{ "AWSTemplateFormatVersion": "2010-09-09", "Description": "Axonius-DeployRoles", "Parameters": { "AWSLaunchAccountID": { "Type": "String", "Description": "Provide the account ID for the AWS account where your Axonius User or role will be deployed. This is the account whose Axonius access principal the ReadOnly and Organizations roles trust (via their aws:PrincipalArn condition), so it must match the account that actually hosts the user/role. The user, instance-profile role or Axonius-hosted role is only created when the stack runs in this account; in any other account only the ReadOnly role (and, in the Organizations management account, the Organizations role) is created. Note: the template only checks that the value is numeric, not that it is a valid 12-digit account ID.", "AllowedPattern": "[0-9]+" }, "AWSConnectionMethod": { "Type": "String", "Description": "Choose what deployment type you are using - User or Role. 'user' creates an IAM user (this template does not create access keys for it; provision and rotate them separately). 'role' creates either an EC2 instance-profile role (Self Hosted) or a cross-account role trusted by an external AWS account and guarded by the ExternalID (Axonius Hosted). The value also forms part of the aws:PrincipalArn ('user' or 'role') that the ReadOnly and Organizations roles trust.", "AllowedValues": ["user","role"] }, "SelfHosted": { "Type": "String", "Description": "Select 'Self Hosted' if you host your own Axonius instance (either on-premises or within one of your cloud accounts), or 'Axonius Hosted' if Axonius hosts your instance for you. With AWSConnectionMethod 'role', 'Self Hosted' creates an EC2 instance-profile role while 'Axonius Hosted' creates a role whose trust policy names a fixed external AWS account and requires the ExternalID. This parameter has no effect when AWSConnectionMethod is 'user'.", "AllowedValues": ["Self Hosted", "Axonius Hosted"] }, "AWSOrganizationsAccountID": { "Type": "String", "Description": "Provide the account ID for the AWS Organizations Management Account. The Axonius Organizations role (organizations:ListAccounts only) is created only when the stack is launched in this account, and the Axonius access principal is granted sts:AssumeRole on a role of that name in this account. As with AWSLaunchAccountID, only numeric content is validated.", "AllowedPattern": "[0-9]+" }, "ReadOnlyRole": { "Type": "String", "Description": "The name of the Axonius ReadOnly Role to be created. This role is created in every account the stack is deployed to and is trusted only by the Axonius access principal in AWSLaunchAccountID. Because the access principal is allowed to assume a role of this name in any account (iam::*:role/<name>), use the same name in every account so the assume-role permission and the trust policies line up.", "AllowedPattern": "[a-zA-Z0-9\\=\\,\\.\\@\\:\\/\\-_]+", "Default": "Axonius-ReadOnly" }, "AccessName": { "Type": "String", "Description": "The name of the Axonius User, Instance Profile Role or Axonius-hosted role to be created in AWSLaunchAccountID (it is also used as the instance profile name). The ReadOnly and Organizations role trust policies pin this exact name via aws:PrincipalArn, so the same value must be used when deploying the stack in every account.", "AllowedPattern": "[a-zA-Z0-9\\=\\,\\.\\@\\:\\/\\-_]+", "Default": "Axonius-Access" }, "OrganizationsRole": { "Type": "String", "Description": "The name of the Axonius Organizations Role to be created in the Organizations management account. It grants only organizations:ListAccounts and is trusted solely by the Axonius access principal in AWSLaunchAccountID.", "AllowedPattern": "[a-zA-Z0-9\\=\\,\\.\\@\\:\\/\\-_]+", "Default": "Axonius-Organizations" }, "ExternalID": { "Type": "String", "Description": "The value of external ID to be used. This value is only utilized if you select 'Axonius Hosted' under the SelfHosted parameter: it is enforced by the sts:ExternalID condition on the hosted role's trust policy and is what prevents a confused-deputy use of that cross-account role. Choose a unique, hard-to-guess value and configure exactly the same value on the Axonius side. The template does not enforce a minimum length or pattern on it, so an empty or trivial value weakens this protection." 
