AUTOMATE+ (continuous compliance) AWS Cross Account Role Post-Deployment Permissions

AUTOMATE+ (continuous compliance) AWS Cross Account Role Post-Deployment Permissions

Post Deployment Permissions

Review notes on the CloudFormation template below (CDK-synthesised; every role trusts `arn:aws:iam::<AccountId>:root` of the vendor account, so any IAM principal in that account that holds `sts:AssumeRole` and knows the ExternalId can assume it — the `sts:ExternalId` condition is the only gate, so treat the ExternalId as a secret and confirm the default `AccountId` against the vendor's published account ID before deploying):

- The "resource tagging" role (`SixPillarsEnableResourceTaggingRole`) is far broader than its name suggests: its first statement grants `sts:AssumeRole`, `secretsmanager:GetSecretValue`, `ssm:GetParameter`, `iam:CreateServiceLinkedRole` (without the `iam:AWSServiceName` condition the GuardDuty/Macie/Inspector roles use), ENI create/delete and CloudWatch Logs writes, all on `"Resource": "*"`. `sts:AssumeRole` on `*` lets it assume any role in the account whose trust policy admits the account (e.g. roles trusting the account root), and `GetSecretValue` on `*` reads every Secrets Manager secret. Set `EnableResourceTaggingRole=NO` unless these are needed, or ask for the statement to be scoped.
- `SixPillarsEnableInspectorRole` carries no `"Condition"` (only its `inspectoraccesspolicy` does), so the vendor-assumable role is created even when `EnableInspectorRole=NO`.
- The main role can weaken or disable controls: `securityhub:BatchDisableStandards`, `controltower:DisableControl`, `events:DisableRule`, `wellarchitected:DeleteWorkload`, plus `cloudtrail:UpdateTrail` and `sns:Subscribe` on `*` (the latter two can redirect or degrade any trail's logging and alerting). Scope these to the specific trail/topic/rules where possible and alert on their use.
- The main role's `MaxSessionDuration` is 43200 s (12 h) versus 3600 s for the service-enable roles; credentials issued to the vendor stay valid for that long after a compromise.
- `EnableSixPillarsDeployAccess` and its condition are declared but no visible resource uses them, and the ten managed policies referenced in `ManagedPolicyArns` (e.g. `SixPillarsIAMSecurityPolicy…`) are not defined in the `Resources` shown here — if they were omitted from this page, review them separately; if not, the template will fail to deploy.
- `AccountId` is constrained only by `MinLength: 12`; an `AllowedPattern` of `^[0-9]{12}$` would reject malformed values, and `ExternalId` has no length constraint at all.

{ "Description": "Allows application to gain least privileged access to your AWS account.", "Parameters": { "AccountId": { "Type": "String", "Default": "936682280665", "Description": "6pillars's AWS Account Id", "MinLength": 12 }, "ExternalId": { "Type": "String", "Description": "Unique External Id generated by 6pillars" }, "RoleName": { "Type": "String", "Default": "six-pillars-role", "Description": "IAM Role Name" }, "EnableGuardDutyRole": { "Type": "String", "Default": "YES", "AllowedValues": [ "YES", "NO" ], "Description": "Enable Guardduty role to enable Guardduty in this AWS account" }, "EnableMacieRole": { "Type": "String", "Default": "YES", "AllowedValues": [ "YES", "NO" ], "Description": "Enable Macie role to enable Macie in this AWS account" }, "EnableCloudWatchRole": { "Type": "String", "Default": "YES", "AllowedValues": [ "YES", "NO" ], "Description": "Enable CloudWatch role to enable