{ "Description": "Rapticore Cross Account IAM Role Deployment (grants read-only audit access plus remediation, guard-rail and IAM right-sizing write permissions)", "Parameters": { "RapticoreAccountId": { "Type": "String", "AllowedPattern": "[0-9]{12}", "ConstraintDescription": "Please enter a valid 12-digit AWS Account ID (provided by Rapticore)", "Description": "The Rapticore Source AWS Account ID (the account whose root principal is trusted to assume the created role)" }, "RapticoreTenantId": { "Type": "String", "AllowedPattern": "[a-zA-Z][a-zA-Z0-9-]+[a-zA-Z0-9]", "ConstraintDescription": "Please enter a valid Tenant ID (provided by Rapticore): at least three characters, starting with a letter, containing only letters, digits and dashes, and not ending with a dash", "Description": "Your Rapticore Tenant ID (also used to derive the sts:ExternalId required on AssumeRole)" } }, "Resources": { "RapticoreExtendedViewOnlyPolicy1": { "Type": "AWS::IAM::ManagedPolicy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "apigateway:GET", "Effect": "Allow", "NotResource": [ "arn:aws:apigateway:*::/apikey*", "arn:aws:apigateway:*::/apikeys*" ], "Sid": "AllowApiGatewayReadOnlyExceptAPIKeys" }, { "Action": [ "cognito-identity:DescribeIdentityPool", "cognito-identity:LookupDeveloperIdentity", "cognito-identity:ListIdentities", "cognito-identity:ListTagsForResource", "cognito-identity:GetIdentityPoolRoles", "cognito-identity:ListIdentityPools", "cognito-identity:DescribeIdentity" ], "Effect": "Allow", "Resource": "*", "Sid": "AllowCognitoIdentityPoolsReadOnly" }, { "Action": [ "kinesisanalytics:ListTagsForResource", "kinesisanalytics:GetApplicationState", "kinesisanalytics:DescribeApplication", "kinesisanalytics:DiscoverInputSchema", "kinesisanalytics:ListApplications" ], "Effect": "Allow", "Resource": "*", "Sid": "AllowKinesisAnalyticsReadOnly" }, { "Action": [ "cognito-idp:AdminGetDevice", "cognito-idp:AdminGetUser", "cognito-idp:AdminListDevices", "cognito-idp:AdminListGroupsForUser", "cognito-idp:DescribeIdentityProvider", "cognito-idp:DescribeResourceServer", "cognito-idp:DescribeRiskConfiguration", "cognito-idp:DescribeUserPool", "cognito-idp:DescribeUserPoolClient", "cognito-idp:DescribeUserPoolDomain", 
"cognito-idp:GetIdentityProviderByIdentifier", "cognito-idp:GetSigningCertificate", "cognito-idp:GetUICustomization", "cognito-idp:GetUserPoolMfaConfig", "cognito-idp:ListDevices", "cognito-idp:ListGroups", "cognito-idp:ListIdentityProviders", "cognito-idp:ListResourceServers", "cognito-idp:ListTagsForResource", "cognito-idp:ListUserPoolClients", "cognito-idp:ListUserPools", "cognito-idp:ListUsers", "cognito-idp:ListUsersInGroup" ], "Effect": "Allow", "Resource": "*", "Sid": "AllowCognitoUserPoolsReadOnly" }, { "Action": [ "ecr:DescribeImageScanFindings", "ecr:DescribeRepositories", "ecs:DescribeClusters", "ecs:DescribeContainerInstances", "ecs:DescribeServices", "ecs:DescribeTaskDefinition", "ecs:DescribeTaskSets", "ecs:DescribeTasks", "ecs:ListAccountSettings", "ecs:ListAttributes", "ecs:ListClusters", "ecs:ListContainerInstances", "ecs:ListServices", "ecs:ListTagsForResource", "ecs:ListTaskDefinitionFamilies", "ecs:ListTaskDefinitions", "ecs:ListTasks" ], "Effect": "Allow", "Resource": "*", "Sid": "AllowElasticContainerServiceReadOnly" }, { "Action": "cloudhsm:DescribeClusters", "Effect": "Allow", "Resource": "*", "Sid": "AllowCloudHSMReadOnly" }, { "Action": [ "glue:GetJobs", "glue:ListWorkflows", "glue:GetWorkflow", "glue:GetClassifiers", "glue:GetCrawlers", "glue:GetDatabases", "glue:GetSecurityConfigurations", "glue:GetTables" ], "Effect": "Allow", "Resource": "*", "Sid": "AllowGlueReadOnly" }, { "Action": "wafv2:GetWebACL", "Effect": "Allow", "Resource": "*", "Sid": "AllowWAFv2ReadOnly" }, { "Action": [ "codebuild:BatchGetBuilds", "codebuild:BatchGetProjects", "codepipeline:GetPipeline", "codepipeline:ListTagsForResource" ], "Effect": "Allow", "Resource": "*", "Sid": "AllowCodeSuiteReadOnly" }, { "Action": [ "mq:DescribeBroker", "mq:ListBrokers" ], "Effect": "Allow", "Resource": "*", "Sid": "AllowMQReadOnly" }, { "Action": [ "eks:DescribeCluster", "eks:ListClusters", "eks:ListNodegroups" ], "Effect": "Allow", "Resource": "*", "Sid": "AllowEKSReadOnly" }, { 
"Effect": "Allow", "Action": [ "ec2:GetEbsEncryptionByDefault" ], "Resource": "*", "Sid": "AllowEBSReadOnly" }, { "Action": [ "ce:GetCostAndUsage", "ce:GetCostForecast" ], "Effect": "Allow", "Resource": "*", "Sid": "AllowCostExplorerReadOnly" }, { "Effect": "Allow", "Action": [ "kms:ListResourceTags", "kms:GetKeyRotationStatus" ], "Resource": "*", "Sid": "AllowKMSReadOnly" }, { "Effect": "Allow", "Action": [ "inspector2:Describe*", "inspector2:Get*", "inspector2:List*" ], "Resource": "*", "Sid": "AllowInspector2ReadOnly" }, { "Action": [ "states:ListStateMachines", "states:DescribeStateMachine", "states:ListTagsForResource" ], "Resource": "*", "Effect": "Allow", "Sid": "AllowStepFunctionsReadOnly" }, { "Action": [ "kafka:ListClusters", "kafka:ListClustersV2", "kafka:ListNodes", "kafka:DescribeClusterOperation", "kafka:ListConfigurations", "kafka:DescribeConfigurationRevision" ], "Resource": "*", "Effect": "Allow", "Sid": "AllowKafkaReadOnly" } ], "Version": "2012-10-17" } } }, "RapticoreExtendedViewOnlyPolicy2": { "Type": "AWS::IAM::ManagedPolicy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "sso:DescribeAccountAssignmentCreationStatus", "sso:DescribeAccountAssignmentDeletionStatus", "sso:DescribePermissionSet", "sso:DescribePermissionSetProvisioningStatus", "sso:DescribePermissionsPolicies", "sso:DescribeRegisteredRegions", "sso:GetApplicationInstance", "sso:GetApplicationTemplate", "sso:GetInlinePolicyForPermissionSet", "sso:GetManagedApplicationInstance", "sso:GetMfaDeviceManagementForDirectory", "sso:GetPermissionSet", "sso:GetPermissionsPolicy", "sso:GetProfile", "sso:GetSharedSsoConfiguration", "sso:GetSsoConfiguration", "sso:GetSSOStatus", "sso:GetTrust", "sso:ListAccountAssignmentCreationStatus", "sso:ListAccountAssignmentDeletionStatus", "sso:ListAccountAssignments", "sso:ListAccountsForProvisionedPermissionSet", "sso:ListApplicationInstanceCertificates", "sso:ListApplicationInstances", "sso:ListApplications", 
"sso:ListApplicationTemplates", "sso:ListDirectoryAssociations", "sso:ListInstances", "sso:ListManagedPoliciesInPermissionSet", "sso:ListPermissionSetProvisioningStatus", "sso:ListPermissionSets", "sso:ListPermissionSetsProvisionedToAccount", "sso:ListProfileAssociations", "sso:ListProfiles", "sso:ListTagsForResource", "iam:ListPolicies" ], "Resource": "*", "Effect": "Allow", "Sid": "AllowSsoReadOnly" }, { "Action": [ "sso-directory:DescribeDirectory", "sso-directory:DescribeGroups", "sso-directory:DescribeUsers", "sso-directory:ListGroupsForUser", "sso-directory:ListMembersInGroup", "sso-directory:SearchGroups", "sso-directory:SearchUsers" ], "Resource": "*", "Effect": "Allow", "Sid": "AllowSsoDirectoryReadOnly" }, { "Action": [ "ds:DescribeDirectories", "ds:DescribeTrusts" ], "Resource": "*", "Effect": "Allow", "Sid": "AllowDsDirectoryReadOnly" }, { "Action": [ "compute-optimizer:GetEC2InstanceRecommendations", "compute-optimizer:GetEC2InstanceRecommendations" ], "Resource": "*", "Effect": "Allow", "Sid": "AllowComputeOptimizerReadOnly" }, { "Action": [ "identitystore:ListGroups", "identitystore:ListUsers", "identitystore:ListGroupMemberships", "identitystore:ListGroupMembershipsForMember", "identitystore:IsMemberInGroups", "identitystore:DescribeUser", "identitystore:DescribeGroup", "identitystore:DescribeGroupMembership" ], "Resource": "*", "Effect": "Allow", "Sid": "AllowIdentityStoreReadOnly" }, { "Action": [ "codeartifact:ListDomains", "codeartifact:DescribeDomain", "codeartifact:GetDomainPermissionsPolicy", "codeartifact:ListRepositories", "codeartifact:DescribeRepository", "codeartifact:GetRepositoryPermissionsPolicy", "codeartifact:GetRepositoryEndpoint", "codeartifact:ListPackages", "codeartifact:ListTagsForResource", "codeartifact:ListPackageVersions", "codeartifact:DescribePackageVersion", "codeartifact:ListPackageVersionDependencies", "codeartifact:ListPackageVersionAssets" ], "Resource": "*", "Effect": "Allow", "Sid": "AllowCodeArtifactReadOnly" }, { 
"Action": [ "geo:ListMaps", "geo:ListPlaceIndexes", "geo:ListRouteCalculators", "geo:ListGeofences", "geo:ListGeofenceCollections", "geo:ListTrackers", "geo:ListTrackerConsumers", "geo:ListTagsForResource", "geo:DescribeMap", "geo:DescribePlaceIndex", "geo:DescribeRouteCalculator", "geo:DescribeGeofenceCollection", "geo:DescribeTracker" ], "Resource": "*", "Effect": "Allow", "Sid": "AllowLocationServiceReadOnly" }, { "Action": [ "transcribe:GetTranscriptionJob", "transcribe:ListTranscriptionJobs", "transcribe:ListMedicalTranscriptionJobs", "transcribe:GetMedicalTranscriptionJob", "transcribe:ListVocabularies", "transcribe:ListMedicalVocabularies", "transcribe:GetVocabulary", "transcribe:ListLanguageModels", "transcribe:ListCallAnalyticsJobs", "transcribe:GetCallAnalyticsJob", "transcribe:ListCallAnalyticsCategories", "transcribe:GetCallAnalyticsCategory" ], "Resource": "*", "Effect": "Allow", "Sid": "AllowTranscribeServiceReadOnly" }, { "Action": [ "globalaccelerator:ListAccelerators", "globalaccelerator:ListCustomRoutingAccelerators", "globalaccelerator:ListEndpointGroups", "globalaccelerator:ListListeners", "globalaccelerator:ListCustomRoutingEndpointGroups", "globalaccelerator:ListCustomRoutingListeners", "globalaccelerator:ListCustomRoutingPortMappings", "globalaccelerator:ListTagsForResource" ], "Resource": "*", "Effect": "Allow", "Sid": "AllowGlobalAcceleratorService" }, { "Action": [ "es:DescribeDomains", "es:ListTags", "es:GetDomainMaintenanceStatus", "es:DescribePackages", "es:DescribeDomainNodes", "es:DescribeDomainHealth", "es:DescribeDomainAutoTunes", "es:DescribeDomain", "es:ListVpcEndpointsForDomain", "es:ListVpcEndpoints", "es:ListScheduledActions", "es:ListInstanceTypeDetails", "es:ListPackagesForDomain", "es:ListDomainNames", "es:ListDomainsForPackage", "es:DescribeVpcEndpoints", "es:DescribeInstanceTypeLimits", "es:ListDomainMaintenances" ], "Resource": "*", "Effect": "Allow", "Sid": "AllowOpenSearchService" }, { "Action": [ 
