cloudformation/watched-account.template.yaml (58 lines of code) (raw):

# This CloudFormation template is deployed as a CloudFormation Stack Set from the root account # The stack set is called "watched-account" and instances of the stack set are called something like "StackSet-abcde-12345". # It is easiest to find a stack set instance in a target account by filtering for stacks with a description matching this template's description. AWSTemplateFormatVersion: 2010-09-09 Description: Sets up a role for monitoring via Security HQ for real time alerting Parameters: SecurityHQAccount: Type: String Description: The ID of the AWS Account the Security HQ application runs in AllowedPattern: "[0-9]{12}" ConstraintDescription: AWS Account IDs are 12-digit numbers SnsTopicArn: Description: Arn of Anghammarad SNS topic Type: String Resources: # role that security HQ can assume # used to get relevant information for the account SecurityHQRole: Type: AWS::IAM::Role Properties: Path: / AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: sts:AssumeRole Principal: AWS: !Sub arn:aws:iam::${SecurityHQAccount}:root Policies: - PolicyName: security-hq-watched-account-access-policy PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Resource: "*" Action: - s3:GetEncryptionConfiguration # Analyse security groups - trustedadvisor:Describe* - trustedadvisor:Refresh* - support:* - ec2:DescribeNetworkInterfaces - ec2:DescribeNetworkInterfaceAttribute - ec2:DescribeRegions - ec2:DescribeSecurityGroups - ec2:DescribeVpcs - elasticfilesystem:DescribeFileSystems - elasticfilesystem:DescribeMountTargets - elasticfilesystem:DescribeMountTargetSecurityGroups # IAM credentials overview - iam:GenerateCredentialReport - iam:GetCredentialReport - cloudformation:DescribeStacks - cloudformation:ListStacks - iam:ListUserTags - iam:ListAccessKeys - iam:ListMFADevices - iam:UpdateAccessKey - iam:DeleteLoginProfile # get AWS inspector results - inspector:List* - inspector:Describe* Outputs: SecurityHQRole: Description: The ARN of a role that Security HQ can assume to lookup details on this account Value: !GetAtt SecurityHQRole.Arn