{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Parameters": {
		"ADAPASAAuditPolicyName": {
			"Default": "ADAP_ASA_Audit_Policy",
			"Description": "Name for the managed policy. This policy contains the list of permissions required by Attack Surface Analyzer.",
			"ConstraintDescription": "Use only alphanumeric and '+=,.@_-' characters. Maximum length is 128 characters.",
			"Type": "String",
			"MinLength": "1",
			"MaxLength": "128",
			"AllowedPattern": "[a-zA-Z0-9+=,.@\\-_]*"
		},
		"UseExistingUser": {
			"Type": "String",
			"Description": "Whether to use an existing IAM user. If 'true', the existing user is used; otherwise a new user is created.",
			"Default": "false",
			"AllowedValues": [
				"true",
				"false"
			]
		},
		"ADAPASAAuditUserName": {
			"Default": "ADAP_ASA_Audit_User",
			"Description": "Name of the user to create, or name of the existing user to reuse. This user will be used to discover resources and collect audit logs.",
			"ConstraintDescription": "Use only alphanumeric and '+=,.@_-' characters. Maximum length is 64 characters.",
			"Type": "String",
			"MinLength": "1",
			"MaxLength": "64",
			"AllowedPattern": "[a-zA-Z0-9+=,.@\\-_]*"
		}
	},
	"Conditions": {
		"CreateNewUserCondition": {
			"Fn::Equals": [
				{
					"Ref": "UseExistingUser"
				},
				"false"
			]
		},
		"UseExisingUserCondition": {
			"Fn::Equals": [
				{
					"Ref": "UseExistingUser"
				},
				"true"
			]
		}
	},
	"Resources": {
		"ADAPASAAuditUser": {
			"Type": "AWS::IAM::User",
			"Condition": "CreateNewUserCondition",
			"Properties": {
				"UserName": {
					"Ref": "ADAPASAAuditUserName"
				}
			}
		},
		"ADAPASAAuditPolicyNewUser": {
			"Type": "AWS::IAM::ManagedPolicy",
			"Condition": "CreateNewUserCondition",
			"Properties": {
				"ManagedPolicyName": {
					"Ref": "ADAPASAAuditPolicyName"
				},
				"PolicyDocument": {
					"Version": "2012-10-17",
					"Statement": [
						{
							"Sid": "ServicePermissions0",
							"Effect": "Allow",
							"Action": [
								"autoscaling:DescribeAutoScalingGroups",
								"autoscaling:DescribeLaunchConfigurations",
								"autoscaling:DescribeNotificationConfigurations",
								"cloudfront:GetDistribution",
								"cloudfront:ListDistributions",
								"cloudtrail:DescribeTrails",
								"cloudtrail:GetEventSelectors",
								"cloudtrail:GetTrailStatus",
								"cloudtrail:ListTags",
								"cloudtrail:LookupEvents",
								"cloudwatch:DescribeAlarms",
								"codebuild:BatchGetProjects",
								"codebuild:ListProjects",
								"config:DescribeComplianceByConfigRule",
								"config:DescribeConfigRules",
								"config:DescribeConfigurationRecorders",
								"config:DescribeConfigurationRecorderStatus",
								"config:DescribeDeliveryChannels",
								"config:GetComplianceDetailsByConfigRule",
								"config:GetDiscoveredResourceCounts",
								"dax:DescribeClusters",
								"dynamodb:DescribeContinuousBackups",
								"dynamodb:DescribeTable",
								"dynamodb:ListBackups",
								"dynamodb:ListTables",
								"dynamodb:ListTagsOfResource",
								"ec2:DescribeAccountAttributes",
								"ec2:DescribeAddresses",
								"ec2:DescribeAvailabilityZones",
								"ec2:DescribeCustomerGateways",
								"ec2:DescribeDhcpOptions",
								"ec2:DescribeEgressOnlyInternetGateways",
								"ec2:DescribeImages",
								"ec2:DescribeInstances",
								"ec2:DescribeInstanceStatus",
								"ec2:DescribeInternetGateways",
								"ec2:DescribeFlowLogs",
								"ec2:DescribeKeyPairs",
								"ec2:DescribeLaunchTemplates",
								"ec2:DescribeManagedPrefixLists",
								"ec2:DescribeNatGateways",
								"ec2:DescribeNetworkAcls",
								"ec2:DescribeNetworkInterfaces",
								"ec2:DescribeRegions",
								"ec2:DescribeRouteTables",
								"ec2:DescribeSecurityGroupRules",