"xray:ListResourcePolicies", "xray:ListTagsForResource", "xray:GetEncryptionConfig", "xray:GetGroups", "xray:GetSamplingRules", "xray:GetSamplingStatisticSummaries" ], "Resource": "*", "Effect": "Allow", "Sid": "AllowXRayService" } ], "Version": "2012-10-17" } } }, "RapticoreExtendedViewOnlyPolicy3": { "Type": "AWS::IAM::ManagedPolicy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "timestream:ListBatchLoadTasks", "timestream:ListDatabases", "timestream:ListMeasures", "timestream:ListScheduledQueries", "timestream:ListTables", "timestream:ListTagsForResource", "timestream:DescribeBatchLoadTask", "timestream:DescribeDatabase", "timestream:DescribeEndpoints", "timestream:DescribeScheduledQuery", "timestream:DescribeTable" ], "Resource": "*", "Effect": "Allow", "Sid": "AllowTimestreamReadOnly" }, { "Action": [ "bedrock:ListModelCustomizationJobs", "bedrock:ListModelEvaluationJobs", "bedrock:ListCustomModels", "bedrock:ListGuardrails" ], "Resource": "*", "Effect": "Allow", "Sid": "AllowBedrockService" }, { "Action": [ "macie2:ListClassificationJobs", "macie2:ListClassificationScopes", "macie2:ListCustomDataIdentifiers", "macie2:ListFindings", "macie2:ListFindingsFilters", "macie2:ListInvitations", "macie2:ListAllowLists", "macie2:ListAutomatedDiscoveryAccounts", "macie2:ListManagedDataIdentifiers", "macie2:ListMembers", "macie2:ListOrganizationAdminAccounts", "macie2:ListResourceProfileArtifacts", "macie2:ListResourceProfileDetections", "macie2:ListSensitivityInspectionTemplates", "macie2:DescribeBuckets", "macie2:DescribeClassificationJob", "macie2:DescribeOrganizationConfiguration", "macie2:GetClassificationScope", "macie2:GetCustomDataIdentifier", "macie2:GetFindings", "macie2:GetFindingsFilter", "macie2:GetFindingsPublicationConfiguration", "macie2:GetFindingStatistics", "macie2:GetMacieSession", "macie2:GetResourceProfile", "macie2:ListTagsForResource", "macie2:GetBucketStatistics", "macie2:GetClassificationExportConfiguration", 
"macie2:GetAutomatedDiscoveryConfiguration", "macie2:GetAllowList", "macie2:GetAdministratorAccount", "macie2:GetMember", "macie2:GetUsageStatistics", "macie2:GetUsageTotals", "macie2:GetMasterAccount" ], "Resource": "*", "Effect": "Allow", "Sid": "AllowMacieReadOnly" }, { "Action": [ "lightsail:GetInstances", "lightsail:GetStaticIps", "lightsail:GetInstanceSnapshots" ], "Resource": "*", "Effect": "Allow", "Sid": "AllowLightsailReadOnly" }, { "Effect": "Allow", "Action": [ "workmail:DescribeEntity", "workmail:DescribeGroup", "workmail:DescribeInboundDmarcSettings", "workmail:DescribeInboundMailFlowRule", "workmail:DescribeMailDomains", "workmail:DescribeMailboxExportJob", "workmail:DescribeOrganization", "workmail:DescribeOutboundMailFlowRule", "workmail:DescribeResource", "workmail:DescribeSmtpGateway", "workmail:DescribeUser", "workmail:GetDefaultRetentionPolicy", "workmail:GetImpersonationRole", "workmail:GetJournalingRules", "workmail:GetMailDomain", "workmail:GetMailDomainDetails", "workmail:GetMailboxDetails", "workmail:GetMobileDevicesForUser", "workmail:ListAccessControlRules", "workmail:ListAliases", "workmail:ListAvailabilityConfigurations", "workmail:ListGroupMembers", "workmail:ListGroups", "workmail:ListGroupsForEntity", "workmail:ListImpersonationRoles", "workmail:ListInboundMailFlowRules", "workmail:ListMailDomains", "workmail:ListMailboxExportJobs", "workmail:ListMailboxPermissions", "workmail:ListMobileDeviceAccessOverrides", "workmail:ListMobileDeviceAccessRules", "workmail:ListOrganizations", "workmail:ListOutboundMailFlowRules", "workmail:ListResourceDelegates", "workmail:ListResources", "workmail:ListSmtpGateways", "workmail:ListTagsForResource", "workmail:ListUsers" ], "Resource": "*", "Sid": "AllowWorkmailReadOnly" }, { "Action": [ "rekognition:DescribeDataset", "rekognition:DescribeProjects" ], "Resource": "*", "Effect": "Allow", "Sid": "AllowRekognitionReadOnly" }, { "Action": [ "backup:ListBackupJobs", "backup:ListBackupJobSummaries", 
"backup:ListBackupPlans", "backup:ListBackupPlanTemplates", "backup:ListBackupPlanVersions", "backup:ListBackupSelections", "backup:ListBackupVaults", "backup:ListLegalHolds", "backup:ListProtectedResources", "backup:ListProtectedResourcesByBackupVault", "backup:ListRecoveryPointsByBackupVault", "backup:ListRecoveryPointsByLegalHold", "backup:ListRecoveryPointsByResource", "backup:GetBackupPlan", "backup:ListTags", "backup:ListRestoreTestingPlans", "backup:GetBackupSelection", "backup:GetLegalHold" ], "Resource": "*", "Effect": "Allow", "Sid": "AllowBackupReadOnly" }, { "Action": [ "refactor-spaces:ListEnvironments", "refactor-spaces:ListApplications", "refactor-spaces:ListRoutes", "refactor-spaces:ListServices", "refactor-spaces:ListEnvironmentVpcs", "refactor-spaces:ListTagsForResource" ], "Resource": "*", "Effect": "Allow", "Sid": "AllowRefactorSpacesReadOnly" }, { "Action": [ "servicediscovery:ListNamespaces", "servicediscovery:ListServices", "servicediscovery:ListTagsForResource", "servicediscovery:ListInstances", "servicediscovery:ListOperations" ], "Resource": "*", "Effect": "Allow", "Sid": "AllowCloudMapReadOnly" }, { "Action": [ "frauddetector:ListTagsForResource", "frauddetector:GetBatchImportJobs", "frauddetector:GetBatchPredictionJobs", "frauddetector:GetEntityTypes", "frauddetector:GetDetectors", "frauddetector:GetExternalModels", "frauddetector:GetKMSEncryptionKey", "frauddetector:GetLabels", "frauddetector:GetVariables", "frauddetector:GetRules", "frauddetector:GetOutcomes", "frauddetector:GetModels", "frauddetector:GetModelVersion", "frauddetector:GetListsMetadata", "frauddetector:GetEventTypes" ], "Resource": "*", "Effect": "Allow", "Sid": "AllowFraudDetectorReadOnly" } ], "Version": "2012-10-17" } } }, "RapticoreExtendedViewOnlyPolicy4": { "Type": "AWS::IAM::ManagedPolicy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "airflow:ListEnvironments", "airflow:ListTagsForResource", "airflow:GetEnvironment" ], "Resource": "*", 
"Effect": "Allow", "Sid": "AllowMWAAReadOnly" }, { "Action": [ "route53domains:ListDomains", "route53domains:ListOperations", "route53domains:ListTagsForDomain", "route53domains:GetDomainDetail", "route53domains:GetDomainSuggestions" ], "Resource": "*", "Effect": "Allow", "Sid": "AllowRoute53DomainsReadOnly" }, { "Action": [ "dms:DescribeConnections", "dms:ListTagsForResource", "dms:DescribeReplicationInstances", "dms:DescribeReplications", "dms:DescribeReplicationTasks", "dms:DescribeTableStatistics", "dms:DescribeReplicationTaskAssessmentResults", "dms:DescribeReplicationSubnetGroups", "dms:DescribeEvents", "dms:DescribeEventSubscriptions", "dms:DescribeEndpoints", "dms:DescribeCertificates", "dms:DescribeConnections", "dms:DescribeReplicationTaskAssessmentRuns", "dms:DescribeDataProviders", "dms:DescribeMigrationProjects", "dms:DescribeInstanceProfiles", "dms:DescribeMetadataModelAssessments", "dms:DescribeMetadataModelConversions", "dms:DescribeMetadataModelExportsAsScript", "dms:DescribeMetadataModelExportsToTarget", "dms:DescribeMetadataModelImports", "dms:DescribeFleetAdvisorCollectors", "dms:DescribeFleetAdvisorDatabases", "dms:DescribeFleetAdvisorLsaAnalysis", "dms:DescribeFleetAdvisorSchemas" ], "Resource": "*", "Effect": "Allow", "Sid": "AllowDatabaseMigrationServiceReadOnly" }, { "Action": [ "fis:ListTagsForResource", "fis:ListActions", "fis:ListExperimentResolvedTargets", "fis:ListExperiments", "fis:ListExperimentTemplates", "fis:ListActions" ], "Resource": "*", "Effect": "Allow", "Sid": "AllowFaultInjectionSimulatorReadOnly" }, { "Action": [ "devops-guru:ListAnomaliesForInsight", "devops-guru:ListAnomalousLogGroups", "devops-guru:ListEvents", "devops-guru:ListInsights", "devops-guru:ListMonitoredResources", "devops-guru:ListNotificationChannels", "devops-guru:ListOrganizationInsights", "devops-guru:ListRecommendations", "devops-guru:DescribeAccountHealth", "devops-guru:DescribeAccountOverview", "devops-guru:DescribeAnomaly", 
"devops-guru:DescribeEventSourcesConfig", "devops-guru:DescribeInsight", "devops-guru:DescribeOrganizationHealth", "devops-guru:DescribeOrganizationOverview", "devops-guru:DescribeOrganizationResourceCollectionHealth", "devops-guru:DescribeResourceCollectionHealth", "devops-guru:DescribeServiceIntegration", "devops-guru:GetResourceCollection" ], "Resource": "*", "Effect": "Allow", "Sid": "AllowDevOpsGuruReadOnly" }, { "Effect": "Allow", "Action": [ "transfer:DescribeAccess", "transfer:DescribeAgreement", "transfer:DescribeCertificate", "transfer:DescribeConnector", "transfer:DescribeProfile", "transfer:DescribeSecurityPolicy", "transfer:DescribeServer", "transfer:DescribeUser", "transfer:DescribeWorkflow", "transfer:ListAccesses", "transfer:ListAgreements", "transfer:ListCertificates", "transfer:ListConnectors", "transfer:ListProfiles", "transfer:ListSecurityPolicies", "transfer:ListServers", "transfer:ListTagsForResource", "transfer:ListUsers", "transfer:ListWorkflows" ], "Resource": "*", "Sid": "AllowTransferReadOnly" }, { "Effect": "Allow", "Action": [ "ssm:DescribeParameters", "ssm:GetParameter", "ssm:GetParameters" ], "Resource": "*", "Sid": "AllowSSMReadOnly" }, { "Effect": "Allow", "Action": [ "medialive:DescribeChannel", "mediapackage:ListChannels", "mediapackagev2:ListChannelGroups", "mediapackagev2:GetChannelGroup", "mediapackagev2:ListChannels", "mediapackagev2:GetChannel", "mediastore:GetLifecyclePolicy", "mediastore:GetMetricPolicy", "mediaconvert:ListJobs", "mediaconvert:DescribeEndpoints", "mediaconvert:GetPolicy" ], "Resource": "*", "Sid": "AllowMediaReadOnly" } ], "Version": "2012-10-17" } } }, "RapticoreOneClickRemediationPolicy": { "Type": "AWS::IAM::ManagedPolicy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ec2:ResetImageAttribute", "ec2:ModifyImageAttribute", "iam:ListAccessKeys", "iam:UpdateAccessKey", "iam:DeleteAccessKey", "iam:GetAccountPasswordPolicy", "iam:UpdateAccountPasswordPolicy", "secretsmanager:UpdateSecret", 
