ref paramPermsAWSLongRunningInstances + 
- None + CreatePolicyAWSLongRunningInstancesAction: !Equals + - !Ref paramPermsAWSLongRunningInstances + - Read and Take Action + ## AWS Long Stopped EC2 Instances + CreatePolicyAWSLongStoppedEC2InstancesRead: !Not + - !Equals + - !Ref paramPermsAWSLongStoppedEC2Instances + - None + CreatePolicyAWSLongStoppedEC2InstancesAction: !Equals + - !Ref paramPermsAWSLongStoppedEC2Instances + - Read and Take Action + ## AWS Missing Regions + CreatePolicyAWSMissingRegionsRead: !Not + - !Equals + - !Ref paramPermsAWSMissingRegions + - None + ## AWS Old Snapshots + CreatePolicyAWSOldSnapshotsRead: !Not + - !Equals + - !Ref paramPermsAWSOldSnapshots + - None + CreatePolicyAWSOldSnapshotsAction: !Equals + - !Ref paramPermsAWSOldSnapshots + - Read and Take Action + ## AWS Open S3 Buckets + CreatePolicyAWSOpenS3BucketsRead: !Not + - !Equals + - !Ref paramPermsAWSOpenS3Buckets + - None + ## AWS Oversized S3 Buckets + CreatePolicyAWSOversizedS3BucketsRead: !Not + - !Equals + - !Ref paramPermsAWSOversizedS3Buckets + - None + ## AWS Publicly Accessible CloudTrail S3 Buckets + CreatePolicyAWSPubliclyAccessibleCloudTrailS3BucketsRead: !Not + - !Equals + - !Ref paramPermsAWSPubliclyAccessibleCloudTrailS3Buckets + - None + ## AWS Publicly Accessible RDS Instances + CreatePolicyAWSPubliclyAccessibleRDSInstancesRead: !Not + - !Equals + - !Ref paramPermsAWSPubliclyAccessibleRDSInstances + - None + CreatePolicyAWSPubliclyAccessibleRDSInstancesAction: !Equals + - !Ref paramPermsAWSPubliclyAccessibleRDSInstances + - Read and Take Action + ## AWS RDS Instances With Unapproved Backup Settings + CreatePolicyAWSRDSInstancesWithUnapprovedBackupSettingsRead: !Not + - !Equals + - !Ref paramPermsAWSRDSInstancesWithUnapprovedBackupSettings + - None + ## AWS Regions Without Access Analyzer Enabled + CreatePolicyAWSRegionsWithoutAccessAnalyzerEnabledRead: !Not + - !Equals + - !Ref paramPermsAWSRegionsWithoutAccessAnalyzerEnabled + - None + ## AWS Regions Without Config Fully Enabled + 
CreatePolicyAWSRegionsWithoutConfigFullyEnabledRead: !Not + - !Equals + - !Ref paramPermsAWSRegionsWithoutConfigFullyEnabled + - None + ## AWS Regions Without Default EBS Encryption + CreatePolicyAWSRegionsWithoutDefaultEBSEncryptionRead: !Not + - !Equals + - !Ref paramPermsAWSRegionsWithoutDefaultEBSEncryption + - None + ## AWS Reserved Instances Coverage + CreatePolicyAWSReservedInstancesCoverageRead: !Not + - !Equals + - !Ref paramPermsAWSReservedInstancesCoverage + - None + ## AWS Reserved Instances Recommendations + CreatePolicyAWSReservedInstancesRecommendationsRead: !Not + - !Equals + - !Ref paramPermsAWSReservedInstancesRecommendations + - None + ## AWS Rightsize EBS Volumes + CreatePolicyAWSRightsizeEBSVolumesRead: !Not + - !Equals + - !Ref paramPermsAWSRightsizeEBSVolumes + - None + CreatePolicyAWSRightsizeEBSVolumesAction: !Equals + - !Ref paramPermsAWSRightsizeEBSVolumes + - Read and Take Action + ## AWS Rightsize EC2 Instances + CreatePolicyAWSRightsizeEC2InstancesRead: !Not + - !Equals + - !Ref paramPermsAWSRightsizeEC2Instances + - None + CreatePolicyAWSRightsizeEC2InstancesAction: !Equals + - !Ref paramPermsAWSRightsizeEC2Instances + - Read and Take Action + ## AWS Rightsize ElastiCache + CreatePolicyAWSRightsizeElastiCacheRead: !Not + - !Equals + - !Ref paramPermsAWSRightsizeElastiCache + - None + CreatePolicyAWSRightsizeElastiCacheAction: !Equals + - !Ref paramPermsAWSRightsizeElastiCache + - Read and Take Action + ## AWS Rightsize RDS Instances + CreatePolicyAWSRightsizeRDSInstancesRead: !Not + - !Equals + - !Ref paramPermsAWSRightsizeRDSInstances + - None + CreatePolicyAWSRightsizeRDSInstancesAction: !Equals + - !Ref paramPermsAWSRightsizeRDSInstances + - Read and Take Action + ## AWS Rightsize Redshift + CreatePolicyAWSRightsizeRedshiftRead: !Not + - !Equals + - !Ref paramPermsAWSRightsizeRedshift + - None + CreatePolicyAWSRightsizeRedshiftAction: !Equals + - !Ref paramPermsAWSRightsizeRedshift + - Read and Take Action + ## AWS S3 Buckets 
Accepting HTTP Requests + CreatePolicyAWSS3BucketsAcceptingHTTPRequestsRead: !Not + - !Equals + - !Ref paramPermsAWSS3BucketsAcceptingHTTPRequests + - None + ## AWS S3 Buckets Without Default Encryption Configuration + CreatePolicyAWSS3BucketsWithoutDefaultEncryptionConfigurationRead: !Not + - !Equals + - !Ref paramPermsAWSS3BucketsWithoutDefaultEncryptionConfiguration + - None + CreatePolicyAWSS3BucketsWithoutDefaultEncryptionConfigurationAction: !Equals + - !Ref paramPermsAWSS3BucketsWithoutDefaultEncryptionConfiguration + - Read and Take Action + ## AWS S3 Buckets Without Intelligent Tiering + CreatePolicyAWSS3BucketsWithoutIntelligentTieringRead: !Not + - !Equals + - !Ref paramPermsAWSS3BucketsWithoutIntelligentTiering + - None + ## AWS S3 Buckets Without Lifecycle Configuration + CreatePolicyAWSS3BucketsWithoutLifecycleConfigurationRead: !Not + - !Equals + - !Ref paramPermsAWSS3BucketsWithoutLifecycleConfiguration + - None + ## AWS S3 Buckets Without MFA Delete Enabled + CreatePolicyAWSS3BucketsWithoutMFADeleteEnabledRead: !Not + - !Equals + - !Ref paramPermsAWSS3BucketsWithoutMFADeleteEnabled + - None + ## AWS S3 Buckets Without Public Access Blocked + CreatePolicyAWSS3BucketsWithoutPublicAccessBlockedRead: !Not + - !Equals + - !Ref paramPermsAWSS3BucketsWithoutPublicAccessBlocked + - None + ## AWS S3 Buckets Without Server Access Logging + CreatePolicyAWSS3BucketsWithoutServerAccessLoggingRead: !Not + - !Equals + - !Ref paramPermsAWSS3BucketsWithoutServerAccessLogging + - None + CreatePolicyAWSS3BucketsWithoutServerAccessLoggingAction: !Equals + - !Ref paramPermsAWSS3BucketsWithoutServerAccessLogging + - Read and Take Action + ## AWS S3 Incomplete Multi-Part Uploads + CreatePolicyAWSS3IncompleteMultiPartUploadsRead: !Not + - !Equals + - !Ref paramPermsAWSS3IncompleteMultiPartUploads + - None + CreatePolicyAWSS3IncompleteMultiPartUploadsAction: !Equals + - !Ref paramPermsAWSS3IncompleteMultiPartUploads + - Read and Take Action + ## AWS Savings Plan 
Recommendations + CreatePolicyAWSSavingsPlanRecommendationsRead: !Not + - !Equals + - !Ref paramPermsAWSSavingsPlanRecommendations + - None + ## AWS Savings Plan Utilization + CreatePolicyAWSSavingsPlanUtilizationRead: !Not + - !Equals + - !Ref paramPermsAWSSavingsPlanUtilization + - None + ## AWS Schedule Instance + CreatePolicyAWSScheduleInstanceRead: !Not + - !Equals + - !Ref paramPermsAWSScheduleInstance + - None + ## AWS Scheduled EC2 Events + CreatePolicyAWSScheduledEC2EventsRead: !Not + - !Equals + - !Ref paramPermsAWSScheduledEC2Events + - None + ## AWS Superseded EBS Volumes + CreatePolicyAWSSupersededEBSVolumesRead: !Not + - !Equals + - !Ref paramPermsAWSSupersededEBSVolumes + - None + CreatePolicyAWSSupersededEBSVolumesAction: !Equals + - !Ref paramPermsAWSSupersededEBSVolumes + - Read and Take Action + ## AWS Superseded EC2 Instances + CreatePolicyAWSSupersededEC2InstancesRead: !Not + - !Equals + - !Ref paramPermsAWSSupersededEC2Instances + - None + CreatePolicyAWSSupersededEC2InstancesAction: !Equals + - !Ref paramPermsAWSSupersededEC2Instances + - Read and Take Action + ## AWS Superseded EC2 Instances + CreatePolicyAWSSupersededEC2InstancesRead: !Not + - !Equals + - !Ref paramPermsAWSSupersededEC2Instances + - None + CreatePolicyAWSSupersededEC2InstancesAction: !Equals + - !Ref paramPermsAWSSupersededEC2Instances + - Read and Take Action + ## AWS Tag Cardinality Report + CreatePolicyAWSTagCardinalityReportRead: !Not + - !Equals + - !Ref paramPermsAWSTagCardinalityReport + - None + ## AWS Unencrypted EBS Volumes + CreatePolicyAWSUnencryptedEBSVolumesRead: !Not + - !Equals + - !Ref paramPermsAWSUnencryptedEBSVolumes + - None + ## AWS Unencrypted RDS Instances + CreatePolicyAWSUnencryptedRDSInstancesRead: !Not + - !Equals + - !Ref paramPermsAWSUnencryptedRDSInstances + - None + CreatePolicyAWSUnencryptedRDSInstancesAction: !Equals + - !Ref paramPermsAWSUnencryptedRDSInstances + - Read and Take Action + ## AWS Untagged Resources + 
CreatePolicyAWSUntaggedResourcesRead: !Not + - !Equals + - !Ref paramPermsAWSUntaggedResources + - None + CreatePolicyAWSUntaggedResourcesAction: !Equals + - !Ref paramPermsAWSUntaggedResources + - Read and Take Action + ## AWS Unused Application Load Balancers + CreatePolicyAWSUnusedApplicationLoadBalancersRead: !Not + - !Equals + - !Ref paramPermsAWSUnusedApplicationLoadBalancers + - None + CreatePolicyAWSUnusedApplicationLoadBalancersAction: !Equals + - !Ref paramPermsAWSUnusedApplicationLoadBalancers + - Read and Take Action + ## AWS Unused Classic Load Balancers + CreatePolicyAWSUnusedClassicLoadBalancersRead: !Not + - !Equals + - !Ref paramPermsAWSUnusedClassicLoadBalancers + - None + CreatePolicyAWSUnusedClassicLoadBalancersAction: !Equals + - !Ref paramPermsAWSUnusedClassicLoadBalancers + - Read and Take Action + ## AWS Unused ECS Clusters + CreatePolicyAWSUnusedECSClustersRead: !Not + - !Equals + - !Ref paramPermsAWSUnusedECSClusters + - None + CreatePolicyAWSUnusedECSClustersAction: !Equals + - !Ref paramPermsAWSUnusedECSClusters + - Read and Take Action + ## AWS Unused IAM Credentials + CreatePolicyAWSUnusedIAMCredentialsRead: !Not + - !Equals + - !Ref paramPermsAWSUnusedIAMCredentials + - None + ## AWS Unused IP Addresses + CreatePolicyAWSUnusedIPAddressesRead: !Not + - !Equals + - !Ref paramPermsAWSUnusedIPAddresses + - None + CreatePolicyAWSUnusedIPAddressesAction: !Equals + - !Ref paramPermsAWSUnusedIPAddresses + - Read and Take Action + ## AWS Unused Network Load Balancers + CreatePolicyAWSUnusedNetworkLoadBalancersRead: !Not + - !Equals + - !Ref paramPermsAWSUnusedNetworkLoadBalancers + - None + CreatePolicyAWSUnusedNetworkLoadBalancersAction: !Equals + - !Ref paramPermsAWSUnusedNetworkLoadBalancers + - Read and Take Action + ## AWS VPCs Without FlowLogs Enabled + CreatePolicyAWSVPCsWithoutFlowLogsEnabledRead: !Not + - !Equals + - !Ref paramPermsAWSVPCsWithoutFlowLogsEnabled + - None + ## Common Bill Ingestion from AWS S3 Object Storage + 
CreatePolicyCommonBillIngestionfromAWSS3ObjectStorageRead: !Not + - !Equals + - !Ref paramPermsCommonBillIngestionfromAWSS3ObjectStorage + - None + + # End for each policy template + ValueProvidedparamPermsAttachExistingPolicies: !Not + - !Equals + - !Ref paramPermsAttachExistingPolicies + - "" + +Mappings: + TrustedRoleMap: + app.flexera.com: + roleArn: "arn:aws:iam::451234325714:role/production_customer_access" + app.flexera.eu: + roleArn: "arn:aws:iam::451234325714:role/production_eu_customer_access" + app.flexera.au: + roleArn: "arn:aws:iam::451234325714:role/production_apac_customer_access" + app.flexeratest.com: + roleArn: "arn:aws:iam::274571843445:role/staging_customer_access" + PermissionMap: + # Begin IAM Permissions Map + # Expect 2 lists for each Policy Template (read and action) + ## All AWS Policy Templates + AllAWSPolicyTemplates: + read: + - "access-analyzer:ListAnalyzers" + - "ce:GetReservationCoverage" + - "ce:GetReservationPurchaseRecommendation" + - "ce:GetSavingsPlansPurchaseRecommendation" + - "ce:GetSavingsPlansUtilization" + - "cloudtrail:DescribeTrails" + - "cloudtrail:GetEventSelectors" + - "cloudtrail:GetTrailStatus" + - "cloudtrail:LookupEvents" + - "cloudwatch:GetMetricData" + - "cloudwatch:GetMetricStatistics" + - "cloudwatch:ListMetrics" + - "compute-optimizer:GetEC2InstanceRecommendations" + - "config:DescribeConfigurationRecorderStatus" + - "ec2:CreateTags" + - "ec2:DeleteTags" + - "ec2:DescribeAddresses" + - "ec2:DescribeFlowLogs" + - "ec2:DescribeImages" + - "ec2:DescribeInstanceStatus" + - "ec2:DescribeInstances" + - "ec2:DescribeNatGateways" + - "ec2:DescribeRegions" + - "ec2:DescribeSnapshots" + - "ec2:DescribeTags" + - "ec2:DescribeVolumes" + - "ec2:DescribeVpcs" + - "ec2:GetEbsEncryptionByDefault" + - "ec2:StartInstances" + - "ec2:StopInstances" + - "ec2:TerminateInstances" + - "ecs:DescribeClusters" + - "ecs:ListClusters" + - "eks:DescribeCluster" + - "eks:DescribeNodegroup" + - "eks:ListClusters" + - "eks:ListNodegroups" + 
- "elasticache:DescribeCacheClusters" + - "elasticache:ListTagsForResource" + - "elasticloadbalancing:DescribeInstanceHealth" + - "elasticloadbalancing:DescribeListeners" + - "elasticloadbalancing:DescribeLoadBalancers" + - "elasticloadbalancing:DescribeTags" + - "elasticloadbalancing:DescribeTargetGroups" + - "elasticloadbalancing:DescribeTargetHealth" + - "iam:GenerateCredentialReport" + - "iam:GetAccountPasswordPolicy" + - "iam:GetAccountSummary" + - "iam:GetCredentialReport" + - "iam:GetPolicyVersion" + - "iam:ListAccessKeys" + - "iam:ListAttachedUserPolicies" + - "iam:ListEntitiesForPolicy" + - "iam:ListPolicies" + - "iam:ListRoleTags" + - "iam:ListRoles" + - "iam:ListServerCertificates" + - "iam:ListUserPolicies" + - "iam:ListUsers" + - "iam:ListVirtualMFADevices" + - "kms:CreateGrant" + - "kms:Decrypt" + - "kms:GetKeyRotationStatus" + - "kms:ListKeys" + - "lambda:ListFunctions" + - "lambda:ListProvisionedConcurrencyConfigs" + - "lambda:ListTags" + - "lambda:ListVersionsByFunction" + - "organizations:ListAccounts" + - "organizations:ListPolicies" + - "organizations:ListPoliciesForTarget" + - "organizations:ListTagsForResource" + - "pricing:GetProducts" + - "rds:DescribeDBClusterSnapshots" + - "rds:DescribeDBClusters" + - "rds:DescribeDBInstances" + - "rds:DescribeDBSnapshots" + - "rds:DescribeOrderableDBInstanceOptions" + - "rds:ListTagsForResource" + - "redshift:DescribeClusters" + - "s3:GetBucketAcl" + - "s3:GetBucketLifecycleConfiguration" + - "s3:GetBucketLocation" + - "s3:GetBucketLogging" + - "s3:GetBucketPolicy" + - "s3:GetBucketPublicAccessBlock" + - "s3:GetBucketTagging" + - "s3:GetBucketVersioning" + - "s3:GetEncryptionConfiguration" + - "s3:GetIntelligentTieringConfiguration" + - "s3:GetObject" + - "s3:ListAllMyBuckets" + - "s3:ListBucketMultipartUploads" + - "s3:ListMultipartUploadParts" + - "savingsplans:DescribeSavingsPlans" + - "sts:GetCallerIdentity" + - "tag:GetResources" + action: + - "cloudtrail:PutEventSelectors" + - "ec2:DeleteNatGateway" 
+ - "ec2:DeleteSnapshot" + - "ec2:DeregisterImage" + - "ec2:DescribeInstanceStatus" + - "ec2:ModifyInstanceAttribute" + - "ec2:ModifyVolume" + - "ec2:ReleaseAddress" + - "ec2:StartInstances" + - "ec2:StopInstances" + - "ec2:TerminateInstances" + - "ecs:DeleteCluster" + - "elasticache:ModifyCacheCluster" + - "elasticloadbalancing:DeleteLoadBalancer" + - "organizations:TagResource" + - "rds:DeleteDBClusterSnapshot" + - "rds:DeleteDBInstance" + - "rds:DeleteDBSnapshot" + - "rds:ModifyDBInstance" + - "redshift:ModifyCluster" + - "s3:AbortMultipartUpload" + - "s3:DeleteBucket" + - "s3:PutBucketLogging" + - "s3:PutEncryptionConfiguration" + - "tag:TagResources" + ## AWS Account Credentials + AWSAccountCredentials: + read: + - "sts:GetCallerIdentity" + action: [] + ## AWS Accounts Missing Service Control Policies + AWSAccountsMissingServiceControlPolicies: + read: + - "organizations:ListPolicies" + - "organizations:ListAccounts" + - "organizations:ListPoliciesForTarget" + action: [] + ## AWS Burstable EC2 Instances + AWSBurstableEC2Instances: + read: + - "sts:GetCallerIdentity" + - "cloudwatch:GetMetricData" + - "cloudwatch:ListMetrics" + - "ec2:DescribeRegions" + - "ec2:DescribeInstances" + - "ec2:DescribeTags" + action: + - "ec2:DescribeInstanceStatus" + - "ec2:ModifyInstanceAttribute" + - "ec2:StartInstances" + - "ec2:StopInstances" + ## AWS CloudTrail Not Enabled In All Regions + AWSCloudTrailNotEnabledInAllRegions: + read: + - "sts:GetCallerIdentity" + - "cloudtrail:DescribeTrails" + - "cloudtrail:GetTrailStatus" + - "cloudtrail:GetEventSelectors" + action: [] + ## AWS CloudTrail S3 Buckets Without Access Logging + AWSCloudTrailS3BucketsWithoutAccessLogging: + read: + - "sts:GetCallerIdentity" + - "cloudtrail:DescribeTrails" + - "s3:GetBucketLocation" + - "s3:GetBucketLogging" + action: [] + ## AWS CloudTrails Not Integrated With CloudWatch + AWSCloudTrailsNotIntegratedWithCloudWatch: + read: + - "sts:GetCallerIdentity" + - "cloudtrail:DescribeTrails" + - 
"cloudtrail:GetTrailStatus" + action: [] + ## AWS CloudTrails With Read Logging Enabled + AWSCloudTrailsWithReadLoggingEnabled: + read: + - "sts:GetCallerIdentity" + - "cloudtrail:DescribeTrails" + - "cloudtrail:GetEventSelectors" + action: + - "cloudtrail:PutEventSelectors" + ## AWS CloudTrails Without Encrypted Logs + AWSCloudTrailsWithoutEncryptedLogs: + read: + - "sts:GetCallerIdentity" + - "cloudtrail:DescribeTrails" + action: [] + ## AWS CloudTrails Without Log File Validation Enabled + AWSCloudTrailsWithoutLogFileValidationEnabled: + read: + - "sts:GetCallerIdentity" + - "cloudtrail:DescribeTrails" + action: [] + ## AWS CloudTrails Without Object-level Events Logging Enabled + AWSCloudTrailsWithoutObjectlevelEventsLoggingEnabled: + read: + - "sts:GetCallerIdentity" + - "cloudtrail:DescribeTrails" + - "cloudtrail:GetEventSelectors" + action: [] + ## AWS Customer Managed Keys (CMKs) Without Rotation Enabled + AWSCustomerManagedKeysCMKsWithoutRotationEnabled: + read: + - "sts:GetCallerIdentity" + - "ec2:DescribeRegions" + - "kms:ListKeys" + - "kms:GetKeyRotationStatus" + action: [] + ## AWS Disallowed Regions + AWSDisallowedRegions: + read: + - "sts:GetCallerIdentity" + - "ec2:DescribeRegions" + - "ec2:DescribeInstances" + action: + - "ec2:StopInstances" + - "ec2:TerminateInstances" + ## AWS EC2 Compute Optimizer Recommendations + AWSEC2ComputeOptimizerRecommendations: + read: + - "sts:GetCallerIdentity" + - "compute-optimizer:GetEC2InstanceRecommendations" + - "ec2:DescribeRegions" + - "ec2:DescribeInstances" + action: + - "ec2:ModifyInstanceAttribute" + - "ec2:StartInstances" + - "ec2:StopInstances" + ## AWS EC2 Instances Time Stopped Report + AWSEC2InstancesTimeStoppedReport: + read: + - "ec2:DescribeRegions" + - "ec2:DescribeInstances" + - "sts:GetCallerIdentity" + action: + - "ec2:DescribeInstanceStatus" + - "ec2:StopInstances" + - "ec2:TerminateInstances" + ## AWS EC2 Instances not running FlexNet Inventory Agent + 
AWSEC2InstancesnotrunningFlexNetInventoryAgent: + read: + - "ec2:DescribeRegions" + - "ec2:DescribeInstances" + action: [] + ## AWS EKS Clusters Without Spot Instances + AWSEKSClustersWithoutSpotInstances: + read: + - "sts:GetCallerIdentity" + - "ec2:DescribeRegions" + - "eks:ListClusters" + - "eks:ListNodegroups" + - "eks:DescribeCluster" + - "eks:DescribeNodegroup" + action: [] + ## AWS Elastic Load Balancers With Unencrypted Listeners + AWSElasticLoadBalancersWithUnencryptedListeners: + read: + - "sts:GetCallerIdentity" + - "ec2:DescribeRegions" + - "elasticloadbalancing:DescribeLoadBalancers" + - "elasticloadbalancing:DescribeTags" + - "elasticloadbalancing:DescribeListeners" + action: [] + ## AWS Expiring Savings Plans + AWSExpiringSavingsPlans: + read: + - "savingsplans:DescribeSavingsPlans" + action: [] + ## AWS IAM Account Missing Support Role + AWSIAMAccountMissingSupportRole: + read: + - "sts:GetCallerIdentity" + - "iam:ListPolicies" + - "iam:ListEntitiesForPolicy" + action: [] + ## AWS IAM Attached Admin Policies + AWSIAMAttachedAdminPolicies: + read: + - "sts:GetCallerIdentity" + - "iam:ListPolicies" + - "iam:GetPolicyVersion" + action: [] + ## AWS IAM Expired SSL/TLS Certificates + AWSIAMExpiredSSLTLSCertificates: + read: + - "sts:GetCallerIdentity" + - "iam:ListServerCertificates" + action: [] + ## AWS IAM Insufficient Required Password Length + AWSIAMInsufficientRequiredPasswordLength: + read: + - "sts:GetCallerIdentity" + - "iam:GetAccountPasswordPolicy" + action: [] + ## AWS IAM Password Policy Not Restricting Password Reuse + AWSIAMPasswordPolicyNotRestrictingPasswordReuse: + read: + - "sts:GetCallerIdentity" + - "iam:GetAccountPasswordPolicy" + action: [] + ## AWS IAM Role Audit + AWSIAMRoleAudit: + read: + - "sts:GetCallerIdentity" + - "iam:ListRoles" + - "iam:ListRoleTags" + action: [] + ## AWS IAM Root Account Access Keys + AWSIAMRootAccountAccessKeys: + read: + - "sts:GetCallerIdentity" + - "iam:GetAccountSummary" + action: [] + ## AWS IAM 
Root User Account Without Hardware MFA + AWSIAMRootUserAccountWithoutHardwareMFA: + read: + - "sts:GetCallerIdentity" + - "iam:GetAccountSummary" + - "iam:ListVirtualMFADevices" + action: [] + ## AWS IAM Root User Account Without MFA + AWSIAMRootUserAccountWithoutMFA: + read: + - "sts:GetCallerIdentity" + - "iam:GetAccountSummary" + - "iam:ListVirtualMFADevices" + action: [] + ## AWS IAM Root User Doing Everyday Tasks + AWSIAMRootUserDoingEverydayTasks: + read: + - "sts:GetCallerIdentity" + - "iam:GenerateCredentialReport" + - "iam:GetCredentialReport" + action: [] + ## AWS IAM User Accounts Without MFA + AWSIAMUserAccountsWithoutMFA: + read: + - "sts:GetCallerIdentity" + - "iam:GenerateCredentialReport" + - "iam:GetCredentialReport" + action: [] + ## AWS IAM Users With Directly-Attached Policies + AWSIAMUsersWithDirectlyAttachedPolicies: + read: + - "sts:GetCallerIdentity" + - "iam:ListUsers" + - "iam:ListUserPolicies" + - "iam:ListAttachedUserPolicies" + action: [] + ## AWS IAM Users With Multiple Active Access Keys + AWSIAMUsersWithMultipleActiveAccessKeys: + read: + - "sts:GetCallerIdentity" + - "iam:ListUsers" + - "iam:ListAccessKeys" + action: [] + ## AWS IAM Users With Old Access Keys + AWSIAMUsersWithOldAccessKeys: + read: + - "sts:GetCallerIdentity" + - "iam:GenerateCredentialReport" + - "iam:GetCredentialReport" + action: [] + ## AWS Idle NAT Gateways + AWSIdleNATGateways: + read: + - "ec2:DescribeRegions" + - "ec2:DescribeNatGateways" + - "sts:GetCallerIdentity" + action: + - "ec2:DeleteNatGateway" + ## AWS Internet-Accessible Elastic Load Balancers + AWSInternetAccessibleElasticLoadBalancers: + read: + - "sts:GetCallerIdentity" + - "ec2:DescribeRegions" + - "elasticloadbalancing:DescribeLoadBalancers" + - "elasticloadbalancing:DescribeTags" + - "elasticloadbalancing:DescribeListeners" + action: + - "elasticloadbalancing:DeleteLoadBalancer" + ## AWS Lambda Functions With High Error Rate + AWSLambdaFunctionsWithHighErrorRate: + read: + - 
"sts:GetCallerIdentity" + - "ec2:DescribeRegions" + - "lambda:ListFunctions" + - "lambda:ListTags" + - "cloudwatch:ListMetrics" + - "cloudwatch:GetMetricData" + action: [] + ## AWS Lambda Functions Without Provisioned Concurrency + AWSLambdaFunctionsWithoutProvisionedConcurrency: + read: + - "sts:GetCallerIdentity" + - "ec2:DescribeRegions" + - "lambda:ListFunctions" + - "lambda:ListTags" + - "lambda:ListProvisionedConcurrencyConfigs" + - "lambda:ListVersionsByFunction" + action: [] + ## AWS Long Running Instances + AWSLongRunningInstances: + read: + - "ec2:DescribeRegions" + - "ec2:DescribeInstances" + - "sts:GetCallerIdentity" + action: + - "ec2:DescribeInstanceStatus" + - "ec2:StopInstances" + - "ec2:TerminateInstances" + ## AWS Long Stopped EC2 Instances + AWSLongStoppedEC2Instances: + read: + - "ec2:DescribeRegions" + - "ec2:DescribeInstances" + - "cloudwatch:GetMetricStatistics" + - "cloudwatch:GetMetricData" + - "cloudwatch:ListMetrics" + - "sts:GetCallerIdentity" + action: + - "ec2:DescribeInstanceStatus" + - "ec2:TerminateInstances" + ## AWS Missing Regions + AWSMissingRegions: + read: + - "ec2:DescribeRegions" + - "ec2:DescribeInstances" + - "sts:GetCallerIdentity" + action: [] + ## AWS Old Snapshots + AWSOldSnapshots: + read: + - "ec2:DescribeRegions" + - "ec2:DescribeImages" + - "ec2:DescribeSnapshots" + - "rds:DescribeDBInstances" + - "rds:DescribeDBSnapshots" + - "rds:DescribeDBClusters" + - "rds:DescribeDBClusterSnapshots" + - "sts:GetCallerIdentity" + - "cloudtrail:LookupEvents" + action: + - "ec2:DeregisterImage" + - "ec2:DeleteSnapshot" + - "rds:DeleteDBClusterSnapshot" + - "rds:DeleteDBSnapshot" + ## AWS Open S3 Buckets + AWSOpenS3Buckets: + read: + - "s3:ListAllMyBuckets" + - "s3:GetBucketLocation" + - "s3:GetBucketAcl" + - "sts:GetCallerIdentity" + action: [] + ## AWS Oversized S3 Buckets + AWSOversizedS3Buckets: + read: + - "s3:ListAllMyBuckets" + - "s3:GetBucketLocation" + - "s3:GetBucketTagging" + - "cloudwatch:ListMetrics" + - 