CloudWatch in this AWS account" }, "EnableSixPillarsDeployAccess": { "Type": "String", "Default": "NO", "AllowedValues": [ "YES", "NO" ], "Description": "Enable Six Pillars deploy access to enable Six Pillars in this AWS account" }, "EnableInspectorRole": { "Type": "String", "Default": "YES", "AllowedValues": [ "YES", "NO" ], "Description": "Enable Inspector role to enable Inspector in this AWS account" }, "EnableResourceTaggingRole": { "Type": "String", "Default": "YES", "AllowedValues": [ "YES", "NO" ], "Description": "Enable Resource Tagging role to enable tagging in this AWS account" } }, "Resources": { "SixPillarsRoleBB82BD63": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "sts:ExternalId": { "Ref": "ExternalId" } } }, "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:aws:iam::", { "Ref": "AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "Description": "Allows application to gain least privileged access to your AWS account.", 
"ManagedPolicyArns": [ { "Ref": "SixPillarsS3CloudFrontPolicyFC53222D" }, { "Ref": "SixPillarsEC2NetworkingPolicyB15A93A1" }, { "Ref": "SixPillarsDatabaseServicesPolicy56171DE0" }, { "Ref": "SixPillarsLambdaStepFunctionsPolicy07C4001E" }, { "Ref": "SixPillarsIAMSecurityPolicy4E37B826" }, { "Ref": "SixPillarsSSMPolicyBF5D6E81" }, { "Ref": "SixPillarsCloudWatchCloudTrailPolicy701DF19D" }, { "Ref": "SixPillarsSNSSQSPolicyDD643257" }, { "Ref": "SixPillarsAutoScalingPolicy56EC990C" }, { "Ref": "SixPillarsMiscellaneousPolicy1C0EFC7A" } ], "MaxSessionDuration": 43200, "RoleName": { "Ref": "RoleName" } }, "Metadata": { "aws:cdk:path": "SixPillarRoleStack/SixPillarsRole/Resource" } }, "sixpillarsplaybookaccesscrossaccountC74DF904": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "s3:GetObject", "Effect": "Allow", "Resource": [ "arn:aws:s3:::5pillars-prod-playbooks-reference/*", "arn:aws:s3:::5pillars-prod-playbooks-ap-southeast-2/*", "arn:aws:s3:::5pillars-prod-playbooks-ap-southeast-1/*", "arn:aws:s3:::5pillars-prod-playbooks-ap-southeast-4/*", "arn:aws:s3:::5pillars-prod-playbooks-ap-south-1/*", "arn:aws:s3:::5pillars-prod-playbooks-ap-northeast-1/*", "arn:aws:s3:::5pillars-prod-playbooks-ap-east-1/*", "arn:aws:s3:::5pillars-prod-playbooks-us-east-1/*", "arn:aws:s3:::5pillars-prod-playbooks-us-east-2/*", "arn:aws:s3:::5pillars-prod-playbooks-us-west-1/*", "arn:aws:s3:::5pillars-prod-playbooks-us-west-2/*", "arn:aws:s3:::5pillars-prod-playbooks-eu-central-1/*", "arn:aws:s3:::5pillars-prod-playbooks-eu-west-1/*", "arn:aws:s3:::5pillars-prod-playbooks-eu-west-2/*", "arn:aws:s3:::5pillars-prod-playbooks-me-south-1/*", "arn:aws:s3:::5pillars-prod-playbooks-me-central-1/*" ] } ], "Version": "2012-10-17" }, "PolicyName": "6pillars-playbook-access-cross-account", "Roles": [ { "Ref": "SixPillarsRoleBB82BD63" } ] }, "Metadata": { "aws:cdk:path": "SixPillarRoleStack/six-pillars-playbook-access-cross-account/Resource" } }, 
"sixpillarsreadonlyaccess6E6C79AE": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "securityhub:UpdateStandardsControl", "securityhub:DescribeStandardsControls", "securityhub:GetEnabledStandards", "securityhub:GetFindings", "securityhub:ListSecurityControlDefinitions", "securityhub:ListStandardsControlAssociations", "securityhub:BatchUpdateStandardsControlAssociations", "wellarchitected:CreateWorkload", "wellarchitected:UpdateAnswer", "wellarchitected:CreateMilestone", "wellarchitected:DeleteWorkload", "wellarchitected:List*", "wellarchitected:Get*" ], "Effect": "Allow", "Resource": "*" } ], "Version": "2012-10-17" }, "PolicyName": "6pillars-read-only-access", "Roles": [ { "Ref": "SixPillarsRoleBB82BD63" } ] }, "Metadata": { "aws:cdk:path": "SixPillarRoleStack/six-pillars-read-only-access/Resource" } }, "sixpillarssupportcontrolaccessC29B6A38": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "support:DescribeSeverityLevels", "Effect": "Allow", "Resource": "*" } ], "Version": "2012-10-17" }, "PolicyName": "6pillars-support-control-access", "Roles": [ { "Ref": "SixPillarsRoleBB82BD63" } ] }, "Metadata": { "aws:cdk:path": "SixPillarRoleStack/six-pillars-support-control-access/Resource" } }, "sixpillarsaccess2D0243C8": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "events:DescribeRule", "events:DisableRule", "events:EnableRule", "events:ListRules", "states:StartExecution" ], "Effect": "Allow", "Resource": "*" } ], "Version": "2012-10-17" }, "PolicyName": "6pillars-access", "Roles": [ { "Ref": "SixPillarsRoleBB82BD63" } ] }, "Metadata": { "aws:cdk:path": "SixPillarRoleStack/six-pillars-access/Resource" } }, "sixpillarssecurityhubintegrationaccess3EEFBAB7": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "securityhub:EnableImportFindingsForProduct", "securityhub:BatchImportFindings", 
"securityhub:BatchEnableStandards", "securityhub:BatchDisableStandards", "securityhub:GetEnabledStandards", "securityhub:GetInsights", "securityhub:ListMembers" ], "Effect": "Allow", "Resource": "*" } ], "Version": "2012-10-17" }, "PolicyName": "6pillars-security-hub-integration-access", "Roles": [ { "Ref": "SixPillarsRoleBB82BD63" } ] }, "Metadata": { "aws:cdk:path": "SixPillarRoleStack/six-pillars-security-hub-integration-access/Resource" } }, "sixpillarsmulticloudwatchaccess009662D5": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "cloudtrail:DescribeTrails", "sns:ListTopics", "sns:GetTopicAttributes", "cloudtrail:GetTrail" ], "Effect": "Allow", "Resource": "*" }, { "Action": "sns:Subscribe", "Effect": "Allow", "Resource": "*" }, { "Action": [ "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": [ "arn:aws:ssm:*:*:parameter/Solutions/SO0111/Metrics_LogGroupName", "arn:aws:ssm:*:*:parameter/Solutions/SO0111/SNS_Topic_CIS3.x" ] }, { "Action": "cloudtrail:UpdateTrail", "Effect": "Allow", "Resource": "*" }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": "arn:aws:iam::*:role/SO0111-CloudTrailToCloudWatchLogs" } ], "Version": "2012-10-17" }, "PolicyName": "6pillars-multi-cloudwatch-access", "Roles": [ { "Ref": "SixPillarsRoleBB82BD63" } ] }, "Metadata": { "aws:cdk:path": "SixPillarRoleStack/six-pillars-multi-cloudwatch-access/Resource" } }, "sixpillarscontroltoweraccessE3308308": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "controltower:ListEnabledControls", "controltower:EnableControl", "controltower:DisableControl", "organizations:ListRoots", "organizations:ListAccounts", "organizations:DescribeOrganizationalUnit", "organizations:DescribeAccount", "organizations:ListChildren", "controltower:GetEnabledControl" ], "Effect": "Allow", "Resource": "*" } ], "Version": "2012-10-17" }, "PolicyName": "6pillars-controltower-access", "Roles": [ { 
