Parameters: CurBucketsParameter: Type: String Description: A comma-separated list of buckets & objects (/*) Vega Cloud can use to build your dashboards and reports. Default: "arn:aws:s3:::your-bucket-here,arn:aws:s3:::your-bucket-here/* (one for bucket, one for resource)" AttachReadOnlyRole: Type: String AllowedValues: - true - false Default: false Description: Attach the AWS Managed ReadOnly policy to Vega Cloud's Role? This will provide Vega read-only access to more AWS Service API details within your environment. VegaExternalIdParameter: Type: String Description: Vega Cloud's ExternalId for your environments (helps to authenticate role assumption). Default: "vega:" Conditions: AttachReadOnly: !Equals - !Ref AttachReadOnlyRole - true Resources: VegaAdminRole: Type: "AWS::IAM::Role" Properties: RoleName: VegaAdmin AssumeRolePolicyDocument: Statement: - Action: "sts:AssumeRole" Condition: StringEquals: "sts:ExternalId": !Ref VegaExternalIdParameter Effect: Allow Principal: # 955075715928 This one of the Vega Data Collection Accounts # 549829454055 This one of the Vega Data Collection Accounts # 933023916684 This is the Vega Saas Platform Account AWS: ["arn:aws:iam::955075715928:root", "arn:aws:iam::549829454055:root", "arn:aws:iam::933023916684:root"] Sid: "Stmt156148350008823" Version: 2012-10-17 ManagedPolicyArns: - !If - AttachReadOnly - "arn:aws:iam::aws:policy/ReadOnlyAccess" - !Ref 'AWS::NoValue' DiscoveryPolicy: DependsOn: VegaAdminRole Type: "AWS::IAM::Policy" Properties: PolicyName: VegaDiscoveryPolicy Roles: - VegaAdmin PolicyDocument: Statement: - Sid: VegaDiscoveryComputeOptimizer Action: - "compute-optimizer:Get*" Effect: "Allow" Resource: "*" - Sid: VegaDiscoverySavingsPlans Action: - "savingsplans:*" Effect: Allow Resource: "*" - Sid: VegaDiscoveryOrganizations Action: - "organizations:Describe*" - "organizations:List*" Effect: Allow Resource: "*" # Access to Pricing Data and Current Usage Report Definitions - Sid: VegaDiscoveryPricing Effect: Allow Action: - "pricing:*" - "cur:DescribeReportDefinitions" Resource: "*" # Cost Explorer API Readonly Access - Sid: VegaDiscoveryCostExplorer Effect: Allow Action: - "ce:DescribeCostCategoryDefinition" - "ce:DescribeNotificationSubscription" - "ce:DescribeReport" - "ce:GetAnomalies" - "ce:GetAnomalyMonitors" - "ce:GetAnomalySubscriptions" - "ce:GetCostAndUsage" - "ce:GetCostAndUsageWithResources" - "ce:GetCostCategories" - "ce:GetCostForecast" - "ce:GetDimensionValues" - "ce:GetPreferences" - "ce:GetReservationCoverage" - "ce:GetReservationPurchaseRecommendation" - "ce:GetReservationUtilization" - "ce:GetRightsizingRecommendation" - "ce:GetSavingsPlansCoverage" - "ce:GetSavingsPlansPurchaseRecommendation" - "ce:GetSavingsPlansUtilization" - "ce:GetSavingsPlansUtilizationDetails" - "ce:GetTags" - "ce:GetUsageForecast" - "ce:ListCostCategoryDefinitions" - "ce:ListTagsForResource" Resource: "*" - Sid: VegaDiscoveryBillingConductor Effect: Allow Action: - "billingconductor:ListAccountAssociations" - "billingconductor:ListBillingGroupCostReports" - "billingconductor:ListBillingGroups" - "billingconductor:ListCustomLineItems" - "billingconductor:ListPricingPlans" - "billingconductor:ListPricingPlansAssociatedWithPricingRule" - "billingconductor:ListPricingRules" - "billingconductor:ListPricingRulesAssociatedToPricingPlan" - "billingconductor:ListResourcesAssociatedToCustomLineItem" - "billingconductor:ListTagsForResource" Resource: "*" S3SyncPolicy: DependsOn: VegaAdminRole Type: "AWS::IAM::Policy" Properties: PolicyDocument: Statement: - Sid: VegaS3SyncPolicy Effect: Allow Action: - "s3:GetBucketLocation" - "s3:GetObjectTagging" - "s3:GetObject" - "s3:GetAccountPublicAccessBlock" - "s3:GetBucketTagging" - "s3:ListBucket" - "s3:ListBucketMultipartUploads" - "s3:ListMultipartUploadParts" - "s3:AbortMultipartUpload" # Add any additional S3 buckets below Resource: !Split [",", !Ref CurBucketsParameter] PolicyName: VegaS3SyncPolicy Roles: - VegaAdmin