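---
AWSTemplateFormatVersion: '2010-09-09'
Description: Cross Account IAM role in each member account to automate SecurityHub update controls

Parameters:
  SecurityHubAdminAccountId:
    Type: String
    MinLength: 12
    MaxLength: 12
    # Min/MaxLength alone accept any 12 characters; the pattern rejects
    # non-digit input before it is interpolated into the trust-policy ARN below.
    AllowedPattern: '^[0-9]{12}$'
    ConstraintDescription: Must be a 12 digit AWS account id
    Description: 12 digit account id of SecurityHub Administrator account
  IAMRolePath:
    Type: String
    Default: "/"
    Description: Path for IAM Role
  IAMRoleName:
    Type: String
    Default: "securityhub-UpdateControl-role"
    Description: Name of IAM Role

Resources:
  # Member-account role that the SecurityHub administrator account assumes to
  # read and update SecurityHub standards/controls. Because RoleName is fixed,
  # the stack needs CAPABILITY_NAMED_IAM at create/update time.
  AssumeRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref IAMRoleName
      Path: !Ref IAMRolePath
      Policies:
        - PolicyName: "UpdateSecurityHub"
          PolicyDocument:
            Version: '2012-10-17'
            # Written as a list for consistency with the trust policy below
            # (IAM accepts both forms; a list is the documented shape).
            Statement:
              - Effect: Allow
                Action:
                  - securityhub:Get*
                  - securityhub:List*
                  - securityhub:Describe*
                  - securityhub:UpdateStandardsControl
                  - securityhub:BatchDisableStandards
                  - securityhub:BatchEnableStandards
                Resource: "*"
      # Trust policy: which principals may assume this role.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            # Trusting the administrator account's root means any principal in
            # that account whose own IAM policy allows sts:AssumeRole on this
            # role can assume it. Add a Condition (e.g. on aws:PrincipalArn) if
            # only a specific automation role should be trusted.
            Principal:
              # AWS::Partition keeps the ARN valid outside the standard
              # partition (e.g. aws-us-gov, aws-cn).
              AWS: !Sub "arn:${AWS::Partition}:iam::${SecurityHubAdminAccountId}:root"
            Action: sts:AssumeRole

Outputs:
  IAMRoleArn:
    Value: !GetAtt AssumeRole.Arn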