"lambda:GetPolicy", "lambda:RemovePermission", "s3:GetBucketPublicAccessBlock", "s3:PutBucketPublicAccessBlock", "s3:PutEncryptionConfiguration", "s3:GetEncryptionConfiguration", "kms:EnableKeyRotation", "kms:ListAliases", "kms:DescribeKey", "s3:PutBucketPolicy", "ec2:CreateTags", "ec2:CopySnapshot", "kms:Encrypt", "kms:GenerateDataKey", "ec2:CopyImage", "iam:DeletePolicy", "ec2:RevokeSecurityGroupIngress", "kms:ListKeys", "iam:UpdateLoginProfile", "iam:DeleteLoginProfile", "ec2:DescribeSecurityGroups", "ec2:AuthorizeSecurityGroupIngress", "cloudfront:UpdateDistribution", "ec2:DeleteSecurityGroup", "ec2:ReleaseAddress", "ec2:DisassociateAddress", "ec2:EnableEbsEncryptionByDefault", "ec2:DisableEbsEncryptionByDefault", "elasticmapreduce:PutBlockPublicAccessConfiguration", "ec2:ModifyInstanceMetadataDefaults", "ec2:DescribeInstances", "ec2:CreateVolume", "ec2:CreateSnapshot", "ec2:DetachVolume", "ec2:DeleteVolume", "ec2:DescribeVolumes", "glue:PutDataCatalogEncryptionSettings", "glue:PutDataCatalogEncryptionSettings", "elasticloadbalancing:DeleteLoadBalancer", "ssm:ModifyDocumentPermission", "ec2:ModifyInstanceMetadataOptions", "route53:ChangeResourceRecordSets", "rds:ModifyDBCluster", "rds:ModifyDBInstance", "dynamodb:UpdateTable", "dynamodb:UpdateContinuousBackups", "cloudtrail:CreateTrail", "cloudtrail:DescribeTrails", "cloudtrail:GetTrailStatus", "cloudtrail:StartLogging", "cloudtrail:UpdateTrail", "s3:CreateBucket", "s3:GetBucketPolicy", "acm:DeleteCertificate", "cloudfront:UpdateDistribution", "sqs:SetQueueAttributes", "apigateway:PATCH" ], "Resource": "*", "Effect": "Allow", "Sid": "AllowOneClickRemediation" } ], "Version": "2012-10-17" } } }, "RapticoreReactiveRemediationPolicy": { "Type": "AWS::IAM::ManagedPolicy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ec2:RevokeSecurityGroupIngress" ], "Resource": "*", "Effect": "Allow", "Sid": "AllowSecurityGroupIngressRemediation" }, { "Action": [ "s3:PutBucketPublicAccessBlock" ], "Resource": 
"*", "Effect": "Allow", "Sid": "AllowS3PublicAccessRemediation" }, { "Action": [ "iam:DeleteLoginProfile" ], "Resource": "*", "Effect": "Allow", "Sid": "AllowIamUserLoginRemediation" }, { "Action": [ "sns:SetTopicAttributes" ], "Resource": "*", "Effect": "Allow", "Sid": "AllowSnsTopicPublicAccessRemediation" }, { "Action": [ "rds:ModifyDBSnapshotAttribute" ], "Resource": "*", "Effect": "Allow", "Sid": "AllowRdsSnapshotPublicAccessRemediation" }, { "Action": [ "ec2:ModifySnapshotAttribute" ], "Resource": "*", "Effect": "Allow", "Sid": "AllowEbsSnapshotPublicAccessRemediation" } ], "Version": "2012-10-17" } } }, "RapticoreGuardRailsPolicy": { "Type": "AWS::IAM::ManagedPolicy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ec2:EnableEbsEncryptionByDefault", "ec2:DisableEbsEncryptionByDefault" ], "Resource": "*", "Effect": "Allow", "Sid": "AllowEBSDefaultEncryption" }, { "Action": [ "elasticmapreduce:PutBlockPublicAccessConfiguration" ], "Resource": "*", "Effect": "Allow", "Sid": "AllowEMRPublicAccessBlock" }, { "Action": [ "ec2:ModifyInstanceMetadataDefaults" ], "Resource": "*", "Effect": "Allow", "Sid": "AllowEC2IMDSv2Enforcement" }, { "Action": [ "cloudtrail:CreateTrail", "cloudtrail:DescribeTrails", "cloudtrail:GetTrailStatus", "cloudtrail:StartLogging", "cloudtrail:UpdateTrail", "cloudtrail:CreateBucket", "cloudtrail:GetBucketPolicy", "cloudtrail:PutBucketPolicy" ], "Resource": "*", "Effect": "Allow", "Sid": "AllowCloudTrailLogging" }, { "Action": [ "glue:GetSecurityConfigurations", "glue:PutDataCatalogEncryptionSettings" ], "Resource": "*", "Effect": "Allow", "Sid": "AllowGlueCatalogEncryption" }, { "Action": [ "s3:GetBucketPublicAccessBlock", "s3:PutBucketPublicAccessBlock" ], "Resource": "*", "Effect": "Allow", "Sid": "AllowS3PublicBlock" }, { "Action": [ "iam:GetAccountPasswordPolicy", "iam:UpdateAccountPasswordPolicy" ], "Resource": "*", "Effect": "Allow", "Sid": "AllowCISPasswordPolicy" }, { "Action": [ "iam:ListMFADevices", 