"Ref": "SixPillarsRoleBB82BD63" } ] }, "Metadata": { "aws:cdk:path": "SixPillarRoleStack/six-pillars-controltower-access/Resource" } }, "sixpillarscheckroleaccessDF62453E": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "iam:ListRolePolicies", "iam:GetRolePolicy" ], "Effect": "Allow", "Resource": [ "arn:aws:iam::*:role/SixPillarsEnableGuardDutyRole", "arn:aws:iam::*:role/SixPillarsEnableMacieRole", "arn:aws:iam::*:role/SixPillarsEnableInspectorRole", "arn:aws:iam::*:role/SixPillarsEnableResourceTaggingRole", "arn:aws:iam::*:role/SixPillarsCloudwatchRole" ] } ], "Version": "2012-10-17" }, "PolicyName": "six-pillars-check-role-access", "Roles": [ { "Ref": "SixPillarsRoleBB82BD63" } ] }, "Metadata": { "aws:cdk:path": "SixPillarRoleStack/six-pillars-check-role-access/Resource" } }, "SixPillarsEnableGuardDutyRole9BFEF6CB": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "sts:ExternalId": { "Ref": "ExternalId" } } }, "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:aws:iam::", { "Ref": "AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "Description": "Allows 6pillars application to gain access to enable Guardduty.", "MaxSessionDuration": 3600, "RoleName": "SixPillarsEnableGuardDutyRole" }, "Metadata": { "aws:cdk:path": "SixPillarRoleStack/SixPillarsEnableGuardDutyRole/Resource" }, "Condition": "EnableGuardDutyRoleCondition" }, "guarddutyaccesspolicy3649897B": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "guardduty:CreateDetector", "guardduty:ListDetectors", "guardduty:GetDetector", "guardduty:UpdateDetector" ], "Effect": "Allow", "Resource": "*" }, { "Action": "iam:CreateServiceLinkedRole", "Condition": { "StringEquals": { "iam:AWSServiceName": [ "guardduty.amazonaws.com", "malware-protection.guardduty.amazonaws.com" ] } }, "Effect": "Allow", 
"Resource": "*" } ], "Version": "2012-10-17" }, "PolicyName": "SixPillars-guardduty-access-policy", "Roles": [ { "Ref": "SixPillarsEnableGuardDutyRole9BFEF6CB" } ] }, "Metadata": { "aws:cdk:path": "SixPillarRoleStack/guardduty-access-policy/Resource" }, "Condition": "EnableGuardDutyRoleCondition" }, "SixPillarsEnableMacieRole2B1ABECF": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "sts:ExternalId": { "Ref": "ExternalId" } } }, "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:aws:iam::", { "Ref": "AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "Description": "Allows 6pillars application to gain access to enable Macie.", "MaxSessionDuration": 3600, "RoleName": "SixPillarsEnableMacieRole" }, "Metadata": { "aws:cdk:path": "SixPillarRoleStack/SixPillarsEnableMacieRole/Resource" }, "Condition": "EnableMacieRoleCondition" }, "macieaccesspolicy8DDEEFB6": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "macie2:EnableMacie", "Effect": "Allow", "Resource": "*" }, { "Action": "iam:CreateServiceLinkedRole", "Condition": { "StringEquals": { "iam:AWSServiceName": [ "macie.amazonaws.com" ] } }, "Effect": "Allow", "Resource": "*" } ], "Version": "2012-10-17" }, "PolicyName": "SixPillars-macie-access-policy", "Roles": [ { "Ref": "SixPillarsEnableMacieRole2B1ABECF" } ] }, "Metadata": { "aws:cdk:path": "SixPillarRoleStack/macie-access-policy/Resource" }, "Condition": "EnableMacieRoleCondition" }, "SixPillarsEnableInspectorRole03052BBA": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "sts:ExternalId": { "Ref": "ExternalId" } } }, "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:aws:iam::", { "Ref": "AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "Description": "Allows 