								"ec2:DescribeSecurityGroups",
								"ec2:DescribeSnapshotAttribute",
								"ec2:DescribeSnapshots",
								"ec2:DescribeSubnets",
								"ec2:DescribeVolumes",
								"ec2:DescribeVpcEndpoints",
								"ec2:DescribeVpcEndpointServicePermissions",
								"ec2:DescribeVpcEndpointServices",
								"ec2:DescribeVpcPeeringConnections",
								"ec2:DescribeVpcs",
								"ec2:DescribeVpnConnections",
								"ec2:DescribeVpnGateways",
								"ec2:GetEbsEncryptionByDefault",
								"ec2:GetManagedPrefixListEntries",
								"elasticache:DescribeCacheClusters",
								"elasticache:DescribeCacheSubnetGroups",
								"elasticache:DescribeReplicationGroups",
								"elasticache:DescribeReservedCacheNodes",
								"elasticache:DescribeSnapshots",
								"elasticache:ListTagsForResource",
								"elasticbeanstalk:DescribeApplications",
								"elasticbeanstalk:DescribeConfigurationSettings",
								"elasticbeanstalk:DescribeEnvironments",
								"elasticfilesystem:DescribeBackupPolicy",
								"elasticfilesystem:DescribeFileSystems",
								"elasticloadbalancing:DescribeListeners",
								"elasticloadbalancing:DescribeLoadBalancerAttributes",
								"elasticloadbalancing:DescribeLoadBalancerPolicies",
								"elasticloadbalancing:DescribeLoadBalancers",
								"elasticloadbalancing:DescribeTags",
								"elasticloadbalancing:DescribeTargetGroupAttributes",
								"elasticloadbalancing:DescribeTargetGroups",
								"elasticloadbalancing:DescribeTargetHealth",
								"iam:GenerateCredentialReport",
								"iam:GetAccountPasswordPolicy",
								"iam:GetCredentialReport",
								"iam:GetGroup",
								"iam:GetGroupPolicy",
								"iam:GetPolicyVersion",
								"iam:GetRole",
								"iam:GetRolePolicy",
								"iam:GetUserPolicy",
								"iam:ListAttachedGroupPolicies",
								"iam:ListAttachedRolePolicies",
								"iam:ListAttachedUserPolicies",
								"iam:ListGroupPolicies",
								"iam:ListGroups",
								"iam:ListPolicies",
								"iam:ListRolePolicies",
								"iam:ListRoles",
								"iam:ListRoleTags",
								"iam:ListServerCertificates",
								"iam:ListSSHPublicKeys",
								"iam:ListUserPolicies",
								"iam:ListUsers",
								"iam:ListUserTags",
								"iam:ListVirtualMFADevices",
								"kms:DescribeKey",
								"kms:GetKeyPolicy",
								"kms:GetKeyRotationStatus",
								"kms:ListAliases",
								"kms:ListGrants",
								"kms:ListKeys",
								"kms:ListResourceTags",
								"lambda:GetPolicy",
								"lambda:ListFunctions",
								"lambda:ListFunctionUrlConfigs",
								"lambda:ListTags",
								"logs:DescribeLogGroups",
								"logs:DescribeLogStreams",
								"logs:GetLogEvents",
								"logs:Unmask",
								"logs:DescribeMetricFilters",
								"memorydb:DescribeClusters",
								"memorydb:DescribeSubnetGroups",
								"rds:DescribeDBClusterParameterGroups",
								"rds:DescribeDBClusterParameters",
								"rds:DescribeDBClusters",
								"rds:DescribeDBEngineVersions",
								"rds:DescribeDBInstances",
								"rds:DescribeDBParameterGroups",
								"rds:DescribeDBParameters",
								"rds:DescribeDBSnapshotAttributes",
								"rds:DescribeDBSnapshots",
								"rds:DescribeEventSubscriptions",
								"route53:ListHostedZones",
								"route53:ListResourceRecordSets",
								"route53domains:GetDomainDetail",
								"route53domains:ListDomains",
								"s3:GetAccelerateConfiguration",
								"s3:GetAccountPublicAccessBlock",
								"s3:GetBucketAcl",
								"s3:GetBucketLocation",
								"s3:GetBucketLogging",
								"s3:GetBucketObjectLockConfiguration",
								"s3:GetBucketOwnershipControls",
								"s3:GetBucketPolicy",
								"s3:GetBucketPolicyStatus",
								"s3:GetBucketPublicAccessBlock",
								"s3:GetBucketTagging",
								"s3:GetBucketVersioning",