} }, "Conditions": { "IsOrganizationsAccount": { "Fn::Equals": [ { "Ref": "AWSOrganizationsAccountID" }, { "Ref": "AWS::AccountId" } ] }, "IsIAMUser": { "Fn::And": [ {"Fn::Equals": [ { "Ref": "AWSConnectionMethod" }, "user" ]}, {"Fn::Equals": [{ "Ref": "AWSLaunchAccountID" }, { "Ref": "AWS::AccountId" }]} ] }, "IsInstanceProfile": { "Fn::And": [ {"Fn::Equals": [{"Ref": "AWSConnectionMethod"}, "role"]}, {"Fn::Equals": [{"Ref": "AWSLaunchAccountID"}, { "Ref": "AWS::AccountId" }]}, {"Fn::Equals": [{"Ref": "SelfHosted"}, "Self Hosted"]} ] }, "IsHosted": { "Fn::And": [ {"Fn::Equals": [{"Ref": "AWSConnectionMethod"}, "role"]}, {"Fn::Equals": [{"Ref": "AWSLaunchAccountID"}, { "Ref": "AWS::AccountId" }]}, {"Fn::Equals": [{"Ref": "SelfHosted"}, "Axonius Hosted"]} ] } }, "Resources": { "AxoniusInstanceProfile": { "Condition": "IsInstanceProfile", "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }, "Policies": [ { "PolicyName": "Axonius-InstanceProfile-Policy", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": [ { "Fn::Sub": "arn:${AWS::Partition}:iam::*:role/${ReadOnlyRole}" }, { "Fn::Sub": "arn:${AWS::Partition}:iam::${AWSOrganizationsAccountID}:role/${OrganizationsRole}" } ] } ] } } ], "RoleName": { "Ref": "AccessName" } } }, "AxoniusHostedRole": { "Condition": "IsHosted", "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "604119231150" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "sts:ExternalID": { "Ref": "ExternalID" } } } } ] }, "Policies": [ { "PolicyName": "Axonius-Hosted-Policy", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": [ { "Fn::Sub": 
"arn:${AWS::Partition}:iam::*:role/${ReadOnlyRole}" }, { "Fn::Sub": "arn:${AWS::Partition}:iam::${AWSOrganizationsAccountID}:role/${OrganizationsRole}" } ] } ] } } ], "RoleName": { "Ref": "AccessName" } } }, "AxoniusUser": { "Condition": "IsIAMUser", "Type": "AWS::IAM::User", "Properties": { "Policies": [ { "PolicyName": "Axonius-User-Policy", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": [ { "Fn::Sub" : "arn:${AWS::Partition}:iam::*:role/${ReadOnlyRole}" }, { "Fn::Sub" : "arn:${AWS::Partition}:iam::${AWSOrganizationsAccountID}:role/${OrganizationsRole}" } ] } ] } } ], "UserName": { "Ref": "AccessName" } } }, "AxoniusOrganizationsRole": { "Condition": "IsOrganizationsAccount", "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS" : { "Ref" : "AWSLaunchAccountID" } }, "Action" : "sts:AssumeRole", "Condition" : { "StringEquals": {"aws:PrincipalArn": { "Fn::Sub" : "arn:${AWS::Partition}:iam::${AWSLaunchAccountID}:${AWSConnectionMethod}/${AccessName}" }} } } ] }, "Policies": [ { "PolicyName": "Axonius-Organizations-Policy", "PolicyDocument" : { "Version": "2012-10-17", "Statement": [ { "Action": "organizations:ListAccounts", "Effect": "Allow", "Resource": "*" } ] } } ], "RoleName": { "Ref": "OrganizationsRole" } } }, "AxoniusReadRole": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": { "Ref" : "AWSLaunchAccountID" } }, "Action" : "sts:AssumeRole", "Condition" : { "StringEquals": {"aws:PrincipalArn": { "Fn::Sub" : "arn:${AWS::Partition}:iam::${AWSLaunchAccountID}:${AWSConnectionMethod}/${AccessName}" }} } } ] }, "Policies": [ { "PolicyName": "Axonius-ReadOnly-Policy", "PolicyDocument" : { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "acm:DescribeCertificate", 
