Parameters: VegaExternalIdParameter: Type: String Description: Vega Cloud's ExternalId for your environments (helps to authenticate role assumption). Default: "vega:" Resources: VegaDiscoveryReader: Properties: RoleName: VegaDiscoveryReader AssumeRolePolicyDocument: Statement: - Action: "sts:AssumeRole" Condition: StringEquals: "sts:ExternalId": !Ref VegaExternalIdParameter Effect: Allow Principal: # 955075715928 This one of the Vega Data Collection Accounts # 549829454055 This one of the Vega Data Collection Accounts # 933023916684 This is the Vega Saas Platform Account AWS: ["arn:aws:iam::955075715928:root", "arn:aws:iam::549829454055:root", "arn:aws:iam::933023916684:root"] - Action: "sts:AssumeRole" Effect: Allow Principal: Service: ["cloudformation.amazonaws.com"] Version: 2012-10-17 Type: "AWS::IAM::Role" DiscoveryPolicy: DependsOn: VegaDiscoveryReader Type: "AWS::IAM::Policy" Properties: PolicyDocument: Statement: # AWS Batch Discovery - Effect: Allow Resource: "*" Action: - "batch:Describe*" - "batch:List*" # CloudWatch Metrics Discovery - Effect: Allow Resource: "*" Action: - "cloudwatch:GetMetricData" - "cloudwatch:GetMetricStatistics" - "cloudwatch:ListMetrics" - "cloudwatch:ListTagsForResource" # EC2 Resource Discovery - Effect: Allow Resource: "*" Action: - "ec2:Describe*" - "ec2:GetCapacityReservationUsage" - "ec2:GetGroupsForCapacityReservation" - "ec2:GetHostReservationPurchasePreview" # RDS Resource Discovery - Effect: Allow Resource: "*" Action: - "rds:DescribeDBClusterSnapshots" - "rds:DescribeDBClusters" - "rds:DescribeDBClusterSnapshots" - "rds:DescribeRecommendationGroups" - "rds:DescribeRecommendations" - "rds:DescribeReservedDBInstances" - "rds:DescribeReservedDBInstancesOfferings" - "rds:DescribeDBInstances" - "rds:DescribeDBSnapshots" - "rds:ListTagsForResource" # Elastic Container Service (ECS) - Effect: Allow Resource: "*" Action: - "ecs:Describe*" - "ecs:List*" # Elastic Kubernetes Service (EKS) - Effect: Allow Resource: "*" Action: - "eks:Describe*" - "eks:List*" # ElastiCache Resource Discovery - Effect: Allow Resource: "*" Action: - "elasticache:Describe*" - "elasticache:List*" # Redshift Resource Discovery - Effect: Allow Resource: "*" Action: - "redshift:DescribeReservedNodes" - "redshift:DescribeReservedNodeExchangeStatus" - "redshift:DescribeReservedNodeOfferings" - "redshift:DescribeClusters" - "redshift:DescribeClusterSnapshots" - "redshift:DescribeStorage" - "redshift:DescribeTags" - "redshift:GetReservedNodeExchangeOfferings" - "redshift:GetReservedNodeExchangeConfigurationOptions" # DynamoDB Resource Discovery - Effect: Allow Resource: "*" Action: - "dynamodb:DescribeReservedCapacity" - "dynamodb:DescribeReservedCapacityOfferings" - "dynamodb:ListTagsOfResource" # Opensearch Resource Discovery - Effect: Allow Resource: "*" Action: - "es:DescribeReservedElasticsearchInstances" - "es:DescribeReservedElasticsearchInstanceOfferings" - "es:DescribeReservedInstances" - "es:DescribeReservedInstanceOfferings" - "es:ListTags" # Medialive Resource Discovery - Effect: Allow Resource: "*" Action: - "medialive:DescribeReservation" - "medialive:ListReservations" - "medialive:ListTagsForResource" # Trusted Advisor Resource Discovery - Effect: Allow Resource: "*" Action: - "support:DescribeTrustedAdvisorCheckRefreshStatuses" - "support:DescribeTrustedAdvisorCheckResult" - "support:DescribeTrustedAdvisorChecks" - "support:DescribeTrustedAdvisorCheckSummaries" - "support:RefreshTrustedAdvisorCheck" - "trustedadvisor:Describe*" # Savings Plan Resource Discovery - Effect: Allow Resource: "*" Action: - "savingsplans:Describe*" - "savingsplans:List*" # Compute Optimizer Resource Discovery - Effect: Allow Resource: "*" Action: - "compute-optimizer:GetAutoScalingGroupRecommendations" - "compute-optimizer:GetEBSVolumeRecommendations" - "compute-optimizer:GetEC2InstanceRecommendations" - "compute-optimizer:GetEC2RecommendationProjectedMetrics" - "compute-optimizer:GetEffectiveRecommendationPreferences" - "compute-optimizer:GetEnrollmentStatus" - "compute-optimizer:GetEnrollmentStatusesForOrganization" - "compute-optimizer:GetLambdaFunctionRecommendations" - "compute-optimizer:GetRecommendationPreferences" - "compute-optimizer:GetRecommendationSummaries" # S3 Resource Discovery - Effect: Allow Resource: "*" Action: # Note: Get* is filtered with an explicit deny on GetObject below. - "s3:Get*" - "s3:List*" - Action: - "s3:GetObject" Effect: Deny Resource: "*" PolicyName: VegaDiscoveryReaderPolicy Roles: - VegaDiscoveryReader