"cloudwatch:GetMetricData" + - "sts:GetCallerIdentity" + action: [] + ## AWS Publicly Accessible CloudTrail S3 Buckets + AWSPubliclyAccessibleCloudTrailS3Buckets: + read: + - "sts:GetCallerIdentity" + - "cloudtrail:DescribeTrails" + - "s3:GetBucketLocation" + - "s3:GetBucketAcl" + - "s3:GetBucketPolicy" + action: [] + ## AWS Publicly Accessible RDS Instances + AWSPubliclyAccessibleRDSInstances: + read: + - "sts:GetCallerIdentity" + - "ec2:DescribeRegions" + - "rds:DescribeDBInstances" + - "rds:ListTagsForResource" + action: + - "rds:ModifyDBInstance" + - "rds:DeleteDBInstance" + ## AWS RDS Instances With Unapproved Backup Settings + AWSRDSInstancesWithUnapprovedBackupSettings: + read: + - "sts:GetCallerIdentity" + - "ec2:DescribeRegions" + - "rds:DescribeDBInstances" + - "rds:ListTagsForResource" + action: [] + ## AWS Regions Without Access Analyzer Enabled + AWSRegionsWithoutAccessAnalyzerEnabled: + read: + - "sts:GetCallerIdentity" + - "ec2:DescribeRegions" + - "access-analyzer:ListAnalyzers" + action: [] + ## AWS Regions Without Config Fully Enabled + AWSRegionsWithoutConfigFullyEnabled: + read: + - "sts:GetCallerIdentity" + - "ec2:DescribeRegions" + - "config:DescribeConfigurationRecorderStatus" + action: [] + ## AWS Regions Without Default EBS Encryption + AWSRegionsWithoutDefaultEBSEncryption: + read: + - "sts:GetCallerIdentity" + - "ec2:DescribeRegions" + - "ec2:GetEbsEncryptionByDefault" + action: [] + ## AWS Reserved Instances Coverage + AWSReservedInstancesCoverage: + read: + - "ce:GetReservationCoverage" + action: [] + ## AWS Reserved Instances Recommendations + AWSReservedInstancesRecommendations: + read: + - "ce:GetReservationPurchaseRecommendation" + action: [] + ## AWS Rightsize EBS Volumes + AWSRightsizeEBSVolumes: + read: + - "ec2:DescribeRegions" + - "ec2:DescribeVolumes" + - "pricing:GetProducts" + action: + - "ec2:ModifyVolume" + ## AWS Rightsize EC2 Instances + AWSRightsizeEC2Instances: + read: + - "ec2:DescribeRegions" + - 
"ec2:DescribeInstances" + - "ec2:DescribeTags" + - "cloudwatch:GetMetricStatistics" + - "cloudwatch:GetMetricData" + - "cloudwatch:ListMetrics" + - "sts:GetCallerIdentity" + action: + - "ec2:DescribeInstanceStatus" + - "ec2:ModifyInstanceAttribute" + - "ec2:StartInstances" + - "ec2:StopInstances" + - "ec2:TerminateInstances" + ## AWS Rightsize ElastiCache + AWSRightsizeElastiCache: + read: + - "sts:GetCallerIdentity" + - "cloudwatch:GetMetricData" + - "ec2:DescribeRegions" + - "elasticache:DescribeCacheClusters" + - "elasticache:ListTagsForResource" + action: + - "elasticache:ModifyCacheCluster" + ## AWS Rightsize RDS Instances + AWSRightsizeRDSInstances: + read: + - "sts:GetCallerIdentity" + - "cloudwatch:GetMetricStatistics" + - "cloudwatch:GetMetricData" + - "ec2:DescribeRegions" + - "rds:DescribeDBInstances" + - "rds:ListTagsForResource" + - "rds:DescribeOrderableDBInstanceOptions" + action: + - "rds:ModifyDBInstance" + - "rds:DeleteDBInstance" + ## AWS Rightsize Redshift + AWSRightsizeRedshift: + read: + - "sts:GetCallerIdentity" + - "cloudwatch:GetMetricData" + - "ec2:DescribeRegions" + - "redshift:DescribeClusters" + action: + - "redshift:ModifyCluster" + ## AWS S3 Buckets Accepting HTTP Requests + AWSS3BucketsAcceptingHTTPRequests: + read: + - "sts:GetCallerIdentity" + - "s3:ListAllMyBuckets" + - "s3:GetBucketLocation" + - "s3:GetBucketTagging" + - "s3:GetBucketPolicy" + action: [] + ## AWS S3 Buckets Without Default Encryption Configuration + AWSS3BucketsWithoutDefaultEncryptionConfiguration: + read: + - "sts:GetCallerIdentity" + - "s3:ListAllMyBuckets" + - "s3:GetBucketLocation" + - "s3:GetBucketTagging" + - "s3:GetEncryptionConfiguration" + action: + - "s3:PutEncryptionConfiguration" + - "s3:DeleteBucket" + ## AWS S3 Buckets Without Intelligent Tiering + AWSS3BucketsWithoutIntelligentTiering: + read: + - "s3:ListAllMyBuckets" + - "s3:GetBucketLocation" + - "s3:GetBucketTagging" + - "s3:GetIntelligentTieringConfiguration" + - "sts:GetCallerIdentity" + 
action: [] + ## AWS S3 Buckets Without Lifecycle Configuration + AWSS3BucketsWithoutLifecycleConfiguration: + read: + - "s3:ListAllMyBuckets" + - "s3:GetBucketLocation" + - "s3:GetBucketTagging" + - "s3:GetBucketLifecycleConfiguration" + - "sts:GetCallerIdentity" + action: [] + ## AWS S3 Buckets Without MFA Delete Enabled + AWSS3BucketsWithoutMFADeleteEnabled: + read: + - "sts:GetCallerIdentity" + - "s3:ListAllMyBuckets" + - "s3:GetBucketLocation" + - "s3:GetBucketTagging" + - "s3:GetBucketVersioning" + action: [] + ## AWS S3 Buckets Without Public Access Blocked + AWSS3BucketsWithoutPublicAccessBlocked: + read: + - "sts:GetCallerIdentity" + - "s3:ListAllMyBuckets" + - "s3:GetBucketLocation" + - "s3:GetBucketTagging" + - "s3:GetBucketPublicAccessBlock" + action: [] + ## AWS S3 Buckets Without Server Access Logging + AWSS3BucketsWithoutServerAccessLogging: + read: + - "sts:GetCallerIdentity" + - "s3:ListAllMyBuckets" + - "s3:GetBucketLocation" + - "s3:GetBucketTagging" + - "s3:GetBucketLogging" + action: + - "s3:PutBucketLogging" + ## AWS S3 Incomplete Multi-Part Uploads + AWSS3IncompleteMultiPartUploads: + read: + - "sts:GetCallerIdentity" + - "s3:ListAllMyBuckets" + - "s3:GetBucketLocation" + - "s3:GetBucketTagging" + - "s3:ListBucketMultipartUploads" + - "s3:ListMultipartUploadParts" + action: + - "s3:AbortMultipartUpload" + ## AWS Savings Plan Recommendations + AWSSavingsPlanRecommendations: + read: + - "ce:GetSavingsPlansPurchaseRecommendation" + action: [] + ## AWS Savings Plan Utilization + AWSSavingsPlanUtilization: + read: + - "ce:GetSavingsPlansUtilization" + - "savingsplans:DescribeSavingsPlans" + action: [] + ## AWS Schedule Instance + AWSScheduleInstance: + read: + - "ec2:DescribeInstances" + - "ec2:StartInstances" + - "ec2:StopInstances" + - "ec2:DeleteTags" + - "ec2:DescribeRegions" + - "kms:CreateGrant" + - "kms:Decrypt" + - "ec2:CreateTags" + - "ec2:TerminateInstances" + action: [] + ## AWS Scheduled EC2 Events + AWSScheduledEC2Events: + read: + - 
"ec2:DescribeInstances" + - "ec2:DescribeInstanceStatus" + - "ec2:DescribeRegions" + - "sts:GetCallerIdentity" + action: [] + ## AWS Superseded EBS Volumes + AWSSupersededEBSVolumes: + read: + - "sts:GetCallerIdentity" + - "ec2:DescribeRegions" + - "ec2:DescribeVolumes" + - "pricing:GetProducts" + action: + - "ec2:ModifyVolume" + ## AWS Superseded EC2 Instances + AWSSupersededEC2Instances: + read: + - "ec2:DescribeRegions" + - "ec2:DescribeInstances" + - "ec2:DescribeTags" + - "sts:GetCallerIdentity" + action: + - "ec2:DescribeInstanceStatus" + - "ec2:ModifyInstanceAttribute" + - "ec2:StartInstances" + - "ec2:StopInstances" + ## AWS Superseded EC2 Instances + AWSSupersededEC2Instances: + read: + - "ec2:DescribeRegions" + - "ec2:DescribeInstances" + - "ec2:DescribeTags" + - "sts:GetCallerIdentity" + action: + - "ec2:DescribeInstanceStatus" + - "ec2:ModifyInstanceAttribute" + - "ec2:StartInstances" + - "ec2:StopInstances" + ## AWS Tag Cardinality Report + AWSTagCardinalityReport: + read: + - "tag:GetResources" + - "ec2:DescribeRegions" + - "organizations:ListAccounts" + - "organizations:ListTagsForResource" + action: [] + ## AWS Unencrypted EBS Volumes + AWSUnencryptedEBSVolumes: + read: + - "sts:GetCallerIdentity" + - "ec2:DescribeRegions" + - "ec2:DescribeVolumes" + action: [] + ## AWS Unencrypted RDS Instances + AWSUnencryptedRDSInstances: + read: + - "sts:GetCallerIdentity" + - "ec2:DescribeRegions" + - "rds:DescribeDBInstances" + - "rds:ListTagsForResource" + action: + - "rds:DeleteDBInstance" + ## AWS Untagged Resources + AWSUntaggedResources: + read: + - "sts:GetCallerIdentity" + - "ec2:DescribeRegions" + - "tag:GetResources" + action: + - "tag:TagResources" + - "organizations:TagResource" + ## AWS Unused Application Load Balancers + AWSUnusedApplicationLoadBalancers: + read: + - "sts:GetCallerIdentity" + - "ec2:DescribeRegions" + - "elasticloadbalancing:DescribeLoadBalancers" + - "elasticloadbalancing:DescribeListeners" + - "elasticloadbalancing:DescribeTags" 
+ - "elasticloadbalancing:DescribeTargetGroups" + - "elasticloadbalancing:DescribeTargetHealth" + action: + - "elasticloadbalancing:DeleteLoadBalancer" + ## AWS Unused Classic Load Balancers + AWSUnusedClassicLoadBalancers: + read: + - "sts:GetCallerIdentity" + - "ec2:DescribeRegions" + - "elasticloadbalancing:DescribeLoadBalancers" + - "elasticloadbalancing:DescribeInstanceHealth" + - "elasticloadbalancing:DescribeTags" + action: + - "elasticloadbalancing:DeleteLoadBalancer" + ## AWS Unused ECS Clusters + AWSUnusedECSClusters: + read: + - "sts:GetCallerIdentity" + - "ec2:DescribeRegions" + - "ecs:ListClusters" + - "ecs:DescribeClusters" + action: + - "ecs:DeleteCluster" + ## AWS Unused IAM Credentials + AWSUnusedIAMCredentials: + read: + - "sts:GetCallerIdentity" + - "iam:GenerateCredentialReport" + - "iam:GetCredentialReport" + action: [] + ## AWS Unused IP Addresses + AWSUnusedIPAddresses: + read: + - "ec2:DescribeRegions" + - "ec2:DescribeAddresses" + - "sts:GetCallerIdentity" + - "cloudtrail:LookupEvents" + action: + - "ec2:ReleaseAddress" + ## AWS Unused Network Load Balancers + AWSUnusedNetworkLoadBalancers: + read: + - "sts:GetCallerIdentity" + - "ec2:DescribeRegions" + - "elasticloadbalancing:DescribeLoadBalancers" + - "elasticloadbalancing:DescribeListeners" + - "elasticloadbalancing:DescribeTags" + - "elasticloadbalancing:DescribeTargetGroups" + - "elasticloadbalancing:DescribeTargetHealth" + action: + - "elasticloadbalancing:DeleteLoadBalancer" + ## AWS VPCs Without FlowLogs Enabled + AWSVPCsWithoutFlowLogsEnabled: + read: + - "sts:GetCallerIdentity" + - "ec2:DescribeRegions" + - "ec2:DescribeVpcs" + - "ec2:DescribeFlowLogs" + action: [] + ## Common Bill Ingestion from AWS S3 Object Storage + CommonBillIngestionfromAWSS3ObjectStorage: + read: + - "s3:GetObject" + action: [] + + # End for each policy template + +Resources: + # IAM Role Resource + iamRole: + Type: "AWS::IAM::Role" + Properties: + RoleName: !Ref paramRoleName + Description: !Join + - " " + 
- - "Allows access from Flexera Platform. This IAM Role and the attached permission policies were created and are managed by CloudFormation Stack:" + - !Ref AWS::StackId + Path: !Ref paramRolePath + AssumeRolePolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Principal: + AWS: !FindInMap + - TrustedRoleMap + - !Ref paramFlexeraZone + - roleArn + Action: "sts:AssumeRole" + Condition: + StringEquals: + "sts:ExternalId": !Ref paramFlexeraOrgId + # ManagedPolicyArns value is conditional based on input paramPermsAttachExistingPolicies + ManagedPolicyArns: !If + - ValueProvidedparamPermsAttachExistingPolicies + # If value is provided for paramPermsAttachExistingPolicies, split that comma-separated list into a list object + - !Split [ ",", !Ref paramPermsAttachExistingPolicies ] + # Provide a null value if nothing provided for paramPermsAttachExistingPolicies + - !Ref AWS::NoValue + # Begin IAM Permission Policy Resources + # 1 or 2 Permission Policies per Policy Template (read and action) + # Policy create/attachment is conditional based on parameter input for each policy + ## All AWS Policy Templates + iamPolicyAllAWSPolicyTemplatesRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAllAWSPolicyTemplatesRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AllAWSPolicyTemplatesReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AllAWSPolicyTemplates + - read + Resource: "*" + iamPolicyAllAWSPolicyTemplatesAction: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAllAWSPolicyTemplatesAction + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AllAWSPolicyTemplatesActionPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AllAWSPolicyTemplates + - action + Resource: "*" + ## AWS Account 
Credentials + iamPolicyAWSAccountCredentialsRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSAccountCredentialsRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSAccountCredentialsReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSAccountCredentials + - read + Resource: "*" + ## AWS Accounts Missing Service Control Policies + iamPolicyAWSAccountsMissingServiceControlPoliciesRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSAccountsMissingServiceControlPoliciesRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSAccountsMissingServiceControlPoliciesReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSAccountsMissingServiceControlPolicies + - read + Resource: "*" + ## AWS Burstable EC2 Instances + iamPolicyAWSBurstableEC2InstancesRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSBurstableEC2InstancesRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSBurstableEC2InstancesReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSBurstableEC2Instances + - read + Resource: "*" + iamPolicyAWSBurstableEC2InstancesAction: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSBurstableEC2InstancesAction + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSBurstableEC2InstancesActionPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSBurstableEC2Instances + - action + Resource: "*" + ## AWS CloudTrail Not Enabled In All Regions + iamPolicyAWSCloudTrailNotEnabledInAllRegionsRead: + Type: "AWS::IAM::Policy" + 
Condition: CreatePolicyAWSCloudTrailNotEnabledInAllRegionsRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSCloudTrailNotEnabledInAllRegionsReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSCloudTrailNotEnabledInAllRegions + - read + Resource: "*" + ## AWS CloudTrail S3 Buckets Without Access Logging + iamPolicyAWSCloudTrailS3BucketsWithoutAccessLoggingRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSCloudTrailS3BucketsWithoutAccessLoggingRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSCloudTrailS3BucketsWithoutAccessLoggingReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSCloudTrailS3BucketsWithoutAccessLogging + - read + Resource: "*" + ## AWS CloudTrails Not Integrated With CloudWatch + iamPolicyAWSCloudTrailsNotIntegratedWithCloudWatchRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSCloudTrailsNotIntegratedWithCloudWatchRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSCloudTrailsNotIntegratedWithCloudWatchReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSCloudTrailsNotIntegratedWithCloudWatch + - read + Resource: "*" + ## AWS CloudTrails With Read Logging Enabled + iamPolicyAWSCloudTrailsWithReadLoggingEnabledRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSCloudTrailsWithReadLoggingEnabledRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSCloudTrailsWithReadLoggingEnabledReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSCloudTrailsWithReadLoggingEnabled + - read 
+ Resource: "*" + iamPolicyAWSCloudTrailsWithReadLoggingEnabledAction: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSCloudTrailsWithReadLoggingEnabledAction + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSCloudTrailsWithReadLoggingEnabledActionPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSCloudTrailsWithReadLoggingEnabled + - action + Resource: "*" + ## AWS CloudTrails Without Encrypted Logs + iamPolicyAWSCloudTrailsWithoutEncryptedLogsRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSCloudTrailsWithoutEncryptedLogsRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSCloudTrailsWithoutEncryptedLogsReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSCloudTrailsWithoutEncryptedLogs + - read + Resource: "*" + ## AWS CloudTrails Without Log File Validation Enabled + iamPolicyAWSCloudTrailsWithoutLogFileValidationEnabledRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSCloudTrailsWithoutLogFileValidationEnabledRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSCloudTrailsWithoutLogFileValidationEnabledReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSCloudTrailsWithoutLogFileValidationEnabled + - read + Resource: "*" + ## AWS CloudTrails Without Object-level Events Logging Enabled + iamPolicyAWSCloudTrailsWithoutObjectlevelEventsLoggingEnabledRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSCloudTrailsWithoutObjectlevelEventsLoggingEnabledRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSCloudTrailsWithoutObjectlevelEventsLoggingEnabledReadPermissionPolicy + Roles: + - !Ref iamRole + 
PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSCloudTrailsWithoutObjectlevelEventsLoggingEnabled + - read + Resource: "*" + ## AWS Customer Managed Keys (CMKs) Without Rotation Enabled + iamPolicyAWSCustomerManagedKeysCMKsWithoutRotationEnabledRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSCustomerManagedKeysCMKsWithoutRotationEnabledRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSCustomerManagedKeysCMKsWithoutRotationEnabledReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSCustomerManagedKeysCMKsWithoutRotationEnabled + - read + Resource: "*" + ## AWS Disallowed Regions + iamPolicyAWSDisallowedRegionsRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSDisallowedRegionsRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSDisallowedRegionsReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSDisallowedRegions + - read + Resource: "*" + iamPolicyAWSDisallowedRegionsAction: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSDisallowedRegionsAction + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSDisallowedRegionsActionPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSDisallowedRegions + - action + Resource: "*" + ## AWS EC2 Compute Optimizer Recommendations + iamPolicyAWSEC2ComputeOptimizerRecommendationsRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSEC2ComputeOptimizerRecommendationsRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSEC2ComputeOptimizerRecommendationsReadPermissionPolicy + Roles: + - !Ref iamRole + 
PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSEC2ComputeOptimizerRecommendations + - read + Resource: "*" + iamPolicyAWSEC2ComputeOptimizerRecommendationsAction: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSEC2ComputeOptimizerRecommendationsAction + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSEC2ComputeOptimizerRecommendationsActionPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSEC2ComputeOptimizerRecommendations + - action + Resource: "*" + ## AWS EC2 Instances Time Stopped Report + iamPolicyAWSEC2InstancesTimeStoppedReportRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSEC2InstancesTimeStoppedReportRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSEC2InstancesTimeStoppedReportReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSEC2InstancesTimeStoppedReport + - read + Resource: "*" + iamPolicyAWSEC2InstancesTimeStoppedReportAction: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSEC2InstancesTimeStoppedReportAction + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSEC2InstancesTimeStoppedReportActionPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSEC2InstancesTimeStoppedReport + - action + Resource: "*" + ## AWS EC2 Instances not running FlexNet Inventory Agent + iamPolicyAWSEC2InstancesnotrunningFlexNetInventoryAgentRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSEC2InstancesnotrunningFlexNetInventoryAgentRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSEC2InstancesnotrunningFlexNetInventoryAgentReadPermissionPolicy + 
Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSEC2InstancesnotrunningFlexNetInventoryAgent + - read + Resource: "*" + ## AWS EKS Clusters Without Spot Instances + iamPolicyAWSEKSClustersWithoutSpotInstancesRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSEKSClustersWithoutSpotInstancesRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSEKSClustersWithoutSpotInstancesReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSEKSClustersWithoutSpotInstances + - read + Resource: "*" + ## AWS Elastic Load Balancers With Unencrypted Listeners + iamPolicyAWSElasticLoadBalancersWithUnencryptedListenersRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSElasticLoadBalancersWithUnencryptedListenersRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSElasticLoadBalancersWithUnencryptedListenersReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSElasticLoadBalancersWithUnencryptedListeners + - read + Resource: "*" + ## AWS Expiring Savings Plans + iamPolicyAWSExpiringSavingsPlansRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSExpiringSavingsPlansRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSExpiringSavingsPlansReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSExpiringSavingsPlans + - read + Resource: "*" + ## AWS IAM Account Missing Support Role + iamPolicyAWSIAMAccountMissingSupportRoleRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSIAMAccountMissingSupportRoleRead + Properties: + PolicyName: !Join + - "_" + - - !Ref 
paramRoleName + - AWSIAMAccountMissingSupportRoleReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSIAMAccountMissingSupportRole + - read + Resource: "*" + ## AWS IAM Attached Admin Policies + iamPolicyAWSIAMAttachedAdminPoliciesRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSIAMAttachedAdminPoliciesRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSIAMAttachedAdminPoliciesReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSIAMAttachedAdminPolicies + - read + Resource: "*" + ## AWS IAM Expired SSL/TLS Certificates + iamPolicyAWSIAMExpiredSSLTLSCertificatesRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSIAMExpiredSSLTLSCertificatesRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSIAMExpiredSSLTLSCertificatesReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSIAMExpiredSSLTLSCertificates + - read + Resource: "*" + ## AWS IAM Insufficient Required Password Length + iamPolicyAWSIAMInsufficientRequiredPasswordLengthRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSIAMInsufficientRequiredPasswordLengthRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSIAMInsufficientRequiredPasswordLengthReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSIAMInsufficientRequiredPasswordLength + - read + Resource: "*" + ## AWS IAM Password Policy Not Restricting Password Reuse + iamPolicyAWSIAMPasswordPolicyNotRestrictingPasswordReuseRead: + Type: "AWS::IAM::Policy" + Condition: 
CreatePolicyAWSIAMPasswordPolicyNotRestrictingPasswordReuseRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSIAMPasswordPolicyNotRestrictingPasswordReuseReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSIAMPasswordPolicyNotRestrictingPasswordReuse + - read + Resource: "*" + ## AWS IAM Role Audit + iamPolicyAWSIAMRoleAuditRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSIAMRoleAuditRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSIAMRoleAuditReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSIAMRoleAudit + - read + Resource: "*" + ## AWS IAM Root Account Access Keys + iamPolicyAWSIAMRootAccountAccessKeysRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSIAMRootAccountAccessKeysRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSIAMRootAccountAccessKeysReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSIAMRootAccountAccessKeys + - read + Resource: "*" + ## AWS IAM Root User Account Without Hardware MFA + iamPolicyAWSIAMRootUserAccountWithoutHardwareMFARead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSIAMRootUserAccountWithoutHardwareMFARead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSIAMRootUserAccountWithoutHardwareMFAReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSIAMRootUserAccountWithoutHardwareMFA + - read + Resource: "*" + ## AWS IAM Root User Account Without MFA + iamPolicyAWSIAMRootUserAccountWithoutMFARead: + Type: "AWS::IAM::Policy" + Condition: 
