fix-role.cf.template

AWSTemplateFormatVersion: 2010-09-09
Description: This CloudFormation template creates a role in your AWS account that Fix can assume to perform security audits. It also sends a SNS callback notification to Fix with the account ID and name of the role that was created.

Parameters:
  ExternalId:
    Description: Your Fix-assigned External ID (DO NOT EDIT)
    Type: String
  WorkspaceId:
    Description: Your Fix-assigned Workspace ID (DO NOT EDIT)
    Type: String

Outputs:
  FixAccessRoleName:
    Description: Name of the Fix Access Role
    Value: !GetAtt FixAccountCallback.RoleName

Resources:
  FixCrossAccountAccessRole:
    Type: 'AWS::IAM::Role'
    Properties:
      Path: /
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
        - Effect: Allow
          Principal:
            AWS: arn:aws:iam::{{fix_account_id}}:root
          Action:
          - 'sts:AssumeRole'
          - 'sts:TagSession'
          Condition:
            StringEquals:
              'sts:ExternalId': !Ref ExternalId
      MaxSessionDuration: 10800
      ManagedPolicyArns:
      - 'arn:aws:iam::aws:policy/ReadOnlyAccess'
      Policies:
      - PolicyName: FixOrgList
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
          - Effect: Allow
            Resource: '*'
            Action:
            - organizations:List*
            - organizations:Describe*
            - ec2:DescribeRegions
            - iam:ListAccountAliases
      - PolicyName: FixPricingList
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
          - Effect: Allow
            Resource: '*'
            Action:
            - pricing:DescribeServices
            - pricing:GetAttributeValues
            - pricing:GetProducts
      - PolicyName: FixRevokeUnnecessaryPermissions
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
          - Effect: Deny
            Resource: '*'
            Action:
            - athena:GetQueryResults
            - cloudformation:GetTemplate
            - codecommit:GetBlob
            - codecommit:GetCommit
            - codecommit:GetFile
            - codecommit:GetFolder
            - config:SelectAggregateResourceConfig
            - config:SelectResourceConfig
            - directconnect:DescribeConnectionLoa
            - dynamodb:BatchGetItem
            - dynamodb:GetItem
            - dynamodb:Query
            - dynamodb:Scan
            - ec2:GetConsoleOutput
            - ec2:GetConsoleScreenshot
            - ec2:GetPasswordData
            - ecr:BatchGetImage
            - ecr:GetDownloadUrlForLayer
            - glacier:GetJobOutput
            - kinesis:GetRecords
            - lambda:GetFunction
            - lambda:GetLayerVersion
            - rds:DownloadCompleteDBLogFile
            - rds:DownloadDbLogFilePortion
            - s3:GetObject
            - s3:GetObjectVersion
            - sdb:Select*
            - secretsmanager:GetSecretValue
            - sqs:ReceiveMessage
            - ssm:GetParameter
            - ssm:GetParameters
            - ssm:GetParametersByPath

  FixAccountCallback:
    Type: Custom::Function
    Properties:
      StackId: !Ref AWS::StackId
      RoleName: !Ref FixCrossAccountAccessRole
      WorkspaceId: !Ref WorkspaceId
      ExternalId: !Ref ExternalId
      FixEnvironment: "{{environment}}"
      FixStackVersion: "{{unixtime}}"
      ServiceToken: !Sub "arn:aws:sns:${AWS::Region}:{{fix_account_id}}:FixAccountCallbacks"