"acm:ListCertificates", "apigateway:GET", "appstream:DescribeFleets", "appstream:DescribeStacks", "appstream:DescribeUserStackAssociations", "appstream:DescribeUsers", "appstream:ListAssociatedFleets", "athena:ListDataCatalogs", "athena:ListDatabases", "athena:ListQueryExecutions", "athena:ListTableMetadata", "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribePolicies", "backup:ListBackupPlans", "backup:ListBackupVaults", "cloudformation:DescribeStacks", "cloudformation:ListStackSets", "cloudfront:GetDistribution", "cloudfront:ListDistributions", "cloudtrail:DescribeTrails", "cloudwatch:DescribeAlarms", "cloudwatch:GetMetricStatistics", "directconnect:DescribeConnections", "directconnect:DescribeLags", "directconnect:DescribeVirtualGateways", "directconnect:DescribeVirtualInterfaces", "dynamodb:DescribeGlobalTable", "dynamodb:DescribeGlobalTableSettings", "dynamodb:DescribeTable", "dynamodb:ListGlobalTables", "dynamodb:ListTables", "dynamodb:ListTagsOfResource", "ec2:DescribeAddresses", "ec2:DescribeCustomerGateways", "ec2:DescribeFlowLogs", "ec2:DescribeImages", "ec2:DescribeInstances", "ec2:DescribeInstanceStatus", "ec2:DescribeInternetGateways", "ec2:DescribeNatGateways", "ec2:DescribeNetworkInterfaces", "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroups", "ec2:DescribeSnapshotAttribute", "ec2:DescribeSnapshots", "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVolumes", "ec2:DescribeVpcEndpoints", "ec2:DescribeVpcPeeringConnections", "ec2:DescribeVpcs", "ec2:DescribeTransitGatewayAttachments", "ec2:DescribeTransitGatewayPeeringAttachments", "ec2:DescribeTransitGatewayRouteTables", "ec2:DescribeTransitGateways", "ec2:DescribeVpnConnections", "ecr-public:DescribeImages", "ecr-public:DescribeRegistries", "ecr-public:DescribeRepositories", "ecr:DescribeImages", "ecr:DescribeRegistry", "ecr:DescribeRepositories", "ecs:DescribeClusters", "ecs:DescribeContainerInstances", "ecs:DescribeServices", 
"ecs:DescribeTasks", "ecs:ListClusters", "ecs:ListContainerInstances", "ecs:ListServices", "ecs:ListTagsForResource", "ecs:ListTasks", "eks:DescribeCluster", "eks:ListClusters", "elasticbeanstalk:DescribeEnvironments", "elasticache:DescribeCacheClusters", "elasticache:DescribeReplicationGroups", "elasticache:ListTagsForResource", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancerPolicies", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeRules", "elasticloadbalancing:DescribeSSLPolicies", "elasticloadbalancing:DescribeTags", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetHealth", "es:DescribeElasticsearchDomain", "es:ListDomainNames", "fsx:DescribeFileSystems", "globalaccelerator:ListAccelerators", "globalaccelerator:ListCustomRoutingAccelerators", "glue:GetDatabases", "glue:GetTables", "guardduty:GetDetector", "guardduty:GetFilter", "guardduty:GetFindings", "guardduty:GetMembers", "guardduty:ListDetectors", "guardduty:ListFilters", "guardduty:ListFindings", "guardduty:ListMembers", "iam:GenerateCredentialReport", "iam:GenerateServiceLastAccessedDetails", "iam:GetAccessKeyLastUsed", "iam:GetAccountPasswordPolicy", "iam:GetAccountSummary", "iam:GetCredentialReport", "iam:GetGroup", "iam:GetLoginProfile", "iam:GetPolicy", "iam:GetPolicyVersion", "iam:GetRole", "iam:GetRolePolicy", "iam:GetServiceLastAccessedDetails", "iam:GetUser", "iam