6pillars application to gain access to enable Inspector.", "MaxSessionDuration": 3600, "RoleName": "SixPillarsEnableInspectorRole" }, "Metadata": { "aws:cdk:path": "SixPillarRoleStack/SixPillarsEnableInspectorRole/Resource" } }, "inspectoraccesspolicy344AC936": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "inspector2:Enable", "Effect": "Allow", "Resource": "*" }, { "Action": "iam:CreateServiceLinkedRole", "Condition": { "StringEquals": { "iam:AWSServiceName": [ "inspector2.amazonaws.com", "agentless.inspector2.amazonaws.com" ] } }, "Effect": "Allow", "Resource": "*" } ], "Version": "2012-10-17" }, "PolicyName": "SixPillars-inspector-access-policy", "Roles": [ { "Ref": "SixPillarsEnableInspectorRole03052BBA" } ] }, "Metadata": { "aws:cdk:path": "SixPillarRoleStack/inspector-access-policy/Resource" }, "Condition": "EnableInspectorRoleCondition" }, "SixPillarsEnableResourceTaggingRoleB42E9228": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "sts:ExternalId": { "Ref": "ExternalId" } } }, "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:aws:iam::", { "Ref": "AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "Description": "Allows 6pillars application to gain access to enable Resource Tagging.", "MaxSessionDuration": 3600, "RoleName": "SixPillarsEnableResourceTaggingRole" }, "Metadata": { "aws:cdk:path": "SixPillarRoleStack/SixPillarsEnableResourceTaggingRole/Resource" }, "Condition": "EnableResourceTaggingRoleCondition" }, "sixpillarsresourceexplorerresourcegroupsaccess27E4AD02": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "sts:AssumeRole", "ec2:CreateNetworkInterface", "ec2:DescribeNetworkInterfaces", "ec2:DeleteNetworkInterface", "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", "ssm:GetParameter", 
"secretsmanager:GetSecretValue", "account:ListRegions", "iam:CreateServiceLinkedRole", "resource-explorer-2:CreateIndex", "resource-explorer-2:ListIndexes", "resource-explorer-2:UpdateIndexType", "resource-explorer-2:CreateView", "resource-explorer-2:AssociateDefaultView", "resource-explorer-2:GetDefaultView", "resource-explorer-2:Search", "resource-explorer-2:ListViews", "resource-explorer-2:GetView", "resource-explorer-2:DeleteView", "resource-groups:ListGroups", "resource-groups:CreateGroup", "resource-groups:ListGroupResources", "resource-groups:GetGroupQuery", "resource-groups:DeleteGroup", "cloudformation:DescribeStacks", "cloudformation:ListStackResources" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "a4b:TagResource", "a4b:UntagResource", "access-analyzer:TagResource", "access-analyzer:UntagResource", "acm-pca:TagCertificateAuthority", "acm-pca:UntagCertificateAuthority", "acm:AddTagsToCertificate", "acm:RemoveTagsFromCertificate", "amplify:TagResource", "amplify:UntagResource", "appconfig:TagResource", "appconfig:UntagResource", "appflow:TagResource", "appflow:UntagResource", "appmesh:TagResource", "appmesh:UntagResource", "appstream:TagResource", "appstream:UntagResource", "appsync:TagResource", "appsync:UntagResource", "athena:TagResource", "athena:UntagResource", "auditmanager:TagResource", "auditmanager:UntagResource", "autoscaling:CreateOrUpdateTags", "autoscaling:DeleteTags", "backup:TagResource", "backup:UntagResource", "batch:TagResource", "batch:UntagResource", "braket:TagResource", "braket:UntagResource", "cassandra:TagResource", "cassandra:UntagResource", "chime:TagResource", "chime:UntagResource", "cloud9:TagResource", "cloud9:UntagResource", "clouddirectory:TagResource", "clouddirectory:UntagResource", "cloudfront:TagResource", "cloudfront:UntagResource", "cloudhsm:TagResource", "cloudhsm:UntagResource", "cloudtrail:AddTags", "cloudtrail:RemoveTags", "cloudwatch:TagResource", "cloudwatch:UntagResource", "codeartifact:TagResource", 