CreatePolicyAWSIAMRootUserAccountWithoutMFARead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSIAMRootUserAccountWithoutMFAReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSIAMRootUserAccountWithoutMFA + - read + Resource: "*" + ## AWS IAM Root User Doing Everyday Tasks + iamPolicyAWSIAMRootUserDoingEverydayTasksRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSIAMRootUserDoingEverydayTasksRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSIAMRootUserDoingEverydayTasksReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSIAMRootUserDoingEverydayTasks + - read + Resource: "*" + ## AWS IAM User Accounts Without MFA + iamPolicyAWSIAMUserAccountsWithoutMFARead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSIAMUserAccountsWithoutMFARead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSIAMUserAccountsWithoutMFAReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSIAMUserAccountsWithoutMFA + - read + Resource: "*" + ## AWS IAM Users With Directly-Attached Policies + iamPolicyAWSIAMUsersWithDirectlyAttachedPoliciesRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSIAMUsersWithDirectlyAttachedPoliciesRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSIAMUsersWithDirectlyAttachedPoliciesReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSIAMUsersWithDirectlyAttachedPolicies + - read + Resource: "*" + ## AWS IAM Users With Multiple Active Access Keys + 
iamPolicyAWSIAMUsersWithMultipleActiveAccessKeysRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSIAMUsersWithMultipleActiveAccessKeysRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSIAMUsersWithMultipleActiveAccessKeysReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSIAMUsersWithMultipleActiveAccessKeys + - read + Resource: "*" + ## AWS IAM Users With Old Access Keys + iamPolicyAWSIAMUsersWithOldAccessKeysRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSIAMUsersWithOldAccessKeysRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSIAMUsersWithOldAccessKeysReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSIAMUsersWithOldAccessKeys + - read + Resource: "*" + ## AWS Idle NAT Gateways + iamPolicyAWSIdleNATGatewaysRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSIdleNATGatewaysRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSIdleNATGatewaysReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSIdleNATGateways + - read + Resource: "*" + iamPolicyAWSIdleNATGatewaysAction: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSIdleNATGatewaysAction + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSIdleNATGatewaysActionPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSIdleNATGateways + - action + Resource: "*" + ## AWS Internet-Accessible Elastic Load Balancers + iamPolicyAWSInternetAccessibleElasticLoadBalancersRead: + Type: "AWS::IAM::Policy" + Condition: 
CreatePolicyAWSInternetAccessibleElasticLoadBalancersRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSInternetAccessibleElasticLoadBalancersReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSInternetAccessibleElasticLoadBalancers + - read + Resource: "*" + iamPolicyAWSInternetAccessibleElasticLoadBalancersAction: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSInternetAccessibleElasticLoadBalancersAction + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSInternetAccessibleElasticLoadBalancersActionPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSInternetAccessibleElasticLoadBalancers + - action + Resource: "*" + ## AWS Lambda Functions With High Error Rate + iamPolicyAWSLambdaFunctionsWithHighErrorRateRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSLambdaFunctionsWithHighErrorRateRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSLambdaFunctionsWithHighErrorRateReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSLambdaFunctionsWithHighErrorRate + - read + Resource: "*" + ## AWS Lambda Functions Without Provisioned Concurrency + iamPolicyAWSLambdaFunctionsWithoutProvisionedConcurrencyRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSLambdaFunctionsWithoutProvisionedConcurrencyRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSLambdaFunctionsWithoutProvisionedConcurrencyReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSLambdaFunctionsWithoutProvisionedConcurrency + - read + Resource: "*" 
+ ## AWS Long Running Instances + iamPolicyAWSLongRunningInstancesRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSLongRunningInstancesRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSLongRunningInstancesReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSLongRunningInstances + - read + Resource: "*" + iamPolicyAWSLongRunningInstancesAction: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSLongRunningInstancesAction + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSLongRunningInstancesActionPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSLongRunningInstances + - action + Resource: "*" + ## AWS Long Stopped EC2 Instances + iamPolicyAWSLongStoppedEC2InstancesRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSLongStoppedEC2InstancesRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSLongStoppedEC2InstancesReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSLongStoppedEC2Instances + - read + Resource: "*" + iamPolicyAWSLongStoppedEC2InstancesAction: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSLongStoppedEC2InstancesAction + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSLongStoppedEC2InstancesActionPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSLongStoppedEC2Instances + - action + Resource: "*" + ## AWS Missing Regions + iamPolicyAWSMissingRegionsRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSMissingRegionsRead + Properties: + PolicyName: !Join + - "_" + - - !Ref 
paramRoleName + - AWSMissingRegionsReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSMissingRegions + - read + Resource: "*" + ## AWS Old Snapshots + iamPolicyAWSOldSnapshotsRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSOldSnapshotsRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSOldSnapshotsReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSOldSnapshots + - read + Resource: "*" + iamPolicyAWSOldSnapshotsAction: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSOldSnapshotsAction + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSOldSnapshotsActionPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSOldSnapshots + - action + Resource: "*" + ## AWS Open S3 Buckets + iamPolicyAWSOpenS3BucketsRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSOpenS3BucketsRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSOpenS3BucketsReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSOpenS3Buckets + - read + Resource: "*" + ## AWS Oversized S3 Buckets + iamPolicyAWSOversizedS3BucketsRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSOversizedS3BucketsRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSOversizedS3BucketsReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSOversizedS3Buckets + - read + Resource: "*" + ## AWS Publicly Accessible CloudTrail S3 Buckets + 
iamPolicyAWSPubliclyAccessibleCloudTrailS3BucketsRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSPubliclyAccessibleCloudTrailS3BucketsRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSPubliclyAccessibleCloudTrailS3BucketsReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSPubliclyAccessibleCloudTrailS3Buckets + - read + Resource: "*" + ## AWS Publicly Accessible RDS Instances + iamPolicyAWSPubliclyAccessibleRDSInstancesRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSPubliclyAccessibleRDSInstancesRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSPubliclyAccessibleRDSInstancesReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSPubliclyAccessibleRDSInstances + - read + Resource: "*" + iamPolicyAWSPubliclyAccessibleRDSInstancesAction: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSPubliclyAccessibleRDSInstancesAction + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSPubliclyAccessibleRDSInstancesActionPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSPubliclyAccessibleRDSInstances + - action + Resource: "*" + ## AWS RDS Instances With Unapproved Backup Settings + iamPolicyAWSRDSInstancesWithUnapprovedBackupSettingsRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSRDSInstancesWithUnapprovedBackupSettingsRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSRDSInstancesWithUnapprovedBackupSettingsReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - 
AWSRDSInstancesWithUnapprovedBackupSettings + - read + Resource: "*" + ## AWS Regions Without Access Analyzer Enabled + iamPolicyAWSRegionsWithoutAccessAnalyzerEnabledRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSRegionsWithoutAccessAnalyzerEnabledRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSRegionsWithoutAccessAnalyzerEnabledReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSRegionsWithoutAccessAnalyzerEnabled + - read + Resource: "*" + ## AWS Regions Without Config Fully Enabled + iamPolicyAWSRegionsWithoutConfigFullyEnabledRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSRegionsWithoutConfigFullyEnabledRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSRegionsWithoutConfigFullyEnabledReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSRegionsWithoutConfigFullyEnabled + - read + Resource: "*" + ## AWS Regions Without Default EBS Encryption + iamPolicyAWSRegionsWithoutDefaultEBSEncryptionRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSRegionsWithoutDefaultEBSEncryptionRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSRegionsWithoutDefaultEBSEncryptionReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSRegionsWithoutDefaultEBSEncryption + - read + Resource: "*" + ## AWS Reserved Instances Coverage + iamPolicyAWSReservedInstancesCoverageRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSReservedInstancesCoverageRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSReservedInstancesCoverageReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 
2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSReservedInstancesCoverage + - read + Resource: "*" + ## AWS Reserved Instances Recommendations + iamPolicyAWSReservedInstancesRecommendationsRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSReservedInstancesRecommendationsRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSReservedInstancesRecommendationsReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSReservedInstancesRecommendations + - read + Resource: "*" + ## AWS Rightsize EBS Volumes + iamPolicyAWSRightsizeEBSVolumesRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSRightsizeEBSVolumesRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSRightsizeEBSVolumesReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSRightsizeEBSVolumes + - read + Resource: "*" + iamPolicyAWSRightsizeEBSVolumesAction: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSRightsizeEBSVolumesAction + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSRightsizeEBSVolumesActionPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSRightsizeEBSVolumes + - action + Resource: "*" + ## AWS Rightsize EC2 Instances + iamPolicyAWSRightsizeEC2InstancesRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSRightsizeEC2InstancesRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSRightsizeEC2InstancesReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSRightsizeEC2Instances + - read + Resource: "*" + 
iamPolicyAWSRightsizeEC2InstancesAction: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSRightsizeEC2InstancesAction + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSRightsizeEC2InstancesActionPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSRightsizeEC2Instances + - action + Resource: "*" + ## AWS Rightsize ElastiCache + iamPolicyAWSRightsizeElastiCacheRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSRightsizeElastiCacheRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSRightsizeElastiCacheReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSRightsizeElastiCache + - read + Resource: "*" + iamPolicyAWSRightsizeElastiCacheAction: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSRightsizeElastiCacheAction + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSRightsizeElastiCacheActionPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSRightsizeElastiCache + - action + Resource: "*" + ## AWS Rightsize RDS Instances + iamPolicyAWSRightsizeRDSInstancesRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSRightsizeRDSInstancesRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSRightsizeRDSInstancesReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSRightsizeRDSInstances + - read + Resource: "*" + iamPolicyAWSRightsizeRDSInstancesAction: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSRightsizeRDSInstancesAction + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - 
AWSRightsizeRDSInstancesActionPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSRightsizeRDSInstances + - action + Resource: "*" + ## AWS Rightsize Redshift + iamPolicyAWSRightsizeRedshiftRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSRightsizeRedshiftRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSRightsizeRedshiftReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSRightsizeRedshift + - read + Resource: "*" + iamPolicyAWSRightsizeRedshiftAction: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSRightsizeRedshiftAction + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSRightsizeRedshiftActionPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSRightsizeRedshift + - action + Resource: "*" + ## AWS S3 Buckets Accepting HTTP Requests + iamPolicyAWSS3BucketsAcceptingHTTPRequestsRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSS3BucketsAcceptingHTTPRequestsRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSS3BucketsAcceptingHTTPRequestsReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSS3BucketsAcceptingHTTPRequests + - read + Resource: "*" + ## AWS S3 Buckets Without Default Encryption Configuration + iamPolicyAWSS3BucketsWithoutDefaultEncryptionConfigurationRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSS3BucketsWithoutDefaultEncryptionConfigurationRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSS3BucketsWithoutDefaultEncryptionConfigurationReadPermissionPolicy + Roles: + - !Ref 
iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSS3BucketsWithoutDefaultEncryptionConfiguration + - read + Resource: "*" + iamPolicyAWSS3BucketsWithoutDefaultEncryptionConfigurationAction: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSS3BucketsWithoutDefaultEncryptionConfigurationAction + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSS3BucketsWithoutDefaultEncryptionConfigurationActionPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSS3BucketsWithoutDefaultEncryptionConfiguration + - action + Resource: "*" + ## AWS S3 Buckets Without Intelligent Tiering + iamPolicyAWSS3BucketsWithoutIntelligentTieringRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSS3BucketsWithoutIntelligentTieringRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSS3BucketsWithoutIntelligentTieringReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSS3BucketsWithoutIntelligentTiering + - read + Resource: "*" + ## AWS S3 Buckets Without Lifecycle Configuration + iamPolicyAWSS3BucketsWithoutLifecycleConfigurationRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSS3BucketsWithoutLifecycleConfigurationRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSS3BucketsWithoutLifecycleConfigurationReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSS3BucketsWithoutLifecycleConfiguration + - read + Resource: "*" + ## AWS S3 Buckets Without MFA Delete Enabled + iamPolicyAWSS3BucketsWithoutMFADeleteEnabledRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSS3BucketsWithoutMFADeleteEnabledRead 
+ Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSS3BucketsWithoutMFADeleteEnabledReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSS3BucketsWithoutMFADeleteEnabled + - read + Resource: "*" + ## AWS S3 Buckets Without Public Access Blocked + iamPolicyAWSS3BucketsWithoutPublicAccessBlockedRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSS3BucketsWithoutPublicAccessBlockedRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSS3BucketsWithoutPublicAccessBlockedReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSS3BucketsWithoutPublicAccessBlocked + - read + Resource: "*" + ## AWS S3 Buckets Without Server Access Logging + iamPolicyAWSS3BucketsWithoutServerAccessLoggingRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSS3BucketsWithoutServerAccessLoggingRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSS3BucketsWithoutServerAccessLoggingReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSS3BucketsWithoutServerAccessLogging + - read + Resource: "*" + iamPolicyAWSS3BucketsWithoutServerAccessLoggingAction: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSS3BucketsWithoutServerAccessLoggingAction + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSS3BucketsWithoutServerAccessLoggingActionPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSS3BucketsWithoutServerAccessLogging + - action + Resource: "*" + ## AWS S3 Incomplete Multi-Part Uploads + iamPolicyAWSS3IncompleteMultiPartUploadsRead: + Type: 
"AWS::IAM::Policy" + Condition: CreatePolicyAWSS3IncompleteMultiPartUploadsRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSS3IncompleteMultiPartUploadsReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSS3IncompleteMultiPartUploads + - read + Resource: "*" + iamPolicyAWSS3IncompleteMultiPartUploadsAction: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSS3IncompleteMultiPartUploadsAction + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSS3IncompleteMultiPartUploadsActionPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSS3IncompleteMultiPartUploads + - action + Resource: "*" + ## AWS Savings Plan Recommendations + iamPolicyAWSSavingsPlanRecommendationsRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSSavingsPlanRecommendationsRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSSavingsPlanRecommendationsReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSSavingsPlanRecommendations + - read + Resource: "*" + ## AWS Savings Plan Utilization + iamPolicyAWSSavingsPlanUtilizationRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSSavingsPlanUtilizationRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSSavingsPlanUtilizationReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSSavingsPlanUtilization + - read + Resource: "*" + ## AWS Schedule Instance + iamPolicyAWSScheduleInstanceRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSScheduleInstanceRead + Properties: + PolicyName: !Join + - "_" + 
- - !Ref paramRoleName + - AWSScheduleInstanceReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSScheduleInstance + - read + Resource: "*" + ## AWS Scheduled EC2 Events + iamPolicyAWSScheduledEC2EventsRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSScheduledEC2EventsRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSScheduledEC2EventsReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSScheduledEC2Events + - read + Resource: "*" + ## AWS Superseded EBS Volumes + iamPolicyAWSSupersededEBSVolumesRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSSupersededEBSVolumesRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSSupersededEBSVolumesReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSSupersededEBSVolumes + - read + Resource: "*" + iamPolicyAWSSupersededEBSVolumesAction: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSSupersededEBSVolumesAction + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSSupersededEBSVolumesActionPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSSupersededEBSVolumes + - action + Resource: "*" + ## AWS Superseded EC2 Instances + iamPolicyAWSSupersededEC2InstancesRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSSupersededEC2InstancesRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSSupersededEC2InstancesReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + 
- AWSSupersededEC2Instances + - read + Resource: "*" + iamPolicyAWSSupersededEC2InstancesAction: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSSupersededEC2InstancesAction + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSSupersededEC2InstancesActionPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSSupersededEC2Instances + - action + Resource: "*" + ## AWS Superseded EC2 Instances + iamPolicyAWSSupersededEC2InstancesRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSSupersededEC2InstancesRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSSupersededEC2InstancesReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSSupersededEC2Instances + - read + Resource: "*" + iamPolicyAWSSupersededEC2InstancesAction: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSSupersededEC2InstancesAction + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSSupersededEC2InstancesActionPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSSupersededEC2Instances + - action + Resource: "*" + ## AWS Tag Cardinality Report + iamPolicyAWSTagCardinalityReportRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSTagCardinalityReportRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSTagCardinalityReportReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSTagCardinalityReport + - read + Resource: "*" + ## AWS Unencrypted EBS Volumes + iamPolicyAWSUnencryptedEBSVolumesRead: + Type: "AWS::IAM::Policy" + Condition: 
CreatePolicyAWSUnencryptedEBSVolumesRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSUnencryptedEBSVolumesReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSUnencryptedEBSVolumes + - read + Resource: "*" + ## AWS Unencrypted RDS Instances + iamPolicyAWSUnencryptedRDSInstancesRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSUnencryptedRDSInstancesRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSUnencryptedRDSInstancesReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSUnencryptedRDSInstances + - read + Resource: "*" + iamPolicyAWSUnencryptedRDSInstancesAction: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSUnencryptedRDSInstancesAction + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSUnencryptedRDSInstancesActionPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSUnencryptedRDSInstances + - action + Resource: "*" + ## AWS Untagged Resources + iamPolicyAWSUntaggedResourcesRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSUntaggedResourcesRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSUntaggedResourcesReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSUntaggedResources + - read + Resource: "*" + iamPolicyAWSUntaggedResourcesAction: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSUntaggedResourcesAction + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSUntaggedResourcesActionPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 
+ Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSUntaggedResources + - action + Resource: "*" + ## AWS Unused Application Load Balancers + iamPolicyAWSUnusedApplicationLoadBalancersRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSUnusedApplicationLoadBalancersRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSUnusedApplicationLoadBalancersReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSUnusedApplicationLoadBalancers + - read + Resource: "*" + iamPolicyAWSUnusedApplicationLoadBalancersAction: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSUnusedApplicationLoadBalancersAction + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSUnusedApplicationLoadBalancersActionPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSUnusedApplicationLoadBalancers + - action + Resource: "*" + ## AWS Unused Classic Load Balancers + iamPolicyAWSUnusedClassicLoadBalancersRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSUnusedClassicLoadBalancersRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSUnusedClassicLoadBalancersReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSUnusedClassicLoadBalancers + - read + Resource: "*" + iamPolicyAWSUnusedClassicLoadBalancersAction: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSUnusedClassicLoadBalancersAction + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSUnusedClassicLoadBalancersActionPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - 
AWSUnusedClassicLoadBalancers + - action + Resource: "*" + ## AWS Unused ECS Clusters + iamPolicyAWSUnusedECSClustersRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSUnusedECSClustersRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSUnusedECSClustersReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSUnusedECSClusters + - read + Resource: "*" + iamPolicyAWSUnusedECSClustersAction: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSUnusedECSClustersAction + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSUnusedECSClustersActionPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSUnusedECSClusters + - action + Resource: "*" + ## AWS Unused IAM Credentials + iamPolicyAWSUnusedIAMCredentialsRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSUnusedIAMCredentialsRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSUnusedIAMCredentialsReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSUnusedIAMCredentials + - read + Resource: "*" + ## AWS Unused IP Addresses + iamPolicyAWSUnusedIPAddressesRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSUnusedIPAddressesRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSUnusedIPAddressesReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSUnusedIPAddresses + - read + Resource: "*" + iamPolicyAWSUnusedIPAddressesAction: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSUnusedIPAddressesAction + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName 
+ - AWSUnusedIPAddressesActionPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSUnusedIPAddresses + - action + Resource: "*" + ## AWS Unused Network Load Balancers + iamPolicyAWSUnusedNetworkLoadBalancersRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSUnusedNetworkLoadBalancersRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSUnusedNetworkLoadBalancersReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSUnusedNetworkLoadBalancers + - read + Resource: "*" + iamPolicyAWSUnusedNetworkLoadBalancersAction: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSUnusedNetworkLoadBalancersAction + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSUnusedNetworkLoadBalancersActionPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSUnusedNetworkLoadBalancers + - action + Resource: "*" + ## AWS VPCs Without FlowLogs Enabled + iamPolicyAWSVPCsWithoutFlowLogsEnabledRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSVPCsWithoutFlowLogsEnabledRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSVPCsWithoutFlowLogsEnabledReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSVPCsWithoutFlowLogsEnabled + - read + Resource: "*" + ## Common Bill Ingestion from AWS S3 Object Storage + iamPolicyCommonBillIngestionfromAWSS3ObjectStorageRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyCommonBillIngestionfromAWSS3ObjectStorageRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - 
CommonBillIngestionfromAWSS3ObjectStorageReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - CommonBillIngestionfromAWSS3ObjectStorage + - read + Resource: "*" + + # End for each policy template + + # End IAM Permission Policy Resources + +Outputs: + iamRoleArn: + Description: The ARN of the IAM Role that was created + Value: !GetAtt + - iamRole + - Arn diff --git a/tools/cloudformation-template/rolling/FlexeraAutomationPoliciesReadOnly.template b/tools/cloudformation-template/rolling/FlexeraAutomationPoliciesReadOnly.template new file mode 100644 index 0000000000..3fe32b5d7a --- /dev/null +++ b/tools/cloudformation-template/rolling/FlexeraAutomationPoliciesReadOnly.template 
@@ -0,0 +1,4058 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: "CloudFormation Stack with IAM Role and IAM Permission Policy used by Flexera Automation. Official Docs: https://docs.flexera.com/" +# Generated by Flexera automation on 2024-12-12T16:59:05Z +# For more details, see: https://github.com/flexera-public/policy_templates/blob/master/tools/cloudformation-template/README.md + +Metadata: + # AWS::CloudFormation::Interface is a metadata key that defines how parameters are grouped and sorted in the AWS CloudFormation console. + # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudformation-interface.html + AWS::CloudFormation::Interface: + # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudformation-interface-parametergroup.html + ParameterGroups: + # ParameterGroup with paramFlexeraOrgId should be first. + # paramFlexeraOrgId only param that is actually required (if Org is on app.flexera.com) + - Label: + default: "Parameters related to your Organization on the Flexera Platform" + Parameters: + - paramFlexeraOrgId + - paramFlexeraZone + - Label: + default: "Parameters related to the IAM Role that is created" + Parameters: + - paramRoleName + - paramRolePath + - Label: + default: "Parameters related to Policy Template permissions on the IAM Role that is created" + Parameters: + ## All AWS Policy Templates + - paramPermsAllAWSPolicyTemplates + ## AWS Account Credentials + - paramPermsAWSAccountCredentials + ## AWS Accounts Missing Service Control Policies + - paramPermsAWSAccountsMissingServiceControlPolicies + ## AWS Burstable EC2 Instances + - paramPermsAWSBurstableEC2Instances + ## AWS CloudTrail Not Enabled In All Regions + - paramPermsAWSCloudTrailNotEnabledInAllRegions + ## AWS CloudTrail S3 Buckets Without Access Logging + - paramPermsAWSCloudTrailS3BucketsWithoutAccessLogging + ## AWS CloudTrails Not Integrated With CloudWatch + - paramPermsAWSCloudTrailsNotIntegratedWithCloudWatch + 
## AWS CloudTrails With Read Logging Enabled + - paramPermsAWSCloudTrailsWithReadLoggingEnabled + ## AWS CloudTrails Without Encrypted Logs + - paramPermsAWSCloudTrailsWithoutEncryptedLogs + ## AWS CloudTrails Without Log File Validation Enabled + - paramPermsAWSCloudTrailsWithoutLogFileValidationEnabled + ## AWS CloudTrails Without Object-level Events Logging Enabled + - paramPermsAWSCloudTrailsWithoutObjectlevelEventsLoggingEnabled + ## AWS Customer Managed Keys (CMKs) Without Rotation Enabled + - paramPermsAWSCustomerManagedKeysCMKsWithoutRotationEnabled + ## AWS Disallowed Regions + - paramPermsAWSDisallowedRegions + ## AWS EC2 Compute Optimizer Recommendations + - paramPermsAWSEC2ComputeOptimizerRecommendations + ## AWS EC2 Instances Time Stopped Report + - paramPermsAWSEC2InstancesTimeStoppedReport + ## AWS EC2 Instances not running FlexNet Inventory Agent + - paramPermsAWSEC2InstancesnotrunningFlexNetInventoryAgent + ## AWS EKS Clusters Without Spot Instances + - paramPermsAWSEKSClustersWithoutSpotInstances + ## AWS Elastic Load Balancers With Unencrypted Listeners + - paramPermsAWSElasticLoadBalancersWithUnencryptedListeners + ## AWS Expiring Savings Plans + - paramPermsAWSExpiringSavingsPlans + ## AWS IAM Account Missing Support Role + - paramPermsAWSIAMAccountMissingSupportRole + ## AWS IAM Attached Admin Policies + - paramPermsAWSIAMAttachedAdminPolicies + ## AWS IAM Expired SSL/TLS Certificates + - paramPermsAWSIAMExpiredSSLTLSCertificates + ## AWS IAM Insufficient Required Password Length + - paramPermsAWSIAMInsufficientRequiredPasswordLength + ## AWS IAM Password Policy Not Restricting Password Reuse + - paramPermsAWSIAMPasswordPolicyNotRestrictingPasswordReuse + ## AWS IAM Role Audit + - paramPermsAWSIAMRoleAudit + ## AWS IAM Root Account Access Keys + - paramPermsAWSIAMRootAccountAccessKeys + ## AWS IAM Root User Account Without Hardware MFA + - paramPermsAWSIAMRootUserAccountWithoutHardwareMFA + ## AWS IAM Root User Account Without MFA + - 
paramPermsAWSIAMRootUserAccountWithoutMFA + ## AWS IAM Root User Doing Everyday Tasks + - paramPermsAWSIAMRootUserDoingEverydayTasks + ## AWS IAM User Accounts Without MFA + - paramPermsAWSIAMUserAccountsWithoutMFA + ## AWS IAM Users With Directly-Attached Policies + - paramPermsAWSIAMUsersWithDirectlyAttachedPolicies + ## AWS IAM Users With Multiple Active Access Keys + - paramPermsAWSIAMUsersWithMultipleActiveAccessKeys + ## AWS IAM Users With Old Access Keys + - paramPermsAWSIAMUsersWithOldAccessKeys + ## AWS Idle NAT Gateways + - paramPermsAWSIdleNATGateways + ## AWS Internet-Accessible Elastic Load Balancers + - paramPermsAWSInternetAccessibleElasticLoadBalancers + ## AWS Lambda Functions With High Error Rate + - paramPermsAWSLambdaFunctionsWithHighErrorRate + ## AWS Lambda Functions Without Provisioned Concurrency + - paramPermsAWSLambdaFunctionsWithoutProvisionedConcurrency + ## AWS Long Running Instances + - paramPermsAWSLongRunningInstances + ## AWS Long Stopped EC2 Instances + - paramPermsAWSLongStoppedEC2Instances + ## AWS Missing Regions + - paramPermsAWSMissingRegions + ## AWS Old Snapshots + - paramPermsAWSOldSnapshots + ## AWS Open S3 Buckets + - paramPermsAWSOpenS3Buckets + ## AWS Oversized S3 Buckets + - paramPermsAWSOversizedS3Buckets + ## AWS Publicly Accessible CloudTrail S3 Buckets + - paramPermsAWSPubliclyAccessibleCloudTrailS3Buckets + ## AWS Publicly Accessible RDS Instances + - paramPermsAWSPubliclyAccessibleRDSInstances + ## AWS RDS Instances With Unapproved Backup Settings + - paramPermsAWSRDSInstancesWithUnapprovedBackupSettings + ## AWS Regions Without Access Analyzer Enabled + - paramPermsAWSRegionsWithoutAccessAnalyzerEnabled + ## AWS Regions Without Config Fully Enabled + - paramPermsAWSRegionsWithoutConfigFullyEnabled + ## AWS Regions Without Default EBS Encryption + - paramPermsAWSRegionsWithoutDefaultEBSEncryption + ## AWS Reserved Instances Coverage + - paramPermsAWSReservedInstancesCoverage + ## AWS Reserved Instances 
Recommendations + - paramPermsAWSReservedInstancesRecommendations + ## AWS Rightsize EBS Volumes + - paramPermsAWSRightsizeEBSVolumes + ## AWS Rightsize EC2 Instances + - paramPermsAWSRightsizeEC2Instances + ## AWS Rightsize ElastiCache + - paramPermsAWSRightsizeElastiCache + ## AWS Rightsize RDS Instances + - paramPermsAWSRightsizeRDSInstances + ## AWS Rightsize Redshift + - paramPermsAWSRightsizeRedshift + ## AWS S3 Buckets Accepting HTTP Requests + - paramPermsAWSS3BucketsAcceptingHTTPRequests + ## AWS S3 Buckets Without Default Encryption Configuration + - paramPermsAWSS3BucketsWithoutDefaultEncryptionConfiguration + ## AWS S3 Buckets Without Intelligent Tiering + - paramPermsAWSS3BucketsWithoutIntelligentTiering + ## AWS S3 Buckets Without Lifecycle Configuration + - paramPermsAWSS3BucketsWithoutLifecycleConfiguration + ## AWS S3 Buckets Without MFA Delete Enabled + - paramPermsAWSS3BucketsWithoutMFADeleteEnabled + ## AWS S3 Buckets Without Public Access Blocked + - paramPermsAWSS3BucketsWithoutPublicAccessBlocked + ## AWS S3 Buckets Without Server Access Logging + - paramPermsAWSS3BucketsWithoutServerAccessLogging + ## AWS S3 Incomplete Multi-Part Uploads + - paramPermsAWSS3IncompleteMultiPartUploads + ## AWS Savings Plan Recommendations + - paramPermsAWSSavingsPlanRecommendations + ## AWS Savings Plan Utilization + - paramPermsAWSSavingsPlanUtilization + ## AWS Schedule Instance + - paramPermsAWSScheduleInstance + ## AWS Scheduled EC2 Events + - paramPermsAWSScheduledEC2Events + ## AWS Superseded EBS Volumes + - paramPermsAWSSupersededEBSVolumes + ## AWS Superseded EC2 Instances + - paramPermsAWSSupersededEC2Instances + ## AWS Superseded EC2 Instances + - paramPermsAWSSupersededEC2Instances + ## AWS Tag Cardinality Report + - paramPermsAWSTagCardinalityReport + ## AWS Unencrypted EBS Volumes + - paramPermsAWSUnencryptedEBSVolumes + ## AWS Unencrypted RDS Instances + - paramPermsAWSUnencryptedRDSInstances + ## AWS Untagged Resources + - 
paramPermsAWSUntaggedResources + ## AWS Unused Application Load Balancers + - paramPermsAWSUnusedApplicationLoadBalancers + ## AWS Unused Classic Load Balancers + - paramPermsAWSUnusedClassicLoadBalancers + ## AWS Unused ECS Clusters + - paramPermsAWSUnusedECSClusters + ## AWS Unused IAM Credentials + - paramPermsAWSUnusedIAMCredentials + ## AWS Unused IP Addresses + - paramPermsAWSUnusedIPAddresses + ## AWS Unused Network Load Balancers + - paramPermsAWSUnusedNetworkLoadBalancers + ## AWS VPCs Without FlowLogs Enabled + - paramPermsAWSVPCsWithoutFlowLogsEnabled + ## Common Bill Ingestion from AWS S3 Object Storage + - paramPermsCommonBillIngestionfromAWSS3ObjectStorage + + # End for each policy template + - paramPermsAttachExistingPolicies + # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudformation-interface-parameterlabel.html + ParameterLabels: + paramRoleName: + # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudformation-interface-label.html + # The default label that the CloudFormation console uses to name a parameter group or parameter. 
+ default: "IAM Role Name" + paramRolePath: + default: "IAM Role Path" + paramFlexeraOrgId: + default: "Flexera Organization ID" + paramFlexeraZone: + default: "Flexera Zone" + ## All AWS Policy Templates + paramPermsAllAWSPolicyTemplates: + default: "Permissions for all AWS Policy Templates" + ## AWS Account Credentials + paramPermsAWSAccountCredentials: + default: "Permissions for Policy Template: AWS Account Credentials" + ## AWS Accounts Missing Service Control Policies + paramPermsAWSAccountsMissingServiceControlPolicies: + default: "Permissions for Policy Template: AWS Accounts Missing Service Control Policies" + ## AWS Burstable EC2 Instances + paramPermsAWSBurstableEC2Instances: + default: "Permissions for Policy Template: AWS Burstable EC2 Instances" + ## AWS CloudTrail Not Enabled In All Regions + paramPermsAWSCloudTrailNotEnabledInAllRegions: + default: "Permissions for Policy Template: AWS CloudTrail Not Enabled In All Regions" + ## AWS CloudTrail S3 Buckets Without Access Logging + paramPermsAWSCloudTrailS3BucketsWithoutAccessLogging: + default: "Permissions for Policy Template: AWS CloudTrail S3 Buckets Without Access Logging" + ## AWS CloudTrails Not Integrated With CloudWatch + paramPermsAWSCloudTrailsNotIntegratedWithCloudWatch: + default: "Permissions for Policy Template: AWS CloudTrails Not Integrated With CloudWatch" + ## AWS CloudTrails With Read Logging Enabled + paramPermsAWSCloudTrailsWithReadLoggingEnabled: + default: "Permissions for Policy Template: AWS CloudTrails With Read Logging Enabled" + ## AWS CloudTrails Without Encrypted Logs + paramPermsAWSCloudTrailsWithoutEncryptedLogs: + default: "Permissions for Policy Template: AWS CloudTrails Without Encrypted Logs" + ## AWS CloudTrails Without Log File Validation Enabled + paramPermsAWSCloudTrailsWithoutLogFileValidationEnabled: + default: "Permissions for Policy Template: AWS CloudTrails Without Log File Validation Enabled" + ## AWS CloudTrails Without Object-level Events Logging Enabled 
+ paramPermsAWSCloudTrailsWithoutObjectlevelEventsLoggingEnabled: + default: "Permissions for Policy Template: AWS CloudTrails Without Object-level Events Logging Enabled" + ## AWS Customer Managed Keys (CMKs) Without Rotation Enabled + paramPermsAWSCustomerManagedKeysCMKsWithoutRotationEnabled: + default: "Permissions for Policy Template: AWS Customer Managed Keys (CMKs) Without Rotation Enabled" + ## AWS Disallowed Regions + paramPermsAWSDisallowedRegions: + default: "Permissions for Policy Template: AWS Disallowed Regions" + ## AWS EC2 Compute Optimizer Recommendations + paramPermsAWSEC2ComputeOptimizerRecommendations: + default: "Permissions for Policy Template: AWS EC2 Compute Optimizer Recommendations" + ## AWS EC2 Instances Time Stopped Report + paramPermsAWSEC2InstancesTimeStoppedReport: + default: "Permissions for Policy Template: AWS EC2 Instances Time Stopped Report" + ## AWS EC2 Instances not running FlexNet Inventory Agent + paramPermsAWSEC2InstancesnotrunningFlexNetInventoryAgent: + default: "Permissions for Policy Template: AWS EC2 Instances not running FlexNet Inventory Agent" + ## AWS EKS Clusters Without Spot Instances + paramPermsAWSEKSClustersWithoutSpotInstances: + default: "Permissions for Policy Template: AWS EKS Clusters Without Spot Instances" + ## AWS Elastic Load Balancers With Unencrypted Listeners + paramPermsAWSElasticLoadBalancersWithUnencryptedListeners: + default: "Permissions for Policy Template: AWS Elastic Load Balancers With Unencrypted Listeners" + ## AWS Expiring Savings Plans + paramPermsAWSExpiringSavingsPlans: + default: "Permissions for Policy Template: AWS Expiring Savings Plans" + ## AWS IAM Account Missing Support Role + paramPermsAWSIAMAccountMissingSupportRole: + default: "Permissions for Policy Template: AWS IAM Account Missing Support Role" + ## AWS IAM Attached Admin Policies + paramPermsAWSIAMAttachedAdminPolicies: + default: "Permissions for Policy Template: AWS IAM Attached Admin Policies" + ## AWS IAM Expired 
SSL/TLS Certificates + paramPermsAWSIAMExpiredSSLTLSCertificates: + default: "Permissions for Policy Template: AWS IAM Expired SSL/TLS Certificates" + ## AWS IAM Insufficient Required Password Length + paramPermsAWSIAMInsufficientRequiredPasswordLength: + default: "Permissions for Policy Template: AWS IAM Insufficient Required Password Length" + ## AWS IAM Password Policy Not Restricting Password Reuse + paramPermsAWSIAMPasswordPolicyNotRestrictingPasswordReuse: + default: "Permissions for Policy Template: AWS IAM Password Policy Not Restricting Password Reuse" + ## AWS IAM Role Audit + paramPermsAWSIAMRoleAudit: + default: "Permissions for Policy Template: AWS IAM Role Audit" + ## AWS IAM Root Account Access Keys + paramPermsAWSIAMRootAccountAccessKeys: + default: "Permissions for Policy Template: AWS IAM Root Account Access Keys" + ## AWS IAM Root User Account Without Hardware MFA + paramPermsAWSIAMRootUserAccountWithoutHardwareMFA: + default: "Permissions for Policy Template: AWS IAM Root User Account Without Hardware MFA" + ## AWS IAM Root User Account Without MFA + paramPermsAWSIAMRootUserAccountWithoutMFA: + default: "Permissions for Policy Template: AWS IAM Root User Account Without MFA" + ## AWS IAM Root User Doing Everyday Tasks + paramPermsAWSIAMRootUserDoingEverydayTasks: + default: "Permissions for Policy Template: AWS IAM Root User Doing Everyday Tasks" + ## AWS IAM User Accounts Without MFA + paramPermsAWSIAMUserAccountsWithoutMFA: + default: "Permissions for Policy Template: AWS IAM User Accounts Without MFA" + ## AWS IAM Users With Directly-Attached Policies + paramPermsAWSIAMUsersWithDirectlyAttachedPolicies: + default: "Permissions for Policy Template: AWS IAM Users With Directly-Attached Policies" + ## AWS IAM Users With Multiple Active Access Keys + paramPermsAWSIAMUsersWithMultipleActiveAccessKeys: + default: "Permissions for Policy Template: AWS IAM Users With Multiple Active Access Keys" + ## AWS IAM Users With Old Access Keys + 
paramPermsAWSIAMUsersWithOldAccessKeys: + default: "Permissions for Policy Template: AWS IAM Users With Old Access Keys" + ## AWS Idle NAT Gateways + paramPermsAWSIdleNATGateways: + default: "Permissions for Policy Template: AWS Idle NAT Gateways" + ## AWS Internet-Accessible Elastic Load Balancers + paramPermsAWSInternetAccessibleElasticLoadBalancers: + default: "Permissions for Policy Template: AWS Internet-Accessible Elastic Load Balancers" + ## AWS Lambda Functions With High Error Rate + paramPermsAWSLambdaFunctionsWithHighErrorRate: + default: "Permissions for Policy Template: AWS Lambda Functions With High Error Rate" + ## AWS Lambda Functions Without Provisioned Concurrency + paramPermsAWSLambdaFunctionsWithoutProvisionedConcurrency: + default: "Permissions for Policy Template: AWS Lambda Functions Without Provisioned Concurrency" + ## AWS Long Running Instances + paramPermsAWSLongRunningInstances: + default: "Permissions for Policy Template: AWS Long Running Instances" + ## AWS Long Stopped EC2 Instances + paramPermsAWSLongStoppedEC2Instances: + default: "Permissions for Policy Template: AWS Long Stopped EC2 Instances" + ## AWS Missing Regions + paramPermsAWSMissingRegions: + default: "Permissions for Policy Template: AWS Missing Regions" + ## AWS Old Snapshots + paramPermsAWSOldSnapshots: + default: "Permissions for Policy Template: AWS Old Snapshots" + ## AWS Open S3 Buckets + paramPermsAWSOpenS3Buckets: + default: "Permissions for Policy Template: AWS Open S3 Buckets" + ## AWS Oversized S3 Buckets + paramPermsAWSOversizedS3Buckets: + default: "Permissions for Policy Template: AWS Oversized S3 Buckets" + ## AWS Publicly Accessible CloudTrail S3 Buckets + paramPermsAWSPubliclyAccessibleCloudTrailS3Buckets: + default: "Permissions for Policy Template: AWS Publicly Accessible CloudTrail S3 Buckets" + ## AWS Publicly Accessible RDS Instances + paramPermsAWSPubliclyAccessibleRDSInstances: + default: "Permissions for Policy Template: AWS Publicly Accessible RDS 
Instances" + ## AWS RDS Instances With Unapproved Backup Settings + paramPermsAWSRDSInstancesWithUnapprovedBackupSettings: + default: "Permissions for Policy Template: AWS RDS Instances With Unapproved Backup Settings" + ## AWS Regions Without Access Analyzer Enabled + paramPermsAWSRegionsWithoutAccessAnalyzerEnabled: + default: "Permissions for Policy Template: AWS Regions Without Access Analyzer Enabled" + ## AWS Regions Without Config Fully Enabled + paramPermsAWSRegionsWithoutConfigFullyEnabled: + default: "Permissions for Policy Template: AWS Regions Without Config Fully Enabled" + ## AWS Regions Without Default EBS Encryption + paramPermsAWSRegionsWithoutDefaultEBSEncryption: + default: "Permissions for Policy Template: AWS Regions Without Default EBS Encryption" + ## AWS Reserved Instances Coverage + paramPermsAWSReservedInstancesCoverage: + default: "Permissions for Policy Template: AWS Reserved Instances Coverage" + ## AWS Reserved Instances Recommendations + paramPermsAWSReservedInstancesRecommendations: + default: "Permissions for Policy Template: AWS Reserved Instances Recommendations" + ## AWS Rightsize EBS Volumes + paramPermsAWSRightsizeEBSVolumes: + default: "Permissions for Policy Template: AWS Rightsize EBS Volumes" + ## AWS Rightsize EC2 Instances + paramPermsAWSRightsizeEC2Instances: + default: "Permissions for Policy Template: AWS Rightsize EC2 Instances" + ## AWS Rightsize ElastiCache + paramPermsAWSRightsizeElastiCache: + default: "Permissions for Policy Template: AWS Rightsize ElastiCache" + ## AWS Rightsize RDS Instances + paramPermsAWSRightsizeRDSInstances: + default: "Permissions for Policy Template: AWS Rightsize RDS Instances" + ## AWS Rightsize Redshift + paramPermsAWSRightsizeRedshift: + default: "Permissions for Policy Template: AWS Rightsize Redshift" + ## AWS S3 Buckets Accepting HTTP Requests + paramPermsAWSS3BucketsAcceptingHTTPRequests: + default: "Permissions for Policy Template: AWS S3 Buckets Accepting HTTP Requests" + ## AWS 