"iam:DeleteLoginProfile" ], "Resource": "*", "Effect": "Allow", "Sid": "AllowIAMUsersMFA" }, { "Action": [ "iam:GetAccountPasswordPolicy", "iam:UpdateAccountPasswordPolicy" ], "Resource": "*", "Effect": "Allow", "Sid": "AllowPasswordPolicy" } ], "Version": "2012-10-17" } } }, "RapticoreIamRightSizingPolicy": { "Type": "AWS::IAM::ManagedPolicy", "Properties": { "PolicyDocument": { "Statement": [ { "Effect": "Allow", "Action": [ "iam:DetachRolePolicy", "iam:DetachUserPolicy", "iam:DetachGroupPolicy", "iam:AttachRolePolicy", "iam:AttachUserPolicy", "iam:AttachGroupPolicy" ], "Resource": [ "arn:aws:iam::*:role/*", "arn:aws:iam::*:user/*", "arn:aws:iam::*:group/*" ], "Condition": { "StringLike": { "iam:PolicyARN": "*Rapticore*DenyPolicy" } }, "Sid": "AllowRightSizingIAMResources1" }, { "Effect": "Allow", "Action": [ "iam:DeletePolicy", "iam:CreatePolicy" ], "Resource": "arn:aws:iam::*:policy/*Rapticore*DenyPolicy", "Sid": "AllowRightSizingIAMResources2" } ], "Version": "2012-10-17" } } }, "RapticoreIAMRole": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "sts:ExternalId": { "Fn::Sub": "rapticore-${RapticoreTenantId}" } } }, "Effect": "Allow", "Principal": { "AWS": { "Fn::Sub": "arn:${AWS::Partition}:iam::${RapticoreAccountId}:root" } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "events.amazonaws.com" } } ], "Version": "2012-10-17" }, "Description": { "Fn::Sub": "Rapticore Cross-Account Access Role for ${RapticoreTenantId}" }, "ManagedPolicyArns": [ { "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/job-function/ViewOnlyAccess" }, { "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/SecurityAudit" }, { "Ref": "RapticoreExtendedViewOnlyPolicy1" }, { "Ref": "RapticoreExtendedViewOnlyPolicy2" }, { "Ref": "RapticoreExtendedViewOnlyPolicy3" }, { "Ref": "RapticoreExtendedViewOnlyPolicy4" }, { "Ref": "RapticoreOneClickRemediationPolicy" }, 
{ "Ref": "RapticoreReactiveRemediationPolicy" }, { "Ref": "RapticoreGuardRailsPolicy" }, { "Ref": "RapticoreIamRightSizingPolicy" } ], "Policies": [ { "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Sid": "AllowPutRuleInSenderBus", "Action": [ "events:PutRule", "events:PutTargets", "events:RemoveTargets" ], "Resource": "*", "Effect": "Allow" }, { "Sid": "AllowDeleteRuleInSenderBus", "Action": [ "events:DeleteRule" ], "Resource": [ "arn:aws:events:*:*:rule/RapticoreRTTM*" ], "Effect": "Allow" }, { "Sid": "AllowIAMPassRoleForRuleTargetRole", "Action": [ "iam:PassRole" ], "Resource": "*", "Effect": "Allow" }, { "Sid": "AllowPutEventsToReceiverBus", "Effect": "Allow", "Action": [ "events:PutEvents" ], "Resource": [ { "Fn::Sub": "arn:aws:events:us-west-2:${RapticoreAccountId}:event-bus/RapticoreEventBus" } ] } ] }, "PolicyName": "RapticoreRTTMEventsBridgePermissions" } ], "RoleName": { "Fn::Sub": "rapticore-cross-account-${RapticoreTenantId}" } } } }, "Outputs": { "IAMRoleARN": { "Description": "Created IAM Role for Rapticore Integration. Note: this role is not read-only; in addition to ViewOnlyAccess and SecurityAudit it carries the remediation, guard-rail and IAM right-sizing write policies and iam:PassRole on all roles", "Value": { "Fn::GetAtt": [ "RapticoreIAMRole", "Arn" ] } } } }