"codeartifact:UntagResource", "codecommit:TagResource", "codecommit:UntagResource", "codedeploy:AddTagsToOnPremisesInstances", "codedeploy:RemoveTagsFromOnPremisesInstances", "codedeploy:TagResource", "codedeploy:UntagResource", "codeguru-profiler:TagResource", "codeguru-profiler:UntagResource", "codepipeline:TagResource", "codepipeline:UntagResource", "codestar-connections:TagResource", "codestar-connections:UntagResource", "codestar:TagProject", "codestar:UntagProject", "cognito-identity:TagResource", "cognito-identity:UntagResource", "cognito-idp:TagResource", "cognito-idp:UntagResource", "comprehend:TagResource", "comprehend:UntagResource", "config:TagResource", "config:UntagResource", "connect:TagResource", "connect:UntagResource", "dataexchange:TagResource", "dataexchange:UntagResource", "datapipeline:AddTags", "datapipeline:RemoveTags", "datasync:TagResource", "datasync:UntagResource", "deepcomposer:TagResource", "deepcomposer:UntagResource", "detective:TagResource", "detective:UntagResource", "devicefarm:TagResource", "devicefarm:UntagResource", "directconnect:TagResource", "directconnect:UntagResource", "dlm:TagResource", "dlm:UntagResource", "dms:AddTagsToResource", "dms:RemoveTagsFromResource", "dynamodb:TagResource", "dynamodb:UntagResource", "ec2:CreateTags", "ec2:DeleteTags", "ecr:TagResource", "ecr:UntagResource", "ecs:TagResource", "ecs:UntagResource", "eks:TagResource", "eks:UntagResource", "elastic-inference:TagResource", "elastic-inference:UntagResource", "elasticache:AddTagsToResource", "elasticache:RemoveTagsFromResource", "elasticbeanstalk:UpdateTagsForResource", "elasticfilesystem:CreateTags", "elasticfilesystem:DeleteTags", "elasticloadbalancing:AddTags", "elasticloadbalancing:RemoveTags", "elasticmapreduce:AddTags", "elasticmapreduce:RemoveTags", "emr-containers:TagResource", "emr-containers:UntagResource", "es:AddTags", "es:RemoveTags", "events:TagResource", "events:UntagResource", "firehose:TagDeliveryStream", 
"firehose:UntagDeliveryStream", "fms:TagResource", "fms:UntagResource", "forecast:TagResource", "forecast:UntagResource", "frauddetector:TagResource", "frauddetector:UntagResource", "fsx:TagResource", "fsx:UntagResource", "gamelift:TagResource", "gamelift:UntagResource", "glacier:AddTagsToVault", "glacier:RemoveTagsFromVault", "globalaccelerator:TagResource", "globalaccelerator:UntagResource", "glue:TagResource", "glue:UntagResource", "greengrass:TagResource", "greengrass:UntagResource", "groundstation:TagResource", "groundstation:UntagResource", "guardduty:TagResource", "guardduty:UntagResource", "iam:TagInstanceProfile", "iam:TagMFADevice", "iam:TagOpenIDConnectProvider", "iam:TagPolicy", "iam:TagRole", "iam:TagSAMLProvider", "iam:TagServerCertificate", "iam:TagUser", "iam:UntagInstanceProfile", "iam:UntagMFADevice", "iam:UntagOpenIDConnectProvider", "iam:UntagPolicy", "iam:UntagRole", "iam:UntagSAMLProvider", "iam:UntagServerCertificate", "iam:UntagUser", "imagebuilder:TagResource", "imagebuilder:UntagResource", "inspector:ListTagsForResource", "inspector:SetTagsForResource", "iot1click:TagResource", "iot1click:UntagResource", "iot:TagResource", "iot:UntagResource", "iotanalytics:TagResource", "iotanalytics:UntagResource", "iotdeviceadvisor:TagResource", "iotdeviceadvisor:UntagResource", "iotevents:TagResource", "iotevents:UntagResource", "iotfleethub:TagResource", "iotfleethub:UntagResource", "iotsitewise:TagResource", "iotsitewise:UntagResource", "iottwinmaker:TagResource", "iottwinmaker:UntagResource", "iotwireless:TagResource", "iotwireless:UntagResource", "ivs:TagResource", "ivs:UntagResource", "kafka:TagResource", "kafka:UntagResource", "kendra:TagResource", "kendra:UntagResource", "kinesis:AddTagsToStream", "kinesis:RemoveTagsFromStream", "kinesisanalytics:TagResource", "kinesisanalytics:UntagResource", "kms:TagResource", "kms:UntagResource", "lambda:TagResource", "lambda:UntagResource", "lex:TagResource", "lex:UntagResource", 
