{ "Description": "(SO0111R) Automated Security Response on AWS Remediation Roles, v3.1.6", "AWSTemplateFormatVersion": "2010-09-09", "Parameters": { "SecHubAdminAccount": { "Type": "String", "AllowedPattern": "^\\d{12}$", "Description": "Admin account number" }, "Namespace": { "Type": "String", "AllowedPattern": "(?!(^xn--|^sthree-|^sthree-configurator|^amzn-s3-demo-|.+-s3alias|.+--ol-s3|.+.mrap|.+--x-s3$))^[a-z0-9][a-z0-9-]{1,7}[a-z0-9]$", "ConstraintDescription": "The Namespace parameter must follow naming restrictions for S3 buckets and have a minimum length of 3 and a maximum length of 9. https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html", "Description": "Choose a unique namespace to be added as a suffix to remediation IAM role names. The same namespace should be used in the Member Roles and Member stacks. This string should be unique for each solution deployment, but does not need to be changed during stack updates.", "MaxLength": 9, "MinLength": 3 } }, "Resources": { "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "SecHubAdminAccount" }, ":role/SO0111-ASR-Orchestrator-Admin" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } } ], "Version": "2012-10-17" }, "Policies": [ { "PolicyDocument": { "Statement": [ { "Action": [ "iam:PassRole", "iam:GetRole" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-*" ] ] } }, { "Action": "ssm:StartAutomationExecution", "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": [ "ssm:DescribeAutomationExecutions", "ssm:GetAutomationExecution" ], "Effect": "Allow", "Resource": "*" }, { "Action": "ssm:DescribeDocument", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:*:document/*" ] ] } }, { "Action": [ "ssm:GetParameters", "ssm:GetParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:*:parameter/Solutions/SO0111/*" ] ] } }, { "Action": "config:DescribeConfigRules", "Effect": "Allow", "Resource": "*" }, { "Action": [ "cloudwatch:PutMetricData", "securityhub:BatchUpdateFindings" ], "Effect": "Allow", "Resource": "*" } ], "Version": "2012-10-17" }, "PolicyName": "member_orchestrator" } ], "RoleName": "SO0111-ASR-Orchestrator-Member", "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] }, "guard": { "SuppressedRules": [ "IAM_NO_INLINE_POLICY_CHECK" ] } } }, "ASRRemediationPolicyCreateCloudTrailMultiRegionTrail7713D52C": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "cloudtrail:CreateTrail", "cloudtrail:UpdateTrail", "cloudtrail:StartLogging", "cloudtrail:AddTags" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":cloudtrail:*:", { "Ref": "AWS::AccountId" }, ":trail/*" ] ] } }, { "Action": "cloudtrail:DescribeTrails", "Effect": "Allow", "Resource": "*" }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/aws-service-role/cloudtrail.amazonaws.com/AWSServiceRoleForCloudTrail" ] ] } }, { "Action": "iam:GetRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/*" ] ] } }, { "Action": "iam:CreateServiceLinkedRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/aws-service-role/*" ] ] } }, { "Action": [ "iam:AddUserToGroup", "iam:AttachGroupPolicy", "iam:AttachRolePolicy", "iam:AttachUserPolicy", "iam:CreatePolicyVersion", "iam:CreateRole", "iam:DeleteGroupPolicy", "iam:DeleteRolePolicy", "iam:DeleteUserPolicy", "iam:DetachGroupPolicy", "iam:DetachRolePolicy", "iam:DetachUserPolicy", "iam:PutGroupPolicy", "iam:PutRolePolicy", "iam:PutUserPolicy", "iam:RemoveUserFromGroup", "iam:SetDefaultPolicyVersion", "iam:UpdateAssumeRolePolicy", "iam:UpdateRole" ], "Effect": "Deny", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":user/*" ] ] } ] }, { "Action": "organizations:ListAWSServiceAccessForOrganization", "Effect": "Allow", "Resource": "*" }, { "Action": [ "s3:CreateBucket", "s3:PutEncryptionConfiguration", "s3:PutBucketPublicAccessBlock", "s3:PutBucketLogging", "s3:PutBucketAcl", "s3:PutBucketPolicy", "s3:PutBucketOwnershipControls" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":s3:::so0111-*" ] ] } }, { "Action": [ "kms:Decrypt", "kms:GenerateDataKey", "kms:DescribeKey", "kms:CreateGrant" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":kms:*:", { "Ref": "AWS::AccountId" }, ":key/*" ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyCreateCloudTrailMultiRegionTrail7713D52C", "Roles": [ { "Ref": "RemediationRoleCreateCloudTrailMultiRegionTrailMemberAccountRoleF70577FF" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for cloudtrail:DescribeTrails to check existing trails and for KMS operations on customer-managed keys." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions." } ] } } }, "RemediationRoleCreateCloudTrailMultiRegionTrailASRMemberBasePolicyF31CFEB8": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-CreateCloudTrailMultiRegionTrail-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-CreateCloudTrailMultiRegionTrail" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-CreateCloudTrailMultiRegionTrail-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleCreateCloudTrailMultiRegionTrailASRMemberBasePolicyF31CFEB8", "Roles": [ { "Ref": "RemediationRoleCreateCloudTrailMultiRegionTrailMemberAccountRoleF70577FF" } ] } }, "RemediationRoleCreateCloudTrailMultiRegionTrailMemberAccountRoleF70577FF": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-CreateCloudTrailMultiRegionTrail-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyCreateLogMetricFilterAndAlarm8937C9B2": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "logs:PutMetricFilter", "cloudwatch:PutMetricAlarm" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":logs:*:", { "Ref": "AWS::AccountId" }, ":log-group:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":cloudwatch:*:", { "Ref": "AWS::AccountId" }, ":alarm:*" ] ] } ] }, { "Action": "logs:CreateLogGroup", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":logs:*:", { "Ref": "AWS::AccountId" }, ":log-group:*" ] ] } }, { "Action": "logs:DescribeLogGroups", "Effect": "Allow", "Resource": "*" }, { "Action": [ "sns:CreateTopic", "sns:SetTopicAttributes" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":sns:*:", { "Ref": "AWS::AccountId" }, ":SO0111-ASR-LocalAlarmNotification" ] ] } }, { "Action": [ "kms:Decrypt", "kms:GenerateDataKey", "kms:DescribeKey", "kms:CreateGrant" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":kms:*:", { "Ref": "AWS::AccountId" }, ":key/*" ] ] } }, { "Action": "ssm:PutParameter", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyCreateLogMetricFilterAndAlarm8937C9B2", "Roles": [ { "Ref": "RemediationRoleCreateLogMetricFilterAndAlarmMemberAccountRoleAA3E3C8A" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for logs:DescribeLogGroups to list all log groups and for KMS operations on customer-managed keys." } ] } } }, "RemediationRoleCreateLogMetricFilterAndAlarmASRMemberBasePolicy9D94C0BA": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-CreateLogMetricFilterAndAlarm-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-CreateLogMetricFilterAndAlarm" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-CreateLogMetricFilterAndAlarm-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleCreateLogMetricFilterAndAlarmASRMemberBasePolicy9D94C0BA", "Roles": [ { "Ref": "RemediationRoleCreateLogMetricFilterAndAlarmMemberAccountRoleAA3E3C8A" } ] } }, "RemediationRoleCreateLogMetricFilterAndAlarmMemberAccountRoleAA3E3C8A": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-CreateLogMetricFilterAndAlarm-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyEnableAutoScalingGroupELBHealthCheckF0CEBAAC": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "autoscaling:UpdateAutoScalingGroup", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":autoscaling:*:", { "Ref": "AWS::AccountId" }, ":autoScalingGroup:*:autoScalingGroupName/*" ] ] } }, { "Action": "autoscaling:DescribeAutoScalingGroups", "Effect": "Allow", "Resource": "*" } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyEnableAutoScalingGroupELBHealthCheckF0CEBAAC", "Roles": [ { "Ref": "RemediationRoleEnableAutoScalingGroupELBHealthCheckMemberAccountRole03AE4AEA" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for to allow remediation for *any* ASG." } ] } } }, "RemediationRoleEnableAutoScalingGroupELBHealthCheckASRMemberBasePolicy9D05ECE1": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableAutoScalingGroupELBHealthCheck-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-EnableAutoScalingGroupELBHealthCheck" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableAutoScalingGroupELBHealthCheck-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleEnableAutoScalingGroupELBHealthCheckASRMemberBasePolicy9D05ECE1", "Roles": [ { "Ref": "RemediationRoleEnableAutoScalingGroupELBHealthCheckMemberAccountRole03AE4AEA" } ] } }, "RemediationRoleEnableAutoScalingGroupELBHealthCheckMemberAccountRole03AE4AEA": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-EnableAutoScalingGroupELBHealthCheck-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyEnableAWSConfig9DF637C7": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "iam:GetRole", "iam:PassRole" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-CreateAccessLoggingBucket-", { "Ref": "Namespace" } ] ] } ] }, { "Action": [ "sns:CreateTopic", "sns:SetTopicAttributes" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":sns:*:", { "Ref": "AWS::AccountId" }, ":SO0111-ASR-AWSConfigNotification" ] ] } }, { "Action": "ssm:StartAutomationExecution", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/ASR-CreateAccessLoggingBucket:*" ] ] } }, { "Action": [ "ssm:GetAutomationExecution", "config:PutConfigurationRecorder", "config:PutDeliveryChannel", "config:DescribeConfigurationRecorders", "config:StartConfigurationRecorder", "config:DescribeDeliveryChannels", "config:DescribeConfigurationRecorderStatus" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "s3:CreateBucket", "s3:PutEncryptionConfiguration", "s3:PutBucketPublicAccessBlock", "s3:PutBucketLogging", "s3:PutBucketAcl", "s3:PutBucketPolicy" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":s3:::so0111-*" ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyEnableAWSConfig9DF637C7", "Roles": [ { "Ref": "RemediationRoleEnableAWSConfigMemberAccountRole3914B25F" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for to allow remediation for *any* resource." } ] } } }, "RemediationRoleEnableAWSConfigASRMemberBasePolicy619A1036": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableAWSConfig-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-EnableAWSConfig" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableAWSConfig-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleEnableAWSConfigASRMemberBasePolicy619A1036", "Roles": [ { "Ref": "RemediationRoleEnableAWSConfigMemberAccountRole3914B25F" } ] } }, "RemediationRoleEnableAWSConfigMemberAccountRole3914B25F": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-EnableAWSConfig-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyEnableCloudTrailToCloudWatchLoggingAA242151": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "cloudtrail:UpdateTrail", "cloudtrail:GetTrail" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":cloudtrail:*:", { "Ref": "AWS::AccountId" }, ":trail/*" ] ] } }, { "Action": [ "s3:GetBucketPolicy", "s3:PutBucketPolicy" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":s3:::*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "ctcwremediationrole7AB69D0B", "Arn" ] } }, { "Action": "iam:GetRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/*" ] ] } }, { "Action": "iam:CreateServiceLinkedRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/aws-service-role/*" ] ] } }, { "Action": [ "iam:AttachRolePolicy", "iam:PutRolePolicy" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/aws-service-role/cloudtrail.amazonaws.com/*" ] ] } }, { "Action": [ "iam:AddUserToGroup", "iam:AttachGroupPolicy", "iam:AttachRolePolicy", "iam:AttachUserPolicy", "iam:CreatePolicyVersion", "iam:CreateRole", "iam:DeleteGroupPolicy", "iam:DeleteRolePolicy", "iam:DeleteUserPolicy", "iam:DetachGroupPolicy", "iam:DetachRolePolicy", "iam:DetachUserPolicy", "iam:PutGroupPolicy", "iam:PutRolePolicy", "iam:PutUserPolicy", "iam:RemoveUserFromGroup", "iam:SetDefaultPolicyVersion", "iam:UpdateAssumeRolePolicy", "iam:UpdateRole" ], "Effect": "Deny", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":user/*" ] ] } ] }, { "Action": "organizations:ListAWSServiceAccessForOrganization", "Effect": "Allow", "Resource": "*" }, { "Action": "logs:CreateLogGroup", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":logs:*:", { "Ref": "AWS::AccountId" }, ":log-group:*" ] ] } }, { "Action": "logs:DescribeLogGroups", "Effect": "Allow", "Resource": "*" } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyEnableCloudTrailToCloudWatchLoggingAA242151", "Roles": [ { "Ref": "RemediationRoleEnableCloudTrailToCloudWatchLoggingMemberAccountRoleE7E9C206" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for to allow creation and description of any log group" }, { "id": "W28", "reason": "Static resource names are required to enable cross-account functionality" } ] } } }, "ctcwremediationrole7AB69D0B": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": { "Fn::Join": [ "", [ "cloudtrail.", { "Ref": "AWS::URLSuffix" } ] ] } } } ], "Version": "2012-10-17" }, "Policies": [ { "PolicyDocument": { "Statement": [ { "Action": "logs:CreateLogStream", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":logs:*:*:log-group:*" ] ] } }, { "Action": "logs:PutLogEvents", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":logs:*:*:log-group:*:log-stream:*" ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "default_lambdaPolicy" } ], "RoleName": { "Fn::Join": [ "", [ "SO0111-CloudTrailToCloudWatchLogs-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "UpdateReplacePolicy": "Retain", "DeletionPolicy": "Retain", "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] }, "guard": { "SuppressedRules": [ "IAM_NO_INLINE_POLICY_CHECK" ] } } }, "RemediationRoleEnableCloudTrailToCloudWatchLoggingASRMemberBasePolicyD5403BD3": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableCloudTrailToCloudWatchLogging-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-EnableCloudTrailToCloudWatchLogging" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableCloudTrailToCloudWatchLogging-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleEnableCloudTrailToCloudWatchLoggingASRMemberBasePolicyD5403BD3", "Roles": [ { "Ref": "RemediationRoleEnableCloudTrailToCloudWatchLoggingMemberAccountRoleE7E9C206" } ] } }, "RemediationRoleEnableCloudTrailToCloudWatchLoggingMemberAccountRoleE7E9C206": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-EnableCloudTrailToCloudWatchLogging-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyEnableCloudTrailEncryptionA9BFF78B": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "cloudtrail:UpdateTrail", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":cloudtrail:*:", { "Ref": "AWS::AccountId" }, ":trail/*" ] ] } }, { "Action": "iam:GetRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/*" ] ] } }, { "Action": "iam:CreateServiceLinkedRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/aws-service-role/*" ] ] } }, { "Action": [ "iam:AttachRolePolicy", "iam:PutRolePolicy" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/aws-service-role/cloudtrail.amazonaws.com/*" ] ] } }, { "Action": [ "iam:AddUserToGroup", "iam:AttachGroupPolicy", "iam:AttachRolePolicy", "iam:AttachUserPolicy", "iam:CreatePolicyVersion", "iam:CreateRole", "iam:DeleteGroupPolicy", "iam:DeleteRolePolicy", "iam:DeleteUserPolicy", "iam:DetachGroupPolicy", "iam:DetachRolePolicy", "iam:DetachUserPolicy", "iam:PutGroupPolicy", "iam:PutRolePolicy", "iam:PutUserPolicy", "iam:RemoveUserFromGroup", "iam:SetDefaultPolicyVersion", "iam:UpdateAssumeRolePolicy", "iam:UpdateRole" ], "Effect": "Deny", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":user/*" ] ] } ] }, { "Action": "organizations:ListAWSServiceAccessForOrganization", "Effect": "Allow", "Resource": "*" } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyEnableCloudTrailEncryptionA9BFF78B", "Roles": [ { "Ref": "RemediationRoleEnableCloudTrailEncryptionMemberAccountRoleA936699B" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for to allow remediation." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions." } ] } } }, "RemediationRoleEnableCloudTrailEncryptionASRMemberBasePolicy6E26C1AB": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableCloudTrailEncryption-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-EnableCloudTrailEncryption" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableCloudTrailEncryption-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleEnableCloudTrailEncryptionASRMemberBasePolicy6E26C1AB", "Roles": [ { "Ref": "RemediationRoleEnableCloudTrailEncryptionMemberAccountRoleA936699B" } ] } }, "RemediationRoleEnableCloudTrailEncryptionMemberAccountRoleA936699B": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-EnableCloudTrailEncryption-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyEnableDefaultEncryptionS3281EC5FA": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "s3:PutEncryptionConfiguration", "kms:GenerateDataKey" ], "Effect": "Allow", "Resource": "*" } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyEnableDefaultEncryptionS3281EC5FA", "Roles": [ { "Ref": "RemediationRoleEnableDefaultEncryptionS3MemberAccountRoleD9D87C04" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for to allow remediation." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions." } ] } } }, "RemediationRoleEnableDefaultEncryptionS3ASRMemberBasePolicyC22626F6": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableDefaultEncryptionS3-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-EnableDefaultEncryptionS3" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableDefaultEncryptionS3-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleEnableDefaultEncryptionS3ASRMemberBasePolicyC22626F6", "Roles": [ { "Ref": "RemediationRoleEnableDefaultEncryptionS3MemberAccountRoleD9D87C04" } ] } }, "RemediationRoleEnableDefaultEncryptionS3MemberAccountRoleD9D87C04": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-EnableDefaultEncryptionS3-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyEnableVPCFlowLogsB7CEF42E": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "ec2:CreateFlowLogs", "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ec2:*:", { "Ref": "AWS::AccountId" }, ":vpc/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ec2:*:", { "Ref": "AWS::AccountId" }, ":vpc-flow-log/*" ] ] } ] }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableVPCFlowLogs-remediationRole-", { "Ref": "Namespace" } ] ] } }, { "Action": "ssm:GetParameter", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/SO0111/CMK_REMEDIATION_ARN" ] ] } }, { "Action": [ "ec2:DescribeFlowLogs", "logs:DescribeLogGroups" ], "Effect": "Allow", "Resource": "*" }, { "Action": "logs:CreateLogGroup", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":logs:*:", { "Ref": "AWS::AccountId" }, ":log-group:*" ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyEnableVPCFlowLogsB7CEF42E", "Roles": [ { "Ref": "RemediationRoleEnableVPCFlowLogsMemberAccountRoleB79F3729" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for to allow remediation for *any* resources." } ] } } }, "EnableVPCFlowLogsremediationrole00848CDF": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "vpc-flow-logs.amazonaws.com" } } ], "Version": "2012-10-17" }, "Policies": [ { "PolicyDocument": { "Statement": [ { "Action": [ "logs:DescribeLogStreams", "logs:CreateLogGroup" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":logs:*:", { "Ref": "AWS::AccountId" }, ":log-group:*" ] ] } }, { "Action": [ "logs:CreateLogStream", "logs:PutLogEvents" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":logs:*:", { "Ref": "AWS::AccountId" }, ":log-group:*:log-stream:*" ] ] } }, { "Action": "logs:DescribeLogGroups", "Effect": "Allow", "Resource": "*" } ], "Version": "2012-10-17" }, "PolicyName": "default_lambdaPolicy" } ], "RoleName": { "Fn::Join": [ "", [ "SO0111-EnableVPCFlowLogs-remediationRole-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "UpdateReplacePolicy": "Retain", "DeletionPolicy": "Retain", "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] }, "guard": { "SuppressedRules": [ "IAM_NO_INLINE_POLICY_CHECK" ] } } }, "RemediationRoleEnableVPCFlowLogsASRMemberBasePolicy864B8EA2": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableVPCFlowLogs-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-EnableVPCFlowLogs" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableVPCFlowLogs-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleEnableVPCFlowLogsASRMemberBasePolicy864B8EA2", "Roles": [ { "Ref": "RemediationRoleEnableVPCFlowLogsMemberAccountRoleB79F3729" } ] } }, "RemediationRoleEnableVPCFlowLogsMemberAccountRoleB79F3729": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-EnableVPCFlowLogs-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyCreateAccessLoggingBucketE3EEC590": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "s3:CreateBucket", "s3:PutEncryptionConfiguration", "s3:PutBucketAcl", "s3:PutBucketOwnershipControls", "s3:PutBucketPolicy" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":s3:::so0111-*" ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyCreateAccessLoggingBucketE3EEC590", "Roles": [ { "Ref": "RemediationRoleCreateAccessLoggingBucketMemberAccountRole3E1569D8" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for to allow remediation for *any* resources." } ] } } }, "RemediationRoleCreateAccessLoggingBucketASRMemberBasePolicy26E74012": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-CreateAccessLoggingBucket-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-CreateAccessLoggingBucket" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-CreateAccessLoggingBucket-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleCreateAccessLoggingBucketASRMemberBasePolicy26E74012", "Roles": [ { "Ref": "RemediationRoleCreateAccessLoggingBucketMemberAccountRole3E1569D8" } ] } }, "RemediationRoleCreateAccessLoggingBucketMemberAccountRole3E1569D8": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-CreateAccessLoggingBucket-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyMakeEBSSnapshotsPrivate8E0355EB": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "ec2:DescribeSnapshots", "Effect": "Allow", "Resource": "*" }, { "Action": "ec2:ModifySnapshotAttribute", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ec2:*::snapshot/*" ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyMakeEBSSnapshotsPrivate8E0355EB", "Roles": [ { "Ref": "RemediationRoleMakeEBSSnapshotsPrivateMemberAccountRoleFA05CFAF" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for to allow remediation for *any* snapshot." } ] } } }, "RemediationRoleMakeEBSSnapshotsPrivateASRMemberBasePolicy3A55B4F3": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-MakeEBSSnapshotsPrivate-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-MakeEBSSnapshotsPrivate" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-MakeEBSSnapshotsPrivate-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleMakeEBSSnapshotsPrivateASRMemberBasePolicy3A55B4F3", "Roles": [ { "Ref": "RemediationRoleMakeEBSSnapshotsPrivateMemberAccountRoleFA05CFAF" } ] } }, "RemediationRoleMakeEBSSnapshotsPrivateMemberAccountRoleFA05CFAF": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-MakeEBSSnapshotsPrivate-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyMakeRDSSnapshotPrivate384830D9": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "rds:ModifyDBSnapshotAttribute", "rds:ModifyDBClusterSnapshotAttribute" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":snapshot:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":cluster-snapshot:*" ] ] } ] } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyMakeRDSSnapshotPrivate384830D9", "Roles": [ { "Ref": "RemediationRoleMakeRDSSnapshotPrivateMemberAccountRole6760FE6D" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for to allow remediation for *any* snapshot." } ] } } }, "RemediationRoleMakeRDSSnapshotPrivateASRMemberBasePolicy2CA830B3": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-MakeRDSSnapshotPrivate-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-MakeRDSSnapshotPrivate" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-MakeRDSSnapshotPrivate-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleMakeRDSSnapshotPrivateASRMemberBasePolicy2CA830B3", "Roles": [ { "Ref": "RemediationRoleMakeRDSSnapshotPrivateMemberAccountRole6760FE6D" } ] } }, "RemediationRoleMakeRDSSnapshotPrivateMemberAccountRole6760FE6D": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-MakeRDSSnapshotPrivate-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyRemoveLambdaPublicAccessE64C4109": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "lambda:GetPolicy", "lambda:RemovePermission" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":lambda:*:", { "Ref": "AWS::AccountId" }, ":function:*" ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyRemoveLambdaPublicAccessE64C4109", "Roles": [ { "Ref": "RemediationRoleRemoveLambdaPublicAccessMemberAccountRoleB266862C" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for to allow remediation for any resource." } ] } } }, "RemediationRoleRemoveLambdaPublicAccessASRMemberBasePolicy63ECFF55": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-RemoveLambdaPublicAccess-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-RemoveLambdaPublicAccess" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-RemoveLambdaPublicAccess-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleRemoveLambdaPublicAccessASRMemberBasePolicy63ECFF55", "Roles": [ { "Ref": "RemediationRoleRemoveLambdaPublicAccessMemberAccountRoleB266862C" } ] } }, "RemediationRoleRemoveLambdaPublicAccessMemberAccountRoleB266862C": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-RemoveLambdaPublicAccess-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyRevokeUnrotatedKeys25EB4C63": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "iam:UpdateAccessKey", "iam:ListAccessKeys", "iam:GetAccessKeyLastUsed", "iam:GetUser" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":user/*" ] ] } }, { "Action": "config:ListDiscoveredResources", "Effect": "Allow", "Resource": "*" } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyRevokeUnrotatedKeys25EB4C63", "Roles": [ { "Ref": "RemediationRoleRevokeUnrotatedKeysMemberAccountRoleBC193A84" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for to allow remediation for any resource." } ] } } }, "RemediationRoleRevokeUnrotatedKeysASRMemberBasePolicyF8EE3645": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-RevokeUnrotatedKeys-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-RevokeUnrotatedKeys" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-RevokeUnrotatedKeys-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleRevokeUnrotatedKeysASRMemberBasePolicyF8EE3645", "Roles": [ { "Ref": "RemediationRoleRevokeUnrotatedKeysMemberAccountRoleBC193A84" } ] } }, "RemediationRoleRevokeUnrotatedKeysMemberAccountRoleBC193A84": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-RevokeUnrotatedKeys-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicySetSSLBucketPolicy0C3B0C4F": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "s3:GetBucketPolicy", "s3:PutBucketPolicy" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":s3:::*" ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicySetSSLBucketPolicy0C3B0C4F", "Roles": [ { "Ref": "RemediationRoleSetSSLBucketPolicyMemberAccountRoleD6BB5274" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for to allow remediation for *any* resource." } ] } } }, "RemediationRoleSetSSLBucketPolicyASRMemberBasePolicy793A8CE9": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-SetSSLBucketPolicy-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-SetSSLBucketPolicy" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-SetSSLBucketPolicy-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleSetSSLBucketPolicyASRMemberBasePolicy793A8CE9", "Roles": [ { "Ref": "RemediationRoleSetSSLBucketPolicyMemberAccountRoleD6BB5274" } ] } }, "RemediationRoleSetSSLBucketPolicyMemberAccountRoleD6BB5274": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-SetSSLBucketPolicy-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyReplaceCodeBuildClearTextCredentials41F60669": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "codeBuild:BatchGetProjects", "codeBuild:UpdateProject", "ssm:PutParameter", "iam:CreatePolicy" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":codebuild:*:", { "Ref": "AWS::AccountId" }, ":project/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":policy/*" ] ] } ] }, { "Action": "iam:AttachRolePolicy", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/service-role/*" ] ] } }, { "Action": "iam:AttachRolePolicy", "Effect": "Deny", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ReplaceCodeBuildClearTextCredentials-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyReplaceCodeBuildClearTextCredentials41F60669", "Roles": [ { "Ref": "RemediationRoleReplaceCodeBuildClearTextCredentialsMemberAccountRoleAEEA6C96" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for to allow remediation for *any* resource." } ] } } }, "RemediationRoleReplaceCodeBuildClearTextCredentialsASRMemberBasePolicy352AD083": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ReplaceCodeBuildClearTextCredentials-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-ReplaceCodeBuildClearTextCredentials" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ReplaceCodeBuildClearTextCredentials-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleReplaceCodeBuildClearTextCredentialsASRMemberBasePolicy352AD083", "Roles": [ { "Ref": "RemediationRoleReplaceCodeBuildClearTextCredentialsMemberAccountRoleAEEA6C96" } ] } }, "RemediationRoleReplaceCodeBuildClearTextCredentialsMemberAccountRoleAEEA6C96": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-ReplaceCodeBuildClearTextCredentials-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyS3BlockDenylist09CFB29B": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "s3:PutBucketPolicy", "s3:GetBucketPolicy" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":s3:::*" ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyS3BlockDenylist09CFB29B", "Roles": [ { "Ref": "RemediationRoleS3BlockDenylistMemberAccountRoleDFABBAB3" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for to allow remediation for *any* resource." } ] } } }, "RemediationRoleS3BlockDenylistASRMemberBasePolicy7CB3AB1A": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-S3BlockDenylist-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-S3BlockDenylist" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-S3BlockDenylist-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleS3BlockDenylistASRMemberBasePolicy7CB3AB1A", "Roles": [ { "Ref": "RemediationRoleS3BlockDenylistMemberAccountRoleDFABBAB3" } ] } }, "RemediationRoleS3BlockDenylistMemberAccountRoleDFABBAB3": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-S3BlockDenylist-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyEncryptRDSSnapshot977A3E1D": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "rds:AddTagsToResource", "rds:CopyDBSnapshot", "rds:CopyDBClusterSnapshot", "rds:DescribeDBSnapshots", "rds:DescribeDBClusterSnapshots", "rds:DeleteDBSnapshot", "rds:DeleteDBClusterSnapshot", "rds:CopyCustomDBEngineVersion" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":snapshot:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":cluster-snapshot:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":cluster:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":cev:*/*/*" ] ] } ] } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyEncryptRDSSnapshot977A3E1D", "Roles": [ { "Ref": "RemediationRoleEncryptRDSSnapshotMemberAccountRole5D2C905F" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for to allow remediation for *any* resource." } ] } } }, "RemediationRoleEncryptRDSSnapshotASRMemberBasePolicy63AA6C73": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EncryptRDSSnapshot-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-EncryptRDSSnapshot" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EncryptRDSSnapshot-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleEncryptRDSSnapshotASRMemberBasePolicy63AA6C73", "Roles": [ { "Ref": "RemediationRoleEncryptRDSSnapshotMemberAccountRole5D2C905F" } ] } }, "RemediationRoleEncryptRDSSnapshotMemberAccountRole5D2C905F": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-EncryptRDSSnapshot-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyDisablePublicAccessToRedshiftCluster66BC092B": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "redshift:DescribeClusters", "Effect": "Allow", "Resource": "*" }, { "Action": "redshift:ModifyCluster", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":redshift:*:", { "Ref": "AWS::AccountId" }, ":cluster:*" ] ] } }, { "Action": [ "kms:Decrypt", "kms:RetireGrant", "kms:GenerateDataKey", "kms:DescribeKey", "kms:CreateGrant", "secretsmanager:DescribeSecret", "secretsmanager:CreateSecret", "secretsmanager:DeleteSecret", "secretsmanager:UpdateSecret", "secretsmanager:RotateSecret", "secretsmanager:TagResource", "acm:DescribeCertificate" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":secretsmanager:*:", { "Ref": "AWS::AccountId" }, ":secret:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":kms:*:", { "Ref": "AWS::AccountId" }, ":key/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":acm:*:", { "Ref": "AWS::AccountId" }, ":certificate/*" ] ] } ] }, { "Action": "secretsmanager:GetRandomPassword", "Effect": "Allow", "Resource": "*" } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyDisablePublicAccessToRedshiftCluster66BC092B", "Roles": [ { "Ref": "RemediationRoleDisablePublicAccessToRedshiftClusterMemberAccountRole87AA27A6" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for to allow remediation for any resource." } ] } } }, "RemediationRoleDisablePublicAccessToRedshiftClusterASRMemberBasePolicy52AE8892": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-DisablePublicAccessToRedshiftCluster-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-DisablePublicAccessToRedshiftCluster" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-DisablePublicAccessToRedshiftCluster-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleDisablePublicAccessToRedshiftClusterASRMemberBasePolicy52AE8892", "Roles": [ { "Ref": "RemediationRoleDisablePublicAccessToRedshiftClusterMemberAccountRole87AA27A6" } ] } }, "RemediationRoleDisablePublicAccessToRedshiftClusterMemberAccountRole87AA27A6": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-DisablePublicAccessToRedshiftCluster-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyEnableRedshiftClusterAuditLoggingD5BE977C": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "redshift:DescribeLoggingStatus", "redshift:EnableLogging", "s3:PutObject" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":redshift:*:", { "Ref": "AWS::AccountId" }, ":cluster:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":s3:::*/*" ] ] } ] } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyEnableRedshiftClusterAuditLoggingD5BE977C", "Roles": [ { "Ref": "RemediationRoleEnableRedshiftClusterAuditLoggingMemberAccountRoleD7AC224E" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for to allow remediation for any resource." } ] } } }, "RemediationRoleEnableRedshiftClusterAuditLoggingASRMemberBasePolicy848FC925": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableRedshiftClusterAuditLogging-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-EnableRedshiftClusterAuditLogging" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableRedshiftClusterAuditLogging-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleEnableRedshiftClusterAuditLoggingASRMemberBasePolicy848FC925", "Roles": [ { "Ref": "RemediationRoleEnableRedshiftClusterAuditLoggingMemberAccountRoleD7AC224E" } ] } }, "RemediationRoleEnableRedshiftClusterAuditLoggingMemberAccountRoleD7AC224E": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-EnableRedshiftClusterAuditLogging-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyEnableAutomaticVersionUpgradeOnRedshiftCluster5A0C15D8": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "redshift:DescribeClusters", "Effect": "Allow", "Resource": "*" }, { "Action": "redshift:ModifyCluster", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":redshift:*:", { "Ref": "AWS::AccountId" }, ":cluster:*" ] ] } }, { "Action": [ "kms:Decrypt", "kms:RetireGrant", "kms:GenerateDataKey", "kms:DescribeKey", "kms:CreateGrant", "secretsmanager:DescribeSecret", "secretsmanager:CreateSecret", "secretsmanager:DeleteSecret", "secretsmanager:UpdateSecret", "secretsmanager:RotateSecret", "secretsmanager:TagResource", "acm:DescribeCertificate" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":secretsmanager:*:", { "Ref": "AWS::AccountId" }, ":secret:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":kms:*:", { "Ref": "AWS::AccountId" }, ":key/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":acm:*:", { "Ref": "AWS::AccountId" }, ":certificate/*" ] ] } ] }, { "Action": "secretsmanager:GetRandomPassword", "Effect": "Allow", "Resource": "*" } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyEnableAutomaticVersionUpgradeOnRedshiftCluster5A0C15D8", "Roles": [ { "Ref": "RemediationRoleEnableAutomaticVersionUpgradeOnRedshiftClusterMemberAccountRoleADCE761E" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for to allow remediation for any resource." } ] } } }, "RemediationRoleEnableAutomaticVersionUpgradeOnRedshiftClusterASRMemberBasePolicyE77FB443": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableAutomaticVersionUpgradeOnRedshiftCluster-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-EnableAutomaticVersionUpgradeOnRedshiftCluster" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableAutomaticVersionUpgradeOnRedshiftCluster-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleEnableAutomaticVersionUpgradeOnRedshiftClusterASRMemberBasePolicyE77FB443", "Roles": [ { "Ref": "RemediationRoleEnableAutomaticVersionUpgradeOnRedshiftClusterMemberAccountRoleADCE761E" } ] } }, "RemediationRoleEnableAutomaticVersionUpgradeOnRedshiftClusterMemberAccountRoleADCE761E": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-EnableAutomaticVersionUpgradeOnRedshiftCluster-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyEnableAutomaticSnapshotsOnRedshiftClusterC0A2A72C": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "redshift:DescribeClusters", "Effect": "Allow", "Resource": "*" }, { "Action": "redshift:ModifyCluster", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":redshift:*:", { "Ref": "AWS::AccountId" }, ":cluster:*" ] ] } }, { "Action": [ "kms:Decrypt", "kms:RetireGrant", "kms:GenerateDataKey", "kms:DescribeKey", "kms:CreateGrant", "secretsmanager:DescribeSecret", "secretsmanager:CreateSecret", "secretsmanager:DeleteSecret", "secretsmanager:UpdateSecret", "secretsmanager:RotateSecret", "secretsmanager:TagResource", "acm:DescribeCertificate" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":secretsmanager:*:", { "Ref": "AWS::AccountId" }, ":secret:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":kms:*:", { "Ref": "AWS::AccountId" }, ":key/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":acm:*:", { "Ref": "AWS::AccountId" }, ":certificate/*" ] ] } ] }, { "Action": "secretsmanager:GetRandomPassword", "Effect": "Allow", "Resource": "*" } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyEnableAutomaticSnapshotsOnRedshiftClusterC0A2A72C", "Roles": [ { "Ref": "RemediationRoleEnableAutomaticSnapshotsOnRedshiftClusterMemberAccountRole13857606" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for to allow remediation for any resource." } ] } } }, "RemediationRoleEnableAutomaticSnapshotsOnRedshiftClusterASRMemberBasePolicyE3F88DCF": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableAutomaticSnapshotsOnRedshiftCluster-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-EnableAutomaticSnapshotsOnRedshiftCluster" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableAutomaticSnapshotsOnRedshiftCluster-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleEnableAutomaticSnapshotsOnRedshiftClusterASRMemberBasePolicyE3F88DCF", "Roles": [ { "Ref": "RemediationRoleEnableAutomaticSnapshotsOnRedshiftClusterMemberAccountRole13857606" } ] } }, "RemediationRoleEnableAutomaticSnapshotsOnRedshiftClusterMemberAccountRole13857606": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-EnableAutomaticSnapshotsOnRedshiftCluster-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyCreateIAMSupportRole28E10C2E": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "iam:GetRole", "iam:CreateRole", "iam:AttachRolePolicy", "iam:TagRole" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/aws_incident_support_role" ] ] } }, { "Action": "iam:AttachRolePolicy", "Effect": "Deny", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-CreateIAMSupportRole-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyCreateIAMSupportRole28E10C2E", "Roles": [ { "Ref": "RemediationRoleCreateIAMSupportRoleMemberAccountRoleFD80F5F3" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for to allow remediation." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions." } ] } } }, "RemediationRoleCreateIAMSupportRoleASRMemberBasePolicy37E2791C": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-CreateIAMSupportRole-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-CreateIAMSupportRole" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-CreateIAMSupportRole-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleCreateIAMSupportRoleASRMemberBasePolicy37E2791C", "Roles": [ { "Ref": "RemediationRoleCreateIAMSupportRoleMemberAccountRoleFD80F5F3" } ] } }, "RemediationRoleCreateIAMSupportRoleMemberAccountRoleFD80F5F3": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-CreateIAMSupportRole-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyEnableEncryptionForSQSQueueB4AC4CBC": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "sqs:GetQueueUrl", "sqs:SetQueueAttributes", "sqs:GetQueueAttributes" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":sqs:*:", { "Ref": "AWS::AccountId" }, ":*" ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyEnableEncryptionForSQSQueueB4AC4CBC", "Roles": [ { "Ref": "RemediationRoleEnableEncryptionForSQSQueueMemberAccountRole7976F712" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for to allow remediation for any resource." } ] } } }, "RemediationRoleEnableEncryptionForSQSQueueASRMemberBasePolicy02F9F069": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableEncryptionForSQSQueue-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-EnableEncryptionForSQSQueue" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableEncryptionForSQSQueue-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleEnableEncryptionForSQSQueueASRMemberBasePolicy02F9F069", "Roles": [ { "Ref": "RemediationRoleEnableEncryptionForSQSQueueMemberAccountRole7976F712" } ] } }, "RemediationRoleEnableEncryptionForSQSQueueMemberAccountRole7976F712": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-EnableEncryptionForSQSQueue-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyConfigureSNSTopicForStackEB0051E6": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "cloudformation:DescribeStacks", "cloudformation:UpdateStack" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":cloudformation:*:", { "Ref": "AWS::AccountId" }, ":stack/*/*" ] ] } }, { "Action": "cloudformation:ListStacks", "Effect": "Allow", "Resource": "*" }, { "Action": [ "sns:CreateTopic", "sns:Publish" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":sns:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":SO0111-ASR-CloudFormationNotifications" ] ] } }, { "Action": "servicecatalog:GetApplication", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":servicecatalog:*:", { "Ref": "AWS::AccountId" }, ":/applications/*" ] ] } }, { "Action": "iam:GetRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/*" ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyConfigureSNSTopicForStackEB0051E6", "Roles": [ { "Ref": "RemediationRoleConfigureSNSTopicForStackMemberAccountRoleF91254E5" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for to allow remediation." } ] } } }, "RemediationRoleConfigureSNSTopicForStackASRMemberBasePolicyCB4F96A8": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ConfigureSNSTopicForStack-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-ConfigureSNSTopicForStack" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ConfigureSNSTopicForStack-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleConfigureSNSTopicForStackASRMemberBasePolicyCB4F96A8", "Roles": [ { "Ref": "RemediationRoleConfigureSNSTopicForStackMemberAccountRoleF91254E5" } ] } }, "RemediationRoleConfigureSNSTopicForStackMemberAccountRoleF91254E5": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-ConfigureSNSTopicForStack-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyConfigureS3BucketLogging72C5B50E": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "s3:PutBucketLogging", "s3:CreateBucket", "s3:PutEncryptionConfiguration", "s3:PutBucketAcl" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":s3:::*" ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyConfigureS3BucketLogging72C5B50E", "Roles": [ { "Ref": "RemediationRoleConfigureS3BucketLoggingMemberAccountRoleE068390D" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for to allow remediation for *any* resource." } ] } } }, "RemediationRoleConfigureS3BucketLoggingASRMemberBasePolicyA9FD6EDC": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ConfigureS3BucketLogging-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-ConfigureS3BucketLogging" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ConfigureS3BucketLogging-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleConfigureS3BucketLoggingASRMemberBasePolicyA9FD6EDC", "Roles": [ { "Ref": "RemediationRoleConfigureS3BucketLoggingMemberAccountRoleE068390D" } ] } }, "RemediationRoleConfigureS3BucketLoggingMemberAccountRoleE068390D": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-ConfigureS3BucketLogging-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyDisablePublicAccessForSecurityGroup8796016C": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "ec2:DescribeSecurityGroups", "Effect": "Allow", "Resource": "*" }, { "Action": [ "ec2:RevokeSecurityGroupIngress", "ec2:UpdateSecurityGroupRuleDescriptionsEgress", "ec2:DescribeSecurityGroupReferences", "ec2:RevokeSecurityGroupEgress", "ec2:UpdateSecurityGroupRuleDescriptionsIngress" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ec2:*:", { "Ref": "AWS::AccountId" }, ":security-group/*" ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyDisablePublicAccessForSecurityGroup8796016C", "Roles": [ { "Ref": "RemediationRoleDisablePublicAccessForSecurityGroupMemberAccountRole3BED8BF4" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for to allow remediation for *any* resource." } ] } } }, "RemediationRoleDisablePublicAccessForSecurityGroupASRMemberBasePolicy052834DB": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-DisablePublicAccessForSecurityGroup-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-DisablePublicAccessForSecurityGroup" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-DisablePublicAccessForSecurityGroup-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleDisablePublicAccessForSecurityGroupASRMemberBasePolicy052834DB", "Roles": [ { "Ref": "RemediationRoleDisablePublicAccessForSecurityGroupMemberAccountRole3BED8BF4" } ] } }, "RemediationRoleDisablePublicAccessForSecurityGroupMemberAccountRole3BED8BF4": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-DisablePublicAccessForSecurityGroup-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyConfigureS3BucketPublicAccessBlock64F47C51": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "s3:PutBucketPublicAccessBlock", "s3:GetBucketPublicAccessBlock" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":s3:::*" ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyConfigureS3BucketPublicAccessBlock64F47C51", "Roles": [ { "Ref": "RemediationRoleConfigureS3BucketPublicAccessBlockMemberAccountRoleC78F6EE7" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for to allow remediation for *any* resource." } ] } } }, "RemediationRoleConfigureS3BucketPublicAccessBlockASRMemberBasePolicy26FF204C": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ConfigureS3BucketPublicAccessBlock-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-ConfigureS3BucketPublicAccessBlock" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ConfigureS3BucketPublicAccessBlock-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleConfigureS3BucketPublicAccessBlockASRMemberBasePolicy26FF204C", "Roles": [ { "Ref": "RemediationRoleConfigureS3BucketPublicAccessBlockMemberAccountRoleC78F6EE7" } ] } }, "RemediationRoleConfigureS3BucketPublicAccessBlockMemberAccountRoleC78F6EE7": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-ConfigureS3BucketPublicAccessBlock-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyConfigureS3PublicAccessBlockD812FED9": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "s3:PutAccountPublicAccessBlock", "s3:GetAccountPublicAccessBlock" ], "Effect": "Allow", "Resource": "*" } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyConfigureS3PublicAccessBlockD812FED9", "Roles": [ { "Ref": "RemediationRoleConfigureS3PublicAccessBlockMemberAccountRole98A4BC1D" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for to allow remediation for *any* resource." } ] } } }, "RemediationRoleConfigureS3PublicAccessBlockASRMemberBasePolicy752EEDF3": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ConfigureS3PublicAccessBlock-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-ConfigureS3PublicAccessBlock" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ConfigureS3PublicAccessBlock-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleConfigureS3PublicAccessBlockASRMemberBasePolicy752EEDF3", "Roles": [ { "Ref": "RemediationRoleConfigureS3PublicAccessBlockMemberAccountRole98A4BC1D" } ] } }, "RemediationRoleConfigureS3PublicAccessBlockMemberAccountRole98A4BC1D": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-ConfigureS3PublicAccessBlock-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyEnableCloudTrailLogFileValidationAD33D09E": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "cloudtrail:UpdateTrail", "cloudtrail:GetTrail" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":cloudtrail:*:", { "Ref": "AWS::AccountId" }, ":trail/*" ] ] } }, { "Action": "iam:GetRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/*" ] ] } }, { "Action": "iam:CreateServiceLinkedRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/aws-service-role/*" ] ] } }, { "Action": [ "iam:AttachRolePolicy", "iam:PutRolePolicy" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/aws-service-role/cloudtrail.amazonaws.com/*" ] ] } }, { "Action": [ "iam:AddUserToGroup", "iam:AttachGroupPolicy", "iam:AttachRolePolicy", "iam:AttachUserPolicy", "iam:CreatePolicyVersion", "iam:CreateRole", "iam:DeleteGroupPolicy", "iam:DeleteRolePolicy", "iam:DeleteUserPolicy", "iam:DetachGroupPolicy", "iam:DetachRolePolicy", "iam:DetachUserPolicy", "iam:PutGroupPolicy", "iam:PutRolePolicy", "iam:PutUserPolicy", "iam:RemoveUserFromGroup", "iam:SetDefaultPolicyVersion", "iam:UpdateAssumeRolePolicy", "iam:UpdateRole" ], "Effect": "Deny", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":user/*" ] ] } ] }, { "Action": "organizations:ListAWSServiceAccessForOrganization", "Effect": "Allow", "Resource": "*" } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyEnableCloudTrailLogFileValidationAD33D09E", "Roles": [ { "Ref": "RemediationRoleEnableCloudTrailLogFileValidationMemberAccountRole3F5F7157" } ] } }, "RemediationRoleEnableCloudTrailLogFileValidationASRMemberBasePolicy60225AD5": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableCloudTrailLogFileValidation-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-EnableCloudTrailLogFileValidation" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableCloudTrailLogFileValidation-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleEnableCloudTrailLogFileValidationASRMemberBasePolicy60225AD5", "Roles": [ { "Ref": "RemediationRoleEnableCloudTrailLogFileValidationMemberAccountRole3F5F7157" } ] } }, "RemediationRoleEnableCloudTrailLogFileValidationMemberAccountRole3F5F7157": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-EnableCloudTrailLogFileValidation-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyEnableEbsEncryptionByDefault7AA2FA46": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ec2:EnableEBSEncryptionByDefault", "ec2:GetEbsEncryptionByDefault" ], "Effect": "Allow", "Resource": "*" } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyEnableEbsEncryptionByDefault7AA2FA46", "Roles": [ { "Ref": "RemediationRoleEnableEbsEncryptionByDefaultMemberAccountRoleDF17FF59" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for to allow remediation for *any* resource." } ] } } }, "RemediationRoleEnableEbsEncryptionByDefaultASRMemberBasePolicyE93FA703": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableEbsEncryptionByDefault-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-EnableEbsEncryptionByDefault" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableEbsEncryptionByDefault-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleEnableEbsEncryptionByDefaultASRMemberBasePolicyE93FA703", "Roles": [ { "Ref": "RemediationRoleEnableEbsEncryptionByDefaultMemberAccountRoleDF17FF59" } ] } }, "RemediationRoleEnableEbsEncryptionByDefaultMemberAccountRoleDF17FF59": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-EnableEbsEncryptionByDefault-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyEnableEnhancedMonitoringOnRDSInstance7CF36749": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "iam:GetRole", "iam:PassRole" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-RDSMonitoring-remediationRole-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "rds:DescribeDBInstances", "rds:ModifyDBInstance" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":db:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":og:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":pg:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":secgrp:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":subgrp:*" ] ] } ] }, { "Action": [ "rds:AddTagsToResource", "kms:Decrypt", "secretsmanager:CreateSecret", "kms:GenerateDataKey", "secretsmanager:RotateSecret", "kms:DescribeKey", "kms:CreateGrant", "rds:CreateTenantDatabase", "secretsmanager:TagResource" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":kms:*:", { "Ref": "AWS::AccountId" }, ":key/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":pg:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":og:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":secgrp:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":db:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":subgrp:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":secretsmanager:*:", { "Ref": "AWS::AccountId" }, ":secret:*" ] ] } ] }, { "Action": [ "iam:GetRole", "iam:PassRole" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/RDSEnhancedMonitoringRole" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS" ] ] } ] } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyEnableEnhancedMonitoringOnRDSInstance7CF36749", "Roles": [ { "Ref": "RemediationRoleEnableEnhancedMonitoringOnRDSInstanceMemberAccountRoleB3EFCB99" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for to allow remediation for *any* RDS database." } ] } } }, "RemediationRoleEnableEnhancedMonitoringOnRDSInstanceASRMemberBasePolicy5E228195": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableEnhancedMonitoringOnRDSInstance-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-EnableEnhancedMonitoringOnRDSInstance" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableEnhancedMonitoringOnRDSInstance-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleEnableEnhancedMonitoringOnRDSInstanceASRMemberBasePolicy5E228195", "Roles": [ { "Ref": "RemediationRoleEnableEnhancedMonitoringOnRDSInstanceMemberAccountRoleB3EFCB99" } ] } }, "RemediationRoleEnableEnhancedMonitoringOnRDSInstanceMemberAccountRoleB3EFCB99": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-EnableEnhancedMonitoringOnRDSInstance-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "Rds6EnhancedMonitoringRoleRDS6EnhancedMonitoringPolicyA2EB4EE9": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:PutRetentionPolicy" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":logs:*:", { "Ref": "AWS::AccountId" }, ":log-group:RDS*" ] ] }, "Sid": "EnableCreationAndManagementOfRDSCloudwatchLogGroups" }, { "Action": [ "logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogStreams", "logs:GetLogEvents" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":logs:*:", { "Ref": "AWS::AccountId" }, ":log-group:RDS*:log-stream:*" ] ] }, "Sid": "EnableCreationAndManagementOfRDSCloudwatchLogStreams" } ], "Version": "2012-10-17" }, "PolicyName": "Rds6EnhancedMonitoringRoleRDS6EnhancedMonitoringPolicyA2EB4EE9", "Roles": [ { "Ref": "Rds6EnhancedMonitoringRole2FD1E9A5" } ] } }, "Rds6EnhancedMonitoringRole2FD1E9A5": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "monitoring.rds.amazonaws.com" } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-RDSMonitoring-remediationRole-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "UpdateReplacePolicy": "Retain", "DeletionPolicy": "Retain", "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W28", "reason": "Static names required to allow use in automated remediation runbooks." } ] } } }, "ASRRemediationPolicyEnableKeyRotation44A8458E": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "kms:EnableKeyRotation", "kms:GetKeyRotationStatus" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":kms:*:", { "Ref": "AWS::AccountId" }, ":key/*" ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyEnableKeyRotation44A8458E", "Roles": [ { "Ref": "RemediationRoleEnableKeyRotationMemberAccountRole2366F17F" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for to allow remediation for *any* resource." } ] } } }, "RemediationRoleEnableKeyRotationASRMemberBasePolicy7F59EFFD": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableKeyRotation-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-EnableKeyRotation" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableKeyRotation-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleEnableKeyRotationASRMemberBasePolicy7F59EFFD", "Roles": [ { "Ref": "RemediationRoleEnableKeyRotationMemberAccountRole2366F17F" } ] } }, "RemediationRoleEnableKeyRotationMemberAccountRole2366F17F": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-EnableKeyRotation-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyEnableRDSClusterDeletionProtectionCD3F43B5": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "config:GetResourceConfigHistory", "Effect": "Allow", "Resource": "*" }, { "Action": [ "rds:DescribeDBClusters", "rds:ModifyDBCluster", "rds:ModifyDBInstance" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":pg:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":og:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":cluster:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":cluster-pg:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":secgrp:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":db:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":subgrp:*" ] ] } ] }, { "Action": [ "rds:AddTagsToResource", "kms:Decrypt", "secretsmanager:CreateSecret", "kms:GenerateDataKey", "secretsmanager:RotateSecret", "kms:DescribeKey", "kms:CreateGrant", "rds:CreateTenantDatabase", "secretsmanager:TagResource" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":kms:*:", { "Ref": "AWS::AccountId" }, ":key/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":pg:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":og:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":secgrp:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":db:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":subgrp:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":secretsmanager:*:", { "Ref": "AWS::AccountId" }, ":secret:*" ] ] } ] }, { "Action": [ "iam:GetRole", "iam:PassRole" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/RDSEnhancedMonitoringRole" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS" ] ] } ] } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyEnableRDSClusterDeletionProtectionCD3F43B5", "Roles": [ { "Ref": "RemediationRoleEnableRDSClusterDeletionProtectionMemberAccountRole019A1667" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for to allow remediation for *any* RDS database." } ] } } }, "RemediationRoleEnableRDSClusterDeletionProtectionASRMemberBasePolicy3C7BEDA8": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableRDSClusterDeletionProtection-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-EnableRDSClusterDeletionProtection" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableRDSClusterDeletionProtection-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleEnableRDSClusterDeletionProtectionASRMemberBasePolicy3C7BEDA8", "Roles": [ { "Ref": "RemediationRoleEnableRDSClusterDeletionProtectionMemberAccountRole019A1667" } ] } }, "RemediationRoleEnableRDSClusterDeletionProtectionMemberAccountRole019A1667": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-EnableRDSClusterDeletionProtection-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyEnableCopyTagsToSnapshotOnRDSCluster28EA92EB": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "config:GetResourceConfigHistory", "Effect": "Allow", "Resource": "*" }, { "Action": [ "rds:DescribeDBClusters", "rds:ModifyDBCluster" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":pg:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":og:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":cluster:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":cluster-pg:*" ] ] } ] }, { "Action": [ "rds:AddTagsToResource", "kms:Decrypt", "secretsmanager:CreateSecret", "kms:GenerateDataKey", "secretsmanager:RotateSecret", "kms:DescribeKey", "kms:CreateGrant", "rds:CreateTenantDatabase", "secretsmanager:TagResource" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":kms:*:", { "Ref": "AWS::AccountId" }, ":key/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":pg:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":og:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":secgrp:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":db:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":subgrp:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":secretsmanager:*:", { "Ref": "AWS::AccountId" }, ":secret:*" ] ] } ] }, { "Action": [ "iam:GetRole", "iam:PassRole" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/RDSEnhancedMonitoringRole" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS" ] ] } ] } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyEnableCopyTagsToSnapshotOnRDSCluster28EA92EB", "Roles": [ { "Ref": "RemediationRoleEnableCopyTagsToSnapshotOnRDSClusterMemberAccountRole026ECDEE" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for to allow remediation for *any* RDS database." } ] } } }, "RemediationRoleEnableCopyTagsToSnapshotOnRDSClusterASRMemberBasePolicyCC83F0C2": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableCopyTagsToSnapshotOnRDSCluster-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-EnableCopyTagsToSnapshotOnRDSCluster" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableCopyTagsToSnapshotOnRDSCluster-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleEnableCopyTagsToSnapshotOnRDSClusterASRMemberBasePolicyCC83F0C2", "Roles": [ { "Ref": "RemediationRoleEnableCopyTagsToSnapshotOnRDSClusterMemberAccountRole026ECDEE" } ] } }, "RemediationRoleEnableCopyTagsToSnapshotOnRDSClusterMemberAccountRole026ECDEE": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-EnableCopyTagsToSnapshotOnRDSCluster-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyEnableRDSInstanceDeletionProtectionC88D4896": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "rds:DescribeDBInstances", "rds:ModifyDBInstance" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":db:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":og:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":pg:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":secgrp:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":subgrp:*" ] ] } ] }, { "Action": [ "rds:AddTagsToResource", "kms:Decrypt", "secretsmanager:CreateSecret", "kms:GenerateDataKey", "secretsmanager:RotateSecret", "kms:DescribeKey", "kms:CreateGrant", "rds:CreateTenantDatabase", "secretsmanager:TagResource" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":kms:*:", { "Ref": "AWS::AccountId" }, ":key/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":pg:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":og:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":secgrp:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":db:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":subgrp:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":secretsmanager:*:", { "Ref": "AWS::AccountId" }, ":secret:*" ] ] } ] }, { "Action": [ "iam:GetRole", "iam:PassRole" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/RDSEnhancedMonitoringRole" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS" ] ] } ] } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyEnableRDSInstanceDeletionProtectionC88D4896", "Roles": [ { "Ref": "RemediationRoleEnableRDSInstanceDeletionProtectionMemberAccountRole105E9511" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for to allow remediation for *any* RDS database." } ] } } }, "RemediationRoleEnableRDSInstanceDeletionProtectionASRMemberBasePolicyE6EBA2B2": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableRDSInstanceDeletionProtection-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-EnableRDSInstanceDeletionProtection" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableRDSInstanceDeletionProtection-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleEnableRDSInstanceDeletionProtectionASRMemberBasePolicyE6EBA2B2", "Roles": [ { "Ref": "RemediationRoleEnableRDSInstanceDeletionProtectionMemberAccountRole105E9511" } ] } }, "RemediationRoleEnableRDSInstanceDeletionProtectionMemberAccountRole105E9511": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-EnableRDSInstanceDeletionProtection-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyEnableMultiAZOnRDSInstance42AE98DD": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "rds:DescribeDBInstances", "rds:ModifyDBInstance" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":db:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":og:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":pg:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":secgrp:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":subgrp:*" ] ] } ] }, { "Action": [ "rds:AddTagsToResource", "kms:Decrypt", "secretsmanager:CreateSecret", "kms:GenerateDataKey", "secretsmanager:RotateSecret", "kms:DescribeKey", "kms:CreateGrant", "rds:CreateTenantDatabase", "secretsmanager:TagResource" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":kms:*:", { "Ref": "AWS::AccountId" }, ":key/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":pg:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":og:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":secgrp:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":db:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":subgrp:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":secretsmanager:*:", { "Ref": "AWS::AccountId" }, ":secret:*" ] ] } ] }, { "Action": [ "iam:GetRole", "iam:PassRole" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/RDSEnhancedMonitoringRole" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS" ] ] } ] } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyEnableMultiAZOnRDSInstance42AE98DD", "Roles": [ { "Ref": "RemediationRoleEnableMultiAZOnRDSInstanceMemberAccountRoleE0F45AF6" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for to allow remediation for *any* RDS database." } ] } } }, "RemediationRoleEnableMultiAZOnRDSInstanceASRMemberBasePolicy1AC5FD82": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableMultiAZOnRDSInstance-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-EnableMultiAZOnRDSInstance" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableMultiAZOnRDSInstance-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleEnableMultiAZOnRDSInstanceASRMemberBasePolicy1AC5FD82", "Roles": [ { "Ref": "RemediationRoleEnableMultiAZOnRDSInstanceMemberAccountRoleE0F45AF6" } ] } }, "RemediationRoleEnableMultiAZOnRDSInstanceMemberAccountRoleE0F45AF6": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-EnableMultiAZOnRDSInstance-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyRemoveVPCDefaultSecurityGroupRulesCFCC9075": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ec2:UpdateSecurityGroupRuleDescriptionsEgress", "ec2:UpdateSecurityGroupRuleDescriptionsIngress", "ec2:RevokeSecurityGroupIngress", "ec2:RevokeSecurityGroupEgress", "ec2:DescribeSecurityGroupReferences" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ec2:*:", { "Ref": "AWS::AccountId" }, ":security-group/*" ] ] } }, { "Action": "ec2:DescribeSecurityGroups", "Effect": "Allow", "Resource": "*" } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyRemoveVPCDefaultSecurityGroupRulesCFCC9075", "Roles": [ { "Ref": "RemediationRoleRemoveVPCDefaultSecurityGroupRulesMemberAccountRole406D320B" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for to allow remediation for any resource." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "RemediationRoleRemoveVPCDefaultSecurityGroupRulesASRMemberBasePolicyC12262BF": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-RemoveVPCDefaultSecurityGroupRules-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-RemoveVPCDefaultSecurityGroupRules" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-RemoveVPCDefaultSecurityGroupRules-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleRemoveVPCDefaultSecurityGroupRulesASRMemberBasePolicyC12262BF", "Roles": [ { "Ref": "RemediationRoleRemoveVPCDefaultSecurityGroupRulesMemberAccountRole406D320B" } ] } }, "RemediationRoleRemoveVPCDefaultSecurityGroupRulesMemberAccountRole406D320B": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-RemoveVPCDefaultSecurityGroupRules-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyRevokeUnusedIAMUserCredentials80B75170": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "iam:UpdateAccessKey", "iam:ListAccessKeys", "iam:GetAccessKeyLastUsed", "iam:GetUser", "iam:GetLoginProfile", "iam:DeleteLoginProfile" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":user/*" ] ] } }, { "Action": "config:ListDiscoveredResources", "Effect": "Allow", "Resource": "*" } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyRevokeUnusedIAMUserCredentials80B75170", "Roles": [ { "Ref": "RemediationRoleRevokeUnusedIAMUserCredentialsMemberAccountRole5C008B43" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for to allow remediation for any resource." } ] } } }, "RemediationRoleRevokeUnusedIAMUserCredentialsASRMemberBasePolicy2B68364A": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-RevokeUnusedIAMUserCredentials-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-RevokeUnusedIAMUserCredentials" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-RevokeUnusedIAMUserCredentials-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleRevokeUnusedIAMUserCredentialsASRMemberBasePolicy2B68364A", "Roles": [ { "Ref": "RemediationRoleRevokeUnusedIAMUserCredentialsMemberAccountRole5C008B43" } ] } }, "RemediationRoleRevokeUnusedIAMUserCredentialsMemberAccountRole5C008B43": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-RevokeUnusedIAMUserCredentials-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicySetIAMPasswordPolicy5DADE3C8": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "iam:UpdateAccountPasswordPolicy", "iam:GetAccountPasswordPolicy" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "ec2:UpdateSecurityGroupRuleDescriptionsIngress", "ec2:RevokeSecurityGroupIngress", "ec2:RevokeSecurityGroupEgress" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ec2:*:", { "Ref": "AWS::AccountId" }, ":security-group/*" ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicySetIAMPasswordPolicy5DADE3C8", "Roles": [ { "Ref": "RemediationRoleSetIAMPasswordPolicyMemberAccountRoleA1FF47B4" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for to allow remediation for any resource." } ] } } }, "RemediationRoleSetIAMPasswordPolicyASRMemberBasePolicy054C9327": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-SetIAMPasswordPolicy-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-SetIAMPasswordPolicy" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-SetIAMPasswordPolicy-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleSetIAMPasswordPolicyASRMemberBasePolicy054C9327", "Roles": [ { "Ref": "RemediationRoleSetIAMPasswordPolicyMemberAccountRoleA1FF47B4" } ] } }, "RemediationRoleSetIAMPasswordPolicyMemberAccountRoleA1FF47B4": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-SetIAMPasswordPolicy-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyDisablePublicAccessToRDSInstanceCEF31FFA": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "rds:DescribeDBInstances", "rds:ModifyDBInstance" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":db:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":og:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":pg:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":secgrp:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":subgrp:*" ] ] } ] }, { "Action": [ "rds:AddTagsToResource", "kms:Decrypt", "secretsmanager:CreateSecret", "kms:GenerateDataKey", "secretsmanager:RotateSecret", "kms:DescribeKey", "kms:CreateGrant", "rds:CreateTenantDatabase", "secretsmanager:TagResource" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":kms:*:", { "Ref": "AWS::AccountId" }, ":key/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":pg:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":og:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":secgrp:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":db:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":subgrp:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":secretsmanager:*:", { "Ref": "AWS::AccountId" }, ":secret:*" ] ] } ] }, { "Action": [ "iam:GetRole", "iam:PassRole" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/RDSEnhancedMonitoringRole" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS" ] ] } ] } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyDisablePublicAccessToRDSInstanceCEF31FFA", "Roles": [ { "Ref": "RemediationRoleDisablePublicAccessToRDSInstanceMemberAccountRole7E0A6680" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for to allow remediation for any resource." } ] } } }, "RemediationRoleDisablePublicAccessToRDSInstanceASRMemberBasePolicy916A9C96": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-DisablePublicAccessToRDSInstance-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-DisablePublicAccessToRDSInstance" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-DisablePublicAccessToRDSInstance-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleDisablePublicAccessToRDSInstanceASRMemberBasePolicy916A9C96", "Roles": [ { "Ref": "RemediationRoleDisablePublicAccessToRDSInstanceMemberAccountRole7E0A6680" } ] } }, "RemediationRoleDisablePublicAccessToRDSInstanceMemberAccountRole7E0A6680": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-DisablePublicAccessToRDSInstance-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyEnableMinorVersionUpgradeOnRDSDBInstance2413B7D6": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "rds:DescribeDBInstances", "rds:ModifyDBInstance", "rds:DescribeDBClusters", "rds:ModifyDBCluster" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":pg:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":og:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":cluster:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":cluster-pg:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":secgrp:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":db:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":subgrp:*" ] ] } ] }, { "Action": [ "rds:AddTagsToResource", "kms:Decrypt", "secretsmanager:CreateSecret", "kms:GenerateDataKey", "secretsmanager:RotateSecret", "kms:DescribeKey", "kms:CreateGrant", "rds:CreateTenantDatabase", "secretsmanager:TagResource" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":kms:*:", { "Ref": "AWS::AccountId" }, ":key/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":pg:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":og:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":secgrp:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":db:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":rds:*:", { "Ref": "AWS::AccountId" }, ":subgrp:*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":secretsmanager:*:", { "Ref": "AWS::AccountId" }, ":secret:*" ] ] } ] }, { "Action": [ "iam:GetRole", "iam:PassRole" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/RDSEnhancedMonitoringRole" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS" ] ] } ] } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyEnableMinorVersionUpgradeOnRDSDBInstance2413B7D6", "Roles": [ { "Ref": "RemediationRoleEnableMinorVersionUpgradeOnRDSDBInstanceMemberAccountRole66157FBF" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for to allow remediation for any resource." } ] } } }, "RemediationRoleEnableMinorVersionUpgradeOnRDSDBInstanceASRMemberBasePolicy955B7A39": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableMinorVersionUpgradeOnRDSDBInstance-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-EnableMinorVersionUpgradeOnRDSDBInstance" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableMinorVersionUpgradeOnRDSDBInstance-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleEnableMinorVersionUpgradeOnRDSDBInstanceASRMemberBasePolicy955B7A39", "Roles": [ { "Ref": "RemediationRoleEnableMinorVersionUpgradeOnRDSDBInstanceMemberAccountRole66157FBF" } ] } }, "RemediationRoleEnableMinorVersionUpgradeOnRDSDBInstanceMemberAccountRole66157FBF": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-EnableMinorVersionUpgradeOnRDSDBInstance-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyEnableEncryptionForSNSTopicA4AB21F5": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "sns:SetTopicAttributes", "sns:GetTopicAttributes" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":sns:*:", { "Ref": "AWS::AccountId" }, ":*" ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyEnableEncryptionForSNSTopicA4AB21F5", "Roles": [ { "Ref": "RemediationRoleEnableEncryptionForSNSTopicMemberAccountRoleA4EF5A6E" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for to allow remediation for any resource." } ] } } }, "RemediationRoleEnableEncryptionForSNSTopicASRMemberBasePolicy40242D41": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableEncryptionForSNSTopic-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-EnableEncryptionForSNSTopic" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableEncryptionForSNSTopic-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleEnableEncryptionForSNSTopicASRMemberBasePolicy40242D41", "Roles": [ { "Ref": "RemediationRoleEnableEncryptionForSNSTopicMemberAccountRoleA4EF5A6E" } ] } }, "RemediationRoleEnableEncryptionForSNSTopicMemberAccountRoleA4EF5A6E": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-EnableEncryptionForSNSTopic-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyEnableDeliveryStatusLoggingForSNSTopicF426D24F": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "sns:SetTopicAttributes", "sns:GetTopicAttributes" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":sns:*:", { "Ref": "AWS::AccountId" }, ":*" ] ] } }, { "Action": [ "iam:GetRole", "iam:PassRole" ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "SNS2DeliveryStatusLoggingRole8CA29B1D", "Arn" ] } } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyEnableDeliveryStatusLoggingForSNSTopicF426D24F", "Roles": [ { "Ref": "RemediationRoleEnableDeliveryStatusLoggingForSNSTopicMemberAccountRoleCF9E61FE" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for to allow remediation for any resource." } ] } } }, "SNS2DeliveryStatusLoggingRoleDeliveryStatusLoggingPolicy4C4F6343": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", "logs:PutMetricFilter", "logs:PutRetentionPolicy" ], "Effect": "Allow", "Resource": "*", "Sid": "EnableDeliveryStatusLoggingForSNSTopic" } ], "Version": "2012-10-17" }, "PolicyName": "SNS2DeliveryStatusLoggingRoleDeliveryStatusLoggingPolicy4C4F6343", "Roles": [ { "Ref": "SNS2DeliveryStatusLoggingRole8CA29B1D" } ] } }, "SNS2DeliveryStatusLoggingRole8CA29B1D": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "sns.amazonaws.com" } } ], "Version": "2012-10-17" }, "Description": "Role automatically created by ASR for remediation of SNS.2 findings. \n This role is retained after the solution is deleted to support continuing function \n of SNS delivery status logging enabled by this remediation. Before removing this \n role, use IAM access analyzer for confirming it's safe", "RoleName": { "Fn::Join": [ "", [ "SO0111-SNS2DeliveryStatusLogging-remediationRole-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "SO0111", "Value": "RetainedRole" }, { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "UpdateReplacePolicy": "Retain", "DeletionPolicy": "Retain", "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required to allow delivery status logging for any topic." } ] }, "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } } }, "RemediationRoleEnableDeliveryStatusLoggingForSNSTopicASRMemberBasePolicy45A33E7F": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableDeliveryStatusLoggingForSNSTopic-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-EnableDeliveryStatusLoggingForSNSTopic" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableDeliveryStatusLoggingForSNSTopic-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleEnableDeliveryStatusLoggingForSNSTopicASRMemberBasePolicy45A33E7F", "Roles": [ { "Ref": "RemediationRoleEnableDeliveryStatusLoggingForSNSTopicMemberAccountRoleCF9E61FE" } ] } }, "RemediationRoleEnableDeliveryStatusLoggingForSNSTopicMemberAccountRoleCF9E61FE": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-EnableDeliveryStatusLoggingForSNSTopic-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyDisablePublicIPAutoAssign992332FF": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "ec2:DescribeSubnets", "Effect": "Allow", "Resource": "*" }, { "Action": "ec2:ModifySubnetAttribute", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ec2:*:", { "Ref": "AWS::AccountId" }, ":subnet/*" ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyDisablePublicIPAutoAssign992332FF", "Roles": [ { "Ref": "RemediationRoleDisablePublicIPAutoAssignMemberAccountRoleFEEDBF8B" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for to allow remediation for any resource." } ] } } }, "RemediationRoleDisablePublicIPAutoAssignASRMemberBasePolicy1D9D8FDB": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-DisablePublicIPAutoAssign-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-DisablePublicIPAutoAssign" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-DisablePublicIPAutoAssign-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleDisablePublicIPAutoAssignASRMemberBasePolicy1D9D8FDB", "Roles": [ { "Ref": "RemediationRoleDisablePublicIPAutoAssignMemberAccountRoleFEEDBF8B" } ] } }, "RemediationRoleDisablePublicIPAutoAssignMemberAccountRoleFEEDBF8B": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-DisablePublicIPAutoAssign-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyEnableIMDSV2OnInstance33B34528": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "ec2:DescribeInstances", "Effect": "Allow", "Resource": "*" }, { "Action": "ec2:ModifyInstanceMetadataOptions", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ec2:*:", { "Ref": "AWS::AccountId" }, ":instance/*" ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyEnableIMDSV2OnInstance33B34528", "Roles": [ { "Ref": "RemediationRoleEnableIMDSV2OnInstanceMemberAccountRole8957BF7F" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for to allow remediation for any resource." } ] } } }, "RemediationRoleEnableIMDSV2OnInstanceASRMemberBasePolicy46871D2E": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableIMDSV2OnInstance-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-EnableIMDSV2OnInstance" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableIMDSV2OnInstance-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleEnableIMDSV2OnInstanceASRMemberBasePolicy46871D2E", "Roles": [ { "Ref": "RemediationRoleEnableIMDSV2OnInstanceMemberAccountRole8957BF7F" } ] } }, "RemediationRoleEnableIMDSV2OnInstanceMemberAccountRole8957BF7F": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-EnableIMDSV2OnInstance-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyRemoveCodeBuildPrivilegedModeF4DE6F07": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "codebuild:BatchGetProjects", "codebuild:UpdateProject" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":codebuild:*:", { "Ref": "AWS::AccountId" }, ":project/*" ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyRemoveCodeBuildPrivilegedModeF4DE6F07", "Roles": [ { "Ref": "RemediationRoleRemoveCodeBuildPrivilegedModeMemberAccountRoleFAE52D4A" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for to allow remediation for any resource." } ] } } }, "RemediationRoleRemoveCodeBuildPrivilegedModeASRMemberBasePolicy687DFA14": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-RemoveCodeBuildPrivilegedMode-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-RemoveCodeBuildPrivilegedMode" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-RemoveCodeBuildPrivilegedMode-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleRemoveCodeBuildPrivilegedModeASRMemberBasePolicy687DFA14", "Roles": [ { "Ref": "RemediationRoleRemoveCodeBuildPrivilegedModeMemberAccountRoleFAE52D4A" } ] } }, "RemediationRoleRemoveCodeBuildPrivilegedModeMemberAccountRoleFAE52D4A": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-RemoveCodeBuildPrivilegedMode-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyEnableCloudFrontDefaultRootObjectB01B99AC": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "cloudfront:GetDistributionConfig", "cloudfront:UpdateDistribution" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":cloudfront::", { "Ref": "AWS::AccountId" }, ":distribution/*" ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyEnableCloudFrontDefaultRootObjectB01B99AC", "Roles": [ { "Ref": "RemediationRoleEnableCloudFrontDefaultRootObjectMemberAccountRole52E30D4D" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for to allow remediation for any resource." } ] } } }, "RemediationRoleEnableCloudFrontDefaultRootObjectASRMemberBasePolicy1C0FBF72": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableCloudFrontDefaultRootObject-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-EnableCloudFrontDefaultRootObject" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableCloudFrontDefaultRootObject-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleEnableCloudFrontDefaultRootObjectASRMemberBasePolicy1C0FBF72", "Roles": [ { "Ref": "RemediationRoleEnableCloudFrontDefaultRootObjectMemberAccountRole52E30D4D" } ] } }, "RemediationRoleEnableCloudFrontDefaultRootObjectMemberAccountRole52E30D4D": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-EnableCloudFrontDefaultRootObject-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyBlockSSMDocumentPublicAccess2B816E49": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:DescribeDocumentPermission", "ssm:ModifyDocumentPermission" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/*" ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyBlockSSMDocumentPublicAccess2B816E49", "Roles": [ { "Ref": "RemediationRoleBlockSSMDocumentPublicAccessMemberAccountRoleC8F76AE9" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for to allow remediation for any resource." } ] } } }, "RemediationRoleBlockSSMDocumentPublicAccessASRMemberBasePolicy6F465C85": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-BlockSSMDocumentPublicAccess-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-BlockSSMDocumentPublicAccess" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-BlockSSMDocumentPublicAccess-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleBlockSSMDocumentPublicAccessASRMemberBasePolicy6F465C85", "Roles": [ { "Ref": "RemediationRoleBlockSSMDocumentPublicAccessMemberAccountRoleC8F76AE9" } ] } }, "RemediationRoleBlockSSMDocumentPublicAccessMemberAccountRoleC8F76AE9": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-BlockSSMDocumentPublicAccess-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyEnableSSMDocumentBlockPublicSharingFAF96226": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetServiceSetting", "ssm:UpdateServiceSetting" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":servicesetting/ssm/documents/console/public-sharing-permission" ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyEnableSSMDocumentBlockPublicSharingFAF96226", "Roles": [ { "Ref": "RemediationRoleEnableSSMDocumentBlockPublicSharingMemberAccountRole9E0F1E24" } ] } }, "RemediationRoleEnableSSMDocumentBlockPublicSharingASRMemberBasePolicy05E496EF": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableSSMDocumentBlockPublicSharing-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-EnableSSMDocumentBlockPublicSharing" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableSSMDocumentBlockPublicSharing-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleEnableSSMDocumentBlockPublicSharingASRMemberBasePolicy05E496EF", "Roles": [ { "Ref": "RemediationRoleEnableSSMDocumentBlockPublicSharingMemberAccountRole9E0F1E24" } ] } }, "RemediationRoleEnableSSMDocumentBlockPublicSharingMemberAccountRole9E0F1E24": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-EnableSSMDocumentBlockPublicSharing-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyAttachSSMPermissionsToEC200DF3702": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-AttachSSMPermissionsToEC2-RemediationRole-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "iam:GetRole", "iam:GetInstanceProfile", "iam:ListAttachedRolePolicies", "iam:ListRolePolicies" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":instance-profile/*" ] ] } ] }, { "Action": "iam:AttachRolePolicy", "Condition": { "StringEquals": { "iam:PolicyARN": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::aws:policy/AmazonSSMManagedInstanceCore" ] ] } } }, "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/*" ] ] } }, { "Action": "iam:AddRoleToInstanceProfile", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":instance-profile/*" ] ] } }, { "Action": [ "ec2:DescribeIamInstanceProfileAssociations", "ec2:DescribeInstanceStatus", "ec2:DescribeInstances" ], "Effect": "Allow", "Resource": "*" }, { "Action": "ec2:AssociateIamInstanceProfile", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ec2:*:", { "Ref": "AWS::AccountId" }, ":instance/*" ] ] } }, { "Action": [ "iam:AddUserToGroup", "iam:AttachGroupPolicy", "iam:AttachRolePolicy", "iam:AttachUserPolicy", "iam:CreatePolicyVersion", "iam:CreateRole", "iam:DeleteGroupPolicy", "iam:DeleteRolePolicy", "iam:DeleteUserPolicy", "iam:DetachGroupPolicy", "iam:DetachRolePolicy", "iam:DetachUserPolicy", "iam:PutGroupPolicy", "iam:PutRolePolicy", "iam:PutUserPolicy", "iam:RemoveUserFromGroup", "iam:SetDefaultPolicyVersion", "iam:UpdateAssumeRolePolicy", "iam:UpdateRole" ], "Effect": "Deny", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-AttachSSMPermissionsToEC2-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "iam:AddUserToGroup", "iam:AttachGroupPolicy", "iam:AttachRolePolicy", "iam:AttachUserPolicy", "iam:CreatePolicyVersion", "iam:CreateRole", "iam:DeleteGroupPolicy", "iam:DeleteRolePolicy", "iam:DeleteUserPolicy", "iam:DetachGroupPolicy", "iam:DetachRolePolicy", "iam:DetachUserPolicy", "iam:PutGroupPolicy", "iam:PutRolePolicy", "iam:PutUserPolicy", "iam:RemoveUserFromGroup", "iam:SetDefaultPolicyVersion", "iam:UpdateAssumeRolePolicy", "iam:UpdateRole" ], "Effect": "Deny", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":user/*" ] ] } ] } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyAttachSSMPermissionsToEC200DF3702", "Roles": [ { "Ref": "RemediationRoleAttachSSMPermissionsToEC2MemberAccountRole3C1CAE9D" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required to allow remediation of any EC2 instances." } ] } } }, "RemediationRoleAttachSSMPermissionsToEC2ASRMemberBasePolicyD620D658": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-AttachSSMPermissionsToEC2-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-AttachSSMPermissionsToEC2" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-AttachSSMPermissionsToEC2-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleAttachSSMPermissionsToEC2ASRMemberBasePolicyD620D658", "Roles": [ { "Ref": "RemediationRoleAttachSSMPermissionsToEC2MemberAccountRole3C1CAE9D" } ] } }, "RemediationRoleAttachSSMPermissionsToEC2MemberAccountRole3C1CAE9D": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-AttachSSMPermissionsToEC2-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "AttachSSMPermissionsToEC2remediationrole695BE4E5": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com" } } ], "Version": "2012-10-17" }, "ManagedPolicyArns": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::aws:policy/AmazonSSMManagedInstanceCore" ] ] } ], "RoleName": { "Fn::Join": [ "", [ "SO0111-AttachSSMPermissionsToEC2-RemediationRole-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "UpdateReplacePolicy": "Retain", "DeletionPolicy": "Retain", "Metadata": { "guard": { "SuppressedRules": [ "CFN_NO_EXPLICIT_RESOURCE_NAMES" ] } } }, "AttachSSMPermissionsToEC2instanceprofileE438BA1D": { "Type": "AWS::IAM::InstanceProfile", "Properties": { "InstanceProfileName": { "Fn::Join": [ "", [ "SO0111-AttachSSMPermissionsToEC2-InstanceProfile-", { "Ref": "Namespace" } ] ] }, "Roles": [ { "Ref": "AttachSSMPermissionsToEC2remediationrole695BE4E5" } ] }, "UpdateReplacePolicy": "Retain", "DeletionPolicy": "Retain" }, "ASRRemediationPolicyAttachServiceVPCEndpoint84A124F9": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ec2:CreateVpcEndpoint", "ec2:DescribeVpcAttribute" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ec2:*:", { "Ref": "AWS::AccountId" }, ":vpc/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ec2:*:", { "Ref": "AWS::AccountId" }, ":vpc-endpoint/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ec2:*:", { "Ref": "AWS::AccountId" }, ":subnet/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ec2:*:", { "Ref": "AWS::AccountId" }, ":security-group/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ec2:*:", { "Ref": "AWS::AccountId" }, ":route-table/*" ] ] } ] }, { "Action": "route53:AssociateVPCWithHostedZone", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":route53:::hostedzone/*" ] ] } }, { "Action": [ "ec2:DescribeSubnets", "ec2:DescribeVpcs" ], "Effect": "Allow", "Resource": "*" } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyAttachServiceVPCEndpoint84A124F9", "Roles": [ { "Ref": "RemediationRoleAttachServiceVPCEndpointMemberAccountRole6AF8EBD9" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required to list all VPC subnets." } ] } } }, "RemediationRoleAttachServiceVPCEndpointASRMemberBasePolicyD42E86F2": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-AttachServiceVPCEndpoint-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-AttachServiceVPCEndpoint" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-AttachServiceVPCEndpoint-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleAttachServiceVPCEndpointASRMemberBasePolicyD42E86F2", "Roles": [ { "Ref": "RemediationRoleAttachServiceVPCEndpointMemberAccountRole6AF8EBD9" } ] } }, "RemediationRoleAttachServiceVPCEndpointMemberAccountRole6AF8EBD9": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-AttachServiceVPCEndpoint-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyEnableBucketEventNotifications82104223": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "s3:GetBucketNotification", "s3:PutBucketNotification", "sns:CreateTopic", "sns:GetTopicAttributes", "sns:SetTopicAttributes" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":sns:*:", { "Ref": "AWS::AccountId" }, ":*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":s3:::*" ] ] } ] } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyEnableBucketEventNotifications82104223", "Roles": [ { "Ref": "RemediationRoleEnableBucketEventNotificationsMemberAccountRole8F25C546" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for to allow remediation for any resource." } ] } } }, "RemediationRoleEnableBucketEventNotificationsASRMemberBasePolicy58CDF2EA": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableBucketEventNotifications-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-EnableBucketEventNotifications" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableBucketEventNotifications-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleEnableBucketEventNotificationsASRMemberBasePolicy58CDF2EA", "Roles": [ { "Ref": "RemediationRoleEnableBucketEventNotificationsMemberAccountRole8F25C546" } ] } }, "RemediationRoleEnableBucketEventNotificationsMemberAccountRole8F25C546": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-EnableBucketEventNotifications-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyConfigureDynamoDBAutoScaling79259611": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "application-autoscaling:RegisterScalableTarget", "application-autoscaling:PutScalingPolicy", "application-autoscaling:TagResource" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":application-autoscaling:*:", { "Ref": "AWS::AccountId" }, ":scalable-target/*" ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyConfigureDynamoDBAutoScaling79259611", "Roles": [ { "Ref": "RemediationRoleConfigureDynamoDBAutoScalingMemberAccountRole03F246C9" } ] }, "Metadata": { "guard": { "SuppressedRules": [ "IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE" ] } } }, "RemediationRoleConfigureDynamoDBAutoScalingASRMemberBasePolicy270AF3D6": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ConfigureDynamoDBAutoScaling-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-ConfigureDynamoDBAutoScaling" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ConfigureDynamoDBAutoScaling-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleConfigureDynamoDBAutoScalingASRMemberBasePolicy270AF3D6", "Roles": [ { "Ref": "RemediationRoleConfigureDynamoDBAutoScalingMemberAccountRole03F246C9" } ] } }, "RemediationRoleConfigureDynamoDBAutoScalingMemberAccountRole03F246C9": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-ConfigureDynamoDBAutoScaling-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyEnableDynamoDBDeletionProtectionF768A0CD": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "dynamodb:UpdateTable", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":dynamodb:*:", { "Ref": "AWS::AccountId" }, ":table/*" ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyEnableDynamoDBDeletionProtectionF768A0CD", "Roles": [ { "Ref": "RemediationRoleEnableDynamoDBDeletionProtectionMemberAccountRole312799B6" } ] }, "Metadata": { "guard": { "SuppressedRules": [ "IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE" ] } } }, "RemediationRoleEnableDynamoDBDeletionProtectionASRMemberBasePolicy92F1B170": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableDynamoDBDeletionProtection-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-EnableDynamoDBDeletionProtection" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableDynamoDBDeletionProtection-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleEnableDynamoDBDeletionProtectionASRMemberBasePolicy92F1B170", "Roles": [ { "Ref": "RemediationRoleEnableDynamoDBDeletionProtectionMemberAccountRole312799B6" } ] } }, "RemediationRoleEnableDynamoDBDeletionProtectionMemberAccountRole312799B6": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-EnableDynamoDBDeletionProtection-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyEnableElastiCacheBackups68AD9300": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "elasticache:ModifyCacheCluster", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":elasticache:*:", { "Ref": "AWS::AccountId" }, ":cluster:*" ] ] } }, { "Action": [ "elasticache:ModifyReplicationGroup", "elasticache:DescribeReplicationGroups" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":elasticache:*:", { "Ref": "AWS::AccountId" }, ":replicationgroup:*" ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyEnableElastiCacheBackups68AD9300", "Roles": [ { "Ref": "RemediationRoleEnableElastiCacheBackupsMemberAccountRoleEC568837" } ] }, "Metadata": { "guard": { "SuppressedRules": [ "IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE" ] } } }, "RemediationRoleEnableElastiCacheBackupsASRMemberBasePolicyB74E296F": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableElastiCacheBackups-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-EnableElastiCacheBackups" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableElastiCacheBackups-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleEnableElastiCacheBackupsASRMemberBasePolicyB74E296F", "Roles": [ { "Ref": "RemediationRoleEnableElastiCacheBackupsMemberAccountRoleEC568837" } ] } }, "RemediationRoleEnableElastiCacheBackupsMemberAccountRoleEC568837": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-EnableElastiCacheBackups-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyEnforceHTTPSForALB5B259D91": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "elasticloadbalancing:DescribeListeners", "Effect": "Allow", "Resource": "*" }, { "Action": [ "elasticloadbalancing:CreateListener", "elasticloadbalancing:AddTags", "elasticloadbalancing:ModifyListener" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":elasticloadbalancing:*:", { "Ref": "AWS::AccountId" }, ":listener-rule/app/*/*/*/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":elasticloadbalancing:*:", { "Ref": "AWS::AccountId" }, ":listener/app/*/*/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":elasticloadbalancing:*:", { "Ref": "AWS::AccountId" }, ":loadbalancer/app/*/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":elasticloadbalancing:*:", { "Ref": "AWS::AccountId" }, ":targetgroup/*/*" ] ] } ] } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyEnforceHTTPSForALB5B259D91", "Roles": [ { "Ref": "RemediationRoleEnforceHTTPSForALBMemberAccountRoleCAB35669" } ] }, "Metadata": { "guard": { "SuppressedRules": [ "IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE" ] } } }, "RemediationRoleEnforceHTTPSForALBASRMemberBasePolicy053067C5": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnforceHTTPSForALB-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-EnforceHTTPSForALB" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnforceHTTPSForALB-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleEnforceHTTPSForALBASRMemberBasePolicy053067C5", "Roles": [ { "Ref": "RemediationRoleEnforceHTTPSForALBMemberAccountRoleCAB35669" } ] } }, "RemediationRoleEnforceHTTPSForALBMemberAccountRoleCAB35669": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-EnforceHTTPSForALB-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyLimitECSRootFilesystemAccessBE3DBAE3": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "ecs:RegisterTaskDefinition", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ecs:*:", { "Ref": "AWS::AccountId" }, ":task-definition/*:*" ] ] } }, { "Action": "ecs:DescribeTaskDefinition", "Effect": "Allow", "Resource": "*" }, { "Action": "iam:PassRole", "Condition": { "StringEquals": { "iam:PassedToService": "ecs-tasks.amazonaws.com" } }, "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/ecsTaskExecutionRole" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/*TaskExecutionRole*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/*TaskRole*" ] ] } ] } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyLimitECSRootFilesystemAccessBE3DBAE3", "Roles": [ { "Ref": "RemediationRoleLimitECSRootFilesystemAccessMemberAccountRole30268D2C" } ] }, "Metadata": { "guard": { "SuppressedRules": [ "IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE" ] } } }, "RemediationRoleLimitECSRootFilesystemAccessASRMemberBasePolicyA29915D3": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-LimitECSRootFilesystemAccess-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-LimitECSRootFilesystemAccess" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-LimitECSRootFilesystemAccess-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleLimitECSRootFilesystemAccessASRMemberBasePolicyA29915D3", "Roles": [ { "Ref": "RemediationRoleLimitECSRootFilesystemAccessMemberAccountRole30268D2C" } ] } }, "RemediationRoleLimitECSRootFilesystemAccessMemberAccountRole30268D2C": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-LimitECSRootFilesystemAccess-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyEnableElastiCacheReplicationGroupFailoverD83179F3": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "elasticache:ModifyReplicationGroup", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":elasticache:*:", { "Ref": "AWS::AccountId" }, ":replicationgroup:*" ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyEnableElastiCacheReplicationGroupFailoverD83179F3", "Roles": [ { "Ref": "RemediationRoleEnableElastiCacheReplicationGroupFailoverMemberAccountRoleD4C71F86" } ] }, "Metadata": { "guard": { "SuppressedRules": [ "IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE" ] } } }, "RemediationRoleEnableElastiCacheReplicationGroupFailoverASRMemberBasePolicy11AFDC5B": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableElastiCacheReplicationGroupFailover-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-EnableElastiCacheReplicationGroupFailover" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableElastiCacheReplicationGroupFailover-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleEnableElastiCacheReplicationGroupFailoverASRMemberBasePolicy11AFDC5B", "Roles": [ { "Ref": "RemediationRoleEnableElastiCacheReplicationGroupFailoverMemberAccountRoleD4C71F86" } ] } }, "RemediationRoleEnableElastiCacheReplicationGroupFailoverMemberAccountRoleD4C71F86": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-EnableElastiCacheReplicationGroupFailover-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyEnableElastiCacheVersionUpgradesE2730EC6": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "elasticache:ModifyCacheCluster", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":elasticache:*:", { "Ref": "AWS::AccountId" }, ":cluster:*" ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyEnableElastiCacheVersionUpgradesE2730EC6", "Roles": [ { "Ref": "RemediationRoleEnableElastiCacheVersionUpgradesMemberAccountRole057E20CE" } ] }, "Metadata": { "guard": { "SuppressedRules": [ "IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE" ] } } }, "RemediationRoleEnableElastiCacheVersionUpgradesASRMemberBasePolicy1B716D6B": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableElastiCacheVersionUpgrades-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-EnableElastiCacheVersionUpgrades" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableElastiCacheVersionUpgrades-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleEnableElastiCacheVersionUpgradesASRMemberBasePolicy1B716D6B", "Roles": [ { "Ref": "RemediationRoleEnableElastiCacheVersionUpgradesMemberAccountRole057E20CE" } ] } }, "RemediationRoleEnableElastiCacheVersionUpgradesMemberAccountRole057E20CE": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-EnableElastiCacheVersionUpgrades-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicySetCloudFrontOriginDomain64A49EDE": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "cloudfront:UpdateDistribution", "cloudfront:GetDistributionConfig" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":cloudfront::", { "Ref": "AWS::AccountId" }, ":distribution/*" ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicySetCloudFrontOriginDomain64A49EDE", "Roles": [ { "Ref": "RemediationRoleSetCloudFrontOriginDomainMemberAccountRoleCE84BD55" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for to allow remediation for any resource." } ] } } }, "RemediationRoleSetCloudFrontOriginDomainASRMemberBasePolicyD9F90803": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-SetCloudFrontOriginDomain-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-SetCloudFrontOriginDomain" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-SetCloudFrontOriginDomain-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleSetCloudFrontOriginDomainASRMemberBasePolicyD9F90803", "Roles": [ { "Ref": "RemediationRoleSetCloudFrontOriginDomainMemberAccountRoleCE84BD55" } ] } }, "RemediationRoleSetCloudFrontOriginDomainMemberAccountRoleCE84BD55": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-SetCloudFrontOriginDomain-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyDisableUnrestrictedAccessToHighRiskPortsB2871524": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "ec2:DescribeSecurityGroupRules", "Effect": "Allow", "Resource": "*" }, { "Action": "ec2:RevokeSecurityGroupIngress", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ec2:*:", { "Ref": "AWS::AccountId" }, ":security-group/*" ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyDisableUnrestrictedAccessToHighRiskPortsB2871524", "Roles": [ { "Ref": "RemediationRoleDisableUnrestrictedAccessToHighRiskPortsMemberAccountRole4FB39E11" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for to allow remediation for any resource." } ] } } }, "RemediationRoleDisableUnrestrictedAccessToHighRiskPortsASRMemberBasePolicy25A56FF5": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-DisableUnrestrictedAccessToHighRiskPorts-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-DisableUnrestrictedAccessToHighRiskPorts" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-DisableUnrestrictedAccessToHighRiskPorts-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleDisableUnrestrictedAccessToHighRiskPortsASRMemberBasePolicy25A56FF5", "Roles": [ { "Ref": "RemediationRoleDisableUnrestrictedAccessToHighRiskPortsMemberAccountRole4FB39E11" } ] } }, "RemediationRoleDisableUnrestrictedAccessToHighRiskPortsMemberAccountRole4FB39E11": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-DisableUnrestrictedAccessToHighRiskPorts-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyEnablePrivateRepositoryScanning4D22B2EE": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "ecr:PutImageScanningConfiguration", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ecr:*:", { "Ref": "AWS::AccountId" }, ":repository/*" ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyEnablePrivateRepositoryScanning4D22B2EE", "Roles": [ { "Ref": "RemediationRoleEnablePrivateRepositoryScanningMemberAccountRole1481CC5D" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for to allow remediation for any resource." } ] } } }, "RemediationRoleEnablePrivateRepositoryScanningASRMemberBasePolicyCCCE7761": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnablePrivateRepositoryScanning-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-EnablePrivateRepositoryScanning" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnablePrivateRepositoryScanning-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleEnablePrivateRepositoryScanningASRMemberBasePolicyCCCE7761", "Roles": [ { "Ref": "RemediationRoleEnablePrivateRepositoryScanningMemberAccountRole1481CC5D" } ] } }, "RemediationRoleEnablePrivateRepositoryScanningMemberAccountRole1481CC5D": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-EnablePrivateRepositoryScanning-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicySetS3LifecyclePolicy7F4C0192": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "s3:PutLifecycleConfiguration", "s3:GetLifecycleConfiguration" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":s3:::*" ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicySetS3LifecyclePolicy7F4C0192", "Roles": [ { "Ref": "RemediationRoleSetS3LifecyclePolicyMemberAccountRole96385FD0" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for to allow remediation for any resource." } ] } } }, "RemediationRoleSetS3LifecyclePolicyASRMemberBasePolicy7250A758": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-SetS3LifecyclePolicy-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-SetS3LifecyclePolicy" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-SetS3LifecyclePolicy-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleSetS3LifecyclePolicyASRMemberBasePolicy7250A758", "Roles": [ { "Ref": "RemediationRoleSetS3LifecyclePolicyMemberAccountRole96385FD0" } ] } }, "RemediationRoleSetS3LifecyclePolicyMemberAccountRole96385FD0": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-SetS3LifecyclePolicy-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyUpdateSecretRotationPeriod8B602083": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "secretsmanager:RotateSecret", "secretsmanager:DescribeSecret" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":secretsmanager:*:", { "Ref": "AWS::AccountId" }, ":secret:*" ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyUpdateSecretRotationPeriod8B602083", "Roles": [ { "Ref": "RemediationRoleUpdateSecretRotationPeriodMemberAccountRole3061BFB8" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for to allow remediation for any resource." } ] } } }, "RemediationRoleUpdateSecretRotationPeriodASRMemberBasePolicy0F2C51CF": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-UpdateSecretRotationPeriod-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-UpdateSecretRotationPeriod" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-UpdateSecretRotationPeriod-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleUpdateSecretRotationPeriodASRMemberBasePolicy0F2C51CF", "Roles": [ { "Ref": "RemediationRoleUpdateSecretRotationPeriodMemberAccountRole3061BFB8" } ] } }, "RemediationRoleUpdateSecretRotationPeriodMemberAccountRole3061BFB8": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-UpdateSecretRotationPeriod-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyDisableTGWAutoAcceptSharedAttachmentsA2E0FB90": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "ec2:DescribeTransitGateways", "Effect": "Allow", "Resource": "*" }, { "Action": "ec2:ModifyTransitGateway", "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ec2:*:", { "Ref": "AWS::AccountId" }, ":transit-gateway/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ec2:*:", { "Ref": "AWS::AccountId" }, ":transit-gateway-route-table/*" ] ] } ] } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyDisableTGWAutoAcceptSharedAttachmentsA2E0FB90", "Roles": [ { "Ref": "RemediationRoleDisableTGWAutoAcceptSharedAttachmentsMemberAccountRole587194E6" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for to allow remediation for any resource." } ] } } }, "RemediationRoleDisableTGWAutoAcceptSharedAttachmentsASRMemberBasePolicyA45E9608": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-DisableTGWAutoAcceptSharedAttachments-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-DisableTGWAutoAcceptSharedAttachments" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-DisableTGWAutoAcceptSharedAttachments-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleDisableTGWAutoAcceptSharedAttachmentsASRMemberBasePolicyA45E9608", "Roles": [ { "Ref": "RemediationRoleDisableTGWAutoAcceptSharedAttachmentsMemberAccountRole587194E6" } ] } }, "RemediationRoleDisableTGWAutoAcceptSharedAttachmentsMemberAccountRole587194E6": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-DisableTGWAutoAcceptSharedAttachments-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyEnableGuardDuty90C5632A": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "guardduty:ListDetectors", "guardduty:CreateDetector" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "guardduty:UpdateDetector", "guardduty:GetDetector" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":guardduty:*:", { "Ref": "AWS::AccountId" }, ":detector/*" ] ] } }, { "Action": [ "iam:CreateServiceLinkedRole", "iam:PutRolePolicy", "iam:DeleteRolePolicy" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/aws-service-role/guardduty.amazonaws.com/AWSServiceRoleForAmazonGuardDuty" ] ] } }, { "Action": [ "iam:AddUserToGroup", "iam:AttachGroupPolicy", "iam:AttachRolePolicy", "iam:AttachUserPolicy", "iam:CreatePolicyVersion", "iam:CreateRole", "iam:DeleteGroupPolicy", "iam:DeleteRolePolicy", "iam:DeleteUserPolicy", "iam:DetachGroupPolicy", "iam:DetachRolePolicy", "iam:DetachUserPolicy", "iam:PutGroupPolicy", "iam:PutRolePolicy", "iam:PutUserPolicy", "iam:RemoveUserFromGroup", "iam:SetDefaultPolicyVersion", "iam:UpdateAssumeRolePolicy", "iam:UpdateRole" ], "Effect": "Deny", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableGuardDuty-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyEnableGuardDuty90C5632A", "Roles": [ { "Ref": "RemediationRoleEnableGuardDutyMemberAccountRoleAB2BC065" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for to allow remediation for any resource." } ] } } }, "RemediationRoleEnableGuardDutyASRMemberBasePolicy6E159471": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableGuardDuty-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-EnableGuardDuty" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableGuardDuty-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleEnableGuardDutyASRMemberBasePolicy6E159471", "Roles": [ { "Ref": "RemediationRoleEnableGuardDutyMemberAccountRoleAB2BC065" } ] } }, "RemediationRoleEnableGuardDutyMemberAccountRoleAB2BC065": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-EnableGuardDuty-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyTagDynamoDBTableResource7023D01C": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "dynamodb:TagResource", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":dynamodb:*:", { "Ref": "AWS::AccountId" }, ":table/*" ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyTagDynamoDBTableResource7023D01C", "Roles": [ { "Ref": "RemediationRoleTagDynamoDBTableResourceMemberAccountRole31267C99" } ] }, "Metadata": { "guard": { "SuppressedRules": [ "IAM_POLICYDOCUMENT_NO_WILDCARD_RESOURCE" ] } } }, "RemediationRoleTagDynamoDBTableResourceASRMemberBasePolicy5B55BC9C": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-TagDynamoDBTableResource-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-TagDynamoDBTableResource" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-TagDynamoDBTableResource-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleTagDynamoDBTableResourceASRMemberBasePolicy5B55BC9C", "Roles": [ { "Ref": "RemediationRoleTagDynamoDBTableResourceMemberAccountRole31267C99" } ] } }, "RemediationRoleTagDynamoDBTableResourceMemberAccountRole31267C99": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-TagDynamoDBTableResource-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyTagGuardDutyResourceF88101FE": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "guardduty:TagResource", "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":guardduty:*:*:detector/*/filter/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":guardduty:*:*:detector/*" ] ] } ] } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyTagGuardDutyResourceF88101FE", "Roles": [ { "Ref": "RemediationRoleTagGuardDutyResourceMemberAccountRole6D195F98" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for to allow remediation for any resource." } ] } } }, "RemediationRoleTagGuardDutyResourceASRMemberBasePolicyF4BA4273": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-TagGuardDutyResource-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-TagGuardDutyResource" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-TagGuardDutyResource-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleTagGuardDutyResourceASRMemberBasePolicyF4BA4273", "Roles": [ { "Ref": "RemediationRoleTagGuardDutyResourceMemberAccountRole6D195F98" } ] } }, "RemediationRoleTagGuardDutyResourceMemberAccountRole6D195F98": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-TagGuardDutyResource-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyEnableAutoSecretRotation7CF2A230": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "secretsmanager:RotateSecret", "secretsmanager:DescribeSecret" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":secretsmanager:*:", { "Ref": "AWS::AccountId" }, ":secret:*" ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyEnableAutoSecretRotation7CF2A230", "Roles": [ { "Ref": "RemediationRoleEnableAutoSecretRotationMemberAccountRole2D3881E8" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for to allow remediation for any resource." } ] } } }, "RemediationRoleEnableAutoSecretRotationASRMemberBasePolicy25622AB3": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableAutoSecretRotation-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-EnableAutoSecretRotation" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableAutoSecretRotation-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleEnableAutoSecretRotationASRMemberBasePolicy25622AB3", "Roles": [ { "Ref": "RemediationRoleEnableAutoSecretRotationMemberAccountRole2D3881E8" } ] } }, "RemediationRoleEnableAutoSecretRotationMemberAccountRole2D3881E8": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-EnableAutoSecretRotation-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyRevokeUnauthorizedInboundRules8076314E": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "ec2:DescribeSecurityGroupRules", "Effect": "Allow", "Resource": "*" }, { "Action": "ec2:RevokeSecurityGroupIngress", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ec2:*:", { "Ref": "AWS::AccountId" }, ":security-group/*" ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyRevokeUnauthorizedInboundRules8076314E", "Roles": [ { "Ref": "RemediationRoleRevokeUnauthorizedInboundRulesMemberAccountRoleFB22E2D5" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for to allow remediation for any resource." } ] } } }, "RemediationRoleRevokeUnauthorizedInboundRulesASRMemberBasePolicy0A55D46B": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-RevokeUnauthorizedInboundRules-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-RevokeUnauthorizedInboundRules" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-RevokeUnauthorizedInboundRules-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleRevokeUnauthorizedInboundRulesASRMemberBasePolicy0A55D46B", "Roles": [ { "Ref": "RemediationRoleRevokeUnauthorizedInboundRulesMemberAccountRoleFB22E2D5" } ] } }, "RemediationRoleRevokeUnauthorizedInboundRulesMemberAccountRoleFB22E2D5": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-RevokeUnauthorizedInboundRules-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyRemoveUnusedSecret692D8382": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "secretsmanager:DeleteSecret", "secretsmanager:DescribeSecret" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":secretsmanager:*:", { "Ref": "AWS::AccountId" }, ":secret:*" ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyRemoveUnusedSecret692D8382", "Roles": [ { "Ref": "RemediationRoleRemoveUnusedSecretMemberAccountRole50B9F743" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for to allow remediation for any resource." } ] } } }, "RemediationRoleRemoveUnusedSecretASRMemberBasePolicy9095B18F": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-RemoveUnusedSecret-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-RemoveUnusedSecret" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-RemoveUnusedSecret-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleRemoveUnusedSecretASRMemberBasePolicy9095B18F", "Roles": [ { "Ref": "RemediationRoleRemoveUnusedSecretMemberAccountRole50B9F743" } ] } }, "RemediationRoleRemoveUnusedSecretMemberAccountRole50B9F743": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-RemoveUnusedSecret-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicySetLogGroupRetentionDaysD37C9B44": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "logs:PutRetentionPolicy", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":logs:*:", { "Ref": "AWS::AccountId" }, ":log-group:*" ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicySetLogGroupRetentionDaysD37C9B44", "Roles": [ { "Ref": "RemediationRoleSetLogGroupRetentionDaysMemberAccountRole5C9CEFCF" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for to allow remediation for any resource." } ] } } }, "RemediationRoleSetLogGroupRetentionDaysASRMemberBasePolicyDED9E929": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-SetLogGroupRetentionDays-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-SetLogGroupRetentionDays" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-SetLogGroupRetentionDays-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleSetLogGroupRetentionDaysASRMemberBasePolicyDED9E929", "Roles": [ { "Ref": "RemediationRoleSetLogGroupRetentionDaysMemberAccountRole5C9CEFCF" } ] } }, "RemediationRoleSetLogGroupRetentionDaysMemberAccountRole5C9CEFCF": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-SetLogGroupRetentionDays-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyTerminateEC2Instance4F038AA0": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "ec2:DescribeInstanceStatus", "Effect": "Allow", "Resource": "*" }, { "Action": "ec2:TerminateInstances", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ec2:*:", { "Ref": "AWS::AccountId" }, ":instance/*" ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyTerminateEC2Instance4F038AA0", "Roles": [ { "Ref": "RemediationRoleTerminateEC2InstanceMemberAccountRoleE3F5E615" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for to allow remediation for any resource." } ] } } }, "RemediationRoleTerminateEC2InstanceASRMemberBasePolicy8E254519": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-TerminateEC2Instance-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-TerminateEC2Instance" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-TerminateEC2Instance-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleTerminateEC2InstanceASRMemberBasePolicy8E254519", "Roles": [ { "Ref": "RemediationRoleTerminateEC2InstanceMemberAccountRoleE3F5E615" } ] } }, "RemediationRoleTerminateEC2InstanceMemberAccountRoleE3F5E615": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-TerminateEC2Instance-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyEnableAPIGatewayCacheDataEncryption73A0EA08": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "apigateway:PATCH", "apigateway:GET" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":apigateway:*::/restapis/*/stages" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":apigateway:*::/restapis/*/stages/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":apigateway:*::/restapis/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":apigateway:*::/restapis" ] ] } ] } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyEnableAPIGatewayCacheDataEncryption73A0EA08", "Roles": [ { "Ref": "RemediationRoleEnableAPIGatewayCacheDataEncryptionMemberAccountRole8DDCC03A" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for to allow remediation for any resource." } ] } } }, "RemediationRoleEnableAPIGatewayCacheDataEncryptionASRMemberBasePolicyFE897815": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableAPIGatewayCacheDataEncryption-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-EnableAPIGatewayCacheDataEncryption" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableAPIGatewayCacheDataEncryption-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleEnableAPIGatewayCacheDataEncryptionASRMemberBasePolicyFE897815", "Roles": [ { "Ref": "RemediationRoleEnableAPIGatewayCacheDataEncryptionMemberAccountRole8DDCC03A" } ] } }, "RemediationRoleEnableAPIGatewayCacheDataEncryptionMemberAccountRole8DDCC03A": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-EnableAPIGatewayCacheDataEncryption-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyConfigureAutoScalingLaunchConfigToRequireIMDSv2079F73E2": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "iam:GetRole", "iam:PassRole" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/AmazonSSMRoleForInstancesQuickSetup" ] ] } }, { "Action": [ "autoscaling:UpdateAutoScalingGroup", "autoscaling:CreateLaunchConfiguration", "autoscaling:DeleteLaunchConfiguration" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":autoscaling:*:", { "Ref": "AWS::AccountId" }, ":autoScalingGroup:*:autoScalingGroupName/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":autoscaling:*:", { "Ref": "AWS::AccountId" }, ":launchConfiguration:*:launchConfigurationName/*" ] ] } ] }, { "Action": [ "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeLaunchConfigurations" ], "Effect": "Allow", "Resource": "*" } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyConfigureAutoScalingLaunchConfigToRequireIMDSv2079F73E2", "Roles": [ { "Ref": "RemediationRoleConfigureAutoScalingLaunchConfigToRequireIMDSv2MemberAccountRole28FA7ABE" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for to allow remediation for any resource." } ] } } }, "RemediationRoleConfigureAutoScalingLaunchConfigToRequireIMDSv2ASRMemberBasePolicy313F3C99": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ConfigureAutoScalingLaunchConfigToRequireIMDSv2-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-ConfigureAutoScalingLaunchConfigToRequireIMDSv2" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ConfigureAutoScalingLaunchConfigToRequireIMDSv2-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleConfigureAutoScalingLaunchConfigToRequireIMDSv2ASRMemberBasePolicy313F3C99", "Roles": [ { "Ref": "RemediationRoleConfigureAutoScalingLaunchConfigToRequireIMDSv2MemberAccountRole28FA7ABE" } ] } }, "RemediationRoleConfigureAutoScalingLaunchConfigToRequireIMDSv2MemberAccountRole28FA7ABE": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-ConfigureAutoScalingLaunchConfigToRequireIMDSv2-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyConfigureAutoScalingLaunchConfigNoPublicIP9F64AA21": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "iam:GetRole", "iam:PassRole" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/AmazonSSMRoleForInstancesQuickSetup" ] ] } }, { "Action": [ "autoscaling:UpdateAutoScalingGroup", "autoscaling:CreateLaunchConfiguration", "autoscaling:DeleteLaunchConfiguration" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":autoscaling:*:", { "Ref": "AWS::AccountId" }, ":autoScalingGroup:*:autoScalingGroupName/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":autoscaling:*:", { "Ref": "AWS::AccountId" }, ":launchConfiguration:*:launchConfigurationName/*" ] ] } ] }, { "Action": [ "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeLaunchConfigurations" ], "Effect": "Allow", "Resource": "*" } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyConfigureAutoScalingLaunchConfigNoPublicIP9F64AA21", "Roles": [ { "Ref": "RemediationRoleConfigureAutoScalingLaunchConfigNoPublicIPMemberAccountRoleAD7193E6" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource * is required for to allow remediation for any resource." } ] } } }, "RemediationRoleConfigureAutoScalingLaunchConfigNoPublicIPASRMemberBasePolicy3BDA370B": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ConfigureAutoScalingLaunchConfigNoPublicIP-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-ConfigureAutoScalingLaunchConfigNoPublicIP" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ConfigureAutoScalingLaunchConfigNoPublicIP-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleConfigureAutoScalingLaunchConfigNoPublicIPASRMemberBasePolicy3BDA370B", "Roles": [ { "Ref": "RemediationRoleConfigureAutoScalingLaunchConfigNoPublicIPMemberAccountRoleAD7193E6" } ] } }, "RemediationRoleConfigureAutoScalingLaunchConfigNoPublicIPMemberAccountRoleAD7193E6": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-ConfigureAutoScalingLaunchConfigNoPublicIP-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyEnableMacie1038F1C7": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "macie2:EnableMacie", "Effect": "Allow", "Resource": "*" }, { "Action": [ "iam:CreateServiceLinkedRole", "iam:AttachRolePolicy", "iam:PutRolePolicy" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/aws-service-role/macie.amazonaws.com/AWSServiceRoleForAmazonMacie*" ] ] } }, { "Action": [ "iam:AddUserToGroup", "iam:AttachGroupPolicy", "iam:AttachRolePolicy", "iam:AttachUserPolicy", "iam:CreatePolicyVersion", "iam:CreateRole", "iam:DeleteGroupPolicy", "iam:DeleteRolePolicy", "iam:DeleteUserPolicy", "iam:DetachGroupPolicy", "iam:DetachRolePolicy", "iam:DetachUserPolicy", "iam:PutGroupPolicy", "iam:PutRolePolicy", "iam:PutUserPolicy", "iam:RemoveUserFromGroup", "iam:SetDefaultPolicyVersion", "iam:UpdateAssumeRolePolicy", "iam:UpdateRole" ], "Effect": "Deny", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableMacie-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyEnableMacie1038F1C7", "Roles": [ { "Ref": "RemediationRoleEnableMacieMemberAccountRole5538535C" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource wildcard (*) is required by the EnableMacie API." } ] } } }, "RemediationRoleEnableMacieASRMemberBasePolicyBF0893EF": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableMacie-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-EnableMacie" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableMacie-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleEnableMacieASRMemberBasePolicyBF0893EF", "Roles": [ { "Ref": "RemediationRoleEnableMacieMemberAccountRole5538535C" } ] } }, "RemediationRoleEnableMacieMemberAccountRole5538535C": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-EnableMacie-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyEnableAPIGatewayExecutionLogs047A2AE2": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "apigateway:PATCH", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":apigateway:", { "Ref": "AWS::Region" }, "::/restapis/*/stages/*" ] ] } }, { "Action": [ "apigateway:PATCH", "apigateway:GET" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":apigateway:", { "Ref": "AWS::Region" }, "::/apis/*/stages/*" ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyEnableAPIGatewayExecutionLogs047A2AE2", "Roles": [ { "Ref": "RemediationRoleEnableAPIGatewayExecutionLogsMemberAccountRole1B8CCCD4" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource wildcard (*) is required to update any API Stage in the member account." } ] } } }, "RemediationRoleEnableAPIGatewayExecutionLogsASRMemberBasePolicyE642248F": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableAPIGatewayExecutionLogs-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-EnableAPIGatewayExecutionLogs" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableAPIGatewayExecutionLogs-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleEnableAPIGatewayExecutionLogsASRMemberBasePolicyE642248F", "Roles": [ { "Ref": "RemediationRoleEnableAPIGatewayExecutionLogsMemberAccountRole1B8CCCD4" } ] } }, "RemediationRoleEnableAPIGatewayExecutionLogsMemberAccountRole1B8CCCD4": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-EnableAPIGatewayExecutionLogs-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } }, "ASRRemediationPolicyEnableAthenaWorkGroupLogging4573805D": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": "athena:UpdateWorkGroup", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":athena:*:", { "Ref": "AWS::AccountId" }, ":workgroup/*" ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "ASRRemediationPolicyEnableAthenaWorkGroupLogging4573805D", "Roles": [ { "Ref": "RemediationRoleEnableAthenaWorkGroupLoggingMemberAccountRole5BCA3A47" } ] }, "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W12", "reason": "Resource wildcard (*) is required to update any Athena Work Group in the member account." } ] } } }, "RemediationRoleEnableAthenaWorkGroupLoggingASRMemberBasePolicy1398B48B": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:PutParameter" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":parameter/Solutions/SO0111/*" ] ] } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableAthenaWorkGroupLogging-", { "Ref": "Namespace" } ] ] } }, { "Action": [ "ssm:StartAutomationExecution", "ssm:GetAutomationExecution", "ssm:DescribeAutomationStepExecutions" ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":document/ASR-EnableAthenaWorkGroupLogging" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*::automation-definition/*" ] ] }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":ssm:*:", { "Ref": "AWS::AccountId" }, ":automation-execution/*" ] ] } ] }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-EnableAthenaWorkGroupLogging-", { "Ref": "Namespace" } ] ] } } ], "Version": "2012-10-17" }, "PolicyName": "RemediationRoleEnableAthenaWorkGroupLoggingASRMemberBasePolicy1398B48B", "Roles": [ { "Ref": "RemediationRoleEnableAthenaWorkGroupLoggingMemberAccountRole5BCA3A47" } ] } }, "RemediationRoleEnableAthenaWorkGroupLoggingMemberAccountRole5BCA3A47": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":role/SO0111-ASR-Orchestrator-Member" ] ] } } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root" ] ] } } } ], "Version": "2012-10-17" }, "RoleName": { "Fn::Join": [ "", [ "SO0111-EnableAthenaWorkGroupLogging-", { "Ref": "Namespace" } ] ] }, "Tags": [ { "Key": "Solutions:SolutionID", "Value": "SO0111" }, { "Key": "Solutions:SolutionName", "Value": "automated-security-response-on-aws" }, { "Key": "Solutions:SolutionVersion", "Value": "v3.1.6" } ] }, "DependsOn": [ "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5" ], "Metadata": { "cfn_nag": { "rules_to_suppress": [ { "id": "W11", "reason": "Resource * is required due to the administrative nature of the solution." }, { "id": "W28", "reason": "Static names chosen intentionally to provide integration in cross-account permissions" } ] } } } } }