Description: Rapticore Freemium Cross Account IAM Role Deployment Parameters: RapticoreAccountId: Type: String AllowedPattern: "[0-9]{12}" ConstraintDescription: Please enter a valid AWS Account ID where Rapticore Freemium instance will be hosted Description: The Source AWS Account ID where Rapticore Freemium instance will be hosted Resources: RapticoreIAMRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Condition: StringEquals: sts:ExternalId: ["rapticore-freemium"] Effect: Allow Principal: AWS: !Sub "arn:${AWS::Partition}:iam::${RapticoreAccountId}:root" - Action: sts:AssumeRole Effect: Allow Principal: Service: events.amazonaws.com Version: "2012-10-17" Description: Rapticore Cross-Account Access Role for freemium ManagedPolicyArns: - !Sub "arn:${AWS::Partition}:iam::aws:policy/job-function/ViewOnlyAccess" - !Sub "arn:${AWS::Partition}:iam::aws:policy/SecurityAudit" Policies: - PolicyDocument: Statement: - Action: apigateway:GET Effect: Allow NotResource: - arn:aws:apigateway:*::/apikey* - arn:aws:apigateway:*::/apikeys* Sid: AllowApiGatewayReadOnlyExceptAPIKeys - Action: - cognito-identity:DescribeIdentityPool - cognito-identity:LookupDeveloperIdentity - cognito-identity:ListIdentities - cognito-identity:ListTagsForResource - cognito-identity:GetIdentityPoolRoles - cognito-identity:ListIdentityPools - cognito-identity:DescribeIdentity Effect: Allow Resource: "*" Sid: AllowCognitoIdentityPoolsReadOnly - Action: - kinesisanalytics:ListTagsForResource - kinesisanalytics:GetApplicationState - kinesisanalytics:DescribeApplication - kinesisanalytics:DiscoverInputSchema - kinesisanalytics:ListApplications Effect: Allow Resource: "*" Sid: AllowKinesisAnalyticsReadOnly - Action: - cognito-idp:AdminGetDevice - cognito-idp:AdminGetUser - cognito-idp:AdminListDevices - cognito-idp:AdminListGroupsForUser - cognito-idp:DescribeIdentityProvider - cognito-idp:DescribeResourceServer - cognito-idp:DescribeRiskConfiguration - cognito-idp:DescribeUserPool - cognito-idp:DescribeUserPoolClient - cognito-idp:DescribeUserPoolDomain - cognito-idp:GetIdentityProviderByIdentifier - cognito-idp:GetSigningCertificate - cognito-idp:GetUICustomization - cognito-idp:GetUserPoolMfaConfig - cognito-idp:ListDevices - cognito-idp:ListGroups - cognito-idp:ListIdentityProviders - cognito-idp:ListResourceServers - cognito-idp:ListTagsForResource - cognito-idp:ListUserPoolClients - cognito-idp:ListUserPools - cognito-idp:ListUsers - cognito-idp:ListUsersInGroup Effect: Allow Resource: "*" Sid: AllowCognitoUserPoolsReadOnly - Action: - ecr:DescribeImageScanFindings - ecr:DescribeRepositories - ecs:DescribeClusters - ecs:DescribeContainerInstances - ecs:DescribeServices - ecs:DescribeTaskDefinition - ecs:DescribeTaskSets - ecs:DescribeTasks - ecs:ListAccountSettings - ecs:ListAttributes - ecs:ListClusters - ecs:ListContainerInstances - ecs:ListServices - ecs:ListTagsForResource - ecs:ListTaskDefinitionFamilies - ecs:ListTaskDefinitions - ecs:ListTasks Effect: Allow Resource: "*" Sid: AllowElasticContainerServiceReadOnly - Action: cloudhsm:DescribeClusters Effect: Allow Resource: "*" Sid: AllowCloudHSMReadOnly - Action: - glue:GetJobs - glue:ListWorkflows - glue:GetWorkflow - glue:GetClassifiers - glue:GetCrawlers - glue:GetDatabases - glue:GetSecurityConfigurations - glue:GetTags Effect: Allow Resource: "*" Sid: AllowGlueReadOnly - Action: wafv2:GetWebACL Effect: Allow Resource: "*" Sid: AllowWAFv2ReadOnly - Action: - codebuild:BatchGetBuilds - codebuild:BatchGetProjects - codepipeline:GetPipeline - codepipeline:ListTagsForResource Effect: Allow Resource: "*" Sid: AllowCodeSuiteReadOnly - Action: - mq:DescribeBroker - mq:ListBrokers Effect: Allow Resource: "*" Sid: AllowMQReadOnly - Action: - eks:DescribeCluster - eks:ListClusters - eks:ListNodegroups Effect: Allow Resource: "*" Sid: AllowEKSReadOnly - Action: - ec2:GetEbsEncryptionByDefault - ec2:GetEbsEncryptionByDefault Effect: Allow Resource: "*" Sid: AllowEC2ReadOnly - Action: - ce:GetCostAndUsage - ce:GetCostForecast Effect: Allow Resource: "*" Sid: AllowCostExplorerReadOnly - Action: - access-analyzer:CreateAnalyzer Effect: Allow Resource: "*" Sid: AllowIAMCreateAnalyzer - Action: - kms:ListResourceTags Effect: Allow Resource: "*" Sid: AllowKMSListTagsReadOnly - Action: - lambda:GetFunction - lambda:ListFunctions Effect: Allow Resource: "*" Sid: AllowLambdaReadOnly - Action: - inspector2:Describe*" - inspector2:Get*" - inspector2:List* Effect: Allow Resource: "*" Sid: AllowInspector2ReadOnly - Action: - states:ListStateMachines - states:DescribeStateMachine - states:ListTagsForResource Resource: "*" Effect: Allow Sid: AllowStepFunctionsReadOnly - Action: - kafka:ListClusters - kafka:ListClustersV2 - kafka:ListNodes - kafka:DescribeClusterOperation - kafka:ListConfigurations - kafka:DescribeConfigurationRevision Resource: "*" Effect: Allow Sid: AllowKafkaReadOnly - Action: - sso:DescribeAccountAssignmentCreationStatus - sso:DescribeAccountAssignmentDeletionStatus - sso:DescribePermissionSet - sso:DescribePermissionSetProvisioningStatus - sso:DescribePermissionsPolicies - sso:DescribeRegisteredRegions - sso:GetApplicationInstance - sso:GetApplicationTemplate - sso:GetInlinePolicyForPermissionSet - sso:GetManagedApplicationInstance - sso:GetMfaDeviceManagementForDirectory - sso:GetPermissionSet - sso:GetPermissionsPolicy - sso:GetProfile - sso:GetSharedSsoConfiguration - sso:GetSsoConfiguration - sso:GetSSOStatus - sso:GetTrust - sso:ListAccountAssignmentCreationStatus - sso:ListAccountAssignmentDeletionStatus - sso:ListAccountAssignments - sso:ListAccountsForProvisionedPermissionSet - sso:ListApplicationInstanceCertificates - sso:ListApplicationInstances - sso:ListApplications - sso:ListApplicationTemplates - sso:ListDirectoryAssociations - sso:ListInstances - sso:ListManagedPoliciesInPermissionSet - sso:ListPermissionSetProvisioningStatus - sso:ListPermissionSets - sso:ListPermissionSetsProvisionedToAccount - sso:ListProfileAssociations - sso:ListProfiles - sso:ListTagsForResource - iam:ListPolicies Resource: "*" Effect: Allow Sid: AllowSsoReadOnly - Action: - sso-directory:DescribeDirectory - sso-directory:DescribeGroups - sso-directory:DescribeUsers - sso-directory:ListGroupsForUser - sso-directory:ListMembersInGroup - sso-directory:SearchGroups - sso-directory:SearchUsers Resource: "*" Effect: Allow Sid: AllowSsoDirectoryReadOnly - Action: - ds:DescribeDirectories - ds:DescribeTrusts Resource: "*" Effect: Allow Sid: AllowDsDirectoryReadOnly - Action: - identitystore:ListGroups - identitystore:ListUsers - identitystore:ListGroupMemberships - identitystore:ListGroupMembershipsForMember - identitystore:IsMemberInGroups - identitystore:DescribeUser - identitystore:DescribeGroup - identitystore:DescribeGroupMembership Resource: "*" Effect: Allow Sid: AllowIdentityStoreReadOnly - Action: - transfer:DescribeAccess - transfer:DescribeAgreement - transfer:DescribeCertificate - transfer:DescribeConnector - transfer:DescribeProfile - transfer:DescribeSecurityPolicy - transfer:DescribeServer - transfer:DescribeUser - transfer:DescribeWorkflow - transfer:ListAccesses - transfer:ListAgreements - transfer:ListCertificates - transfer:ListConnectors - transfer:ListProfiles - transfer:ListSecurityPolicies - transfer:ListServers - transfer:ListTagsForResource - transfer:ListUsers - transfer:ListWorkflows Resource: "*" Effect: Allow Sid: AllowTransferReadOnly - Action: - ssm:DescribeParameters - ssm:GetParameter - ssm:GetParameters Resource: "*" Effect: Allow Sid: AllowSSMReadOnly Version: "2012-10-17" PolicyName: RapticoreExtendedViewOnly - PolicyDocument: Statement: - Sid: AllowPutRuleInSenderBus Action: - events:PutRule - events:PutTargets - events:RemoveTargets Resource: "*" Effect: Allow - Sid: AllowDeleteRuleInSenderBus Action: - events:DeleteRule Resource: - "arn:aws:events:*:*:rule/RapticoreRTTM*" Effect: Allow - Sid: AllowIAMPassRoleForRuleTargetRole Action: - iam:PassRole Resource: "*" Effect: Allow - Sid: AllowPutEventsToReceiverBus Effect: Allow Action: - events:PutEvents Resource: - !Sub "arn:aws:events:us-west-2:${RapticoreAccountId}:event-bus/RapticoreEventBus" Version: "2012-10-17" PolicyName: RapticoreRTTMEventsBridgePermissions RoleName: rapticore-cross-account-freemium Outputs: IAMRoleARN: Description: Created readonly IAM Role for Rapticore Integration Value: !GetAtt RapticoreIAMRole.Arn