"license-manager:TagResource", "license-manager:UntagResource", "lightsail:TagResource", "lightsail:UntagResource", "logs:TagLogGroup", "logs:TagResource", "logs:UntagLogGroup", "logs:UntagResource", "lookoutequipment:TagResource", "lookoutequipment:UntagResource", "machinelearning:AddTags", "machinelearning:DeleteTags", "macie2:TagResource", "macie2:UntagResource", "managedblockchain:TagResource", "managedblockchain:UntagResource", "mediaconnect:TagResource", "mediaconnect:UntagResource", "mediaconvert:TagResource", "mediaconvert:UntagResource", "medialive:CreateTags", "medialive:DeleteTags", "mediapackage-vod:TagResource", "mediapackage-vod:UntagResource", "mediapackage:TagResource", "mediapackage:UntagResource", "mediatailor:TagResource", "mediatailor:UntagResource", "mobiletargeting:TagResource", "mobiletargeting:UntagResource", "mq:CreateTags", "mq:DeleteTags", "neptune-graph:TagResource", "neptune-graph:UntagResource", "network-firewall:TagResource", "network-firewall:UntagResource", "networkmanager:TagResource", "networkmanager:UntagResource", "opsworks-cm:TagResource", "opsworks-cm:UntagResource", "opsworks:TagResource", "opsworks:UntagResource", "organizations:TagResource", "organizations:UntagResource", "outposts:TagResource", "outposts:UntagResource", "qldb:TagResource", "qldb:UntagResource", "quicksight:TagResource", "quicksight:UntagResource", "ram:TagResource", "ram:UntagResource", "rds:AddTagsToResource", "rds:RemoveTagsFromResource", "redshift:CreateTags", "redshift:DeleteTags", "resource-explorer-2:TagResource", "resource-explorer-2:UntagResource", "resource-groups:Tag", "resource-groups:Untag", "robomaker:TagResource", "robomaker:UntagResource", "route53:ChangeTagsForResource", "route53domains:DeleteTagsForDomain", "route53domains:UpdateTagsForDomain", "route53resolver:TagResource", "route53resolver:UntagResource", "s3:GetBucketTagging", "s3:GetJobTagging", "s3:GetObjectTagging", "s3:GetObjectVersionTagging", 
"s3:GetStorageLensConfigurationTagging", "s3:DeleteJobTagging", "s3:DeleteObjectTagging", "s3:DeleteObjectVersionTagging", "s3:ListBucket", "s3:PutBucketTagging", "s3:PutJobTagging", "s3:PutObjectTagging", "s3:PutObjectVersionTagging", "s3:PutStorageLensConfigurationTagging", "s3:DeleteStorageLensConfigurationTagging", "s3:TagResource", "s3:UntagResource", "sagemaker:AddTags", "sagemaker:DeleteTags", "savingsplans:TagResource", "savingsplans:UntagResource", "schemas:TagResource", "schemas:UntagResource", "secretsmanager:TagResource", "secretsmanager:UntagResource", "securityhub:TagResource", "securityhub:UntagResource", "servicediscovery:TagResource", "servicediscovery:UntagResource", "servicequotas:TagResource", "servicequotas:UntagResource", "ses:TagResource", "ses:UntagResource", "sns:TagResource", "sns:UntagResource", "sqs:TagQueue", "sqs:UntagQueue", "ssm:GetParameter", "ssm:AddTagsToResource", "ssm:RemoveTagsFromResource", "states:TagResource", "states:UntagResource", "storagegateway:AddTagsToResource", "storagegateway:RemoveTagsFromResource", "swf:TagResource", "swf:UntagResource", "synthetics:TagResource", "synthetics:UntagResource", "tag:GetResources", "tag:TagResources", "tag:UntagResources", "