Description: Rapticore Freemium Cross Account IAM Role Deployment Parameters: RapticoreAccountId: Type: String AllowedPattern: "[0-9]{12}" ConstraintDescription: Please enter a valid AWS Account ID where Rapticore Freemium instance will be hosted Description: The Source AWS Account ID where Rapticore Freemium instance will be hosted Resources: RapticoreExtendedViewOnlyPolicy1: Type: AWS::IAM::ManagedPolicy Properties: PolicyDocument: Statement: - Action: apigateway:GET Effect: Allow NotResource: - arn:aws:apigateway:*::/apikey* - arn:aws:apigateway:*::/apikeys* Sid: AllowApiGatewayReadOnlyExceptAPIKeys - Action: - cognito-identity:DescribeIdentityPool - cognito-identity:LookupDeveloperIdentity - cognito-identity:ListIdentities - cognito-identity:ListTagsForResource - cognito-identity:GetIdentityPoolRoles - cognito-identity:ListIdentityPools - cognito-identity:DescribeIdentity Effect: Allow Resource: '*' Sid: AllowCognitoIdentityPoolsReadOnly - Action: - kinesisanalytics:ListTagsForResource - kinesisanalytics:GetApplicationState - kinesisanalytics:DescribeApplication - kinesisanalytics:DiscoverInputSchema - kinesisanalytics:ListApplications Effect: Allow Resource: '*' Sid: AllowKinesisAnalyticsReadOnly - Action: - cognito-idp:AdminGetDevice - cognito-idp:AdminGetUser - cognito-idp:AdminListDevices - cognito-idp:AdminListGroupsForUser - cognito-idp:DescribeIdentityProvider - cognito-idp:DescribeResourceServer - cognito-idp:DescribeRiskConfiguration - cognito-idp:DescribeUserPool - cognito-idp:DescribeUserPoolClient - cognito-idp:DescribeUserPoolDomain - cognito-idp:GetIdentityProviderByIdentifier - cognito-idp:GetSigningCertificate - cognito-idp:GetUICustomization - cognito-idp:GetUserPoolMfaConfig - cognito-idp:ListDevices - cognito-idp:ListGroups - cognito-idp:ListIdentityProviders - cognito-idp:ListResourceServers - cognito-idp:ListTagsForResource - cognito-idp:ListUserPoolClients - cognito-idp:ListUserPools - cognito-idp:ListUsers - cognito-idp:ListUsersInGroup Effect: Allow Resource: '*' Sid: AllowCognitoUserPoolsReadOnly - Action: - ecr:DescribeImageScanFindings - ecr:DescribeRepositories - ecs:DescribeClusters - ecs:DescribeContainerInstances - ecs:DescribeServices - ecs:DescribeTaskDefinition - ecs:DescribeTaskSets - ecs:DescribeTasks - ecs:ListAccountSettings - ecs:ListAttributes - ecs:ListClusters - ecs:ListContainerInstances - ecs:ListServices - ecs:ListTagsForResource - ecs:ListTaskDefinitionFamilies - ecs:ListTaskDefinitions - ecs:ListTasks Effect: Allow Resource: '*' Sid: AllowElasticContainerServiceReadOnly - Action: cloudhsm:DescribeClusters Effect: Allow Resource: '*' Sid: AllowCloudHSMReadOnly - Action: - glue:GetJobs - glue:ListWorkflows - glue:GetWorkflow - glue:GetClassifiers - glue:GetCrawlers - glue:GetDatabases - glue:GetSecurityConfigurations - glue:GetTables Effect: Allow Resource: '*' Sid: AllowGlueReadOnly - Action: wafv2:GetWebACL Effect: Allow Resource: '*' Sid: AllowWAFv2ReadOnly - Action: - codebuild:BatchGetBuilds - codebuild:BatchGetProjects - codepipeline:GetPipeline - codepipeline:ListTagsForResource Effect: Allow Resource: '*' Sid: AllowCodeSuiteReadOnly - Action: - mq:DescribeBroker - mq:ListBrokers Effect: Allow Resource: '*' Sid: AllowMQReadOnly - Action: - eks:DescribeCluster - eks:ListClusters - eks:ListNodegroups Effect: Allow Resource: '*' Sid: AllowEKSReadOnly - Effect: Allow Action: - ec2:GetEbsEncryptionByDefault Resource: '*' Sid: AllowEBSReadOnly - Action: - ce:GetCostAndUsage - ce:GetCostForecast Effect: Allow Resource: '*' Sid: AllowCostExplorerReadOnly - Effect: Allow Action: - kms:ListResourceTags - kms:GetKeyRotationStatus Resource: '*' Sid: AllowKMSReadOnly - Effect: Allow Action: - inspector2:Describe* - inspector2:Get* - inspector2:List* Resource: '*' Sid: AllowInspector2ReadOnly - Action: - states:ListStateMachines - states:DescribeStateMachine - states:ListTagsForResource Resource: '*' Effect: Allow Sid: AllowStepFunctionsReadOnly - Action: - kafka:ListClusters - kafka:ListClustersV2 - kafka:ListNodes - kafka:DescribeClusterOperation - kafka:ListConfigurations - kafka:DescribeConfigurationRevision Resource: '*' Effect: Allow Sid: AllowKafkaReadOnly Version: '2012-10-17' RapticoreExtendedViewOnlyPolicy2: Type: AWS::IAM::ManagedPolicy Properties: PolicyDocument: Statement: - Action: - sso:DescribeAccountAssignmentCreationStatus - sso:DescribeAccountAssignmentDeletionStatus - sso:DescribePermissionSet - sso:DescribePermissionSetProvisioningStatus - sso:DescribePermissionsPolicies - sso:DescribeRegisteredRegions - sso:GetApplicationInstance - sso:GetApplicationTemplate - sso:GetInlinePolicyForPermissionSet - sso:GetManagedApplicationInstance - sso:GetMfaDeviceManagementForDirectory - sso:GetPermissionSet - sso:GetPermissionsPolicy - sso:GetProfile - sso:GetSharedSsoConfiguration - sso:GetSsoConfiguration - sso:GetSSOStatus - sso:GetTrust - sso:ListAccountAssignmentCreationStatus - sso:ListAccountAssignmentDeletionStatus - sso:ListAccountAssignments - sso:ListAccountsForProvisionedPermissionSet - sso:ListApplicationInstanceCertificates - sso:ListApplicationInstances - sso:ListApplications - sso:ListApplicationTemplates - sso:ListDirectoryAssociations - sso:ListInstances - sso:ListManagedPoliciesInPermissionSet - sso:ListPermissionSetProvisioningStatus - sso:ListPermissionSets - sso:ListPermissionSetsProvisionedToAccount - sso:ListProfileAssociations - sso:ListProfiles - sso:ListTagsForResource - iam:ListPolicies Resource: '*' Effect: Allow Sid: AllowSsoReadOnly - Action: - sso-directory:DescribeDirectory - sso-directory:DescribeGroups - sso-directory:DescribeUsers - sso-directory:ListGroupsForUser - sso-directory:ListMembersInGroup - sso-directory:SearchGroups - sso-directory:SearchUsers Resource: '*' Effect: Allow Sid: AllowSsoDirectoryReadOnly - Action: - ds:DescribeDirectories - ds:DescribeTrusts Resource: '*' Effect: Allow Sid: AllowDsDirectoryReadOnly - Action: - compute-optimizer:GetEC2InstanceRecommendations - compute-optimizer:GetEC2InstanceRecommendations Resource: '*' Effect: Allow Sid: AllowComputeOptimizerReadOnly - Action: - identitystore:ListGroups - identitystore:ListUsers - identitystore:ListGroupMemberships - identitystore:ListGroupMembershipsForMember - identitystore:IsMemberInGroups - identitystore:DescribeUser - identitystore:DescribeGroup - identitystore:DescribeGroupMembership Resource: '*' Effect: Allow Sid: AllowIdentityStoreReadOnly - Action: - codeartifact:ListDomains - codeartifact:DescribeDomain - codeartifact:GetDomainPermissionsPolicy - codeartifact:ListRepositories - codeartifact:DescribeRepository - codeartifact:GetRepositoryPermissionsPolicy - codeartifact:GetRepositoryEndpoint - codeartifact:ListPackages - codeartifact:ListTagsForResource - codeartifact:ListPackageVersions - codeartifact:DescribePackageVersion - codeartifact:ListPackageVersionDependencies - codeartifact:ListPackageVersionAssets Resource: '*' Effect: Allow Sid: AllowCodeArtifactReadOnly - Action: - geo:ListMaps - geo:ListPlaceIndexes - geo:ListRouteCalculators - geo:ListGeofences - geo:ListGeofenceCollections - geo:ListTrackers - geo:ListTrackerConsumers - geo:ListTagsForResource - geo:DescribeMap - geo:DescribePlaceIndex - geo:DescribeRouteCalculator - geo:DescribeGeofenceCollection - geo:DescribeTracker Resource: '*' Effect: Allow Sid: AllowLocationServiceReadOnly - Action: - transcribe:GetTranscriptionJob - transcribe:ListTranscriptionJobs - transcribe:ListMedicalTranscriptionJobs - transcribe:GetMedicalTranscriptionJob - transcribe:ListVocabularies - transcribe:ListMedicalVocabularies - transcribe:GetVocabulary - transcribe:ListLanguageModels - transcribe:ListCallAnalyticsJobs - transcribe:GetCallAnalyticsJob - transcribe:ListCallAnalyticsCategories - transcribe:GetCallAnalyticsCategory Resource: '*' Effect: Allow Sid: AllowTranscribeServiceReadOnly - Action: - globalaccelerator:ListAccelerators - globalaccelerator:ListCustomRoutingAccelerators - globalaccelerator:ListEndpointGroups - globalaccelerator:ListListeners - globalaccelerator:ListCustomRoutingEndpointGroups - globalaccelerator:ListCustomRoutingListeners - globalaccelerator:ListCustomRoutingPortMappings - globalaccelerator:ListTagsForResource Resource: '*' Effect: Allow Sid: AllowGlobalAcceleratorService - Action: - es:DescribeDomains - es:ListTags - es:GetDomainMaintenanceStatus - es:DescribePackages - es:DescribeDomainNodes - es:DescribeDomainHealth - es:DescribeDomainAutoTunes - es:DescribeDomain - es:ListVpcEndpointsForDomain - es:ListVpcEndpoints - es:ListScheduledActions - es:ListInstanceTypeDetails - es:ListPackagesForDomain - es:ListDomainNames - es:ListDomainsForPackage - es:DescribeVpcEndpoints - es:DescribeInstanceTypeLimits - es:ListDomainMaintenances Resource: '*' Effect: Allow Sid: AllowOpenSearchService - Action: - xray:ListResourcePolicies - xray:ListTagsForResource - xray:GetEncryptionConfig - xray:GetGroups - xray:GetSamplingRules - xray:GetSamplingStatisticSummaries Resource: '*' Effect: Allow Sid: AllowXRayService Version: '2012-10-17' RapticoreExtendedViewOnlyPolicy3: Type: AWS::IAM::ManagedPolicy Properties: PolicyDocument: Statement: - Action: - timestream:ListBatchLoadTasks - timestream:ListDatabases - timestream:ListMeasures - timestream:ListScheduledQueries - timestream:ListTables - timestream:ListTagsForResource - timestream:DescribeBatchLoadTask - timestream:DescribeDatabase - timestream:DescribeEndpoints - timestream:DescribeScheduledQuery - timestream:DescribeTable Resource: '*' Effect: Allow