								"s3:GetBucketWebsite",
								"s3:GetEncryptionConfiguration",
								"s3:GetLifecycleConfiguration",
								"s3:GetObject",
								"s3:GetObjectAcl",
								"s3:GetObjectVersion",
								"s3:GetObjectVersionAcl",
								"s3:ListAllMyBuckets",
								"s3:ListBucket",
								"sns:GetTopicAttributes",
								"sns:ListSubscriptions",
								"sns:ListTagsForResource",
								"sns:ListTopics",
								"sqs:GetQueueAttributes",
								"sqs:ListQueues",
								"waf-regional:ListResourcesForWebACL",
								"waf-regional:ListWebACLs",
								"waf:ListWebACLs",
								"wafv2:GetWebACL",
								"wafv2:ListResourcesForWebACL",
								"wafv2:ListWebACLs"
							],
							"Resource": "*"
						}
					]
				},
				"Users": [
					{
						"Ref": "ADAPASAAuditUserName"
					}
				]
			},
			"DependsOn": "ADAPASAAuditUser"
		},
		"ADAPASAAuditPolicyExistingUser": {
			"Type": "AWS::IAM::ManagedPolicy",
			"Condition": "UseExisingUserCondition",
			"Properties": {
				"ManagedPolicyName": {
					"Ref": "ADAPASAAuditPolicyName"
				},
				"PolicyDocument": {
					"Version": "2012-10-17",
					"Statement": [
						{
							"Sid": "ServicePermissions0",
							"Effect": "Allow",
							"Action": [
								"autoscaling:DescribeAutoScalingGroups",
								"autoscaling:DescribeLaunchConfigurations",
								"autoscaling:DescribeNotificationConfigurations",
								"cloudfront:GetDistribution",
								"cloudfront:ListDistributions",
								"cloudtrail:DescribeTrails",
								"cloudtrail:GetEventSelectors",
								"cloudtrail:GetTrailStatus",
								"cloudtrail:ListTags",
								"cloudtrail:LookupEvents",
								"cloudwatch:DescribeAlarms",
								"codebuild:BatchGetProjects",
								"codebuild:ListProjects",
								"config:DescribeComplianceByConfigRule",
								"config:DescribeConfigRules",
								"config:DescribeConfigurationRecorders",
								"config:DescribeConfigurationRecorderStatus",
								"config:DescribeDeliveryChannels",
								"config:GetComplianceDetailsByConfigRule",
								"config:GetDiscoveredResourceCounts",
								"dax:DescribeClusters",
								"dynamodb:DescribeContinuousBackups",
								"dynamodb:DescribeTable",
								"dynamodb:ListBackups",
								"dynamodb:ListTables",
								"dynamodb:ListTagsOfResource",
								"ec2:DescribeAccountAttributes",
								"ec2:DescribeAddresses",
								"ec2:DescribeAvailabilityZones",
								"ec2:DescribeCustomerGateways",
								"ec2:DescribeDhcpOptions",
								"ec2:DescribeEgressOnlyInternetGateways",
								"ec2:DescribeImages",
								"ec2:DescribeInstances",
								"ec2:DescribeInstanceStatus",
								"ec2:DescribeInternetGateways",
								"ec2:DescribeFlowLogs",
								"ec2:DescribeKeyPairs",
								"ec2:DescribeLaunchTemplates",
								"ec2:DescribeManagedPrefixLists",
								"ec2:DescribeNatGateways",
								"ec2:DescribeNetworkAcls",
								"ec2:DescribeNetworkInterfaces",
								"ec2:DescribeRegions",
								"ec2:DescribeRouteTables",
								"ec2:DescribeSecurityGroupRules",
								"ec2:DescribeSecurityGroups",
								"ec2:DescribeSnapshotAttribute",
								"ec2:DescribeSnapshots",
								"ec2:DescribeSubnets",
								"ec2:DescribeVolumes",
								"ec2:DescribeVpcEndpoints",
								"ec2:DescribeVpcEndpointServicePermissions",
								"ec2:DescribeVpcEndpointServices",
								"ec2:DescribeVpcPeeringConnections",
								"ec2:DescribeVpcs",
								"ec2:DescribeVpnConnections",
								"ec2:DescribeVpnGateways",
								"ec2:GetEbsEncryptionByDefault",
								"ec2:GetManagedPrefixListEntries",
								"elasticache:DescribeCacheClusters",
								"elasticache:DescribeCacheSubnetGroups",
								"elasticache:DescribeReplicationGroups",
								"elasticache:DescribeReservedCacheNodes",
								"elasticache:DescribeSnapshots",
								"elasticache:ListTagsForResource",