S3 Buckets Without Default Encryption Configuration + paramPermsAWSS3BucketsWithoutDefaultEncryptionConfiguration: + default: "Permissions for Policy Template: AWS S3 Buckets Without Default Encryption Configuration" + ## AWS S3 Buckets Without Intelligent Tiering + paramPermsAWSS3BucketsWithoutIntelligentTiering: + default: "Permissions for Policy Template: AWS S3 Buckets Without Intelligent Tiering" + ## AWS S3 Buckets Without Lifecycle Configuration + paramPermsAWSS3BucketsWithoutLifecycleConfiguration: + default: "Permissions for Policy Template: AWS S3 Buckets Without Lifecycle Configuration" + ## AWS S3 Buckets Without MFA Delete Enabled + paramPermsAWSS3BucketsWithoutMFADeleteEnabled: + default: "Permissions for Policy Template: AWS S3 Buckets Without MFA Delete Enabled" + ## AWS S3 Buckets Without Public Access Blocked + paramPermsAWSS3BucketsWithoutPublicAccessBlocked: + default: "Permissions for Policy Template: AWS S3 Buckets Without Public Access Blocked" + ## AWS S3 Buckets Without Server Access Logging + paramPermsAWSS3BucketsWithoutServerAccessLogging: + default: "Permissions for Policy Template: AWS S3 Buckets Without Server Access Logging" + ## AWS S3 Incomplete Multi-Part Uploads + paramPermsAWSS3IncompleteMultiPartUploads: + default: "Permissions for Policy Template: AWS S3 Incomplete Multi-Part Uploads" + ## AWS Savings Plan Recommendations + paramPermsAWSSavingsPlanRecommendations: + default: "Permissions for Policy Template: AWS Savings Plan Recommendations" + ## AWS Savings Plan Utilization + paramPermsAWSSavingsPlanUtilization: + default: "Permissions for Policy Template: AWS Savings Plan Utilization" + ## AWS Schedule Instance + paramPermsAWSScheduleInstance: + default: "Permissions for Policy Template: AWS Schedule Instance" + ## AWS Scheduled EC2 Events + paramPermsAWSScheduledEC2Events: + default: "Permissions for Policy Template: AWS Scheduled EC2 Events" + ## AWS Superseded EBS Volumes + paramPermsAWSSupersededEBSVolumes: + default: 
"Permissions for Policy Template: AWS Superseded EBS Volumes" + ## AWS Superseded EC2 Instances + paramPermsAWSSupersededEC2Instances: + default: "Permissions for Policy Template: AWS Superseded EC2 Instances" + ## AWS Superseded EC2 Instances + paramPermsAWSSupersededEC2Instances: + default: "Permissions for Policy Template: AWS Superseded EC2 Instances" + ## AWS Tag Cardinality Report + paramPermsAWSTagCardinalityReport: + default: "Permissions for Policy Template: AWS Tag Cardinality Report" + ## AWS Unencrypted EBS Volumes + paramPermsAWSUnencryptedEBSVolumes: + default: "Permissions for Policy Template: AWS Unencrypted EBS Volumes" + ## AWS Unencrypted RDS Instances + paramPermsAWSUnencryptedRDSInstances: + default: "Permissions for Policy Template: AWS Unencrypted RDS Instances" + ## AWS Untagged Resources + paramPermsAWSUntaggedResources: + default: "Permissions for Policy Template: AWS Untagged Resources" + ## AWS Unused Application Load Balancers + paramPermsAWSUnusedApplicationLoadBalancers: + default: "Permissions for Policy Template: AWS Unused Application Load Balancers" + ## AWS Unused Classic Load Balancers + paramPermsAWSUnusedClassicLoadBalancers: + default: "Permissions for Policy Template: AWS Unused Classic Load Balancers" + ## AWS Unused ECS Clusters + paramPermsAWSUnusedECSClusters: + default: "Permissions for Policy Template: AWS Unused ECS Clusters" + ## AWS Unused IAM Credentials + paramPermsAWSUnusedIAMCredentials: + default: "Permissions for Policy Template: AWS Unused IAM Credentials" + ## AWS Unused IP Addresses + paramPermsAWSUnusedIPAddresses: + default: "Permissions for Policy Template: AWS Unused IP Addresses" + ## AWS Unused Network Load Balancers + paramPermsAWSUnusedNetworkLoadBalancers: + default: "Permissions for Policy Template: AWS Unused Network Load Balancers" + ## AWS VPCs Without FlowLogs Enabled + paramPermsAWSVPCsWithoutFlowLogsEnabled: + default: "Permissions for Policy Template: AWS VPCs Without FlowLogs Enabled" + ## 
Common Bill Ingestion from AWS S3 Object Storage + paramPermsCommonBillIngestionfromAWSS3ObjectStorage: + default: "Permissions for Policy Template: Common Bill Ingestion from AWS S3 Object Storage" + + # End for each policy template + paramPermsAttachExistingPolicies: + default: "Additional IAM Permission Policies for IAM Role" + +Parameters: + # ParameterGroup: Parameters related to your Organization on the Flexera Platform + paramFlexeraOrgId: + Description: >- + The Organization ID in Flexera which trust will be granted to use the IAM Role that will be created + Type: String + AllowedPattern: "[0-9]+" + MinLength: 1 + ConstraintDescription: Organization ID must be provided and match regex [0-9]+ + paramFlexeraZone: + Description: >- + The Flexera Zone which trust will be granted to. The Organization ID should be located in this Flexera Zone. + Type: String + Default: app.flexera.com + AllowedValues: + - app.flexera.com + - app.flexera.eu + - app.flexera.au + - app.flexeratest.com + + # ParameterGroup: Parameters for the IAM Role that is created + paramRoleName: + Description: Name of the the IAM Role that will be created. If you plan to create more than one IAM Role (i.e. one for each Policy Template, or to trust multiple Orgs) you will need to modify this to prevent naming conflict. + Type: String + Default: FlexeraAutomationAccessRole + # IAM Role Name Max Length is 64chars + MaxLength: 64 + paramRolePath: + Description: Path for the IAM Role that will be created. Generally does not need to be modified. + Type: String + Default: / + + # ParameterGroup: Parameters to define Policy Template permissions on the IAM Role that is created + ## All AWS Policy Templates + paramPermsAllAWSPolicyTemplates: + Description: 'What permissions for all AWS Policy Templates should be granted on the AWS Role that will be created? 
Note that the more granular permissions below only need to be enabled if this option is disabled or you want to grant access to take actions only for specific policy templates.' + Type: String + Default: Read Only + AllowedValues: + - None + - Read Only + ## AWS Account Credentials + paramPermsAWSAccountCredentials: + Description: 'What permissions for the "AWS Account Credentials" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Accounts Missing Service Control Policies + paramPermsAWSAccountsMissingServiceControlPolicies: + Description: 'What permissions for the "AWS Accounts Missing Service Control Policies" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Burstable EC2 Instances + paramPermsAWSBurstableEC2Instances: + Description: 'What permissions for the "AWS Burstable EC2 Instances" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS CloudTrail Not Enabled In All Regions + paramPermsAWSCloudTrailNotEnabledInAllRegions: + Description: 'What permissions for the "AWS CloudTrail Not Enabled In All Regions" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS CloudTrail S3 Buckets Without Access Logging + paramPermsAWSCloudTrailS3BucketsWithoutAccessLogging: + Description: 'What permissions for the "AWS CloudTrail S3 Buckets Without Access Logging" Policy Template should be granted on the AWS Role that will be created?' 
+ Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS CloudTrails Not Integrated With CloudWatch + paramPermsAWSCloudTrailsNotIntegratedWithCloudWatch: + Description: 'What permissions for the "AWS CloudTrails Not Integrated With CloudWatch" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS CloudTrails With Read Logging Enabled + paramPermsAWSCloudTrailsWithReadLoggingEnabled: + Description: 'What permissions for the "AWS CloudTrails With Read Logging Enabled" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS CloudTrails Without Encrypted Logs + paramPermsAWSCloudTrailsWithoutEncryptedLogs: + Description: 'What permissions for the "AWS CloudTrails Without Encrypted Logs" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS CloudTrails Without Log File Validation Enabled + paramPermsAWSCloudTrailsWithoutLogFileValidationEnabled: + Description: 'What permissions for the "AWS CloudTrails Without Log File Validation Enabled" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS CloudTrails Without Object-level Events Logging Enabled + paramPermsAWSCloudTrailsWithoutObjectlevelEventsLoggingEnabled: + Description: 'What permissions for the "AWS CloudTrails Without Object-level Events Logging Enabled" Policy Template should be granted on the AWS Role that will be created?' 
+ Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Customer Managed Keys (CMKs) Without Rotation Enabled + paramPermsAWSCustomerManagedKeysCMKsWithoutRotationEnabled: + Description: 'What permissions for the "AWS Customer Managed Keys (CMKs) Without Rotation Enabled" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Disallowed Regions + paramPermsAWSDisallowedRegions: + Description: 'What permissions for the "AWS Disallowed Regions" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS EC2 Compute Optimizer Recommendations + paramPermsAWSEC2ComputeOptimizerRecommendations: + Description: 'What permissions for the "AWS EC2 Compute Optimizer Recommendations" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS EC2 Instances Time Stopped Report + paramPermsAWSEC2InstancesTimeStoppedReport: + Description: 'What permissions for the "AWS EC2 Instances Time Stopped Report" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS EC2 Instances not running FlexNet Inventory Agent + paramPermsAWSEC2InstancesnotrunningFlexNetInventoryAgent: + Description: 'What permissions for the "AWS EC2 Instances not running FlexNet Inventory Agent" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS EKS Clusters Without Spot Instances + paramPermsAWSEKSClustersWithoutSpotInstances: + Description: 'What permissions for the "AWS EKS Clusters Without Spot Instances" Policy Template should be granted on the AWS Role that will be created?' 
+ Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Elastic Load Balancers With Unencrypted Listeners + paramPermsAWSElasticLoadBalancersWithUnencryptedListeners: + Description: 'What permissions for the "AWS Elastic Load Balancers With Unencrypted Listeners" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Expiring Savings Plans + paramPermsAWSExpiringSavingsPlans: + Description: 'What permissions for the "AWS Expiring Savings Plans" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS IAM Account Missing Support Role + paramPermsAWSIAMAccountMissingSupportRole: + Description: 'What permissions for the "AWS IAM Account Missing Support Role" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS IAM Attached Admin Policies + paramPermsAWSIAMAttachedAdminPolicies: + Description: 'What permissions for the "AWS IAM Attached Admin Policies" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS IAM Expired SSL/TLS Certificates + paramPermsAWSIAMExpiredSSLTLSCertificates: + Description: 'What permissions for the "AWS IAM Expired SSL/TLS Certificates" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS IAM Insufficient Required Password Length + paramPermsAWSIAMInsufficientRequiredPasswordLength: + Description: 'What permissions for the "AWS IAM Insufficient Required Password Length" Policy Template should be granted on the AWS Role that will be created?' 
+ Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS IAM Password Policy Not Restricting Password Reuse + paramPermsAWSIAMPasswordPolicyNotRestrictingPasswordReuse: + Description: 'What permissions for the "AWS IAM Password Policy Not Restricting Password Reuse" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS IAM Role Audit + paramPermsAWSIAMRoleAudit: + Description: 'What permissions for the "AWS IAM Role Audit" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS IAM Root Account Access Keys + paramPermsAWSIAMRootAccountAccessKeys: + Description: 'What permissions for the "AWS IAM Root Account Access Keys" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS IAM Root User Account Without Hardware MFA + paramPermsAWSIAMRootUserAccountWithoutHardwareMFA: + Description: 'What permissions for the "AWS IAM Root User Account Without Hardware MFA" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS IAM Root User Account Without MFA + paramPermsAWSIAMRootUserAccountWithoutMFA: + Description: 'What permissions for the "AWS IAM Root User Account Without MFA" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS IAM Root User Doing Everyday Tasks + paramPermsAWSIAMRootUserDoingEverydayTasks: + Description: 'What permissions for the "AWS IAM Root User Doing Everyday Tasks" Policy Template should be granted on the AWS Role that will be created?' 
+ Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS IAM User Accounts Without MFA + paramPermsAWSIAMUserAccountsWithoutMFA: + Description: 'What permissions for the "AWS IAM User Accounts Without MFA" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS IAM Users With Directly-Attached Policies + paramPermsAWSIAMUsersWithDirectlyAttachedPolicies: + Description: 'What permissions for the "AWS IAM Users With Directly-Attached Policies" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS IAM Users With Multiple Active Access Keys + paramPermsAWSIAMUsersWithMultipleActiveAccessKeys: + Description: 'What permissions for the "AWS IAM Users With Multiple Active Access Keys" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS IAM Users With Old Access Keys + paramPermsAWSIAMUsersWithOldAccessKeys: + Description: 'What permissions for the "AWS IAM Users With Old Access Keys" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Idle NAT Gateways + paramPermsAWSIdleNATGateways: + Description: 'What permissions for the "AWS Idle NAT Gateways" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Internet-Accessible Elastic Load Balancers + paramPermsAWSInternetAccessibleElasticLoadBalancers: + Description: 'What permissions for the "AWS Internet-Accessible Elastic Load Balancers" Policy Template should be granted on the AWS Role that will be created?' 
+ Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Lambda Functions With High Error Rate + paramPermsAWSLambdaFunctionsWithHighErrorRate: + Description: 'What permissions for the "AWS Lambda Functions With High Error Rate" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Lambda Functions Without Provisioned Concurrency + paramPermsAWSLambdaFunctionsWithoutProvisionedConcurrency: + Description: 'What permissions for the "AWS Lambda Functions Without Provisioned Concurrency" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Long Running Instances + paramPermsAWSLongRunningInstances: + Description: 'What permissions for the "AWS Long Running Instances" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Long Stopped EC2 Instances + paramPermsAWSLongStoppedEC2Instances: + Description: 'What permissions for the "AWS Long Stopped EC2 Instances" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Missing Regions + paramPermsAWSMissingRegions: + Description: 'What permissions for the "AWS Missing Regions" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Old Snapshots + paramPermsAWSOldSnapshots: + Description: 'What permissions for the "AWS Old Snapshots" Policy Template should be granted on the AWS Role that will be created?' 
+ Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Open S3 Buckets + paramPermsAWSOpenS3Buckets: + Description: 'What permissions for the "AWS Open S3 Buckets" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Oversized S3 Buckets + paramPermsAWSOversizedS3Buckets: + Description: 'What permissions for the "AWS Oversized S3 Buckets" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Publicly Accessible CloudTrail S3 Buckets + paramPermsAWSPubliclyAccessibleCloudTrailS3Buckets: + Description: 'What permissions for the "AWS Publicly Accessible CloudTrail S3 Buckets" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Publicly Accessible RDS Instances + paramPermsAWSPubliclyAccessibleRDSInstances: + Description: 'What permissions for the "AWS Publicly Accessible RDS Instances" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS RDS Instances With Unapproved Backup Settings + paramPermsAWSRDSInstancesWithUnapprovedBackupSettings: + Description: 'What permissions for the "AWS RDS Instances With Unapproved Backup Settings" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Regions Without Access Analyzer Enabled + paramPermsAWSRegionsWithoutAccessAnalyzerEnabled: + Description: 'What permissions for the "AWS Regions Without Access Analyzer Enabled" Policy Template should be granted on the AWS Role that will be created?' 
+ Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Regions Without Config Fully Enabled + paramPermsAWSRegionsWithoutConfigFullyEnabled: + Description: 'What permissions for the "AWS Regions Without Config Fully Enabled" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Regions Without Default EBS Encryption + paramPermsAWSRegionsWithoutDefaultEBSEncryption: + Description: 'What permissions for the "AWS Regions Without Default EBS Encryption" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Reserved Instances Coverage + paramPermsAWSReservedInstancesCoverage: + Description: 'What permissions for the "AWS Reserved Instances Coverage" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Reserved Instances Recommendations + paramPermsAWSReservedInstancesRecommendations: + Description: 'What permissions for the "AWS Reserved Instances Recommendations" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Rightsize EBS Volumes + paramPermsAWSRightsizeEBSVolumes: + Description: 'What permissions for the "AWS Rightsize EBS Volumes" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Rightsize EC2 Instances + paramPermsAWSRightsizeEC2Instances: + Description: 'What permissions for the "AWS Rightsize EC2 Instances" Policy Template should be granted on the AWS Role that will be created?' 
+ Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Rightsize ElastiCache + paramPermsAWSRightsizeElastiCache: + Description: 'What permissions for the "AWS Rightsize ElastiCache" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Rightsize RDS Instances + paramPermsAWSRightsizeRDSInstances: + Description: 'What permissions for the "AWS Rightsize RDS Instances" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Rightsize Redshift + paramPermsAWSRightsizeRedshift: + Description: 'What permissions for the "AWS Rightsize Redshift" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS S3 Buckets Accepting HTTP Requests + paramPermsAWSS3BucketsAcceptingHTTPRequests: + Description: 'What permissions for the "AWS S3 Buckets Accepting HTTP Requests" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS S3 Buckets Without Default Encryption Configuration + paramPermsAWSS3BucketsWithoutDefaultEncryptionConfiguration: + Description: 'What permissions for the "AWS S3 Buckets Without Default Encryption Configuration" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS S3 Buckets Without Intelligent Tiering + paramPermsAWSS3BucketsWithoutIntelligentTiering: + Description: 'What permissions for the "AWS S3 Buckets Without Intelligent Tiering" Policy Template should be granted on the AWS Role that will be created?' 
+ Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS S3 Buckets Without Lifecycle Configuration + paramPermsAWSS3BucketsWithoutLifecycleConfiguration: + Description: 'What permissions for the "AWS S3 Buckets Without Lifecycle Configuration" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS S3 Buckets Without MFA Delete Enabled + paramPermsAWSS3BucketsWithoutMFADeleteEnabled: + Description: 'What permissions for the "AWS S3 Buckets Without MFA Delete Enabled" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS S3 Buckets Without Public Access Blocked + paramPermsAWSS3BucketsWithoutPublicAccessBlocked: + Description: 'What permissions for the "AWS S3 Buckets Without Public Access Blocked" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS S3 Buckets Without Server Access Logging + paramPermsAWSS3BucketsWithoutServerAccessLogging: + Description: 'What permissions for the "AWS S3 Buckets Without Server Access Logging" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS S3 Incomplete Multi-Part Uploads + paramPermsAWSS3IncompleteMultiPartUploads: + Description: 'What permissions for the "AWS S3 Incomplete Multi-Part Uploads" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Savings Plan Recommendations + paramPermsAWSSavingsPlanRecommendations: + Description: 'What permissions for the "AWS Savings Plan Recommendations" Policy Template should be granted on the AWS Role that will be created?' 
+ Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Savings Plan Utilization + paramPermsAWSSavingsPlanUtilization: + Description: 'What permissions for the "AWS Savings Plan Utilization" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Schedule Instance + paramPermsAWSScheduleInstance: + Description: 'What permissions for the "AWS Schedule Instance" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Scheduled EC2 Events + paramPermsAWSScheduledEC2Events: + Description: 'What permissions for the "AWS Scheduled EC2 Events" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Superseded EBS Volumes + paramPermsAWSSupersededEBSVolumes: + Description: 'What permissions for the "AWS Superseded EBS Volumes" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Superseded EC2 Instances + paramPermsAWSSupersededEC2Instances: + Description: 'What permissions for the "AWS Superseded EC2 Instances" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Superseded EC2 Instances + paramPermsAWSSupersededEC2Instances: + Description: 'What permissions for the "AWS Superseded EC2 Instances" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Tag Cardinality Report + paramPermsAWSTagCardinalityReport: + Description: 'What permissions for the "AWS Tag Cardinality Report" Policy Template should be granted on the AWS Role that will be created?' 
+ Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Unencrypted EBS Volumes + paramPermsAWSUnencryptedEBSVolumes: + Description: 'What permissions for the "AWS Unencrypted EBS Volumes" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Unencrypted RDS Instances + paramPermsAWSUnencryptedRDSInstances: + Description: 'What permissions for the "AWS Unencrypted RDS Instances" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Untagged Resources + paramPermsAWSUntaggedResources: + Description: 'What permissions for the "AWS Untagged Resources" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Unused Application Load Balancers + paramPermsAWSUnusedApplicationLoadBalancers: + Description: 'What permissions for the "AWS Unused Application Load Balancers" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Unused Classic Load Balancers + paramPermsAWSUnusedClassicLoadBalancers: + Description: 'What permissions for the "AWS Unused Classic Load Balancers" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Unused ECS Clusters + paramPermsAWSUnusedECSClusters: + Description: 'What permissions for the "AWS Unused ECS Clusters" Policy Template should be granted on the AWS Role that will be created?' 
+ Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Unused IAM Credentials + paramPermsAWSUnusedIAMCredentials: + Description: 'What permissions for the "AWS Unused IAM Credentials" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Unused IP Addresses + paramPermsAWSUnusedIPAddresses: + Description: 'What permissions for the "AWS Unused IP Addresses" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS Unused Network Load Balancers + paramPermsAWSUnusedNetworkLoadBalancers: + Description: 'What permissions for the "AWS Unused Network Load Balancers" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## AWS VPCs Without FlowLogs Enabled + paramPermsAWSVPCsWithoutFlowLogsEnabled: + Description: 'What permissions for the "AWS VPCs Without FlowLogs Enabled" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + ## Common Bill Ingestion from AWS S3 Object Storage + paramPermsCommonBillIngestionfromAWSS3ObjectStorage: + Description: 'What permissions for the "Common Bill Ingestion from AWS S3 Object Storage" Policy Template should be granted on the AWS Role that will be created?' + Type: String + Default: None + AllowedValues: + - None + - Read Only + + # End for each policy template + paramPermsAttachExistingPolicies: + Description: 'Existing IAM Permission Policies to attach to the IAM Role that will be created. Optional, comma separated list of IAM Policy ARNs -- i.e. 
arn:aws:iam::aws:policy/ReadOnlyAccess' + Type: String + # AWS Managed Policy ARN: arn:aws:iam::aws:policy/ReadOnlyAccess + # Customer Managed Policy ARN: arn:aws:iam::123456789012:policy/CustomPolicy + AllowedPattern: '^((arn:aws:iam::(\d{12}|aws)?:policy\/[\w+=,.@-]{1,128})(,)?)*$' + ConstraintDescription: 'Malformed IAM Policy ARN. Must match pattern ^((arn:aws:iam::(\d{12}|aws)?:policy\/[\w+=,.@-]{1,128})(,)?)*$' + +Conditions: + ## All AWS Policy Templates + CreatePolicyAllAWSPolicyTemplatesRead: !Not + - !Equals + - !Ref paramPermsAllAWSPolicyTemplates + - None + ## AWS Account Credentials + CreatePolicyAWSAccountCredentialsRead: !Not + - !Equals + - !Ref paramPermsAWSAccountCredentials + - None + ## AWS Accounts Missing Service Control Policies + CreatePolicyAWSAccountsMissingServiceControlPoliciesRead: !Not + - !Equals + - !Ref paramPermsAWSAccountsMissingServiceControlPolicies + - None + ## AWS Burstable EC2 Instances + CreatePolicyAWSBurstableEC2InstancesRead: !Not + - !Equals + - !Ref paramPermsAWSBurstableEC2Instances + - None + ## AWS CloudTrail Not Enabled In All Regions + CreatePolicyAWSCloudTrailNotEnabledInAllRegionsRead: !Not + - !Equals + - !Ref paramPermsAWSCloudTrailNotEnabledInAllRegions + - None + ## AWS CloudTrail S3 Buckets Without Access Logging + CreatePolicyAWSCloudTrailS3BucketsWithoutAccessLoggingRead: !Not + - !Equals + - !Ref paramPermsAWSCloudTrailS3BucketsWithoutAccessLogging + - None + ## AWS CloudTrails Not Integrated With CloudWatch + CreatePolicyAWSCloudTrailsNotIntegratedWithCloudWatchRead: !Not + - !Equals + - !Ref paramPermsAWSCloudTrailsNotIntegratedWithCloudWatch + - None + ## AWS CloudTrails With Read Logging Enabled + CreatePolicyAWSCloudTrailsWithReadLoggingEnabledRead: !Not + - !Equals + - !Ref paramPermsAWSCloudTrailsWithReadLoggingEnabled + - None + ## AWS CloudTrails Without Encrypted Logs + CreatePolicyAWSCloudTrailsWithoutEncryptedLogsRead: !Not + - !Equals + - !Ref paramPermsAWSCloudTrailsWithoutEncryptedLogs + - 
None + ## AWS CloudTrails Without Log File Validation Enabled + CreatePolicyAWSCloudTrailsWithoutLogFileValidationEnabledRead: !Not + - !Equals + - !Ref paramPermsAWSCloudTrailsWithoutLogFileValidationEnabled + - None + ## AWS CloudTrails Without Object-level Events Logging Enabled + CreatePolicyAWSCloudTrailsWithoutObjectlevelEventsLoggingEnabledRead: !Not + - !Equals + - !Ref paramPermsAWSCloudTrailsWithoutObjectlevelEventsLoggingEnabled + - None + ## AWS Customer Managed Keys (CMKs) Without Rotation Enabled + CreatePolicyAWSCustomerManagedKeysCMKsWithoutRotationEnabledRead: !Not + - !Equals + - !Ref paramPermsAWSCustomerManagedKeysCMKsWithoutRotationEnabled + - None + ## AWS Disallowed Regions + CreatePolicyAWSDisallowedRegionsRead: !Not + - !Equals + - !Ref paramPermsAWSDisallowedRegions + - None + ## AWS EC2 Compute Optimizer Recommendations + CreatePolicyAWSEC2ComputeOptimizerRecommendationsRead: !Not + - !Equals + - !Ref paramPermsAWSEC2ComputeOptimizerRecommendations + - None + ## AWS EC2 Instances Time Stopped Report + CreatePolicyAWSEC2InstancesTimeStoppedReportRead: !Not + - !Equals + - !Ref paramPermsAWSEC2InstancesTimeStoppedReport + - None + ## AWS EC2 Instances not running FlexNet Inventory Agent + CreatePolicyAWSEC2InstancesnotrunningFlexNetInventoryAgentRead: !Not + - !Equals + - !Ref paramPermsAWSEC2InstancesnotrunningFlexNetInventoryAgent + - None + ## AWS EKS Clusters Without Spot Instances + CreatePolicyAWSEKSClustersWithoutSpotInstancesRead: !Not + - !Equals + - !Ref paramPermsAWSEKSClustersWithoutSpotInstances + - None + ## AWS Elastic Load Balancers With Unencrypted Listeners + CreatePolicyAWSElasticLoadBalancersWithUnencryptedListenersRead: !Not + - !Equals + - !Ref paramPermsAWSElasticLoadBalancersWithUnencryptedListeners + - None + ## AWS Expiring Savings Plans + CreatePolicyAWSExpiringSavingsPlansRead: !Not + - !Equals + - !Ref paramPermsAWSExpiringSavingsPlans + - None + ## AWS IAM Account Missing Support Role + 
CreatePolicyAWSIAMAccountMissingSupportRoleRead: !Not + - !Equals + - !Ref paramPermsAWSIAMAccountMissingSupportRole + - None + ## AWS IAM Attached Admin Policies + CreatePolicyAWSIAMAttachedAdminPoliciesRead: !Not + - !Equals + - !Ref paramPermsAWSIAMAttachedAdminPolicies + - None + ## AWS IAM Expired SSL/TLS Certificates + CreatePolicyAWSIAMExpiredSSLTLSCertificatesRead: !Not + - !Equals + - !Ref paramPermsAWSIAMExpiredSSLTLSCertificates + - None + ## AWS IAM Insufficient Required Password Length + CreatePolicyAWSIAMInsufficientRequiredPasswordLengthRead: !Not + - !Equals + - !Ref paramPermsAWSIAMInsufficientRequiredPasswordLength + - None + ## AWS IAM Password Policy Not Restricting Password Reuse + CreatePolicyAWSIAMPasswordPolicyNotRestrictingPasswordReuseRead: !Not + - !Equals + - !Ref paramPermsAWSIAMPasswordPolicyNotRestrictingPasswordReuse + - None + ## AWS IAM Role Audit + CreatePolicyAWSIAMRoleAuditRead: !Not + - !Equals + - !Ref paramPermsAWSIAMRoleAudit + - None + ## AWS IAM Root Account Access Keys + CreatePolicyAWSIAMRootAccountAccessKeysRead: !Not + - !Equals + - !Ref paramPermsAWSIAMRootAccountAccessKeys + - None + ## AWS IAM Root User Account Without Hardware MFA + CreatePolicyAWSIAMRootUserAccountWithoutHardwareMFARead: !Not + - !Equals + - !Ref paramPermsAWSIAMRootUserAccountWithoutHardwareMFA + - None + ## AWS IAM Root User Account Without MFA + CreatePolicyAWSIAMRootUserAccountWithoutMFARead: !Not + - !Equals + - !Ref paramPermsAWSIAMRootUserAccountWithoutMFA + - None + ## AWS IAM Root User Doing Everyday Tasks + CreatePolicyAWSIAMRootUserDoingEverydayTasksRead: !Not + - !Equals + - !Ref paramPermsAWSIAMRootUserDoingEverydayTasks + - None + ## AWS IAM User Accounts Without MFA + CreatePolicyAWSIAMUserAccountsWithoutMFARead: !Not + - !Equals + - !Ref paramPermsAWSIAMUserAccountsWithoutMFA + - None + ## AWS IAM Users With Directly-Attached Policies + CreatePolicyAWSIAMUsersWithDirectlyAttachedPoliciesRead: !Not + - !Equals + - !Ref 
paramPermsAWSIAMUsersWithDirectlyAttachedPolicies + - None + ## AWS IAM Users With Multiple Active Access Keys + CreatePolicyAWSIAMUsersWithMultipleActiveAccessKeysRead: !Not + - !Equals + - !Ref paramPermsAWSIAMUsersWithMultipleActiveAccessKeys + - None + ## AWS IAM Users With Old Access Keys + CreatePolicyAWSIAMUsersWithOldAccessKeysRead: !Not + - !Equals + - !Ref paramPermsAWSIAMUsersWithOldAccessKeys + - None + ## AWS Idle NAT Gateways + CreatePolicyAWSIdleNATGatewaysRead: !Not + - !Equals + - !Ref paramPermsAWSIdleNATGateways + - None + ## AWS Internet-Accessible Elastic Load Balancers + CreatePolicyAWSInternetAccessibleElasticLoadBalancersRead: !Not + - !Equals + - !Ref paramPermsAWSInternetAccessibleElasticLoadBalancers + - None + ## AWS Lambda Functions With High Error Rate + CreatePolicyAWSLambdaFunctionsWithHighErrorRateRead: !Not + - !Equals + - !Ref paramPermsAWSLambdaFunctionsWithHighErrorRate + - None + ## AWS Lambda Functions Without Provisioned Concurrency + CreatePolicyAWSLambdaFunctionsWithoutProvisionedConcurrencyRead: !Not + - !Equals + - !Ref paramPermsAWSLambdaFunctionsWithoutProvisionedConcurrency + - None + ## AWS Long Running Instances + CreatePolicyAWSLongRunningInstancesRead: !Not + - !Equals + - !Ref paramPermsAWSLongRunningInstances + - None + ## AWS Long Stopped EC2 Instances + CreatePolicyAWSLongStoppedEC2InstancesRead: !Not + - !Equals + - !Ref paramPermsAWSLongStoppedEC2Instances + - None + ## AWS Missing Regions + CreatePolicyAWSMissingRegionsRead: !Not + - !Equals + - !Ref paramPermsAWSMissingRegions + - None + ## AWS Old Snapshots + CreatePolicyAWSOldSnapshotsRead: !Not + - !Equals + - !Ref paramPermsAWSOldSnapshots + - None + ## AWS Open S3 Buckets + CreatePolicyAWSOpenS3BucketsRead: !Not + - !Equals + - !Ref paramPermsAWSOpenS3Buckets + - None + ## AWS Oversized S3 Buckets + CreatePolicyAWSOversizedS3BucketsRead: !Not + - !Equals + - !Ref paramPermsAWSOversizedS3Buckets + - None + ## AWS Publicly Accessible CloudTrail S3 
Buckets + CreatePolicyAWSPubliclyAccessibleCloudTrailS3BucketsRead: !Not + - !Equals + - !Ref paramPermsAWSPubliclyAccessibleCloudTrailS3Buckets + - None + ## AWS Publicly Accessible RDS Instances + CreatePolicyAWSPubliclyAccessibleRDSInstancesRead: !Not + - !Equals + - !Ref paramPermsAWSPubliclyAccessibleRDSInstances + - None + ## AWS RDS Instances With Unapproved Backup Settings + CreatePolicyAWSRDSInstancesWithUnapprovedBackupSettingsRead: !Not + - !Equals + - !Ref paramPermsAWSRDSInstancesWithUnapprovedBackupSettings + - None + ## AWS Regions Without Access Analyzer Enabled + CreatePolicyAWSRegionsWithoutAccessAnalyzerEnabledRead: !Not + - !Equals + - !Ref paramPermsAWSRegionsWithoutAccessAnalyzerEnabled + - None + ## AWS Regions Without Config Fully Enabled + CreatePolicyAWSRegionsWithoutConfigFullyEnabledRead: !Not + - !Equals + - !Ref paramPermsAWSRegionsWithoutConfigFullyEnabled + - None + ## AWS Regions Without Default EBS Encryption + CreatePolicyAWSRegionsWithoutDefaultEBSEncryptionRead: !Not + - !Equals + - !Ref paramPermsAWSRegionsWithoutDefaultEBSEncryption + - None + ## AWS Reserved Instances Coverage + CreatePolicyAWSReservedInstancesCoverageRead: !Not + - !Equals + - !Ref paramPermsAWSReservedInstancesCoverage + - None + ## AWS Reserved Instances Recommendations + CreatePolicyAWSReservedInstancesRecommendationsRead: !Not + - !Equals + - !Ref paramPermsAWSReservedInstancesRecommendations + - None + ## AWS Rightsize EBS Volumes + CreatePolicyAWSRightsizeEBSVolumesRead: !Not + - !Equals + - !Ref paramPermsAWSRightsizeEBSVolumes + - None + ## AWS Rightsize EC2 Instances + CreatePolicyAWSRightsizeEC2InstancesRead: !Not + - !Equals + - !Ref paramPermsAWSRightsizeEC2Instances + - None + ## AWS Rightsize ElastiCache + CreatePolicyAWSRightsizeElastiCacheRead: !Not + - !Equals + - !Ref paramPermsAWSRightsizeElastiCache + - None + ## AWS Rightsize RDS Instances + CreatePolicyAWSRightsizeRDSInstancesRead: !Not + - !Equals + - !Ref 
paramPermsAWSRightsizeRDSInstances + - None + ## AWS Rightsize Redshift + CreatePolicyAWSRightsizeRedshiftRead: !Not + - !Equals + - !Ref paramPermsAWSRightsizeRedshift + - None + ## AWS S3 Buckets Accepting HTTP Requests + CreatePolicyAWSS3BucketsAcceptingHTTPRequestsRead: !Not + - !Equals + - !Ref paramPermsAWSS3BucketsAcceptingHTTPRequests + - None + ## AWS S3 Buckets Without Default Encryption Configuration + CreatePolicyAWSS3BucketsWithoutDefaultEncryptionConfigurationRead: !Not + - !Equals + - !Ref paramPermsAWSS3BucketsWithoutDefaultEncryptionConfiguration + - None + ## AWS S3 Buckets Without Intelligent Tiering + CreatePolicyAWSS3BucketsWithoutIntelligentTieringRead: !Not + - !Equals + - !Ref paramPermsAWSS3BucketsWithoutIntelligentTiering + - None + ## AWS S3 Buckets Without Lifecycle Configuration + CreatePolicyAWSS3BucketsWithoutLifecycleConfigurationRead: !Not + - !Equals + - !Ref paramPermsAWSS3BucketsWithoutLifecycleConfiguration + - None + ## AWS S3 Buckets Without MFA Delete Enabled + CreatePolicyAWSS3BucketsWithoutMFADeleteEnabledRead: !Not + - !Equals + - !Ref paramPermsAWSS3BucketsWithoutMFADeleteEnabled + - None + ## AWS S3 Buckets Without Public Access Blocked + CreatePolicyAWSS3BucketsWithoutPublicAccessBlockedRead: !Not + - !Equals + - !Ref paramPermsAWSS3BucketsWithoutPublicAccessBlocked + - None + ## AWS S3 Buckets Without Server Access Logging + CreatePolicyAWSS3BucketsWithoutServerAccessLoggingRead: !Not + - !Equals + - !Ref paramPermsAWSS3BucketsWithoutServerAccessLogging + - None + ## AWS S3 Incomplete Multi-Part Uploads + CreatePolicyAWSS3IncompleteMultiPartUploadsRead: !Not + - !Equals + - !Ref paramPermsAWSS3IncompleteMultiPartUploads + - None + ## AWS Savings Plan Recommendations + CreatePolicyAWSSavingsPlanRecommendationsRead: !Not + - !Equals + - !Ref paramPermsAWSSavingsPlanRecommendations + - None + ## AWS Savings Plan Utilization + CreatePolicyAWSSavingsPlanUtilizationRead: !Not + - !Equals + - !Ref 
paramPermsAWSSavingsPlanUtilization + - None + ## AWS Schedule Instance + CreatePolicyAWSScheduleInstanceRead: !Not + - !Equals + - !Ref paramPermsAWSScheduleInstance + - None + ## AWS Scheduled EC2 Events + CreatePolicyAWSScheduledEC2EventsRead: !Not + - !Equals + - !Ref paramPermsAWSScheduledEC2Events + - None + ## AWS Superseded EBS Volumes + CreatePolicyAWSSupersededEBSVolumesRead: !Not + - !Equals + - !Ref paramPermsAWSSupersededEBSVolumes + - None + ## AWS Superseded EC2 Instances + CreatePolicyAWSSupersededEC2InstancesRead: !Not + - !Equals + - !Ref paramPermsAWSSupersededEC2Instances + - None + ## AWS Superseded EC2 Instances + CreatePolicyAWSSupersededEC2InstancesRead: !Not + - !Equals + - !Ref paramPermsAWSSupersededEC2Instances + - None + ## AWS Tag Cardinality Report + CreatePolicyAWSTagCardinalityReportRead: !Not + - !Equals + - !Ref paramPermsAWSTagCardinalityReport + - None + ## AWS Unencrypted EBS Volumes + CreatePolicyAWSUnencryptedEBSVolumesRead: !Not + - !Equals + - !Ref paramPermsAWSUnencryptedEBSVolumes + - None + ## AWS Unencrypted RDS Instances + CreatePolicyAWSUnencryptedRDSInstancesRead: !Not + - !Equals + - !Ref paramPermsAWSUnencryptedRDSInstances + - None + ## AWS Untagged Resources + CreatePolicyAWSUntaggedResourcesRead: !Not + - !Equals + - !Ref paramPermsAWSUntaggedResources + - None + ## AWS Unused Application Load Balancers + CreatePolicyAWSUnusedApplicationLoadBalancersRead: !Not + - !Equals + - !Ref paramPermsAWSUnusedApplicationLoadBalancers + - None + ## AWS Unused Classic Load Balancers + CreatePolicyAWSUnusedClassicLoadBalancersRead: !Not + - !Equals + - !Ref paramPermsAWSUnusedClassicLoadBalancers + - None + ## AWS Unused ECS Clusters + CreatePolicyAWSUnusedECSClustersRead: !Not + - !Equals + - !Ref paramPermsAWSUnusedECSClusters + - None + ## AWS Unused IAM Credentials + CreatePolicyAWSUnusedIAMCredentialsRead: !Not + - !Equals + - !Ref paramPermsAWSUnusedIAMCredentials + - None + ## AWS Unused IP Addresses + 
CreatePolicyAWSUnusedIPAddressesRead: !Not + - !Equals + - !Ref paramPermsAWSUnusedIPAddresses + - None + ## AWS Unused Network Load Balancers + CreatePolicyAWSUnusedNetworkLoadBalancersRead: !Not + - !Equals + - !Ref paramPermsAWSUnusedNetworkLoadBalancers + - None + ## AWS VPCs Without FlowLogs Enabled + CreatePolicyAWSVPCsWithoutFlowLogsEnabledRead: !Not + - !Equals + - !Ref paramPermsAWSVPCsWithoutFlowLogsEnabled + - None + ## Common Bill Ingestion from AWS S3 Object Storage + CreatePolicyCommonBillIngestionfromAWSS3ObjectStorageRead: !Not + - !Equals + - !Ref paramPermsCommonBillIngestionfromAWSS3ObjectStorage + - None + + # End for each policy template + ValueProvidedparamPermsAttachExistingPolicies: !Not + - !Equals + - !Ref paramPermsAttachExistingPolicies + - "" + +Mappings: + TrustedRoleMap: + app.flexera.com: + roleArn: "arn:aws:iam::451234325714:role/production_customer_access" + app.flexera.eu: + roleArn: "arn:aws:iam::451234325714:role/production_eu_customer_access" + app.flexera.au: + roleArn: "arn:aws:iam::451234325714:role/production_apac_customer_access" + app.flexeratest.com: + roleArn: "arn:aws:iam::274571843445:role/staging_customer_access" + PermissionMap: + # Begin IAM Permissions Map + # Expect 2 lists for each Policy Template (read and action) + ## All AWS Policy Templates + AllAWSPolicyTemplates: + read: + - "access-analyzer:ListAnalyzers" + - "ce:GetReservationCoverage" + - "ce:GetReservationPurchaseRecommendation" + - "ce:GetSavingsPlansPurchaseRecommendation" + - "ce:GetSavingsPlansUtilization" + - "cloudtrail:DescribeTrails" + - "cloudtrail:GetEventSelectors" + - "cloudtrail:GetTrailStatus" + - "cloudtrail:LookupEvents" + - "cloudwatch:GetMetricData" + - "cloudwatch:GetMetricStatistics" + - "cloudwatch:ListMetrics" + - "compute-optimizer:GetEC2InstanceRecommendations" + - "config:DescribeConfigurationRecorderStatus" + - "ec2:CreateTags" + - "ec2:DeleteTags" + - "ec2:DescribeAddresses" + - "ec2:DescribeFlowLogs" + - "ec2:DescribeImages" 
+ - "ec2:DescribeInstanceStatus" + - "ec2:DescribeInstances" + - "ec2:DescribeNatGateways" + - "ec2:DescribeRegions" + - "ec2:DescribeSnapshots" + - "ec2:DescribeTags" + - "ec2:DescribeVolumes" + - "ec2:DescribeVpcs" + - "ec2:GetEbsEncryptionByDefault" + - "ec2:StartInstances" + - "ec2:StopInstances" + - "ec2:TerminateInstances" + - "ecs:DescribeClusters" + - "ecs:ListClusters" + - "eks:DescribeCluster" + - "eks:DescribeNodegroup" + - "eks:ListClusters" + - "eks:ListNodegroups" + - "elasticache:DescribeCacheClusters" + - "elasticache:ListTagsForResource" + - "elasticloadbalancing:DescribeInstanceHealth" + - "elasticloadbalancing:DescribeListeners" + - "elasticloadbalancing:DescribeLoadBalancers" + - "elasticloadbalancing:DescribeTags" + - "elasticloadbalancing:DescribeTargetGroups" + - "elasticloadbalancing:DescribeTargetHealth" + - "iam:GenerateCredentialReport" + - "iam:GetAccountPasswordPolicy" + - "iam:GetAccountSummary" + - "iam:GetCredentialReport" + - "iam:GetPolicyVersion" + - "iam:ListAccessKeys" + - "iam:ListAttachedUserPolicies" + - "iam:ListEntitiesForPolicy" + - "iam:ListPolicies" + - "iam:ListRoleTags" + - "iam:ListRoles" + - "iam:ListServerCertificates" + - "iam:ListUserPolicies" + - "iam:ListUsers" + - "iam:ListVirtualMFADevices" + - "kms:CreateGrant" + - "kms:Decrypt" + - "kms:GetKeyRotationStatus" + - "kms:ListKeys" + - "lambda:ListFunctions" + - "lambda:ListProvisionedConcurrencyConfigs" + - "lambda:ListTags" + - "lambda:ListVersionsByFunction" + - "organizations:ListAccounts" + - "organizations:ListPolicies" + - "organizations:ListPoliciesForTarget" + - "organizations:ListTagsForResource" + - "pricing:GetProducts" + - "rds:DescribeDBClusterSnapshots" + - "rds:DescribeDBClusters" + - "rds:DescribeDBInstances" + - "rds:DescribeDBSnapshots" + - "rds:DescribeOrderableDBInstanceOptions" + - "rds:ListTagsForResource" + - "redshift:DescribeClusters" + - "s3:GetBucketAcl" + - "s3:GetBucketLifecycleConfiguration" + - "s3:GetBucketLocation" + - 
"s3:GetBucketLogging" + - "s3:GetBucketPolicy" + - "s3:GetBucketPublicAccessBlock" + - "s3:GetBucketTagging" + - "s3:GetBucketVersioning" + - "s3:GetEncryptionConfiguration" + - "s3:GetIntelligentTieringConfiguration" + - "s3:GetObject" + - "s3:ListAllMyBuckets" + - "s3:ListBucketMultipartUploads" + - "s3:ListMultipartUploadParts" + - "savingsplans:DescribeSavingsPlans" + - "sts:GetCallerIdentity" + - "tag:GetResources" + action: [] + ## AWS Account Credentials + AWSAccountCredentials: + read: + - "sts:GetCallerIdentity" + action: [] + ## AWS Accounts Missing Service Control Policies + AWSAccountsMissingServiceControlPolicies: + read: + - "organizations:ListPolicies" + - "organizations:ListAccounts" + - "organizations:ListPoliciesForTarget" + action: [] + ## AWS Burstable EC2 Instances + AWSBurstableEC2Instances: + read: + - "sts:GetCallerIdentity" + - "cloudwatch:GetMetricData" + - "cloudwatch:ListMetrics" + - "ec2:DescribeRegions" + - "ec2:DescribeInstances" + - "ec2:DescribeTags" + action: [] + ## AWS CloudTrail Not Enabled In All Regions + AWSCloudTrailNotEnabledInAllRegions: + read: + - "sts:GetCallerIdentity" + - "cloudtrail:DescribeTrails" + - "cloudtrail:GetTrailStatus" + - "cloudtrail:GetEventSelectors" + action: [] + ## AWS CloudTrail S3 Buckets Without Access Logging + AWSCloudTrailS3BucketsWithoutAccessLogging: + read: + - "sts:GetCallerIdentity" + - "cloudtrail:DescribeTrails" + - "s3:GetBucketLocation" + - "s3:GetBucketLogging" + action: [] + ## AWS CloudTrails Not Integrated With CloudWatch + AWSCloudTrailsNotIntegratedWithCloudWatch: + read: + - "sts:GetCallerIdentity" + - "cloudtrail:DescribeTrails" + - "cloudtrail:GetTrailStatus" + action: [] + ## AWS CloudTrails With Read Logging Enabled + AWSCloudTrailsWithReadLoggingEnabled: + read: + - "sts:GetCallerIdentity" + - "cloudtrail:DescribeTrails" + - "cloudtrail:GetEventSelectors" + action: [] + ## AWS CloudTrails Without Encrypted Logs + AWSCloudTrailsWithoutEncryptedLogs: + read: + - 
"sts:GetCallerIdentity" + - "cloudtrail:DescribeTrails" + action: [] + ## AWS CloudTrails Without Log File Validation Enabled + AWSCloudTrailsWithoutLogFileValidationEnabled: + read: + - "sts:GetCallerIdentity" + - "cloudtrail:DescribeTrails" + action: [] + ## AWS CloudTrails Without Object-level Events Logging Enabled + AWSCloudTrailsWithoutObjectlevelEventsLoggingEnabled: + read: + - "sts:GetCallerIdentity" + - "cloudtrail:DescribeTrails" + - "cloudtrail:GetEventSelectors" + action: [] + ## AWS Customer Managed Keys (CMKs) Without Rotation Enabled + AWSCustomerManagedKeysCMKsWithoutRotationEnabled: + read: + - "sts:GetCallerIdentity" + - "ec2:DescribeRegions" + - "kms:ListKeys" + - "kms:GetKeyRotationStatus" + action: [] + ## AWS Disallowed Regions + AWSDisallowedRegions: + read: + - "sts:GetCallerIdentity" + - "ec2:DescribeRegions" + - "ec2:DescribeInstances" + action: [] + ## AWS EC2 Compute Optimizer Recommendations + AWSEC2ComputeOptimizerRecommendations: + read: + - "sts:GetCallerIdentity" + - "compute-optimizer:GetEC2InstanceRecommendations" + - "ec2:DescribeRegions" + - "ec2:DescribeInstances" + action: [] + ## AWS EC2 Instances Time Stopped Report + AWSEC2InstancesTimeStoppedReport: + read: + - "ec2:DescribeRegions" + - "ec2:DescribeInstances" + - "sts:GetCallerIdentity" + action: [] + ## AWS EC2 Instances not running FlexNet Inventory Agent + AWSEC2InstancesnotrunningFlexNetInventoryAgent: + read: + - "ec2:DescribeRegions" + - "ec2:DescribeInstances" + action: [] + ## AWS EKS Clusters Without Spot Instances + AWSEKSClustersWithoutSpotInstances: + read: + - "sts:GetCallerIdentity" + - "ec2:DescribeRegions" + - "eks:ListClusters" + - "eks:ListNodegroups" + - "eks:DescribeCluster" + - "eks:DescribeNodegroup" + action: [] + ## AWS Elastic Load Balancers With Unencrypted Listeners + AWSElasticLoadBalancersWithUnencryptedListeners: + read: + - "sts:GetCallerIdentity" + - "ec2:DescribeRegions" + - "elasticloadbalancing:DescribeLoadBalancers" + - 