:GetUserPolicy", "iam:ListAccessKeys", "iam:ListAccountAliases", "iam:ListAttachedGroupPolicies", "iam:ListAttachedRolePolicies", "iam:ListAttachedUserPolicies", "iam:ListEntitiesForPolicy", "iam:ListGroups", "iam:ListGroupsForUser", "iam:ListInstanceProfilesForRole", "iam:ListMFADevices", "iam:ListPolicies", "iam:ListRolePolicies", "iam:ListRoles", "iam:ListUserPolicies", "iam:ListUserTags", "iam:ListUsers", "iam:ListVirtualMFADevices", "identitystore:ListGroups", "identitystore:ListUsers", "inspector:DescribeFindings", 
"inspector:ListFindings", "inspector2:ListFindings", "inspector2:ListMembers", "kinesis:ListStreams", "kinesisanalytics:ListApplications", "kinesisanalytics:DescribeApplication", "lambda:GetFunctionUrlConfig", "lambda:GetPolicy", "lambda:ListFunctions", "lambda:ListTags", "lightsail:GetInstances", "macie2:GetFindings", "macie2:ListFindings", "macie2:ListMembers", "organizations:DescribeAccount", "organizations:DescribeEffectivePolicy", "organizations:DescribeOrganization", "organizations:DescribePolicy", "organizations:ListAccounts", "organizations:ListPoliciesForTarget", "organizations:ListTagsForResource", "outposts:ListAssets", "outposts:ListSites", "outposts:ListOutposts", "redshift:DescribeClusters", "rds:DescribeDBClusters", "rds:DescribeDBInstances", "rds:DescribeOptionGroups", "rds:DescribePendingMaintenanceActions", "route53:ListHostedZones", "route53:ListResourceRecordSets", "route53domains:GetDomainDetail", "route53domains:ListDomains", "route53resolver:ListResolverRules", "route53resolver:ListResolverRuleAssociations", "s3:GetAccountPublicAccessBlock", "s3:GetBucketAcl", "s3:GetBucketLocation", "s3:GetBucketLogging", "s3:GetBucketPolicy", "s3:GetBucketPolicyStatus", "s3:GetBucketPublicAccessBlock", "s3:GetBucketTagging", "s3:GetEncryptionConfiguration", "s3:ListAllMyBuckets", "s3:ListBucket", "sagemaker:DescribeNotebookInstance", "sagemaker:ListNotebookInstances", "sagemaker:ListTags", "secretsmanager:GetResourcePolicy", "secretsmanager:ListSecrets", "securityhub:DescribeHub", "securityhub:GetFindings", "securityhub:ListMembers", "securityhub:ListTagsForResource", "servicecatalog:ListPortfolios", "servicecatalog:DescribePortfolio", "sns:ListSubscriptionsByTopic", "sqs:GetQueueAttributes", "sqs:ListQueues", "ssm:DescribeAvailablePatches", "ssm:DescribeInstanceInformation", "ssm:DescribeInstancePatches", "ssm:DescribeParameters", "ssm:DescribePatchGroups", "ssm:GetInventorySchema", "ssm:GetParameters", "ssm:ListInventoryEntries", 
"ssm:ListResourceComplianceSummaries", "ssm:ListTagsForResource", "sso:ListInstances", "states:ListStateMachines", "states:DescribeStateMachine", "waf-regional:GetWebACL", "waf-regional:GetWebACLForResource", "waf-regional:ListWebACLs", "waf:GetWebACL", "waf:ListWebACLs", "wafv2:GetWebACL", "wafv2:GetWebACLForResource", "wafv2:ListWebACLs", "workspaces:DescribeTags", "workspaces:DescribeWorkspaceDirectories", "workspaces:DescribeWorkspaces", "workspaces:DescribeWorkspacesConnectionStatus" ], "Resource": "*" } ] } } ], "RoleName": { "Ref": "ReadOnlyRole" } } }, "InstanceProfile" : { "Condition": "IsInstanceProfile", "DependsOn": "AxoniusInstanceProfile", "Type": "AWS::IAM::InstanceProfile", "Properties" : { "InstanceProfileName" : { "Ref": "AccessName" }, "Roles" : [ { "Ref": "AccessName" } ] } } } }