								"elasticbeanstalk:DescribeApplications",
								"elasticbeanstalk:DescribeConfigurationSettings",
								"elasticbeanstalk:DescribeEnvironments",
								"elasticfilesystem:DescribeBackupPolicy",
								"elasticfilesystem:DescribeFileSystems",
								"elasticloadbalancing:DescribeListeners",
								"elasticloadbalancing:DescribeLoadBalancerAttributes",
								"elasticloadbalancing:DescribeLoadBalancerPolicies",
								"elasticloadbalancing:DescribeLoadBalancers",
								"elasticloadbalancing:DescribeTags",
								"elasticloadbalancing:DescribeTargetGroupAttributes",
								"elasticloadbalancing:DescribeTargetGroups",
								"elasticloadbalancing:DescribeTargetHealth",
								"iam:GenerateCredentialReport",
								"iam:GetAccountPasswordPolicy",
								"iam:GetCredentialReport",
								"iam:GetGroup",
								"iam:GetGroupPolicy",
								"iam:GetPolicyVersion",
								"iam:GetRole",
								"iam:GetRolePolicy",
								"iam:GetUserPolicy",
								"iam:ListAttachedGroupPolicies",
								"iam:ListAttachedRolePolicies",
								"iam:ListAttachedUserPolicies",
								"iam:ListGroupPolicies",
								"iam:ListGroups",
								"iam:ListPolicies",
								"iam:ListRolePolicies",
								"iam:ListRoles",
								"iam:ListRoleTags",
								"iam:ListServerCertificates",
								"iam:ListSSHPublicKeys",
								"iam:ListUserPolicies",
								"iam:ListUsers",
								"iam:ListUserTags",
								"iam:ListVirtualMFADevices",
								"kms:DescribeKey",
								"kms:GetKeyPolicy",
								"kms:GetKeyRotationStatus",
								"kms:ListAliases",
								"kms:ListGrants",
								"kms:ListKeys",
								"kms:ListResourceTags",
								"lambda:GetPolicy",
								"lambda:ListFunctions",
								"lambda:ListFunctionUrlConfigs",
								"lambda:ListTags",
								"logs:DescribeLogGroups",
								"logs:DescribeLogStreams",
								"logs:GetLogEvents",
								"logs:Unmask",
								"logs:DescribeMetricFilters",
								"memorydb:DescribeClusters",
								"memorydb:DescribeSubnetGroups",
								"rds:DescribeDBClusterParameterGroups",
								"rds:DescribeDBClusterParameters",
								"rds:DescribeDBClusters",
								"rds:DescribeDBEngineVersions",
								"rds:DescribeDBInstances",
								"rds:DescribeDBParameterGroups",
								"rds:DescribeDBParameters",
								"rds:DescribeDBSnapshotAttributes",
								"rds:DescribeDBSnapshots",
								"rds:DescribeEventSubscriptions",
								"route53:ListHostedZones",
								"route53:ListResourceRecordSets",
								"route53domains:GetDomainDetail",
								"route53domains:ListDomains",
								"s3:GetAccelerateConfiguration",
								"s3:GetAccountPublicAccessBlock",
								"s3:GetBucketAcl",
								"s3:GetBucketLocation",
								"s3:GetBucketLogging",
								"s3:GetBucketObjectLockConfiguration",
								"s3:GetBucketOwnershipControls",
								"s3:GetBucketPolicy",
								"s3:GetBucketPolicyStatus",
								"s3:GetBucketPublicAccessBlock",
								"s3:GetBucketTagging",
								"s3:GetBucketVersioning",
								"s3:GetBucketWebsite",
								"s3:GetEncryptionConfiguration",
								"s3:GetLifecycleConfiguration",
								"s3:GetObject",
								"s3:GetObjectAcl",
								"s3:GetObjectVersion",
								"s3:GetObjectVersionAcl",
								"s3:ListAllMyBuckets",
								"s3:ListBucket",
								"sns:GetTopicAttributes",
								"sns:ListSubscriptions",
								"sns:ListTagsForResource",
								"sns:ListTopics",
								"sqs:GetQueueAttributes",
								"sqs:ListQueues",
								"waf-regional:ListResourcesForWebACL",
								"waf-regional:ListWebACLs",
								"waf:ListWebACLs",
								"wafv2:GetWebACL",
								"wafv2:ListResourcesForWebACL",
								"wafv2:ListWebACLs"
							],
							"Resource": "*"
						}
					]
				},
				"Users": [
					{
						"Ref": "ADAPASAAuditUserName"
					}
				]
			}
		}
	}
}