"elasticloadbalancing:DescribeTags" + - "elasticloadbalancing:DescribeListeners" + action: [] + ## AWS Expiring Savings Plans + AWSExpiringSavingsPlans: + read: + - "savingsplans:DescribeSavingsPlans" + action: [] + ## AWS IAM Account Missing Support Role + AWSIAMAccountMissingSupportRole: + read: + - "sts:GetCallerIdentity" + - "iam:ListPolicies" + - "iam:ListEntitiesForPolicy" + action: [] + ## AWS IAM Attached Admin Policies + AWSIAMAttachedAdminPolicies: + read: + - "sts:GetCallerIdentity" + - "iam:ListPolicies" + - "iam:GetPolicyVersion" + action: [] + ## AWS IAM Expired SSL/TLS Certificates + AWSIAMExpiredSSLTLSCertificates: + read: + - "sts:GetCallerIdentity" + - "iam:ListServerCertificates" + action: [] + ## AWS IAM Insufficient Required Password Length + AWSIAMInsufficientRequiredPasswordLength: + read: + - "sts:GetCallerIdentity" + - "iam:GetAccountPasswordPolicy" + action: [] + ## AWS IAM Password Policy Not Restricting Password Reuse + AWSIAMPasswordPolicyNotRestrictingPasswordReuse: + read: + - "sts:GetCallerIdentity" + - "iam:GetAccountPasswordPolicy" + action: [] + ## AWS IAM Role Audit + AWSIAMRoleAudit: + read: + - "sts:GetCallerIdentity" + - "iam:ListRoles" + - "iam:ListRoleTags" + action: [] + ## AWS IAM Root Account Access Keys + AWSIAMRootAccountAccessKeys: + read: + - "sts:GetCallerIdentity" + - "iam:GetAccountSummary" + action: [] + ## AWS IAM Root User Account Without Hardware MFA + AWSIAMRootUserAccountWithoutHardwareMFA: + read: + - "sts:GetCallerIdentity" + - "iam:GetAccountSummary" + - "iam:ListVirtualMFADevices" + action: [] + ## AWS IAM Root User Account Without MFA + AWSIAMRootUserAccountWithoutMFA: + read: + - "sts:GetCallerIdentity" + - "iam:GetAccountSummary" + - "iam:ListVirtualMFADevices" + action: [] + ## AWS IAM Root User Doing Everyday Tasks + AWSIAMRootUserDoingEverydayTasks: + read: + - "sts:GetCallerIdentity" + - "iam:GenerateCredentialReport" + - "iam:GetCredentialReport" + action: [] + ## AWS IAM User Accounts Without MFA 
+ AWSIAMUserAccountsWithoutMFA: + read: + - "sts:GetCallerIdentity" + - "iam:GenerateCredentialReport" + - "iam:GetCredentialReport" + action: [] + ## AWS IAM Users With Directly-Attached Policies + AWSIAMUsersWithDirectlyAttachedPolicies: + read: + - "sts:GetCallerIdentity" + - "iam:ListUsers" + - "iam:ListUserPolicies" + - "iam:ListAttachedUserPolicies" + action: [] + ## AWS IAM Users With Multiple Active Access Keys + AWSIAMUsersWithMultipleActiveAccessKeys: + read: + - "sts:GetCallerIdentity" + - "iam:ListUsers" + - "iam:ListAccessKeys" + action: [] + ## AWS IAM Users With Old Access Keys + AWSIAMUsersWithOldAccessKeys: + read: + - "sts:GetCallerIdentity" + - "iam:GenerateCredentialReport" + - "iam:GetCredentialReport" + action: [] + ## AWS Idle NAT Gateways + AWSIdleNATGateways: + read: + - "ec2:DescribeRegions" + - "ec2:DescribeNatGateways" + - "sts:GetCallerIdentity" + action: [] + ## AWS Internet-Accessible Elastic Load Balancers + AWSInternetAccessibleElasticLoadBalancers: + read: + - "sts:GetCallerIdentity" + - "ec2:DescribeRegions" + - "elasticloadbalancing:DescribeLoadBalancers" + - "elasticloadbalancing:DescribeTags" + - "elasticloadbalancing:DescribeListeners" + action: [] + ## AWS Lambda Functions With High Error Rate + AWSLambdaFunctionsWithHighErrorRate: + read: + - "sts:GetCallerIdentity" + - "ec2:DescribeRegions" + - "lambda:ListFunctions" + - "lambda:ListTags" + - "cloudwatch:ListMetrics" + - "cloudwatch:GetMetricData" + action: [] + ## AWS Lambda Functions Without Provisioned Concurrency + AWSLambdaFunctionsWithoutProvisionedConcurrency: + read: + - "sts:GetCallerIdentity" + - "ec2:DescribeRegions" + - "lambda:ListFunctions" + - "lambda:ListTags" + - "lambda:ListProvisionedConcurrencyConfigs" + - "lambda:ListVersionsByFunction" + action: [] + ## AWS Long Running Instances + AWSLongRunningInstances: + read: + - "ec2:DescribeRegions" + - "ec2:DescribeInstances" + - "sts:GetCallerIdentity" + action: [] + ## AWS Long Stopped EC2 Instances + 
AWSLongStoppedEC2Instances: + read: + - "ec2:DescribeRegions" + - "ec2:DescribeInstances" + - "cloudwatch:GetMetricStatistics" + - "cloudwatch:GetMetricData" + - "cloudwatch:ListMetrics" + - "sts:GetCallerIdentity" + action: [] + ## AWS Missing Regions + AWSMissingRegions: + read: + - "ec2:DescribeRegions" + - "ec2:DescribeInstances" + - "sts:GetCallerIdentity" + action: [] + ## AWS Old Snapshots + AWSOldSnapshots: + read: + - "ec2:DescribeRegions" + - "ec2:DescribeImages" + - "ec2:DescribeSnapshots" + - "rds:DescribeDBInstances" + - "rds:DescribeDBSnapshots" + - "rds:DescribeDBClusters" + - "rds:DescribeDBClusterSnapshots" + - "sts:GetCallerIdentity" + - "cloudtrail:LookupEvents" + action: [] + ## AWS Open S3 Buckets + AWSOpenS3Buckets: + read: + - "s3:ListAllMyBuckets" + - "s3:GetBucketLocation" + - "s3:GetBucketAcl" + - "sts:GetCallerIdentity" + action: [] + ## AWS Oversized S3 Buckets + AWSOversizedS3Buckets: + read: + - "s3:ListAllMyBuckets" + - "s3:GetBucketLocation" + - "s3:GetBucketTagging" + - "cloudwatch:ListMetrics" + - "cloudwatch:GetMetricData" + - "sts:GetCallerIdentity" + action: [] + ## AWS Publicly Accessible CloudTrail S3 Buckets + AWSPubliclyAccessibleCloudTrailS3Buckets: + read: + - "sts:GetCallerIdentity" + - "cloudtrail:DescribeTrails" + - "s3:GetBucketLocation" + - "s3:GetBucketAcl" + - "s3:GetBucketPolicy" + action: [] + ## AWS Publicly Accessible RDS Instances + AWSPubliclyAccessibleRDSInstances: + read: + - "sts:GetCallerIdentity" + - "ec2:DescribeRegions" + - "rds:DescribeDBInstances" + - "rds:ListTagsForResource" + action: [] + ## AWS RDS Instances With Unapproved Backup Settings + AWSRDSInstancesWithUnapprovedBackupSettings: + read: + - "sts:GetCallerIdentity" + - "ec2:DescribeRegions" + - "rds:DescribeDBInstances" + - "rds:ListTagsForResource" + action: [] + ## AWS Regions Without Access Analyzer Enabled + AWSRegionsWithoutAccessAnalyzerEnabled: + read: + - "sts:GetCallerIdentity" + - "ec2:DescribeRegions" + - 
"access-analyzer:ListAnalyzers" + action: [] + ## AWS Regions Without Config Fully Enabled + AWSRegionsWithoutConfigFullyEnabled: + read: + - "sts:GetCallerIdentity" + - "ec2:DescribeRegions" + - "config:DescribeConfigurationRecorderStatus" + action: [] + ## AWS Regions Without Default EBS Encryption + AWSRegionsWithoutDefaultEBSEncryption: + read: + - "sts:GetCallerIdentity" + - "ec2:DescribeRegions" + - "ec2:GetEbsEncryptionByDefault" + action: [] + ## AWS Reserved Instances Coverage + AWSReservedInstancesCoverage: + read: + - "ce:GetReservationCoverage" + action: [] + ## AWS Reserved Instances Recommendations + AWSReservedInstancesRecommendations: + read: + - "ce:GetReservationPurchaseRecommendation" + action: [] + ## AWS Rightsize EBS Volumes + AWSRightsizeEBSVolumes: + read: + - "ec2:DescribeRegions" + - "ec2:DescribeVolumes" + - "pricing:GetProducts" + action: [] + ## AWS Rightsize EC2 Instances + AWSRightsizeEC2Instances: + read: + - "ec2:DescribeRegions" + - "ec2:DescribeInstances" + - "ec2:DescribeTags" + - "cloudwatch:GetMetricStatistics" + - "cloudwatch:GetMetricData" + - "cloudwatch:ListMetrics" + - "sts:GetCallerIdentity" + action: [] + ## AWS Rightsize ElastiCache + AWSRightsizeElastiCache: + read: + - "sts:GetCallerIdentity" + - "cloudwatch:GetMetricData" + - "ec2:DescribeRegions" + - "elasticache:DescribeCacheClusters" + - "elasticache:ListTagsForResource" + action: [] + ## AWS Rightsize RDS Instances + AWSRightsizeRDSInstances: + read: + - "sts:GetCallerIdentity" + - "cloudwatch:GetMetricStatistics" + - "cloudwatch:GetMetricData" + - "ec2:DescribeRegions" + - "rds:DescribeDBInstances" + - "rds:ListTagsForResource" + - "rds:DescribeOrderableDBInstanceOptions" + action: [] + ## AWS Rightsize Redshift + AWSRightsizeRedshift: + read: + - "sts:GetCallerIdentity" + - "cloudwatch:GetMetricData" + - "ec2:DescribeRegions" + - "redshift:DescribeClusters" + action: [] + ## AWS S3 Buckets Accepting HTTP Requests + AWSS3BucketsAcceptingHTTPRequests: + read: + - 
"sts:GetCallerIdentity" + - "s3:ListAllMyBuckets" + - "s3:GetBucketLocation" + - "s3:GetBucketTagging" + - "s3:GetBucketPolicy" + action: [] + ## AWS S3 Buckets Without Default Encryption Configuration + AWSS3BucketsWithoutDefaultEncryptionConfiguration: + read: + - "sts:GetCallerIdentity" + - "s3:ListAllMyBuckets" + - "s3:GetBucketLocation" + - "s3:GetBucketTagging" + - "s3:GetEncryptionConfiguration" + action: [] + ## AWS S3 Buckets Without Intelligent Tiering + AWSS3BucketsWithoutIntelligentTiering: + read: + - "s3:ListAllMyBuckets" + - "s3:GetBucketLocation" + - "s3:GetBucketTagging" + - "s3:GetIntelligentTieringConfiguration" + - "sts:GetCallerIdentity" + action: [] + ## AWS S3 Buckets Without Lifecycle Configuration + AWSS3BucketsWithoutLifecycleConfiguration: + read: + - "s3:ListAllMyBuckets" + - "s3:GetBucketLocation" + - "s3:GetBucketTagging" + - "s3:GetBucketLifecycleConfiguration" + - "sts:GetCallerIdentity" + action: [] + ## AWS S3 Buckets Without MFA Delete Enabled + AWSS3BucketsWithoutMFADeleteEnabled: + read: + - "sts:GetCallerIdentity" + - "s3:ListAllMyBuckets" + - "s3:GetBucketLocation" + - "s3:GetBucketTagging" + - "s3:GetBucketVersioning" + action: [] + ## AWS S3 Buckets Without Public Access Blocked + AWSS3BucketsWithoutPublicAccessBlocked: + read: + - "sts:GetCallerIdentity" + - "s3:ListAllMyBuckets" + - "s3:GetBucketLocation" + - "s3:GetBucketTagging" + - "s3:GetBucketPublicAccessBlock" + action: [] + ## AWS S3 Buckets Without Server Access Logging + AWSS3BucketsWithoutServerAccessLogging: + read: + - "sts:GetCallerIdentity" + - "s3:ListAllMyBuckets" + - "s3:GetBucketLocation" + - "s3:GetBucketTagging" + - "s3:GetBucketLogging" + action: [] + ## AWS S3 Incomplete Multi-Part Uploads + AWSS3IncompleteMultiPartUploads: + read: + - "sts:GetCallerIdentity" + - "s3:ListAllMyBuckets" + - "s3:GetBucketLocation" + - "s3:GetBucketTagging" + - "s3:ListBucketMultipartUploads" + - "s3:ListMultipartUploadParts" + action: [] + ## AWS Savings Plan 
Recommendations + AWSSavingsPlanRecommendations: + read: + - "ce:GetSavingsPlansPurchaseRecommendation" + action: [] + ## AWS Savings Plan Utilization + AWSSavingsPlanUtilization: + read: + - "ce:GetSavingsPlansUtilization" + - "savingsplans:DescribeSavingsPlans" + action: [] + ## AWS Schedule Instance + AWSScheduleInstance: + read: + - "ec2:DescribeInstances" + - "ec2:StartInstances" + - "ec2:StopInstances" + - "ec2:DeleteTags" + - "ec2:DescribeRegions" + - "kms:CreateGrant" + - "kms:Decrypt" + - "ec2:CreateTags" + - "ec2:TerminateInstances" + action: [] + ## AWS Scheduled EC2 Events + AWSScheduledEC2Events: + read: + - "ec2:DescribeInstances" + - "ec2:DescribeInstanceStatus" + - "ec2:DescribeRegions" + - "sts:GetCallerIdentity" + action: [] + ## AWS Superseded EBS Volumes + AWSSupersededEBSVolumes: + read: + - "sts:GetCallerIdentity" + - "ec2:DescribeRegions" + - "ec2:DescribeVolumes" + - "pricing:GetProducts" + action: [] + ## AWS Superseded EC2 Instances + AWSSupersededEC2Instances: + read: + - "ec2:DescribeRegions" + - "ec2:DescribeInstances" + - "ec2:DescribeTags" + - "sts:GetCallerIdentity" + action: [] + ## AWS Superseded EC2 Instances + AWSSupersededEC2Instances: + read: + - "ec2:DescribeRegions" + - "ec2:DescribeInstances" + - "ec2:DescribeTags" + - "sts:GetCallerIdentity" + action: [] + ## AWS Tag Cardinality Report + AWSTagCardinalityReport: + read: + - "tag:GetResources" + - "ec2:DescribeRegions" + - "organizations:ListAccounts" + - "organizations:ListTagsForResource" + action: [] + ## AWS Unencrypted EBS Volumes + AWSUnencryptedEBSVolumes: + read: + - "sts:GetCallerIdentity" + - "ec2:DescribeRegions" + - "ec2:DescribeVolumes" + action: [] + ## AWS Unencrypted RDS Instances + AWSUnencryptedRDSInstances: + read: + - "sts:GetCallerIdentity" + - "ec2:DescribeRegions" + - "rds:DescribeDBInstances" + - "rds:ListTagsForResource" + action: [] + ## AWS Untagged Resources + AWSUntaggedResources: + read: + - "sts:GetCallerIdentity" + - "ec2:DescribeRegions" + - 
"tag:GetResources" + action: [] + ## AWS Unused Application Load Balancers + AWSUnusedApplicationLoadBalancers: + read: + - "sts:GetCallerIdentity" + - "ec2:DescribeRegions" + - "elasticloadbalancing:DescribeLoadBalancers" + - "elasticloadbalancing:DescribeListeners" + - "elasticloadbalancing:DescribeTags" + - "elasticloadbalancing:DescribeTargetGroups" + - "elasticloadbalancing:DescribeTargetHealth" + action: [] + ## AWS Unused Classic Load Balancers + AWSUnusedClassicLoadBalancers: + read: + - "sts:GetCallerIdentity" + - "ec2:DescribeRegions" + - "elasticloadbalancing:DescribeLoadBalancers" + - "elasticloadbalancing:DescribeInstanceHealth" + - "elasticloadbalancing:DescribeTags" + action: [] + ## AWS Unused ECS Clusters + AWSUnusedECSClusters: + read: + - "sts:GetCallerIdentity" + - "ec2:DescribeRegions" + - "ecs:ListClusters" + - "ecs:DescribeClusters" + action: [] + ## AWS Unused IAM Credentials + AWSUnusedIAMCredentials: + read: + - "sts:GetCallerIdentity" + - "iam:GenerateCredentialReport" + - "iam:GetCredentialReport" + action: [] + ## AWS Unused IP Addresses + AWSUnusedIPAddresses: + read: + - "ec2:DescribeRegions" + - "ec2:DescribeAddresses" + - "sts:GetCallerIdentity" + - "cloudtrail:LookupEvents" + action: [] + ## AWS Unused Network Load Balancers + AWSUnusedNetworkLoadBalancers: + read: + - "sts:GetCallerIdentity" + - "ec2:DescribeRegions" + - "elasticloadbalancing:DescribeLoadBalancers" + - "elasticloadbalancing:DescribeListeners" + - "elasticloadbalancing:DescribeTags" + - "elasticloadbalancing:DescribeTargetGroups" + - "elasticloadbalancing:DescribeTargetHealth" + action: [] + ## AWS VPCs Without FlowLogs Enabled + AWSVPCsWithoutFlowLogsEnabled: + read: + - "sts:GetCallerIdentity" + - "ec2:DescribeRegions" + - "ec2:DescribeVpcs" + - "ec2:DescribeFlowLogs" + action: [] + ## Common Bill Ingestion from AWS S3 Object Storage + CommonBillIngestionfromAWSS3ObjectStorage: + read: + - "s3:GetObject" + action: [] + + # End for each policy template + 
+Resources: + # IAM Role Resource + iamRole: + Type: "AWS::IAM::Role" + Properties: + RoleName: !Ref paramRoleName + Description: !Join + - " " + - - "Allows access from Flexera Platform. This IAM Role and the attached permission policies were created and are managed by CloudFormation Stack:" + - !Ref AWS::StackId + Path: !Ref paramRolePath + AssumeRolePolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Principal: + AWS: !FindInMap + - TrustedRoleMap + - !Ref paramFlexeraZone + - roleArn + Action: "sts:AssumeRole" + Condition: + StringEquals: + "sts:ExternalId": !Ref paramFlexeraOrgId + # ManagedPolicyArns value is conditional based on input paramPermsAttachExistingPolicies + ManagedPolicyArns: !If + - ValueProvidedparamPermsAttachExistingPolicies + # If value is provided for paramPermsAttachExistingPolicies, split that comma-separated list into a list object + - !Split [ ",", !Ref paramPermsAttachExistingPolicies ] + # Provide a null value if nothing provided for paramPermsAttachExistingPolicies + - !Ref AWS::NoValue + # Begin IAM Permission Policy Resources + # 1 or 2 Permission Policies per Policy Template (read and action) + # Policy create/attachment is conditional based on parameter input for each policy + ## All AWS Policy Templates + iamPolicyAllAWSPolicyTemplatesRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAllAWSPolicyTemplatesRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AllAWSPolicyTemplatesReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AllAWSPolicyTemplates + - read + Resource: "*" + ## AWS Account Credentials + iamPolicyAWSAccountCredentialsRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSAccountCredentialsRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSAccountCredentialsReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + 
Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSAccountCredentials + - read + Resource: "*" + ## AWS Accounts Missing Service Control Policies + iamPolicyAWSAccountsMissingServiceControlPoliciesRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSAccountsMissingServiceControlPoliciesRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSAccountsMissingServiceControlPoliciesReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSAccountsMissingServiceControlPolicies + - read + Resource: "*" + ## AWS Burstable EC2 Instances + iamPolicyAWSBurstableEC2InstancesRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSBurstableEC2InstancesRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSBurstableEC2InstancesReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSBurstableEC2Instances + - read + Resource: "*" + ## AWS CloudTrail Not Enabled In All Regions + iamPolicyAWSCloudTrailNotEnabledInAllRegionsRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSCloudTrailNotEnabledInAllRegionsRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSCloudTrailNotEnabledInAllRegionsReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSCloudTrailNotEnabledInAllRegions + - read + Resource: "*" + ## AWS CloudTrail S3 Buckets Without Access Logging + iamPolicyAWSCloudTrailS3BucketsWithoutAccessLoggingRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSCloudTrailS3BucketsWithoutAccessLoggingRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - 
AWSCloudTrailS3BucketsWithoutAccessLoggingReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSCloudTrailS3BucketsWithoutAccessLogging + - read + Resource: "*" + ## AWS CloudTrails Not Integrated With CloudWatch + iamPolicyAWSCloudTrailsNotIntegratedWithCloudWatchRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSCloudTrailsNotIntegratedWithCloudWatchRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSCloudTrailsNotIntegratedWithCloudWatchReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSCloudTrailsNotIntegratedWithCloudWatch + - read + Resource: "*" + ## AWS CloudTrails With Read Logging Enabled + iamPolicyAWSCloudTrailsWithReadLoggingEnabledRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSCloudTrailsWithReadLoggingEnabledRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSCloudTrailsWithReadLoggingEnabledReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSCloudTrailsWithReadLoggingEnabled + - read + Resource: "*" + ## AWS CloudTrails Without Encrypted Logs + iamPolicyAWSCloudTrailsWithoutEncryptedLogsRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSCloudTrailsWithoutEncryptedLogsRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSCloudTrailsWithoutEncryptedLogsReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSCloudTrailsWithoutEncryptedLogs + - read + Resource: "*" + ## AWS CloudTrails Without Log File Validation Enabled + iamPolicyAWSCloudTrailsWithoutLogFileValidationEnabledRead: + Type: "AWS::IAM::Policy" 
+ Condition: CreatePolicyAWSCloudTrailsWithoutLogFileValidationEnabledRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSCloudTrailsWithoutLogFileValidationEnabledReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSCloudTrailsWithoutLogFileValidationEnabled + - read + Resource: "*" + ## AWS CloudTrails Without Object-level Events Logging Enabled + iamPolicyAWSCloudTrailsWithoutObjectlevelEventsLoggingEnabledRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSCloudTrailsWithoutObjectlevelEventsLoggingEnabledRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSCloudTrailsWithoutObjectlevelEventsLoggingEnabledReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSCloudTrailsWithoutObjectlevelEventsLoggingEnabled + - read + Resource: "*" + ## AWS Customer Managed Keys (CMKs) Without Rotation Enabled + iamPolicyAWSCustomerManagedKeysCMKsWithoutRotationEnabledRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSCustomerManagedKeysCMKsWithoutRotationEnabledRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSCustomerManagedKeysCMKsWithoutRotationEnabledReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSCustomerManagedKeysCMKsWithoutRotationEnabled + - read + Resource: "*" + ## AWS Disallowed Regions + iamPolicyAWSDisallowedRegionsRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSDisallowedRegionsRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSDisallowedRegionsReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - 
PermissionMap + - AWSDisallowedRegions + - read + Resource: "*" + ## AWS EC2 Compute Optimizer Recommendations + iamPolicyAWSEC2ComputeOptimizerRecommendationsRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSEC2ComputeOptimizerRecommendationsRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSEC2ComputeOptimizerRecommendationsReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSEC2ComputeOptimizerRecommendations + - read + Resource: "*" + ## AWS EC2 Instances Time Stopped Report + iamPolicyAWSEC2InstancesTimeStoppedReportRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSEC2InstancesTimeStoppedReportRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSEC2InstancesTimeStoppedReportReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSEC2InstancesTimeStoppedReport + - read + Resource: "*" + ## AWS EC2 Instances not running FlexNet Inventory Agent + iamPolicyAWSEC2InstancesnotrunningFlexNetInventoryAgentRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSEC2InstancesnotrunningFlexNetInventoryAgentRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSEC2InstancesnotrunningFlexNetInventoryAgentReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSEC2InstancesnotrunningFlexNetInventoryAgent + - read + Resource: "*" + ## AWS EKS Clusters Without Spot Instances + iamPolicyAWSEKSClustersWithoutSpotInstancesRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSEKSClustersWithoutSpotInstancesRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSEKSClustersWithoutSpotInstancesReadPermissionPolicy + Roles: + - !Ref 
iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSEKSClustersWithoutSpotInstances + - read + Resource: "*" + ## AWS Elastic Load Balancers With Unencrypted Listeners + iamPolicyAWSElasticLoadBalancersWithUnencryptedListenersRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSElasticLoadBalancersWithUnencryptedListenersRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSElasticLoadBalancersWithUnencryptedListenersReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSElasticLoadBalancersWithUnencryptedListeners + - read + Resource: "*" + ## AWS Expiring Savings Plans + iamPolicyAWSExpiringSavingsPlansRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSExpiringSavingsPlansRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSExpiringSavingsPlansReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSExpiringSavingsPlans + - read + Resource: "*" + ## AWS IAM Account Missing Support Role + iamPolicyAWSIAMAccountMissingSupportRoleRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSIAMAccountMissingSupportRoleRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSIAMAccountMissingSupportRoleReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSIAMAccountMissingSupportRole + - read + Resource: "*" + ## AWS IAM Attached Admin Policies + iamPolicyAWSIAMAttachedAdminPoliciesRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSIAMAttachedAdminPoliciesRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSIAMAttachedAdminPoliciesReadPermissionPolicy 
+ Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSIAMAttachedAdminPolicies + - read + Resource: "*" + ## AWS IAM Expired SSL/TLS Certificates + iamPolicyAWSIAMExpiredSSLTLSCertificatesRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSIAMExpiredSSLTLSCertificatesRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSIAMExpiredSSLTLSCertificatesReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSIAMExpiredSSLTLSCertificates + - read + Resource: "*" + ## AWS IAM Insufficient Required Password Length + iamPolicyAWSIAMInsufficientRequiredPasswordLengthRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSIAMInsufficientRequiredPasswordLengthRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSIAMInsufficientRequiredPasswordLengthReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSIAMInsufficientRequiredPasswordLength + - read + Resource: "*" + ## AWS IAM Password Policy Not Restricting Password Reuse + iamPolicyAWSIAMPasswordPolicyNotRestrictingPasswordReuseRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSIAMPasswordPolicyNotRestrictingPasswordReuseRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSIAMPasswordPolicyNotRestrictingPasswordReuseReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSIAMPasswordPolicyNotRestrictingPasswordReuse + - read + Resource: "*" + ## AWS IAM Role Audit + iamPolicyAWSIAMRoleAuditRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSIAMRoleAuditRead + Properties: + PolicyName: !Join + - "_" + - - !Ref 
paramRoleName + - AWSIAMRoleAuditReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSIAMRoleAudit + - read + Resource: "*" + ## AWS IAM Root Account Access Keys + iamPolicyAWSIAMRootAccountAccessKeysRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSIAMRootAccountAccessKeysRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSIAMRootAccountAccessKeysReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSIAMRootAccountAccessKeys + - read + Resource: "*" + ## AWS IAM Root User Account Without Hardware MFA + iamPolicyAWSIAMRootUserAccountWithoutHardwareMFARead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSIAMRootUserAccountWithoutHardwareMFARead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSIAMRootUserAccountWithoutHardwareMFAReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSIAMRootUserAccountWithoutHardwareMFA + - read + Resource: "*" + ## AWS IAM Root User Account Without MFA + iamPolicyAWSIAMRootUserAccountWithoutMFARead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSIAMRootUserAccountWithoutMFARead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSIAMRootUserAccountWithoutMFAReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSIAMRootUserAccountWithoutMFA + - read + Resource: "*" + ## AWS IAM Root User Doing Everyday Tasks + iamPolicyAWSIAMRootUserDoingEverydayTasksRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSIAMRootUserDoingEverydayTasksRead + Properties: + PolicyName: !Join + - "_" + - - !Ref 
paramRoleName + - AWSIAMRootUserDoingEverydayTasksReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSIAMRootUserDoingEverydayTasks + - read + Resource: "*" + ## AWS IAM User Accounts Without MFA + iamPolicyAWSIAMUserAccountsWithoutMFARead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSIAMUserAccountsWithoutMFARead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSIAMUserAccountsWithoutMFAReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSIAMUserAccountsWithoutMFA + - read + Resource: "*" + ## AWS IAM Users With Directly-Attached Policies + iamPolicyAWSIAMUsersWithDirectlyAttachedPoliciesRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSIAMUsersWithDirectlyAttachedPoliciesRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSIAMUsersWithDirectlyAttachedPoliciesReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSIAMUsersWithDirectlyAttachedPolicies + - read + Resource: "*" + ## AWS IAM Users With Multiple Active Access Keys + iamPolicyAWSIAMUsersWithMultipleActiveAccessKeysRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSIAMUsersWithMultipleActiveAccessKeysRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSIAMUsersWithMultipleActiveAccessKeysReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSIAMUsersWithMultipleActiveAccessKeys + - read + Resource: "*" + ## AWS IAM Users With Old Access Keys + iamPolicyAWSIAMUsersWithOldAccessKeysRead: + Type: "AWS::IAM::Policy" + Condition: 
CreatePolicyAWSIAMUsersWithOldAccessKeysRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSIAMUsersWithOldAccessKeysReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSIAMUsersWithOldAccessKeys + - read + Resource: "*" + ## AWS Idle NAT Gateways + iamPolicyAWSIdleNATGatewaysRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSIdleNATGatewaysRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSIdleNATGatewaysReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSIdleNATGateways + - read + Resource: "*" + ## AWS Internet-Accessible Elastic Load Balancers + iamPolicyAWSInternetAccessibleElasticLoadBalancersRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSInternetAccessibleElasticLoadBalancersRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSInternetAccessibleElasticLoadBalancersReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSInternetAccessibleElasticLoadBalancers + - read + Resource: "*" + ## AWS Lambda Functions With High Error Rate + iamPolicyAWSLambdaFunctionsWithHighErrorRateRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSLambdaFunctionsWithHighErrorRateRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSLambdaFunctionsWithHighErrorRateReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSLambdaFunctionsWithHighErrorRate + - read + Resource: "*" + ## AWS Lambda Functions Without Provisioned Concurrency + iamPolicyAWSLambdaFunctionsWithoutProvisionedConcurrencyRead: + Type: 
"AWS::IAM::Policy" + Condition: CreatePolicyAWSLambdaFunctionsWithoutProvisionedConcurrencyRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSLambdaFunctionsWithoutProvisionedConcurrencyReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSLambdaFunctionsWithoutProvisionedConcurrency + - read + Resource: "*" + ## AWS Long Running Instances + iamPolicyAWSLongRunningInstancesRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSLongRunningInstancesRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSLongRunningInstancesReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSLongRunningInstances + - read + Resource: "*" + ## AWS Long Stopped EC2 Instances + iamPolicyAWSLongStoppedEC2InstancesRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSLongStoppedEC2InstancesRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSLongStoppedEC2InstancesReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSLongStoppedEC2Instances + - read + Resource: "*" + ## AWS Missing Regions + iamPolicyAWSMissingRegionsRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSMissingRegionsRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSMissingRegionsReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSMissingRegions + - read + Resource: "*" + ## AWS Old Snapshots + iamPolicyAWSOldSnapshotsRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSOldSnapshotsRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - 
AWSOldSnapshotsReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSOldSnapshots + - read + Resource: "*" + ## AWS Open S3 Buckets + iamPolicyAWSOpenS3BucketsRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSOpenS3BucketsRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSOpenS3BucketsReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSOpenS3Buckets + - read + Resource: "*" + ## AWS Oversized S3 Buckets + iamPolicyAWSOversizedS3BucketsRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSOversizedS3BucketsRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSOversizedS3BucketsReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSOversizedS3Buckets + - read + Resource: "*" + ## AWS Publicly Accessible CloudTrail S3 Buckets + iamPolicyAWSPubliclyAccessibleCloudTrailS3BucketsRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSPubliclyAccessibleCloudTrailS3BucketsRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSPubliclyAccessibleCloudTrailS3BucketsReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSPubliclyAccessibleCloudTrailS3Buckets + - read + Resource: "*" + ## AWS Publicly Accessible RDS Instances + iamPolicyAWSPubliclyAccessibleRDSInstancesRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSPubliclyAccessibleRDSInstancesRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSPubliclyAccessibleRDSInstancesReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 
2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSPubliclyAccessibleRDSInstances + - read + Resource: "*" + ## AWS RDS Instances With Unapproved Backup Settings + iamPolicyAWSRDSInstancesWithUnapprovedBackupSettingsRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSRDSInstancesWithUnapprovedBackupSettingsRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSRDSInstancesWithUnapprovedBackupSettingsReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSRDSInstancesWithUnapprovedBackupSettings + - read + Resource: "*" + ## AWS Regions Without Access Analyzer Enabled + iamPolicyAWSRegionsWithoutAccessAnalyzerEnabledRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSRegionsWithoutAccessAnalyzerEnabledRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSRegionsWithoutAccessAnalyzerEnabledReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSRegionsWithoutAccessAnalyzerEnabled + - read + Resource: "*" + ## AWS Regions Without Config Fully Enabled + iamPolicyAWSRegionsWithoutConfigFullyEnabledRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSRegionsWithoutConfigFullyEnabledRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSRegionsWithoutConfigFullyEnabledReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSRegionsWithoutConfigFullyEnabled + - read + Resource: "*" + ## AWS Regions Without Default EBS Encryption + iamPolicyAWSRegionsWithoutDefaultEBSEncryptionRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSRegionsWithoutDefaultEBSEncryptionRead + Properties: + PolicyName: !Join + - "_" + - - 
!Ref paramRoleName + - AWSRegionsWithoutDefaultEBSEncryptionReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSRegionsWithoutDefaultEBSEncryption + - read + Resource: "*" + ## AWS Reserved Instances Coverage + iamPolicyAWSReservedInstancesCoverageRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSReservedInstancesCoverageRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSReservedInstancesCoverageReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSReservedInstancesCoverage + - read + Resource: "*" + ## AWS Reserved Instances Recommendations + iamPolicyAWSReservedInstancesRecommendationsRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSReservedInstancesRecommendationsRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSReservedInstancesRecommendationsReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSReservedInstancesRecommendations + - read + Resource: "*" + ## AWS Rightsize EBS Volumes + iamPolicyAWSRightsizeEBSVolumesRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSRightsizeEBSVolumesRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSRightsizeEBSVolumesReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSRightsizeEBSVolumes + - read + Resource: "*" + ## AWS Rightsize EC2 Instances + iamPolicyAWSRightsizeEC2InstancesRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSRightsizeEC2InstancesRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - 
AWSRightsizeEC2InstancesReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSRightsizeEC2Instances + - read + Resource: "*" + ## AWS Rightsize ElastiCache + iamPolicyAWSRightsizeElastiCacheRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSRightsizeElastiCacheRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSRightsizeElastiCacheReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSRightsizeElastiCache + - read + Resource: "*" + ## AWS Rightsize RDS Instances + iamPolicyAWSRightsizeRDSInstancesRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSRightsizeRDSInstancesRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSRightsizeRDSInstancesReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSRightsizeRDSInstances + - read + Resource: "*" + ## AWS Rightsize Redshift + iamPolicyAWSRightsizeRedshiftRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSRightsizeRedshiftRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSRightsizeRedshiftReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSRightsizeRedshift + - read + Resource: "*" + ## AWS S3 Buckets Accepting HTTP Requests + iamPolicyAWSS3BucketsAcceptingHTTPRequestsRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSS3BucketsAcceptingHTTPRequestsRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSS3BucketsAcceptingHTTPRequestsReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + 
Action: !FindInMap + - PermissionMap + - AWSS3BucketsAcceptingHTTPRequests + - read + Resource: "*" + ## AWS S3 Buckets Without Default Encryption Configuration + iamPolicyAWSS3BucketsWithoutDefaultEncryptionConfigurationRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSS3BucketsWithoutDefaultEncryptionConfigurationRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSS3BucketsWithoutDefaultEncryptionConfigurationReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSS3BucketsWithoutDefaultEncryptionConfiguration + - read + Resource: "*" + ## AWS S3 Buckets Without Intelligent Tiering + iamPolicyAWSS3BucketsWithoutIntelligentTieringRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSS3BucketsWithoutIntelligentTieringRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSS3BucketsWithoutIntelligentTieringReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSS3BucketsWithoutIntelligentTiering + - read + Resource: "*" + ## AWS S3 Buckets Without Lifecycle Configuration + iamPolicyAWSS3BucketsWithoutLifecycleConfigurationRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSS3BucketsWithoutLifecycleConfigurationRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSS3BucketsWithoutLifecycleConfigurationReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSS3BucketsWithoutLifecycleConfiguration + - read + Resource: "*" + ## AWS S3 Buckets Without MFA Delete Enabled + iamPolicyAWSS3BucketsWithoutMFADeleteEnabledRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSS3BucketsWithoutMFADeleteEnabledRead + Properties: + PolicyName: !Join + - "_" + 
- - !Ref paramRoleName + - AWSS3BucketsWithoutMFADeleteEnabledReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSS3BucketsWithoutMFADeleteEnabled + - read + Resource: "*" + ## AWS S3 Buckets Without Public Access Blocked + iamPolicyAWSS3BucketsWithoutPublicAccessBlockedRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSS3BucketsWithoutPublicAccessBlockedRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSS3BucketsWithoutPublicAccessBlockedReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSS3BucketsWithoutPublicAccessBlocked + - read + Resource: "*" + ## AWS S3 Buckets Without Server Access Logging + iamPolicyAWSS3BucketsWithoutServerAccessLoggingRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSS3BucketsWithoutServerAccessLoggingRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSS3BucketsWithoutServerAccessLoggingReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSS3BucketsWithoutServerAccessLogging + - read + Resource: "*" + ## AWS S3 Incomplete Multi-Part Uploads + iamPolicyAWSS3IncompleteMultiPartUploadsRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSS3IncompleteMultiPartUploadsRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSS3IncompleteMultiPartUploadsReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSS3IncompleteMultiPartUploads + - read + Resource: "*" + ## AWS Savings Plan Recommendations + iamPolicyAWSSavingsPlanRecommendationsRead: + Type: "AWS::IAM::Policy" + Condition: 
CreatePolicyAWSSavingsPlanRecommendationsRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSSavingsPlanRecommendationsReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSSavingsPlanRecommendations + - read + Resource: "*" + ## AWS Savings Plan Utilization + iamPolicyAWSSavingsPlanUtilizationRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSSavingsPlanUtilizationRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSSavingsPlanUtilizationReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSSavingsPlanUtilization + - read + Resource: "*" + ## AWS Schedule Instance + iamPolicyAWSScheduleInstanceRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSScheduleInstanceRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSScheduleInstanceReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSScheduleInstance + - read + Resource: "*" + ## AWS Scheduled EC2 Events + iamPolicyAWSScheduledEC2EventsRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSScheduledEC2EventsRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSScheduledEC2EventsReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSScheduledEC2Events + - read + Resource: "*" + ## AWS Superseded EBS Volumes + iamPolicyAWSSupersededEBSVolumesRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSSupersededEBSVolumesRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSSupersededEBSVolumesReadPermissionPolicy + Roles: + - !Ref 
iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSSupersededEBSVolumes + - read + Resource: "*" + ## AWS Superseded EC2 Instances + iamPolicyAWSSupersededEC2InstancesRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSSupersededEC2InstancesRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSSupersededEC2InstancesReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSSupersededEC2Instances + - read + Resource: "*" + ## AWS Superseded EC2 Instances + iamPolicyAWSSupersededEC2InstancesRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSSupersededEC2InstancesRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSSupersededEC2InstancesReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSSupersededEC2Instances + - read + Resource: "*" + ## AWS Tag Cardinality Report + iamPolicyAWSTagCardinalityReportRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSTagCardinalityReportRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSTagCardinalityReportReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSTagCardinalityReport + - read + Resource: "*" + ## AWS Unencrypted EBS Volumes + iamPolicyAWSUnencryptedEBSVolumesRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSUnencryptedEBSVolumesRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSUnencryptedEBSVolumesReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSUnencryptedEBSVolumes + - 
read + Resource: "*" + ## AWS Unencrypted RDS Instances + iamPolicyAWSUnencryptedRDSInstancesRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSUnencryptedRDSInstancesRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSUnencryptedRDSInstancesReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSUnencryptedRDSInstances + - read + Resource: "*" + ## AWS Untagged Resources + iamPolicyAWSUntaggedResourcesRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSUntaggedResourcesRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSUntaggedResourcesReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSUntaggedResources + - read + Resource: "*" + ## AWS Unused Application Load Balancers + iamPolicyAWSUnusedApplicationLoadBalancersRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSUnusedApplicationLoadBalancersRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSUnusedApplicationLoadBalancersReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSUnusedApplicationLoadBalancers + - read + Resource: "*" + ## AWS Unused Classic Load Balancers + iamPolicyAWSUnusedClassicLoadBalancersRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSUnusedClassicLoadBalancersRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSUnusedClassicLoadBalancersReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSUnusedClassicLoadBalancers + - read + Resource: "*" + ## AWS Unused ECS Clusters + iamPolicyAWSUnusedECSClustersRead: + Type: 
"AWS::IAM::Policy" + Condition: CreatePolicyAWSUnusedECSClustersRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSUnusedECSClustersReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSUnusedECSClusters + - read + Resource: "*" + ## AWS Unused IAM Credentials + iamPolicyAWSUnusedIAMCredentialsRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSUnusedIAMCredentialsRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSUnusedIAMCredentialsReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSUnusedIAMCredentials + - read + Resource: "*" + ## AWS Unused IP Addresses + iamPolicyAWSUnusedIPAddressesRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSUnusedIPAddressesRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSUnusedIPAddressesReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSUnusedIPAddresses + - read + Resource: "*" + ## AWS Unused Network Load Balancers + iamPolicyAWSUnusedNetworkLoadBalancersRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSUnusedNetworkLoadBalancersRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - AWSUnusedNetworkLoadBalancersReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSUnusedNetworkLoadBalancers + - read + Resource: "*" + ## AWS VPCs Without FlowLogs Enabled + iamPolicyAWSVPCsWithoutFlowLogsEnabledRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyAWSVPCsWithoutFlowLogsEnabledRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - 
AWSVPCsWithoutFlowLogsEnabledReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - AWSVPCsWithoutFlowLogsEnabled + - read + Resource: "*" + ## Common Bill Ingestion from AWS S3 Object Storage + iamPolicyCommonBillIngestionfromAWSS3ObjectStorageRead: + Type: "AWS::IAM::Policy" + Condition: CreatePolicyCommonBillIngestionfromAWSS3ObjectStorageRead + Properties: + PolicyName: !Join + - "_" + - - !Ref paramRoleName + - CommonBillIngestionfromAWSS3ObjectStorageReadPermissionPolicy + Roles: + - !Ref iamRole + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: !FindInMap + - PermissionMap + - CommonBillIngestionfromAWSS3ObjectStorage + - read + Resource: "*" + + # End for each policy template + + # End IAM Permission Policy Resources + +Outputs: + iamRoleArn: + Description: The ARN of the IAM Role that was created + Value: !GetAtt + - iamRole + - Arn