Sid: AllowTimestreamReadOnly - Action: - bedrock:ListModelCustomizationJobs - bedrock:ListModelEvaluationJobs - bedrock:ListCustomModels - bedrock:ListGuardrails Resource: '*' Effect: Allow Sid: AllowBedrockService - Action: - macie2:ListClassificationJobs - macie2:ListClassificationScopes - macie2:ListCustomDataIdentifiers - macie2:ListFindings - macie2:ListFindingsFilters - macie2:ListInvitations - macie2:ListAllowLists - macie2:ListAutomatedDiscoveryAccounts - macie2:ListManagedDataIdentifiers - macie2:ListMembers - macie2:ListOrganizationAdminAccounts - macie2:ListResourceProfileArtifacts - macie2:ListResourceProfileDetections - macie2:ListSensitivityInspectionTemplates - macie2:DescribeBuckets - macie2:DescribeClassificationJob - macie2:DescribeOrganizationConfiguration - macie2:GetClassificationScope - macie2:GetCustomDataIdentifier - macie2:GetFindings - macie2:GetFindingsFilter - macie2:GetFindingsPublicationConfiguration - macie2:GetFindingStatistics - macie2:GetMacieSession - macie2:GetResourceProfile - macie2:ListTagsForResource - macie2:GetBucketStatistics - macie2:GetClassificationExportConfiguration - macie2:GetAutomatedDiscoveryConfiguration - macie2:GetAllowList - macie2:GetAdministratorAccount - macie2:GetMember - macie2:GetUsageStatistics - macie2:GetUsageTotals - macie2:GetMasterAccount Resource: '*' Effect: Allow Sid: AllowMacieReadOnly - Action: - lightsail:GetInstances - lightsail:GetStaticIps - lightsail:GetInstanceSnapshots Resource: '*' Effect: Allow Sid: AllowLightsailReadOnly - Effect: Allow Action: - workmail:DescribeEntity - workmail:DescribeGroup - workmail:DescribeInboundDmarcSettings - workmail:DescribeInboundMailFlowRule - workmail:DescribeMailDomains - workmail:DescribeMailboxExportJob - workmail:DescribeOrganization - workmail:DescribeOutboundMailFlowRule - workmail:DescribeResource - workmail:DescribeSmtpGateway - workmail:DescribeUser - workmail:GetDefaultRetentionPolicy - workmail:GetImpersonationRole - workmail:GetJournalingRules - workmail:GetMailDomain - workmail:GetMailDomainDetails - workmail:GetMailboxDetails - workmail:GetMobileDevicesForUser - workmail:ListAccessControlRules - workmail:ListAliases - workmail:ListAvailabilityConfigurations - workmail:ListGroupMembers - workmail:ListGroups - workmail:ListGroupsForEntity - workmail:ListImpersonationRoles - workmail:ListInboundMailFlowRules - workmail:ListMailDomains - workmail:ListMailboxExportJobs - workmail:ListMailboxPermissions - workmail:ListMobileDeviceAccessOverrides - workmail:ListMobileDeviceAccessRules - workmail:ListOrganizations - workmail:ListOutboundMailFlowRules - workmail:ListResourceDelegates - workmail:ListResources - workmail:ListSmtpGateways - workmail:ListTagsForResource - workmail:ListUsers Resource: '*' Sid: AllowWorkmailReadOnly - Action: - rekognition:DescribeDataset - rekognition:DescribeProjects Resource: '*' Effect: Allow Sid: AllowRekognitionReadOnly - Action: - backup:ListBackupJobs - backup:ListBackupJobSummaries - backup:ListBackupPlans - backup:ListBackupPlanTemplates - backup:ListBackupPlanVersions - backup:ListBackupSelections - backup:ListBackupVaults - backup:ListLegalHolds - backup:ListProtectedResources - backup:ListProtectedResourcesByBackupVault - backup:ListRecoveryPointsByBackupVault - backup:ListRecoveryPointsByLegalHold - backup:ListRecoveryPointsByResource - backup:GetBackupPlan - backup:ListTags - backup:GetBackupSelection - backup:GetLegalHold Resource: '*' Effect: Allow Sid: AllowBackupReadOnly - Action: - refactor-spaces:ListEnvironments - refactor-spaces:ListApplications - refactor-spaces:ListRoutes - refactor-spaces:ListServices - refactor-spaces:ListEnvironmentVpcs - refactor-spaces:ListTagsForResource Resource: '*' Effect: Allow Sid: AllowRefactorSpacesReadOnly - Action: - servicediscovery:ListNamespaces - servicediscovery:ListServices - servicediscovery:ListTagsForResource - servicediscovery:ListInstances - servicediscovery:ListOperations Resource: '*' Effect: Allow Sid: AllowCloudMapReadOnly - Action: - frauddetector:ListTagsForResource - frauddetector:GetBatchImportJobs - frauddetector:GetBatchPredictionJobs - frauddetector:GetEntityTypes - frauddetector:GetDetectors - frauddetector:GetExternalModels - frauddetector:GetKMSEncryptionKey - frauddetector:GetLabels - frauddetector:GetVariables - frauddetector:GetRules - frauddetector:GetOutcomes - frauddetector:GetModels - frauddetector:GetModelVersion - frauddetector:GetListsMetadata - frauddetector:GetEventTypes Resource: '*' Effect: Allow Sid: AllowFraudDetectorReadOnly Version: '2012-10-17' RapticoreExtendedViewOnlyPolicy4: Type: AWS::IAM::ManagedPolicy Properties: PolicyDocument: Statement: - Action: - airflow:ListEnvironments - airflow:ListTagsForResource - airflow:GetEnvironment Resource: '*' Effect: Allow Sid: AllowMWAAReadOnly - Action: - route53domains:ListDomains - route53domains:ListOperations - route53domains:ListTagsForDomain - route53domains:GetDomainDetail - route53domains:GetDomainSuggestions Resource: '*' Effect: Allow Sid: AllowRoute53DomainsReadOnly - Action: - dms:DescribeConnections - dms:ListTagsForResource - dms:DescribeReplicationInstances - dms:DescribeReplications - dms:DescribeReplicationTasks - dms:DescribeTableStatistics - dms:DescribeReplicationTaskAssessmentResults - dms:DescribeReplicationSubnetGroups - dms:DescribeEvents - dms:DescribeEventSubscriptions - dms:DescribeEndpoints - dms:DescribeCertificates - dms:DescribeConnections - dms:DescribeReplicationTaskAssessmentRuns - dms:DescribeDataProviders - dms:DescribeMigrationProjects - dms:DescribeInstanceProfiles - dms:DescribeMetadataModelAssessments - dms:DescribeMetadataModelConversions - dms:DescribeMetadataModelExportsAsScript - dms:DescribeMetadataModelExportsToTarget - dms:DescribeMetadataModelImports - dms:DescribeFleetAdvisorCollectors - dms:DescribeFleetAdvisorDatabases - dms:DescribeFleetAdvisorLsaAnalysis - dms:DescribeFleetAdvisorSchemas Resource: '*' Effect: Allow Sid: AllowDatabaseMigrationServiceReadOnly - Action: - fis:ListTagsForResource - fis:ListActions - fis:ListExperimentResolvedTargets - fis:ListExperiments - fis:ListExperimentTemplates - fis:ListActions Resource: '*' Effect: Allow Sid: AllowFaultInjectionSimulatorReadOnly - Action: - devops-guru:ListAnomaliesForInsight - devops-guru:ListAnomalousLogGroups - devops-guru:ListEvents - devops-guru:ListInsights - devops-guru:ListMonitoredResources - devops-guru:ListNotificationChannels - devops-guru:ListOrganizationInsights - devops-guru:ListRecommendations - devops-guru:DescribeAccountHealth - devops-guru:DescribeAccountOverview - devops-guru:DescribeAnomaly - devops-guru:DescribeEventSourcesConfig - devops-guru:DescribeInsight - devops-guru:DescribeOrganizationHealth - devops-guru:DescribeOrganizationOverview - devops-guru:DescribeOrganizationResourceCollectionHealth - devops-guru:DescribeResourceCollectionHealth - devops-guru:DescribeServiceIntegration - devops-guru:GetResourceCollection Resource: '*' Effect: Allow Sid: AllowDevOpsGuruReadOnly - Effect: Allow Action: - transfer:DescribeAccess - transfer:DescribeAgreement - transfer:DescribeCertificate - transfer:DescribeConnector - transfer:DescribeProfile - transfer:DescribeSecurityPolicy - transfer:DescribeServer - transfer:DescribeUser - transfer:DescribeWorkflow - transfer:ListAccesses - transfer:ListAgreements - transfer:ListCertificates - transfer:ListConnectors - transfer:ListProfiles - transfer:ListSecurityPolicies - transfer:ListServers - transfer:ListTagsForResource - transfer:ListUsers - transfer:ListWorkflows Resource: '*' Sid: AllowTransferReadOnly - Effect: Allow Action: - ssm:DescribeParameters - ssm:GetParameter - ssm:GetParameters Resource: '*' Sid: AllowSSMReadOnly - Effect: Allow Action: - medialive:DescribeChannel - mediapackage:ListChannels - mediapackagev2:ListChannelGroups - mediapackagev2:GetChannelGroup - mediapackagev2:ListChannels - mediapackagev2:GetChannel - mediastore:GetLifecyclePolicy - mediastore:GetMetricPolicy - mediaconvert:ListJobs - mediaconvert:DescribeEndpoints - mediaconvert:GetPolicy Resource: '*' Sid: AllowMediaReadOnly Version: '2012-10-17' RapticoreIAMRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Condition: StringEquals: sts:ExternalId: [ "rapticore-freemium" ] Effect: Allow Principal: AWS: !Sub "arn:${AWS::Partition}:iam::${RapticoreAccountId}:root" - Action: sts:AssumeRole Effect: Allow Principal: Service: events.amazonaws.com Version: "2012-10-17" Description: Rapticore Cross-Account Access Role for freemium ManagedPolicyArns: - !Sub "arn:${AWS::Partition}:iam::aws:policy/job-function/ViewOnlyAccess" - !Sub "arn:${AWS::Partition}:iam::aws:policy/SecurityAudit" - !Ref RapticoreExtendedViewOnlyPolicy1 - !Ref RapticoreExtendedViewOnlyPolicy2 - !Ref RapticoreExtendedViewOnlyPolicy3 - !Ref RapticoreExtendedViewOnlyPolicy4 Policies: - PolicyDocument: Statement: - Sid: AllowPutRuleInSenderBus Action: - events:PutRule - events:DeleteRule - events:PutTargets - events:RemoveTargets Resource: "*" Effect: Allow - Sid: AllowIAMPassRoleForRuleTargetRole Action: - iam:PassRole Resource: "*" Effect: Allow - Sid: AllowPutEventsToReceiverBus Effect: Allow Action: - events:PutEvents Resource: - !Sub "arn:aws:events:us-west-2:${RapticoreAccountId}:event-bus/RapticoreEventBus" Version: "2012-10-17" PolicyName: RapticoreRTTMEventsBridgePermissions RoleName: rapticore-cross-account-freemium Outputs: IAMRoleARN: Description: Created readonly IAM Role for Rapticore Integration Value: !GetAtt RapticoreIAMRole.Arn