AUTOMATE (read only) - AWS Cross Account Role Post-Deployment Permissions

Post Deployment Permissions

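AUTOMATE+ (read-only)

Note: although this role is labelled read-only, the template below also grants some write actions. On Security Hub these are `securityhub:UpdateStandardsControl` and `securityhub:BatchUpdateStandardsControlAssociations`; on the Well-Architected Tool they are `wellarchitected:CreateWorkload`, `wellarchitected:UpdateAnswer`, `wellarchitected:CreateMilestone` and `wellarchitected:DeleteWorkload`. Every statement uses `"Resource": "*"`. The trust policy allows `sts:AssumeRole` from the account given in `AccountId` only when `sts:ExternalId` equals the `ExternalId` parameter, and `MaxSessionDuration` is 43200 seconds (12 hours). Compare the action list with what you intend to delegate before creating the stack.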

{ "Description": "Allows application to gain least privileged access to your AWS account.", "Parameters": { "AccountId": { "Type": "String", "Default": "936682280665", "Description": "6pillars's AWS Account Id", "MinLength": 12 }, "ExternalId": { "Type": "String", "Description": "Unique External Id generated by 6pillars" }, "RoleName": { "Type": "String", "Default": "six-pillars-role", "Description": "IAM Role Name" } }, "Resources": { "SixPillarsRoleBB82BD63": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "sts:ExternalId": { "Ref": "ExternalId" } } }, "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:aws:iam::", { "Ref": "AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "Description": "Allows application to gain least privileged access to your AWS account.", "MaxSessionDuration": 43200, "RoleName": { "Ref": "RoleName" } }, "Metadata": { "aws:cdk:path": "SixPillarReadOnlyRoleStack/SixPillarsRole/Resource" } }, "sixpillarsreadonlysecurityhubaccess97F8B1B9": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "securityhub:UpdateStandardsControl", "securityhub:DescribeStandardsControls", "securityhub:GetEnabledStandards", "securityhub:GetFindings", "securityhub:ListMembers", "securityhub:ListStandardsControlAssociations", "securityhub:BatchUpdateStandardsControlAssociations" ], "Effect": "Allow", "Resource": "*" } ], "Version": "2012-10-17" }, "PolicyName": "6pillars-read-only-securityhub-access", "Roles": [ { "Ref": "SixPillarsRoleBB82BD63" } ] }, "Metadata": { "aws:cdk:path": "SixPillarReadOnlyRoleStack/six-pillars-read-only-securityhub-access/Resource" } }, "sixpillarsreadonlywellarchitectedaccessE5AF04C1": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "wellarchitected:CreateWorkload", "wellarchitected:UpdateAnswer", 
"wellarchitected:CreateMilestone", "wellarchitected:DeleteWorkload", "wellarchitected:List*", "wellarchitected:Get*" ], "Effect": "Allow", "Resource": "*" } ], "Version": "2012-10-17" }, "PolicyName": "6pillars-read-only-wellarchitected-access", "Roles": [ { "Ref": "SixPillarsRoleBB82BD63" } ] }, "Metadata": { "aws:cdk:path": "SixPillarReadOnlyRoleStack/six-pillars-read-only-wellarchitected-access/Resource" } }, "sixpillarssupportcontrolaccessC29B6A38": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "support:DescribeSeverityLevels", "Effect": "Allow", "Resource": "*" } ], "Version": "2012-10-17" }, "PolicyName": "6pillars-support-control-access", "Roles": [ { "Ref": "SixPillarsRoleBB82BD63" } ] }, "Metadata": { "aws:cdk:path": "SixPillarReadOnlyRoleStack/six-pillars-support-control-access/Resource" } } } }