transfer:TagResource", "transfer:UntagResource", "waf-regional:TagResource", "waf-regional:UntagResource", "waf:TagResource", "waf:UntagResource", "wafv2:TagResource", "wafv2:UntagResource", "worklink:TagResource", "worklink:UntagResource", "workmail:TagResource", "workmail:UntagResource", "workspaces:CreateTags", "workspaces:DeleteTags", "xray:TagResource", "xray:UntagResource", "kinesisvideo:TagResource", "kinesisvideo:UntagResource", "redshift-serverless:TagResource", "redshift-serverless:UntagResource", "route53-recovery-control-config:TagResource", "route53-recovery-control-config:UntagResource", "route53-recovery-readiness:TagResource", "route53-recovery-readiness:UntagResource", "ssm-contacts:TagResource", "ssm-contacts:UntagResource", 
"ssm-incidents:TagResource", "ssm-incidents:UntagResource", "vpc-lattice:TagResource", "vpc-lattice:UntagResource", "workspaces-web:TagResource", "workspaces-web:UntagResource" ], "Effect": "Allow", "Resource": "*" } ], "Version": "2012-10-17" }, "PolicyName": "6pillars-resource-explorer-resource-groups-access", "Roles": [ { "Ref": "SixPillarsEnableResourceTaggingRoleB42E9228" } ] }, "Metadata": { "aws:cdk:path": "SixPillarRoleStack/six-pillars-resource-explorer-resource-groups-access/Resource" }, "Condition": "EnableResourceTaggingRoleCondition" }, "SixPillarsCloudwatchRoleD11B18C6": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "sts:ExternalId": { "Ref": "ExternalId" } } }, "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:aws:iam::", { "Ref": "AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "Description": "Allows 6pillars application to gain access to change cloudwatch config.", "MaxSessionDuration": 3600, "RoleName": "SixPillarsCloudwatchRole" }, "Metadata": { "aws:cdk:path": "SixPillarRoleStack/SixPillarsCloudwatchRole/Resource" }, "Condition": "EnableCloudwatchRoleCondition" }, "cloudwatchpolicy19111BB6": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "sns:ListSubscriptionsByTopic", "Effect": "Allow", "Resource": "*" }, { "Action": [ "cloudwatch:DescribeAlarms", "cloudwatch:PutMetricAlarm" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": "arn:aws:ssm:*:*:parameter/Solutions/SO0111/SNS_Topic_CIS3.x" } ], "Version": "2012-10-17" }, "PolicyName": "SixPillars-cloudwatch-access-policy", "Roles": [ { "Ref": "SixPillarsCloudwatchRoleD11B18C6" } ] }, "Metadata": { "aws:cdk:path": "SixPillarRoleStack/cloudwatch-policy/Resource" }, "Condition": "EnableCloudwatchRoleCondition" }, "CDKMetadata": { "Type": 
"AWS::CDK::Metadata", "Properties": { "Analytics": "v2:deflate64:H4sIAAAAAAAA/1WMUQrCMBBEz9L/dE30CP0WQjyArEnUtUkWkpRSSu8upoL49YY3wxxBSQmyw7n01o19oBusl4p2FMM9acwYffVZ4FyuhBFWw8F/qkbNgezSlns6Y8KHdz//JzZhfOEp2/YwcHJUiVO7+xab0Et9cjqcQClQqnsVoj5PqVL0YHa+AacBa561AAAA" }, "Metadata": { "aws:cdk:path": "SixPillarRoleStack/CDKMetadata/Default" }, "Condition": "CDKMetadataAvailable" } }, "Conditions": { "EnableSixPillarsDeployAccessCondition": { "Fn::Equals": [ { "Ref": "EnableSixPillarsDeployAccess" }, "YES" ] }, "EnableGuardDutyRoleCondition": { "Fn::Equals": [ { "Ref": "EnableGuardDutyRole" }, "YES" ] }, "EnableMacieRoleCondition": { "Fn::Equals": [ { "Ref": "EnableMacieRole" }, "YES" ] }, "EnableInspectorRoleCondition": { "Fn::Equals": [ { "Ref": "EnableInspectorRole" }, "YES" ] }, "EnableResourceTaggingRoleCondition": { "Fn::Equals": [ { "Ref": "EnableResourceTaggingRole" }, "YES" ] }, "EnableCloudwatchRoleCondition": { "Fn::Equals": [ { "Ref": "EnableCloudWatchRole" }, "YES" ] } } }