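AWSTemplateFormatVersion: "2010-09-09"

# You can invoke CloudFormation and pass the principal ARN from a command line like this:
#
#   aws cloudformation create-stack \
#     --capabilities CAPABILITY_IAM --capabilities CAPABILITY_NAMED_IAM \
#     --template-body "file://prowler-scan-role.yaml" \
#     --stack-name "ProwlerScanRole" \
#     --parameters "ParameterKey=ExternalId,ParameterValue=ProvidedExternalID"
#
# Notes for reviewers of this template:
#   - Every boolean-looking value is quoted ("true"/"false"). CloudFormation parameters are
#     strings, and an unquoted `true` is parsed as a YAML boolean by generic tooling
#     (yamllint/cfn-lint), which makes the !Equals conditions below look type-mismatched.
#   - All ARNs use ${AWS::Partition} so the template also deploys in non-"aws" partitions.

Description: |
  This template creates the ProwlerScan IAM Role in this account with all read-only
  permissions to scan your account for security issues. Contains two AWS managed policies
  (SecurityAudit and ViewOnlyAccess) and an inline policy.
  It sets the trust policy on that IAM Role to permit Prowler to assume that role.
  This template is designed to be used in Prowler Cloud, but can also be used in other
  Prowler deployments.
  If you are deploying this template to be used in Prowler Cloud please do not edit the
  AccountId, IAMPrincipal and ExternalId parameters.

Parameters:
  ExternalId:
    Description: |
      This is the External ID that Prowler will use to assume the role ProwlerScan IAM Role.
    Type: String
    MinLength: 1
    AllowedPattern: ".+"
    ConstraintDescription: "ExternalId must not be empty."

  AccountId:
    Description: |
      AWS Account ID that will assume the role created, if you are deploying this template
      to be used in Prowler Cloud please do not edit this.
    Type: String
    Default: "232136659152"
    MinLength: 12
    MaxLength: 12
    AllowedPattern: "[0-9]{12}"
    ConstraintDescription: "AccountId must be a valid AWS Account ID."

  IAMPrincipal:
    Description: |
      The IAM principal type and name that will be allowed to assume the role created,
      leave an * for all the IAM principals in your AWS account.
      If you are deploying this template to be used in Prowler Cloud please do not edit this.
    Type: String
    # Quoted so the trailing "*" is never mistaken for a YAML alias sigil.
    Default: "role/prowler*"

  EnableOrganizations:
    Description: |
      Enable AWS Organizations discovery permissions. Set to true only when deploying this
      role in the management account.
      This adds read-only Organizations permissions (e.g. ListAccounts, DescribeOrganization)
      and StackSet management permissions.
    Type: String
    Default: "false"
    AllowedValues:
      - "true"
      - "false"

  EnableS3Integration:
    Description: |
      Enable S3 integration for storing Prowler scan reports.
    Type: String
    Default: "false"
    AllowedValues:
      - "true"
      - "false"

  S3IntegrationBucketName:
    Description: |
      The S3 bucket name where Prowler will store scan reports for your cloud providers.
    Type: String
    Default: ""

  S3IntegrationBucketAccountId:
    Description: |
      The AWS Account ID owner of the S3 Bucket.
    Type: String
    Default: ""

# Fail stack creation early instead of emitting an S3 policy against an empty bucket ARN
# (arn:<partition>:s3:::/*) or an empty s3:ResourceAccount condition value.
Rules:
  S3IntegrationParametersRequired:
    RuleCondition: !Equals [!Ref EnableS3Integration, "true"]
    Assertions:
      - Assert: !Not [!Equals [!Ref S3IntegrationBucketName, ""]]
        AssertDescription: "S3IntegrationBucketName must be set when EnableS3Integration is true."
      - Assert: !Not [!Equals [!Ref S3IntegrationBucketAccountId, ""]]
        AssertDescription: "S3IntegrationBucketAccountId must be set when EnableS3Integration is true."

Conditions:
  OrganizationsEnabled: !Equals [!Ref EnableOrganizations, "true"]
  S3IntegrationEnabled: !Equals [!Ref EnableS3Integration, "true"]

Resources:
  ProwlerScan:
    Type: AWS::IAM::Role
    Properties:
      RoleName: ProwlerScan
      # Trust policy. The account root principal is combined with two conditions:
      #   - sts:ExternalId: confused-deputy guard; the caller must present the agreed value.
      #   - aws:PrincipalArn: narrows "root" (any principal in AccountId) to the IAMPrincipal
      #     pattern, so only e.g. role/prowler* in that account can assume this role.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub "arn:${AWS::Partition}:iam::${AccountId}:root"
            Action: "sts:AssumeRole"
            Condition:
              StringEquals:
                "sts:ExternalId": !Ref ExternalId
              StringLike:
                "aws:PrincipalArn": !Sub "arn:${AWS::Partition}:iam::${AccountId}:${IAMPrincipal}"
      MaxSessionDuration: 3600
      # Managed policy ARNs are partition-aware, consistent with the trust policy above.
      ManagedPolicyArns:
        - !Sub "arn:${AWS::Partition}:iam::aws:policy/SecurityAudit"
        - !Sub "arn:${AWS::Partition}:iam::aws:policy/job-function/ViewOnlyAccess"
      Policies:
        - PolicyName: ProwlerScan
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Sid: AllowMoreReadOnly
                Effect: Allow
                Action:
                  - "account:Get*"
                  - "appstream:Describe*"
                  - "appstream:List*"
                  - "backup:List*"
                  - "bedrock:List*"
                  - "bedrock:Get*"
                  - "cloudtrail:GetInsightSelectors"
                  - "codeartifact:List*"
                  - "codebuild:BatchGet*"
                  - "codebuild:ListReportGroups"
                  - "cognito-idp:GetUserPoolMfaConfig"
                  - "dlm:Get*"
                  - "drs:Describe*"
                  - "ds:Get*"
                  - "ds:Describe*"
                  - "ds:List*"
                  - "dynamodb:GetResourcePolicy"
                  - "ec2:GetEbsEncryptionByDefault"
                  - "ec2:GetSnapshotBlockPublicAccessState"
                  - "ec2:GetInstanceMetadataDefaults"
                  - "ecr:Describe*"
                  - "ecr:GetRegistryScanningConfiguration"
                  - "elasticfilesystem:DescribeBackupPolicy"
                  - "glue:GetConnections"
                  - "glue:GetSecurityConfiguration*"
                  - "glue:SearchTables"
                  # lambda:GetFunction returns a download link for the deployment package,
                  # i.e. this grants read access to function source, not only metadata.
                  - "lambda:GetFunction*"
                  # Reads log event contents (not just log group metadata) across all groups.
                  - "logs:FilterLogEvents"
                  - "lightsail:GetRelationalDatabases"
                  - "macie2:GetMacieSession"
                  - "macie2:GetAutomatedDiscoveryConfiguration"
                  - "s3:GetAccountPublicAccessBlock"
                  - "shield:DescribeProtection"
                  - "shield:GetSubscriptionState"
                  # Write action: allows creating/updating findings in Security Hub.
                  # Kept here for the Security Hub integration; it is not read-only.
                  - "securityhub:BatchImportFindings"
                  - "securityhub:GetFindings"
                  - "servicecatalog:Describe*"
                  - "servicecatalog:List*"
                  - "ssm:GetDocument"
                  - "ssm-incidents:List*"
                  - "states:ListTagsForResource"
                  - "support:Describe*"
                  - "tag:GetTagKeys"
                  - "wellarchitected:List*"
                Resource: "*"
              - Sid: AllowAPIGatewayReadOnly
                Effect: Allow
                Action:
                  - "apigateway:GET"
                Resource:
                  - "arn:*:apigateway:*::/restapis/*"
                  - "arn:*:apigateway:*::/apis/*"
        # Only attached when EnableOrganizations is "true" (management account deployments).
        - !If
          - OrganizationsEnabled
          - PolicyName: ProwlerOrganizations
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                - Sid: AllowOrganizationsReadOnly
                  Effect: Allow
                  Action:
                    - "organizations:DescribeAccount"
                    - "organizations:DescribeOrganization"
                    - "organizations:ListAccounts"
                    - "organizations:ListAccountsForParent"
                    - "organizations:ListOrganizationalUnitsForParent"
                    - "organizations:ListRoots"
                    - "organizations:ListTagsForResource"
                  Resource: "*"
                # Write actions, not read-only: delegated-administrator registration and
                # service-linked-role creation on Resource "*". Review before enabling in a
                # management account; these go beyond the scan-only scope of this role.
                - Sid: AllowStackSetManagement
                  Effect: Allow
                  Action:
                    - "organizations:RegisterDelegatedAdministrator"
                    - "iam:CreateServiceLinkedRole"
                  Resource: "*"
          - !Ref AWS::NoValue
        # Only attached when EnableS3Integration is "true". Every statement is pinned to the
        # bucket owner via s3:ResourceAccount so a same-named bucket in another account cannot
        # receive reports.
        - !If
          - S3IntegrationEnabled
          - PolicyName: S3Integration
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                - Effect: Allow
                  Action:
                    - "s3:PutObject"
                  Resource:
                    - !Sub "arn:${AWS::Partition}:s3:::${S3IntegrationBucketName}/*"
                  Condition:
                    StringEquals:
                      "s3:ResourceAccount": !Ref S3IntegrationBucketAccountId
                - Effect: Allow
                  Action:
                    - "s3:ListBucket"
                  Resource:
                    - !Sub "arn:${AWS::Partition}:s3:::${S3IntegrationBucketName}"
                  Condition:
                    StringEquals:
                      "s3:ResourceAccount": !Ref S3IntegrationBucketAccountId
                # DeleteObject is limited to the connection-test object; report objects
                # cannot be deleted with this role.
                - Effect: Allow
                  Action:
                    - "s3:DeleteObject"
                  Resource:
                    - !Sub "arn:${AWS::Partition}:s3:::${S3IntegrationBucketName}/*test-prowler-connection.txt"
                  Condition:
                    StringEquals:
                      "s3:ResourceAccount": !Ref S3IntegrationBucketAccountId
          - !Ref AWS::NoValue
      Tags:
        - Key: "Service"
          Value: "https://prowler.com"
        - Key: "Support"
          Value: "support@prowler.com"
        - Key: "CloudFormation"
          Value: "true"
        - Key: "Name"
          Value: "ProwlerScan"

Metadata:
  AWS::CloudFormation::StackName: "Prowler"
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Required
        Parameters:
          - ExternalId
          - AccountId
          - IAMPrincipal
          - EnableOrganizations
          - EnableS3Integration
      - Label:
          default: Optional
        Parameters:
          - S3IntegrationBucketName
          - S3IntegrationBucketAccountId

Outputs:
  ProwlerScanRoleArn:
    Description: "ARN of the ProwlerScan IAM Role"
    Value: !GetAtt ProwlerScan.Arn
    Export:
      Name: !Sub "${AWS::StackName}-ProwlerScanRoleArn"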